INFA 620
Lab 4: Firewall
Introduction
You are the Network Security Administrator for an
organization. You are responsible for the configuration of a
firewall that segregates the enterprise network from the external
network. You will strategically allow authorized incoming and
outgoing traffic while denying all unauthorized traffic.
In this lab, we are going to practice setting up a Smoothwall
firewall in a UMUC remote lab. Smoothwall is a Linux kernel-based
firewall. It has a graphical web interface, and it implements the
firewall using Linux iptables (see
http://linux.die.net/man/8/iptables). The manual for the
Smoothwall firewall can be found at:
http://www.smoothwall.com/media/114580/AdvancedFirewall-admin.pdf.
The exercise does not require you to read the entire manual. We
are going to experiment with the inbound and outbound traffic
filtering aspects (Chapter 7) of the firewall.
The UMUC remote environment for this lab is shown in the
figure below. Notice that the firewall/router separates
the 100.100.0.x External network (virtual Internet) from the
192.168.1.x Enterprise machines. This firewall will be
controlling the inbound and outbound traffic of the enterprise.
Designed and written by Jeffrey Karlan
INFA 620 Firewall Lab Manual, Copyright UMUC 2016
Step by Step Instructions for Performing the Lab Activity
1) From the Virtual Machine screen, double click the console
for Enterprise. Use the root/aspring2013 credentials to log on to
Enterprise. (Note: From the Jumpbox you can also remote to
Enterprise. Double click VNC Viewer, enter remote host
address 10.5.14.110, click Connect and use aspring2013 as the
password. The console login gives you more “real estate,”
though, and should be preferred.)
2) This is Enterprise (CentOS)
3) Double click Firewall GUI
4) Supply Username and Password and Click OK
5) This is Firewall (Smoothwall)
6) Click Networking > Outgoing. This is where you will
configure rules to allow or deny network traffic from our
internal Enterprise network to the External Virtual Internet.
7) Notice that in the Interface Defaults section the current
selection is “Blocked with Exceptions”. This means that all traffic
from the Enterprise network to the External network that is not
explicitly allowed is implicitly denied (a default-deny policy).
This method of administering a firewall is known as maintaining a
“Whitelist”. If we were instead to implicitly allow all network
traffic except for explicitly denied protocols, that is known as
maintaining a “Blacklist”. In network administration maintaining a
whitelist is considered best practice, because a blacklist lets
through any protocol the administrator did not think to deny.
Our firewall has an interface on the Enterprise internal network
known as the Green interface, and an interface on the External
network known as the Red interface.
8) Minimize Smoothwall and return to Enterprise desktop
9) Double click Scripts > Double click Traffic.
10) Each of the scripts in this folder will simulate 5 packets of
traffic using their named protocol from the Enterprise network
to the External network.
11) Together we will enable HTTP traffic from Enterprise to
External. HTTP is needed for users to browse websites on the
internet. Double click Web Browser.
12) Click the + button to open a new tab.
13) In the browser bar type 100.100.0.100 > Enter. Firefox
should be unable to connect, because Firewall is implicitly
denying HTTP traffic.
14) Minimize Firefox and return to the Desktop > Scripts >
Traffic Folder > Double Click HTTP.sh
15) Select run in terminal
16) Your output should look like this. We sent 5 packets to
100.100.0.100 and Firewall blocked them.
17) Maximize or reopen Firefox to return to Firewall. Click
Networking > Outgoing.
18) In the “Add exception” area, leave Application as “User
defined” and type 80 (the standard TCP port for HTTP) at Port. In
Comment type “Allow HTTP to External”. Leave the Enabled checkbox
checked. Click Add.
19) Current exceptions should have this entry:
20) Open a new browser tab and go to 100.100.0.100 again. If
this page came up you successfully allowed HTTP traffic from
the Enterprise network to External.
21) Return to Enterprise desktop > Scripts > Traffic > Double
click HTTP.sh > Run in Terminal
22) Your output should now look like this. This means the
HTTP packets successfully reached their destination at
100.100.0.100
23) (50 Points) On your own you will now create 7 more rules
on Firewall to allow the following protocols to reach the
External network. Use the scripts in the Traffic folder to test
each rule. The standard port for each service is given in
parentheses; note that DNS normally runs over UDP (with TCP used
for large responses), so check that the protocol in your rule
matches what the test script sends.
a. DNS (port 53)
b. FTP (TCP port 21)
c. HTTPS (TCP port 443)
d. POP3 (TCP port 110)
e. RDP (TCP port 3389)
f. SMTP (TCP port 25)
g. Telnet (TCP port 23)
24) There are services hosted on the Enterprise network that
require access from the External network. Your Enterprise has
a single public IP address, 100.100.0.1. By default Firewall
blocks all incoming traffic on its public-facing interface. You
will configure port forwarding to explicitly allow traffic on
specific ports to reach destinations on the Enterprise network,
while denying traffic on all other ports.
25) From the Virtual Machine screen, double click the console
for External. Use the root/aspring2013 credentials to log on to
External. (Note: From the Jumpbox you can also remote to
External. Double click VNC Viewer, enter remote host address
10.5.14.11, click Connect and use aspring2013 as the
password. The console login gives you more “real estate,”
though, and should be preferred.)
26) This is External (Kali Linux)
27) Double click the Web Browser on the desktop
28) In the browser bar type infa620.umuc.com > enter. The
browser should not be able to display the webpage
29) Return to the External Desktop and open the Scripts folder
> Traffic folder > HTTP.sh
30) Select Run in Terminal
31) Your output should look like this. Firewall is blocking
traffic on port 80
32) Get back to the Firewall GUI in the Enterprise (You may
need to re-authenticate using root/aspring2013):
33) Select Networking > Incoming
34) Enter Port: 80 and Destination IP: 192.168.1.20 >
Comment: Allow Traffic on Port 80 to Webserver > Leave the
Enabled checkbox checked > Click Add. Here Port is the port that
external clients connect to on the public address 100.100.0.1,
and Destination IP is the Enterprise host the traffic is
forwarded to.
35) Your current rule should look like this:
36) On External open the web browser and go to web address:
infa620.umuc.com
If you see this page you have successfully allowed External
traffic access to your Enterprise webserver.
37) On the External desktop click Scripts > Traffic > HTTP.sh >
Run in Terminal
Your output should look like this:
This means that 5 packets successfully reached the webserver
on the Enterprise network through Firewall.
38) (50 Points) On your own you will now create 7 more port
forwarding rules on Firewall to allow the following protocols to
reach the proper address on the Internal network.
a. FTP – 192.168.1.30
b. DNS – 192.168.1.10
c. HTTPS – 192.168.1.20
d. POP3 – 192.168.1.30
e. RDP – 192.168.1.10
f. SMTP – 192.168.1.30
g. Telnet – 192.168.1.10
Use the scripts in the Traffic folder on External to test each
rule. For example, use the FTP.sh script (External Desktop >
Scripts > Traffic > FTP.sh) to test the FTP setup. As with the
outgoing rules, the forwarded port must match both the service's
standard port and the protocol (TCP or UDP) the test script sends.
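The introduction notes that Smoothwall implements its rules with iptables. The following script is an added example, not part of the UMUC lab or of Smoothwall's own code: it spells out what step 7's “Blocked with Exceptions” outgoing policy, the step 23 exceptions, and the step 24/38 port forwards amount to in raw iptables terms, and it audits the result the way a reviewer would check the exported configuration. It assumes eth0 is the Green (Enterprise) interface and eth1 the Red (External) interface, that outbound traffic is source-NATed to the public address, and it runs as a dry run (IPT="echo iptables") unless IPT=iptables is set and it is run as root on a Linux host.

```shell
#!/bin/sh
# Added example, not from the UMUC lab or from Smoothwall: the iptables equivalent of the
# lab's "Blocked with Exceptions" outgoing policy (step 7) and its port forwards (step 24).
# Assumptions: eth0 = Green (Enterprise), eth1 = Red (External), SNAT to the public IP,
# and IPT="echo iptables" so the script is a dry run unless IPT=iptables is set (as root).

GREEN_IF="${GREEN_IF:-eth0}"
RED_IF="${RED_IF:-eth1}"
GREEN_NET="192.168.1.0/24"       # Enterprise network from the lab
RED_IP="100.100.0.1"             # single public address from step 24
IPT="${IPT:-echo iptables}"

# Default-deny baseline: FORWARD drops everything not explicitly allowed below; replies to
# allowed connections return via conntrack rather than per-port return rules.
baseline() {
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management (the Firewall GUI used in step 3) stays reachable from Green only.
    $IPT -A INPUT -i "$GREEN_IF" -s "$GREEN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Enterprise hosts leave on Red with the public address as source.
    $IPT -t nat -A POSTROUTING -o "$RED_IF" -s "$GREEN_NET" -j SNAT --to-source "$RED_IP"
}

# One "Outgoing" exception: allow_outbound <tcp|udp> <port> <comment>
allow_outbound() {
    $IPT -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -s "$GREEN_NET" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -m comment --comment "$3" -j ACCEPT
}

# One "Incoming" port forward: forward_inbound <tcp|udp> <port> <internal-ip> <comment>
# DNAT rewrites the destination in PREROUTING; the FORWARD rule must then accept the
# rewritten packet, otherwise the default DROP still wins.
forward_inbound() {
    $IPT -t nat -A PREROUTING -i "$RED_IF" -d "$RED_IP" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    $IPT -A FORWARD -i "$RED_IF" -o "$GREEN_IF" -d "$3" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -m comment --comment "$4" -j ACCEPT
}

build_ruleset() {
    baseline
    # Step 23: Enterprise -> External, on the IANA default port of each service.
    allow_outbound tcp 80   "Allow HTTP to External"
    allow_outbound udp 53   "Allow DNS to External"
    allow_outbound tcp 53   "Allow DNS over TCP to External"
    allow_outbound tcp 21   "Allow FTP control to External"
    allow_outbound tcp 443  "Allow HTTPS to External"
    allow_outbound tcp 110  "Allow POP3 to External"
    allow_outbound tcp 3389 "Allow RDP to External"
    allow_outbound tcp 25   "Allow SMTP to External"
    allow_outbound tcp 23   "Allow Telnet to External"
    # Step 38: External -> the Enterprise hosts the lab assigns.
    forward_inbound tcp 80   192.168.1.20 "Allow Traffic on Port 80 to Webserver"
    forward_inbound tcp 21   192.168.1.30 "FTP"
    forward_inbound udp 53   192.168.1.10 "DNS"
    forward_inbound tcp 443  192.168.1.20 "HTTPS"
    forward_inbound tcp 110  192.168.1.30 "POP3"
    forward_inbound tcp 3389 192.168.1.10 "RDP"
    forward_inbound tcp 25   192.168.1.30 "SMTP"
    forward_inbound tcp 23   192.168.1.10 "Telnet"
}

# Number of rules a dry run produces (8 baseline + 9 outbound + 2 per port forward).
rule_count() { build_ruleset | wc -l | tr -d ' '; }

# Audit a ruleset read from stdin (the dry run above, or any iptables -S style listing):
# the FORWARD chain must be default-deny, and every DNAT needs a matching Red->Green
# FORWARD accept, or the forwarded packets die at the default policy.
audit_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Fq -- '-P FORWARD DROP' \
        || { echo "FAIL: FORWARD chain is not default-deny"; return 1; }
    dnat=$(printf '%s\n' "$rules" | grep -Fc -- '-j DNAT' || true)
    fwd=$(printf '%s\n' "$rules" | grep -Fc -- "-A FORWARD -i $RED_IF -o $GREEN_IF" || true)
    [ "$dnat" -eq "$fwd" ] \
        || { echo "FAIL: $dnat DNAT rules but $fwd matching FORWARD accepts"; return 1; }
    echo "OK: default-deny forward, $dnat port forwards each paired with a FORWARD accept"
}

build_ruleset
build_ruleset | audit_ruleset
```

Two caveats a practitioner would add to the lab's tests: the FTP.sh scripts only prove that the control port (21) passes, while real FTP negotiates a second data connection, which needs the FTP connection-tracking helper (the manual's Chapter 7 covers the Smoothwall side under “Network Application Helpers”); and DNS is carried over UDP, so a rule that only opens TCP 53 will pass a TCP test and still break name resolution.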
39) Your working firewall is configured, so you will export the
firewall configuration to submit as proof of work. Please return
to the Enterprise desktop.
40) Scripts > Show iptables Firewall.sh > Run in Terminal > enter
the password when prompted > File > Save Contents
41) Name your file yourLastName_Initial_Firewall_Config.txt
(example: Smith_b_Firewall_Config.txt) > Save to Desktop
42) Places > INFA Share
43) Drag your Firewall Config.txt to the INFA Share Folder
44) Return to Jumpbox Desktop > Click INFA Share Folder,
your Firewall Config.txt should be in that folder.
45) Open Windows Explorer on the Jumpbox and locate the C
drive of your local machine under “Other”.
46) Drill down to C:\Users\yourname\Documents
47) Drag the file from INFA Share on the Jumpbox to the Documents
folder on your local machine. The screen below shows a file named
readme, but it should be the firewall configuration file,
Smith_b_Firewall_Config.txt in our case. Submit this file to
your LEO Lab 4 folder.
Unified Threat Management
Advanced Firewall Administration Guide
Smoothwall® Advanced Firewall, Administration Guide, October 2014
© 2001 – 2014 Smoothwall Ltd. All rights reserved.
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Contents
About This Guide
  Audience and Scope
  Organization and Use
  Conventions
  Related Documentation
Chapter 1 Introduction
  Overview of Advanced Firewall
  Annual Renewal
Chapter 2 Advanced Firewall Overview
  Accessing Advanced Firewall
  Dashboard
  Logs and reports
    Reports
    Alerts
    Realtime
    Logs
    Settings
  Networking
    Filtering
    Routing
    Interfaces
    Firewall
    Outgoing
    Settings
  Services
    Authentication
    User Portal
    Proxies
    SNMP
    DNS
    Message Censor
    Intrusion System
    DHCP
  System
    Maintenance
    Central Management
    Preferences
    Administration
    Hardware
    Diagnostics
    Certificates
  VPN
  Configuration Guidelines
    Specifying Networks, Hosts and Ports
    Using Comments
    Creating, Editing and Removing Rules
  Connecting via the Console
    Connecting Using a Client
  Secure Communication
    Unknown Entity Warning
    Inconsistent Site Address
Chapter 3 Working with Interfaces
  Configuring Global Settings for Interfaces
  Connecting Using an Internet Connectivity Profile
    Connecting Using a Static Ethernet Connectivity Profile
    Connecting using a DHCP Ethernet Connectivity Profile
    Connecting using a PPP over Ethernet Connectivity Profile
    Connecting using a PPTP over Ethernet Connectivity Profile
    Connecting using an ADSL/DSL Modem Connectivity Profile
    Connecting using an ISDN Modem Connectivity Profile
    Connecting Using a Dial-up Modem Connectivity Profile
  Creating a PPP Profile
    Modifying Profiles
    Deleting Profiles
  Working with Bridges
    Creating Bridges
    Editing Bridges
    Deleting Bridges
  Working with Bonded Interfaces
    Creating Bonds
    Editing Bonds
    Deleting Bonds
  Configuring IP Addresses
    Adding an IP Address
    Editing an IP Address
    Deleting an IP Address
  Virtual LANs
    Creating a VLAN
    Editing a VLAN
    Deleting a VLAN
Chapter 4 Managing Your Network Infrastructure
  Creating Subnets
    Editing and Removing Subnet Rules
  Using RIP
  Sources
    Creating Source Rules
    Removing a Rule
    Editing a Rule
    About IP Address Definitions
  Ports
    Creating a Ports Rule
  Creating an External Alias Rule
    Editing and Removing External Alias Rules
    Port Forwards from External Aliases
  Creating a Source Mapping Rule
    Editing and Removing Source Mapping Rules
  Working with Secondary External Interfaces
    Configuring a Secondary External Interface
  Using DHCP
    Enabling DHCP
    Creating a DHCP Subnet
    Editing a DHCP subnet
    Deleting a DHCP subnet
    Adding a Dynamic Range
    Adding a Static Assignment
    Adding a Static Assignment from the ARP Table
    Editing and Removing Assignments
    Viewing DHCP Leases
    DHCP Relaying
    Creating Custom DHCP Options
Chapter 5 General Network Security Settings
  Blocking by IP
    Creating IP Blocking Rules
    Editing and Removing IP Block Rules
  Configuring Advanced Networking Features
  Working with Port Groups
    Creating a Port Group
    Adding Ports to Existing Port Groups
    Editing Port Groups
    Deleting a Port Group
Chapter 6 Configuring Inter-Zone Security
  About Zone Bridging Rules
  Creating a Zone Bridging Rule
  Editing and Removing Zone Bridge Rules
  A Zone Bridging Tutorial
    Creating the Zone Bridging Rule
    Allowing Access to the Web Server
    Accessing a Database on the Protected Network
  Group Bridging
    Group Bridging and Authentication
    Creating Group Bridging Rules
    Editing and Removing Group Bridges
Chapter 7 Managing Inbound and Outbound Traffic
  Introduction to Port Forwards – Inbound Security
    Port Forward Rules Criteria
    Creating Port Forward Rules
    Load Balancing Port Forwarded Traffic
    Editing and Removing Port Forward Rules
  Advanced Network and Firewall Settings
    Network Application Helpers
    Managing Bad External Traffic
    Configuring Reflective Port Forwards
    Managing Connectivity Failback
  Managing Outbound Traffic and Services
    Working with Port Rules
    Working with Outbound Access Policies
  Managing External Services
Chapter 8 Virtual Private Networking
  Advanced Firewall VPN Features
  What is a VPN?
    About VPN Gateways
    Administrator Responsibilities
  About VPN Authentication
    PSK Authentication
    X509 Authentication
  Configuration Overview
  Working with Certificate Authorities and Certificates
    Creating a CA
    Exporting the CA Certificate
    Importing Another CA's Certificate
    Deleting the Local Certificate Authority and its Certificate
    Deleting an Imported CA Certificate
  Managing Certificates
    Creating a Certificate
    Reviewing a Certificate
    Exporting Certificates
    Exporting in the PKCS#12 Format
    Importing a Certificate
    Deleting a Certificate
    Setting the Default Local Certificate
  Site-to-Site VPNs – IPSec
    Recommended Settings
    Creating an IPsec Tunnel
  IPSec Site to Site and X509 Authentication – Example
    Prerequisite Overview
    Creating the Tunnel on the Primary System
    Creating the Tunnel on the Secondary System
    Checking the System is Active
    Activating the IPSec tunnel
  IPSec Site to Site and PSK Authentication
    Creating the Tunnel Specification on Primary System
    Creating the Tunnel Specification on the Secondary System
    Checking the System is Active
    Activating the PSK tunnel
  About Road Warrior VPNs
    Configuration Overview
  IPSec Road Warriors
    Creating an IPSec Road Warrior
  Supported IPSec Clients
  Creating L2TP Road Warrior Connections
    Creating a Certificate
    Configuring L2TP and SSL VPN Global Settings
    Creating an L2TP Tunnel
    Configuring an iPhone-compatible Tunnel
    Using NAT-Traversal
  VPNing Using L2TP Clients
    L2TP Client Prerequisites
    Connecting Using Windows XP/2000
    Installing an L2TP Client
  VPNing with SSL
    Prerequisites
    Configuring VPN with SSL
  Managing SSL Road Warriors
    Managing Group Access to SSL VPNs
    Managing Custom Client Scripts for SSL VPNs
    Generating SSL VPN Archives
    Configuring SSL VPN on Internal Networks
    Configuring and Connecting Clients
  VPN Zone Bridging
  Secure Internal Networking
    Creating an Internal L2TP VPN
  Advanced VPN Configuration
    Multiple Local Certificates
    Creating Multiple Local Certificates
    Public Key Authentication
    Configuring Both Ends of a Tunnel as CAs
    VPNs between Business Partners
    Extended Site to Site Routing
  Managing VPN Systems
    Automatically Starting the VPN System
    Manually Controlling the VPN System
    Viewing and Controlling Tunnels
    VPN Logging
  VPN Tutorials
    Example 1: Preshared Key Authentication
    Example 2: X509 Authentication
    Example 3: Two Tunnels and Certificate Authentication
    Example 4: IPSec Road Warrior Connection
    Example 5: L2TP Road Warrior
  Working with SafeNet SoftRemote
    Configuring IPSec Road Warriors
    Using the Security Policy Template SoftRemote
    Creating a Connection without the Policy File
    Advanced Configuration
Chapter 9 Authentication and User Management
  Configuring Global Authentication Settings
  About Directory Servers
    Configuring a Microsoft Active Directory Connection
    Configuring an LDAP Connection
    Configuring a RADIUS Connection
    Configuring an Active Directory Connection – Legacy Method
    Configuring a Local Users Directory
    Reordering Directory Servers
    Editing a Directory Server
    Deleting a Directory Server
    Diagnosing Directories
  Managing Local Users
    Adding Users
    Editing Local Users
    Deleting Users
  Managing Groups of Users
    About Groups
    Adding Groups
    Editing Groups
    Deleting Groups
  Mapping Groups
Remapping Groups..............................................................
188
Deleting Group Mappings ...................................................
189
Managing Temporarily Banned
Users......................................... 189
Creating a Temporary Ban..................................................
189
Removing Temporary Bans ................................................
190
Removing Expired Bans ......................................................
190
Managing User Activity
................................................................ 191
Viewing User Activity...........................................................
191
Logging Users Out...............................................................
191
Banning Users......................................................................
191
About SSL Authentication
............................................................ 192
viii Smoothwall Ltd
Advanced Firewall Administration Guide Contents
Customizing the SSL Login Page....................................... 192
Reviewing SSL Login Pages ...............................................
194
Configuring SSL Login ........................................................
194
Creating SSL Login Exceptions.......................................... 195
Managing Kerberos Keytabs
....................................................... 196
Adding Keytabs....................................................................
196
Managing Keytabs ...............................................................
197
Chapter 10 Centrally Managing Smoothwall Systems .......... 199
About Centrally Managing Smoothwall Systems.......................
199
Pre-requirements.................................................................
200
Setting up a Centrally Managed Smoothwall System ...............
200
Configuring the Parent Node ..............................................
200
Configuring Child Nodes .....................................................
201
Adding Child Nodes to the System .................................... 202
Editing Child Node Settings................................................
205
Deleting Nodes in the System ............................................ 205
Managing Nodes in a Smoothwall System
................................. 205
Monitoring Node Status ......................................................
206
Accessing the Node Details Page ...................................... 207
Working with Updates .........................................................
207
Rebooting Nodes .................................................................
208
Disabling Nodes ...................................................................
209
Using BYOD in a Centrally Managed
System............................. 209
Appendix A User Authentication
.............................................. 211
Overview
........................................................................................ 211
Verifying User Identity Credentials ....................................
211
About Authentication Mechanisms .................................... 212
Other Authentication Mechanisms .................................... 212
Choosing an Authentication Mechanism .......................... 212
About the Login Time-out ...................................................
213
Advanced Firewall and
DNS......................................................... 213
A Common DNS Pitfall ........................................................
213
Working with Large Directories
................................................... 214
Active
Directory.............................................................................
214
Active Directory Username Types...................................... 214
Accounts and NTLM Identification..................................... 215
About Kerberos
............................................................................. 215
Kerberos Pre-requisites and Limitations .......................... 215
Troubleshooting...................................................................
215
Appendix B Troubleshooting VPNs..........................................
217
Site-to-site
Problems.................................................................... 217
L2TP Road Warrior Problems
...................................................... 218
Enabling L2TP Debugging...................................................
218
Windows Networking
Issues........................................................ 219
ix
Advanced Firewall Administration Guide Contents
Appendix C Hosting
Tutorials................................................... 221
Basic Hosting Arrangement
......................................................... 221
Extended Hosting Arrangement
.................................................. 222
More Advanced Hosting Arrangement
....................................... 224
Glossary ................................................................. 227
Index....................................................................... 237
x Smoothwall Ltd
About This Guide
Smoothwall’s Advanced Firewall is a licenced feature of your Smoothwall System.
This manual provides guidance for configuring Advanced Firewall.
Audience and Scope
This guide is aimed at system administrators maintaining and deploying Advanced Firewall.
This guide assumes the following prerequisite knowledge:
• An overall understanding of the functionality of the Smoothwall System
• An overall understanding of networking concepts
Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.
Organization and Use
This guide is made up of the following chapters and appendices:
• Chapter 1, Introduction on page 3
• Chapter 2, Advanced Firewall Overview on page 5
• Chapter 3, Working with Interfaces on page 25
• Chapter 4, Managing Your Network Infrastructure on page 47
• Chapter 5, General Network Security Settings on page 67
• Chapter 6, Configuring Inter-Zone Security on page 75
• Chapter 7, Managing Inbound and Outbound Traffic on page 83
• Chapter 8, Virtual Private Networking on page 99
• Chapter 9, Authentication and User Management on page 173
• Chapter 10, Centrally Managing Smoothwall Systems on page 199
• Appendix A: User Authentication on page 211
• Appendix B: Troubleshooting VPNs on page 217
• Appendix C: Hosting Tutorials on page 221
• Glossary on page 227
• Index on page 237
Conventions
The following typographical conventions are used in this guide:
Item – Convention – Example
Key product terms – Initial Capitals – Advanced Firewall
Cross-references and references to other guides – Italics – See Chapter 1, Introduction on page 3
Filenames and paths – Courier – The portal.xml file
Variables that users replace – Courier Italics – http://<my_ip>/portal
This guide is written in such a way as to be printed on both sides of the paper.
Related Documentation
The following guides provide additional information relating to Advanced Firewall:
• Advanced Firewall Installation Guide, which describes how to install Advanced Firewall
• Advanced Firewall Operations Guide, which describes how to maintain Advanced Firewall
• Advanced Firewall Upgrade Guide, which describes how to upgrade Advanced Firewall
• Advanced Firewall User Portal Guide, which describes how to use the Advanced Firewall user portal
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.
1 Introduction
This chapter introduces Advanced Firewall, including:
• Overview of Advanced Firewall on page 3
• Annual Renewal on page 4
Overview of Advanced Firewall
Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy based access control to local network zones and Internet services.
Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.
Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• User authentication – policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• Load balancer – the ideal solution for the efficient and resilient use of multiple Internet connections.
• Internal firewall – segregation of networks into physically separate zones with user-level access control of inter-zone traffic
• Email Security – anti-spam, anti-malware, mail relay and control.
• VPN Gateway – site-to-site, secure remote access and secure wireless connections.
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.
2 Advanced Firewall Overview
In this chapter:
• How to access Advanced Firewall
• An overview of the pages used to configure and manage Advanced Firewall.
Accessing Advanced Firewall
To access Advanced Firewall:
1. In a web browser, enter the address of your Advanced Firewall, for example:
https://192.168.72.141:441
Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security.
Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.
2. Accept Advanced Firewall’s certificate. The login screen is displayed.
3. Enter the following information:
Field – Information
Username – Enter admin. This is the default Advanced Firewall administrator account.
Password – Enter the password you specified for the admin account when installing Advanced Firewall.
4. Click Login. The Dashboard opens.
The following sections give an overview of Advanced Firewall’s default sections and pages.
Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.
Logs and reports
The Logs and reports section contains the following sub-sections and pages:
Reports
Summary: Displays a number of generated reports. For more information, refer to the Advanced Firewall Operations Guide.
Reports: Where you generate and organize reports. For more information, refer to the Advanced Firewall Operations Guide.
Recent and saved: Lists recently-generated and previously saved reports. For more information, refer to the Advanced Firewall Operations Guide.
Scheduled: Sets which reports are automatically generated and delivered. For more information, refer to the Advanced Firewall Operations Guide.
Custom: Enables you to create and view custom reports. For more information, refer to the Advanced Firewall Operations Guide.
Alerts
Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Advanced Firewall Operations Guide.
Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Advanced Firewall Operations Guide.
Realtime
System: A real time view of the system log with some filtering options. For more information, refer to the Advanced Firewall Operations Guide.
Firewall: A real time view of the firewall log with some filtering options. For more information, refer to the Advanced Firewall Operations Guide.
IPSec: A real time view of the IPSec log with some filtering options. For more information, see Realtime IPsec Information on page 113.
Email: Displays the email log viewer running in real time mode. For more information, see Email Logs on page 122.
Portal: A real time view of activity on user portals. For more information, refer to the Advanced Firewall Operations Guide.
IM proxy: A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 114.
Traffic graphs: Displays a real time bar graph of the bandwidth being used. For more information, refer to the Advanced Firewall Operations Guide.
Logs
System: Simple logging information for the internal system services. For more information, refer to the Advanced Firewall Operations Guide.
Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Advanced Firewall Operations Guide.
IPSec: Displays diagnostic information for VPN tunnels. For more information, see IPSec Logs on page 120.
Email: Displays sender, recipient, subject and other email message information. For more information, see Email Logs on page 122.
IDS: Displays network traffic detected by the intrusion detection system (IDS). For more information, see IDS Logs on page 124.
IPS: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see IPS Logs on page 125.
IM proxy: Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 126.
Web proxy: Displays detailed analysis of web proxy usage. For more information, see Web Proxy Logs on page 63.
Reverse proxy: Displays information on reverse proxy usage. For more information, see Reverse Proxy Logs on page 127.
Log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Advanced Firewall Operations Guide.
Settings
Datastore settings: Contains settings to manage the storing of log files. For more information, refer to the Advanced Firewall Operations Guide.
Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Advanced Firewall Operations Guide.
Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Advanced Firewall Operations Guide.
Networking
The Networking section contains the following sub-sections and pages:
Filtering
Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 75.
Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 80.
IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 67.
Routing
Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 47.
RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page 49.
Sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Sources on page 51.
Ports: Used to create rules to set the external interface based on the destination port. For more information, see Ports on page 52.
Interfaces
Interfaces: Configure and display information on your Advanced Firewall’s internal interfaces. For more information, see Configuring Global Settings for Interfaces on page 26.
Internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see Working with Secondary External Interfaces on page 56.
External aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Creating an External Alias Rule on page 54.
Connectivity: Used to create external connection profiles and implement them. For more information, see Connecting Using a Static Ethernet Connectivity Profile on page 27.
PPP: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Creating a PPP Profile on page 40.
Secondaries: Used to configure an additional, secondary external interface. For more information, see Working with Secondary External Interfaces on page 56.
Firewall
Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Introduction to Port Forwards – Inbound Security on page 83.
Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Creating a Source Mapping Rule on page 55.
Advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Network Application Helpers on page 86.
Outgoing
Policies: Used to assign outbound access controls to IP addresses and networks. For more information, see Working with Outbound Access Policies on page 93.
Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Managing Outbound Traffic and Services on page 89.
External services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Managing External Services on page 96.
Settings
Port groups: Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Working with Port Groups on page 72.
Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 69.
Services
The Services section contains the following sub-sections and pages:
Authentication
Settings: Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 174.
Directories: Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Servers on page 175.
Groups: Used to customize group names. For more information, see Managing Groups of Users on page 186.
Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 189.
User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 191.
SSL login: Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see About SSL Authentication on page 192.
Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 196.
BYOD: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Advanced Firewall Operations Guide.
User Portal
Portals: This page enables you to configure and manage user portals. For more information, refer to the Advanced Firewall Operations Guide.
Group access: This page enables you to assign groups of users to portals. For more information, refer to the Advanced Firewall Operations Guide.
User access: This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Advanced Firewall Operations Guide.
Proxies
Web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Managing the Web Proxy Service.
Instant messenger: Used to configure and enable instant messaging proxying. For more information, see Instant Messenger Proxying on page 41.
SIP: Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see SIP Proxying on page 43.
FTP: Used to configure and enable a proxy to manage FTP traffic. For more information, see FTP Proxying on page 46.
Reverse proxy: The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Reverse Proxy Service on page 50.
SNMP
SNMP: Used to activate Advanced Firewall’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Advanced Firewall Operations Guide.
DNS
Static DNS: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Adding Static DNS Hosts on page 54.
DNS proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Enabling the DNS Proxy Service on page 55.
Dynamic DNS: Used to configure access to third-party dynamic DNS service providers. For more information, see Managing Dynamic DNS on page 55.
Message Censor
Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Advanced Firewall Operations Guide.
Filters: This is where you create and manage filters for matching particular types of message content. For more information, refer to the Advanced Firewall Operations Guide.
Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Advanced Firewall Operations Guide.
Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Advanced Firewall Operations Guide.
Intrusion System
Signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Uploading Custom Signatures on page 68.
Policies: Enables you to configure Advanced Firewall’s intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Creating Custom Policies on page 67.
IDS: Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Deploying Intrusion Detection Policies on page 64.
IPS: Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Deploying Intrusion Prevention Policies on page 65.
DHCP
Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Enabling DHCP on page 59.
DHCP server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Creating a DHCP Subnet on page 60.
DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Viewing DHCP Leases on page 64.
DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see DHCP Relaying on page 65.
Custom options: Used to create and edit custom DHCP options. For more information, see Creating Custom DHCP Options on page 65.
System
The System section contains the following sub-sections and pages:
Maintenance
Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Advanced Firewall Operations Guide.
Modules: Used to upload, view, check, install and remove Advanced Firewall modules. For more information, refer to the Advanced Firewall Operations Guide.
Licenses: Used to display and update license information for the licensable components of the system. For more information, refer to the Advanced Firewall Operations Guide.
Archives: Used to create and restore archives of system configuration information. For more information, refer to the Advanced Firewall Operations Guide.
Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Advanced Firewall Operations Guide.
Shutdown: Used to shutdown or reboot the system. For more information, refer to the Advanced Firewall Operations Guide.
Central Management
Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 205.
Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 201.
Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 200.
Preferences
User interface: Used to manage Advanced Firewall’s dashboard settings. For more information, refer to the Advanced Firewall Operations Guide.
Time: Used to manage Advanced Firewall’s time zone, date and time settings. For more information, refer to the Advanced Firewall Operations Guide.
Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Advanced Firewall Operations Guide.
Hostname: Used to configure Advanced Firewall’s hostname. For more information, refer to the Advanced Firewall Operations Guide.
Administration
Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, refer to the Advanced Firewall Operations Guide.
External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, refer to the Advanced Firewall Operations Guide.
Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Advanced Firewall Operations Guide.
Hardware
Pages Description
UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Advanced Firewall Operations Guide.
Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Managing Hardware Failover on page 164.
Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Configuring Modems on page 169.
Firmware upload: Used to upload firmware used by USB modems. For more information, see Installing and Uploading Firmware on page 170.
Diagnostics
Pages Description
Functionality tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, refer to the Advanced Firewall Operations Guide.
Configuration report: Used to create diagnostic files for support purposes. For more information, refer to the Advanced Firewall Operations Guide.
IP tools: Contains the ping and trace route IP tools. For more information, refer to the Advanced Firewall Operations Guide.
Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Advanced Firewall Operations Guide.
Traffic analysis: Used to generate and display detailed information on current traffic. For more information, refer to the Advanced Firewall Operations Guide.
Certificates
Page Description
Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Managing CA Certificates on page 176.
VPN
The VPN section contains the following pages:
Pages Description
Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Managing VPN Systems on page 153.
Certificate authorities: Used to create a local certificate authority (CA) for use in an X509 certificate-authenticated VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Working with Certificate Authorities and Certificates on page 105.
Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Managing Certificates on page 108.
Global: Used to configure global settings for the VPN system. For more information, see Setting the Default Local Certificate on page 112.
IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Site-to-Site VPNs – IPSec on page 112.
IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see IPSec Road Warriors on page 125.
L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Creating L2TP Road Warrior Connections on page 128.
SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Managing Custom Client Scripts for SSL VPNs on page 139.
Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.
Specifying Networks, Hosts and Ports
IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0
Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070
Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139
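The formats above (single address, low-high range, address/prefix or address/netmask subnet, dotted netmask, and a port or low:high port range) are easy to mistype in a rule field. The following added example, not Smoothwall's own code, validates each format as the guide describes it, including rejecting a non-contiguous netmask, a reversed range and an out-of-range port; the function names are the example's own.

```python
"""Validators for the value formats described under "Specifying Networks,
Hosts and Ports". Added example, not Smoothwall's own code."""
import ipaddress
import re


def parse_ip(text):
    """Single IPv4 host such as 192.168.10.1; raises ValueError otherwise."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text):
    """Range such as 192.168.10.1-192.168.12.255. The guide lets a range span
    subnets, so only the low <= high ordering is enforced."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError(f"not an address range: {text!r}")
    low, high = parse_ip(low_s), parse_ip(high_s)
    if low > high:
        raise ValueError(f"range must run from low to high: {text!r}")
    return low, high


def parse_netmask(text):
    """Dotted netmask such as 255.255.248.0. Returns the prefix length.
    A mask is only valid as a run of 1-bits followed by 0-bits:
    255.255.0.255 has 24 one-bits but is not a netmask."""
    mask = int(ipaddress.IPv4Address(text.strip()))
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {text!r}")
    return ones


def parse_subnet(text):
    """Subnet in either 192.168.10.0/24 or 192.168.10.0/255.255.255.0 form.
    The guide says the address part is arbitrary, so host bits are masked
    off (strict=False) rather than rejected."""
    addr_s, sep, mask_s = text.partition("/")
    if not sep:
        raise ValueError(f"not a subnet: {text!r}")
    if mask_s.strip().isdigit():
        prefix = int(mask_s)
        if prefix > 32:
            raise ValueError(f"prefix length out of range: {text!r}")
    else:
        prefix = parse_netmask(mask_s)
    return ipaddress.IPv4Network((parse_ip(addr_s), prefix), strict=False)


def parse_port_or_range(text):
    """A single port (21, 7070) or a low:high range (137:139).
    Returns (low, high); a single port is returned as (port, port)."""
    m = re.fullmatch(r"\s*(\d{1,5})(?::(\d{1,5}))?\s*", text)
    if not m:
        raise ValueError(f"not a port or port range: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"ports must be 1-65535 and low:high: {text!r}")
    return low, high


def classify(text):
    """Name the first format that accepts `text`, or 'invalid'. Netmask is
    tried before plain address because a contiguous mask such as 255.255.0.0
    is also a syntactically valid address."""
    for kind, parser in (("netmask", parse_netmask), ("ip", parse_ip),
                         ("range", parse_ip_range), ("subnet", parse_subnet),
                         ("port", parse_port_or_range)):
        try:
            parser(text)
            return kind
        except ValueError:
            continue
    return "invalid"


def rejects(parser, text):
    """True if `parser` refuses `text` with ValueError."""
    try:
        parser(text)
    except ValueError:
        return True
    return False
```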
Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration information.
Creating, Editing and Removing Rules
Much of Advanced Firewall is configured by creating rules – for example, IP block rules and administration access rules.
Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.
Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.
Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).
Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users etc.
Connecting via the Console
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Configuring Administration Access Options on page 154 for more information.
Connecting Using a Client
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Advanced Firewall. See Configuring Administration Access Options on page 154 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
Field Description
Host Name (or IP address): Enter Advanced Firewall’s host name or IP address.
Port: Enter 222.
Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.
Secure Communication
When you connect your web browser to Advanced Firewall’s web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.
Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall’s certificate is a self-signed certificate.
Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall.
To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.
Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address.
A certificate can only contain a single site name, and in Advanced Firewall’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.
To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.
In most cases, browsers have an option you can select to ignore this warning, which will also suppress these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
3 Working with Interfaces
This chapter describes how to configure the interfaces (network interface cards) on your Advanced Firewall, including:
• Configuring Global Settings for Interfaces on page 26
• Connecting Using an Internet Connectivity Profile on page 27
• Creating a PPP Profile on page 40
• Working with Bridges on page 42
• Working with Bonded Interfaces on page 43
• Configuring IP Addresses on page 44
• Virtual LANs on page 45
Configuring Global Settings for Interfaces
Global settings determine Advanced Firewall’s default gateway, and primary and secondary DNS addresses.
To configure global settings:
1. Browse to the Networking > Interfaces > Interfaces page.
The following global interface settings are available:
Setting Description
Default gateway: This setting determines Advanced Firewall’s default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 27.
Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Advanced Firewall and DNS on page 213.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.
Connecting Using an Internet Connectivity Profile
Advanced Firewall supports the following Internet connection methods:
Connection Method Description
Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.
Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall. A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.
Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.
Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and appropriate settings.
The following sections explain how to connect using different connection methods.
Connecting Using a Static Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a static Ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.
To connect using a static Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting Description
Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
Setting Description
Name: Accept the default name or enter a custom name.
Use as: Select External.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Static Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the Static Ethernet settings area, configure the following settings:
Setting Description
Interface: From the drop-down list, select the Ethernet interface for this connection.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Address: Enter the static IP address provided by your ISP.
Netmask: Enter the subnet mask as provided by your ISP.
Primary DNS: Enter the primary DNS server details as provided by your ISP.
Secondary DNS: Enter the secondary DNS server details as provided by your ISP.
6. Click Save and connect to save the profile and connect to the Internet immediately.
Connecting using a DHCP Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.
To connect using a DHCP Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting Description
Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
Setting Description
Name: Accept the default name or enter a custom name.
Use as: Select External.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select DHCP Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update and in the DHCP Ethernet settings area, configure the following settings:
Setting Description
Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a spoof MAC value, if required.
6. Click Save and connect to save the profile and connect to the Internet immediately.
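The failover options in the connectivity profile tables above (Automatic failover to profile, the Primary and Secondary failover ping IPs, and the reboot option) behave as a chain: a profile fails over only when neither ping IP answers, and the next profile is then checked in turn. The following added example, not Smoothwall's own code, models that chain with constructed profile names and RFC 5737 test addresses to show which profile is selected, when a reboot would be requested, and why a chain that loops back on itself must be treated as exhausted.

```python
"""Model of the connectivity-profile failover chain described in the guide.
Added example, not Smoothwall's own code; names and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    name: str
    primary_ping_ip: str
    secondary_ping_ip: Optional[str] = None  # optional in the guide
    failover_to: Optional[str] = None        # "Automatic failover to profile"


def connection_ok(profile, reachable):
    """A profile counts as up while either ping IP answers; the guide says the
    connection fails over only when primary AND secondary cannot be contacted."""
    targets = (profile.primary_ping_ip, profile.secondary_ping_ip)
    return any(ip is not None and ip in reachable for ip in targets)


def resolve_failover(profiles, start, reachable, reboot_on_total_failure=False):
    """Walk the daisy-chain from `start`. `reachable` is the set of ping IPs
    that answered, standing in for the live ping checks.
    Returns (selected profile name or None, reboot requested, profiles tried).
    A chain that loops back to a profile already tried is treated as
    exhausted instead of being walked forever."""
    by_name = {p.name: p for p in profiles}
    tried = []
    current = start
    while current is not None and current not in tried:
        if current not in by_name:
            raise ValueError(f"failover target {current!r} is not a defined profile")
        tried.append(current)
        if connection_ok(by_name[current], reachable):
            return current, False, tried
        current = by_name[current].failover_to
    return None, reboot_on_total_failure, tried


# Constructed chain: isp_a -> isp_b -> isp_c -> isp_a (a misconfigured loop).
PROFILES = [
    Profile("isp_a", "198.51.100.1", "198.51.100.2", failover_to="isp_b"),
    Profile("isp_b", "203.0.113.1", None, failover_to="isp_c"),
    Profile("isp_c", "192.0.2.1", None, failover_to="isp_a"),
]


def demo():
    """Three ping-check outcomes against the constructed chain."""
    return {
        # only the secondary ping IP answers: isp_a stays selected
        "secondary_only": resolve_failover(PROFILES, "isp_a", {"198.51.100.2"}),
        # both of isp_a's ping IPs fail: the chain moves to isp_b
        "a_down": resolve_failover(PROFILES, "isp_a", {"203.0.113.1"}),
        # nothing answers: every profile is tried once, then reboot is requested
        "all_down": resolve_failover(PROFILES, "isp_a", set(),
                                     reboot_on_total_failure=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```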
Connecting using a PPP over Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.
To connect using a PPP over Ethernet connection:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting Description
Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
Setting Description
Name: Accept the default name or enter a custom name.
Use as: Select External.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the PPP over Ethernet settings area, configure the following settings:
Setting Description
Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.
6. Click Save and connect to save the profile and connect to the Internet immediately.
Connecting using a PPTP over Ethernet Connectivity Profile
This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.
To connect using a PPTP over Ethernet connection:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting Description
Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
Setting Description
Name: Accept the default name or enter a custom name.
Use as: Select External.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPTP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the PPTP over Ethernet settings area, configure the following settings:
Setting Description
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 40.
Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.
6. Click Save and connect to save the profile and connect to the Internet immediately.
Connecting using an ADSL/DSL Modem Connectivity Profile
Advanced Firewall can connect to the Internet using an ADSL
modem.
Note: To connect using an ADSL modem, the ADSL device
must have been either configured
during the initial installation and setup or post-installation by
launching the setup program from the
system console. For further information, see the Advanced
Firewall Installation and Setup Guide. If
your ADSL connection uses a PPPoE connection, see
Connecting using a PPP over Ethernet
Connectivity Profile on page 31 for more information.
To connect using an ADSL/DSL modem connectivity profile:
1. On the Networking > Interfaces > Connectivity page,
configure the following settings:
Setting Description
Profiles Select Empty from drop-down list and click Select.
Profile name Enter a name for the connection profile.
Method Select ADSL modem.
Auto connect on boot By default, all connections will
automatically connect at boot time. If you
wish to disable this behavior, deselect this option.
Custom MTU Some ISPs supply additional settings that can be
used to improve
connection performance. If your ISP provides a custom MTU
value,
enter it here.
Automatic failover to
profile
Optionally, select to specify a different external connection
profile to
switch to if communication cannot be established with the hosts
identified in the Primary failover ping IP and Secondary
failover ping IP
fields.
Note: Using this option, you can daisy-chain profiles to use if
Advanced
Firewall cannot establish a connection using the specified
connection profile. There is also a reboot option which you can
use to restart the system if all of the connections fail.
Primary failover ping
IP
Enter an IP address known to be contactable if the external
connection
is operating correctly.
If the primary and secondary IP addresses cannot be contacted,
the
connection will failover, if another profile has been chosen in
the
Automatic failover to profile drop-down menu.
Secondary failover
ping IP
Optionally, enter a secondary IP address known to be
contactable if the
external connection is operating correctly.
If the primary and secondary IP addresses cannot be contacted,
the
connection will failover, if another profile has been chosen in
the
Automatic failover to profile drop-down menu.
Load balance
outgoing traffic
Select to ensure that outbound NATed traffic is divided among
the
primary external connection and any other secondary
connections that
have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be
sent out
of the primary external connection.
35
Advanced Firewall Administration Guide Working with
Interfaces
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2. Click Update. In the ADSL modem settings area, configure the following settings:
Setting Description
Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 40.
3. Click Save and connect to save the profile and connect to the Internet immediately.
Connecting using an ISDN Modem Connectivity Profile
Note: The following sections apply if an ISDN modem is installed in your Advanced Firewall.
This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem for Internet connectivity.
Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To connect using an ISDN modem connectivity profile:
1. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ISDN TA.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2. Click Update. In the ISDN settings area, configure the following settings:
Setting Description
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > Interfaces page and create one. For more information, see Creating a PPP Profile on page 40.
Telephone: Enter the telephone number for the ISDN connection.
Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Setting Description
37
Advanced Firewall Administration Guide Working with
Interfaces
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data-rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.
Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data-rate falls below the threshold for short periods of time.
3. Click Save to save the profile, or Save and connect to save the profile and use it to connect to the Internet immediately.
Connecting Using a Dial-up Modem Connectivity Profile
This section explains how to connect to the Internet using a dial-up modem for Internet connectivity.
To connect using a dial-up modem connectivity profile:
1. On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting Description
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Setting Description
38 Smoothwall Ltd
Advanced Firewall Administration Guide Working with
Interfaces
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2. Click Update. In the Modem settings area, configure the following settings:
Setting Description
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 40.
Modem profile: From the drop-down list, select the modem profile to use. For more information about modem profiles, refer to the Advanced Firewall Operations Guide.
Telephone: Enter the telephone number for the connection.
3. Click Save and connect to save the profile and use it to connect to the Internet immediately.
Setting Description
39
Advanced Firewall Administration Guide Working with
Interfaces
Creating a PPP Profile
Up to five PPP profiles can be created to store username, password and connection-specific details for connections where Advanced Firewall controls the connecting device, including ISDN and Ethernet/modem hybrid devices attached to Advanced Firewall.
A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.
To create a PPP profile:
1. Navigate to the Networking > Interfaces > PPP page.
2. Configure the following settings:
Setting Description
Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per unit time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests – this is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following failure to connect.
Username: Enter your ISP assigned username.
Password: Enter your ISP assigned password.
Method: Choose the authentication method as specified by your ISP in this field.
Script name: Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP.
Manual – select if your ISP has provided you with DNS server addresses to enter.
Automatic – select if your ISP automatically allocates DNS settings upon connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.
3. Click Save to save your settings and create a PPP profile.
Modifying Profiles
To modify a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2. Make the changes. See Connecting Using an Internet Connectivity Profile on page 27 for information on the settings.
3. Click Save. Advanced Firewall modifies the profile.
Note: Any changes made to a profile used in a current connection will only be applied following re-connection.
Deleting Profiles
To delete a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
2. Click Delete. Advanced Firewall deletes the profile.
Note: Deleting a profile used as part of a current connection will cause the current connection to close.
Working with Bridges
It is possible to deploy Advanced Firewall in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible.
The following sections explain how to create, edit and delete bridges.
Creating Bridges
To create a bridge:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting Description
Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following:
External – Select to use the bridge as an external interface.
Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.
Editing Bridges
To edit a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 42 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.
Deleting Bridges
To delete a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2. When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.
Working with Bonded Interfaces
Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.
Creating Bonds
To create a bond:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting Description
Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following:
External – Select to use the bond as an external interface.
Basic interface – Select to use the bond as an interface with one or more IP addresses on it.
Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 42.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.
Editing Bonds
To edit a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 43 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.
Deleting Bonds
To delete a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2. When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.
Configuring IP Addresses
The following sections explain how to add, edit and delete IP addresses used by interfaces.
Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 54 for more information.
Adding an IP Address
To add an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Setting Description
Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.
3. Click Add. Advanced Firewall adds the IP address to the interface.
Editing an IP Address
To edit an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2. In the IP addresses dialog box, point to the address and click Edit.
3. In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.
Deleting an IP Address
To delete an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2. In the IP addresses dialog box, point to the address and click Delete.
3. When prompted, click Delete. Advanced Firewall deletes the address.
Virtual LANs
Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system.
Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.
Creating a VLAN
To create a VLAN:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting Description
Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of NICs available, select the interface to use.
VLAN ID: If required, enter a tag in the range 1 - 4095 to create a separate network.
Note: We do not recommend using a VLAN tag of 1 as this can cause problems with some equipment.
Use as: Select one of the following:
External – Select to use the VLAN as an external interface.
Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
Basic interface – Select to use the VLAN as a basic interface.
Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
Bridge member – Select to use the VLAN as part of a bridge.
Bridge interface – From the drop-down list, select which bridge interface to use. For more information, see Working with Bridges on page 42.
Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
3. Click Add. The VLAN is added to the list of interfaces below, where you can configure it.
Editing a VLAN
To edit a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2. In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 45 for information on the settings available.
Deleting a VLAN
To delete a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2. When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.
4 Managing Your Network Infrastructure
This chapter describes how to manage various aspects of your Advanced Firewall network, including:
• Creating Subnets on page 47
• Using RIP on page 49
• Sources on page 51
• Ports on page 52
• Creating an External Alias Rule on page 54
• Creating a Source Mapping Rule on page 55
• Working with Secondary External Interfaces on page 56
• Using DHCP on page 59
Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.
47
Advanced Firewall Administration Guide Managing Your
Network Infrastructure
To create a subnet rule:
1. Navigate to the Networking > Routing > Subnets page.
2. Configure the following settings:
Setting Description
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.
Gateway: Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone. It is necessary for Advanced Firewall to be able to route to the gateway device in order for the subnet to be successfully configured. The gateway address must be on a network that Advanced Firewall is directly attached to.
Metric: Enter a router metric to set the order in which the route is taken. This sets the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Subnet Rules
To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.
Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.
Advanced Firewall’s RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system’s internal interfaces.
To configure the RIP service:
1. Navigate to the Networking > Routing > RIP page.
2. Configure the following settings:
Setting Description
Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval or the suitability of the RIP service for propagating routing information.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import and Export – The RIP service will add and update its routing table from information received from other RIP enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP enabled gateways.
Import – The RIP service will add and update its routing table from information received from other RIP enabled gateways.
Export – The RIP service will only broadcast its routing tables for use by other RIP enabled gateways.
Logging level: From the drop-down menu, select the level of logging.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
None – In this mode, routing information can be imported and exported between any RIP device. We do not recommend this option from a security standpoint.
Password – In this mode, a plain text password is specified which must match other RIP devices.
MD5 – In this mode, an MD5 hashed password is specified which must match other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces: Optionally, select interfaces whose information should also include routes to the RIP service’s own interfaces when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
3. Click Save.
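The three authentication modes above are visible on the wire, so a defender can check what neighbours actually send. As an added example (not from the guide and not Smoothwall's code), the following Python classifies RIPv2 packets captured from UDP port 520 by authentication mode, using the RFC 2453 (simple password, type 2) and RFC 2082 (keyed MD5, type 3) entry formats; the sample packets are constructed inline.

```python
# Added example (not Smoothwall's own code): classify RIPv2 packets by the
# authentication mode the guide describes (None / Password / MD5). Run it over
# UDP/520 payloads from a packet capture to find neighbours that still send
# unauthenticated updates or plaintext passwords.
import socket
import struct

RIP_RESPONSE = 2
AFI_AUTH = 0xFFFF            # address family value marking an authentication entry
AUTH_SIMPLE_PASSWORD = 2     # RFC 2453: plaintext password in the entry
AUTH_KEYED_MD5 = 3           # RFC 2082: keyed MD5, digest in a trailing entry
AUTH_NAMES = {AUTH_SIMPLE_PASSWORD: "Password", AUTH_KEYED_MD5: "MD5"}


def build_rip_response(routes, auth=None, password=b"secret"):
    """Build a RIPv2 response from constructed sample routes (demo data only)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    if auth == "Password":
        # 16-byte field, NUL padded: the password travels in clear text
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password)
    elif auth == "MD5":
        # RFC 2082 header entry: packet length, key id, auth data length,
        # sequence number, 8 reserved bytes. Placeholder values for the demo.
        pkt += struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, 0, 1, 16, 1, bytes(8))
    for net, mask, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(net),
                           socket.inet_aton(mask), socket.inet_aton("0.0.0.0"), metric)
    if auth == "MD5":
        # trailing entry that carries the 16-byte digest (zeros: constructed sample)
        pkt += struct.pack("!HH16s", AFI_AUTH, 1, bytes(16))
    return pkt


def classify_rip(payload: bytes) -> dict:
    """Return command, version, authentication mode and number of route entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("payload is not a well-formed RIP packet")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    entries = [payload[i:i + 20] for i in range(4, len(payload), 20)]
    auth = "None"
    if version == 2 and entries:
        afi, auth_type = struct.unpack("!HH", entries[0][:4])
        if afi == AFI_AUTH:
            auth = AUTH_NAMES.get(auth_type, "unknown(%d)" % auth_type)
            entries = entries[1:]
            if auth_type == AUTH_KEYED_MD5 and entries and \
                    struct.unpack("!HH", entries[-1][:4]) == (AFI_AUTH, 1):
                entries = entries[:-1]      # digest trailer, not a route
    return {"command": command, "version": version, "auth": auth, "routes": len(entries)}


def audit_rip(payload: bytes) -> str:
    """Map a packet to the guide's guidance: None is not recommended, Password is
    readable on the segment, MD5 is what trusted peers should be sending."""
    auth = classify_rip(payload)["auth"]
    if auth == "None":
        return "unauthenticated: any RIP device on the segment could inject routes"
    if auth == "Password":
        return "plaintext password: readable by anyone on the segment"
    if auth == "MD5":
        return "keyed MD5: routes accepted only from peers sharing the key"
    return "unrecognised authentication type"


# constructed sample routing table
SAMPLE_ROUTES = [("10.10.0.0", "255.255.0.0", 1), ("192.168.1.0", "255.255.255.0", 2)]

if __name__ == "__main__":
    for mode in (None, "Password", "MD5"):
        pkt = build_rip_response(SAMPLE_ROUTES, auth=mode)
        print(classify_rip(pkt), "->", audit_rip(pkt))
```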
Sources
The Sources page is used to configure source rules which determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active.
Source rules can be created for individual hosts, ranges of hosts or subnet ranges.
Creating Source Rules
Source rules route outbound traffic from selected network hosts through a particular external interface.
To create a source rule:
1. Navigate to the Networking > Routing > Sources page.
2. Configure the following settings:
Setting Description
Source IP or network: Enter the source IP or subnet range of internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 52.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.
Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing. Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.
3. Click Add.
Removing a Rule
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.
2. Alter the configuration values as necessary, and click Add.
About IP Address Definitions
Single or multiple IP addresses can be specified in a number of different ways:
IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255.
Ports
The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
Note: The rules specified on the Sources page will always be examined first, so traffic is only matched against the ports rules if it does not first match a sources rule. For more information, see Sources on page 51.
Creating a Ports Rule
Port rules route outbound traffic for selected ports through a particular external interface.
To create a ports rule:
1. Navigate to the Networking > Routing > Ports page.
2. Configure the following settings:
Setting Description
Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
Port: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface.
Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Enter a description of the rule.
Enabled: Select to make the rule active.
3. Click Add to create the rule. The rule is created and listed in the Current rules area.
Removing Rules
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Select the rule in the Current rules area and click Edit.
2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.
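As an added example (not part of the guide and not Smoothwall's code), the following Python models the outbound routing decision described in the Sources and Ports sections, with a parser for the three forms in About IP Address Definitions. Interface names and rule values are constructed sample data, and treating a rule that names a specific interface as taking its traffic out of load balancing is my assumption; the guide states that only for Exception.

```python
# Added example (not Smoothwall's own code): model of the Sources-then-Ports
# outbound routing decision, using the three IP definition notations from the
# guide. Rule values and interface names below are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PRIMARY = "primary"        # the primary external connection
EXCEPTION = "Exception"    # the special External interface value in the web UI


def parse_ip_definition(text: str) -> ipaddress.IPv4Network:
    """Parse a single host (192.168.10.1), a dotted-decimal subnet
    (192.168.10.0/255.255.255.0) or prefix notation (192.168.10.0/24).
    A lone address is a /32; host bits in a subnet are masked off."""
    text = text.strip()
    if "/" not in text:
        return ipaddress.IPv4Network(text + "/32")
    return ipaddress.IPv4Network(text, strict=False)


def address_range(definition: str) -> Tuple[str, str]:
    """First and last address covered by a definition, as the guide lists them."""
    net = parse_ip_definition(definition)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class SourceRule:          # Networking > Routing > Sources
    source: str            # IP, IP/netmask or IP/prefix of the internal hosts
    internal_if: str       # internal interface the traffic must arrive on
    external_if: str       # external interface name, or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:            # Networking > Routing > Ports
    protocol: str          # "tcp" or "udp"
    port: int
    external_if: str       # external interface name, or EXCEPTION
    enabled: bool = True


@dataclass
class Packet:
    src_ip: str
    internal_if: str
    protocol: str
    dst_port: int


@dataclass
class Decision:
    external_if: str
    load_balanced: bool    # False when a rule pins the traffic (assumption for named interfaces)
    matched_by: str        # "sources", "ports" or "default"


def _pin(external_if: str, matched_by: str) -> Decision:
    # Exception always means the primary and is never load balanced (per the guide)
    target = PRIMARY if external_if == EXCEPTION else external_if
    return Decision(target, load_balanced=False, matched_by=matched_by)


def select_external_interface(pkt: Packet, source_rules: List[SourceRule],
                              port_rules: List[PortRule]) -> Decision:
    """Sources rules are examined first; Ports rules apply only when no Sources
    rule matched; unmatched traffic leaves via the primary and may be load
    balanced if a pool is configured."""
    src = ipaddress.IPv4Address(pkt.src_ip)
    for rule in source_rules:
        if not rule.enabled or rule.internal_if != pkt.internal_if:
            continue
        if src in parse_ip_definition(rule.source):
            return _pin(rule.external_if, "sources")
    for rule in port_rules:
        if rule.enabled and rule.protocol == pkt.protocol and rule.port == pkt.dst_port:
            return _pin(rule.external_if, "ports")
    return Decision(PRIMARY, load_balanced=True, matched_by="default")


# Constructed sample policy: the mail server is pinned to the primary so its
# outbound SMTP always leaves from the address published in DNS; the rest of
# that LAN uses the secondary link; SMTP from any other zone also uses it.
SOURCE_RULES = [
    SourceRule("192.168.1.25", "eth1", EXCEPTION),
    SourceRule("192.168.1.0/255.255.255.0", "eth1", "ext2"),
]
PORT_RULES = [PortRule("tcp", 25, "ext2")]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.25", "eth1", "tcp", 25),
                Packet("192.168.1.40", "eth1", "tcp", 443),
                Packet("10.0.0.5", "eth2", "tcp", 25),
                Packet("10.0.0.5", "eth2", "tcp", 80)):
        print(pkt, "->", select_external_interface(pkt, SOURCE_RULES, PORT_RULES))
```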
Creating an External Alias Rule
Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Smoothwall System’s external interface.
To create an external alias rule:
1. Navigate to the Networking > Interfaces > External aliases page.
2. Configure the following settings:
Setting Description
External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select: Click to select the interface.
Connectivity profile: Used to determine when the external alias is active. Options include:
All – The external alias will always be active, irrespective of the currently active connection profile.
Named connection profile – The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask: Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.
Comment: A field used to assign a helpful message describing the external alias rule.
Enabled: Determines whether the external alias rule is currently active.
3. Click Add. The external alias rule is added to the Current rules table.
Editing and Removing External Alias Rules
To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.
Port Forwards from External Aliases
Advanced Firewall extends your system’s port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias.
No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.
Creating a Source Mapping Rule
Advanced Firewall enables you to map internal hosts to an external IP alias, instead of the default, real external IP, by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address.
A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address, i.e. the Advanced Firewall default external IP is not the MX for the email domain. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.
To create a source mapping rule:
1. Navigate to the Networking > Firewall > Source mapping page.
55
Advanced Firewall Administration Guide Managing Your
Network Infrastructure
2. Configure the following settings:
3. Click Add. The source mapping rule is added to the Current
rules table.
Editing and Removing Source Mapping Rules
To edit or remove existing source mapping rules, use Edit and
Remove in the Current rules area.
Working with Secondary External Interfaces
The Secondaries page is used to configure an additional,
secondary external interface. A secondary
external interface will operate independently of the primary
external interface, NATing its own
outbound traffic.
Once a secondary external interface is active, the system can be
configured to selectively route
different internal hosts, ranges of hosts and subnets out across
either the primary or secondary
external interface.
Setting Description
Source IP Enter the source IP or network of hosts to be mapped
to an external.
For a single host, enter its IP address.
For a network of hosts, enter an appropriate IP address and
subnet mask
combination, for example, enter 192.168.100.0/255.255.255.0
will
create a source mapping rule for hosts in the IP address range
192.168.100.1
through to 192.168.100.255.
For all hosts, leave the field blank.
Alias IP From the drop-down list, select the external alias that
outbound communication is
mapped to.
Comment Enter a description of the rule.
Enabled Select to enable the rule.
56 Smoothwall Ltd
Advanced Firewall Administration Guide Managing Your
Network Infrastructure
Configuring a Secondary External Interface
Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.
To configure a secondary external interface:
1. Navigate to the Networking > Interfaces > Secondaries page.
2. Configure the following settings:
Secondary external interface: From the drop-down list, select the interface you want to use as the secondary external interface.
Select: Click to select the interface.
Address: Enter the IP address.
Netmask: Enter the netmask.
Default gateway: Enter the default gateway.
Enabled: Select to enable the interface.
Primary failover ping IP: Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.
Secondary failover ping IP: Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.
Load balance outgoing traffic: Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool. Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool. Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.
Weighting: Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
• A connection weighted 2 will be given twice as much load as a connection weighted 1.
The weighting value is especially useful for load balancing external connections of differing speeds.
3. Click Save to save your settings and enable the secondary external interface.
Using DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings.
Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
• Support for 2 DHCP subnets
• Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
• Automate the creation of static assignments using the ARP cache.
Enabling DHCP
To enable DHCP:
1. Navigate to the Services > DHCP > Global page.
2. Configure the following settings:
Enabled: Select to enable the DHCP service.
Server: Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
Relay (forwarding proxy): Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging: Select to enable logging.
3. Click Save to enable the service.
Creating a DHCP Subnet
The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.
To create a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Configure the following settings:
DHCP Subnet: From the drop-down menu, select Empty and click Select.
Subnet name: Enter a name for the subnet.
Network: Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the netmask field. For example: 192.168.10.0.
Netmask: Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS: Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS: Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.
Default gateway: Enter the value that a requesting network host will receive for the default gateway it should use.
Enabled: Determines whether the DHCP subnet is currently active.
Click Advanced to access the following settings:
Primary WINS: Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS: Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP: Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. For more information, refer to the Advanced Firewall Operations Guide.
Secondary NTP: Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. For more information, refer to the Advanced Firewall Operations Guide.
Default lease time (mins): Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins): Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server: Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename: Specify to the network booting client which file to download when booting off the above TFTP server.
Domain name suffix: Enter the domain name suffix that will be appended to the requesting host's hostname.
Automatic proxy config URL: Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP options: Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 65.
3. Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.
Editing a DHCP subnet
To edit a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Edit the settings displayed in the Settings area.
4. Click Save.
Deleting a DHCP subnet
To delete a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Click Delete.
Adding a Dynamic Range
Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.
To add a dynamic range to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3. In the Add a new dynamic range area, configure the following settings:
Start address: Enter the start of the IP range from which the DHCP server should supply dynamic addresses. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
End address: Enter the end of the IP range from which the DHCP server should supply dynamic addresses. For example, enter 192.168.10.15. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
Comment: Enter a description of the dynamic range.
Enabled: Select to enable the dynamic range.
4. Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.
Adding a Static Assignment
Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by referencing the unique MAC address of the requesting host’s network interface card. This is used to ensure that certain hosts are always leased the same IP address, as if they were configured with a static IP address.
To add a static assignment to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3. Scroll to the Add a new static assignment area and configure the following settings:
MAC address: Enter the MAC address of the network host’s NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address: Enter the IP address that the host should be assigned.
Comment: Enter a description of the static assignment.
Enabled: Select to enable the assignment.
4. Click Add static. The static assignment is added to the Current static assignments table.
Adding a Static Assignment from the ARP Table
In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.
To add a static assignment from the ARP cache to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3. Scroll to the Add a new static assignment from ARP table area.
4. Select one or more MAC addresses from those listed and click Add static from ARP table.
5. Click Save.
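The two procedures above both come down to the same checks: a MAC in any of the separator styles the page allows, an IP that is actually a host address in the DHCP subnet, and no double booking of either. The following Python is an added example and not Smoothwall's code; it normalises MAC addresses, validates static assignments, and emulates "Add static from ARP table" over a constructed ARP listing in the format printed by the Linux `ip neigh show` command (the addresses, MACs and interface names are made up).

```python
"""Added example (not Smoothwall code): build DHCP static assignments from
MAC addresses written in the separator styles the page allows, and from a
constructed ARP cache listing in `ip neigh show` format."""
import ipaddress
import re
from typing import Dict, List, Tuple

_HEX_PAIR = re.compile(r"^[0-9A-F]{2}$")


def normalise_mac(raw: str) -> str:
    """Accept '12 34 56 78 9A BC', '12:34:56:78:9A:BC', '12-34-56-78-9A-BC' or
    '123456789ABC' and return the canonical lower-case colon form."""
    parts = [p.upper() for p in re.split(r"[^0-9A-Fa-f]+", raw.strip()) if p]
    if len(parts) == 1 and len(parts[0]) == 12:          # no separators at all
        parts = [parts[0][i:i + 2] for i in range(0, 12, 2)]
    if len(parts) != 6 or not all(_HEX_PAIR.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(p.lower() for p in parts)


def is_valid_mac(raw: str) -> bool:
    try:
        normalise_mac(raw)
        return True
    except ValueError:
        return False


def add_static(subnet: str, table: Dict[str, str], mac: str, ip: str) -> str:
    """Add one static assignment (MAC -> IP) to `table`, which models the
    Current static assignments list of a DHCP subnet. Rejects an IP outside
    the subnet, the network or broadcast address, a MAC that already has an
    assignment, and an IP already promised to another MAC. Returns the stored MAC."""
    net = ipaddress.IPv4Network(subnet)
    key = normalise_mac(mac)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is not a host address in {subnet}")
    if key in table:
        raise ValueError(f"{key} already has a static assignment")
    if str(addr) in table.values():
        raise ValueError(f"{ip} is already assigned to another MAC")
    table[key] = str(addr)
    return key


# One `ip neigh show` entry: "<ip> dev <if> lladdr <mac> <state>". Entries
# without a resolved MAC (FAILED, INCOMPLETE) carry no lladdr and won't match.
_ARP_LINE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def statics_from_arp(subnet: str, arp_output: str,
                     table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Emulate 'Add static from ARP table': every resolved entry inside the
    DHCP subnet becomes a static assignment; entries that fail add_static's
    checks are skipped. Returns the (mac, ip) pairs that were added."""
    added = []
    for line in arp_output.splitlines():
        m = _ARP_LINE.match(line.strip())
        if not m:
            continue
        ip, _dev, mac, state = m.groups()
        if state not in ("REACHABLE", "STALE", "PERMANENT"):
            continue
        try:
            added.append((add_static(subnet, table, mac, ip), ip))
        except ValueError:
            continue
    return added


SAMPLE_ARP = """\
192.168.10.23 dev eth1 lladdr 52:54:00:ab:cd:ef REACHABLE
192.168.10.40 dev eth1 lladdr 52:54:00:11:22:33 STALE
192.168.10.99 dev eth1 FAILED
192.168.20.7 dev eth2 lladdr 52:54:00:44:55:66 REACHABLE
"""  # constructed listing, not taken from a real host

if __name__ == "__main__":
    assignments: Dict[str, str] = {}
    print(statics_from_arp("192.168.10.0/24", SAMPLE_ARP, assignments))
```

Running it on the constructed listing yields two assignments: the FAILED entry has no MAC to copy and the eth2 host lies outside the 192.168.10.0/24 subnet, so both are skipped. Running the same listing a second time adds nothing, which is the duplicate check doing its job.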
Editing and Removing Assignments
To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.
Viewing DHCP Leases
To view free leases:
1. Navigate to the Services > DHCP > DHCP leases page.
2. Select Show free leases and click Update. The following information is displayed:
IP address: The IP address assigned to the network host which submitted a DHCP request.
Start time: The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time: The end time of the DHCP lease granted to the network host that submitted a DHCP request.
MAC address: The MAC address of the network host that submitted a DHCP request.
Hostname: The hostname assigned to the network host that submitted a DHCP request.
State: The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, the IP address is reserved for the same MAC address or re-used if not enough slots are available.
DHCP Relaying
Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.
To configure DHCP relaying:
1. Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2. Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields. Click Save.
Note: DHCP relaying must be enabled on the Services > DHCP > Global page.
Creating Custom DHCP Options
Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.
To create a custom option:
1. Browse to the Services > DHCP > Custom options page.
2. Configure the following settings:
Option code: From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type: From the drop-down list, select the option type. IP address – Select when creating an option which uses an IP address. Text – Select when creating an option which uses text.
Description: Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment: Optionally, enter any comments relevant to the option.
Enabled: Select to enable the option.
3. Click Add. Advanced Firewall creates the option and lists it in the Current custom options area.
For information on using custom options, see Creating a DHCP Subnet on page 60.
5 General Network Security Settings
This chapter describes how to secure your Advanced Firewall network, including:
• Blocking by IP on page 67
• Configuring Advanced Networking Features on page 69
• Working with Port Groups on page 72
Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware.
IP block rules can also operate in an exception mode, in which traffic from certain source IPs or network addresses is always allowed.
Creating IP Blocking Rules
IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.
To create an IP block rule:
1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:
Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 19
Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP, and no communication will be possible.
Exception: Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
Log: Select to log all activity from this IP.
Comment: Optionally, describe the IP block rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
Editing and Removing IP Block Rules
To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.
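To make the rule semantics above concrete (three address formats, exception rules overriding block rules, drop versus reject, and the same-subnet note), here is an added Python example that is not Smoothwall's code. It parses the address formats the IP block page accepts and evaluates a constructed rule set against constructed packets; the order of evaluation (exceptions first, then the first matching block rule) is my reading of the Exception description, and the addresses are documentation ranges, not anything from the lab.

```python
"""Added example (not Smoothwall code): a small evaluator for IP block rules
as the page defines them, run over constructed packets to show exception
precedence, drop versus reject, and the same-subnet limitation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network


def parse_spec(spec: str) -> Optional[List[Network]]:
    """Parse the address formats the IP block page accepts: a single host,
    a 'first-last' range, or 'net/mask' and 'net/prefix'. Blank means any."""
    spec = spec.strip()
    if not spec:
        return None
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    if "/" in spec:
        return [Network(spec, strict=False)]
    return [Network(spec + "/32")]


def spec_contains(spec: str, ip: str) -> bool:
    """True if the address falls inside the spec (blank spec matches everything)."""
    nets = parse_spec(spec)
    addr = ipaddress.IPv4Address(ip)
    return nets is None or any(addr in n for n in nets)


@dataclass
class IPBlockRule:
    source: str                 # Source IP or network
    destination: str = ""       # Destination IP or network, blank = any
    action: str = "drop"        # "drop", "reject" or "exception"
    log: bool = False
    comment: str = ""
    enabled: bool = True

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (self.enabled
                and spec_contains(self.source, src_ip)
                and spec_contains(self.destination, dst_ip))


def evaluate(rules: List[IPBlockRule], src_ip: str, dst_ip: str,
             local_subnets: Tuple[str, ...] = ()) -> Tuple[str, Optional[str]]:
    """Return (verdict, log line). Verdicts: 'not-routed' (both hosts sit on one
    directly connected subnet, so the firewall never sees the packet), 'allow',
    'drop' or 'reject'. An exception rule overrides every block rule."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for subnet in local_subnets:
        net = Network(subnet)
        if src in net and dst in net:
            return "not-routed", None
    hits = [r for r in rules if r.matches(src_ip, dst_ip)]
    if any(r.action == "exception" for r in hits):
        return "allow", None
    for rule in hits:
        if rule.action in ("drop", "reject"):
            entry = f"{rule.action.upper()} {src_ip} -> {dst_ip} ({rule.comment})" if rule.log else None
            return rule.action, entry
    return "allow", None


RULES = [  # constructed rule set
    IPBlockRule("203.0.113.0/24", action="drop", log=True, comment="hostile range"),
    IPBlockRule("203.0.113.7", action="exception", comment="partner host in that range"),
    IPBlockRule("198.51.100.10-198.51.100.20", action="reject", comment="scanner block"),
    IPBlockRule("192.168.10.7", action="drop", log=True, comment="infected workstation"),
]

if __name__ == "__main__":
    for src, dst in [("203.0.113.50", "192.168.10.5"), ("203.0.113.7", "192.168.10.5"),
                     ("192.168.10.7", "10.20.0.9"), ("192.168.10.7", "192.168.10.9")]:
        print(src, "->", dst, evaluate(RULES, src, dst, ("192.168.10.0/24",)))
```

The last two sample packets illustrate the note above: the infected workstation is dropped when it talks to another network, but its traffic to a neighbour on the same 192.168.10.0/24 subnet never reaches the firewall, so no IP block rule can stop it.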
Configuring Advanced Networking Features
Advanced Firewall’s advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.
To configure advanced networking features:
1. Navigate to the Networking > Settings > Advanced page.
2. Configure the following feature settings:
Block and ignore:
ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
ICMP ping – Select to block all ICMP ping requests going to or through Advanced Firewall. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.
IGMP packets – Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
Multicast traffic – Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.
SYN+FIN packets – Select to automatically discard packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.
Enable SYN cookies – Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS attack.
TCP timestamps – Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.
Selective ACKs – Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
Window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
ARP filter – Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.
ARP table size: You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Advanced Firewall's network interfaces.
Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table’s maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient – use this field to configure a larger size.
SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.
Audit: Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.
Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall.
Forwarded traffic – Select to log all new connections passing through one interface to another.
Direct outgoing traffic – Select to log all new connections from any interface.
Note: It is possible that auditing traffic generates vast amounts of logging data. Ensure that the quantity of logs generated is acceptable. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.
Drop all direct traffic on internal interfaces: Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Advanced Firewall.
3. Click Save to enable the settings you have selected.
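Smoothwall is a Linux kernel-based firewall, so the options on the Advanced page ultimately end up as kernel settings, which is also where you can verify them from a shell after clicking Save. The Python below is an added example, not Smoothwall's code: it parses constructed `sysctl -a` style output and reports where a host deviates from the chosen settings. The mapping from each GUI option to a sysctl key is my assumption (the manual does not say how the tick-boxes are implemented), and the only size threshold checked is the ARP table, because 2048 is the one default the page states.

```python
"""Added example (not Smoothwall code): audit a Linux firewall host's kernel
settings against the choices made on the Advanced page, using constructed
`sysctl -a` output. The GUI-option-to-sysctl mapping is an assumption."""
from typing import Dict, List, Tuple

# Assumed mapping: GUI option -> (sysctl key, value once the option is ticked).
# ECN is held at the page's documented default (off). Linux tcp_ecn also
# accepts 2 (use ECN only when the peer requests it); the audit flags that
# too, because the page describes the feature as disabled.
DESIRED: Dict[str, Tuple[str, str]] = {
    "Block and ignore ICMP ping broadcasts": ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
    "Enable SYN cookies": ("net.ipv4.tcp_syncookies", "1"),
    "TCP timestamps": ("net.ipv4.tcp_timestamps", "1"),
    "Selective ACKs": ("net.ipv4.tcp_sack", "1"),
    "Window scaling": ("net.ipv4.tcp_window_scaling", "1"),
    "ECN": ("net.ipv4.tcp_ecn", "0"),
    "ARP filter": ("net.ipv4.conf.all.arp_filter", "1"),
}

# The ARP table size is the only limit with a stated default (2048) on the page.
MINIMUMS: Dict[str, Tuple[str, int]] = {
    "ARP table size": ("net.ipv4.neigh.default.gc_thresh3", 2048),
}

# Limits the page calls "usually adequate": reported for the reader, not judged.
REPORT_ONLY: Dict[str, str] = {
    "Connection tracking table size": "net.netfilter.nf_conntrack_max",
    "SYN backlog queue size": "net.ipv4.tcp_max_syn_backlog",
}


def parse_sysctl(output: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by `sysctl -a`."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """One finding per deviation from DESIRED and MINIMUMS; [] means compliant."""
    findings: List[str] = []
    for option, (key, expected) in DESIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{option}: {key} missing")
        elif actual != expected:
            findings.append(f"{option}: {key}={actual}, expected {expected}")
    for option, (key, minimum) in MINIMUMS.items():
        actual = settings.get(key)
        if actual is None or not actual.isdigit() or int(actual) < minimum:
            findings.append(f"{option}: {key}={actual}, expected at least {minimum}")
    return findings


def current_limits(settings: Dict[str, str]) -> Dict[str, str]:
    """Current values of the limits that are reported but not judged."""
    return {option: settings.get(key, "missing") for option, key in REPORT_ONLY.items()}


SAMPLE_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 2
net.ipv4.conf.all.arp_filter = 0
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.tcp_max_syn_backlog = 1024
net.netfilter.nf_conntrack_max = 65536
"""  # constructed output, not captured from the lab firewall

if __name__ == "__main__":
    parsed = parse_sysctl(SAMPLE_SYSCTL)
    for finding in audit(parsed):
        print(finding)
    print(current_limits(parsed))
```

On the constructed sample the audit reports four findings: SYN cookies off, ECN not disabled, the ARP filter off, and an ARP table below the 2048 default. On a real host you would feed it the output of `sysctl -a` and compare against the boxes you actually ticked.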
Working with Port Groups
You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible.
For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.
Creating a Port Group
To create a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. In the Port groups area, click New and configure the following settings:
Group name: Enter a name for the port group and click Save.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
Comment: Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or port range is added to the group.
Adding Ports to Existing Port Groups
To add a new port:
1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:
Port groups: From the drop-down list, select the group you want to add a port to and click Select.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535.
Comment: Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or range are added to the group.
Editing Port Groups
To edit a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.
Deleting a Port Group
To delete a Port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.
Note: Deleting a port group cannot be undone.
6 Configuring Inter-Zone Security
This chapter describes how to configure bridging between network zones, including:
• About Zone Bridging Rules on page 75
• Creating a Zone Bridging Rule on page 76
• Editing and Removing Zone Bridge Rules on page 78
• A Zone Bridging Tutorial on page 78
• Group Bridging on page 80
About Zone Bridging Rules
By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.
A zone bridging rule defines a bridge in the following terms:
Zones: Defines the two network zones between which the bridge exists.
Direction: Defines whether the bridge is accessible one-way or bi-directionally.
Source: Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a network or any host.
Service: Defines what ports and services can be used across the bridge.
Protocol: Defines what protocol can be used across the bridge.
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, for example, a bi-directional, any-host to any-host bridge, using any port and protocol.
In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.
Creating a Zone Bridging Rule
Zone bridging rules enable communications between specific parts of separate internal networks.
To create a zone bridging rule:
1. Navigate to the Networking > Filtering > Zone bridging page.
2. Configure the following settings:
Source interface: From the drop-down menu, select the source network zone.
Destination interface: From the drop-down menu, select the destination network zone.
Bi-directional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
• A single network host, enter its IP address, for example, 192.168.10.1.
• A range of network hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Service: From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port: If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment: Enter a description of the bridging rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.
A Zone Bridging Tutorial
In this tutorial, we will use the following two local network zones:
Protected network: Contains local user workstations and confidential business data. IP address: 192.168.100.0/24.
DMZ: Contains a web server. IP address: 192.168.200.0/24.
Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
• Allows restricted external access to a web server in the DMZ, from the Internet.
• Does not allow access to the protected network from the DMZ.
• Allows unrestricted access to the DMZ from the protected network.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.
Creating the Zone Bridging Rule
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Source interface: From the drop-down menu, select the protected network.
Destination interface: From the drop-down menu, select the DMZ.
Protocol: From the drop-down list, select All.
Comment: Enter a description of the rule.
Enabled: Select to activate the bridging rule once it has been added.
2. Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.
Allowing Access to the Web Server
To allow access to a web server in the DMZ from the Internet:
1. Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:
2. Click Add.
Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page
and configure the following
settings:
2. Click Add.
Setting Description
Protocol From the drop-down list, select TCP.
Destination IP Enter the IP address of the web server
192.168.200.10.
Source From the drop-down menu, select HTTP (80) to forward
HTTP requests
to the web server.
Comment Enter a description, such as Port forward to DMZ web
server.
Enabled Select to activate the port forward rule once it has been
added.
Setting Description
Source interface From the drop-down menu, select DMZ.
Destination interface From the drop-down menu, select
Protected Network.
Protocol From the drop-down menu, select TCP.
Source IP Enter the web server’s IP address: 192.168.200.10
Destination IP Enter the database’s IP address: 192.168.100.50
Service Select User defined.
Port The database service is accessed on port 3306. Enter 3306.
Comment Enter a comment: DMZ web server to Protected
Network DB.
Enabled Select Enabled to activate the bridging rule once the
bridging rule has
been added.
79
Advanced Firewall Administration Guide Configuring Inter-
Zone Security
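The three rules of the tutorial above, modelled as an added Python example (not code from the Smoothwall guide): a flow is placed in a zone by subnet, traffic between zones is denied unless a bridging rule matches, and inbound HTTP is forwarded to the DMZ web server. The zone, web server and database addresses are the tutorial's; the firewall's external address 203.0.113.1 and the external client addresses are assumptions.

```python
"""Model of the zone bridging tutorial (added example, not the guide's code).
Inter-zone traffic is denied unless a bridging rule permits it; traffic from
outside reaches an internal host only through a port forward.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {
    "Protected": ip_network("192.168.100.0/24"),  # tutorial's protected network
    "DMZ": ip_network("192.168.200.0/24"),        # tutorial's DMZ
}
FIREWALL_EXTERNAL_IP = ip_address("203.0.113.1")  # assumed, not in the guide


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class BridgeRule:
    src_zone: str
    dst_zone: str
    proto: str = "all"             # "all" or one protocol
    src_ip: Optional[str] = None   # blank = any host in the source zone
    dst_ip: Optional[str] = None   # blank = any host in the destination zone
    port: Optional[int] = None     # blank = all ports for the protocol

    def matches(self, flow: "Flow") -> bool:
        if zone_of(flow.src) != self.src_zone or zone_of(flow.dst) != self.dst_zone:
            return False
        if self.proto != "all" and self.proto != flow.proto:
            return False
        if self.src_ip and ip_address(flow.src) != ip_address(self.src_ip):
            return False
        if self.dst_ip and ip_address(flow.dst) != ip_address(self.dst_ip):
            return False
        return self.port is None or self.port == flow.dport


# Rule 1: Protected -> DMZ, all protocols, any host.
# Rule 2: DMZ web server -> Protected database, TCP port 3306 only.
BRIDGES = [
    BridgeRule("Protected", "DMZ"),
    BridgeRule("DMZ", "Protected", "tcp", "192.168.200.10", "192.168.100.50", 3306),
]
# The port forward: TCP 80 arriving at the external interface -> DMZ web server.
PORT_FORWARDS = {("tcp", 80): ("192.168.200.10", 80)}


def zone_of(addr: str) -> str:
    """Name the zone a host belongs to; anything outside the local zones is External."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "External"


def evaluate(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'forward -> ip:port' for a new connection."""
    if zone_of(flow.src) == "External":
        # Only port-forwarded services are reachable from outside, and the
        # forward is bound to the firewall's external address.
        if ip_address(flow.dst) == FIREWALL_EXTERNAL_IP:
            target = PORT_FORWARDS.get((flow.proto, flow.dport))
            if target:
                return "forward -> %s:%d" % target
        return "deny"
    if zone_of(flow.src) == zone_of(flow.dst):
        return "allow"  # hosts may always reach their own zone
    if any(rule.matches(flow) for rule in BRIDGES):
        return "allow"
    return "deny"


if __name__ == "__main__":
    for f in (Flow("192.168.100.20", "192.168.200.10", "tcp", 22),
              Flow("192.168.200.10", "192.168.100.50", "tcp", 3306),
              Flow("192.168.200.10", "192.168.100.50", "tcp", 22),
              Flow("192.168.200.11", "192.168.100.50", "tcp", 3306),
              Flow("198.51.100.7", "203.0.113.1", "tcp", 80),
              Flow("198.51.100.7", "203.0.113.1", "tcp", 443)):
        print(f, "->", evaluate(f))
```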
Group Bridging
By default, authenticated users may only access network
resources within their current network
zone, or that are allowed by any active zone bridging rules.
Group bridging is the process of
modifying this default security policy, in order to allow
authenticated users from any network zone to
access specific IP addresses, IP ranges, subnets and ports within
a specified network zone.
Authenticated groups of users can be bridged to a particular
network by creating group bridging
rules. A group bridging rule defines a bridge in the following
terms:
• Group – The group of users from the authentication sub-
system that may access the bridge.
• Zone – The destination network zone.
• Destination – Defines whether the bridge allows access to an
individual host, a range of hosts,
a subnet of hosts or any hosts.
• Service – Defines what ports and services can be used across
the bridge.
• Protocol – Defines what protocol can be used across the
bridge.
Like zone bridges, group bridges can be narrow (e.g. allow
access to a single host, using a named
port and protocol) or wide (e.g. allow access to any host, using
any port and protocol).
In general, bridges should be made as narrow as possible to
prevent unnecessary or undesirable
use.
Group Bridging and Authentication
Group bridging uses the core authentication mechanism,
meaning that users must be pre-
authenticated before group bridging rules can be enforced by
Advanced Firewall.
Users can authenticate themselves using the authentication
system’s Login mechanism, either
automatically when they try to initiate outbound web access or
manually by browsing to the secure
SSL Login page.
Authentication can also be provided by any other mechanism
used elsewhere in the system. For
further information about authentication, see Chapter 9,
Authentication and User Management on
page 173.
Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users.
To create a group bridging rule:
1. Navigate to the Networking > Filtering > Group bridging page.
2. Configure the following settings:
• Groups – From the drop-down menu, select the group of users that this rule will apply to.
• Select – Click to select the group.
• Destination interface – Select the interface that the group will be permitted to access.
• Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
  • A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
  • A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
  • A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
  • Any network host in the destination network, leave the field blank.
• Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
• Service – From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.
• Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
• Comment – Enter a description of the rule.
• Enabled – Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.
7 Managing Inbound and Outbound Traffic
This chapter describes:
• Introduction to Port Forwards – Inbound Security on page 83
• Advanced Network and Firewall Settings on page 86
• Managing Outbound Traffic and Services on page 89
• Managing External Services on page 96
Introduction to Port Forwards – Inbound Security
Port forwards are used to forward requests that arrive at an
external network interface to a particular
network host in an internal network zone.
It is common to think of such requests arriving from hosts on
the Internet; however, port forwards
can be used to forward any type of traffic that arrives at an
external interface, regardless of whether
the external interface connects to the Internet or some other
external network zone.
Port Forward Rules Criteria
Port forward rules can be configured to forward traffic based on the following criteria:
• External IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.
• Source IP – Forward traffic if it arrived at a particular external interface or external alias.
• Port – Forward traffic if it was destined for a particular port or range of ports.
• Protocol – Forward traffic if it uses a particular protocol.
• Destination IP – A port forward will send traffic to a specific destination IP.
• Destination port – A port forward will send traffic to a specific destination port.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ).
If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.
Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it.
Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network.
For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, that is, a DMZ scenario.
Creating Port Forward Rules
To create a port forward rule:
1. Navigate to the Networking > Firewall > Port forwarding page.
2. Configure the following settings:
• External interface – From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it.
• Select – Click to select the external interface specified.
• Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
• External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
• Log – Select to log all port forwarded traffic.
• IPS – Select to deploy intrusion prevention. For more information, refer to your Advanced Firewall Operations Guide.
• Source IP – Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
• Source service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined. Note: Only applies to the protocols TCP and UDP.
• User defined – If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
• Destination IP – Enter the IP address of the network host to which traffic should be forwarded.
• Destination service – From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
• User defined – If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
• Comment – Enter a description of the port forward rule.
• Enabled – Select to enable the rule.
3. Click Add. The port forward rule is added to the Current rules table.
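How the settings above combine to select traffic and pick the target port, as an added Python example (not the Smoothwall guide's code): the External IP or network field may be blank, a host, an a-b range or a subnet; the source service may be a port or an A:B range; and a blank destination port keeps the incoming port. The 80 to 81 forward to 192.168.2.60 is the guide's example; the other two rules and the client addresses are constructed for illustration.

```python
"""Port forward rule matching and destination port resolution
(added example, not the guide's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def parse_ports(spec: str) -> Tuple[int, int]:
    """Parse a single port '80' or an A:B range '1000:1028' into (low, high)."""
    if ":" in spec:
        low, high = (int(p) for p in spec.split(":", 1))
    else:
        low = high = int(spec)
    if not (0 < low <= high <= 65535):
        raise ValueError("bad port specification: %r" % spec)
    return low, high


def host_allowed(external_ip_field: str, src: str) -> bool:
    """Blank field = any external host; otherwise a host, an a-b range or a subnet."""
    field = external_ip_field.strip()
    if not field:
        return True
    ip = ip_address(src)
    if "-" in field:
        first, last = (ip_address(p.strip()) for p in field.split("-", 1))
        return first <= ip <= last
    # ip_network accepts both x.x.x.x/24 and x.x.x.x/255.255.255.0 forms
    return ip in ip_network(field, strict=False)


@dataclass(frozen=True)
class PortForward:
    protocol: str               # "tcp" or "udp"
    external_ip: str = ""       # External IP or network; blank = any host
    source_service: str = ""    # port or A:B range arriving at the external interface
    destination_ip: str = ""    # host to forward to
    destination_port: str = ""  # blank = keep the incoming port
    enabled: bool = True


def resolve(rules: List[PortForward], proto: str, src: str,
            dport: int) -> Optional[Tuple[str, int]]:
    """Return (target ip, target port) for the first matching enabled rule, else None."""
    for rule in rules:
        if not rule.enabled or rule.protocol != proto:
            continue
        low, high = parse_ports(rule.source_service)
        if not (low <= dport <= high) or not host_allowed(rule.external_ip, src):
            continue
        # Blank destination port: the connection keeps the port it came in on,
        # which is what makes a forwarded range such as 1000:1028 map port for port.
        target_port = int(rule.destination_port) if rule.destination_port else dport
        return rule.destination_ip, target_port
    return None


# The guide's example: all TCP port 80 traffic to port 81 on 192.168.2.60.
# The other two rules are constructed: a forwarded UDP range that keeps its port,
# and a forward restricted to one external subnet (hosts and ports are placeholders).
RULES = [
    PortForward("tcp", "", "80", "192.168.2.60", "81"),
    PortForward("udp", "", "1000:1028", "192.168.2.70"),
    PortForward("tcp", "198.51.100.0/24", "2222", "192.168.2.80", "22"),
]

if __name__ == "__main__":
    print(resolve(RULES, "tcp", "198.51.100.9", 80))    # ('192.168.2.60', 81)
    print(resolve(RULES, "udp", "198.51.100.9", 1010))  # ('192.168.2.70', 1010)
    print(resolve(RULES, "tcp", "203.0.113.5", 2222))   # None: source not in allowed subnet
```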
Load Balancing Port Forwarded Traffic
Advanced Firewall enables you to load balance port forwarded
traffic to different network hosts.
To load balance port forwards:
1. On the Networking > Firewall > Port forwarding page, create
a port forward rule to the first
network host. See Creating Port Forward Rules on page 84 for
more information.
2. On the Networking > Firewall > Port forwarding page, create
another port forward rule
using exactly the same settings except for the destination IP to
the second network host.
Advanced Firewall automatically balances the traffic between
the hosts.
Editing and Removing Port Forward Rules
To edit or remove existing port forward rules, use Edit and
Remove in the Current rules area.
Advanced Network and Firewall Settings
The following sections explain network application helpers,
how you can manage bad traffic actions,
reflective port forwarding and connectivity failback.
Network Application Helpers
Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.
To enable helper applications:
1. Navigate to the Networking > Firewall > Advanced page.
The following helper applications are available:
• FTP – IP information is embedded within FTP traffic – this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
• IRC – IP information is embedded within IRC traffic – this helper application ensures that IRC communication is not adversely affected by the firewall.
• Advanced PPTP client support – When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
• H323 – When enabled, loads modules to enable pass-through of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.
To enable a helper application:
1. In the Network application helpers area, select the application(s) you require.
2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3. Click Save changes.
Managing Bad External Traffic
By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do.
Using the Bad external traffic action option, you can drop traffic silently which enables you to ‘stealth’ your firewall and make things like port scans much harder to do.
To manage bad external traffic:
1. Navigate to the Networking > Firewall > Advanced page.
2. From the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to reject the traffic and notify the sender.
3. Click Save changes to implement your selection.
Configuring Reflective Port Forwards
By default, port forwards are not accessible from within the
same network where the destination of
the forward resides. However, when enabled, the reflective port
forwards option allows port forwards
originating on an internal network to reach a host on the same
network.
This makes it possible to access a port forwarded service from
inside the internal network using the
same (external) address as an external host would.
To configure reflective port forwards:
1. Navigate to the Networking > Firewall > Advanced page.
2. Enable Reflective port forwards and click Save changes.
Managing Connectivity Failback
The following sections explain how to configure failback and
automatic failback for connectivity
profiles. For more information on connectivity profiles, see
Chapter 3, Connecting Using a Static
Ethernet Connectivity Profile on page 27.
Configuring Connectivity Failback
The following section explains how to configure Advanced
Firewall to revert to a specific connectivity
profile after reboot if its primary connectivity profile has failed.
To configure connectivity failback:
1. On the Networking > Firewall > Advanced page, go to the
Connectivity Failback area.
2. From the Connectivity failback profile drop-down menu,
select the profile to use after reboot
if the primary connectivity profile has failed.
3. Click Save changes. Advanced Firewall applies and saves the
changes.
Configuring Automatic Failback
It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced Firewall automatically attempts, once a day, to revert to the connectivity failback profile specified in the Connectivity Failback area.
To configure automatic failback:
1. On the Networking > Firewall > Advanced page, go to the
Connectivity Failback area.
2. Enable Automatic failback and click Save changes. Advanced
Firewall applies and saves the
changes.
Managing Outbound Traffic and Services
The following sections discuss port and access rules which are
used to control outbound network
traffic and services.
Working with Port Rules
Port rules are used when creating outbound access rules which
determine how outbound network
traffic and services are managed. For more information on outbound access rules, see Working with Outbound Access Policies on page 93.
Predefined Port Rules
Advanced Firewall contains a number of predefined, customizable port rules which allow or reject network traffic or specific services access on certain ports. Currently, the following port rules are predefined:
• Allow all – Allow unrestricted outbound access to the Internet.
• Allow basic services – Allow services common to most user computers, including web browsing (HTTP and HTTPS) and DNS on listed ports.
• Allow email services – Allow email services on listed ports.
• Reject all – Reject all outbound access to the Internet except for listed ports.
• Reject all P2P – Reject all peer to peer outbound access to the Internet on listed ports. For more information, see Managing Blocked Services on page 92.
• Reject all with logging – Reject all outbound access to the Internet except for listed ports and log the rejections.
• Reject known exploits – Reject outbound access on the listed ports which are associated with many common exploits against programs and services.
• Reject MS ports – Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.
Creating a Port Rule
It is possible to create a custom port rule.
To create a port rule:
1. Navigate to the Networking > Outgoing > Ports page.
2. Click Add new port rule.
The following dialog box opens.
3. Configure the following settings:
• Name – Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
• Action – Select one of the following actions:
  • Reject only listed ports – Reject outbound access on listed ports but allow on all other ports.
  • Allow only listed ports – Allow outbound access on listed ports but reject on all other ports.
• Rejection logging – Select if you want to log outbound requests rejected by this rule. Note: This generates a lot of data and should be used with care.
• Stealth mode – Select if you want to log but not reject outbound requests.
4. Click Add. Advanced Firewall adds the port rule to the Port rules list. Click the rule’s content arrow. The ports/services in the rule are displayed.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 92.
5. Click Add new port/service.
The following dialog box opens.
6. Configure the following settings:
• Status – Select to enable the rule.
• Protocol – From the drop-down menu, select the network protocol to add to the port.
• Destination port – Select one of the following:
  • Any – Any destination port.
  • From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
  • Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
• Comment – Enter a description of the port.
7. Click Add. The port is added to the port rule.
Managing Blocked Services
Advanced Firewall is able to detect and block service activity
such as Skype and BitTorrent using
deep packet inspection.
To configure blocking services:
1. On the Networking > Outgoing > Ports page, locate the port
rule for which you want to
configure services.
2. Click the rule’s content arrow. The ports/services contained
in the rule are displayed.
3. Point to Blocked services and click Edit.
The following dialog box opens.
4. Select the services you want to block.
Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.
5. Click Save to save the settings and close the dialog box.
Advanced Firewall applies the settings
and starts blocking the services selected.
Editing a Port Rule
To edit a port rule:
1. On the Networking > Outgoing > Ports page, point to the port
rule and select Edit.
2. In the Edit port rule dialog box, make any changes required.
See Creating a Port Rule on
page 90 for information on the settings available.
3. Click Save changes to apply the changes and close the dialog
box.
Deleting a Port Rule
To delete a port rule:
1. On the Networking > Outgoing > Ports page, point to the rule
and select Delete. When
prompted, click Delete to confirm that you want to delete the
rule and its contents.
Editing a Port Rule’s Contents
To edit the contents of a port rule:
1. On the Networking > Outgoing > Ports page, click the rule’s
content arrow. The ports/
services contained in the rule are displayed.
2. Point to the port/service and click Edit. In the Edit
port/service dialog box, make any changes
required. See Creating a Port Rule on page 90 for information
on the settings available.
3. Click Save changes to apply the changes and close the dialog
box.
Working with Outbound Access Policies
Advanced Firewall enables you to create policies which
determine outbound access for network
traffic and services depending on:
• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.
Note: Once the network traffic matches a policy, Advanced
Firewall does not apply any further
policy matching.
By default, Advanced Firewall contains a default outbound
access policy which uses the Allow all port
rule and allows unrestricted outbound access to the Internet.
You can reorder outbound access policies to suit your
requirements. If the outbound network traffic
or service does not match any policy, the Default policy is
applied.
Creating Outbound Access Policies for Groups
The Groups section is used to assign outbound access policies to traffic or services from users in an authenticated group of users.
To assign a policy to a group of users:
1. Navigate to the Networking > Outgoing > Policies page.
2. Click Add new policy.
The following dialog box opens.
3. Configure the following settings:
• Status – Select Enabled to enable the policy.
• Group – From the drop-down menu, select the group to which the outbound access policy applies.
• Port rule – From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 89.
• Comment – Enter a description for the policy.
4. Click Add. The policy is added to the list of groups.
5. Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and a policy cannot be applied.
Group policies are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.
Creating Outbound Access Policies for Traffic from Sources and/or Destinations
When the source and/or destination IP addresses of outbound traffic match a policy in the Sources and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s) assigned to that source and/or destination.
To create a policy:
1. Browse to the Networking > Outgoing > Policies page.
2. Click Add new Policy.
3. In the Add new policy dialog box, configure the following settings:
• Status – Select to enable the policy.
• Name – Enter a name for the policy.
• Source – Configure one of the following to apply the policy to:
  • Any – Any source IP address.
  • A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
• Destination – Configure one of the following to apply the policy to:
  • Any – Any destination IP address.
  • A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
• Port rule – From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 89.
• Comment – Enter a description for the policy.
4. Click Add. The policy is added to the list of sources and destinations.
5. Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to the correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
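The port rules from Creating a Port Rule and the ordered policy list from the two policy sections above, modelled as an added Python example (not the Smoothwall guide's code): a port rule either rejects only its listed ports or allows only its listed ports, stealth mode logs instead of rejecting, and policies are tried in order with the first source/destination match deciding and the Default policy (Allow all) applying when none matches. The port lists, policy names and addresses are constructed samples in the style of the predefined rules, not the product's actual port lists.

```python
"""Outbound port rules and first-match policy ordering
(added example, not the guide's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'443' -> (443, 443); from:to notation '1024:2048' -> (1024, 2048)."""
    low, _, high = spec.partition(":")
    return int(low), int(high or low)


@dataclass
class PortRule:
    name: str
    action: str                   # "reject_listed" or "allow_listed"
    ports: List[Tuple[str, str]]  # (protocol, port or from:to range)
    rejection_logging: bool = False
    stealth_mode: bool = False    # log but do not reject

    def listed(self, proto: str, dport: int) -> bool:
        for rule_proto, spec in self.ports:
            low, high = parse_port_range(spec)
            if rule_proto == proto and low <= dport <= high:
                return True
        return False

    def decide(self, proto: str, dport: int) -> Tuple[str, bool]:
        """Return (verdict, logged); verdict is 'allow' or 'reject'."""
        hit = self.listed(proto, dport)
        rejected = hit if self.action == "reject_listed" else not hit
        if not rejected:
            return "allow", False
        if self.stealth_mode:      # would have been rejected: log only
            return "allow", True
        return "reject", self.rejection_logging


def address_matches(selector: str, addr: str) -> bool:
    """Any, a single x.x.x.x, a range x.x.x.x-y.y.y.y or a subnet x.x.x.x/y."""
    if selector == "Any":
        return True
    ip = ip_address(addr)
    if "-" in selector:
        first, last = (ip_address(p) for p in selector.split("-", 1))
        return first <= ip <= last
    return ip in ip_network(selector, strict=False)


@dataclass
class Policy:
    name: str
    source: str
    destination: str
    port_rule: PortRule
    enabled: bool = True


# "Reject only listed ports" with nothing listed rejects nothing: Allow all.
ALLOW_ALL = PortRule("Allow all", "reject_listed", [])


def outbound_decision(policies: List[Policy], src: str, dst: str,
                      proto: str, dport: int) -> Tuple[str, str, bool]:
    """First matching enabled policy wins; otherwise the Default policy (Allow all)."""
    for policy in policies:
        if (policy.enabled and address_matches(policy.source, src)
                and address_matches(policy.destination, dst)):
            verdict, logged = policy.port_rule.decide(proto, dport)
            return policy.name, verdict, logged
    verdict, logged = ALLOW_ALL.decide(proto, dport)
    return "Default", verdict, logged


# Constructed sample rules in the style of the predefined ones (port lists are
# illustrative, not the product's).
BASIC = PortRule("Allow basic services", "allow_listed",
                 [("tcp", "80"), ("tcp", "443"), ("udp", "53"), ("tcp", "53")],
                 rejection_logging=True)
MS_PORTS = PortRule("Reject MS ports", "reject_listed",
                    [("tcp", "135:139"), ("udp", "137:138"), ("tcp", "445")])
# Ordering matters: the single-host policy must sit above the subnet policy
# that would otherwise also match that host.
POLICIES = [
    Policy("Servers", "192.168.100.50", "Any", ALLOW_ALL),
    Policy("Workstations", "192.168.100.0/24", "Any", BASIC),
    Policy("Guest range", "192.168.200.100-192.168.200.199", "Any", MS_PORTS),
]

if __name__ == "__main__":
    for src, proto, dport in (("192.168.100.20", "tcp", 443), ("192.168.100.20", "tcp", 25),
                              ("192.168.100.50", "tcp", 25), ("192.168.200.150", "tcp", 445),
                              ("10.9.8.7", "tcp", 25)):
        print(src, proto, dport, "->", outbound_decision(POLICIES, src, "198.51.100.1", proto, dport))
```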
Editing a Policy
To edit a policy:
1. On the Networking > Outgoing > Policies page, point to the
rule and select Edit.
2. In the Edit policy dialog box, make any changes required.
See Creating Outbound Access
Policies for Traffic from Sources and/or Destinations on page
95 for information on the settings
available.
3. Click Save changes to apply the changes and close the dialog
box.
Deleting a Policy
To delete a policy:
1. On the Networking > Outgoing > Policies page, point to the
rule and select Delete. When
prompted, click Delete to confirm that you want to delete the
policy.
Managing External Services
Note: The External services page has been superseded by the functionality on the Networking > Outgoing > Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.
You can prevent local network hosts from using external services by creating appropriate policies to stop outbound traffic.
To create an external service rule:
1. Navigate to the Networking > Outgoing > External services page and configure the following settings:
• Service – Select Empty from the drop-down list.
• Service rule name – Enter a name for the rule.
• Protocol – Select the protocol used by the service.
• Service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
• Port – If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
• Rejection logging – Select to log all traffic rejected by the external services rule.
• Stealth mode – Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.
2. Click Save. In the Add a new rule area, configure the following settings:
• Destination IP – Enter the IP address of the external service to which the rule applies.
• Comment – Enter a description of the rule.
• Enabled – Select to enable the rule.
3. Click Add. The external service rule is added to the Current rules region.
Editing and Removing External Service Rules
To edit or remove existing external service rules, use Edit and Remove in the Current rules area.
8 Virtual Private Networking
This chapter describes how to set up the virtual private networking (VPN) feature of Advanced Firewall, including:
• Advanced Firewall VPN Features on page 100
• What is a VPN? on page 100
• About VPN Authentication on page 101
• Configuration Overview on page 104
• Working with Certificate Authorities and Certificates on page 105
• Managing Certificates on page 108
• Setting the Default Local Certificate on page 112
• Site-to-Site VPNs – IPSec on page 112
• IPSec Site to Site and X509 Authentication – Example on page 117
• IPSec Site to Site and PSK Authentication on page 121
• About Road Warrior VPNs on page 124
• IPSec Road Warriors on page 125
• Supported IPSec Clients on page 128
• Creating L2TP Road Warrior Connections on page 128
• VPNing Using L2TP Clients on page 132
• VPNing with SSL on page 137
• Managing SSL Road Warriors on page 139
• VPN Zone Bridging on page 144
• Secure Internal Networking on page 145
• Advanced VPN Configuration on page 147
• Managing VPN Systems on page 153
• VPN Tutorials on page 156
• Working with SafeNet SoftRemote on page 167
Advanced Firewall VPN Features
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:
Feature – Description
IPSec site-to-site – Industry-standard IPSec site-to-site VPN tunneling.
L2TP road warriors – Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
IPSec road warriors – Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
SSL VPN – Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Authentication – Industry-standard X509 certificates or Pre-Shared Keys (subnet VPN tunnels).
Certificate management – Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls – Individual controls for all VPN tunnels.
Internal VPNs – Support for VPNs routed over internal networks.
Logging – Comprehensive logging of individual VPN tunnels.
What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance.
In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors.
The P in VPN refers to the encryption and authentication employed to maintain a level of privacy equivalent to that one would expect from the traditional circuit which a VPN typically replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio.
100 Smoothwall Ltd
VPNs are mostly used to link multiple branch office networks
together, site-to-site VPNs, or to
connect mobile and home users, road warriors, to their office
network.
The network route between a site-to-site or road warrior VPN is
provided by a VPN tunnel. Tunnels
can be formed between two VPN gateways. All data traversing
the tunnel is encrypted, thus making
the tunnel and its content unintelligible and therefore private to
the outside world.
About VPN Gateways
A VPN gateway is a network device responsible for managing
incoming and outgoing VPN
connections. A VPN gateway must perform a number of specific
tasks:
• Allow VPN tunnels to be configured.
• Authenticate the other end of a VPN connection, i.e. ensure it
can be identified and trusted.
• Route all data received from its own Local Area Network
(LAN) to the correct VPN tunnel.
• Encrypt all data presented to the VPN tunnel into secure data
packets.
• Decrypt secure data received from the VPN tunnel.
• Route all data received from the tunnel to the correct
computer on the LAN.
• Allow VPN tunnels to be managed.
Administrator Responsibilities
A network administrator has three responsibilities:
• Specify the tunnel – define the tunnel on each VPN gateway.
• Configure authentication – define a secure means for each
VPN gateway to identify the other.
• Manage tunnels – control the opening and closing of tunnels.
About VPN Authentication
Authentication is the process of validating that a given entity,
that is a person, system or device, is
actually who or what it identifies itself to be. Since VPN
gateways are not usually in the same physical
location, it is not readily determinable that either gateway is
genuine.
A gateway that initiates a VPN connection must be assured that
the remote gateway is the right one.
Conversely, the remote gateway must be assured that the
initiating gateway is not an imposter.
Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:
Authentication method – Description
Pre-Shared Key – Usually referred to as PSK, this is a simple authentication method based on a secret (password) that both gateways are configured with. For more information, see PSK Authentication on page 102.
X509 – An industry strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 102.
Username/password – In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.
A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.
PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared secret that only they know. When a VPN connection is negotiated, each gateway proves to the other that it knows the secret; the secret itself is never sent across the network, so an eavesdropper on the public network cannot learn it. If both proofs check out, each gateway knows that the other must be genuine and a secure, trusted VPN tunnel can be established. If the secrets configured on the two gateways differ, negotiation fails.
The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. A shared secret is easily compromised because it is frequently written down, spoken aloud or shared amongst administrator colleagues, and anyone who learns it can impersonate a gateway. Some VPN configurations will also require multiple tunnels to use the same secret, which is highly undesirable if your organization intends to create multiple road warrior VPN connections: the secret can then no longer be withdrawn from one user without changing it for all of them.
PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse. Where PSK is used, choose a long, randomly generated secret rather than a memorable password.
X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just as a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.
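The PSK Authentication section above states that each gateway proves knowledge of the shared secret without the secret itself crossing the network. The following Go program is an added example, not part of the Smoothwall guide or product, that models such a mutual exchange using HMAC-SHA256 keyed with the PSK over fresh nonces from both sides. It is a simplified illustration of the principle, not the IKE protocol that IPSec actually uses for PSK authentication; the message layout, the role labels and the gateway names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gateway is a simplified VPN peer holding an identity and its configured PSK.
// This is an illustrative model, not Smoothwall's or IKE's data structures.
type gateway struct {
	id  string
	psk []byte
}

// nonce returns 32 fresh random bytes; every negotiation uses new nonces so a
// recorded proof from an earlier session cannot be replayed.
func nonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// proof binds the secret to this negotiation: HMAC-SHA256 keyed with the PSK
// over a role label, both nonces and the prover's identity. Only the HMAC
// output is transmitted, never the PSK itself.
func proof(psk []byte, role string, ni, nr []byte, id string) []byte {
	mac := hmac.New(sha256.New, psk)
	mac.Write([]byte(role))
	mac.Write(ni)
	mac.Write(nr)
	mac.Write([]byte(id))
	return mac.Sum(nil)
}

// authenticate runs the mutual exchange between an initiator and a responder.
// It reports whether the initiator accepted the responder, whether the
// responder accepted the initiator, and every byte that crossed the wire.
func authenticate(init, resp gateway) (initOK, respOK bool, wire []byte, err error) {
	ni, err := nonce()
	if err != nil {
		return false, false, nil, err
	}
	nr, err := nonce()
	if err != nil {
		return false, false, nil, err
	}
	// Message 1 (initiator -> responder): initiator nonce and identity.
	wire = append(wire, ni...)
	wire = append(wire, init.id...)
	// Message 2 (responder -> initiator): responder nonce, identity and proof.
	respProof := proof(resp.psk, "responder", ni, nr, resp.id)
	wire = append(wire, nr...)
	wire = append(wire, resp.id...)
	wire = append(wire, respProof...)
	// The initiator recomputes the expected proof with its own PSK and compares
	// in constant time; a mismatch means the responder does not hold the secret.
	initOK = hmac.Equal(respProof, proof(init.psk, "responder", ni, nr, resp.id))
	if !initOK {
		// A genuine initiator stops here and never reveals its own proof.
		return false, false, wire, nil
	}
	// Message 3 (initiator -> responder): the initiator's proof.
	initProof := proof(init.psk, "initiator", ni, nr, init.id)
	wire = append(wire, initProof...)
	respOK = hmac.Equal(initProof, proof(resp.psk, "initiator", ni, nr, init.id))
	return initOK, respOK, wire, nil
}

// secretLeaked reports whether the PSK appears verbatim in the captured traffic.
func secretLeaked(wire, psk []byte) bool {
	return bytes.Contains(wire, psk)
}

func main() {
	psk := []byte("constructed-sample-psk-change-me") // constructed sample value, not a real key
	london := gateway{id: "london.example.net", psk: psk}
	newYork := gateway{id: "newyork.example.net", psk: psk}
	a, b, wire, err := authenticate(london, newYork)
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine peers: initiator accepts=%v responder accepts=%v psk on wire=%v\n", a, b, secretLeaked(wire, psk))
	impostor := gateway{id: "newyork.example.net", psk: []byte("guess")}
	a, b, _, _ = authenticate(london, impostor)
	fmt.Printf("impostor responder: initiator accepts=%v responder accepts=%v\n", a, b)
}
```

The impostor case shows why a PSK only authenticates "whoever knows the secret": the impostor presents a legitimate identity string, and it is the failed proof, not the identity, that stops the tunnel. That is also why a PSK shared across many road warriors cannot distinguish one user from another.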
About Digital Certificates
A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner, and contains the following information:
Information – Description
Subject – Information about who the certificate was issued to, their country, company name etc.
Issuer – Information about the CA that created and signed the certificate.
Certificate ID – An alternative identifier for the certificate owner in abbreviated form.
Validity period – The start and expiry dates, during which time the certificate is valid.
Certificates contain information about both the owner, i.e. the subject, and the issuer, i.e. the CA. However, this information alone does not show whether the certificate is a forgery. To prove authenticity, X509 relies on public-key cryptography.
Public-key cryptography uses a mathematically related pair of keys, one called a private key and the other called a public key. Data signed with the private key can be verified with the public key, and data encrypted with the public key can only be decrypted with the private key. It is computationally infeasible to derive the private key from the public key. If the private key is kept secret by its owner, and the public key is freely accessible to all, any signature that verifies under the public key can only have been produced by the private key owner. CAs use this property to sign every certificate they create, thus proving that the certificate is genuine.
To sign a certificate, the CA computes a cryptographic hash of the certificate's content and signs that hash with its private key. The signature is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can verify the signature using the public key of the issuing CA, which is obtainable from the CA's own certificate. If the signature verifies and the issuer declared in the certificate matches the CA, the certificate is proven to have been issued by that CA and not altered since.
However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further step: during tunnel negotiation, the certificate owner uses its private key to sign data that is unique to that negotiation, and the peer verifies this signature with the public key contained in the certificate. Only the holder of the matching private key can produce a valid signature, so it is now proven that the presenting gateway owns the certificate and that the certificate was issued by the specified CA. The private key must therefore never leave the certificate owner; only the certificate, which contains public information, is distributed.
Advanced Firewall and Digital Certificates
Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:
• Create a trusted CA.
• Create signed, digital certificates.
• Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.
Alternatively, digital certificates can be leased from companies
like Verisign or Thawte and then
imported, or they can be created by a separate CA such as the
one included in Microsoft Windows
2000. The use of a local Advanced Firewall CA is recommended
as a more convenient and equally
secure approach.
It is usual for a single CA to provide certificates for an entire
network of peer systems, but there are
alternative schemes that use multiple CAs which will be
discussed later.
Configuration Overview
The following sections cover the separate topics of CAs,
certificates, site-to-site VPNs, road warrior
VPNs, internal VPNs and management in great depth.
As an overview to these sections, these are the steps required to
create a typical site-to-site VPN
connection:
1. On the master Advanced Firewall system, create a local
Certificate Authority. For details, see
Creating a CA on page 105.
2. Create certificates for the master Advanced Firewall system
and the remote Advanced Firewall
system.
3. Install the master Advanced Firewall’s certificate as its
default local certificate.
4. Create a tunnel specification on the master Advanced
Firewall system that points to the remote
Advanced Firewall system.
5. Export the CA certificate and the remote Advanced Firewall
certificate from the master
Advanced Firewall system.
6. Import the CA certificate on the remote Advanced Firewall
system, as exported by step 5.
7. Import and install the remote Advanced Firewall system’s
certificate, as exported by step 5.
8. Create a tunnel specification on the remote Advanced
Firewall system that matches the one
created by step 4.
9. Bring the connection up.
10. Ensure that appropriate zone bridging rules are configured
and active in order to permit traffic
to and from the VPN tunnel. For further information see
Chapter 6, Configuring Inter-Zone
Security on page 75.
Note: For VPN configuration tutorials, see VPN Tutorials on
page 156.
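The About Digital Certificates section and the site-to-site overview above describe a local CA issuing certificates to two gateways, each gateway exporting and importing certificates in PEM, and each checking the other's certificate against the CA. The following Go program is an added example, not part of the Smoothwall guide or product, that performs those steps with the standard library: it creates a CA, issues a gateway certificate carrying a Host & Domain Name ID, round-trips it through PEM, and verifies it the way a VPN gateway would (trusted issuer, validity period, expected remote ID). It also shows the rejections a practitioner should expect: a certificate from an untrusted CA, an expired certificate, and a mismatched remote ID. The CA and host names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyAndSerial generates a fresh P-256 key pair and a random positive serial number.
func keyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return key, serial, err
}

// sign finalizes a template: self-signed when parent is nil, otherwise signed by the CA key.
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed CA, the equivalent of the guide's local Certificate Authority.
func newCA(commonName string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := keyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	cert, err := sign(&x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, key, nil)
	return cert, key, err
}

// issue has the CA sign a gateway certificate; hostID is the "Host & Domain Name" ID value.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, commonName, hostID string,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := keyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	cert, err := sign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     []string{hostID}, // the ID the remote gateway will check
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}, ca, key, caKey)
	return cert, key, err
}

// certToPEM exports a certificate in PEM; it carries no private key.
func certToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// certFromPEM imports a PEM certificate, as the remote gateway would.
func certFromPEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// verifyPeer applies the checks a gateway makes on a presented certificate: issued by the
// trusted CA, valid at time "at", and carrying the expected remote ID. Proof that the peer
// holds the matching private key is done by the IKE exchange itself, outside this example.
func verifyPeer(peer, trustedCA *x509.Certificate, expectedHostID string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if err := peer.VerifyHostname(expectedHostID); err != nil {
		return fmt.Errorf("remote ID mismatch: %w", err)
	}
	return nil
}
```

Usage: create the head office CA with newCA, issue the branch certificate with issue, ship certToPEM(branch) and certToPEM(ca) to the branch, and have the branch call verifyPeer on whatever the head office presents. Pinning the expected host ID matters because any other certificate issued by the same CA also passes the chain check; only the ID check ties the tunnel to the intended peer.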
Working with Certificate Authorities and
Certificates
A Certificate Authority (CA) is an implicitly trusted system that
is responsible for issuing and managing
digital certificates. A certificate created by a known CA can be
authenticated as genuine.
The following sections explain how to create a local CA using
Advanced Firewall, for the purpose of
creating certificates for VPN tunnel authentication. They also
explain how to export and import CA
certificates so that a remote Advanced Firewall has knowledge
of the CA. Maintenance tasks such
as how to delete CAs are also discussed.
Creating a CA
To create your own certificates for use in VPN tunnel
authentication, you require access to at least
one CA. It is possible to purchase certificates from an
externally managed CA, but this can be
inconvenient and costly. This section explains how to create a
CA using Advanced Firewall.
If you already have a CA on your network, it may be useful to
use that, in which case refer to Importing
Another CA's Certificate on page 107.
To create a CA:
1. Navigate to the VPN > VPN > Certificate authorities page.
2. Configure the following settings:
Setting – Description
Common name – Enter an easily identifiable name.
Email – Enter an administrative email address.
Organization – Enter an organizational identifier.
Department – Enter a departmental identifier.
Locality or town – Enter a locality or town.
State or province – Enter a state or province.
Country – Enter a two letter country code.
Life time – From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days) – If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
3. Click Create Certificate Authority. The local CA is created and displayed.
Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.
Exporting the CA Certificate
Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two export formats, described in the Export format setting below.
To export the CA certificate:
1. Navigate to the VPN > VPN > Authorities page and configure the following settings:
Setting – Description
Name – In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format – From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
CA certificate in PEM – An ASCII (Base64 text) certificate format. Select this format if the certificate is to be used on another Smoothwall System.
CA certificate in BIN – A binary certificate format; select this if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
2. Click Export and choose to save the file to disk from the dialog box launched by your browser.
You can deliver the certificate to another system without any special security requirements since it contains only public information. Only the CA certificate is exported here; the CA's private key stays on the Advanced Firewall that hosts the CA.
Importing Another CA's Certificate
To authenticate a signed certificate produced by a non-local
CA, you must import the non-local CA’s
certificate into Advanced Firewall.
This is usually done on secondary Advanced Firewall systems
so that they can authenticate
certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.
To import the CA's certificate:
1. Navigate to the VPN > VPN > Authorities page.
2. In the Import Certificate Authority certificate area, click
Browse.
3. Locate and open the CA’s certificate that you wish to import.
4. Click Import CA cert from PEM. The certificate is listed in
the Installed Certificate Authority
certificates list of certificates area.
Deleting the Local Certificate Authority and its Certificate
To delete the local CA and its certificate:
1. Navigate to the VPN > VPN > Authorities page.
2. In the Delete local Certificate Authority region, select
Confirm delete.
3. Click Delete Certificate Authority.
Note: Deleting the local CA will invalidate all certificates that
it has created.
Once the local CA has been deleted, the Create local Certificate
Authority region will be displayed.
This change in layout occurs because a CA no longer exists on
the Advanced Firewall system. The
Create local Certificate Authority region replaces the Delete
local Certificate Authority region.
Deleting an Imported CA Certificate
To delete an imported CA's certificate:
1. Navigate to the VPN > VPN > Authorities page.
2. Locate and select the non-local CA certificate in the Installed
Certificate Authority certificates
region.
3. Click Delete. The CA certificate will no longer appear in the
Installed Certificate Authority
certificates region and Advanced Firewall will not be able to
authenticate any certificates created
by it.
Managing Certificates
The following sections explain how to create, view, import,
export and delete certificates in Advanced
Firewall.
Creating a Certificate
Once a local Certificate Authority (CA) has been created, you
can generate certificates.
The first certificate created is usually for the Advanced Firewall
system that the CA is installed on. This
is because the Advanced Firewall VPN gateway is a separate
entity to the CA, and therefore requires
its own certificate.
It is normal for a single CA to create certificates for all other
hosts that will be used as VPN gateways,
i.e. all other Advanced Firewall systems.
To create a new signed certificate:
1. Navigate to the VPN > VPN > Certificates page.
2. Scroll to the Create new signed certificate area and configure the following settings:
Setting – Description
ID type – From the drop-down menu, select the certificate's ID type. The options are:
No ID – Not recommended but available for inter-operability with other VPN gateways.
Host & Domain Name – Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
IP address – Recommended for site-to-site VPNs whose gateways use static IP addresses.
Email address – Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
ID value – Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address. The remote gateway compares this ID with the Remote ID it expects for the tunnel, so record the exact value used.
Common name – Enter a common name for the certificate, for example Head Office.
Email – Enter an email address for the individual or host system that will own this certificate.
Organization – Enter an organizational identifier for the certificate owner.
Department – Enter a departmental identifier for the certificate owner.
Locality or town – Enter a locality or town for the certificate owner.
State or province – Enter a state or province for the certificate owner.
Country – Enter a two letter country code.
Life time – From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days) – If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
3. Click Create signed certificate. The certificate is listed in the Installed signed certificates area.
Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.
To review a certificate:
1. Navigate to the VPN > VPN > Certificates page.
2. Locate the certificate that you wish to view in the Installed signed certificates region.
3. Click the certificate name. The content is displayed in a new browser window.
4. Close the browser window to return to Advanced Firewall.
Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.
To export a certificate:
1. Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.
2. Select the certificate you want to export and configure the following settings:
Setting – Description
Export format – From the drop-down menu, select the format in which to export the certificate. The following formats are available:
Certificate in PEM – An ASCII (Base64 text) certificate format. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
Certificate in DER – A binary certificate format for use with non-Advanced Firewall VPN gateways.
Private key in DER – Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.
3. Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.
Note: A certificate exported in PEM or DER format contains only public information. A private key exported with Private key in DER must be distributed to its recipient host in a secure manner, as the private key should be known only to the certificate owner.
Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate together with its private key, protected by a password. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
To export a certificate in the PKCS#12 container format:
1. Navigate to the VPN > VPN > Certificates page.
2. In the Installed signed certificates region, locate and select the certificate that you wish to export.
3. Enter and confirm a password in the Password and Again fields. Choose a strong password: it is the only protection for the private key while the file is in transit, and it must be supplied again when the file is imported.
4. Click Export certificate and key as PKCS#12.
5. Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.
Note: Distribute the PKCS#12 file to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner. Delete the exported copy once it has been imported.
Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.
To import a certificate:
1. Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:
Setting – Description
Password – Enter the password that was specified when the PKCS#12 file was exported. This is required when importing a PKCS#12 file.
Import PKCS#12 filename – To import a certificate and its private key in PKCS#12 format:
1. Click Browse and navigate to and select the certificate file.
2. Click Import certificate and key from PKCS#12.
Import PEM filename – To import a certificate in PEM format:
1. Click Browse and navigate to and select the certificate file.
2. Click Import certificate from PEM.
Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.
Deleting a Certificate
To delete an installed certificate:
1. Navigate to the VPN > VPN > Certificates page.
2. In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3. Click Delete. The signed certificate will be removed from the Installed signed certificates region.
Setting the Default Local Certificate
One of the most important configuration tasks is to set the
default local certificate on each Advanced
Firewall host. The default local certificate should be the
certificate that identifies its host.
To set the default local certificate:
1. Navigate to the VPN > VPN > Global page.
2. In the Default local certificate region, select the host’s
certificate from the Certificate drop-
down list and click Save. This certificate will now be used by
default in all future tunnel
specifications, unless otherwise specified.
3. When prompted by Advanced Firewall, click Restart to
deploy the certificate.
Site-to-Site VPNs – IPSec
The following sections explain how to create a site-to-site VPN
tunnel between two Advanced
Firewall systems.
The tunnel will use the IPSec protocol to create a secure,
encrypted tunnel between head office and
a branch office.
Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:
Setting – Selection
Encryption – AES
Authentication type – ESP
Hashing algorithm – SHA
Perfect Forward Secrecy – Enabled
Compression – Enabled, unless the predominant VPN traffic is already encrypted or compressed.
Creating an IPSec Tunnel
Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 156.
To create a site-to-site tunnel:
1. On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
2. Configure the following settings:
Setting – Description
Name – Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled – Select to enable the connection.
Local IP – Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).
Local network – Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Local ID type – From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
Default local Certificate Subject – Uses the subject field of the default local certificate as the local certificate ID.
Local IP – Uses the local IP address of the host as the local certificate ID.
User specified Host & Domain Name – Uses a user specified host and domain name as the local certificate ID.
User specified IP address – Uses a user specified IP address as the local certificate ID.
User specified Email address – Uses a user specified email address as the local certificate ID.
User specified Certificate Subject – Uses a user specified certificate subject as the local certificate ID.
Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value – This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways). In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Remote IP or hostname – Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network – Specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Remote ID type – From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
Remote IP (or ANY if blank Remote IP) – The remote ID is the remote IP address; if Remote IP is left blank, any presented ID is accepted.
User specified Host & Domain Name – Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
User specified IP address – Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
User specified Email address – Allows the user to specify a custom email address that it should expect the remote gateway to present as ID.
User specified Certificate Subject – Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways).
Remote ID value – Enter the value of the ID used in the certificate that the remote peer is expected to present. Setting an explicit remote ID ensures that only the intended peer's certificate is accepted for this tunnel, even though other certificates issued by the same CA would also pass the CA check.
Authenticate by – From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 101.
Preshared key – Enter the preshared key when PSK is selected as the authentication method.
Preshared key again – Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression – Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection – Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment – Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
3. Optionally, click Advanced.
Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.
4. Enter the following information:
Setting – Description
Local certificate – This is used in non-standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 147.
Interface – Select which interface will be used for this connection, either an external or an internal interface. PRIMARY means the connection will be on the external interface.
Perfect Forward Secrecy – Select to enable Perfect Forward Secrecy (PFS), which performs a fresh Diffie-Hellman key exchange for each new set of tunnel keys, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type – Select the IPSec protocol used to protect tunnel traffic. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo – Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES – A triple strength version of the DES cryptographic standard using a nominal 168-bit key (112 bits of effective security). 3DES has been superseded by AES and is considerably slower; it remains the default on many older VPN gateways and is therefore offered for maximum compatibility rather than strength.
AES 128 – Advanced Encryption Standard with a 128-bit key. AES replaces DES/3DES as the US government's cryptographic standard and offers faster and stronger encryption than 3DES.
AES 256 – Advanced Encryption Standard with a 256-bit key. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
Phase 1 hash algo – Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 – A cryptographic hash function producing a 128-bit digest. Faster and widely supported, but MD5 is considered weak; use it only where the remote gateway cannot negotiate SHA.
SHA – Secure Hash Algorithm (SHA-1) producing a 160-bit digest, the US government's hashing standard (FIPS 180). Recommended over MD5 for maximum security.
Phase 2 cryptographic algo – Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
5. Click Add to create the tunnel.
IPSec Site to Site and X509 Authentication –
Example
This example explains how to create a site-to-site IPSec tunnel
using X509 authentication between
two Advanced Firewall systems.
Prerequisite Overview
Before you start, you must do the following:
1. Create a CA on the local system for information on how to do
this, see Creating a CA on
page 105
2. Create certificates for the local and remote systems using
Host and Domain Name as the ID
type, for information on how to do this, see Creating a
Certificate on page 108.
3. Install the local certificate as the default local certificate on
the local system, for information on
how to do this, see Importing a Certificate on page 111.
Phase 2 hash algo Selects the hashing algorithm to use for the
second phase of VPN tunnel
establishment. This setting should be the same on both tunnel
specifications of two connecting gateways.
See Phase 1 hash algo for more information on the options.
Key life Set the length of time that a set of keys can be used
for. After the key-life
value has expired, new encryption keys are generated, thus
reducing the
threat of snooping attacks.
The default and maximum value of 60 minutes is recommended.
Key tries Set the maximum number of times the host will
attempt to re-try the
connection before failing.
The default value of zero tells the host to endlessly try to re-key
a
connection. However, a non-initiating VPN gateway should not
use a zero
value because if an active connection drops, it will persistently
try to re-
key a connection that it can't initiate.
IKE lifetime Set how frequently, in minutes, the Internet Key
Exchange keys are re-
exchanged.
Do not rekey Select to disable re-keying. This can be useful
when working with NAT-
ed end-points.
Local internal IP This optional setting is used when Advanced
Firewall itself sends traffic in
the IPsec tunnel.
Note: If you do not use this setting, Advanced Firewall will not,
itself, be
able to send traffic in the IPsec tunnel.
Enter the IP of the network interface to use when Advanced
Firewall itself
sends traffic in the tunnel.
Setting Description
4. Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 110.
5. Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 110.
6. Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 111.
Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.
Creating the Tunnel on the Primary System
To create the tunnel on the primary system:
1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system’s default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system’s default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.
2. Click Add to create the tunnel specification and list it in the Current tunnels area.
The advanced settings are left to their default values in this example. The next step is to create a matching tunnel specification on the remote system.
Creating the Tunnel on the Secondary System
To create the tunnel on the secondary system:
1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system’s default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system’s certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 117.
Remote ID value: Enter the ID value (the hostname) of the primary system’s default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2. Click Add. All advanced settings can be safely left at their defaults.
Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To ensure the VPN subsystem is active on both systems:
1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Activating the IPSec tunnel
Next, the secondary system should initiate the VPN connection.
To initiate the VPN connection:
1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 75.
IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.
Creating the Tunnel Specification on Primary System
To create the primary tunnel specification:
1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system’s external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary’s IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared passphrase.
Preshared Key: Enter a passphrase.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.
Initiate the connection: Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a description, for example: Tunnel to Birmingham Branch.
2. Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists it in the Current tunnels area. The next step is to create a matching tunnel specification on the remote system.
Creating the Tunnel Specification on the Secondary System
To create the secondary tunnel specification:
1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system’s external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus requires a destination IP address in order to make first contact.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared passphrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if compression was enabled on the primary system.
Initiate the connection: Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2. Click Add. All advanced settings can be safely left at their defaults.
Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To check the system is active:
1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Activating the PSK tunnel
Next, the secondary system should initiate the VPN connection.
To activate the tunnel:
1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access
to/from a site to site VPN tunnel,
ensure that appropriate zone bridging rules are configured. For
further information, see Chapter 6,
Configuring Inter-Zone Security on page 75.
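The X509 and PSK procedures above both depend on the two tunnel specifications agreeing with each other: the Phase 1 and Phase 2 algorithms, PFS, compression and authentication type must match, each side's Local network must be the other side's Remote network, the initiating side needs the peer's address, a non-initiating gateway should not leave Key tries at zero, and a PSK tunnel needs the same secret on both ends. The following Python script is an added example, not Smoothwall code, that models each tunnel specification as a dictionary keyed by the page's setting names and checks those rules before the specifications are committed; it also checks the separate rule the manual states for tunnels whose Remote IP is left blank, which must share one authentication method and, for PSK, one secret. The dictionary field names, the 203.0.113.10 gateway address, the hostnames and the secret are constructed sample values, and the "warning" severity for Key tries is my own labelling of the manual's recommendation.

```python
import ipaddress

# Settings the manual says must be the same on both tunnel specifications.
MUST_MATCH = ("pfs", "auth_type", "phase1_crypto", "phase1_hash",
              "phase2_crypto", "phase2_hash", "compression", "authenticate_by")


def parse_network(spec):
    """Parse the manual's 'address/netmask' form (CIDR is accepted as well)."""
    return ipaddress.ip_network(spec, strict=True)


def check_pair(primary, secondary):
    """Compare a primary and a secondary tunnel specification.

    Returns a list of (severity, message). 'error' means the pair cannot work
    as written; 'warning' marks the manual's Key tries recommendation for a
    gateway that does not initiate.
    """
    findings = []
    for key in MUST_MATCH:
        if primary[key] != secondary[key]:
            findings.append(("error", f"{key} differs: {primary[key]!r} vs {secondary[key]!r}"))

    # Each side's Local network must be the other side's Remote network.
    if parse_network(primary["local_network"]) != parse_network(secondary["remote_network"]):
        findings.append(("error", "primary Local network is not the secondary Remote network"))
    if parse_network(primary["remote_network"]) != parse_network(secondary["local_network"]):
        findings.append(("error", "primary Remote network is not the secondary Local network"))

    # The initiator needs a destination; a non-initiator should not re-key forever.
    for name, spec in (("primary", primary), ("secondary", secondary)):
        if spec["initiate"] and not spec["remote_ip"]:
            findings.append(("error", f"{name} initiates but Remote IP or hostname is blank"))
        if not spec["initiate"] and spec["key_tries"] == 0:
            findings.append(("warning", f"{name} does not initiate; Key tries 0 would re-key a connection it cannot start"))
    if not (primary["initiate"] or secondary["initiate"]):
        findings.append(("error", "neither gateway is set to initiate the connection"))

    # Authentication material must line up on both ends.
    if primary["authenticate_by"] == "psk":
        if not primary["psk"] or primary["psk"] != secondary["psk"]:
            findings.append(("error", "preshared keys are empty or differ"))
    elif primary["authenticate_by"] == "certificate":
        for name, spec, peer in (("primary", primary, secondary), ("secondary", secondary, primary)):
            if spec["remote_id_value"] != peer["cert_hostname"]:
                findings.append(("error", f"{name} Remote ID value {spec['remote_id_value']!r} "
                                          f"does not match the peer certificate hostname {peer['cert_hostname']!r}"))
    return findings


def check_unknown_peers(tunnels):
    """Tunnels whose Remote IP is blank must all use one authentication method
    and, for PSK, one secret (the limitation the manual gives for PSK mode)."""
    unknown = [t for t in tunnels if not t["remote_ip"]]
    findings = []
    methods = sorted({t["authenticate_by"] for t in unknown})
    if len(methods) > 1:
        findings.append(("error", f"tunnels with blank Remote IP mix authentication methods: {methods}"))
    secrets = {t["psk"] for t in unknown if t["authenticate_by"] == "psk"}
    if len(secrets) > 1:
        findings.append(("error", "tunnels with blank Remote IP use different preshared keys"))
    return findings


def sample_pair(auth):
    """Constructed head-office/branch pair following the manual's example networks."""
    shared = dict(pfs=True, auth_type="ESP", phase1_crypto="AES 256", phase1_hash="SHA",
                  phase2_crypto="AES 256", phase2_hash="SHA", compression=False,
                  authenticate_by=auth, psk="", cert_hostname="", remote_id_value="")
    primary = dict(shared, name="Head Office", local_network="192.168.10.0/255.255.255.0",
                   remote_network="192.168.20.0/255.255.255.0",
                   remote_ip="",              # branch has a dynamic address, so left blank
                   initiate=False, key_tries=3)
    secondary = dict(shared, name="Branch", local_network="192.168.20.0/255.255.255.0",
                     remote_network="192.168.10.0/255.255.255.0",
                     remote_ip="203.0.113.10",  # constructed head-office external address
                     initiate=True, key_tries=0)
    if auth == "psk":
        primary["psk"] = secondary["psk"] = "constructed-example-secret"
    else:
        primary["cert_hostname"], secondary["cert_hostname"] = "fw-head.example.com", "fw-branch.example.com"
        primary["remote_id_value"], secondary["remote_id_value"] = "fw-branch.example.com", "fw-head.example.com"
    return primary, secondary


if __name__ == "__main__":
    for auth in ("certificate", "psk"):
        print(auth, check_pair(*sample_pair(auth)) or "consistent")
    # A deliberately mismatched pair: Phase 1 hash differs and neither side initiates.
    p, s = sample_pair("psk")
    s["phase1_hash"], s["initiate"] = "MD5", False
    for severity, msg in check_pair(p, s):
        print(severity, msg)
```

Run it as a script to see the findings for the constructed pairs, or import it and feed in your own two specifications before clicking Add on the secondary system; every message names the page setting that needs attention.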
About Road Warrior VPNs
This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network.
Advanced Firewall supports two different VPN protocols for creating road warrior connections:
• L2TP – L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
• IPSec – IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 156.
Configuration Overview
Typically, a road warrior connection is configured as follows:
1. Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2. Decide which VPN protocol best suits your road warrior's needs – L2TP for Win 2000/XP, IPSec for all others.
3. Decide which internal networks and what IP ranges to allocate to road warriors.
4. Create the tunnel specification on the Advanced Firewall system.
5. Install the certificate and any necessary client software on the road warrior system and configure it.
6. Connect.
7. Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 75.
When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.
Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers.
When configuring a tunnel, the Client IP setting is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).
Each user requires their own tunnel, so create as many tunnels
as there are road warriors.
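To put the allocation rules above into practice, the following Python helper is an added example, not part of the manual or Smoothwall's own code. It picks unused Client IP addresses from a pool the administrator sets aside, skipping the DHCP range, statically assigned hosts and addresses already given to other road warrior tunnels; validates a proposed Client IP against the rules the manual states; and lists which hosts a given Local network value exposes to an IPSec road warrior, handling both the address/netmask form the manual uses and CIDR. The 192.168.2.0 network, DHCP range, host addresses and existing tunnel addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values for the examples below (not from the manual).
INTERNAL_NET = "192.168.2.0/255.255.255.0"          # internal network road warriors join
POOL = ("192.168.2.240", "192.168.2.254")          # addresses set aside for road warriors
DHCP_RANGE = ("192.168.2.100", "192.168.2.199")    # handed out by the DHCP server
STATIC_HOSTS = ["192.168.2.1", "192.168.2.10", "192.168.2.11"]  # firewall, file and mail servers
EXISTING_TUNNELS = ["192.168.2.240", "192.168.2.241"]          # Client IPs already in use


def allocate_client_ips(network, pool, dhcp_range, static_hosts, assigned, count):
    """Return `count` unused addresses for new road warrior tunnels.

    Candidates come from `pool` (first, last) on `network`; anything inside the
    DHCP range, any statically assigned host and any Client IP already given
    to another tunnel is skipped, as the manual requires.
    """
    net = ipaddress.ip_network(network, strict=True)
    first, last = (ipaddress.ip_address(a) for a in pool)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_range)
    taken = {ipaddress.ip_address(a) for a in list(static_hosts) + list(assigned)}
    free = []
    for host in net.hosts():                # hosts() excludes network and broadcast
        if host < first or host > last:
            continue
        if dhcp_lo <= host <= dhcp_hi or host in taken:
            continue
        free.append(str(host))
        if len(free) == count:
            break
    if len(free) < count:
        raise ValueError(f"only {len(free)} free address(es) in pool on {net}, need {count}")
    return free


def validate_client_ip(client_ip, network, assigned):
    """Return None if `client_ip` is a valid, available address on `network`
    that no other road warrior tunnel uses; otherwise a string saying why not."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net:
        return f"{ip} is not on network {net}"
    if ip in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address of {net}"
    if ip in {ipaddress.ip_address(a) for a in assigned}:
        return f"{ip} is already used by another road warrior tunnel"
    return None


def reachable_hosts(local_network):
    """Hosts an IPSec road warrior can reach for a given Local network value:
    a /32 such as 192.168.2.10/32 exposes that one host; 192.168.2.0/24 (or
    192.168.2.0/255.255.255.0) exposes the whole subnet."""
    net = ipaddress.ip_network(local_network, strict=True)
    if net.num_addresses <= 2:              # /31 or /32: every address is a host
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


if __name__ == "__main__":
    new_ips = allocate_client_ips(INTERNAL_NET, POOL, DHCP_RANGE, STATIC_HOSTS, EXISTING_TUNNELS, 3)
    print("next Client IPs:", new_ips)
    for candidate in ("192.168.2.242", "192.168.2.240", "192.168.3.5"):
        print(candidate, "->", validate_client_ip(candidate, INTERNAL_NET, EXISTING_TUNNELS) or "ok")
    print("single host:", reachable_hosts("192.168.2.10/32"))
    print("whole subnet:", len(reachable_hosts("192.168.2.0/255.255.255.0")), "hosts")
```

Keeping the pool, DHCP range and static host list in one place makes the "unique, unused" requirement checkable each time a tunnel is added, rather than relying on memory of which Client IPs were handed out.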
IPSec Road Warriors
Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:
• Each connection can be routed to a different internal network.
• Each connection can use different types of cryptographic and authentication settings.
• Client software will need to be installed on road warrior systems.
Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.
Creating an IPSec Road Warrior
To create an IPSec road warrior connection:
1. Navigate to the VPN > VPN > IPSec roadwarriors page.
2. Configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Local network: Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/32. Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.
Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.
Local ID value: If you chose a User Specified ID type, enter a local ID value.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.
Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present.
Authenticate by: From the drop-down list, select one of the following options: to use the road warrior's certificate, select it; to use a certificate created by a different CA, choose Certificate presented by peer (authenticating by a named certificate is recommended for ease of management); select Preshared Key to use the global preshared key as defined on the VPN > VPN > Global page.
Use compression: Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
Comment: Enter a descriptive comment, for example: IPSec connection to Joe Blogg's on .240.
3. Click Advanced and enter the following information:
Setting Description
Local certificate: This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 147.
Interface: Used to specify whether the road warrior will connect via an external IP or an internal interface.
Perfect Forward Secrecy: This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type: Provides a choice of ESP or AH security during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES – A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 – A cryptographic hash function producing a 128-bit digest. Recommended for faster performance and compatibility.
SHA – Secure Hashing Algorithm produces a 160-bit digest and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged.
Do not Rekey: Turns off re-keying, which can be useful, for example, when working with NAT-ed end-points.
4. Click Add at the bottom of the page to add the tunnel to the list of current tunnels.
Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.
Supported IPSec Clients
Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:
• SafeNet SoftRemote LT
• SafeNet SoftRemote 10
• SafeNet SoftRemote 9
Creating L2TP Road Warrior Connections
This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:
• All connections share the same, globally specified subnet.
• Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP.
• Very easy to configure.
Creating a Certificate
The first task when creating an L2TP road warrior connection is to create a certificate. For further information, see Creating a Certificate on page 108.
A road warrior certificate is typically created using the user's email address as the certificate ID.
Configuring L2TP and SSL VPN Global Settings
To configure L2TP and SSL VPN global settings:
1. On the VPN > VPN > Global page, configure the following settings:
Setting Description
L2TP and SSL VPN client configuration settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.
2. Click Save.
Creating an L2TP Tunnel
To create an external L2TP road warrior connection:
1. Navigate to the VPN > VPN > L2TP roadwarriors page.
2. Click Advanced to display all settings and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Authenticate by: From the drop-down list, select one of the following options:
Certificate presented by peer – If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management.
Common Name's organization certificate – The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer’s public certificate.
L2TP client OS: From the drop-down list, select the L2TP client’s operating system.
Comment: Enter a descriptive comment.
Advanced: Click Advanced to access more options.
Local certificate: From the drop-down list, select the default local certificate to provide the Advanced Firewall’s default local certificate as proof of authenticity to the connecting road warrior.
Interface: Select PRIMARY.
3. Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.
Configuring an iPhone-compatible Tunnel
Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an iPhone-compatible tunnel entails:
• setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
• creating the tunnel on the VPN > VPN > L2TP roadwarriors page.
Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method, and, in the case of PSK, the same secret.
In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must:
• not have any L2TP or IPSec road warriors, as they use certificates for authentication
• not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown remote IPs, but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.
To configure an iPhone-compatible tunnel:
1. On the VPN > VPN > Global page, configure the following settings:
Setting Description
IPSec Road Warrior (and L2TP) Preshared Key: Preshared key – Enter a strong password which contains more than 6 characters. Again – Re-enter the password to confirm it.
L2TP and SSL VPN client configuration settings: Enter the primary and secondary DNS settings.
2. Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
3. Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4. On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
5. Select Add VPN Configuration and configure the following settings:
6. Select Save to save the tunnel configuration. The tunnel is now ready for use.
Setting Description
Name Enter a descriptive name for the tunnel. For example:
CEO's iPhone.
Enabled Select to activate the tunnel once it has been added.
Client IP Enter a client IP address for this connection. The IP
address must be a
valid and available IP on the globally specified internal
network.
Username Enter a username for this connection.
Password Enter a password for the tunnel.
Again Re-enter the password to confirm it.
Comment Optionally, enter a description of the tunnel.
Authenticate by Preshared key (iPhone compatible) – Select this
option to use the
preshared key entered in step 1..
L2TP client OS From the drop-down list, select Apple (iPhone
compatible).
Setting Description
Description Enter a description for the tunnel.
Server Enter Advanced Firewall’s external IP address.
Account Enter the username as entered in step 2..
RSA SecurID Set to OFF.
Password Enter the password as entered in step 2..
Secret Enter the PSK as configured in step 1..
Send All Traffic Set to ON on for routing to other VPNs.
Proxy Set to OFF.
Setting Description
Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems.
IPSec normally uses Protocol 50 which embeds IP addresses within the data packets – standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic – UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.
Note: NAT-T is a VPN gateway feature, not a NATing feature.
VPNing Using L2TP Clients
This section explains the configuration process for supported Microsoft operating systems.
L2TP Client Prerequisites
To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.
Connecting Using Windows XP/2000
Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Specifically, one particular Windows update is required for L2TP connections to function:
• Q818043 – L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/
• One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.
Installing an L2TP Client
The first step in the connection process is to run the L2TP Client Wizard. You can download it from here (https://na13.salesforce.com/secur/login_portal.jsp?orgId=00D30000001IAxZ&portalId=06030000000ZCsn&startURL=%2F501a0000000VHzj). It is a freely distributable application that automates much of the configuration process.
Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 147.
When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Advanced Firewall system.
To install the L2TP client:
1. Run the L2TP Client Wizard on the road warrior system.
2. View the license and click Next to agree to it.
The following screen is displayed:
3. Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next.
The following dialog opens:
4. Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next.
The following screen is displayed:
5. Ensure that the Launch New Connection Wizard option is selected and click Install.
6. The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7. Click Next.
The following screen is displayed:
8. Select Connect to the network at my workplace and click Next.
9. Select Virtual Private Network connection and click Next.
The following screen is displayed:
10. Enter a name for the connection and click Next.
The following screen is displayed:
11. Enter Advanced Firewall's host name or IP address and click Next.
12. Click Finish. The Connect dialog box is displayed.
13. Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over an IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
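The traffic profile in the note above (IKE on UDP 500, NAT-T on UDP 4500 and/or ESP, with L2TP carried inside IPSec rather than in the clear) can be checked against firewall logs, and UDP 4500 is the UDP encapsulation described under Using NAT-Traversal. The following Python audit is an added example, not part of the Smoothwall manual or the lab; the netfilter-style log lines and the road warrior address 203.0.113.10 are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Flows the manual says a Smoothwall L2TP-over-IPSec road warrior should generate:
# IKE on UDP 500, NAT-T on UDP 4500 (the UDP encapsulation described under
# Using NAT-Traversal), and/or native ESP (IP protocol 50). ESP has no port.
EXPECTED_ROADWARRIOR_FLOWS = {("UDP", 500), ("UDP", 4500), ("ESP", None)}

# KEY=VALUE fields as written by the netfilter LOG target (PROTO=, SPT=, DPT=, ...).
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log lines (not real captures): one road warrior at
# 203.0.113.10 behind NAT, plus an unrelated host at 192.0.2.77.
SAMPLE_LOG = [
    "IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=UDP SPT=500 DPT=500 LEN=308",
    "IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=UDP SPT=4500 DPT=4500 LEN=120",
    "IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=ESP SPI=0x0000c001",
    "IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=UDP SPT=1701 DPT=1701 LEN=60",
    "IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=445 LEN=52",
    "IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40000 DPT=80 LEN=52",
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one netfilter-style log line as a dict."""
    return dict(_FIELD_RE.findall(line))


def classify_flow(proto: str, dport: Optional[int]) -> str:
    """Label one flow from a road warrior: 'expected' or a reason to review it."""
    key = (proto, dport if proto == "UDP" else None)
    if key in EXPECTED_ROADWARRIOR_FLOWS:
        return "expected"
    if proto == "UDP" and dport == 1701:
        # L2TP must travel inside the IPSec tunnel; seeing it in the clear means
        # the IPSec layer is missing, which deserves an alert rather than a whitelist.
        return "review: L2TP outside IPSec"
    return "review: not IKE/NAT-T/ESP"


def audit_roadwarrior_traffic(lines: List[str], roadwarrior_ips) -> List[Tuple[str, str, Optional[int], str]]:
    """Classify every logged flow whose source is a known road warrior address."""
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        src = fields.get("SRC")
        if src not in roadwarrior_ips:
            continue  # other hosts are outside the scope of this check
        proto = fields.get("PROTO", "")
        dport = int(fields["DPT"]) if "DPT" in fields else None
        findings.append((src, proto, dport, classify_flow(proto, dport)))
    return findings


if __name__ == "__main__":
    for src, proto, dport, verdict in audit_roadwarrior_traffic(SAMPLE_LOG, {"203.0.113.10"}):
        print(f"{src:15} {proto:4} {str(dport or '-'):5} {verdict}")
```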
VPNing with SSL
Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the configured directory service, plus the list of local users, gains easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.
Prerequisites
• An installed default local certificate, see Setting the Default Local Certificate on page 112 for more information.
Configuring VPN with SSL
The following section explains how to configure Advanced Firewall for VPNing with SSL.
To configure SSL VPN settings:
1. Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:
Setting Description
Enable SSL VPN: Select to enable SSL VPN on Advanced Firewall.
Transport protocol: Select the network protocol. The following options are available:
TCP (HTTPS) – Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194) – Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
SSL VPN network address: Accept the default network address or enter a new one. SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.
SSL VPN netmask: Accept the default network netmask or enter a new one.
Force clients to use SSL VPN as gateway: Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.
SSL VPN client gateway(s): Usually, a client is configured to use Advanced Firewall's primary external IP address as its gateway. However, if dynamic DNS is used, this will not work. Therefore, you have the option to set one or more different gateways. Enter one IP address or hostname per line. If set, the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. If blank, the primary external IP address of the gateway will be used.
Enable TLS authentication: Select this setting to apply Transport Layer Security (TLS) authentication. TLS authentication can mitigate a denial of service condition.
Note: For systems which have never had VPN configured, this setting is on by default. For systems which have had VPN configured, this setting is off by default.
Choose random gateway: Select this setting to enable clients to connect on a random address when multiple gateways are defined. This is good for load balancing over multiple links.
2. Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.
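Two of the SSL VPN settings above are easy to get wrong: the virtual client subnet must not overlap any physical network (otherwise routing to connected clients breaks), and the client gateway box takes exactly one IP address or hostname per line. The following Python check is an added example rather than Smoothwall code; the physical network list and the settings dict are constructed, and the dictionary keys only mirror the table's setting names for readability.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed physical networks behind the firewall (not taken from the manual).
PHYSICAL_NETWORKS = ["192.168.1.0/24", "10.110.0.0/16", "172.16.5.0/24"]

# Constructed settings as they would be typed into the VPN > VPN > Global page.
# The manual writes the default client subnet as 10.110.0/24; the form asks for
# it as a network address plus a netmask, which is how it is given here.
SAMPLE_SETTINGS = {
    "ssl_vpn_network_address": "10.110.0.0",
    "ssl_vpn_netmask": "255.255.255.0",
    "ssl_vpn_client_gateways": "vpn.example.com\n198.51.100.7\n",
    "enable_tls_authentication": False,
    "transport_protocol": "UDP (1194)",
}

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def ssl_vpn_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Combine the network address and netmask fields into one network object."""
    # strict=True rejects a host address typed into the network address field.
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)


def overlapping_networks(vpn_net: ipaddress.IPv4Network, physical: List[str]) -> List[str]:
    """Return the physical networks that clash with the virtual client range."""
    return [cidr for cidr in physical
            if ipaddress.IPv4Network(cidr, strict=False).overlaps(vpn_net)]


def parse_client_gateways(text: str) -> List[str]:
    """Split the gateway box into entries, one IP address or hostname per line."""
    gateways = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no gateway
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            if not _HOSTNAME_RE.match(entry):
                raise ValueError(f"not an IP address or hostname: {entry!r}")
        gateways.append(entry)
    return gateways


def review_ssl_vpn_settings(settings: Dict, physical: List[str]) -> List[str]:
    """Return the findings a reviewer would raise before clicking Save."""
    findings = []
    vpn_net = ssl_vpn_network(settings["ssl_vpn_network_address"], settings["ssl_vpn_netmask"])
    clashes = overlapping_networks(vpn_net, physical)
    if clashes:
        findings.append(f"client range {vpn_net} overlaps physical network(s): {', '.join(clashes)}")
    gateways = parse_client_gateways(settings.get("ssl_vpn_client_gateways", ""))
    if not gateways:
        findings.append("no client gateway set: clients will use the primary external IP")
    if not settings.get("enable_tls_authentication", False):
        findings.append("TLS authentication is off: enable it to mitigate denial of service")
    if settings.get("transport_protocol", "").startswith("TCP"):
        findings.append("transport is TCP 443: chosen for filter compatibility, not performance")
    return findings


if __name__ == "__main__":
    for finding in review_ssl_vpn_settings(SAMPLE_SETTINGS, PHYSICAL_NETWORKS):
        print("-", finding)
```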
Managing SSL Road Warriors
Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.
Note: On Windows Vista, to ensure that a user gets full VPN connectivity, add the user to the built-in network configuration operator group.
Managing Group Access to SSL VPNs
By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.
To disable a group from using SSL VPN:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. From the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays SSL VPN group settings.
3. De-select the Enable option and click Save. Advanced Firewall disables access.
4. Repeat the steps above for any other groups you want to disable from using SSL VPN.
Managing Custom Client Scripts for SSL VPNs
Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts which can carry out custom commands before or after a VPN comes up or goes down. You can also deploy scripts based on groups.
Uploading Scripts
To upload scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.
3. To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
4. When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.
5. Repeat the steps above to upload connect and disconnect scripts as required.
Removing Scripts
To remove scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.
3. To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.
4. Advanced Firewall removes the script and displays a message confirming a successful removal.
5. Repeat the steps above to remove connect and disconnect scripts as required.
Generating SSL VPN Archives
You can generate an archive of the SSL VPN settings which can be distributed to users. Archives can contain SSL VPN settings and, optionally, custom client scripts.
To generate an SSL client archive:
1. On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 137.
2. If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive; Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.
3. If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 139.
4. Click Generate client archive; Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
5. Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, refer to the Advanced Firewall Operations Guide.
See Configuring and Connecting Clients on page 141 for information on how to install the SSL VPN software on clients.
Note: An archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 141 for more information on internal use.
Configuring SSL VPN on Internal Networks
Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.
To configure SSL VPN on an internal network:
1. On the VPN > VPN > Global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 137.
2. Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.
Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 137 for more information on external use.
4. Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, refer to the Advanced Firewall Operations Guide.
Configuring and Connecting Clients
The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.
Installing the Software
To install the SSL VPN client software:
1. Extract the client archive, see Configuring VPN with SSL on page 137, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard.
The following screen opens:
2. Click Next to continue.
The following screen opens:
3. Read the license and click I agree to continue.
The following screen opens:
4. Accept the default components and click Next to continue.
The following screen opens:
5. Accept the default destination folder or click Browse to select a different destination. Click Install to continue.
The following screen opens:
6. Click Continue Anyway.
The following screen opens:
7. Click Next to continue.
The following screen opens:
8. Click Finish to complete the installation.
Opening an SSL VPN Connection
To open an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Connect.
The following dialog box is displayed:
2. Configure the following settings:
Setting Description
Username: Enter the name of the user account to be used.
Password: Enter the password belonging to the account.
3. Click OK. The SSL VPN connection is opened.
Closing an SSL VPN Connection
To close an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Disconnect.
VPN Zone Bridging
In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured.
L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road warriors also require zone bridging rules, and share their zone bridging configuration with IPSec subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Secure Internal Networking
This part of the manual explains how Advanced Firewall can be used to provide secure internal networking using VPN technology.
An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:
• Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.
• Hidden network access – It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.
There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as their interface.
Creating an Internal L2TP VPN
To create an internal L2TP VPN connection:
1. Navigate to the VPN > VPN > Global page.
2. In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.
3. Optionally, click Advanced and configure the following settings:
Setting Description
Enable NAT-Traversal: NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections, therefore NAT-T can be disabled.
Enable Dead Peer Detection: Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.
Copy TOS (Type Of Service) bits in and out of tunnels: When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules within Traffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic.
4. Click Save.
Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region. If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.
5. Create a certificate for the L2TP client. See Creating a Certificate on page 108.
6. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the connection.
Again: Re-enter the password to confirm it.
Authenticate by: To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
L2TP client OS: From the drop-down list, select the L2TP client's OS.
Comment: Enter a descriptive comment.
7. Click Advanced and, from the Local certificate drop-down list, select Default.
8. Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 133.
Advanced VPN Configuration
The following sections explain how and when you might want to use non-standard configurations of CAs, certificates and tunnel definitions to:
• Allow sites to autonomously manage their own road warriors
• Create VPN links between co-operating organizations
• Create VPN hubs that link networks of networks.
Multiple Local Certificates
In some instances, it may be desirable to install multiple local certificates that are used to identify the same host. There are a number of situations where this might be desirable:
• Autonomous management of road warrior tunnels from multiple sites.
• Autonomous management of site-to-site tunnels from multiple sites.
Multiple local certificates are typically used to de-centralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):
• Country head office ID – This ID would be used by a head office to identify itself to head offices from other countries, to form VPN tunnels that make up the international WAN.
• Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):
• Regional branch office ID – This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.
• Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.
Creating Multiple Local Certificates
This example will demonstrate how to delegate VPN management from an unconfigured master Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary Advanced Firewall system will be responsible for managing site-to-site and road warrior connections within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step most appropriate to your current level of VPN connectivity.
1. On the master system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a local Certificate Authority, see Creating a CA on page 105.
3. Create signed certificates for the master and secondary Advanced Firewall systems, see Managing Certificates on page 108.
4. Install the master signed certificate as the master Advanced Firewall's default local certificate, see Setting the Default Local Certificate on page 112.
5. Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs – IPSec on page 112.
6. Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see Exporting Certificates on page 110.
7. Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 106.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:
1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate on page 107.
3. Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate on page 111.
4. Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 112.
5. Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to Default, see Site-to-Site VPNs – IPSec on page 112.
6. Test the VPN connection.
The next step is to create an additional CA on the secondary Advanced Firewall system. This additional CA will be used to create another local certificate for the secondary Advanced Firewall system, as well as certificates for any further site-to-site or road warrior connections that it will be responsible for managing.
To create an additional CA on the secondary Advanced Firewall system:
1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a new local Certificate Authority, see Creating a CA on page 105.
3. Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 108.
4. Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
5. Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created by the previous step) as the Local certificate.
6. Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
7. Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).
Public Key Authentication
It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other. During authentication, each host uses the other host's public key to decrypt the (private key encrypted) certificate it will be passed as identity credentials.
This configuration does not require the CA that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:
• Simplified internal management, using certificates created by an external Certificate Authority.
• Tunnelling between two separate organizations using certificates created by different (possibly external) CAs.
• Alternative scheme to allow both ends of the tunnel to create their own CA and default local certificates. This would enable each VPN gateway to manage their own site-to-site and road warrior connections. This achieves the same result as the previous technique described in the Multiple Local Certificates section.
Note: The use of public key authentication should not be considered as a direct replacement for a stringent X509 based authentication setup. While public key authentication does use some of the same technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As such, appropriate precautions should be taken when considering implementing this alternative authentication method.
Configuring Both Ends of a Tunnel as CAs
This configuration example uses public key authentication to connect two Advanced Firewall systems, each with their own CA so that they can manage their own site-to-site and road warrior connections.
The following assumptions have been made:
• Two Advanced Firewall systems.
• Each Advanced Firewall has its own CA.
• Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:
1. On both systems, navigate to the VPN > VPN > Certificates page.
2. Export the local certificates from both Advanced Firewall systems using the PEM format, see Exporting Certificates on page 110.
3. Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate on page 111.
149
Advanced Firewall Administration Guide Virtual Private
Networking
4. Create an IPSec site-to-site tunnel specification on the first
Advanced Firewall system, and
select the second Advanced Firewall system's host certificate in
the Authenticate by drop-down
list.
5. Create an IPSec site-to-site tunnel specification on the
second Advanced Firewall system, and
select the first Advanced Firewall system's host certificate in
the Authenticate by drop-down list.
The tunnel can now be established and authenticated between
the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to
autonomously manage its own site-to-site and
road warrior connections by using its own CA to create
additional certificates.
VPNs between Business Partners
To create a VPN between two separate organizations (such as
two firms working together as
partners), it is most likely that an IPSec tunnel will be required.
This may be to a non-Advanced
Firewall system, so a degree of co-ordination will be required to
decide upon a compatible tunnel
specification.
This example uses certificates created by an external,
commercial CA so that each organization can
authenticate certificates presented by the other using a CA that
is independent of both organizations.
This configuration example assumes the following:
• Local Advanced Firewall system.
• Host certificates created by the same commercial CA.
• Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.
• Host certificate, Certificate B, created by the commercial CA for the other organization’s VPN gateway.
Firstly, import the certificate created for the local Advanced
Firewall system (Certificate A).
To import the certificate:
1. On the local system, navigate to the VPN > VPN >
Certificates page.
2. Import Certificate A, see Importing a Certificate on page 111.
Next, import the commercial CA's certificate:
1. On the system, navigate to the VPN > VPN > Certificates
page.
2. Import the CA's certificate according to the file format it was
supplied in, see Importing Another
CA's Certificate on page 107.
Next, configure the local tunnel specification in co-operation
with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is
possible that you could connect to their
network as a road warrior. In either case, full consultation
between both organizations is required to
decide on the configuration options to be used on the respective
VPN gateways.
Follow these steps to create a site-to-site connection:
1. Connect to Advanced Firewall on the Advanced Firewall
system and navigate to the VPN > VPN
> IPSec subnets page.
2. In the local tunnel specification, choose Default local cert
subject or Default local cert subject
alt.name from the Local ID type drop-down list. However, it
may be necessary to use user
specified values if the other VPN gateway is not directly
compatible with Advanced Firewall's
communication of certificate subjects.
3. Choose Certificate A from the Local certificate drop-down
list to ensure that this tunnel overrides
any default local certificate that might be configured.
4. Choose Certificate provided by peer from the Authenticate by drop-down list. This ensures that Advanced Firewall authenticates Certificate B when it is presented by the other organization’s VPN gateway.
5. From the Remote ID type drop-down list, choose the remote ID type that was entered when Certificate B was created with the commercial CA.
6. Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.
Extended Site to Site Routing
A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple networks together by creating a centralized VPN hub. The hub is used to route traffic between different networks and subnets by manipulation of the local and remote network settings in each tunnel specification.
This potentially allows every network to be linked to every other network without the need for a fully routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network can be awkward to configure and maintain.
This configuration example assumes the following:
• Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.
• Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel C connects to Site C.
• Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.
The advantage of this approach is that only one tunnel is
required for each remote network. The
disadvantage is that the central VPN gateway is now routing
traffic not destined for it, thus it requires
additional resources for its bandwidth. Also, the central VPN
creates a single point of failure in the
network. An improved approach would incorporate backup
tunnel definitions that could be used to
create a fail-over VPN hub elsewhere on the network.
Site A Tunnel Definition
A definition for Tunnel A (connecting Site A to Site B) is
required. Use the following local and remote
network settings:
• Local network – 192.168.10.0/255.255.255.0
• Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B
network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this
range falls within the
definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the
range 192.168.30.0 to
192.168.30.255) will also be routed to Site B, as this range also
falls within the definition of the
remote end of Tunnel A. However, this traffic still needs to be
forwarded to Site C to reach its
destination – Tunnel C from Site B will ensure this.
Site B Tunnel Definitions
First, a definition for Tunnel A (connecting Site B to Site A) is
required. Use the following local and
remote network settings:
• Local network – 192.168.0.0/255.255.0.0
• Remote network – 192.168.10.0/255.255.255.0
With this configuration, any traffic destined for the Site A
network (any address in the range
192.168.10.0 to 192.168.10.255) will be routed to Site A, as this
range falls within the
definition of the remote end of Tunnel A.
Next, a definition for Tunnel C (connecting Site B to Site C) is
required. Use the following local and
remote network settings:
• Local network – 192.168.0.0/255.255.0.0
• Remote network – 192.168.30.0/255.255.255.0
With this configuration, any traffic destined for the Site C
network (any address in the range
192.168.30.0 to 192.168.30.255) will be routed to Site C, as this
range falls within the
definition of the remote end of Tunnel C.
Site C tunnel definition
A definition for Tunnel C (connecting Site C to Site B) is
required. Use the following local and remote
network settings:
• Local network – 192.168.30.0/255.255.255.0
• Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B
network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this
range falls within the
definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the
range 192.168.10.0 to
192.168.10.255) will also be routed to Site B, as this range also
falls within the definition of the
remote end of Tunnel C. However, this traffic still needs to be
forwarded to Site A to reach its
destination – Tunnel A from Site B will ensure this.
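The hub-and-spoke selectors described above (and the same arrangement that tutorial Example 3 later builds with Network A as the hub) can be checked on paper before any tunnel is brought up. The Python below is an added example, not part of the Smoothwall guide: it models each site's Local network and Remote network selectors, resolves where each gateway sends a packet, and shows why the hub's tunnels must use the /16 supernet as their local network. The matching rule it assumes (source inside the local network and destination inside the remote network, most specific remote network wins) is a simplification, and the site names and the broken hub configuration are constructed for illustration.

```python
"""Added example (not from the Smoothwall guide): a model of the tunnel
selectors used for hub-and-spoke VPN routing.  Site names, the matching
rule and the misconfiguration below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: IPv4Network   # "Local network" field of the tunnel specification
    remote: IPv4Network  # "Remote network" field of the tunnel specification
    peer: str            # site at the other end of the tunnel


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network     # the site's own local network zone
    tunnels: tuple       # Tunnel objects configured on this gateway


N = ip_network

# Topology from "Extended Site to Site Routing": Site B is the hub, so both
# of its tunnels use the 192.168.0.0/16 supernet as their local network.
EXTENDED = {
    "A": Site("A", N("192.168.10.0/24"), (
        Tunnel("Tunnel A", N("192.168.10.0/24"), N("192.168.0.0/16"), "B"),)),
    "B": Site("B", N("192.168.20.0/24"), (
        Tunnel("Tunnel A", N("192.168.0.0/16"), N("192.168.10.0/24"), "A"),
        Tunnel("Tunnel C", N("192.168.0.0/16"), N("192.168.30.0/24"), "C"))),
    "C": Site("C", N("192.168.30.0/24"), (
        Tunnel("Tunnel C", N("192.168.30.0/24"), N("192.168.0.0/16"), "B"),)),
}

# Topology from tutorial Example 3: Network A (192.168.0.0/24) is the hub.
EXAMPLE3 = {
    "A": Site("A", N("192.168.0.0/24"), (
        Tunnel("Tunnel 1", N("192.168.0.0/16"), N("192.168.12.0/24"), "B"),
        Tunnel("Tunnel 2", N("192.168.0.0/16"), N("192.168.13.0/24"), "C"))),
    "B": Site("B", N("192.168.12.0/24"), (
        Tunnel("Tunnel 1", N("192.168.12.0/24"), N("192.168.0.0/16"), "A"),)),
    "C": Site("C", N("192.168.13.0/24"), (
        Tunnel("Tunnel 2", N("192.168.13.0/24"), N("192.168.0.0/16"), "A"),)),
}


def mirrors(a: Tunnel, b: Tunnel) -> bool:
    """Both ends of one tunnel must be mirror images: the local network
    entered at one end is the remote network entered at the other."""
    return a.local == b.remote and a.remote == b.local


def next_hop(site: Site, src: str, dst: str):
    """Where does this gateway send a packet src -> dst?
    Returns "local" for the site's own LAN, the peer's name when a tunnel
    admits the packet, or None when no selector matches (assumed rule:
    src inside the local network AND dst inside the remote network,
    the most specific remote network winning)."""
    s, d = ip_address(src), ip_address(dst)
    if d in site.lan:
        return "local"
    best = None
    for t in site.tunnels:
        if s in t.local and d in t.remote:
            if best is None or t.remote.prefixlen > best.remote.prefixlen:
                best = t
    return best.peer if best else None


def trace(sites: dict, start: str, src: str, dst: str, max_hops: int = 8):
    """Follow a packet from site to site; returns (path, outcome)."""
    path, here = [start], start
    for _ in range(max_hops):
        hop = next_hop(sites[here], src, dst)
        if hop == "local":
            return path, "delivered"
        if hop is None:
            return path, "no matching tunnel at " + here
        path.append(hop)
        here = hop
    return path, "loop"


def hub_without_supernet():
    """Constructed misconfiguration: the hub's Tunnel C keeps Site B's own
    /24 as its local network instead of the /16, so traffic that Site A
    sends towards Site C is admitted by Tunnel A but never matches Tunnel C
    at the hub."""
    sites = dict(EXTENDED)
    sites["B"] = Site("B", N("192.168.20.0/24"), (
        Tunnel("Tunnel A", N("192.168.0.0/16"), N("192.168.10.0/24"), "A"),
        Tunnel("Tunnel C", N("192.168.20.0/24"), N("192.168.30.0/24"), "C")))
    return trace(sites, "A", "192.168.10.5", "192.168.30.7")


if __name__ == "__main__":
    print("A -> C:", trace(EXTENDED, "A", "192.168.10.5", "192.168.30.7"))
    print("C -> A:", trace(EXTENDED, "C", "192.168.30.7", "192.168.10.5"))
    print("Example 3, B -> C:",
          trace(EXAMPLE3, "B", "192.168.12.4", "192.168.13.9"))
    print("hub without /16:", hub_without_supernet())
    print("Tunnel A ends mirror:",
          mirrors(EXTENDED["A"].tunnels[0], EXTENDED["B"].tunnels[0]))
```

Traffic for a destination the hub has no tunnel for (such as 192.168.40.1) is still pulled into the spoke's tunnel by the /16 and then dropped at the hub, which is worth remembering when reading the IPSec log.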
Managing VPN Systems
The following sections document how to:
• Control VPNs
• Open and close tunnels
• Monitor and report tunnel activity
• Display tunnel logging information
• Update tunnel licensing.
Automatically Starting the VPN System
Advanced Firewall’s VPN system can be set to automatically
start when the system is booted. This
allows road warriors to tunnel in without having to wait for the
system to be started. It also allows
site-to-site tunnels that are initiated on the Advanced Firewall
system to automatically negotiate a
site-to-site connection.
To configure automatic start up:
1. Navigate to the VPN > VPN > Control page.
2. In the Automatic control area, select Start VPN sub-system
automatically.
3. Click Save.
Manually Controlling the VPN System
The following sections explain how to start, restart, stop and view the status of the VPN system.
Starting/Restarting the VPN system
To start or restart the VPN system:
1. Navigate to the VPN > VPN > Control page.
2. Click Restart in the Manual control region.
Stopping the VPN system
To stop the VPN system:
1. Navigate to the VPN > VPN > Control page.
2. Click Stop from the Manual control region.
Viewing the VPN system status
To view the VPN system status:
1. Navigate to the VPN > VPN > Control page.
2. Click Refresh in the Manual control region.
3. View the current status from the Current status information
field.
There are two possible system statuses:
• Running – The VPN system is currently operational; tunnels
can be connected.
• Stopped – The VPN system is not currently operational; no
tunnels can be connected.
Viewing and Controlling Tunnels
All configured tunnels can be viewed and controlled from the
VPN > VPN > Control page.
There are two possible tunnel statuses:
• Open – The tunnel is connected; communication across the
tunnel can be made.
• Closed – The tunnel is not connected; no communication
across the tunnel can be made.
IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec
subnets region of the VPN > VPN >
Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
– Open the tunnel connection
– Close the tunnel connection.
• Remote IP – The IP address of the other end of the tunnel.
IPSec Road Warriors
IPSec road warrior connections are shown in the IPSec road
warriors region of the VPN > VPN >
Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
– Open the tunnel connection
– Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.
• Remote IP – The IP address of the other end of the tunnel.
L2TP Road Warriors
L2TP road warrior connections are shown in the L2TP Road
Warriors region of the VPN > VPN >
Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
– Open the tunnel connection
– Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.
SSL Road Warriors
SSL road warrior connections are shown in the SSL Road
Warriors region of the VPN > VPN >
Control page. The information displayed is:
• Username – The name given to the tunnel.
• Control
– Open the tunnel connection
– Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.
• External IP – The IP address of the other end of the tunnel.
VPN Logging
VPN log entries can be found in the Logs and reports > Logs >
IPSec page.
VPN Tutorials
The following tutorials cover the creation of the main types of
VPN tunnels. The examples build on
each other, i.e. the configuration settings in an example builds
on that of the previous.
Example 1: Preshared Key Authentication
This first example begins with a simple two network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:
We will use Preshared Key authentication initially. This is the easiest to set up.
Configuring Network A
There is no need for a CA or any certificates.
Create a tunnel with the following characteristics; we call this tunnel Tunnel 1. Where a parameter is not listed, leave it at its default value:

Parameter               Description
Name                    Tunnel 1
Local network           Set to the opposite end’s remote network value.
Local ID type           Local IP
Remote IP or hostname   200.0.0.1
Remote network          192.168.12.0/24
Remote ID type          Remote IP (or ANY if blank Remote IP)
Authenticate by         Preshared Key
Preshared Key           loudspeaker
Preshared Key again     loudspeaker

Configuring Network B
Here a single tunnel is created:

Parameter               Description
Name                    Tunnel 1
Local network           Set to the opposite end’s remote network value.
Local ID type           Local IP
Remote IP or hostname   100.0.0.1
Remote network          192.168.0.0/24
Remote ID type          Remote IP (or ANY if blank Remote IP)
Authenticate by         Preshared Key
Preshared Key           loudspeaker
Preshared Key again     loudspeaker

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
To create the zone bridge:
1. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen, please refer to Troubleshooting VPNs on page 217.
To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.
Example 2: X509 Authentication
In this example, the same network as used in Example 1 will be
used, see Example 1: Preshared Key
Authentication on page 156. This time we will improve the
setup by using x509 authentication instead
of PSK.
Configuring Network A
Network A will be configured to be the Certificate Authority in the system.
Begin by going to the Authorities page and setting up the CA. In this example, we list only the required fields. You should, of course, enter values appropriate to your organization:

Parameter      Description
Common Name    Network A Cert Auth
Organization   My Company Ltd

From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation’s hard disk. You will need this file later.
Switch to the certificates page, and create the local certificate. It requires ID information:

Parameter      Description
ID Type        Host & Domain name
ID Value       tunnela.mycompany.com
Common Name    Network A Local Cert

The peer (the Network B machine) needs a certificate too:

Parameter      Description
ID Type        Host & Domain name
ID Value       tunnelb.mycompany.com
Common Name    Network B Cert
Organization   My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.
Now onto the tunnels page. Choose the Network A Local Cert certificate to be the Default local certificate, and press Save. We will restart the VPN shortly to make this change active.
The tunnel specification is a little more complex. Here it is:

Parameter               Description
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Default local cert subject alt. name
Remote IP or hostname   200.0.0.1
Remote network          192.168.12.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnelb.mycompany.com
Authenticate by         Certificate presented by peer

Add the tunnel.
Configuring Network B
The first step is to import the certificates.
To import the certificates:
1. On the Certificate authorities page, import the ca.pem file.
2. On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes.
3. Choose the certificate Network B Cert as the Default local certificate and click Save. The tunnel configuration should look like this:

Parameter               Description
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Default local cert subject alt. name
Remote IP or hostname   100.0.0.1
Remote network          192.168.0.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnela.mycompany.com
Authenticate by         Certificate presented by peer

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificate page. The ID is the same as the Certificate ID. Examine the log for telltale messages.
Example 3: Two Tunnels and Certificate Authentication
We will now add an additional system, Network C, to the VPN network. We want Network C to be able to access both the Network A subnet and Network B.
In Extended Site to Site Routing on page 151, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C, and vice versa.
Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:

Parameter      Description
ID Type        Host & Domain name
ID Value       tunnelc.mycompany.com
Common Name    Advanced Firewall C Cert
Organization   My Company Ltd

Modify the existing tunnel to Network B. All settings are unchanged except:

Parameter      Description
Local subnet   192.168.0.0/16

Notice how this subnet mask now covers all subnets in the VPN.
Now we create a new tunnel to Advanced Firewall C:

Parameter               Description
Name                    Tunnel 2
Local subnet            192.168.0.0/16
Local ID type           Default local cert subject alt. name
Remote IP or hostname   250.0.0.1
Remote network          192.168.13.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnelc.mycompany.com
Authenticate by         Certificate presented by peer

Network B Configuration
Modify the tunnel as follows:

Parameter       Description
Remote subnet   192.168.0.0/16

Network C Configuration
Import the certificate, and then create the tunnel to Network A:

Parameter               Description
Name                    Tunnel 2
Local ID type           Default local cert subject alt. name
Remote IP or hostname   100.0.0.1
Remote network          192.168.0.0/16
Remote ID type          Host & Domain name
Remote ID value         tunnela.mycompany.com
Authenticate by         Certificate presented by peer

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Testing
Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine on the Network A end from both the Network B and Network C networks. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network.
Example 4: IPSec Road Warrior Connection
Now we will add a road warrior, running SafeNet SoftRemote. This road warrior will connect to the Network A gateway.
In addition to being able to access the Network A local network (192.168.0.0/24), the road warrior will be able to access Network B and Network C as well.
The road warrior is required to assume an internal IP on Network A’s local network, in this case 192.168.0.5.
Network A Configuration
Create a certificate with the following properties:

Parameter      Description
Common Name    IPSec road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.
Now create the IPSec road warrior tunnel:

Parameter         Description
Name              IPSec road warrior
Local network     192.168.0.0/16
Local ID type     Default local cert subject
Client IP         192.168.0.5
Remote ID type    Remote IP (or ANY if blank Remote IP)
Authenticate by   Certificate provided by peer
Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.
SoftRemote – Configuration
This tutorial describes setting up the client using a policy
template as a shortcut to getting the
connection up and running. Full details, including detailed
screen shots, are given in Working with
SafeNet SoftRemote on page 167.
After installing the client, begin by going to the Certificate
Manager and importing the ca.pem and
the computercert.p12 certificate.
In the Security Policy Editor, import the template policy,
policytemplate.spd, which is on the
installation CD. This policy file contains most of the input
fields pre-filled with suitable defaults, and
will save a lot of time configuring the client. If you use
different settings to those described in this
tutorial, compression for example, then you will have to modify
those settings.
The following fields need to be filled in after importing the
policy template.
In road warrior:

Parameter            Description
Gateway IP Address   100.0.0.1
Subnet               192.168.0.0
Mask                 255.255.0.0

In My Identity:

Parameter                     Description
Internal Network IP Address   192.168.0.5

After making the changes, remember to save the Security Policy.
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. This works both ways; a machine on the local network can connect to the road warrior.
You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three.
Example 5: L2TP Road Warrior
This example consists of an additional road warrior client, this
time running Microsoft Windows XP
and using Microsoft’s L2TP road warrior client.
Network A Configuration
Create a certificate with the following properties:

Parameter      Description
Common Name    L2TP road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.
Now create the L2TP road warrior tunnel:

Parameter         Description
Name              L2TP road warrior
Authenticate by   Certificate provided by peer
Client IP         192.168.0.6
Username          road warrior
Password          microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.
L2TP Client Configuration
This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see Installing an L2TP Client on page 133.
Begin by using the L2TPWizard to import the two certificates.
After bringing up the New Connection wizard, the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example.
In TCP/IP properties; Advanced settings, you can choose to use the remote network as the default gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the Advanced Firewall B and Advanced Firewall C networks, because the L2TP client does not provide any facilities for setting up remote network masks. In the Connection dialog, enter the username and password as configured on the Advanced Firewall A gateway:

Parameter   Description
Username    road warrior
Password    microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Working with SafeNet SoftRemote
The following sections are a configuration guide for connecting
to the Advanced Firewall VPN
gateway using SafeNet SoftRemote.
Configuring IPSec Road Warriors
First, create a signed certificate for the road warriors. An ID
type is not normally required, although it
does no harm to include one when creating the certificate.
When connected, each road warrior gets an IP address in a
specified local network zone. The IP
address should be a previously unused address and unique to the
road warrior.
Typically, you would choose a group of IP addresses outside of
either the DHCP range, or statically
assigned machines such as servers.
Each road warrior user will need their own IP address. On the
VPN > VPN > IPSec roadwarrior page,
the Client IP field is used to input the particular local network
IP address. Such an IP address must
be in a local network zone and currently unused.
Set the Local ID type to Default local cert Subject, and set the
Authenticate by setting to the certificate
for this road warrior connection. Then add the tunnel.
Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.
When connected, each road warrior client will, to all intents and
purposes, be on the local network
zone. It will be possible to route to other subnets, including
VPN-connected ones. This also means
that other machines in the network can see the client, just as if
it was plugged in directly.
Note: The same advanced options are available as used when
configuring IPSec Subnet VPNs. This
includes the encryption settings, and overriding the default
local certificate.
Using the Security Policy Template SoftRemote
This documentation covers both version 9 and version 10 of this client. Older versions which support Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as version 9. However, you should consider upgrading to at least version 9 because of known security-related problems with version 8.
We also recommend that the LT versions of this software be
used, which do not incorporate Zone
Alarm. Configuration of Zone Alarm will not be covered in this
manual.
NAT-T is handled automatically by this client. No extra
configuration is required. Check the log
messages in the client to see if NAT-T mode is being used as
expected.
1. After installation, open the Certificate Manager. In the Root
CA’s tab, import a CA .PEM from
Advanced Firewall.
2. In the My Certificates tab, import a .P12. Enter the export password, and a short time later the certificate should appear in the list. Select the certificate, and click Verify (on the right). You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is valid.
3. Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of the settings to suitable values, saving you from the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy.
4. Import the Security Policy template, policytemplate.spd,
which can be found in the extras
folder on the installation CD. After importing this policy, a
single connection, named road
warrior will become available.
5. Assuming the Advanced Firewall gateway is using the
standard settings for its road warrior
clients, i.e. those described above, only a handful of settings
must be entered. In the road
warrior section:
6. Enter the Remote Subnet, Mask and the gateway’s hostname
(or IP address).
7. In the My Identity section, enter the Internal Network IP Address:
8. Enter the Internal Network IP Address.
All other fields will be pre-filled. Obviously, if you are not
using standard settings, as described
in D.1, then you will have to modify those particular settings.
For instance, if you are using
compression, then you will have to enable it in the client.
9. Save the settings, and close the Security Policy Editor.
10. To bring up the connection to the Advanced Firewall
gateway, you must send it a packet. The
easiest way to do this is by pinging a host on the remote
network. After a series of Request
timed out messages you should start to get packets back,
indicating that the VPN is up (you will
also notice the system tray icon change).
Creating a Connection without the Policy File
We will now describe how to set up the client without using the security policy template.
Before creating the connection, you must activate a special
feature within the client which allows you
to specify a local network zone IP address for the client to take
when it connects to the VPN gateway.
1. Select Global Policy Settings from the Options menu. A
window will appear, and you should tick
the box marked Allow to specify internal network address.
2. Now go back to the tree control on the left and choose the
New Connection node. You can
rename this to something more appropriate, like road warrior. In
this node, configure the remote
Subnet address and Mask.
3. Choose Secure Gateway Tunnel from the Connect using drop-
down list, and select an ID Type
of Any. You should then enter either a Gateway IP Address or
Gateway Hostname.
4. Next, move to the My Identity node. Select the certificate you imported earlier. The ID type’s default, the Distinguished Name (another name for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
5. In the Internal network IP, enter the local network zone IP
address (the Client IP) that was
specified when the tunnel was created.
6. Create a new Phase 1 security policy: select 3DES encryption and MD5 as the hashing algorithm. Set the key group to 5, and choose an SA Life of 3000 seconds. This period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds), so that the client always initiates re-keying before the gateway's SA expires. (3DES and MD5 are legacy algorithms; where both the client and the gateway support stronger ones, prefer those.)
7. Finally, create a Phase 2 security policy, again with 3DES and MD5, in tunnel mode. Tick the ESP box. On this page you can also select whether to use compression, and set the key life settings.
8. Once again, set the SA Life to 3000 seconds.
9. Test as before, by initiating a connection to a host on the
Remote Network. Diagnostic logs are
available through the tool bar icon.
Advanced Configuration
Using the configuration previously described, the selected
certificate will be required by the client in
order to obtain a connection. This method is usually desired, but
in other cases an Authenticate by
setting of Certificate provided by peer can be more useful,
especially if the client certificates are not
installed onto the VPN gateway server.
It is also possible to restrict (or extend) the hosts that the road
warrior can access on the local
network zone. This is done by adjusting the Local network
parameter in the tunnel configuration. For
example, if you wish to restrict the connected road warriors so
that they can only contact a specific
IP address, for example 192.168.2.10, then you could set the
Local network parameter to
192.168.2.10/32. Note that this setting is a network address, so
you must always specify a network
mask, even if that network mask covers only a single host.
If the VPN server the road warrior connects to is routed onto
other networks such as subnet VPNs
or other local network zones, the Local network setting can
likewise be expanded to cover them.
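The Local network parameter above is a network address, which is why a single host needs a /32 mask. The following added example (not part of the guide, nor Smoothwall's code) shows how such entries should be validated and how the tunnel scope decides which destinations a road warrior can reach; the address list is constructed for illustration, and 10.20.0.0/16 stands in for an additional local network zone of the kind the previous paragraph describes.

```python
import ipaddress

# Constructed sample entries for a tunnel's Local network parameter.
# The single-host entry carries the /32 mask the guide requires.
SAMPLE_LOCAL_NETWORKS = ["192.168.2.10/32", "10.20.0.0/16"]


def parse_local_networks(entries):
    """Parse the Local network entries of a road-warrior tunnel.

    Every entry must be a network address with an explicit mask. A bare
    host ("192.168.2.10") is rejected rather than silently treated as /32,
    and an entry whose host bits are set ("192.168.2.10/24") is rejected
    because the address and the mask disagree about what is allowed.
    """
    networks = []
    for entry in entries:
        if "/" not in entry:
            raise ValueError(f"{entry!r}: a network mask is required (use /32 for one host)")
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"{entry!r}: {exc}") from None
        networks.append(net)
    return networks


def tunnel_permits(networks, destination):
    """True if the road warrior may reach 'destination' through the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in networks)


def reachable(networks, destinations):
    """Filter destination addresses down to those inside the tunnel scope."""
    return [d for d in destinations if tunnel_permits(networks, d)]


if __name__ == "__main__":
    nets = parse_local_networks(SAMPLE_LOCAL_NETWORKS)
    for dst in ["192.168.2.10", "192.168.2.11", "10.20.5.7"]:
        print(dst, "permitted" if tunnel_permits(nets, dst) else "blocked")
```

Rejecting entries with host bits set matters more than it looks: an entry such as 192.168.2.10/24 is probably a typo for either the single host or the whole subnet, and accepting it as the subnet would silently widen what the road warrior can reach.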
Visit the support portal and knowledge base for information on
setting up other clients.
Support portal: https://na13.salesforce.com/secur/login_portal.jsp?orgId=00D30000001IAxZ&portalId=06030000000ZCsn&startURL=%2F/ui/solution/SolutionBrowserPage?cid=02n30000000Ej32
9 Authentication and User
Management
This chapter describes how to configure authentication methods,
and manage users, including:
• Configuring Global Authentication Settings on page 174
• About Directory Servers on page 175
• Managing Local Users on page 185
• Managing Groups of Users on page 186
• Mapping Groups on page 188
• Managing Temporarily Banned Users on page 189
• Managing User Activity on page 191
• About SSL Authentication on page 192
• Managing Kerberos Keytabs on page 196
Advanced Firewall Administration Guide Authentication and
User Management
Configuring Global Authentication Settings
Configuring global authentication settings entails setting login
timeout, the number of concurrent
login sessions allowed and the type of authentication logging
you require.
To configure log-in and logging settings:
1. Navigate to the Services > Authentication > Settings page.
2. Configure the following settings:
Setting Description
Login timeout (minutes) – Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the time-out period.
Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out. For more information, see About the Login Time-out on page 213.
Concurrent login sessions (per user) – Determines how many logins are allowed per user. The following options are available: No limit – Select this option to allow an unlimited number of logins per user; or enter the number of logins you want to allow users.
Logging level – Determines the type of authentication logging you want. The following options are available:
Normal – Select this option to log user login and LDAP server information.
Verbose – Select this option to log user login and LDAP server information, plus request, response and result information. This option is useful when troubleshooting possible authentication issues.
3. Click Save changes. Advanced Firewall applies the changes.
Tip: Encourage users to pro-actively log-out of the system to
ensure that other users of their
workstation cannot assume their privileges if login time-out is
yet to occur.
About Directory Servers
The Advanced Firewall authentication service is designed to
enable Advanced Firewall to connect to
multiple directory servers in order to:
• Retrieve groups configured in directories, and apply network
and web filtering permissions to
users based on group membership within directories
• Verify the identity of a user who is trying to access network or
Internet resources.
Once the connection to a directory service has been configured,
Advanced Firewall retrieves a list of
the groups configured in the directory and maps them to the
groups available in Advanced Firewall.
When the groups have been mapped, permissions and network
access permissions in the filtering
and outgoing sections can be granted on the basis of group
membership.
For information on how authentication works and interacts with
other systems, see User
Authentication on page 211.
Currently, Advanced Firewall supports the following directory servers:
Directory Description
Microsoft Active Directory® – For more information, see Configuring a Microsoft Active Directory Connection on page 176. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 181.
Novell eDirectory™, Apple® / Open LDAP, 389 Directory – Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 177.
RADIUS – Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page 179.
Local users – A directory of Advanced Firewall local users. For more information, see Configuring a Local Users Directory on page 184.
Configuring a Microsoft Active Directory Connection
The following sections explain the prerequisites for Microsoft
Active Directory and how to configure
Advanced Firewall to work with Microsoft Active Directory.
Prerequisites for Active Directory
Before you configure any settings for use with Active
Directory:
• On the Networking > Interfaces > Interfaces page, check that
the primary, and optionally
the secondary, DNS server containing the Active Directory
information is specified correctly.
This DNS server is used by Advanced Firewall for name
lookups. For more information, see
Advanced Firewall and DNS on page 213.
• In Active Directory, choose or configure a non-privileged user
account to use for joining the
domain. Advanced Firewall stores this account’s credentials, for
instance, when backing-up
and replicating settings.
Note: We strongly recommend that you do not use an
administrator account.
The account that you use needs permission to modify the
Computers container. To delegate
these permissions to a non-privileged user account, choose
Delegate Control on the
Computers container, create a custom task to delegate and, for
Computer objects, grant the
full control, create and delete privileges.
• Ensure that the times set on Advanced Firewall and your
Active Directory server are
synchronized using NTP. For more information, refer to the
Advanced Firewall Operations
Guide.
Configuring an Active Directory Connection
The following section explains what is required to configure a
connection to Active Directory.
To configure the connection:
1. On the Services > Authentication > Directories page, click
Add new directory.
2. In the Add new directory dialog box, select Active Directory
and configure the following
settings:
Setting Description
Status Select Enabled to enable the connection.
Domain Enter the full DNS domain name of the domain. Other
trusted domains will
be accessible automatically.
Username Enter the username of the user account.
Password Enter the password for the user account.
Confirm Re-enter the password to confirm it.
3. Click Add. Advanced Firewall adds the directory to its list of
directories and establishes the
connection.
4. You must map Active Directory groups to Advanced Firewall
groups. For a detailed description
of how to do this, see Mapping Groups on page 188.
Configuring an LDAP Connection
The following section explains what is required to configure a
connection to an eDirectory, Apple /
OpenLDAP or 389 directory server.
To configure an LDAP connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
Setting Description
Status – Select Enabled to enable the connection.
LDAP server – Enter the directory's IP address or hostname.
Note: If using Kerberos as the bind method, you must enter the hostname.
Username – Enter the username of a valid account in LDAP notation. The format depends on the configuration of the LDAP directory. Normally it looks something like this:
cn=user,ou=container,o=organization
This is what Novell eDirectory refers to as tree and context. A user in the tree Organization and in the context Sales would have the LDAP notation:
cn=user,ou=sales,o=organization
For Apple Open Directory, when not using Kerberos, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org
Consult your directory documentation for more information.
Password – Enter the password of a valid account.
Note: A password is not required if using simple bind as the bind method.
Confirm – Re-enter the password to confirm it.
Bind method – Accept the default bind method, or from the drop-down list, select one of the following options:
TLS (with password) – Select to use Transport Layer Security (TLS).
Kerberos – Select to use Kerberos authentication.
Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication. Any credentials sent over a simple bind are not protected on the wire.
Kerberos realm – If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root – Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local
In LDAP form, the top level of the directory is seen as dc=mycompany,dc=local. OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.
Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Group search roots – Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local
Apple Open Directory uses the form: cn=groups,dc=example,dc=org
Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Cache timeout (minutes) – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords remain valid for longer, i.e. until the cache timeout has passed.
Comment – Optionally, enter a comment about the directory.
3. Optionally, click Advanced to access and configure the advanced settings (LDAP port, extra user and group search roots, extra realms and Kerberos realm discovery), described below.
4. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
5. You must map LDAP groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.
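The Username, user search root and group search root settings all take LDAP distinguished names, and a directory object that sits outside the configured search root is simply never found by the firewall. The following added example, which is not Smoothwall code, parses DNs (including values with escaped commas, which a naive split on "," gets wrong), checks whether a user lies under a search root, builds the bind-DN forms quoted in the settings table, and narrows a domain base by an OU as the note suggests. The directory entries are constructed for illustration.

```python
# RFC 4514 distinguished-name handling for the Username and search root
# fields of an LDAP directory connection. Added example, not Smoothwall
# code; the directory entries below are constructed for illustration.

# Bind-DN shapes quoted in the settings table, keyed by directory type.
BIND_DN_FORMATS = {
    "edirectory": "cn={user},{container}",   # container: ou=sales,o=organization
    "openldap": "cn={user},{container}",     # container: ou=sales,o=organization
    "apple": "uid={user},{container}",       # container: cn=users,dc=example,dc=org
}

SAMPLE_USER_DNS = [
    "cn=alice,ou=sales,o=organization",
    "cn=bob,ou=engineering,o=organization",
    "cn=Smith\\, Carol,ou=sales,o=organization",   # escaped comma inside the value
    "uid=dave,cn=users,dc=example,dc=org",
]


def parse_dn(dn):
    """Split a DN into a list of (attribute, value) RDNs, leaf first.

    Backslash-escaped characters are kept inside the value, so a comma
    within a name does not start a new RDN. Attribute types are lowered
    because they are case-insensitive; values are returned as written.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def dn_is_under(dn, search_root):
    """True if 'dn' is at or below 'search_root' in the directory tree.

    Search roots match by suffix: a user outside the subtree is invisible
    to the firewall even though the account exists in the directory.
    Value comparison is case-insensitive, as for DirectoryString syntax.
    """
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    r = [(a, v.lower()) for a, v in parse_dn(search_root)]
    return len(r) <= len(d) and d[len(d) - len(r):] == r


def narrow_search_root(domain_base, ou):
    """Prepend an organizational unit to a domain base, as the guide
    suggests for large directories (ou=userunit in front of dc=...)."""
    return f"ou={ou},{domain_base}"


def bind_dn_for(directory_type, user, container):
    """Build the Username value in the notation the directory type expects."""
    return BIND_DN_FORMATS[directory_type.lower()].format(user=user, container=container)


def users_visible_from(search_root, user_dns):
    """Which of the given user DNs a search from 'search_root' can reach."""
    return [dn for dn in user_dns if dn_is_under(dn, search_root)]
```

The multi-domain note in the table follows from the same suffix rule: a search root set to a child domain cannot reach users in a sibling domain, so only the top level domain works as a root for the whole forest.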
Advanced LDAP settings
Clicking Advanced in the Add new directory dialog box makes the following additional LDAP settings available:
Setting Description
LDAP port – Accept the default or enter the LDAP port to use.
Note: LDAPS (SSL) will be used automatically if you enter port number 636.
Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
Extra group search roots – Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter one search root per line. For more information, see Working with Large Directories on page 214.
Extra realms – This setting enables you to configure subdomains manually, as opposed to automatically using DNS. Use the following format:
<realm><space><kdc server>
For example:
example.org kdc.example.org
Enter one realm per line.
Discover Kerberos realms through DNS – Only available if you have selected Kerberos as the bind method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Comment – Optionally, enter a comment about the directory.
Configuring a RADIUS Connection
You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) server as an authentication service.
Prerequisites
Before you configure any settings:
• Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.
Configuring the Connection
To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select RADIUS and configure the following settings:
Setting Description
Status – Select Enabled to enable the connection.
RADIUS server – Enter the hostname or IP address of the RADIUS server.
Secret – Enter the secret shared with the server.
Confirm – Re-enter the secret to confirm it.
Action on login failure – Select one of the following:
Try next directory server – Select this option if users in RADIUS are unrelated to users in any other directory server.
Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
Identifying IP address – Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
Obtain groups from RADIUS – If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Cache timeout (minutes) – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Port – Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
Comment – Optionally, enter a comment about the directory.
3. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
4. You must map RADIUS groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.
Note that you must use the same RADIUS group names as configured for the group_attribute parameter in your RADIUS server. For more information, refer to your RADIUS server documentation.
Configuring an Active Directory Connection – Legacy
Method
Note: This is the legacy method of configuring an Active
Directory connection. For a simpler
method, we recommend that you use the latest method, see
Configuring a Microsoft Active Directory
Connection on page 176 for more information.
The following sections explain the prerequisites for Microsoft
Active Directory and how to use the
legacy method to configure Advanced Firewall to work with
Microsoft Active Directory.
Prerequisites for Active Directory
Before you configure any settings for use with Active
Directory:
• Run the Advanced Firewall Setup program and check that the
DNS server containing the Active
Directory information is specified correctly. This DNS server is
used by Advanced Firewall for
name lookups. For more information, see Advanced Firewall
and DNS on page 213 and the
Advanced Firewall Getting Started Guide.
• Check that DNS reverse lookup is configured on the Active
Directory DNS server for the Active
Directory servers.
• Ensure that the times set on Advanced Firewall and your
Active Directory server are
synchronized.
Note: Do not use the administrator account as the lookup user.
Often the administrator account will
not have a Windows 2000 username, preventing the account
from being used by the authentication
service.
Configuring an Active Directory Connection
Configuring an Active Directory connection entails specifying
server details and optionally the
Kerberos realm to use, search roots and any advanced settings
required.
To configure the connection:
1. Navigate to the Services > Authentication > Directories page.
2. In the Add directory server area, from the Directory server
drop-down list, select Active
Directory and click Next. Advanced Firewall displays the
settings for Active Directory.
3. Configure the following settings:
Setting Description
Status – Select Enabled to enable the connection.
Active Directory server – Enter the directory server's full hostname.
Note: For Microsoft Active Directory, Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Advanced Firewall and DNS on page 213 for more information.
Username – Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Active Directory on page 214.
Password – Enter the password of a valid account.
Confirm – Re-enter the password to confirm it.
Cache timeout (minutes) – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords remain valid for longer, i.e. until the cache timeout has passed.
Kerberos realm – Optionally, select Automatic or enter the Kerberos realm.
User search root – Optionally, to configure Advanced Firewall to start looking for user accounts at the top level of the directory, select Automatic. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Group search root – Optionally, to configure Advanced Firewall to start looking for user groups at the top level of the directory, select Automatic. Or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local
Note: Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured.
Comment – Optionally, enter a comment about the directory server and the settings used.
Enabled – Select this option to enable the connection to the directory server.
4. Optionally, click Advanced to access and configure the following settings:
Setting Description
LDAP port – Accept the default, or enter the LDAP port to use.
Discover Kerberos realms through DNS – Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Use sAMAccountName – This setting applies when using Microsoft Windows NT4 or older installations. Select this option to use the sAMAccountName in place of the userPrincipalName.
NetBIOS workgroup – This setting applies when using NTLM authentication with Guardian. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup.
Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots – Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Working with Large Directories on page 214.
Extra realms – This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. Use the following format:
<realm><space><kdc server>
For example:
example.org kdc.example.org
Enter one realm per line.
5. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
6. You must map Active Directory groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.
Configuring a Local Users Directory
Advanced Firewall stores user account information comprised
of usernames, passwords and group
membership in local user directories so as to provide a
standalone authentication service for network
users.
To configure a local users directory:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Local users and configure the following settings:
Setting Description
Status – Select Enabled to enable the connection.
Name – Accept the default name or enter a new name.
Comment – Optionally, enter a comment about the directory.
3. Click Add. Advanced Firewall adds the directory to its list of directories. For information on adding and managing local users, see Managing Local Users on page 185.
Reordering Directory Servers
Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.
To reorder directory servers:
1. On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2. Repeat the step above for any other directories you want to move.
3. Click Save moves. Advanced Firewall applies the changes.
Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.
Editing a Directory Server
To edit a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2. Make the changes required; see About Directory Servers on page 175 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.
Deleting a Directory Server
To delete a directory server:
1. On the Services > Authentication > Directories page, point to
the directory server and click
Delete. When prompted, confirm that you want to delete the
directory. Advanced Firewall
deletes the server.
Diagnosing Directories
It is possible to review a directory’s status and run diagnostic
tests on it.
To diagnose a directory:
1. On the Services > Authentication > Directories page, point to
the directory server and click
Diagnose. Advanced Firewall displays current directory
connection, user account and status
information.
Tip: You can diagnose multiple directories at the same time.
Select the directories and click
Diagnose.
Managing Local Users
Advanced Firewall stores user account information comprised
of usernames, passwords and group
membership in local user directories so as to provide a
standalone authentication service for network
users.
Adding Users
To add a user to a local user directory:
1. On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Advanced Firewall displays any current local users.
2. Click Add new user. In the Add new user dialog box, configure the following settings:
Setting Description
Enabled – Select to enable the user account.
Username – Enter the user account name.
Password – Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password – Re-enter the password to confirm it.
Select group – From the drop-down menu, select a group to assign the user account to.
3. Click Add. Advanced Firewall saves the information.
4. Repeat the steps above to add more users.
Editing Local Users
To edit an existing user's details:
1. On the Services > Authentication > Directories page, click on
the local user directory
containing the user account you want to edit. Advanced Firewall
displays current local users.
2. Point to the user account and click Edit. In the Edit user
dialog box, make the changes required.
See Adding Users on page 185 for more information on the
settings available.
3. Click Save changes. Advanced Firewall applies the changes.
Deleting Users
To delete users:
1. On the Services > Authentication > Directories page, click on
the local user directory
containing the user account(s) you want to delete. Advanced
Firewall displays current local
users.
2. Point to the user account and click Delete. When prompted,
confirm that you want to delete
the account. Advanced Firewall deletes the account.
3. Repeat the steps above to delete other accounts.
Managing Groups of Users
The following sections discuss groups of users and how to
manage them.
About Groups
Advanced Firewall uses the concept of groups to provide a
means of organizing and managing
similar user accounts. Authentication-enabled services can
associate permissions and restrictions to
each group of user accounts, thus enabling them to dynamically
apply rules on a per-user account
basis.
Local users can be added or imported to a particular group, with
each group being organized to
mirror an organization’s structure. Groups can be renamed by
administrators to describe the users
that they contain.
Currently, Advanced Firewall supports 1000 groups and by default contains the following groups:
Group Description
Unauthenticated IPs – The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
Note: This group cannot be renamed or deleted.
Default Users – Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
Note: This group cannot be renamed or deleted.
Banned Users – The purpose of this group is to contain users who are banned from using an authentication-enabled service.
Note: This group cannot be renamed or deleted.
Network Administrators – This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.
Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000 groups.
To add a group:
1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:
Field Description
Name – Enter a name for the group.
Comment – Optionally, enter a comment.
3. Click Add. Advanced Firewall creates the group and lists it.
Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. In the Edit group dialog box, enter the following information:
Field Description
Name – When renaming a group, enter a new name.
Comment – Edit or enter a new comment.
187
Advanced Firewall Administration Guide Authentication and
User Management
3. Click Save changes. Advanced Firewall applies the changes.
Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1. On the Services > Authentication > Groups page, select the
group(s) and click Delete.
2. When prompted to confirm the deletion, click Delete.
Advanced Firewall deletes the group(s).
Mapping Groups
Once you have successfully configured a connection to a
directory, you can map the groups
Advanced Firewall retrieves from the directory in order to apply
permissions and restrictions to the
users in the groups.
Note: These instructions are only for directories, not for those configured as Local users. For a detailed description of how to map local users, see Managing Local Users on page 185.
To map directories to Advanced Firewall groups, do the
following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and click Add new
group mapping.
3. Configure the following parameters:
— Depending on the directory service configured, add or select the directory group to map from.
— From the drop-down menu, select the relevant Advanced Firewall group.
— Select this option to enable or disable the group mapping.
4. Click Add.
Remapping Groups
It is possible to change group mappings.
To remap groups, do the following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and select the relevant
group mapping.
3. Click Edit.
4. Change the Directory group and/or the Local group as required.
5. Click Save changes.
Deleting Group Mappings
It is possible to delete group mappings.
To delete one or more group mappings, do the following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and select the relevant
group mapping.
3. Click Delete.
4. Click Delete to confirm the deletion.
Managing Temporarily Banned Users
Advanced Firewall enables you to temporarily ban specific user
accounts. When temporarily banned,
the user is added to the Banned users group.
Note: You can apply any web filtering policy to the Banned
users group.
Creating a Temporary Ban
Note: Only administrators and accounts with Temp ban access
can manage banned accounts. For
more information, refer to the Advanced Firewall Operations
Guide.
To ban an account temporarily:
1. Navigate to the Services > Authentication > Temporary bans
page.
2. Click Add new temporary ban. In the Add new temporary ban
dialog box, configure the
following settings:
Setting – Description
Status – Select Enabled to enable the ban immediately.
Username – Enter the user name of the account you want to ban.
Ban expires – Click and select when the ban expires.
Comment – Optionally, enter a comment explaining why the account has been banned.
3. Click Add. Advanced Firewall enforces the ban immediately.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. For more information, refer to the Advanced Firewall Operations Guide.
Tip: There is also a ban option on the Services > Authentication > User activity page, for more information, see Managing User Activity on page 191.
Removing Temporary Bans
To remove a ban:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.
Removing Expired Bans
To remove bans which have expired:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have expired.
Managing User Activity
Advanced Firewall enables you to see who is logged in and who
has recently logged out. You can
also log users out and/or ban them.
Viewing User Activity
To view activity:
1. Navigate to the Services > Authentication > User activity
page.
Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication.
Recently logged out users are listed for 15 minutes.
Logging Users Out
To log a user out:
1. On the Services > Authentication > User activity page, point
to the user you want to log out
and click Log user out. Advanced Firewall logs the user out
immediately and lists them as
logged out.
Note: Logging a user out is not the same as blocking a user
from accessing web content.
Connection-based authentication will automatically log the user
back in. If the user is using SSL login,
they will be prompted to authenticate again.
Banning Users
To ban a user:
1. On the Services > Authentication > User activity page, point
to the user you want to ban
and click Ban user. Advanced Firewall copies the user’s
information and displays it on the
Services > Authentication > Temporary bans page where you
can configure the ban. For more
information, see Creating a Temporary Ban on page 189.
About SSL Authentication
Advanced Firewall provides SSL Login as a built-in
authentication mechanism which can be used by
authentication-enabled services to apply permissions and
restrictions on a customized, per-user
basis.
When SSL Login is configured, network users requesting port
80 for outbound web access will be
automatically redirected to a secure login page, the SSL Login
page, and prompted for their user
credentials.
The SSL Login page can be manually accessed by users wishing
to pro-actively authenticate
themselves, typically where they need to use a non-web
authentication-enabled service, for example,
group bridging, or where only a small subset of users require
authentication.
SSL Login authentication works by dynamically adding a rule
for the IP address of each authenticated
user, thus allowing SSL Login redirection to be bypassed for
authenticated users. When an
authenticated user logs out or exceeds the time-out limit, the
rule is removed and future outbound
requests on port 80 will again cause automatic redirection to the
SSL Login.
Customizing the SSL Login Page
When using SSL as an authentication method, it is possible to
customize the title image, background
image and message displayed on an SSL login page.
Customizing the Title Image
It is possible to customize the title image displayed on the SSL
login page.
To upload a custom title image:
1. Browse to the Services > Authentication > SSL login page.
2. Click the Title image Browse/Select file button. Using your
browser’s controls, locate and
select the file.
3. Click Save changes. Advanced Firewall uploads the file and
makes it available on the SSL login
page.
Customizing the Background Image
It is possible to customize the background image used on an
SSL login page.
To upload a background image:
1. On the Services > Authentication > SSL login page, click the
Background image Browse/
Select file button. Using your browser’s controls, locate and
select the file.
2. Click Save changes. Advanced Firewall uploads the file and
makes it available on the SSL login
page.
Removing Custom Files
To remove a custom file:
1. Browse to the Services > Authentication > SSL login page.
2. To remove the title image, adjacent to Title image, click
Delete.
3. To remove the background image, adjacent to Background
image, click Delete.
Customizing the Message
It is possible to provide users with a customized message.
To customize the login message:
1. Navigate to the Services > Authentication > SSL login page.
2. In the Customize SSL Login area, enter your custom message
in the SSL login page text box.
3. Click Save changes to apply the new message.
Reviewing SSL Login Pages
You can review SSL Login pages.
To review the SSL Login page:
1. In the web browser of your choice, enter your Advanced Firewall system’s IP address and /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Advanced Firewall displays the SSL login page.
Configuring SSL Login
Note: If you add Guardian to an Advanced Firewall installation which does not have SSL login configured, the SSL login redirection section will not be available.
If you add Guardian to an Advanced Firewall installation which
already has SSL login configured,
ensure that SSL Login redirection is not enabled both on
interface(s) on this page and in a web proxy
authentication policy. For more information on web proxy
authentication policies, refer to the
Guardian Administration Guide.
SSL Login authentication is configured on a per-interface basis.
To configure SSL Login:
1. Navigate to the Services > Authentication > SSL login page.
2. In the SSL login redirection area, select each interface on
which you want to activate SSL
Login.
3. Click Save changes. Advanced Firewall enables SSL Login
on the selected interfaces.
Creating SSL Login Exceptions
SSL Login exceptions can be created in order to prevent certain
hosts, ranges of hosts or subnets
from being automatically redirected to the SSL Login page.
Tip: This option is useful when you want to avoid requiring servers to authenticate.
To create an SSL login exception:
1. Browse to the Services > Authentication > SSL login page.
2. Locate the SSL login redirection area. In the Redirect
exception addresses field, enter an IP
address, IP range or subnet that should not be redirected to the
SSL Login.
3. Repeat the step above on a new line for each further
exception you want to make.
4. Click Save changes.
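The redirection and exception behaviour described in this section (a bypass rule per authenticated IP that is removed on logout or time-out, exception addresses that are never redirected), as an added Python model that is not Smoothwall's code: the time-out is modelled as an idle time-out and the host/range/CIDR syntax for exception entries is assumed, since the guide does not state either.

```python
import ipaddress
from typing import Dict, List, Tuple


def parse_exception(text: str):
    """Parse one line of the Redirect exception addresses field.

    Syntax assumed here: a single host ("192.168.1.10"), a range
    ("192.168.1.100-192.168.1.110") or a subnet ("192.168.2.0/24").
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes range start: {text}")
        return ("range", int(lo), int(hi))
    if "/" in text:
        return ("net", ipaddress.ip_network(text, strict=False))
    return ("host", ipaddress.ip_address(text))


def _matches(exc, ip) -> bool:
    kind = exc[0]
    if kind == "host":
        return ip == exc[1]
    if kind == "net":
        return ip in exc[1]
    return exc[1] <= int(ip) <= exc[2]


class SslLoginRedirector:
    """Model of the SSL Login decision for outbound port-80 requests.

    A bypass "rule" is added for the source IP at login and removed at
    logout or when the idle time-out is exceeded (idle semantics assumed).
    """

    def __init__(self, exceptions: List[str], timeout_seconds: int):
        self.exceptions = [parse_exception(e) for e in exceptions if e.strip()]
        self.timeout = timeout_seconds
        # source IP -> (user name, time of last seen traffic); one entry per bypass rule
        self.rules: Dict[str, Tuple[str, float]] = {}

    def login(self, ip: str, user: str, now: float) -> None:
        """Called after a successful SSL Login: add the bypass rule for this IP."""
        self.rules[str(ipaddress.ip_address(ip))] = (user, now)

    def logout(self, ip: str) -> None:
        """Explicit logout removes the rule immediately."""
        self.rules.pop(str(ipaddress.ip_address(ip)), None)

    def expire(self, now: float) -> List[str]:
        """Remove rules whose idle time exceeds the time-out; return the removed IPs."""
        stale = [ip for ip, (_, seen) in self.rules.items() if now - seen > self.timeout]
        for ip in stale:
            del self.rules[ip]
        return stale

    def active_rules(self) -> List[str]:
        return sorted(self.rules)

    def decide(self, src_ip: str, dst_port: int, now: float) -> str:
        """Return "pass" or "redirect" for an outbound connection from src_ip."""
        if dst_port != 80:
            return "pass"  # only port 80 is redirected to the SSL Login page
        ip = ipaddress.ip_address(src_ip)
        if any(_matches(e, ip) for e in self.exceptions):
            return "pass"  # exception addresses (servers etc.) are never redirected
        self.expire(now)
        key = str(ip)
        if key in self.rules:
            user, _ = self.rules[key]
            self.rules[key] = (user, now)  # traffic keeps the session alive
            return "pass"
        return "redirect"  # i.e. to the firewall's /login page


if __name__ == "__main__":
    r = SslLoginRedirector(["192.168.1.10", "192.168.2.0/24"], timeout_seconds=600)
    print(r.decide("192.168.1.50", 80, 0))   # redirect
    r.login("192.168.1.50", "alice", 0)
    print(r.decide("192.168.1.50", 80, 10))  # pass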
Managing Kerberos Keytabs
Note: When using Microsoft Active Directory for
authentication, Kerberos keys are managed
automatically. For other directory servers, it is necessary to
import keytabs manually, see the
following section for information on how to do this.
A Kerberos keytab is a file which contains pairs of Kerberos
principals and encrypted keys. By
importing and using Kerberos keytabs, Advanced Firewall
services, such as authentication, can use
the interoperability features provided by Kerberos.
For information on using Kerberos as the authentication method
in authentication policies, refer to the
Advanced Firewall Operations Guide.
Adding Keytabs
The following section explains how to add Kerberos keytabs
into Advanced Firewall.
For information on generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to get a keytab from Active Directory.
To add a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Click Add new keytab and configure the following settings:
Setting – Description
Status – Accept the default setting to enable the keytab.
Name – Enter a descriptive name for the keytab.
File – Using your browser, locate and select the keytab.
Comment – Optionally, enter a comment to describe the keytab.
3. Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.
Managing Keytabs
The following sections explain how to enable, view, edit and
delete Kerberos keytabs.
Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to
disable a Kerberos keytab when required,
for example, when troubleshooting.
To disable a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs
page.
2. In the Installed Kerberos keytabs area, point to the keytab
and select Edit.
3. In the Edit keytab dialog box, clear the Enabled option. Click
Save changes to save the
setting. Advanced Firewall disables the keytab.
Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs
page.
2. In the Installed Kerberos keytabs area, point to the keytab
and select Edit.
3. In the Edit keytab dialog box, click the keytab’s display
arrow. Advanced Firewall displays the
content.
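What "pairs of Kerberos principals and encrypted keys" looks like on disk, and what an administrator can check before importing a keytab, as an added Python example that is not Smoothwall's code: it parses the MIT keytab format (version 0x0502), lists principal, kvno and encryption type without exposing key bytes, and flags deprecated encryption types; the sample keytab is constructed inline with dummy all-zero keys.

```python
import struct
from dataclasses import dataclass
from typing import List

# Encryption type numbers from RFC 3961, RFC 3962, RFC 4757 and RFC 8009.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}  # DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429)


@dataclass
class KeytabEntry:
    principal: str    # "comp1/comp2@REALM"
    name_type: int    # 1 = KRB5_NT_PRINCIPAL
    timestamp: int    # seconds since the Unix epoch
    kvno: int
    enctype: int
    key_length: int   # only the length is kept; key bytes are never exposed

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"enctype {self.enctype}")


def _read_counted(buf: bytes, off: int):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def encode_entry(principal: str, timestamp: int, kvno: int, enctype: int,
                 key: bytes, name_type: int = 1) -> bytes:
    """Encode one entry; used here only to build the constructed sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # a deleted entry occupies |size| bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        if end - off >= 4:    # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, len(key)))
        off = end
    return entries


def weak_entries(entries: List[KeytabEntry]) -> List[str]:
    """Principals whose keys use deprecated encryption types."""
    return [e.principal for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed sample: an AES entry, a deleted slot, then an RC4 entry; all-zero dummy keys.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + encode_entry("HTTP/proxy.example.test@EXAMPLE.TEST", 1700000000, 3, 18, bytes(32))
    + struct.pack(">i", -6) + bytes(6)
    + encode_entry("HTTP/proxy.example.test@EXAMPLE.TEST", 1700000000, 3, 23, bytes(16))
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal} kvno={e.kvno} {e.enctype_name} ({e.key_length}-byte key)")
    print("deprecated enctypes:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```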
Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs
page.
2. In the Installed Kerberos keytabs area, point to the keytab
and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.
Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs
page.
2. In the Installed Kerberos keytabs area, point to the keytab
and select Delete.
3. When prompted to confirm the deletion, click Delete.
Advanced Firewall deletes the keytab.
10 Centrally Managing Smoothwall Systems
This chapter describes how to configure and maintain a centrally managed Smoothwall system, including:
• About Centrally Managing Smoothwall Systems on page 199
• Setting up a Centrally Managed Smoothwall System on page 200
• Managing Nodes in a Smoothwall System on page 205
• Using BYOD in a Centrally Managed System on page 209
About Centrally Managing Smoothwall Systems
Advanced Firewall’s central management enables you to
monitor and manage nodes in a
Smoothwall system.
A Smoothwall system is comprised of an instance of a
Smoothwall product running as a parent node
and one or more compatible Smoothwall products running as
child nodes being managed by the
parent node.
Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system, for more
information, see Setting up a
Centrally Managed Smoothwall System on page 200
• Actively monitoring the nodes in the system, for more
information, see Monitoring Node Status
on page 206
• Applying updates, for more information, see Scheduling and
Applying Updates to One or More
Nodes on page 207
• Rebooting nodes as required, for more information, see
Rebooting Nodes on page 208
• Disabling nodes as required, for more information, see
Disabling Nodes on page 209.
199
Advanced Firewall Administration Guide Centrally Managing
Smoothwall Systems
Pre-requirements
Before you start to set up a centrally managed Smoothwall
system:
• Check that all the Smoothwall machines you intend to include
in the system have the latest
updates applied. For more information, refer to the Advanced
Firewall Operations Guide
• Check that you have administrator access to all of the
computers you want to include in the
system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.
Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child nodes settings, installing the central
management key and enabling SSH on
child nodes
• Adding child nodes to the system.
Configuring the Parent Node
The first step when configuring a Smoothwall system is to
configure the parent node in the system.
To configure the parent node:
1. Log in to the instance of Advanced Firewall you want to
function as the parent node.
2. Browse to the System > Central management > Local node
settings page.
3. Configure the following settings:
Setting – Description
Local node options – Parent node – Select this option to enable central management and configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4. Click Save. This instance of Advanced Firewall becomes the parent node and can be used to centrally manage the Smoothwall system.
Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH enabled.
To configure a child node:
1. On the system’s parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:
Setting – Description
Local node options – Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys – Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3. On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
Setting – Description
Local node options – Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys – Upload central management key – Using your browser’s controls, browse to and select the key. Click Save to upload the key to the child node. Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3. and step 4. above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 202 for more information.
Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system.
You can add nodes:
• Manually by adding each node separately, see Manually Adding Child Nodes on page 202
• By importing node information from a CSV file, for more information, see Importing Nodes into the System on page 203.
Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Add node and configure the following settings:
Setting – Description
Node details – Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – Enter the IP address or hostname of the child node.
Comment – Optionally, enter a comment describing the child node.
Node settings – Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, refer to the Advanced Firewall Operations Guide.
Central logging – Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node’s logs on the child node itself.
Allow parent to monitor status – Select to enable central monitoring for the child node.
Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. Note: Currently, this option only applies to Advanced Firewall with Guardian installed. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2. and step 3. for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 206.
Importing Nodes into the System
If child node information is available in a comma separated format (CSV) file, you can import it directly into the parent node.
About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:
Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment
The possible values for the fields are as follows:
Field – Value
Name – The node name. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – The IP or hostname of the node. This field is required.
Central logging – Determines if central logging is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. Note: Do not enable this option if you want to access the child node’s logs on the child node itself.
Monitor status – Determines if central monitoring is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Central resources – Determines if resources are managed by the parent. This field is required. Note: Currently, this option only applies to Advanced Firewall with Guardian installed. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Replication profile – The name of the replication profile used on the node. This field is optional and may be empty. For more information, refer to the Advanced Firewall Operations Guide.
Enabled – Determines if the node settings are enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Comment – A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
For full information on what the settings do, see Manually Adding Child Nodes on page 202.
Importing Node Information
The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 203.
To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.
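A pre-import check for a node CSV file against the rules in About the CSV File (8 fields per line, the yes/on/1 and no/off/0 values, the ASCII-only name and comment character sets, and names that would overwrite an existing node), as an added Python example that is not Smoothwall's code; the hostname syntax rule and the sample file are assumptions constructed here.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, Set, Tuple

FIELDS = ["Name", "IP/hostname", "Centrallogging", "Monitorstatus",
          "Centralresources", "Replicationprofile", "Enabled", "Comment"]
BOOL_FIELDS = ("Centrallogging", "Monitorstatus", "Centralresources", "Enabled")
TRUE_VALUES, FALSE_VALUES = {"yes", "on", "1"}, {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops only; Unicode is not
# supported, so the character classes are deliberately ASCII-only.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")
COMMENT_RE = re.compile(r"^[A-Za-z0-9 _.]*$")
# Hostname rule is an assumption (RFC 1123 labels); the guide only says "IP or hostname".
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_flag(value: str) -> bool:
    """Map the documented enable/disable spellings to a bool (case-insensitive, assumed)."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"expected yes/on/1 or no/off/0, got {value!r}")


def valid_host(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_row(lineno: int, row: List[str]) -> Dict[str, object]:
    """Validate one CSV record; raise ValueError naming the line on the first problem."""
    if len(row) != len(FIELDS):
        raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
    rec: Dict[str, object] = dict(zip(FIELDS, (v.strip() for v in row)))
    if not rec["Name"] or not NAME_RE.match(rec["Name"]):
        raise ValueError(f"line {lineno}: invalid or missing node name {rec['Name']!r}")
    if not rec["IP/hostname"] or not valid_host(rec["IP/hostname"]):
        raise ValueError(f"line {lineno}: invalid IP/hostname {rec['IP/hostname']!r}")
    for field in BOOL_FIELDS:
        try:
            rec[field] = parse_flag(rec[field])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {field}: {exc}") from None
    if not COMMENT_RE.match(rec["Comment"]):
        raise ValueError(f"line {lineno}: comment contains unsupported characters")
    return rec


def validate_csv(text: str, existing_nodes: Set[str]
                 ) -> Tuple[List[Dict[str, object]], List[str], List[str]]:
    """Return (accepted records, errors, warnings) for a node import file."""
    records, errors, warnings = [], [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        try:
            rec = validate_row(lineno, row)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if rec["Name"] in existing_nodes:
            # The import still proceeds; the guide says the existing node is overwritten.
            warnings.append(f"line {lineno}: node {rec['Name']!r} exists and will be overwritten")
        records.append(rec)
    return records, errors, warnings


# Constructed sample file: two acceptable rows and three with typical mistakes
# (bad flag value, only 7 fields, non-ASCII name).
SAMPLE_CSV = """\
fw_branch_01,10.10.1.1,yes,on,no,,1,Branch office
fw_branch_02,fw2.example.test,0,off,maybe,,yes,Second branch
fw_branch_03,10.10.3.1,1,1,0,profile_a,1
fw_core,10.10.0.1,no,yes,no,,yes,Replaces the existing core node
fw_ünicode,10.10.4.1,yes,yes,no,,yes,
"""

if __name__ == "__main__":
    ok, errs, warns = validate_csv(SAMPLE_CSV, existing_nodes={"fw_core"})
    print(len(ok), "rows accepted;", *errs, *warns, sep="\n")
```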
Editing Child Node Settings
When required, it is possible to edit child node settings.
To edit a child node’s settings:
1. Browse to the System > Central management > Child nodes
page, locate the node you
want to edit and click Edit node.
2. Make the changes required, see Manually Adding Child
Nodes on page 202 for full information
on the settings.
3. Click Confirm, review the changes and then click Save to
save and implement the changes.
Deleting Nodes in the System
It is possible to delete nodes that are no longer required in the
system.
To delete a node:
1. On the System > Central management > Child nodes page,
locate the node you want to delete
and click Delete node. When prompted, click Delete to confirm
the deletion.
2. Repeat the step above for any other nodes you want to delete.
Managing Nodes in a Smoothwall System
Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary
Monitoring Node Status
The central management node overview on the parent node
displays a list of all of the nodes in the
Smoothwall system. It also displays the nodes’ current status
and whether updates for the nodes are
available.
To monitor node status:
1. On the parent node, browse to the System > Central
management > Overview page. The
parent node displays current node status, for example:
Node information is contained in the following fields:
Field – Description
Name – The Name field displays the name of the node. Click on the name to log in to the node.
Status – The Status field displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 207. The following statuses are possible:
OK – the node is functioning and does not require attention.
Critical – the node requires immediate attention. Click on the node’s status field for more information.
Warning – the node does not require immediate attention but should be checked for problems. Click on the node’s status field for more information.
Updates – The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 207. Click on the Updates text to display detailed information on the node.
Accessing the Node Details Page
It is possible to view detailed information on a node by
accessing the node details page.
To access a node details page:
1. On the parent node, browse to the System > Central
management > Overview page.
2. Locate the node you want more information on and click on
its Status text. Advanced Firewall
displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.
Working with Updates
You can review and apply updates to a node as they become
available. You can also apply updates
to one or more nodes immediately or at a later date.
Reviewing and Applying Available Updates to a Node
You can review and apply updates to a node as they become
available.
To review and apply updates:
1. On the parent node, browse to the System > Central
management > Overview page.
2. Click the Updates tab and then click the Status field of the
node. The node details are
displayed.
3. Click on the Updates line to review detailed information
about the updates available. To apply
the updates to the node, click Schedule update. The Schedule
node update page is displayed.
4. In the Install updates area, select one of the following options:
Option – Description
Now – Select to apply the updates to the node immediately.
Later – From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.
Scheduling and Applying Updates to One or More Nodes
You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3. In the Install updates area, select one of the following options:
Option – Description
Now – Select to apply the update(s) to the node(s) immediately.
Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.
Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear the updates.
Rebooting Nodes
When required, you can reboot a child node from the system’s parent node.
To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
Option – Description
Now – Select to reboot the node immediately.
Later – From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.
Disabling Nodes
It is possible to disable nodes locally and system-wide.
Disabling Nodes Locally
You may need to work on a child node in a system and, e.g.
want to stop replication settings from
being applied by the parent. You can do this by disabling the
child node locally.
To disable a node locally:
1. On the node you want to disable, browse to the System >
Central management > Local
node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the step above for any other nodes in the system that
you want to disable.
Note: On the parent node, on the System > Central management
> Overview page, nodes that have
been disabled locally will be listed as Node uncontactable.
Disabling Nodes System-wide
You may need to disable a child node in a system, e.g. in the
case of hardware failure. You can do
this by disabling the child node system-wide.
To disable a node system-wide:
1. On the parent node, browse to the System > Central
management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that
you want to disable system-wide.
Using BYOD in a Centrally Managed System
It is possible to provide a “bring your own device” (BYOD)
service in a centrally managed Smoothwall
System.
In such a configuration, you can choose to have a single node,
typically the parent node, receive
RADIUS requests and forward them onto the other RADIUS
servers, or have a number of nodes act
as the RADIUS server for the network access server (NAS) for
authentication requests, authorization
requests, accounting packets, or a mixture of all three.
For a detailed description of how to configure Advanced
Firewall to support a BYOD service,
including an example of a centrally managed implementation,
refer to the Advanced Firewall
Operations Guide.
Appendix A: User
Authentication
In this appendix:
• Overview
• Advanced Firewall and DNS
• Working with Large Directories
• Active Directory
• About Kerberos
Overview
Advanced Firewall's authentication system enables the identity
of internal network users to be
verified, such that service permissions and restrictions can be
dynamically applied according to a
user's group membership.
• Identity verification – authenticate users by checking supplied
identity credentials, for example,
usernames and passwords, against known user profile
information.
• Identity confirmation – provide details of known authenticated
users at a particular IP address.
Verifying User Identity Credentials
In order to authenticate users, Advanced Firewall must be able
to verify the identity credentials,
usernames and passwords, supplied by network users.
Credentials are verified against the
authentication system's local user database.
Network users must provide their identity credentials when
using an authentication-enabled service
for the first time. If the credentials cannot be verified by the
authentication system, i.e. a matching
username and password cannot be found in the local user
database, the user's identity status will
be set to 'Unauthenticated'. Unauthenticated users are usually
granted limited, or sometimes no,
access to authentication-enabled services.
A user that is authenticated can be described as being logged in.
About Authentication Mechanisms
All authentication-enabled services use the authentication
system to discover what users are
accessing them. Once a particular user is known, an
authentication-enabled service can enforce
customized permissions and restrictions. Authentication-enabled
services can interact with the
authentication system in the following ways:
• Passive interrogation of whether there is an already-
authenticated user at a particular IP
address, and if so their details
• Active provision of user-supplied identity credentials, for
onward authentication.
The means by which these two types of interactions are
combined and implemented defines a
particular named authentication mechanism.
The Core Authentication Mechanism
This is a special type of authentication mechanism that uses the
first interaction method exclusively,
i.e. it only ever asks the authentication system whether there is
a known user at a particular IP
address. If the user has not been authenticated by any other
authentication mechanism, the user's
status is returned by the authentication system as
'Unauthenticated'.
Other Authentication Mechanisms
All other authentication mechanisms use a combination of the
previously discussed interactions.
Such mechanisms usually interrogate the authentication system
to determine if the user at the
requesting IP has already been authenticated. If the user has
been authenticated, appropriate
permissions and restrictions can be enforced by the requesting
service.
However, if the user is currently unauthenticated, the second
type of interaction occurs – i.e. the
requesting service pro-actively provides end-user identity
credentials to the authentication system,
for onward authentication. Thus, it follows that such
authentication mechanisms must also provide
an appropriate means of collecting end-user identity credentials.
Choosing an Authentication Mechanism
As discussed in the preceding sections, all authentication-
enabled services must use some kind of
authentication mechanism to interact with the authentication
system. Some authentication-enabled
services offer no choice of mechanism used – in such cases, the
authentication mechanism will
always be 'Core authentication'.
About the Login Time-out
The login time-out is the length of time that a user's
authenticated status will last once they are
authenticated. Time-out does not occur if Advanced Firewall
can determine that the same user is still
active – for example, by seeing continued web browsing from
the same user. However, if Advanced
Firewall sees no activity from a particular user for the length of
time specified by the time-out period,
the user's authenticated status will be invalidated.
The login time-out affects the load on the local system. Lower
time-out values increase the frequency
of re-authentication requests. A value of 10 minutes is effective
for most networks. Time-out values
that are too low may adversely affect system performance,
resulting in failed login attempts.
However, longer time-outs increase the risk of a new user at the
same IP address being granted
inappropriate rights, if the original user fails to pro-actively
log-out.
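To make the trade-off concrete, the following is an added example, not code from the Smoothwall guide or the product itself: a small Python model of an IP-to-user table with an idle time-out, of the kind the passive interrogation described above relies on. The IP address, user names and clock values (seconds on a constructed clock) are constructed for illustration.

```python
"""Model of an IP-to-user authentication table with an idle time-out, as an
added illustration of the login time-out trade-off. Not the product's own
code; addresses, user names and clock values are constructed."""


class AuthTable:
    """Maps a client IP to the authenticated user seen there, expiring the
    association once no activity is seen for timeout_s seconds."""

    def __init__(self, timeout_s):
        self.timeout_s = timeout_s
        self.sessions = {}          # ip -> (username, time of last activity)
        self.reauth_prompts = 0     # how often a client had to log in again

    def login(self, ip, user, now):
        self.sessions[ip] = (user, now)

    def logout(self, ip):
        self.sessions.pop(ip, None)

    def whois(self, ip, now):
        """Passive interrogation by a service: who is at this IP right now?
        Activity refreshes the idle timer; an idle entry is invalidated."""
        entry = self.sessions.get(ip)
        if entry is None:
            self.reauth_prompts += 1
            return None
        user, last_seen = entry
        if now - last_seen > self.timeout_s:
            del self.sessions[ip]
            self.reauth_prompts += 1
            return None
        self.sessions[ip] = (user, now)
        return user


def inherited_identity(timeout_s, gap_s, ip="10.0.0.5"):
    """alice authenticates from ip at t=0 and leaves without logging out.
    gap_s seconds later a different person, reusing the same address (for
    example via DHCP), starts browsing. Returns the identity the firewall
    attributes that traffic to: 'alice' means the newcomer inherited her rights."""
    table = AuthTable(timeout_s)
    table.login(ip, "alice", now=0)
    return table.whois(ip, now=gap_s)


def reauth_prompts_for(timeout_s, activity_times, ip="10.0.0.5"):
    """Count how often a single user browsing at the given times (seconds)
    is asked to authenticate again; this is the cost side of a short time-out."""
    table = AuthTable(timeout_s)
    for t in activity_times:
        if table.whois(ip, now=t) is None:
            table.login(ip, "alice", now=t)
    return table.reauth_prompts


if __name__ == "__main__":
    print("newcomer after 5 min, 10 min time-out:", inherited_identity(600, 300))
    print("newcomer after 5 min, 1 min time-out:", inherited_identity(60, 300))
    print("re-auth prompts, 10 min time-out:", reauth_prompts_for(600, [0, 120, 900, 1000, 2000]))
```

With a 10 minute time-out the newcomer who appears 5 minutes after the original user walked away is still identified as that user; with a 1 minute time-out they are not, but the same user browsing intermittently is prompted far more often.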
Advanced Firewall and DNS
Advanced Firewall’s authentication service uses internal DNS
servers for name lookups. Internal DNS
servers are specified using Advanced Firewall’s setup program.
Advanced Firewall’s DNS proxy server uses external DNS
servers for name lookups. External DNS
servers are specified when setting up an Advanced Firewall
connectivity profile.
In this way, Advanced Firewall can be configured to use an
internal DNS server and the internal DNS
server can, in turn, be configured to use Advanced Firewall as
its DNS forwarder.
A Common DNS Pitfall
Often Advanced Firewall is configured so that an internal DNS
server is configured as the primary
DNS server and an external DNS server configured as the
secondary DNS server.
This is not the correct way to configure DNS servers on any
client. DNS is a system that was
designed to be able to respond to any request by redirecting
questions to the DNS servers
responsible for the various registered domains on the public
Internet. This means the client assumes
that it does not matter which DNS server it uses, as all DNS
servers will have access to the same
information. With the proliferation of private networks and
internal DNS zones, this no longer is the
case.
A DNS client will behave in the following way when looking up a host:
• If it receives a "host not found" (NXDOMAIN) reply, the client treats it as final and will NOT ask the other configured DNS servers
• If a DNS server does not answer, the client will try another configured DNS server
• The client does not reliably ask the primary server first; any of the configured DNS servers may be asked
Taking the above conditions into account, it is clear that a DNS configuration that mixes an internal DNS server and an external DNS server in the same client list will not work, or at least will not work reliably: whenever the external server is asked for an internal name, it answers "host not found" and the lookup fails.
The internal DNS server that holds the Active Directory
information needs to be configured so it can
resolve external hostnames. The easiest way to do this is to
configure the DNS server to use a
forwarder, like Advanced Firewall’s DNS proxy server.
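The behaviour just described, as an added example that is not part of the Smoothwall guide: a small Python model of a stub resolver following the three client rules above (NXDOMAIN is final, only a server that does not answer is skipped, server order is not fixed). The two servers, their zone contents and the names looked up are constructed; the firewall's DNS proxy is stood in for by the external server that the internal server forwards to.

```python
"""Model of the stub-resolver behaviour described under 'A Common DNS Pitfall'.
Added example, not from the Smoothwall guide; the servers, zone contents and
query names below are constructed for illustration."""
import random

NXDOMAIN = "NXDOMAIN"   # authoritative "no such name": the client stops asking
SERVFAIL = "SERVFAIL"   # no usable answer from this server: the client tries the next one

# Constructed zones: the internal server holds the AD zone, the external one public names.
INTERNAL_ZONE = {"dc1.domain.local": "192.168.1.10", "fw.domain.local": "192.168.1.1"}
PUBLIC_ZONE = {"www.example.com": "93.184.216.34"}


class DnsServer:
    def __init__(self, name, zone, forwarder=None, up=True):
        self.name, self.zone, self.forwarder, self.up = name, zone, forwarder, up

    def query(self, qname):
        if not self.up:
            return SERVFAIL
        if qname in self.zone:
            return self.zone[qname]
        if self.forwarder is not None:       # e.g. AD DNS forwarding to the firewall's DNS proxy
            return self.forwarder.query(qname)
        return NXDOMAIN                      # a server with no forwarder says "no such name"


def resolve(qname, servers, rng):
    """Client rules from the guide: server order is not fixed, NXDOMAIN is accepted
    as final, and only a server that does not answer makes the client move on."""
    order = list(servers)
    rng.shuffle(order)
    for srv in order:
        answer = srv.query(qname)
        if answer != SERVFAIL:
            return answer
    return SERVFAIL


def nxdomain_rate(qname, servers, trials=1000, seed=1):
    """Fraction of lookups that end in NXDOMAIN although some server knows the name."""
    rng = random.Random(seed)
    failures = sum(resolve(qname, servers, rng) == NXDOMAIN for _ in range(trials))
    return failures / trials


isp_dns = DnsServer("isp", PUBLIC_ZONE)                           # external: knows no AD names
ad_dns = DnsServer("ad-dns", INTERNAL_ZONE, forwarder=isp_dns)   # internal, forwarding outwards

MIXED = [ad_dns, isp_dns]      # the pitfall: internal primary plus external secondary
INTERNAL_ONLY = [ad_dns]       # the fix: internal server only, which forwards external names


def failover_demo(seed=3):
    """A dead server is skipped: failover exists, but only for servers that do not answer."""
    dead = DnsServer("dead", {}, up=False)
    return resolve("dc1.domain.local", [dead, ad_dns], random.Random(seed))


if __name__ == "__main__":
    for name in ("dc1.domain.local", "www.example.com"):
        print(f"{name}: mixed {nxdomain_rate(name, MIXED):.0%} NXDOMAIN, "
              f"internal-only {nxdomain_rate(name, INTERNAL_ONLY):.0%} NXDOMAIN")
    print("internal name with dead first server:", failover_demo())
```

Against the mixed list roughly half of the lookups for an internal name end in NXDOMAIN, against the internal-only list none do, and public names resolve either way; the failover case shows that listing a second server only helps when the first one does not answer at all.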
Working with Large Directories
The Additional Group search roots option enables you to
specify several OUs in which to search for
groups.
When dealing with large directories, a search through the entire
directory can take a long time and
make the Advanced Firewall Include groups page unwieldy to
manage.
Normally, a specified group search root can help in narrowing
the scope of where to search for
groups, but if groups are distributed in multiple OUs, one group
search root may not be enough.
Consider, for example, a directory with 5000 users and 2500
groups.
Setting the group search root to the top level of the directory
would result in an Include groups page
with 2500 entries. This would probably take a long time to load
and be hard to get an overview of.
The administrator of the Active Directory domain has 2 OUs,
where the groups to be mapped are
located. In the groups search root, the administrator enters the
path for the primary OU and in the
additional groups search, the second OU is entered:
User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local
The above example is for a multi domain Active Directory
installation, where the second OU is in the
sub-domain sub1. Remember that multiple groups can be
mapped to the same Advanced Firewall
permissions group.
Active Directory
The following sections describe the usernames and group membership that must be configured correctly in order to successfully implement Active Directory-based authentication.
Active Directory Username Types
A user account in an Active Directory (Windows 2000 or later) domain has two types of username:
• A Windows 2000+ username, the user principal name (UPN), which takes the form user@domain
• An old style Windows NT 4 username (the pre-Windows 2000 logon name, or sAMAccountName), which has no domain attached to it.
When a Windows 2000+ domain has been migrated from a legacy Windows NT 4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.
In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username (UPN) needs to be present on each account.
Accounts and NTLM Identification
When using NTLM identification against an Active Directory server that has been set up without pre-Windows 2000 access permissions, the account Advanced Firewall uses for directory lookups needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the Builtin container in the Active Directory Users and Computers snap-in.
About Kerberos
The following sections document Kerberos pre-requisites and
list some points to try if
troubleshooting.
Kerberos Pre-requisites and Limitations
The following are pre-requisites and known limitations when
using Kerberos as an authentication
method:
• Forward and reverse DNS must be working
• All clocks must be in sync; more than 5 minutes of clock drift (the Kerberos default tolerance) will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.
Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations above
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the short form does not work
• Did the user log on before the keytab was created? Try logging off then on again.
• Did the user log on before Advanced Firewall joined the domain? Try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs:
  • use the same encryption type (cryptography) in the keytab as that used by the client
  • write the Kerberos realm in uppercase
  • include service principals for both the short and the fully qualified forms of each hostname.
Appendix B:
Troubleshooting VPNs
In this appendix:
• Site-to-site Problems
• L2TP Road Warrior Problems
• Windows Networking Issues
Site-to-site Problems
All the PCs that are to participate in the VPN need to be fully
operational and visible on the network
before attempting to install and configure VPN software.
Check that it is possible to ping the IP address of the RED
(Internet) NIC on both Smoothwall
Systems. Failure to get a ping echo would indicate that:
• The remote Advanced Firewall is not running
• You have the wrong IP address for the remote Advanced
Firewall
• There is a network connection problem – check routers, hubs
and cables etc.
• There is a problem at your Internet Service Provider
• Advanced Firewall has ping disabled via the admin interface
• Verify IP addresses by checking the Networking > Interfaces >
Interfaces page for the
appropriate Ethernet card.
• Check the routing information displayed in Advanced
Firewall's status page, there must be a
default route (gateway).
• Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, ESP uses IP protocol 50 and AH uses IP protocol 51; the IKE key exchange uses UDP port 500 (and UDP port 4500 when NAT traversal is in use). In particular, if the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets.
• To simplify the problem, attempt to get a connection with
shared secrets before moving on to
certificates.
• Verify the symmetry in the tunnel specification, i.e. that the
IDs, IP addresses and Remote
network addresses are mirrored. This is where most people
make mistakes.
• Each node on the VPN network must have its own unique
certificate. At least one field in the
subject must be different. The subject is a composite of the
information fields supplied when the
certificate is created. Likewise the Alt (Alternative) Name field
must be unique for each certificate.
Obviously fields like company name can be common to all
certificates.
• A different local network address must be configured at both
ends of the tunnel; they cannot
both use the default of 192.168.0.0. Likewise, ensure there is no
conflict with another network
address. Be consistent with IDs. For example:
• Hosts on static IPs should use the hostname for the gateway as
the ID.
• Hosts on dynamic IPs should use the administrator's email
address.
• Clients should usually not use an ID, unless they are using an
unusual client that requires one.
L2TP Road Warrior Problems
The most likely problem with L2TP road warriors is
establishing the initial IPSec transport connection.
The most likely reason for a failure at this stage is an incorrect
or invalid certificate. The same
problems that can occur with any other type of IPSec connection
can also occur with an L2TP road
warrior. However, because the vast majority of parameter values are predefined, it is unlikely that an IPSec protocol error other than a certificate problem will occur.
First of all, verify the correct certificate is installed using the
Microsoft MMC tool. There must be a CA
certificate, as well as a host certificate, present in the system.
Also verify the certificate is within its
valid time window. If the certificate is newly created, and the
time is set incorrectly by only an hour or
so, the connection will be refused because the certificate is not
valid. MMC has facilities for verifying
that a host certificate is recognized as being valid.
Note that the error messages produced by the L2TP client can
be somewhat strange. Modem not
responding can mean that there was an IPSec certificate error,
for instance. Check the IPSec logs
first when looking for causes of problems. As a last resort, you
can also enable debug logging on the
Windows client.
Enabling L2TP Debugging
In a default configuration, Microsoft's L2TP client does not
produce any log files. This can make
diagnosing problems difficult if the logs on the Advanced
Firewall gateway are not sufficient for finding
the cause or causes of connection issues.
To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named 'EnableLogging'. Set the
value to 1 to enable logging, or 0 to
disable it. After changing this value, the VPN service must be
restarted. From the command line:
net stop policyagent
followed by:
net start policyagent
The log file will be written to the Debug folder of the Windows system directory:
%SystemRoot%\Debug\Oakley.log
The following URL is Microsoft's own guide to debugging
L2TP connection problems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325034
Note: Smoothwall does not endorse manually editing the
registry. Incorrectly altering registry values
may result in registry corruption and render the computer
unusable.
Windows Networking Issues
In order to facilitate network browsing under Microsoft
Windows across the VPN, it is necessary to
make sure both ends of the tunnel are properly configured.
In small, single subnet Windows networks, network browsing is
facilitated via network broadcasts.
In these small networks, network neighborhood will just work
without any configuration required. If a
road warrior were to connect in, though, it would be unable to
browse the network unless the
administrator has configured the network to enable it. This is
because network broadcasts do not
normally cross network boundaries, such as routers and VPNs.
This problem is exactly what Windows network administrators
experience when connecting two or
more subnets via a router. If you are familiar with setting up
multiple subnets of Windows machines,
then the problem to be solved is the same.
In the case of road warrior connections, the details depend on
the client in use. The built in L2TP
client for Windows can be configured to accept WINS and DNS
server settings from the server.
These parameters are configured in the Global Settings page.
For inexperienced Windows administrators, the following notes
are provided to assist with
configuring your network to enable network browsing across the
VPN.
For NT networks, you will require a WINS server, normally
running on your PDC. This WINS server is
analogous to a DNS server for the Windows machines. Each of
your desktop machines and servers
should be configured to use the central WINS server in its
network properties box. Any road warriors
connecting in should also be set to use this WINS server. If this
is done then when they are connected
to the office network via the VPN, they should be able to
browse the office network, attach to printers
and shares, etc.
In more complex arrangements, such as two subnets of Windows
machines with a VPN between the
two, it is necessary to set-up either one WINS server and share
it between the subnets, or have one
on each and configure a replicating system between the two.
Again, the problem to be resolved is
identical to that which the administrator would face with two
normally routed networks.
Appendix C: Hosting
Tutorials
In this appendix:
• Basic Hosting Arrangement
• Extended Hosting Arrangement
• More Advanced Hosting Arrangement
Basic Hosting Arrangement
In this example, a DMZ has been configured with a network
address of 192.168.1.0/24, i.e. it
can support host IP addresses of 192.168.1.1 through to
192.168.1.254.
Within the DMZ there are two servers:
Web server .2 – This server will have an internal IP address of
192.168.1.2 and present an
external IP address of 216.1.1.2.
Mail server .3 – This server will have an internal IP address of
192.168.1.3 and present an
external IP address of 216.1.1.3.
To configure this scenario:
1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0
Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0
Comment: External Alias .3
2. Next, add the port forwards:
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.2
Destination IP: 192.168.1.2
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .2 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.3
Destination IP: 192.168.1.3
Source port: SMTP (25)
Destination port: SMTP (25)
Comment: Mail Server .3 SMTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.3
Destination IP: 192.168.1.3
Source port: POP3 (110)
Destination port: POP3 (110)
Comment: Mail Server .3 POP3
3. Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2
Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3
Comment: Mail Server .3
Extended Hosting Arrangement
In this example, a DMZ has been configured with a network
address of 192.168.1.0, i.e. it can
support host IP addresses of 192.168.1.1 through to
192.168.1.254.
Within the DMZ are three servers:
Web server .2 – This server will have an internal IP address of
192.168.1.2 and present an
external IP address of 216.1.1.2. It supports both HTTP and
HTTPS.
Web server .3 – This server will have an internal IP address of
192.168.1.3 and present an
external IP address of 216.1.1.3. It should only be accessible to
external hosts in the range
100.100.100.0/24 and 100.100.101.0/24.
Mail server .4 – This server will have an internal IP address of
192.168.1.4 and present an
external IP address of 216.1.1.4
To configure this scenario:
1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0
Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0
Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0
Comment: External Alias .4
2. Next, add the port forwards:
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.2
Destination IP: 192.168.1.2
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .2 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.2
Destination IP: 192.168.1.2
Source port: HTTPS (443)
Destination port: HTTPS (443)
Comment: Web Server .2 HTTPS
Protocol: TCP
External IP: 100.100.100.0/24
Source IP: 216.1.1.3
Destination IP: 192.168.1.3
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .3 HTTP
Protocol: TCP
External IP: 100.100.101.0/24
Source IP: 216.1.1.3
Destination IP: 192.168.1.3
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .3 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.4
Destination IP: 192.168.1.4
Source port: SMTP (25)
Destination port: SMTP (25)
Comment: Mail Server .4 SMTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.4
Destination IP: 192.168.1.4
Source port: POP3 (110)
Destination port: POP3 (110)
Comment: Mail Server .4 POP3
3. Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2
Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3
Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4
Comment: Mail Server .4
More Advanced Hosting Arrangement
In this example, a DMZ has been configured with a network
address of 192.168.1.0, i.e. it can
support host IP addresses of 192.168.1.1 through to
192.168.1.254.
A local private network, 192.168.10.0/24 contains 3 servers:
SQL Server .2 – Internal IP: 192.168.10.2
Mail Server [int] .3 – Internal IP: 192.168.10.3
Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP:
192.168.10.4, restricted
users.
A DMZ network, 192.168.1.0/24 contains 5 servers:
Web Server .2 – External IP: 216.1.1.2, Internal IP:
192.168.1.2, bridged to SQL Server
.2.
Web Server .3 – External IP: 216.1.1.3, Internal IP:
192.168.1.3.
Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP:
192.168.1.5, same physical
host as Virtual Web Server .6.
Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP:
192.168.1.5, same physical
host as Virtual Web Server .5.
Mail Server [ext. out] .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.6, for outgoing mail.
Mail Server [ext. in] – External IP: 216.1.1.7, Internal IP:
192.168.1.7, relaying to
Mail Server [int] .3.
To configure this scenario:
1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0
Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0
Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0
Comment: External Alias .4
Alias IP: 216.1.1.5 | Netmask: 255.255.255.0
Comment: External Alias .5
Alias IP: 216.1.1.6 | Netmask: 255.255.255.0
Comment: External Alias .6
Alias IP: 216.1.1.7 | Netmask: 255.255.255.0
Comment: External Alias .7
2. Next, add the port forwards:
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.2
Destination IP: 192.168.1.2
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .2 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.3
Destination IP: 192.168.1.3
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Web Server .3 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.4
Destination IP: 192.168.10.4
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Intranet Web Server .4 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.5
Destination IP: 192.168.1.5
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Virtual Web Server .5 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.6
Destination IP: 192.168.1.5
Source port: HTTP (80)
Destination port: HTTP (80)
Comment: Virtual Web Server .6 HTTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.7
Destination IP: 192.168.1.7
Source port: SMTP (25)
Destination port: SMTP (25)
Comment: Mail Server .7 SMTP
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.7
Destination IP: 192.168.1.7
Source port: POP3 (110)
Destination port: POP3 (110)
Comment: Mail Server .7 POP3
3. Next, add the zone bridges:
Source interface: Eth1
Destination interface: Eth2
Protocol: TCP
Source IP: 192.168.1.2
Destination IP: 192.168.10.2
Destination port: User defined, 3306
Comment: Web Server .2 to SQL Server .2
Source interface: Eth1
Destination interface: Eth2
Protocol: TCP
Source IP: 192.168.1.7
Destination IP: 192.168.10.3
Destination port: SMTP (25)
Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3
4. Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2
Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3
Comment: Web Server .3
Source IP: 192.168.10.4 | Alias IP: 216.1.1.4
Comment: Intranet Web Server .4
Source IP: 192.168.1.5 | Alias IP: 216.1.1.5
Comment: Virtual Web Server .5 & .6
Source IP: 192.168.1.6 | Alias IP: 216.1.1.6
Comment: Mail Server [ext. out] .6
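The three hosting arrangements above are expressed as the Smoothwall GUI's records: external aliases, port forwards, zone bridges and source mappings. Since the product implements its firewall with iptables, the following added example renders such records as the equivalent ip and iptables-restore rules so the effect of each field is visible. It is not the product's own rule generator: the interface names eth0 (red), eth1 (DMZ) and eth2 (local), the reading of a port forward's External IP field as the permitted source range (blank meaning any source, as the Extended example uses it) and the rule layout are assumptions, and the records are constructed from the Basic and Extended examples, including the source-restricted forwards for Web Server .3.

```python
"""Render Smoothwall-style hosting records as iptables rules. Added example,
not the product's own generator; interface names, the meaning of the External
IP field and the rule layout are assumptions, and the records are constructed
from the Basic and Extended hosting tutorials."""

RED, DMZ, LOCAL = "eth0", "eth1", "eth2"   # assumed interface names: red/WAN, DMZ, local
ANY = "<BLANK>"                             # the GUI's empty External IP field = any source

ALIASES = [("216.1.1.2", "255.255.255.0"), ("216.1.1.3", "255.255.255.0")]
FORWARDS = [
    # (protocol, permitted source, alias the traffic arrives on, DMZ host, port, comment)
    ("tcp", ANY, "216.1.1.2", "192.168.1.2", 80, "Web Server .2 HTTP"),
    ("tcp", "100.100.100.0/24", "216.1.1.3", "192.168.1.3", 80, "Web Server .3 HTTP"),
    ("tcp", "100.100.101.0/24", "216.1.1.3", "192.168.1.3", 80, "Web Server .3 HTTP"),
    ("tcp", ANY, "216.1.1.3", "192.168.1.3", 25, "Mail Server .3 SMTP"),
]
BRIDGES = [(DMZ, LOCAL, "tcp", "192.168.1.2", "192.168.10.2", 3306, "Web Server .2 to SQL Server .2")]
SOURCE_MAPS = [("192.168.1.2", "216.1.1.2"), ("192.168.1.3", "216.1.1.3")]


def netmask_to_prefix(mask):
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def alias_cmds(aliases=ALIASES, dev=RED):
    """An external alias is simply an additional address on the red interface."""
    return [f"ip addr add {ip}/{netmask_to_prefix(mask)} dev {dev}" for ip, mask in aliases]


def forward_rules(forwards=FORWARDS):
    """A port forward is a DNAT in nat/PREROUTING plus an ACCEPT in filter/FORWARD.
    The source restriction is applied to both, so a host outside the permitted
    range is neither translated nor forwarded. FORWARD sees the post-DNAT address."""
    nat, flt = [], []
    for proto, src, alias, dst, port, comment in forwards:
        src_match = "" if src == ANY else f" -s {src}"
        nat.append(f"-A PREROUTING -i {RED}{src_match} -d {alias} -p {proto} --dport {port} "
                   f'-m comment --comment "{comment}" -j DNAT --to-destination {dst}:{port}')
        flt.append(f"-A FORWARD -i {RED}{src_match} -d {dst} -p {proto} --dport {port} "
                   f'-m conntrack --ctstate NEW -m comment --comment "{comment}" -j ACCEPT')
    return nat, flt


def bridge_rules(bridges=BRIDGES):
    """A zone bridge opens one DMZ host to one internal host on one port, nothing more."""
    return [f"-A FORWARD -i {i} -o {o} -s {src} -d {dst} -p {proto} --dport {port} "
            f'-m conntrack --ctstate NEW -m comment --comment "{comment}" -j ACCEPT'
            for i, o, proto, src, dst, port, comment in bridges]


def source_map_rules(maps=SOURCE_MAPS):
    """A source mapping makes the DMZ host's own outbound traffic leave from its
    alias rather than the red interface's primary address (SNAT in nat/POSTROUTING)."""
    return [f"-A POSTROUTING -o {RED} -s {src} -j SNAT --to-source {alias}" for src, alias in maps]


def render():
    """Assemble an iptables-restore file. FORWARD defaults to DROP so that only the
    explicit forwards and bridges, plus replies to them, pass between zones."""
    nat, flt = forward_rules()
    lines = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    lines += nat + source_map_rules() + ["COMMIT", "*filter", ":FORWARD DROP [0:0]",
                                         "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += flt + bridge_rules() + ["COMMIT"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("\n".join(alias_cmds()))
    print(render())
```

Run it and feed the output to iptables-restore on a test box to see the GUI records as kernel rules; note that the source restriction must appear on the FORWARD rule as well as the DNAT, otherwise a broader ACCEPT later in FORWARD would let the translated traffic through regardless of the External IP field.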
Glossary
Numeric
2-factor authentication Authentication that requires two different kinds of credential: something you know (a PIN or password) used together with something you have (a token). Access is only granted when both are presented.
3DES A triple strength version of the DES cryptographic standard, usually using a 168-bit key (three 56-bit DES keys; effective strength about 112 bits).
A
Acceptable Use Policy See AUP
Access control The process of preventing unauthorized access to
computers, programs,
processes, or systems.
Active Directory Microsoft directory service for organizations.
It contains information about
organizational units, users and computers.
ActiveX A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
AES Advanced Encryption Standard
A method of encryption selected by NIST as a replacement for
DES and
3DES. AES supports key lengths of 128-bit, 192-bit and 256-
bit. AES
provides high security with fast performance across multiple
platforms.
AH Authentication Header
Forms part of the IPSec tunnelling protocol suite. AH sits
between the IP
header and datagram payload to maintain information integrity,
but not
secrecy.
Algorithm In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
Alias or External Alias
In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP Address Resolution Protocol
A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP Acceptable Use Policy
An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization both for business and personal use.
Authentication The process of verifying identity or authorization.
B
Bandwidth Bandwidth is the rate at which data can be carried from one point to another. Measured in bits per second (bps), or multiples such as Kbps and Mbps.
BIN A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by attackers to execute malicious code.
C
CA Certificate Authority
A trusted network entity, responsible for issuing and managing X.509 digital certificates.
Certificate A digital certificate is a file that uniquely identifies
its owner. A certificate
contains owner identity information and its owner's public key.
Certificates
are created by CAs.
Cipher A cryptographic algorithm.
Ciphertext Encrypted data which cannot be understood by
unauthorized parties.
Ciphertext is created from plain text using a cryptographic
algorithm.
Client Any computer or program connecting to, or requesting
the services of,
another computer or program.
Cracker A malicious hacker.
Cross-Over Cable A network cable with TX and RX (transmit
and receive) reversed at either
end to provide a direct peer-to-peer network connection.
Cryptography The study and use of methods designed to make
information unintelligible.
D
Default Gateway The gateway in a network that will be used to access another network if no more specific route is configured.
Denial of Service Occurs when a network host is flooded with large numbers of automatically generated data packets or requests. The receiving host typically slows to a halt while it attempts to respond to each request.
DER Distinguished Encoding Rules
A certificate format typically used by Windows operating systems.
DES Data Encryption Standard
A historical block cipher with a 64-bit block and a 56-bit key, still found in legacy systems. DES has been withdrawn as a standard by the US government agency NIST.
DHCP Dynamic Host Configuration Protocol
A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up A telephone based, non-permanent network connection, established using a modem.
DMZ Demilitarized Zone
An additional separate subnet, isolated as much as possible from protected networks.
DNS Domain Name System
A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP A non-permanent IP address automatically assigned to a host by a DHCP server.
Dynamic token A device which generates one-time passwords based on a challenge/response procedure.
E
Egress filtering The control of traffic leaving your network.
Encryption The transformation of plaintext into a less readable
form (called ciphertext)
through a mathematical process. A ciphertext may be read by
anyone who
has the key to decrypt (undoes the encryption) it.
ESP Encapsulating Security Payload
A protocol within the IPSec protocol suite that provides
encryption services
for tunnelled data.
Exchange Server A Microsoft messaging system including mail
server, email client and
groupware applications (such as shared calendars).
Exploit Code or a technique that takes advantage of a hardware or software vulnerability to gain access to a system or service.
F
Filter A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS Federal Information Processing Standards. See NIST.
Firewall A combination of hardware and software used to control access to private network resources.
G
Gateway A network point that acts as an entrance to another network.
Green In Smoothwall terminology, green identifies the protected network.
H
Hacker A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
Host A computer connected to a network.
Hostname A name used to identify a network host.
HTTP Hypertext Transfer Protocol
The set of rules for transferring files on the World Wide Web.
HTTPS A secure version of HTTP using SSL/TLS.
Hub A simple network device for connecting networks and network hosts.
I
ICMP Internet Control Message Protocol
One of the core protocols of the Internet protocol suite. It is
chiefly used by
networked computers' operating systems to send error messages
indicating, for example, that a requested service is not available
or that a
host or router could not be reached.
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
IP Address A 32-bit number that identifies each sender and
receiver of network data.
IPtables: The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
IPSec (Internet Protocol Security): An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
IPSec Passthrough: A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.
ISP: An Internet Service Provider provides Internet connectivity.
Key: A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel: The core part of an operating system that provides services to all other parts of the operating system.
Key space: The set of all possible values for a key, and by extension its size. For a key of n bits the key space holds 2^n keys, so a 128-bit key has 2^128 possibilities; each extra bit of key length doubles the key space and the work of a brute-force search.
L2F (Layer 2 Forwarding): A VPN tunnelling protocol developed by Cisco Systems.
L2TP (Layer 2 Tunneling Protocol): A tunnelling protocol that combines features of Microsoft PPTP and Cisco Systems L2F. L2TP provides no encryption of its own, so it is normally run inside IPSec (L2TP/IPSec).
LAN (Local Area Network): A network between hosts in a similar, localized geography.
Leased Lines (or private circuits): A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
Lockout: A method to stop an unauthorized attempt to gain access to a computer; for example, a three-try limit when entering a password, after which the system locks out the account.
MAC Address (Media Access Control address): The hardware identifier of a NIC, intended to be unique.
MX Record (Mail eXchange): An entry in a domain name database that specifies an email server to handle a domain name's email.
NAT-T (Network Address Translation Traversal): A VPN gateway feature that circumvents the problems NAT causes for IPSec by encapsulating ESP in UDP. It is a more effective solution than IPSec Passthrough.
NIC: Network Interface Card.
NIST (National Institute of Standards and Technology): NIST produces security and cryptography related standards and publishes them as FIPS documents.
NTP (Network Time Protocol): A protocol for synchronizing a computer's system clock by querying NTP servers.
OU: An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.
Password: A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM (Privacy Enhanced Mail): A popular Base64-encoded text format for certificates and keys.
Perfect Forward Secrecy: A property of a key-establishment protocol: each session key is derived from fresh, ephemeral key material, so compromise of a long-term key (or of the key currently in use) does not expose previously recorded VPN communications.
PFS: See Perfect Forward Secrecy.
Phase 1: Phase 1 of the two-phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.
Phase 2: Phase 2 of the two-phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.
Ping: A program used to verify that a specific IP address can be reached from another.
PKCS#12 (Public Key Cryptography Standards #12): A portable container file format for transporting certificates and private keys.
PKI (Public Key Infrastructure): A framework that provides for trusted third party vetting of, and vouching for, user identities, and for binding public keys to users. The public keys are typically carried in certificates.
Plaintext: Data that has not been encrypted, or ciphertext that has been decrypted.
Policy: Contains content filters and, optionally, time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization.
Port: A service connection point on a computer system, numerically identified between 0 and 65535. Port 80 is the HTTP port.
Port Forward: A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunnelling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router; each forward is therefore a deliberate hole in the inbound policy and should be limited to the ports and hosts that need it.
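The iptables rules that a port forward (inbound) and an egress filter (outbound) come down to, as an added example written for this page; it is not the Smoothwall guide's own code nor what the Smoothwall GUI generates. It assumes the lab layout from the introduction with eth0 as the red interface on 100.100.0.0/24 and eth1 as the green interface on 192.168.1.0/24 (the interface names, the 100.100.0.1 external address and the 192.168.1.10 web server are assumptions). The functions print the rules rather than applying them, so the complete rule set can be reviewed before it is run as root on the firewall.

```shell
#!/bin/sh
# Added example, not from the Smoothwall guide: the iptables rules behind a
# Smoothwall-style port forward and egress filter. Interface names and
# addresses are assumptions based on the lab description (red = external,
# green = enterprise). Rules are printed, not applied, so they can be reviewed.

RED_IF="eth0"            # assumed external (red) interface
GREEN_IF="eth1"          # assumed internal (green) interface
GREEN_NET="192.168.1.0/24"

# port_forward EXT_IP EXT_PORT INT_IP INT_PORT [PROTO]
# A port forward needs two rules: a DNAT in the nat PREROUTING chain that
# rewrites the destination, and an explicit FORWARD accept for the rewritten
# flow (the FORWARD chain's default policy is DROP, see base_policy).
port_forward() {
    ext_ip=$1; ext_port=$2; int_ip=$3; int_port=$4; proto=${5:-tcp}
    printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$RED_IF" "$proto" "$ext_ip" "$ext_port" "$int_ip" "$int_port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$RED_IF" "$GREEN_IF" "$proto" "$int_ip" "$int_port"
}

# egress_allow PROTO PORT
# Allow one outbound service from the green network to red. Anything not
# listed this way is dropped by the tail of the FORWARD chain.
egress_allow() {
    proto=$1; port=$2
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$GREEN_IF" "$RED_IF" "$GREEN_NET" "$proto" "$port"
}

# base_policy
# Default-deny forwarding, accept replies to connections already allowed, and
# source-map (masquerade) green hosts behind the red address on the way out.
base_policy() {
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$RED_IF"
}

# base_tail
# Log (rate-limited) and drop whatever no earlier rule accepted, in both
# directions. This is the "deny all unauthorized traffic" stance of the lab.
base_tail() {
    echo 'iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    echo 'iptables -A FORWARD -j DROP'
}

# ruleset
# Complete rule set: expose one internal web server on the red address, and
# let the enterprise network out only for DNS and HTTPS.
ruleset() {
    base_policy
    port_forward 100.100.0.1 80 192.168.1.10 80 tcp
    egress_allow udp 53
    egress_allow tcp 443
    base_tail
}

ruleset
```

Order matters: the ESTABLISHED,RELATED accept must come before the per-service rules, and the LOG/DROP pair must be last, because iptables evaluates a chain top to bottom and stops at the first terminating target. Once reviewed, the output can be applied with `ruleset | sudo sh` on the firewall.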
PPP (Point-to-Point Protocol): Used to communicate between two computers via a serial interface.
PPTP (Point-to-Point Tunnelling Protocol): A widely used Microsoft tunnelling standard deemed to be relatively insecure.
Private Circuits: See Leased Lines.
Private Key: The secret half of a public/private key pair, known only to its owner. It decrypts messages encrypted with the corresponding public key and creates digital signatures that anyone holding the public key can verify.
Protocol: A formal specification of a means of computer communication.
Proxy: An intermediary server that mediates access to a service.
PSK (Pre-Shared Key): An authentication mechanism in which both ends are configured with the same secret beforehand and each proves knowledge of it during tunnel negotiation; the secret itself is never sent over the network.
Public Key: The publicly available half of a key pair. It encrypts messages that only the owner's private key can decrypt, and verifies signatures made with that private key; a public key can therefore be used to send a private message to its owner.
PuTTY: A free SSH and Telnet client for Windows.
QOS (Quality of Service): In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.
RAS (Remote Access Server): A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.
Red: In Smoothwall terminology, red identifies the unprotected network (typically the Internet).
RIP (Routing Information Protocol): A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.
Road Warrior: An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.
Route: A path from one network point to another.
Routing Table: A table used to provide directions to other networks and hosts.
Rules: In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.
Security policy: A collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.
Server: In general, a computer that provides shared resources to network users.
SIP (Session Initiation Protocol): A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.
Single Sign-On (SSO): The ability to log in to multiple computers or servers in a single action by entering a single password.
Site-To-Site: A network connection between two LANs, typically between two business sites. Usually uses a static IP address.
Smart card: A device which contains the credentials for authentication to any device that is smart card-enabled.
Spam: Junk email, usually unsolicited.
SQL Injection: An attack in which input supplied through a web application (for example a form field in a browser) is placed unescaped into a database query, letting the attacker execute SQL statements of their choosing against the back-end database.
Squid: A high performance proxy caching server for web clients.
SSH (Secure Shell): An encrypted protocol, and the command-line client for it, used to securely access a remote computer.
SSL: A cryptographic protocol which provides secure communications on the Internet. Its successor is TLS; the name SSL is commonly used for both.
SSL VPN: A VPN accessed via HTTPS from (in theory) any browser. SSL VPNs require minimal client configuration.
Strong encryption: A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.
Subnet: An identifiably separate part of an organization's network.
Switch: An intelligent cable junction device that links networks and network hosts together, forwarding each frame only to the port of its destination.
Syslog: A server used by other hosts to remotely record logging information.
Triple DES (3-DES) Encryption: A method of data encryption which runs DES three times with two or three encryption keys. Triple-DES is substantially stronger than DES, but slow, and it has since been deprecated in favour of AES.
Tunneling: The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.
User name / user ID: A unique name by which each user is known to the system.
VPN (Virtual Private Network): A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.
VPN Gateway: An endpoint used to establish, manage and control VPN connections.
X509: The standard format for public key certificates. As an authentication method, each side presents a certificate issued by a trusted CA and proves possession of the matching private key, which guarantees authenticity.
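How the PKI, PEM, PKCS#12 and X509 entries fit together, as an added example written for this page rather than taken from the Smoothwall guide: it builds a small certificate authority with the openssl command-line tool, issues an X.509 certificate for the firewall, exports key, certificate and CA chain as a PKCS#12 bundle, and checks that the certificate verifies against the issuing CA but not against an unrelated one. The names (Lab CA, firewall.lab.example, Rogue CA) and the export password are made up for the illustration; the keys are written unencrypted (-nodes) only to keep the demo non-interactive.

```shell
#!/bin/sh
# Added example, not from the Smoothwall guide: a throwaway PKI built with
# openssl. Names and the password are assumptions made for this demo.
set -u

# make_lab_pki DIR
# Creates a self-signed CA, issues an end-entity certificate from a CSR, and
# exports key + certificate + CA chain into a PKCS#12 container.
make_lab_pki() {
    dir=$1
    # 1. CA: a self-signed root certificate and its private key (PEM files).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Lab CA" >/dev/null 2>&1 || return 1
    # 2. End-entity key and certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/fw.key" -out "$dir/fw.csr" \
        -subj "/CN=firewall.lab.example" >/dev/null 2>&1 || return 1
    # 3. The CA signs the CSR; the signed binding of name to public key is
    #    the X.509 certificate.
    openssl x509 -req -in "$dir/fw.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/fw.crt" >/dev/null 2>&1 || return 1
    # 4. PKCS#12 export: private key, certificate and CA chain in one
    #    password-protected file, the form a VPN road warrior would import.
    openssl pkcs12 -export -inkey "$dir/fw.key" -in "$dir/fw.crt" \
        -certfile "$dir/ca.crt" -out "$dir/fw.p12" \
        -passout pass:labpass >/dev/null 2>&1 || return 1
}

# verify_cert CA_CERT CERT
# Succeeds only if CERT chains to CA_CERT; a certificate from any other CA,
# or a tampered one, fails verification.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# open_bundle P12 PASSWORD
# Succeeds only if the PKCS#12 MAC checks out under PASSWORD.
open_bundle() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Demo run: a certificate issued by the lab CA verifies against it, an
# unrelated "Rogue CA" rejects it, and the bundle opens with its password.
work=$(mktemp -d)
make_lab_pki "$work"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$work/rogue.key" -out "$work/rogue.crt" \
    -subj "/CN=Rogue CA" >/dev/null 2>&1
if verify_cert "$work/ca.crt" "$work/fw.crt"; then echo "fw.crt chains to Lab CA"; fi
if ! verify_cert "$work/rogue.crt" "$work/fw.crt"; then echo "fw.crt rejected by Rogue CA"; fi
if open_bundle "$work/fw.p12" labpass; then echo "fw.p12 opens with the export password"; fi
rm -rf "$work"
```

The negative check is the one worth keeping in mind: trust comes from the CA certificate installed on the verifying side, so a certificate with the right name but signed by a CA the firewall does not trust is rejected, which is exactly what X509 authentication for a VPN tunnel relies on.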
Advanced Firewall Administration Guide, table of contents:

About This Guide: Audience and Scope; Organization and Use; Conventions; Related Documentation

1 Introduction: Overview of Advanced Firewall; Annual Renewal

2 Advanced Firewall Overview: Accessing Advanced Firewall; Dashboard; Logs and reports; Reports; Alerts; Realtime; Logs; Settings; Networking; Filtering; Routing; Interfaces; Firewall; Outgoing; Settings; Services; Authentication; User Portal; Proxies; SNMP; DNS; Message Censor; Intrusion System; DHCP; System; Maintenance; Central Management; Preferences; Administration; Hardware; Diagnostics; Certificates; VPN; Configuration Guidelines; Specifying Networks, Hosts and Ports; Using Comments; Creating, Editing and Removing Rules; Connecting via the Console; Connecting Using a Client; Secure Communication; Unknown Entity Warning; Inconsistent Site Address

3 Working with Interfaces: Configuring Global Settings for Interfaces; Connecting Using an Internet Connectivity Profile; Connecting Using a Static Ethernet Connectivity Profile; Connecting using a DHCP Ethernet Connectivity Profile; Connecting using a PPP over Ethernet Connectivity Profile; Connecting using a PPTP over Ethernet Connectivity Profile; Connecting using an ADSL/DSL Modem Connectivity Profile; Connecting using an ISDN Modem Connectivity Profile; Connecting Using a Dial-up Modem Connectivity Profile; Creating a PPP Profile; Modifying Profiles; Deleting Profiles; Working with Bridges; Creating Bridges; Editing Bridges; Deleting Bridges; Working with Bonded Interfaces; Creating Bonds; Editing Bonds; Deleting Bonds; Configuring IP Addresses; Adding an IP Address; Editing an IP Address; Deleting an IP Address; Virtual LANs; Creating a VLAN; Editing a VLAN; Deleting a VLAN

4 Managing Your Network Infrastructure: Creating Subnets; Editing and Removing Subnet Rules; Using RIP; Sources; Creating Source Rules; Removing a Rule; Editing a Rule; About IP Address Definitions; Ports; Creating a Ports Rule; Creating an External Alias Rule; Editing and Removing External Alias Rules; Port Forwards from External Aliases; Creating a Source Mapping Rule; Editing and Removing Source Mapping Rules; Working with Secondary External Interfaces; Configuring a Secondary External Interface; Using DHCP; Enabling DHCP; Creating a DHCP Subnet; Editing a DHCP subnet; Deleting a DHCP subnet; Adding a Dynamic Range; Adding a Static Assignment; Adding a Static Assignment from the ARP Table; Editing and Removing Assignments; Viewing DHCP Leases; DHCP Relaying; Creating Custom DHCP Options

5 General Network Security Settings: Blocking by IP; Creating IP Blocking Rules; Editing and Removing IP Block Rules; Configuring Advanced Networking Features; Working with Port Groups; Creating a Port Group; Adding Ports to Existing Port Groups; Editing Port Groups; Deleting a Port Group

6 Configuring Inter-Zone Security: About Zone Bridging Rules; Creating a Zone Bridging Rule; Editing and Removing Zone Bridge Rules; A Zone Bridging Tutorial; Creating the Zone Bridging Rule; Allowing Access to the Web Server; Accessing a Database on the Protected Network; Group Bridging; Group Bridging and Authentication; Creating Group Bridging Rules; Editing and Removing Group Bridges

7 Managing Inbound and Outbound Traffic: Introduction to Port Forwards – Inbound Security; Port Forward Rules Criteria; Creating Port Forward Rules; Load Balancing Port Forwarded Traffic; Editing and Removing Port Forward Rules; Advanced Network and Firewall Settings; Network Application Helpers; Managing Bad External Traffic; Configuring Reflective Port Forwards; Managing Connectivity Failback; Managing Outbound Traffic and Services; Working with Port Rules; Working with Outbound Access Policies; Managing External Services

8 Virtual Private Networking: Advanced Firewall VPN Features; What is a VPN?; About VPN Gateways; Administrator Responsibilities; About VPN Authentication; PSK Authentication; X509 Authentication; Configuration Overview; Working with Certificate Authorities and Certificates; Creating a CA; Exporting the CA Certificate; Importing Another CA's Certificate; Deleting the Local Certificate Authority and its Certificate; Deleting an Imported CA Certificate; Managing Certificates; Creating a Certificate; Reviewing a Certificate; Exporting Certificates; Exporting in the PKCS#12 Format; Importing a Certificate; Deleting a Certificate; Setting the Default Local Certificate; Site-to-Site VPNs – IPSec; Recommended Settings; Creating an IPsec Tunnel; IPSec Site to Site and X509 Authentication – Example; Prerequisite Overview; Creating the Tunnel on the Primary System; Creating the Tunnel on the Secondary System; Checking the System is Active; Activating the IPSec tunnel; IPSec Site to Site and PSK Authentication; Creating the Tunnel Specification on Primary System; Creating the Tunnel Specification on the Secondary System; Checking the System is Active; Activating the PSK tunnel; About Road Warrior VPNs; Configuration Overview; IPSec Road Warriors; Creating an IPSec Road Warrior; Supported IPSec Clients; Creating L2TP Road Warrior Connections; Creating a Certificate; Configuring L2TP and SSL VPN Global Settings; Creating an L2TP Tunnel; Configuring an iPhone-compatible Tunnel; Using NAT-Traversal; VPNing Using L2TP Clients; L2TP Client Prerequisites; Connecting Using Windows XP/2000; Installing an L2TP Client; VPNing with SSL; Prerequisites; Configuring VPN with SSL; Managing SSL Road Warriors; Managing Group Access to SSL VPNs; Managing Custom Client Scripts for SSL VPNs; Generating SSL VPN Archives; Configuring SSL VPN on Internal Networks; Configuring and Connecting Clients; VPN Zone Bridging; Secure Internal Networking; Creating an Internal L2TP VPN; Advanced VPN Configuration; Multiple Local Certificates; Creating Multiple Local Certificates; Public Key Authentication; Configuring Both Ends of a Tunnel as CAs; VPNs between Business Partners; Extended Site to Site Routing; Managing VPN Systems; Automatically Starting the VPN System; Manually Controlling the VPN System; Viewing and Controlling Tunnels; VPN Logging; VPN Tutorials; Example 1: Preshared Key Authentication; Example 2: X509 Authentication; Example 3: Two Tunnels and Certificate Authentication; Example 4: IPSec Road Warrior Connection; Example 5: L2TP Road Warrior; Working with SafeNet SoftRemote; Configuring IPSec Road Warriors; Using the Security Policy Template SoftRemote; Creating a Connection without the Policy File; Advanced Configuration

9 Authentication and User Management: Configuring Global Authentication Settings; About Directory Servers; Configuring a Microsoft Active Directory Connection; Configuring an LDAP Connection; Configuring a RADIUS Connection; Configuring an Active Directory Connection – Legacy Method; Configuring a Local Users Directory; Reordering Directory Servers; Editing a Directory Server; Deleting a Directory Server; Diagnosing Directories; Managing Local Users; Adding Users; Editing Local Users; Deleting Users; Managing Groups of Users; About Groups; Adding Groups; Editing Groups; Deleting Groups; Mapping Groups; Remapping Groups; Deleting Group Mappings; Managing Temporarily Banned Users; Creating a Temporary Ban; Removing Temporary Bans; Removing Expired Bans; Managing User Activity; Viewing User Activity; Logging Users Out; Banning Users; About SSL Authentication; Customizing the SSL Login Page; Reviewing SSL Login Pages; Configuring SSL Login; Creating SSL Login Exceptions; Managing Kerberos Keytabs; Adding Keytabs; Managing Keytabs

10 Centrally Managing Smoothwall Systems: About Centrally Managing Smoothwall Systems; Pre-requirements; Setting up a Centrally Managed Smoothwall System; Configuring the Parent Node; Configuring Child Nodes; Adding Child Nodes to the System; Editing Child Node Settings; Deleting Nodes in the System; Managing Nodes in a Smoothwall System; Monitoring Node Status; Accessing the Node Details Page; Working with Updates; Rebooting Nodes; Disabling Nodes; Using BYOD in a Centrally Managed System

Appendix A: User Authentication: Overview; Verifying User Identity Credentials; About Authentication Mechanisms; Other Authentication Mechanisms; Choosing an Authentication Mechanism; About the Login Time-out; Advanced Firewall and DNS; A Common DNS Pitfall; Working with Large Directories; Active Directory; Active Directory Username Types; Accounts and NTLM Identification; About Kerberos; Kerberos Pre-requisites and Limitations; Troubleshooting

Appendix B: Troubleshooting VPNs: Site-to-site Problems; L2TP Road Warrior Problems; Enabling L2TP Debugging; Windows Networking Issues

Appendix C: Hosting Tutorials: Basic Hosting Arrangement; Extended Hosting Arrangement; More Advanced Hosting Arrangement

Glossary

Index

More Related Content

PPT
Unix Web servers and FireWall
PPT
Unix Web servers and FireWall
PDF
Host Based Security Best Practices
DOCX
Backtrack Manual Part4
PDF
Activity 5
PDF
Placing backdoors-through-firewalls
PPTX
PPT ON CYBER SECURITY FRAMEWORK & CYBER AUDITING IN CRPF .pptx
DOCX
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
Unix Web servers and FireWall
Unix Web servers and FireWall
Host Based Security Best Practices
Backtrack Manual Part4
Activity 5
Placing backdoors-through-firewalls
PPT ON CYBER SECURITY FRAMEWORK & CYBER AUDITING IN CRPF .pptx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx

Similar to INFA 620Lab 4 Firewall.docx (20)

PDF
07_04_2023_33676344534444567643345667.pdf
DOC
It04 roshan basnet
ODP
Ubuntu getting started
PPTX
6 th
PPT
Unix Web servers and FireWall
PDF
26.1.7 lab snort and firewall rules
PDF
Configuration Firewalld On CentOS 8
PDF
Dumpscafe Exam CompTIA-XK0-005 Free demo
DOC
Taishaun_OwnensCNS-533_Lab
PDF
Tutorial mikrotik step by step
DOCX
Citrix command lines
PDF
Blockchain Hyperledger Lab
PDF
Bsd routers
PDF
Nat mikrotik
PPT
Netdefender
PPT
Net Defender
PDF
snortinstallguide
PPTX
Operating system security
PDF
50357 a enu-labmanual01
ODT
Kioptrix 2014 5
07_04_2023_33676344534444567643345667.pdf
It04 roshan basnet
Ubuntu getting started
6 th
Unix Web servers and FireWall
26.1.7 lab snort and firewall rules
Configuration Firewalld On CentOS 8
Dumpscafe Exam CompTIA-XK0-005 Free demo
Taishaun_OwnensCNS-533_Lab
Tutorial mikrotik step by step
Citrix command lines
Blockchain Hyperledger Lab
Bsd routers
Nat mikrotik
Netdefender
Net Defender
snortinstallguide
Operating system security
50357 a enu-labmanual01
Kioptrix 2014 5
Ad

More from jaggernaoma (20)

DOCX
Attached is a joint letter to Capitol Hill to advocate for increased.docx
DOCX
Attached is a copy of an interview done with a Tribal member regardi.docx
DOCX
Attached Files Week 5 - trace IP Physical Location.rtf (38..docx
DOCX
Attached here is a psychology article I need to be summarized. Pleas.docx
DOCX
Attached Files News Analysis Sample.docxNews Analysis Sam.docx
DOCX
Attached Files  SOC-220_SOCIAL PROBLEMS PRESENTATION.docx
DOCX
Attached below you will find the series of 4 questions. This assignm.docx
DOCX
Attached below isWEEK 4 As always, include references. As alwa.docx
DOCX
Attached are two articles in one document. Write thoughtful resp.docx
DOCX
Attached are the instructions to the assignment.Written Assign.docx
DOCX
Attached are the instructions and rubric! Research Paper #2.docx
DOCX
Attached are the guidelines for the Expertise Sharing Project. M.docx
DOCX
Attached are the documents needed to complete the assignment. The in.docx
DOCX
Attached are the 3 documents1. Draft copy submitted2. Sam.docx
DOCX
attached are directions needed to complete this essay! Please make s.docx
DOCX
Attach is the checklist For this Assignment, write a 3 and half pa.docx
DOCX
Attach and submit the final draft of your Narrative Essay. Remember .docx
DOCX
Atomic Theory Scientists and Their ContributionsScientist .docx
DOCX
Atomic models are useful because they allow us to picture what is in.docx
DOCX
Atoms and Electrons AssignmentLook at these websites to he.docx
Attached is a joint letter to Capitol Hill to advocate for increased.docx
Attached is a copy of an interview done with a Tribal member regardi.docx
Attached Files Week 5 - trace IP Physical Location.rtf (38..docx
Attached here is a psychology article I need to be summarized. Pleas.docx
Attached Files News Analysis Sample.docxNews Analysis Sam.docx
Attached Files  SOC-220_SOCIAL PROBLEMS PRESENTATION.docx
Attached below you will find the series of 4 questions. This assignm.docx
Attached below isWEEK 4 As always, include references. As alwa.docx
Attached are two articles in one document. Write thoughtful resp.docx
INFA 620Lab 4 Firewall.docx

INFA 620 Lab 4: Firewall

Introduction

You are the Network Security Administrator for an organization. You are responsible for the configuration of a firewall that segregates the enterprise network from the external network. You will strategically allow authorized incoming and outgoing traffic while denying all unauthorized traffic.

In this lab, we are going to practice setting up a Smoothwall firewall in a UMUC remote lab. Smoothwall is a Linux kernel-based firewall. It has a rich graphical interface and it implements the firewall using UNIX/Linux iptables (see http://linux.die.net/man/8/iptables). The manual for the Smoothwall firewall can be found at http://www.smoothwall.com/media/114580/AdvancedFirewall-admin.pdf. The exercise does not require you to read the entire manual. We are going to experiment with the inbound and outbound traffic filtering aspects (Chapter 7) of the firewall.

The UMUC remote environment for this lab is shown in the figure below. Notice that the firewall/router separates the 100.100.0.X External network (virtual Internet) from the 198.168.1.x Enterprise machines. This firewall will be controlling the in- and out-bound traffic of the enterprise.

Designed and written by Jeffrey Karlan. INFA 620 Firewall Lab Manual, Copyright UMUC 2016.

Step by Step Instructions for Performing the Lab Activity

1) From the Virtual Machine screen, double click the console for Enterprise. Use root/aspring2013 credentials to log on to Enterprise. (Note: from the Jumpbox you can also remote to Enterprise. Double click VNC Viewer, enter remote host address 10.5.14.110, click Connect and use aspring2013 as the password. But the console login gives you more "real estate" and should be preferred.)
2) This is Enterprise (CentOS).
3) Double click Firewall GUI.
4) Supply Username and Password and click OK.
5) This is Firewall (Smoothwall).
6) Click Networking > Outgoing. This is where you will configure rules to allow or deny network traffic from our internal Enterprise network to the External Virtual Internet.
7) Notice that in the Interface Defaults section the current selection is "Blocked with Exceptions". This means that all traffic from the Enterprise network to the External network that is not explicitly allowed is implicitly denied. This method of administering a firewall is known as maintaining a "Whitelist". If we were to implicitly allow all network traffic except for explicitly denied protocols, that would be known as maintaining a "Blacklist". In network administration, maintaining a whitelist is considered best practice. Our Firewall has an interface on the Enterprise internal network known as the Green interface, and an interface on the External network known as the Red interface.
8) Minimize Smoothwall and return to the Enterprise desktop.
9) Double click Scripts > double click Traffic.
10) Each of the scripts in this folder simulates 5 packets of traffic using its named protocol from the Enterprise network to the External network.
11) Together we will enable HTTP traffic from Enterprise to External. HTTP is needed in order for users to browse websites on the internet. Double click Web Browser.
12) Click the + button to open a new tab.
13) In the browser bar type 100.100.0.100 > Enter. Firefox should be unable to connect: Firewall is implicitly denying HTTP traffic.
14) Minimize Firefox and return to the Desktop > Scripts > Traffic folder > double click HTTP.sh.
15) Select Run in Terminal.
16) Your output should look like this. We sent 5 packets to 100.100.0.100 and Firewall blocked them.
17) Maximize or reopen Firefox to return to Firewall. Click Networking > Outgoing.
18) In the "Add exception" area, leave Application as "User defined", type 80 at Port, and in Comment type "Allow HTTP to External". Leave the Enabled checkbox checked. Click Add.
19) Current exceptions should have this entry:
20) Open a new browser tab and go to 100.100.0.100 again. If this page came up, you successfully allowed HTTP traffic from the Enterprise network to External.
21) Return to the Enterprise desktop > Scripts > Traffic > double click http.sh > Run in Terminal.
22) Your output should now look like this. This means the HTTP packets successfully reached their destination at 100.100.0.100.
23) (50 Points) On your own you will now create 7 more rules on Firewall to allow the following protocols to reach the External network. Use the scripts in the Traffic folder to test each rule.
   a. DNS
   b. FTP
   c. HTTPS
   d. POP3
   e. RDP
   f. SMTP
   g. Telnet
24) There are services hosted on the Enterprise network that require access from the External network. Your Enterprise has a single public IP address, 100.100.0.1. By default Firewall blocks all incoming traffic on its public-facing interface. You will configure port forwarding to explicitly allow traffic on specific ports to reach destinations on the Enterprise network, while denying traffic on all other ports.
25) From the Virtual Machine screen, double click the console for External. Use root/aspring2013 credentials to log on to Enterprise. (Note: from the Jumpbox you can also remote to External. Double click VNC Viewer, enter remote host address 10.5.14.11, click Connect and use aspring2013 as the password. But the console login gives you more "real estate" and should be preferred.)
26) This is External (Kali Linux).
27) Double click the Web Browser on the desktop.
28) In the browser bar type infa620.umuc.com > Enter. The browser should not be able to display the webpage.
29) Return to the External desktop and open the Scripts folder > Traffic folder > HTTP.sh.
30) Select Run in Terminal.
31) Your output should look like this. Firewall is blocking traffic on port 80.
32) Get back to the Firewall GUI in the Enterprise (you may need to re-authenticate using root/aspring2013).
33) Select Networking > Incoming.
34) Enter Port: 80 and Destination IP: 192.168.1.20 > Comment: Allow Traffic on Port 80 to Webserver > leave the Enabled checkbox checked > click Add.
   [Comment by Chris J. Wade: It was not clear which was the source and which was the destination. SRC ports required and DST ports can be any]
35) Your current rule should look like this:
36) On External, open the web browser and go to web address infa620.umuc.com. If you see this page, you have successfully allowed External traffic access to your Enterprise webserver.
37) On the External desktop click Scripts > Traffic > http.sh > Run in Terminal. Your output should look like this: This means that 5 packets successfully reached the webserver on the Enterprise network through Firewall.
38) Score (50) On your own you will now create 6 more port forwarding rules on Firewall to allow the following protocols to reach the proper address on the Internal network.
   a. FTP – 192.168.1.30
   b. DNS – 192.168.1.10
   c. HTTPS – 192.168.1.20
   d. POP3 – 192.168.1.30
   e. RDP – 192.168.1.10
   f. SMTP – 192.168.1.30
   g. Telnet – 192.168.1.10
   Use the scripts in the Traffic folder to test each rule. Test the functionality of your rule; for example, use the FTP.sh script (on External Desktop > Scripts > Traffic > FTP.sh) to test the FTP setup.
39) Your working firewall is configured, so you will export the firewall configuration to submit as proof of work. Please return to the Enterprise Desktop.
40) Scripts > Show iptables Firewall.sh > Run in Terminal > Password: > Enter > File > Save Contents ow
41) Name your file yourLastName_Initial_Firewall_Config.txt (example: Smith_b__Firewall_Config.txt) > Save to Desktop.
42) Places > INFA Share.
43) Drag your Firewall Config.txt to the INFA Share folder.
44) Return to the Jumpbox Desktop > click the INFA Share folder; your Firewall Config.txt should be in that folder.
45) Open Windows Explorer on the Jumpbox and locate the C drive of your local machine under "Other".
46) Drill down to C:\Users\yourname\Documents.
47) Drag the file from INFAShare on the Jumpbox to the Documents folder on your local machine. The screen below shows a file named readme, but it should be the Firewall Configuration file, Smith_b__Firewall_Config.txt in our case. Submit this file to your LEO Lab 4 folder.

INFA 620 Firewall Lab Manual, Copyright UMUC 2014.

"Have We Chosen the Right Employee?" Please respond to the following: Once an organization has recruited candidates and they are going through the application process, how do they select the right employee? There are a number of tools and assessments that are used in selecting candidates for any given role. Please respond to the following question:
• Out of all the selection assessments presented in the text, choose one (1) that you believe is most effective for selecting a candidate for any given role. List three (3) benefits for that assessment and describe why you believe each benefit would be appropriate for selecting the right employee. Next, give your opinion on the extent to which the use of technology in the selection process adds value to organizations, and provide at least one (1) example to support your answer.
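The two halves of the Lab 4 procedure above, the outgoing "Blocked with Exceptions" whitelist (steps 6 to 23) and the inbound port forwards to the Enterprise hosts (steps 24 to 38), modelled in Python as an added example that is not part of the lab manual or of Smoothwall's own code: it decides sample packets the way the lab's traffic scripts observe them, checks a rule set against the assignment, and renders the equivalent iptables commands in the spirit of the export in step 40. The port numbers are the standard IANA ones (the lab names only the protocols), DNS is modelled as UDP, and the interface names eth0/eth1 are assumptions; Smoothwall's real generated rule set is far more elaborate than this rendering.

```python
# Model of the Lab 4 Smoothwall policy: the outgoing whitelist (step 7) on the
# Green interface and the inbound port forwards (step 24) on the Red interface.
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard IANA ports for the protocols named in steps 23 and 38. The lab does
# not give the numbers; DNS is modelled as UDP here, which is an assumption.
WELL_KNOWN_PORTS: Dict[str, Tuple[int, str]] = {
    "FTP": (21, "tcp"), "Telnet": (23, "tcp"), "SMTP": (25, "tcp"),
    "DNS": (53, "udp"), "HTTP": (80, "tcp"), "POP3": (110, "tcp"),
    "HTTPS": (443, "tcp"), "RDP": (3389, "tcp"),
}
ENTERPRISE_PUBLIC_IP = "100.100.0.1"   # the single public address from step 24
GREEN_IF, RED_IF = "eth0", "eth1"      # assumed Linux names; the lab only says Green/Red
REQUIRED_OUTGOING = ["HTTP", "DNS", "FTP", "HTTPS", "POP3", "RDP", "SMTP", "Telnet"]
REQUIRED_FORWARDS = {                  # step 34 plus the step 38 assignment
    "HTTP": "192.168.1.20", "FTP": "192.168.1.30", "DNS": "192.168.1.10",
    "HTTPS": "192.168.1.20", "POP3": "192.168.1.30", "RDP": "192.168.1.10",
    "SMTP": "192.168.1.30", "Telnet": "192.168.1.10",
}
# dest_ip is only set on port forwards (the internal host the traffic is sent to).
Rule = namedtuple("Rule", "port proto comment dest_ip", defaults=(None,))


@dataclass
class FirewallPolicy:
    outgoing: Dict[Tuple[str, int], Rule] = field(default_factory=dict)
    forwards: Dict[Tuple[str, int], Rule] = field(default_factory=dict)

    def allow_outgoing(self, protocol: str, comment: str) -> None:
        port, proto = WELL_KNOWN_PORTS[protocol]
        self.outgoing[(proto, port)] = Rule(port, proto, comment)

    def add_port_forward(self, protocol: str, dest_ip: str, comment: str) -> None:
        port, proto = WELL_KNOWN_PORTS[protocol]
        self.forwards[(proto, port)] = Rule(port, proto, comment, dest_ip)

    def evaluate(self, direction, dst_ip, dst_port, proto="tcp") -> Tuple[str, Optional[str]]:
        """Decide one packet: ("ACCEPT", final destination IP) or ("DROP", None)."""
        key = (proto, dst_port)
        if direction == "out":        # Green -> Red
            # Whitelist: traffic without an explicit exception is implicitly denied.
            return ("ACCEPT", dst_ip) if key in self.outgoing else ("DROP", None)
        if direction == "in":         # Red -> Green
            # Only the public IP is reachable; a forward rewrites the destination
            # (DNAT) to the internal host, everything else is blocked.
            rule = self.forwards.get(key)
            if dst_ip == ENTERPRISE_PUBLIC_IP and rule is not None:
                return ("ACCEPT", rule.dest_ip)
            return ("DROP", None)
        raise ValueError(f"unknown direction {direction!r}")

    def to_iptables(self) -> List[str]:
        """Render the policy as iptables commands like those step 40 exports."""
        cmds = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for r in self.outgoing.values():
            cmds.append(f"iptables -A FORWARD -i {GREEN_IF} -o {RED_IF} -p {r.proto} "
                        f"--dport {r.port} -m comment --comment '{r.comment}' -j ACCEPT")
        for r in self.forwards.values():
            # The port matched is the inbound packet's DESTINATION port (the point
            # raised in the comment on step 34); the source port stays unconstrained.
            cmds.append(f"iptables -t nat -A PREROUTING -i {RED_IF} -d {ENTERPRISE_PUBLIC_IP} "
                        f"-p {r.proto} --dport {r.port} -j DNAT --to-destination {r.dest_ip}:{r.port}")
            cmds.append(f"iptables -A FORWARD -i {RED_IF} -o {GREEN_IF} -d {r.dest_ip} "
                        f"-p {r.proto} --dport {r.port} -m comment --comment '{r.comment}' -j ACCEPT")
        # Interface defaults: whatever no exception or forward matched is dropped.
        cmds.append(f"iptables -A FORWARD -i {GREEN_IF} -o {RED_IF} -j DROP")
        cmds.append(f"iptables -A FORWARD -i {RED_IF} -o {GREEN_IF} -j DROP")
        return cmds


def missing_rules(policy: FirewallPolicy) -> List[str]:
    """Check a policy against the assignment (steps 23 and 38); list what is still missing."""
    missing = []
    for name in REQUIRED_OUTGOING:
        port, proto = WELL_KNOWN_PORTS[name]
        if (proto, port) not in policy.outgoing:
            missing.append(f"outgoing {name}")
    for name, ip in REQUIRED_FORWARDS.items():
        port, proto = WELL_KNOWN_PORTS[name]
        rule = policy.forwards.get((proto, port))
        if rule is None or rule.dest_ip != ip:
            missing.append(f"forward {name} -> {ip}")
    return missing


def lab4_policy() -> FirewallPolicy:
    """The full rule set the lab asks for (steps 18, 23, 34 and 38)."""
    policy = FirewallPolicy()
    for name in REQUIRED_OUTGOING:
        policy.allow_outgoing(name, f"Allow {name} to External")
    for name, ip in REQUIRED_FORWARDS.items():
        policy.add_port_forward(name, ip, f"Allow {name} to {ip}")
    return policy


if __name__ == "__main__":
    print("missing:", missing_rules(lab4_policy()), "\n" + "\n".join(lab4_policy().to_iptables()))
```

Running missing_rules on a half-finished policy lists exactly the exceptions and forwards the traffic scripts would still report as blocked, which is a quicker check than rerunning all fifteen scripts.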
Unified Threat Management
Advanced Firewall Administration Guide

For future reference
Advanced Firewall serial number:
Date installed:
Smoothwall contact:

Smoothwall® Advanced Firewall, Administration Guide, October 2014

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Advanced Firewall. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: [email protected]

© 2001 – 2014 Smoothwall Ltd. All rights reserved.

Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project, http://openiconlibrary.sourceforge.net/

Address
Smoothwall Limited, 1 John Charles Way, Leeds, LS12 6QA, United Kingdom
Email: [email protected]
Web: www.smoothwall.net

Telephone
USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500

Fax
USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399

Contents

About This Guide ... 1
  Audience and Scope ... 1
  Organization and Use ... 1
  Conventions ... 2
  Related Documentation ... 2

Chapter 1 Introduction ... 3
  Overview of Advanced Firewall ... 3
  Annual Renewal ... 4

Chapter 2 Advanced Firewall Overview ... 5
  Accessing Advanced Firewall ... 5
  Dashboard ... 6
  Logs and reports ... 6
    Reports ... 7
    Alerts ... 7
    Realtime ... 8
    Logs ... 9
    Settings ... 9
  Networking ... 10
    Filtering ... 10
    Routing ... 10
    Interfaces ... 11
    Firewall ... 11
    Outgoing ... 12
    Settings ... 12
  Services ... 12
    Authentication ... 13
    User Portal ... 13
    Proxies ... 14
    SNMP ... 14
    DNS ... 14
    Message Censor ... 15
    Intrusion System ... 15
    DHCP ... 16
  System ... 16
    Maintenance ... 16
    Central Management ... 17
    Preferences ... 17
    Administration ... 17
    Hardware ... 18
    Diagnostics ... 18
    Certificates ... 18
  VPN ... 19
  Configuration Guidelines ... 19
    Specifying Networks, Hosts and Ports ... 19
    Using Comments ... 20
    Creating, Editing and Removing Rules ... 20
  Connecting via the Console ... 21
    Connecting Using a Client ... 21
  Secure Communication ... 22
    Unknown Entity Warning ... 22
    Inconsistent Site Address ... 23

Chapter 3 Working with Interfaces ... 25
  Configuring Global Settings for Interfaces ... 26
  Connecting Using an Internet Connectivity Profile ... 27
    Connecting Using a Static Ethernet Connectivity Profile ... 27
    Connecting using a DHCP Ethernet Connectivity Profile ... 29
    Connecting using a PPP over Ethernet Connectivity Profile ... 31
    Connecting using a PPTP over Ethernet Connectivity Profile ... 33
    Connecting using an ADSL/DSL Modem Connectivity Profile ... 35
    Connecting using an ISDN Modem Connectivity Profile ... 36
    Connecting Using a Dial-up Modem Connectivity Profile ... 38
  Creating a PPP Profile ... 40
    Modifying Profiles ... 41
    Deleting Profiles ... 41
  Working with Bridges ... 42
    Creating Bridges ... 42
    Editing Bridges ... 42
    Deleting Bridges ... 42
  Working with Bonded Interfaces ... 43
    Creating Bonds ... 43
    Editing Bonds ... 43
    Deleting Bonds ... 43
  Configuring IP Addresses ... 44
    Adding an IP Address ... 44
    Editing an IP Address ... 44
    Deleting an IP Address ... 44
  Virtual LANs ... 45
    Creating a VLAN ... 45
    Editing a VLAN ... 46
    Deleting a VLAN ... 46

Chapter 4 Managing Your Network Infrastructure ... 47
  Creating Subnets ... 47
    Editing and Removing Subnet Rules ... 48
  Using RIP ... 49
  Sources ... 51
    Creating Source Rules ... 51
    Removing a Rule ... 52
    Editing a Rule ... 52
    About IP Address Definitions ... 52
  Ports ... 52
    Creating a Ports Rule ... 53
  Creating an External Alias Rule ... 54
    Editing and Removing External Alias Rules ... 55
    Port Forwards from External Aliases ... 55
  Creating a Source Mapping Rule ... 55
    Editing and Removing Source Mapping Rules ... 56
  Working with Secondary External Interfaces ... 56
    Configuring a Secondary External Interface ... 57
  Using DHCP ... 59
    Enabling DHCP ... 59
    Creating a DHCP Subnet ... 60
    Editing a DHCP subnet ... 62
    Deleting a DHCP subnet ... 62
    Adding a Dynamic Range ... 62
    Adding a Static Assignment ... 63
    Adding a Static Assignment from the ARP Table ... 63
    Editing and Removing Assignments ... 64
    Viewing DHCP Leases ... 64
    DHCP Relaying ... 65
    Creating Custom DHCP Options ... 65

Chapter 5 General Network Security Settings ... 67
  Blocking by IP ... 67
    Creating IP Blocking Rules ... 67
    Editing and Removing IP Block Rules ... 69
  Configuring Advanced Networking Features ... 69
  Working with Port Groups ... 72
    Creating a Port Group ... 72
    Adding Ports to Existing Port Groups ... 73
    Editing Port Groups ... 73
    Deleting a Port Group ... 73

Chapter 6 Configuring Inter-Zone Security ... 75
  About Zone Bridging Rules ... 75
  Creating a Zone Bridging Rule ... 76
  Editing and Removing Zone Bridge Rules ... 78
  A Zone Bridging Tutorial ... 78
    Creating the Zone Bridging Rule ... 78
    Allowing Access to the Web Server ... 79
    Accessing a Database on the Protected Network ... 79
  Group Bridging ... 80
    Group Bridging and Authentication ... 80
    Creating Group Bridging Rules ... 81
    Editing and Removing Group Bridges ... 82

Chapter 7 Managing Inbound and Outbound Traffic ... 83
  Introduction to Port Forwards – Inbound Security ... 83
    Port Forward Rules Criteria ... 83
    Creating Port Forward Rules ... 84
    Load Balancing Port Forwarded Traffic ... 86
    Editing and Removing Port Forward Rules ... 86
  Advanced Network and Firewall Settings ... 86
    Network Application Helpers ... 86
    Managing Bad External Traffic ... 87
    Configuring Reflective Port Forwards ... 88
    Managing Connectivity Failback ... 88
  Managing Outbound Traffic and Services ... 89
    Working with Port Rules ... 89
    Working with Outbound Access Policies ... 93
  Managing External Services ... 96

Chapter 8 Virtual Private Networking ... 99
  Advanced Firewall VPN Features ... 100
  What is a VPN? ... 100
    About VPN Gateways ... 101
    Administrator Responsibilities ... 101
  About VPN Authentication ... 101
    PSK Authentication ... 102
    X509 Authentication ... 102
  Configuration Overview ... 104
  Working with Certificate Authorities and Certificates ... 105
    Creating a CA ... 105
    Exporting the CA Certificate ... 106
    Importing Another CA's Certificate ... 107
    Deleting the Local Certificate Authority and its Certificate ... 107
    Deleting an Imported CA Certificate ... 107
  Managing Certificates ... 108
    Creating a Certificate ... 108
    Reviewing a Certificate ... 109
    Exporting Certificates ... 110
    Exporting in the PKCS#12 Format ... 110
    Importing a Certificate ... 111
    Deleting a Certificate ... 111
  Setting the Default Local Certificate ... 112
  Site-to-Site VPNs – IPSec ... 112
    Recommended Settings ... 113
    Creating an IPsec Tunnel ... 113
  IPSec Site to Site and X509 Authentication – Example ... 117
    Prerequisite Overview ... 117
    Creating the Tunnel on the Primary System ... 118
    Creating the Tunnel on the Secondary System ... 119
    Checking the System is Active ... 120
    Activating the IPSec tunnel ... 120
  IPSec Site to Site and PSK Authentication ... 121
    Creating the Tunnel Specification on Primary System ... 121
    Creating the Tunnel Specification on the Secondary System ... 122
    Checking the System is Active ... 123
    Activating the PSK tunnel ... 123
  About Road Warrior VPNs ... 124
    Configuration Overview ... 124
  IPSec Road Warriors ... 125
    Creating an IPSec Road Warrior ... 125
  Supported IPSec Clients ... 128
  Creating L2TP Road Warrior Connections ... 128
    Creating a Certificate ... 128
    Configuring L2TP and SSL VPN Global Settings ... 129
    Creating an L2TP Tunnel ... 129
    Configuring an iPhone-compatible Tunnel ... 130
    Using NAT-Traversal ... 132
  VPNing Using L2TP Clients ... 132
    L2TP Client Prerequisites ... 132
    Connecting Using Windows XP/2000 ... 132
    Installing an L2TP Client ... 133
  VPNing with SSL ... 137
    Prerequisites ... 137
    Configuring VPN with SSL ... 137
  Managing SSL Road Warriors ... 139
    Managing Group Access to SSL VPNs ... 139
    Managing Custom Client Scripts for SSL VPNs ... 139
    Generating SSL VPN Archives ... 140
    Configuring SSL VPN on Internal Networks ... 141
    Configuring and Connecting Clients ... 141
  VPN Zone Bridging ... 144
  Secure Internal Networking ... 145
    Creating an Internal L2TP VPN ... 145
  Advanced VPN Configuration ... 147
    Multiple Local Certificates ... 147
    Creating Multiple Local Certificates ... 147
    Public Key Authentication ... 149
    Configuring Both Ends of a Tunnel as CAs ... 149
    VPNs between Business Partners ... 150
    Extended Site to Site Routing ... 151
  Managing VPN Systems ... 153
    Automatically Starting the VPN System ... 153
    Manually Controlling the VPN System ... 154
    Viewing and Controlling Tunnels ... 154
    VPN Logging ... 155
  VPN Tutorials ... 156
    Example 1: Preshared Key Authentication ... 156
    Example 2: X509 Authentication ... 158
    Example 3: Two Tunnels and Certificate Authentication ... 160
    Example 4: IPSec Road Warrior Connection ... 162
    Example 5: L2TP Road Warrior ... 165
  Working with SafeNet SoftRemote ... 167
    Configuring IPSec Road Warriors ... 167
    Using the Security Policy Template SoftRemote ... 167
    Creating a Connection without the Policy File ... 169
    Advanced Configuration ... 171

Chapter 9 Authentication and User Management ... 173
  Configuring Global Authentication Settings ... 174
  About Directory Servers ... 175
    Configuring a Microsoft Active Directory Connection ... 176
    Configuring an LDAP Connection ... 177
    Configuring a RADIUS Connection ... 179
    Configuring an Active Directory Connection – Legacy Method ... 181
    Configuring a Local Users Directory ... 184
    Reordering Directory Servers ... 184
    Editing a Directory Server ... 184
    Deleting a Directory Server ... 185
    Diagnosing Directories ... 185
  Managing Local Users ... 185
    Adding Users ... 185
    Editing Local Users ... 186
    Deleting Users ... 186
  Managing Groups of Users ... 186
    About Groups ... 186
    Adding Groups ... 187
  • 27. Editing Groups ..................................................................... 187 Deleting Groups ................................................................... 188 Mapping Groups............................................................................ 188 Remapping Groups.............................................................. 188 Deleting Group Mappings ................................................... 189 Managing Temporarily Banned Users......................................... 189 Creating a Temporary Ban.................................................. 189 Removing Temporary Bans ................................................ 190 Removing Expired Bans ...................................................... 190 Managing User Activity ................................................................ 191 Viewing User Activity........................................................... 191 Logging Users Out............................................................... 191 Banning Users...................................................................... 191 About SSL Authentication ............................................................ 192 viii Smoothwall Ltd
  • 28. Advanced Firewall Administration Guide Contents Customizing the SSL Login Page....................................... 192 Reviewing SSL Login Pages ............................................... 194 Configuring SSL Login ........................................................ 194 Creating SSL Login Exceptions.......................................... 195 Managing Kerberos Keytabs ....................................................... 196 Adding Keytabs.................................................................... 196 Managing Keytabs ............................................................... 197 Chapter 10 Centrally Managing Smoothwall Systems .......... 199 About Centrally Managing Smoothwall Systems....................... 199 Pre-requirements................................................................. 200 Setting up a Centrally Managed Smoothwall System ............... 200 Configuring the Parent Node .............................................. 200 Configuring Child Nodes ..................................................... 201 Adding Child Nodes to the System .................................... 202 Editing Child Node Settings................................................ 205 Deleting Nodes in the System ............................................ 205 Managing Nodes in a Smoothwall System ................................. 205 Monitoring Node Status ......................................................
  • 29. 206 Accessing the Node Details Page ...................................... 207 Working with Updates ......................................................... 207 Rebooting Nodes ................................................................. 208 Disabling Nodes ................................................................... 209 Using BYOD in a Centrally Managed System............................. 209 Appendix A User Authentication .............................................. 211 Overview ........................................................................................ 211 Verifying User Identity Credentials .................................... 211 About Authentication Mechanisms .................................... 212 Other Authentication Mechanisms .................................... 212 Choosing an Authentication Mechanism .......................... 212 About the Login Time-out ................................................... 213 Advanced Firewall and DNS......................................................... 213 A Common DNS Pitfall ........................................................ 213 Working with Large Directories ................................................... 214 Active Directory............................................................................. 214
  • 30. Active Directory Username Types...................................... 214 Accounts and NTLM Identification..................................... 215 About Kerberos ............................................................................. 215 Kerberos Pre-requisites and Limitations .......................... 215 Troubleshooting................................................................... 215 Appendix B Troubleshooting VPNs.......................................... 217 Site-to-site Problems.................................................................... 217 L2TP Road Warrior Problems ...................................................... 218 Enabling L2TP Debugging................................................... 218 Windows Networking Issues........................................................ 219 ix Advanced Firewall Administration Guide Contents Appendix C Hosting Tutorials................................................... 221 Basic Hosting Arrangement ......................................................... 221 Extended Hosting Arrangement .................................................. 222 More Advanced Hosting Arrangement ....................................... 224 Glossary ................................................................. 227
  • 31. Index....................................................................... 237 x Smoothwall Ltd About This Guide Smoothwall’s Advanced Firewall is a licenced feature of your Smoothwall System. This manual provides guidance for configuring Advanced Firewall. Audience and Scope This guide is aimed at system administrators maintaining and deploying Advanced Firewall. This guide assumes the following prerequisite knowledge: • An overall understanding of the functionality of the Smoothwall System • An overall understanding of networking concepts Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative. Organization and Use This guide is made up of the following chapters and appendices: • Chapter 1, Introduction on page 3 • Chapter 2, Advanced Firewall Overview on page 5
  • 32. • Chapter 3, Working with Interfaces on page 25 • Chapter 4, Managing Your Network Infrastructure on page 47 • Chapter 5, General Network Security Settings on page 67 • Chapter 6, Configuring Inter-Zone Security on page 75 • Chapter 7, Managing Inbound and Outbound Traffic on page 83 • Chapter 8, Virtual Private Networking on page 99 1 Advanced Firewall Administration Guide About This Guide • Chapter 9, Authentication and User Management on page 173 • Chapter 10, Centrally Managing Smoothwall Systems on page 199 • Appendix A:User Authentication on page 211 • Appendix B:Troubleshooting VPNs on page 217 • Appendix C:Hosting Tutorials on page 221 • Glossary on page 227 • Index on page 237 Conventions The following typographical conventions are used in this guide: This guide is written in such a way as to be printed on both
  • 33. sides of the paper. Related Documentation The following guides provide additional information relating to Advanced Firewall: • Advanced Firewall Installation Guide, which describes how to install Advanced Firewall • Advanced Firewall Operations Guide, which describes how to maintain Advanced Firewall • Advanced Firewall Upgrade Guide, which describes how to upgrade Advanced Firewall • Advanced Firewall User Portal Guide, which describes how to use the Advanced Firewall user portal • http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals. Item Convention Example Key product terms Initial Capitals Advanced Firewall Cross-references and references to other guides Italics See Chapter 1, Introduction on page 3 Filenames and paths Courier The portal.xml file Variables that users replace Courier Italics http://<my_ip>/portal
1 Introduction
This chapter introduces Advanced Firewall, including:
• Overview of Advanced Firewall on page 3
• Annual Renewal on page 4

Overview of Advanced Firewall
Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy based access control to local network zones and Internet services. Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.
Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• User authentication – policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• Load balancer – the ideal solution for the efficient and resilient use of multiple Internet connections
• Internal firewall – segregation of networks into physically separate zones with user-level access control of inter-zone traffic
• Email Security – anti-spam, anti-malware, mail relay and control
• VPN Gateway – site-to-site, secure remote access and secure wireless connections

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

2 Advanced Firewall Overview
In this chapter:
• How to access Advanced Firewall
• An overview of the pages used to configure and manage Advanced Firewall.
Accessing Advanced Firewall
To access Advanced Firewall:
1. In a web browser, enter the address of your Advanced Firewall, for example: https://192.168.72.141:441
Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security.
Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.
2. Accept Advanced Firewall’s certificate. The login screen is displayed.
3. Enter the following information:
Username – Enter admin. This is the default Advanced Firewall administrator account.
Password – Enter the password you specified for the admin account when installing Advanced Firewall.
4. Click Login. The Dashboard opens.
The following sections give an overview of Advanced Firewall’s default sections and pages.

Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.

Logs and reports
The Logs and reports section contains the following sub-sections and pages:

Reports
Summary – Displays a number of generated reports. For more information, refer to the Advanced Firewall Operations Guide.
Reports – Where you generate and organize reports. For more information, refer to the Advanced Firewall Operations Guide.
Recent and saved – Lists recently-generated and previously saved reports. For more information, refer to the Advanced Firewall Operations Guide.
Scheduled – Sets which reports are automatically generated and delivered. For more information, refer to the Advanced Firewall Operations Guide.
Custom – Enables you to create and view custom reports. For more information, refer to the Advanced Firewall Operations Guide.

Alerts
Alerts – Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Advanced Firewall Operations Guide.
Alert settings – Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Advanced Firewall Operations Guide.

Realtime
System – A real time view of the system log with some filtering options. For more information, refer to the Advanced Firewall Operations Guide.
Firewall – A real time view of the firewall log with some filtering options. For more information, refer to the Advanced Firewall Operations Guide.
IPSec – A real time view of the IPSec log with some filtering options. For more information, see Realtime IPsec Information on page 113.
Email – Displays the email log viewer running in real time mode. For more information, see Email Logs on page 122.
Portal – A real time view of activity on user portals. For more information, refer to the Advanced Firewall Operations Guide.
IM proxy – A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 114.
Traffic graphs – Displays a real time bar graph of the bandwidth being used. For more information, refer to the Advanced Firewall Operations Guide.

Logs
System – Simple logging information for the internal system services. For more information, refer to the Advanced Firewall Operations Guide.
Firewall – Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Advanced Firewall Operations Guide.
IPSec – Displays diagnostic information for VPN tunnels. For more information, see IPSec Logs on page 120.
Email – Displays sender, recipient, subject and other email message information. For more information, see Email Logs on page 122.
IDS – Displays network traffic detected by the intrusion detection system (IDS). For more information, see IDS Logs on page 124.
IPS – Displays network traffic detected by the intrusion prevention system (IPS). For more information, see IPS Logs on page 125.
IM proxy – Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 126.
Web proxy – Displays detailed analysis of web proxy usage. For more information, see Web Proxy Logs on page 63.
Reverse proxy – Displays information on reverse proxy usage. For more information, see Reverse Proxy Logs on page 127.
Log settings – Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Advanced Firewall Operations Guide.

Settings
Datastore settings – Contains settings to manage the storing of log files. For more information, refer to the Advanced Firewall Operations Guide.
Groups – Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Advanced Firewall Operations Guide.
Output settings – Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Advanced Firewall Operations Guide.

Networking
The Networking section contains the following sub-sections and pages:

Filtering
Zone bridging – Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 75.
Group bridging – Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 80.
IP block – Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 67.

Routing
Subnets – Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 47.
RIP – Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page 49.
Sources – Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Sources on page 51.
Ports – Used to create rules to set the external interface based on the destination port. For more information, see Ports on page 52.

Interfaces
Interfaces – Configure and display information on your Advanced Firewall’s internal interfaces. For more information, see Configuring Global Settings for Interfaces on page 26.
Internal aliases – Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see Working with Secondary External Interfaces on page 56.
External aliases – Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Creating an External Alias Rule on page 54.
Connectivity – Used to create external connection profiles and implement them. For more information, see Connecting Using a Static Ethernet Connectivity Profile on page 27.
PPP – Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Creating a PPP Profile on page 40.
Secondaries – Used to configure an additional, secondary external interface. For more information, see Working with Secondary External Interfaces on page 56.

Firewall
Port forwarding – Used to forward incoming connection requests to internal network hosts. For more information, see Introduction to Port Forwards – Inbound Security on page 83.
Source mapping – Used to map specific internal hosts or subnets to an external alias. For more information, see Creating a Source Mapping Rule on page 55.
Advanced – Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Network Application Helpers on page 86.
Outgoing
Policies – Used to assign outbound access controls to IP addresses and networks. For more information, see Working with Outbound Access Policies on page 93.
Ports – Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Managing Outbound Traffic and Services on page 89.
External services – Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Managing External Services on page 96.

Settings
Port groups – Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Working with Port Groups on page 72.
Advanced – Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 69.

Services
The Services section contains the following sub-sections and pages:

Authentication
Settings – Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 174.
Directories – Used to connect to directory servers in order to retrieve groups, apply network and web filtering permissions, and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Servers on page 175.
Groups – Used to customize group names. For more information, see Managing Groups of Users on page 186.
Temporary bans – Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 189.
User activity – Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 191.
SSL login – Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see About SSL Authentication on page 192.
Kerberos keytabs – This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 196.
BYOD – Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Advanced Firewall Operations Guide.

User Portal
Portals – This page enables you to configure and manage user portals. For more information, refer to the Advanced Firewall Operations Guide.
Group access – This page enables you to assign groups of users to portals. For more information, refer to the Advanced Firewall Operations Guide.
User access – This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Advanced Firewall Operations Guide.

Proxies
Web proxy – Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Managing the Web Proxy Service.
Instant messenger – Used to configure and enable instant messaging proxying. For more information, see Instant Messenger Proxying on page 41.
SIP – Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see SIP Proxying on page 43.
FTP – Used to configure and enable a proxy to manage FTP traffic. For more information, see FTP Proxying on page 46.
Reverse proxy – The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Reverse Proxy Service on page 50.

SNMP
SNMP – Used to activate Advanced Firewall’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Advanced Firewall Operations Guide.

DNS
Static DNS – Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Adding Static DNS Hosts on page 54.
DNS proxy – Used to provide a DNS proxy service for local network hosts. For more information, see Enabling the DNS Proxy Service on page 55.
Dynamic DNS – Used to configure access to third-party dynamic DNS service providers. For more information, see Managing Dynamic DNS on page 55.

Message Censor
Policies – Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Advanced Firewall Operations Guide.
Filters – This is where you create and manage filters for matching particular types of message content. For more information, refer to the Advanced Firewall Operations Guide.
Time – This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Advanced Firewall Operations Guide.
Custom categories – Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Advanced Firewall Operations Guide.

Intrusion System
Signatures – Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Uploading Custom Signatures on page 68.
Policies – Enables you to configure Advanced Firewall’s intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Creating Custom Policies on page 67.
IDS – Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Deploying Intrusion Detection Policies on page 64.
IPS – Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Deploying Intrusion Prevention Policies on page 65.

DHCP
Global – Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Enabling DHCP on page 59.
DHCP server – Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Creating a DHCP Subnet on page 60.
DHCP leases – Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Viewing DHCP Leases on page 64.
DHCP relay – Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see DHCP Relaying on page 65.
Custom options – Used to create and edit custom DHCP options. For more information, see Creating Custom DHCP Options on page 65.

System
The System section contains the following sub-sections and pages:

Maintenance
Updates – Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Advanced Firewall Operations Guide.
Modules – Used to upload, view, check, install and remove Advanced Firewall modules. For more information, refer to the Advanced Firewall Operations Guide.
Licenses – Used to display and update license information for the licensable components of the system. For more information, refer to the Advanced Firewall Operations Guide.
Archives – Used to create and restore archives of system configuration information. For more information, refer to the Advanced Firewall Operations Guide.
Scheduler – Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Advanced Firewall Operations Guide.
Shutdown – Used to shut down or reboot the system. For more information, refer to the Advanced Firewall Operations Guide.

Central Management
Overview – This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 205.
Child nodes – This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 201.
Local node settings – This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 200.

Preferences
User interface – Used to manage Advanced Firewall’s dashboard settings. For more information, refer to the Advanced Firewall Operations Guide.
Time – Used to manage Advanced Firewall’s time zone, date and time settings. For more information, refer to the Advanced Firewall Operations Guide.
Registration options – Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Advanced Firewall Operations Guide.
Hostname – Used to configure Advanced Firewall’s hostname. For more information, refer to the Advanced Firewall Operations Guide.

Administration
Admin options – Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, refer to the Advanced Firewall Operations Guide.
External access – Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, refer to the Advanced Firewall Operations Guide.
Administrative users – Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Advanced Firewall Operations Guide.

Hardware
UPS – Used to configure the system’s behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Advanced Firewall Operations Guide.
Failover – Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Managing Hardware Failover on page 164.
Modem – Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Configuring Modems on page 169.
Firmware upload – Used to upload firmware used by USB modems. For more information, see Installing and Uploading Firmware on page 170.

Diagnostics
Functionality tests – Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, refer to the Advanced Firewall Operations Guide.
Configuration report – Used to create diagnostic files for support purposes. For more information, refer to the Advanced Firewall Operations Guide.
IP tools – Contains the ping and trace route IP tools. For more information, refer to the Advanced Firewall Operations Guide.
Whois – Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Advanced Firewall Operations Guide.
Traffic analysis – Used to generate and display detailed information on current traffic. For more information, refer to the Advanced Firewall Operations Guide.

Certificates
Certificate authorities – Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Managing CA Certificates on page 176.

VPN
The VPN section contains the following pages:
Control – Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Managing VPN Systems on page 153.
Certificate authorities – Used to create a local certificate authority (CA) for use in an X509-authenticated VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Working with Certificate Authorities and Certificates on page 105.
Certificates – Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Managing Certificates on page 108.
Global – Used to configure global settings for the VPN system. For more information, see Setting the Default Local Certificate on page 112.
IPSec subnets – Used to configure IPSec subnet VPN tunnels. For more information, see Site-to-Site VPNs – IPSec on page 112.
IPSec roadwarriors – Used to configure IPSec road warrior VPN tunnels. For more information, see IPSec Road Warriors on page 125.
L2TP roadwarriors – Used to create and manage L2TP road warrior VPN tunnels. For more information, see Creating L2TP Road Warrior Connections on page 128.
SSL roadwarriors – Enables you to configure and upload custom SSL VPN client scripts. For more information, see Managing Custom Client Scripts for SSL VPNs on page 139.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports
IP Address
An IP address defines the network location of a single network host. The following format is used: 192.168.10.1
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example: 192.168.10.1-192.168.10.20
  • 60. 192.168.10.1-192.168.12.255 Subnet Addresses A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: 192.168.10.0/255.255.255.0 192.168.10.0/24 Netmasks A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples: 255.255.255.0 255.255.0.0 255.255.248.0 Service and Ports A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop- down list and enter the numeric port number into the adjacent User defined field. Examples: 21 7070
  • 61. Port Range A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139 Using Comments Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information. Creating, Editing and Removing Rules Much of Advanced Firewall is configured by creating rules – for example, IP block rules and administration access rules. 20 Smoothwall Ltd Advanced Firewall Administration Guide Advanced Firewall Overview Creating a Rule To create a rule: 1. Enter configuration details in the Add a new rule area.
  • 62. 2. Click Add to create the rule and add it to the appropriate Current rules area. Editing a Rule To edit a rule: 1. Find the rule in the Current rules area and select its adjacent Mark option. 2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values. 3. Change the configuration values as necessary. 4. Click Add to re-create the edited rule and add it to the Current rules area. Removing a Rule To remove one or more rules: 1. Select the rule(s) to be removed in the Current rules area. 2. Click Remove to remove the selected rule(s). Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules area will be Add a new host and Current users etc. Connecting via the Console You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Configuring Administration Access Options on page 154 for more information.

Connecting Using a Client
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check that SSH access is enabled on Advanced Firewall. See Configuring Administration Access Options on page 154 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
• Host Name (or IP address): Enter Advanced Firewall's host name or IP address.
• Port: Enter 222.
• Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication

When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall's certificate is a self-signed certificate.
Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Advanced Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.
To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
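The host, range, subnet, netmask and port formats listed under Specifying Networks, Hosts and Ports above can be validated before they go into a rule. The following Python is an added example, not Smoothwall code: it assumes only the standard-library ipaddress module, normalises each accepted form to CIDR blocks or a (low, high) port pair, and shows the edge cases the manual implies (a range that spans subnets expands to several blocks, an arbitrary address with a mask is reduced to its network, and a hostmask such as 0.0.0.255 is rejected where a netmask is expected).

```python
"""Validate the host, range, subnet, netmask and port formats that Smoothwall
rule fields accept, and normalise them to CIDR blocks / port ranges.

Added example (not Smoothwall code); uses only the Python standard library.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressSpec:
    """An inclusive range of IPv4 addresses; a single host has first == last."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, host: str) -> bool:
        return self.first <= ipaddress.IPv4Address(host) <= self.last

    def cidrs(self) -> list:
        """Smallest set of CIDR blocks covering the range. A range that spans
        subnets (which the manual allows) expands to several blocks."""
        return [str(n) for n in
                ipaddress.summarize_address_range(self.first, self.last)]


def parse_address(text: str) -> AddressSpec:
    """Accept '192.168.10.1', '192.168.10.1-192.168.10.20',
    '192.168.10.0/255.255.255.0' or '192.168.10.0/24'."""
    text = text.strip()
    if "-" in text:                                   # low-high range
        low, high = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if high < low:
            raise ValueError(f"range {text!r} is not low-to-high")
        return AddressSpec(low, high)
    if "/" in text:                                   # address/mask or address/prefix
        # strict=False: the manual allows an *arbitrary* address with the mask,
        # so host bits are cleared rather than rejected.
        net = ipaddress.IPv4Network(text, strict=False)
        return AddressSpec(net.network_address, net.broadcast_address)
    host = ipaddress.IPv4Address(text)                # single host
    return AddressSpec(host, host)


def parse_netmask(text: str) -> int:
    """Return the prefix length of a dotted netmask such as 255.255.248.0.
    Rejects non-contiguous masks (255.255.0.255) and hostmasks (0.0.0.255),
    which ipaddress would otherwise accept as a wildcard mask."""
    text = text.strip()
    net = ipaddress.IPv4Network(f"0.0.0.0/{text}")   # raises on non-contiguous masks
    if str(net.netmask) != text:
        raise ValueError(f"{text!r} is a hostmask, not a netmask")
    return net.prefixlen


def parse_ports(text: str) -> tuple:
    """Accept '21' or '137:139' (the low:high syntax shared by Smoothwall's
    User defined field and iptables --dport); return (low, high)."""
    text = text.strip()
    low_s, _, high_s = text.partition(":")
    low = int(low_s)
    high = int(high_s) if high_s else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad port or port range {text!r}")
    return low, high


def describe(text: str) -> str:
    """Human-readable normalisation, e.g. for a rule-review report."""
    return f"{text} -> {', '.join(parse_address(text).cidrs())}"


if __name__ == "__main__":
    for example in ("192.168.10.1", "192.168.10.1-192.168.10.20",
                    "192.168.10.1-192.168.12.255",
                    "192.168.10.0/255.255.255.0", "192.168.10.77/24"):
        print(describe(example))
    print(parse_netmask("255.255.248.0"), parse_ports("137:139"))
```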
3 Working with Interfaces

This chapter describes how to configure the interfaces (network interface cards) on your Advanced Firewall, including:
• Configuring Global Settings for Interfaces on page 26
• Connecting Using an Internet Connectivity Profile on page 27
• Creating a PPP Profile on page 40
• Working with Bridges on page 42
• Working with Bonded Interfaces on page 43
• Configuring IP Addresses on page 44
• Virtual LANs on page 45

Configuring Global Settings for Interfaces

Global settings determine Advanced Firewall's default gateway, and primary and secondary DNS addresses.
To configure global settings:
1. Browse to the Networking > Interfaces > Interfaces page. The following global interface settings are available:
• Default gateway: This setting determines Advanced Firewall's default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 27.
• Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Advanced Firewall and DNS on page 213.
• Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Connecting Using an Internet Connectivity Profile

Advanced Firewall supports the following Internet connection methods:
• Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.
• Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall. A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.
• Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and the appropriate settings. The following sections explain how to connect using the different connection methods.

Connecting Using a Static Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a static Ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.
To connect using a static Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
• Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
• Name: Accept the default name or enter a custom name.
• Use as: Select External.
• MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select Static Ethernet.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the Static Ethernet settings area, configure the following settings:
• Interface: From the drop-down list, select the Ethernet interface for this connection.
• Default gateway: Enter the default gateway IP address as provided by your ISP.
• Address: Enter the static IP address provided by your ISP.
• Netmask: Enter the subnet mask as provided by your ISP.
• Primary DNS: Enter the primary DNS server details as provided by your ISP.
• Secondary DNS: Enter the secondary DNS server details as provided by your ISP.
6. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a DHCP Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.
To connect using a DHCP Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
• Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
• Name: Accept the default name or enter a custom name.
• Use as: Select External.
• MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select DHCP Ethernet.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update and, in the DHCP Ethernet settings area, configure the following settings:
• Interface: From the drop-down list, select the Ethernet interface for this connection.
• DHCP Hostname: Optionally enter a DHCP hostname, if provided by your ISP.
• MAC spoof: Enter a spoof MAC value, if required.
6. Click Save and connect to save the profile and connect to the Internet immediately.
Connecting using a PPP over Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.
To connect using a PPP over Ethernet connection:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
• Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
• Name: Accept the default name or enter a custom name.
• Use as: Select External.
• MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select PPP over Ethernet.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the PPP over Ethernet settings area, configure the following settings:
• Service name: If required, enter the service name as specified by your ISP.
• Concentrator: If required, enter the concentrator name as specified by your ISP.
• Interface: From the drop-down list, select the Ethernet interface for this connection.
• PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.
6. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPTP over Ethernet Connectivity Profile

This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.
To connect using a PPTP over Ethernet connection:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:
• Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2. Point to the network interface card (NIC) you want to use and select Edit.
3. In the Edit interface dialog box, configure the following settings:
• Name: Accept the default name or enter a custom name.
• Use as: Select External.
• MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select PPTP over Ethernet.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5. Click Update. In the PPTP over Ethernet settings area, configure the following settings:
• Interface: From the drop-down list, select the Ethernet interface for this connection.
• PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 40.
• Address: Enter the IP address assigned by your ISP.
• Netmask: Enter the netmask assigned by your ISP.
• Gateway: Enter the gateway assigned by your ISP.
• Telephone: Enter the dial telephone number as provided by your ISP.
6. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ADSL/DSL Modem Connectivity Profile

Advanced Firewall can connect to the Internet using an ADSL modem.
Note: To connect using an ADSL modem, the ADSL device must have been configured either during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide. If your ADSL connection uses a PPPoE connection, see Connecting using a PPP over Ethernet Connectivity Profile on page 31 for more information.
To connect using an ADSL/DSL modem connectivity profile:
1. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select ADSL modem.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2. Click Update. In the ADSL modem settings area, configure the following settings:
• Service name: Leave this field blank. It is not required for this type of profile.
• Concentrator: Leave this field blank. It is not required for this type of profile.
• PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 40.
3. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ISDN Modem Connectivity Profile

Note: The following sections apply if an ISDN modem is installed in your Advanced Firewall.
This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem.
Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To connect using an ISDN modem connectivity profile:
1. On the Networking > Interfaces > Connectivity page, configure the following settings:
• Profiles: Select Empty from the drop-down list and click Select.
• Profile name: Enter a name for the connection profile.
• Method: Select ISDN TA.
• Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
• Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
• Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
  Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
• Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
• Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
  Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
• Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2. Click Update. In the ISDN settings area, configure the following settings:
  • 95. Setting Description PPP Profile From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > Interfaces page and create one. For more information, see Creating a PPP Profile on page 40. Telephone Enter the telephone number for the ISDN connection. Channels From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines. Setting Description 37 Advanced Firewall Administration Guide Working with Interfaces 3. Click Save to save the profile or Save and connect to save the profile and use it to connect to the Internet immediately. Connecting Using a Dial-up Modem Connectivity Profile This section explains how to connect to the Internet using a dial-up modem for Internet connectivity. To connect using a dial-up modem connectivity profile:
  • 96. 1. On the Networking > Interfaces > Connectivity page, configure the following settings: Keep second channel up Select to force the second channel to remain open when its data rate falls below a worthwhile threshold. Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data-rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening. Minimum time to keep second channel up (sec) Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data-rate falls below the threshold for short periods of time. Setting Description Profiles Select Empty from drop-down list and click Select. Profile name Enter a name for the connection profile.
  • 97. Method Select Modem. Auto connect on boot By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option. Custom MTU Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here. Automatic failover to profile Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail. Primary failover ping IP Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted,
  • 98. the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu. Setting Description 38 Smoothwall Ltd Advanced Firewall Administration Guide Working with Interfaces 2. Click Update. In the Modem settings area, configure the following settings: 3. Click Save and connect to save the profile and use it to connect to the Internet immediately. Secondary failover ping IP Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu. Load balance outgoing traffic Select to ensure that outbound NATed traffic is divided among the
  • 99. primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balance web proxy traffic Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Weighting Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection. Setting Description PPP Profile From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 40.
  • 100. Modem profile From the drop-down list, select the modem profile to use. For more information about modem profiles, refer to the Advanced Firewall Operations Guide. Telephone Enter the telephone number for the connection. Setting Description 39 Advanced Firewall Administration Guide Working with Interfaces Creating a PPP Profile Up to five PPP profiles can be created to store username, password and connection-specific details for connections where Advanced Firewall controls the connecting device, including ISDN, and Ethernet/modem hybrid devices, attached to Advanced Firewall. A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account. To create a PPP profile: 1. Navigate to the Networking > Interfaces > PPP page.
2. Configure the following settings:
Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per-unit-time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests; this is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following a failure to connect.
Username: Enter your ISP-assigned username.
Password: Enter your ISP-assigned password.
Method: Choose the authentication method as specified by your ISP.
Script name: Enter the name of a logon script here, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP. Manual – select if your ISP has provided you with DNS server addresses to enter. Automatic – select if your ISP automatically allocates DNS settings upon connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.
3. Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2. Make the changes. See Connecting Using an Internet Connectivity Profile on page 27 for information on the settings.
3. Click Save. Advanced Firewall modifies the profile.

Note: Any changes made to a profile used in a current connection will only be applied following re-connection.

Deleting Profiles

To delete a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
2. Click Delete. Advanced Firewall deletes the profile.

Note: Deleting a profile used as part of a current connection will cause the current connection to close.

Working with Bridges

It is possible to deploy Advanced Firewall in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible. The following sections explain how to create, edit and delete bridges.

Creating Bridges

To create a bridge:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following: External – Select to use the bridge as an external interface. Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges

To edit a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 42 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting Bridges

To delete a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2. When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.

Working with Bonded Interfaces

Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.

Creating Bonds

To create a bond:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following: External – Select to use the bond as an external interface. Basic interface – Select to use the bond as an interface with one or more IP addresses on it. Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 42.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds

To edit a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 43 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting Bonds

To delete a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2. When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.
Configuring IP Addresses

The following sections explain how to add, edit and delete IP addresses used by interfaces.

Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 54 for more information.

Adding an IP Address

To add an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.
3. Click Add. Advanced Firewall adds the IP address to the interface.

Editing an IP Address

To edit an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2. In the IP addresses dialog box, point to the address and click Edit.
3. In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.

Deleting an IP Address

To delete an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2. In the IP addresses dialog box, point to the address and click Delete.
3. When prompted, click Delete. Advanced Firewall deletes the address.

Virtual LANs

Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.

Creating a VLAN

To create a VLAN:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of NICs available, select the interface to use.
VLAN ID: If required, enter a tag in the range 1 - 4095 to create a separate network. Note: We do not recommend using a VLAN tag of 1 as this can cause problems with some equipment.
Use as: Select one of the following: External – Select to use the VLAN as an external interface. Basic interface – Select to use the VLAN as a basic interface. Bridge member – Select to use the VLAN as part of a bridge; then, from the Bridge interface drop-down list, select which bridge interface to use. For more information, see Working with Bridges on page 42. Whichever option you select, a Spoof MAC field is available: optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
3. Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Editing a VLAN

To edit a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2. In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 45 for information on the settings available.

Deleting a VLAN

To delete a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2. When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.

4 Managing Your Network Infrastructure
This chapter describes how to manage various aspects of your Advanced Firewall network, including:
• Creating Subnets on page 47
• Using RIP on page 49
• Sources on page 51
• Ports on page 52
• Creating an External Alias Rule on page 54
• Creating a Source Mapping Rule on page 55
• Working with Secondary External Interfaces on page 56
• Using DHCP on page 59

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:
1. Navigate to the Networking > Routing > Subnets page.
2. Configure the following settings:
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the Network field.
Gateway: Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone. Advanced Firewall must be able to route to the gateway device in order for the subnet to be successfully configured, so the gateway address must be on a network that Advanced Firewall is directly attached to.
Metric: Enter a route metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds. Advanced Firewall’s RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system’s internal interfaces.

To configure the RIP service:
1. Navigate to the Networking > Routing > RIP page.
2. Configure the following settings:
Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval. Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or reconsider the suitability of the RIP service for propagating routing information.
Direction: From the drop-down menu, select how to manage routing information. The following options are available: Import and Export – The RIP service will add to and update its routing table from information received from other RIP-enabled gateways, and will also broadcast its routing tables for use by other RIP-enabled gateways. Import – The RIP service will add to and update its routing table from information received from other RIP-enabled gateways. Export – The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.
Logging level: From the drop-down menu, select the level of logging.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication: None – In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint. Password – In this mode, a plain text password is specified which must match that of the other RIP devices. MD5 – In this mode, an MD5-hashed password is specified which must match that of the other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service’s own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
3. Click Save.

Sources

The Sources page is used to configure source rules, which determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external interface.

To create a source rule:
1. Navigate to the Networking > Routing > Sources page.
2. Configure the following settings:
Source IP or network: Enter the source IP or subnet range of the internal network host(s) covered by this rule. For more information, see About IP Address Definitions on page 52.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule that ensures all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface. Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing. Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.
3. Click Add.

Removing a Rule

To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:
1. Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.
2. Alter the configuration values as necessary, and click Add.

About IP Address Definitions

Single or multiple IP addresses can be specified in a number of different ways:
IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255.

Ports

The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.

Note: The rules specified on the Sources page will always be examined first, so traffic is only matched against this list of port rules if it does not first match a sources rule. For more information, see Sources on page 51.

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.

To create a ports rule:
1. Navigate to the Networking > Routing > Ports page.
2. Configure the following settings:
Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
Port: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Enter a description of the rule.
Enabled: Select to make the rule active.
3. Click Add to create the rule. The rule is created and listed in the Current rules area.

Removing Rules

To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:
1. Select the rule in the Current rules area and click Edit.
2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Creating an External Alias Rule

Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Smoothwall System’s external interface.

To create an external alias rule:
1. Navigate to the Networking > Interfaces > External aliases page.
2. Configure the following settings:
External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select: Click to select the interface.
Connectivity profile: Used to determine when the external alias is active. Options include: All – The external alias will always be active, irrespective of the currently active connection profile. Named connection profile – The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask: Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.
Comment: A field used to assign a helpful message describing the external alias rule.
Enabled: Determines whether the external alias rule is currently active.
3. Click Add. The external alias rule is added to the Current rules table.
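The rule precedence described in the Sources and Ports sections above (sources rules examined first, then port rules, with Exception pinning traffic to the primary connection), together with the three notations from About IP Address Definitions, as an added Python example that is not Smoothwall's own code. The rule classes, the interface names eth1/eth2/ext2 and the sample rules are constructed for illustration:

```python
"""Added example (not Smoothwall code): evaluate outbound routing policy the way the
Sources and Ports pages describe it. Sources rules are examined first; traffic that
matches one never reaches the Ports list. 'Exception' pins traffic to the primary
external connection and exempts it from load balancing."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PRIMARY = "primary"      # the primary external connection
DEFAULT = "default"      # no rule matched: normal routing (primary, or the load balancing pool if enabled)
EXCEPTION = "Exception"  # the rule value meaning "always send via the primary"


def parse_ip_definition(text: str) -> IPv4Network:
    """Parse the three notations from 'About IP Address Definitions':
    a single host (192.168.10.1), a dotted-decimal mask (192.168.10.0/255.255.255.0)
    or a network prefix (192.168.10.0/24). A single host becomes a /32 network."""
    text = text.strip()
    if "/" not in text:
        return IPv4Network(f"{IPv4Address(text)}/32")
    # strict=False tolerates host bits set in the address part of the definition
    return IPv4Network(text, strict=False)


def definition_range(text: str) -> tuple:
    """First and last address covered by a definition, as the guide lists them."""
    net = parse_ip_definition(text)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class SourceRule:
    source: str              # IP or network definition (any of the three notations)
    internal_interface: str  # the internal interface the traffic must arrive on
    external_interface: str  # an external interface name, or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:
    protocol: str            # "tcp" or "udp"
    port: int                # destination port of the service
    external_interface: str  # an external interface name, or EXCEPTION
    enabled: bool = True


def select_external_interface(src_ip, internal_if, protocol, dport, source_rules, port_rules):
    """Return the external interface an outbound packet leaves by."""
    addr = IPv4Address(src_ip)
    # Sources rules are always examined first (Note on the Ports page).
    for rule in source_rules:
        if not rule.enabled or rule.internal_interface != internal_if:
            continue
        if addr in parse_ip_definition(rule.source):
            return PRIMARY if rule.external_interface == EXCEPTION else rule.external_interface
    # Only traffic that hit no sources rule is compared against the Ports rules.
    for rule in port_rules:
        if rule.enabled and rule.protocol == protocol.lower() and rule.port == dport:
            return PRIMARY if rule.external_interface == EXCEPTION else rule.external_interface
    return DEFAULT


# Constructed sample policy (hypothetical interface names, not from the guide):
# a subnet pinned to the secondary "ext2", one host exempted, and all SMTP via "ext2".
SOURCE_RULES = [
    SourceRule("192.168.10.0/255.255.255.0", "eth1", "ext2"),
    SourceRule("192.168.20.5", "eth1", EXCEPTION),
]
PORT_RULES = [PortRule("tcp", 25, "ext2")]


def route(src_ip, internal_if, protocol, dport):
    """Evaluate the sample policy for one packet."""
    return select_external_interface(src_ip, internal_if, protocol, dport, SOURCE_RULES, PORT_RULES)


if __name__ == "__main__":
    for pkt in [("192.168.10.77", "eth1", "tcp", 443),   # sources rule: ext2
                ("192.168.20.5", "eth1", "tcp", 25),     # Exception wins over the SMTP port rule
                ("192.168.30.9", "eth1", "tcp", 25),     # no sources match, port rule: ext2
                ("192.168.10.77", "eth2", "tcp", 443)]:  # wrong internal interface: default
        print(pkt, "->", route(*pkt))
```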
54 Smoothwall Ltd Advanced Firewall Administration Guide Managing Your Network Infrastructure

Editing and Removing External Alias Rules

To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases

Advanced Firewall extends the system's port forwarding capabilities by allowing port forward rules to be created that forward traffic arriving at an external alias. No special configuration is required to use this feature: use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule

Advanced Firewall enables you to map internal hosts to an external IP alias, instead of the default, real external IP, by creating source mapping rules. Outbound communication from the specified hosts then appears to originate from the external alias IP address.

A common use for source mapping rules is to ensure that an SMTP mail server sends and receives email via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to mirror that IP address as its source, some receiving SMTP servers will reject the mail, because it does not appear to originate from the address published for the domain: the firewall's default external IP is not the MX for the email domain, so reverse DNS or SPF checks against the connecting address fail. A source mapping rule alleviates this by ensuring that the SMTP server uses the same IP address for inbound and outbound traffic.

To create a source mapping rule:

1. Navigate to the Networking > Firewall > Source mapping page.
2. Configure the settings listed in the Source mapping settings table below.
3. Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules

To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces

The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface operates independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Source mapping settings (referenced in step 2 above):

Source IP – Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an IP address and subnet mask combination; for example, 192.168.100.0/255.255.255.0 creates a source mapping rule for every host in the 192.168.100.0/24 network (192.168.100.1 through 192.168.100.254). To map all hosts, leave the field blank.
Alias IP – From the drop-down list, select the external alias that outbound communication is mapped to.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
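Underneath, a source mapping rule is a source NAT rule in the nat table's POSTROUTING chain. The following shell functions are an added example, not Smoothwall's own rule generator (the guide does not show it): they print the iptables rules that realise the SMTP case above on a plain Linux firewall. The interface name eth1, the real external address 203.0.113.10, the alias 203.0.113.11 and the mail server 192.168.100.25 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: iptables equivalent of a Smoothwall source mapping rule.
# Not Smoothwall's own code; interface and addresses below are assumptions.

EXT_IF="eth1"            # assumed primary external interface
EXT_IP="203.0.113.10"    # assumed real external address
ALIAS_IP="203.0.113.11"  # assumed external alias (the MX for the mail domain)

# source_map SOURCE ALIAS [IFACE]
# Prints the nat POSTROUTING rule that rewrites the source of outbound
# traffic from SOURCE (a host or CIDR) to ALIAS. Empty SOURCE = all hosts,
# mirroring the blank Source IP field in the GUI.
source_map() {
    src="$1"; to_ip="$2"; iface="${3:-$EXT_IF}"
    if [ -n "$src" ]; then
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$src" "$iface" "$to_ip"
    else
        printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$iface" "$to_ip"
    fi
}

# alias_port_forward ALIAS PORT INTERNAL_HOST [IFACE]
# The inbound half ("port forward from external alias"): traffic arriving at
# the alias on PORT is DNATed to the internal host.
alias_port_forward() {
    to_ip="$1"; port="$2"; host="$3"; iface="${4:-$EXT_IF}"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$to_ip" "$port" "$host" "$port"
}

# mail_server_rules MAIL_HOST: the complete "same IP both ways" set for an
# SMTP server. Order matters: the host-specific SNAT must come before the
# catch-all SNAT for the rest of the LAN, because for a new connection the
# nat table applies the first matching NAT rule only.
mail_server_rules() {
    host="$1"
    alias_port_forward "$ALIAS_IP" 25 "$host"
    source_map "$host" "$ALIAS_IP"
    source_map "" "$EXT_IP"
}

# Usage: print the rules (pipe to sh as root on a test firewall to apply).
mail_server_rules 192.168.100.25
```

The script only prints rules, so it runs anywhere; the check a practitioner then makes on the firewall is `iptables -t nat -L POSTROUTING -n --line-numbers` to confirm the mail server's SNAT sits above the catch-all.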
Configuring a Secondary External Interface

Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:

1. Navigate to the Networking > Interfaces > Secondaries page.
2. Configure the following settings:

Secondary external interface – From the drop-down list, select the interface you want to use as the secondary external interface.
Select – Click to select the interface.
Address – Enter the IP address.
Netmask – Enter the netmask.
Default gateway – Enter the default gateway.
Enabled – Select to enable the interface.
Primary failover ping IP – Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic is redirected to the primary connection. If a secondary failover ping IP has also been entered, it must fail as well before failover routing is activated.
Secondary failover ping IP – Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. It is pinged every two minutes over the secondary in the same way. Only if both this IP address and the primary failover ping IP cannot be contacted is all outbound traffic redirected to the primary connection. Using two probe targets avoids failing over merely because one remote host happens to be down.
Load balance outgoing traffic – Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Outbound NATed traffic is then divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.
Load balance web proxy traffic – Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Web proxy traffic is then divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the proxy load balancing pool.
Note: If no load balance options are selected, all traffic is sent out of the primary external connection.
Weighting – Optionally, set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to every external connection in the load balancing pool, and load is shared in proportion to the weights. For example:
• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
• A connection weighted 2 will be given twice as much load as a connection weighted 1.
The weighting value is especially useful for load balancing external connections of differing speeds.

3. Click Save to save your settings and enable the secondary external interface.

Using DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to obtain an IP address and other network settings automatically. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:

• Support for 2 DHCP subnets
• Allocation of addresses within multiple dynamic ranges and static assignments per DHCP subnet
• Automated creation of static assignments from the ARP cache.

Enabling DHCP

To enable DHCP:

1. Navigate to the Services > DHCP > Global page.
2. Configure the following settings:

Enabled – Select to enable the DHCP service.
Server – Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging – Select to enable logging.

3. Click Save to enable the service.

Creating a DHCP Subnet

The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.

To create a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. Configure the following settings:

DHCP Subnet – From the drop-down menu, select Empty and click Select.
Subnet name – Enter a name for the subnet.
Network – Enter the IP address that specifies the network ID of the subnet when combined with the network mask entered in the Netmask field. For example: 192.168.10.0.
Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS – Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS – Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.
Default gateway – Enter the value that a requesting network host will receive for the default gateway it should use.
Enabled – Determines whether the DHCP subnet is currently active.

Click Advanced to access the following settings:

Primary WINS – Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS – Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that clients will use if they support this feature. Tip: Enter Advanced Firewall's IP address and clients can use its time service, if enabled. For more information, refer to the Advanced Firewall Operations Guide.
Secondary NTP – Optionally, enter the IP address of a secondary NTP server that clients will use if they support this feature. The same tip applies.
Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins) – Enter the lease time limit in minutes, to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server – Enter the Trivial File Transfer Protocol (TFTP) server that workstations will use when booting from the network.
Network boot filename – Specify to the network-booting client which file to download from the above TFTP server.
Domain name suffix – Enter the domain name suffix that will be appended to the requesting host's hostname.
Automatic proxy config URL – Specify a URL that clients will use to determine proxy settings. It should reference a proxy auto-config (PAC) file; only some systems and web browsers support this feature. Clients that honour it will send their web traffic through whatever proxy the PAC file names, so treat this setting and the PAC file itself as security-sensitive.
Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 65.

3. Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.

Editing a DHCP subnet

To edit a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Edit the settings displayed in the Settings area.
4. Click Save.

Deleting a DHCP subnet

To delete a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Click Delete.
Adding a Dynamic Range

Dynamic ranges provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can allocate dynamically to requesting hosts.

To add a dynamic range to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3. In the Add a new dynamic range area, configure the following settings:

Start address – Enter the start of the IP range from which the DHCP server should supply dynamic addresses. This range must not contain the IPs of machines on your LAN that have static IP assignments.
End address – Enter the end of the IP range from which the DHCP server should supply dynamic addresses, for example 192.168.10.15. The same restriction applies.
Comment – Enter a description of the dynamic range.
Enabled – Select to enable the dynamic range.

4. Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment

Static assignments allocate fixed IP addresses to nominated hosts by referencing the unique MAC address of the requesting host's network interface card. They ensure that certain hosts are always leased the same IP address, as if they were configured with a static IP address. Note that a MAC address is trivially spoofable, so a static assignment is a convenience for addressing, not an authentication of the host.

To add a static assignment to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3. Scroll to the Add a new static assignment area and configure the following settings:

MAC address – Enter the MAC address of the network host's NIC, as reported by an appropriate network utility on the host system. Enter it as six pairs of hexadecimal digits, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address – Enter the IP address that the host should be assigned.
Comment – Enter a description of the static assignment.
Enabled – Select to enable the assignment.

4. Click Add static. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.

To add a static assignment from the ARP cache to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3. Scroll to the Add a new static assignment from ARP table area.
4. Select one or more MAC addresses from those listed and click Add static from ARP table.
5. Click Save.

Editing and Removing Assignments

To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases

To view free leases:

1. Navigate to the Services > DHCP > DHCP leases page.
2. Select Show free leases and click Update. The following information is displayed:

IP address – The IP address assigned to the network host which submitted a DHCP request.
Start time – The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time – The end time of the DHCP lease granted to the network host that submitted a DHCP request.
MAC address – The MAC address of the network host that submitted a DHCP request.
Hostname – The hostname assigned to the network host that submitted a DHCP request.
State – The current state of the DHCP lease: either Active, that is, currently leased; or Free, meaning the IP address is kept reserved for the same MAC address and re-used for another host only if not enough free addresses are available.

DHCP Relaying

Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and route the DHCP responses back to the requesting host.

To configure DHCP relaying:

1. Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2. Enter the IP addresses of an external primary and (optionally) secondary DHCP server into the Primary DHCP server and Secondary DHCP server fields. Click Save.

Note: DHCP relaying must be enabled on the Services > DHCP > Global page.
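The subnet, dynamic range and static assignment settings above map directly onto a DHCP server configuration, and two of the guide's rules are worth enforcing mechanically: the MAC address may be entered with any separator, and a static address must not fall inside a dynamic range. The following shell script is an added example, not Smoothwall's own code: it validates and normalises those inputs and renders them in ISC dhcpd syntax. Whether Smoothwall's back end actually uses dhcpd is not stated in the guide and is an assumption here; the subnet 192.168.10.0/24, the range 192.168.10.10 to 192.168.10.15 and the printer host are constructed sample data.

```shell
#!/bin/sh
# Added example (not Smoothwall's own code): validate the DHCP server page
# settings and render them as an ISC dhcpd subnet declaration.
# The dhcpd syntax, subnet, range and hosts below are assumptions / sample data.

# normalize_mac MAC: accept six hex pairs separated by space, colon, dash,
# dot or nothing; print the canonical lowercase colon form; fail otherwise.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ' :.-' | tr 'A-F' 'a-f')
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    [ ${#hex} -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# ip_to_int A.B.C.D: dotted quad to an integer, for range comparisons.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range IP START END: true when IP lies inside the dynamic range.
in_range() {
    ip=$(ip_to_int "$1"); s=$(ip_to_int "$2"); e=$(ip_to_int "$3")
    [ "$ip" -ge "$s" ] && [ "$ip" -le "$e" ]
}

# static_host NAME MAC IP RANGE_START RANGE_END: render a fixed-address host
# block, refusing addresses that collide with the dynamic pool (the guide's
# rule that a dynamic range must not contain statically assigned IPs).
static_host() {
    mac=$(normalize_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
    if in_range "$3" "$4" "$5"; then
        echo "static $3 overlaps dynamic range $4-$5" >&2
        return 1
    fi
    printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$1" "$mac" "$3"
}

# subnet_decl NETWORK NETMASK GATEWAY DNS RANGE_START RANGE_END
subnet_decl() {
    printf 'subnet %s netmask %s {\n' "$1" "$2"
    printf '  option routers %s;\n  option domain-name-servers %s;\n' "$3" "$4"
    printf '  range %s %s;\n}\n' "$5" "$6"
}

# Constructed sample: one subnet, one dynamic range, one static assignment
# entered with spaces between the pairs, as the GUI allows.
subnet_decl 192.168.10.0 255.255.255.0 192.168.10.1 192.168.10.1 192.168.10.10 192.168.10.15
static_host printer "12 34 56 78 9A BC" 192.168.10.20 192.168.10.10 192.168.10.15
```

A static assignment inside the pool (for example 192.168.10.12 with the range above) is rejected with an error rather than silently producing a configuration in which the same address can be leased twice.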
Creating Custom DHCP Options

Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:

1. Browse to the Services > DHCP > Custom options page.
2. Configure the following settings:

Option code – From the drop-down list, select the code to use. The codes available are in the site-specific range 128 to 254, with 252 excluded because it is already allocated (252 is the de facto standard option for the proxy auto-config URL).
Option type – From the drop-down list, select the option type: IP address, when creating an option which carries an IP address; or Text, when creating an option which carries text.
Description – Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment – Optionally, enter any comments relevant to the option.
Enabled – Select to enable the option.

3. Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 60.

5 General Network Security Settings

This chapter describes how to secure your Advanced Firewall network, including:

• Blocking by IP on page 67
• Configuring Advanced Networking Features on page 69
• Working with Port Groups on page 72
Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts on the external network; however, it is sometimes useful to use this feature to block internal hosts, for example when an internal system has been infected by malware. IP block rules can also operate in an exception mode, so that traffic from certain source IPs or network addresses is always allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.

To create an IP block rule:

1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:

Source IP or network – Enter the source IP, IP range or subnet of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network – Enter the destination IP, IP range or subnet of IP addresses to block or exempt, in the same formats: a single host (for example 192.168.10.1), a range (192.168.10.1-192.168.10.15) or a subnet (192.168.10.0/255.255.255.0 or 192.168.10.0/24).
Drop packet – Select to silently discard any packet matching the rule. From the sender's point of view the effect is similar to disconnecting the appropriate interface from the network: connection attempts simply time out.
Reject packet – Select to send an ICMP error back to the originating IP instead of silently discarding the packet (there is no ICMP "connection refused" message as such; a rejecting firewall answers with an ICMP unreachable error, or a TCP reset for TCP). No communication is possible either way, but the sender is told immediately and also learns that something is filtering it, which is why Drop is the usual choice against hostile external hosts and Reject the friendlier choice for internal ones.
Exception – Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example where one IP block rule drops traffic from a subnet of IP addresses and another creates exception IP addresses against it.
Log – Select to log all activity from this IP.
Comment – Optionally, describe the IP block rule.
Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is switched directly between the hosts and is never routed via the firewall, so the firewall cannot block it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.
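The semantics described above (drop versus reject, logging, and exceptions that win over every other block rule) come down to rule order in a first-match filter. The following shell script is an added example, not Smoothwall's implementation: it renders a list of IP block rules into iptables commands in a dedicated chain hooked into both INPUT (traffic to the firewall) and FORWARD (traffic through it), emitting the exception rules first so that they take effect regardless of where they appear in the list. The chain name IPBLOCK, the rule list and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Smoothwall's own rule generator): IP block rules as an
# iptables chain. Chain name, addresses and the rule list are assumptions.

CHAIN="IPBLOCK"

# Constructed sample rule list, one rule per line:
#   action    source            destination    log
# action is drop, reject or exception; "any" means no match on that field.
RULES='
exception 203.0.113.5        any          no
drop      203.0.113.0/24     any          yes
reject    192.168.10.0/24    198.51.100.7 no
'

# match_args SRC DST: the -s/-d portion of a rule, omitting "any" fields.
match_args() {
    out=""
    [ "$1" != any ] && out="$out -s $1"
    [ "$2" != any ] && out="$out -d $2"
    printf '%s' "$out"
}

# render_rule ACTION SRC DST LOG: print the iptables command(s) for one rule.
# RETURN leaves the chain without a verdict, so an excepted packet continues
# through the normal ruleset: that is what "always allowed regardless of all
# other IP block rules" means. LOG is non-terminating, so it needs its own
# rule immediately before the verdict. REJECT answers TCP with a reset and
# everything else with ICMP port-unreachable.
render_rule() {
    m=$(match_args "$2" "$3")
    case "$1" in
        exception) printf 'iptables -A %s%s -j RETURN\n' "$CHAIN" "$m" ;;
        drop|reject)
            [ "$4" = yes ] && printf 'iptables -A %s%s -j LOG --log-prefix "ipblock: "\n' "$CHAIN" "$m"
            if [ "$1" = drop ]; then
                printf 'iptables -A %s%s -j DROP\n' "$CHAIN" "$m"
            else
                printf 'iptables -A %s%s -p tcp -j REJECT --reject-with tcp-reset\n' "$CHAIN" "$m"
                printf 'iptables -A %s%s -j REJECT --reject-with icmp-port-unreachable\n' "$CHAIN" "$m"
            fi ;;
        *) echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# ipblock_rules: create the chain, hook it at the top of INPUT and FORWARD,
# then exceptions first (iptables is first-match), then the block rules.
ipblock_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -I INPUT 1 -j %s\niptables -I FORWARD 1 -j %s\n' "$CHAIN" "$CHAIN"
    printf '%s\n' "$RULES" | awk '$1=="exception"' | while read -r a s d l; do render_rule "$a" "$s" "$d" "$l"; done
    printf '%s\n' "$RULES" | awk '$1=="drop" || $1=="reject"' | while read -r a s d l; do render_rule "$a" "$s" "$d" "$l"; done
}

ipblock_rules
```

With this ordering, 203.0.113.5 keeps working even though it sits inside the dropped 203.0.113.0/24; had the two rules been emitted in list order, the subnet drop would have matched first and the exception would never be reached. The same-subnet limitation in the note above applies unchanged: packets that never traverse the firewall never reach the IPBLOCK chain.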
Configuring Advanced Networking Features

Advanced Firewall's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards, so that broken network devices cannot cause disruption.

To configure advanced networking features:

1. Navigate to the Networking > Settings > Advanced page.
2. Configure the following feature settings:

Block and ignore:
• ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This prevents the firewall being used in a broadcast-ping (smurf) amplification DoS attack.
• ICMP ping – Select to block all ICMP ping requests going to or through Advanced Firewall. This effectively hides the machine from Internet Control Message Protocol (ICMP) pings, but it also makes connectivity problems harder to diagnose.
• IGMP packets – Select to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when cable modems provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to discard IGMP packets without generating log entries.
• Multicast traffic – Select to block multicast messages (the 224.0.0.0/4 address range) from ISPs and prevent them generating large volumes of spurious log entries.
• SYN+FIN packets – Select to discard packets that have both the SYN and FIN flags set. Such packets are never valid and are used by SYN+FIN scans to probe systems; without this option each one generates a log entry, so a scan produces large numbers of entries. With the option enabled, the scan packets are discarded and not logged.

Enable SYN cookies – Select to defend the system against SYN flood attacks. In a SYN flood, a huge number of connection requests (SYN packets) are sent to a machine in the hope of exhausting its half-open connection queue. SYN cookies are the standard defence against this type of DoS attack: the server encodes the connection state in its SYN-ACK sequence number instead of allocating state before the handshake completes.
TCP timestamps – Select to enable TCP timestamps (RFC 1323), improving TCP performance on high speed links.
Selective ACKs – Select to enable selective acknowledgements (RFC 2018), improving TCP performance when packet loss is high.
Window scaling – Select to enable TCP window scaling, improving TCP performance on high speed links.
ECN – Select to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires the communicating hosts to support it, and some routers are known to drop packets with the ECN bits set. For this reason, this feature is disabled by default.
ARP filter – Select to enable the ARP filter. Enable this option if your network is experiencing ARP flux, that is, a multi-homed host answering ARP requests for an address on the wrong interface.
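Most of the checkboxes above, and the three sizing fields the guide lists with them on the same page (ARP table size, connection tracking table size and SYN backlog queue size), correspond to Linux kernel sysctls; the IGMP, multicast and SYN+FIN items are packet filter matches rather than sysctls and are left out here. The following shell script is an added example, not Smoothwall's code, and the mapping from GUI setting to sysctl key is my own (the guide does not name the underlying keys): it renders a chosen combination of settings as key=value lines that can be checked against a running firewall with `sysctl` or applied with `sysctl -w`. The numbers in the profile are illustrative.

```shell
#!/bin/sh
# Added example (not Smoothwall's code): the Linux sysctls behind the
# Advanced page checkboxes, rendered as key=value lines. The GUI-to-sysctl
# mapping is an assumption made for illustration.

# sysctl_for SETTING ON_OFF: print "key=value" for one checkbox.
# Block-and-ignore settings are hardening (1 = blocked); the TCP options are
# performance features (1 = enabled).
sysctl_for() {
    case "$2" in 1|0) ;; *) echo "value must be 1 or 0" >&2; return 1 ;; esac
    case "$1" in
        icmp_ping_broadcasts) echo "net.ipv4.icmp_echo_ignore_broadcasts=$2" ;;
        # Only the firewall's own replies; blocking pings *through* it is an
        # iptables rule, not a sysctl.
        icmp_ping)            echo "net.ipv4.icmp_echo_ignore_all=$2" ;;
        syn_cookies)          echo "net.ipv4.tcp_syncookies=$2" ;;
        tcp_timestamps)       echo "net.ipv4.tcp_timestamps=$2" ;;
        selective_acks)       echo "net.ipv4.tcp_sack=$2" ;;
        window_scaling)       echo "net.ipv4.tcp_window_scaling=$2" ;;
        ecn)                  echo "net.ipv4.tcp_ecn=$2" ;;
        arp_filter)           echo "net.ipv4.conf.all.arp_filter=$2" ;;
        *) echo "unknown setting: $1" >&2; return 1 ;;
    esac
}

# size_sysctls ARP_TABLE CONNTRACK_MAX SYN_BACKLOG: the three sizing fields.
# The ARP table limit is the neighbour cache hard limit (gc_thresh3); the
# SYN backlog is the half-open queue whose overflow SYN cookies handle.
size_sysctls() {
    for n in "$@"; do
        case "$n" in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done
    echo "net.ipv4.neigh.default.gc_thresh3=$1"
    echo "net.netfilter.nf_conntrack_max=$2"
    echo "net.ipv4.tcp_max_syn_backlog=$3"
}

# hardened_profile: the combination an Internet-facing firewall would normally
# run: ignore broadcast pings, SYN cookies on, ECN off (the guide's default),
# ARP filter on, TCP performance options on. "icmp_ping" is deliberately not
# set: ignoring all echo requests hides the host but breaks path diagnostics.
hardened_profile() {
    sysctl_for icmp_ping_broadcasts 1
    sysctl_for syn_cookies 1
    sysctl_for tcp_timestamps 1
    sysctl_for selective_acks 1
    sysctl_for window_scaling 1
    sysctl_for ecn 0
    sysctl_for arp_filter 1
    size_sysctls 2048 65536 2048
}

# To apply on a Linux host (as root):
#   hardened_profile | while read -r kv; do sysctl -w "$kv"; done
hardened_profile
```

To audit a live box instead of changing it, read the same keys back (`sysctl net.ipv4.tcp_syncookies` and so on) and diff against this output; a firewall whose SYN cookies are off, or whose conntrack table is at the memory-derived default on a busy link, is the usual find.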
ARP table size – Increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box. In normal situations the default value of 2048 is adequate, but in very big networks select a bigger value. Directly connected machines are those that are not behind an intermediate router but are attached directly to one of Advanced Firewall's network interfaces.
Connection tracking table size – The connection tracking table stores information about all connections known to the system, including NATed sessions and traffic passing through the firewall. The value entered here is the table's maximum size; in operation the table is scaled automatically within this limit, according to the number of active connections and their collective memory requirements. Occasionally the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size. When the table is full, new connections are dropped, so a table that is too small is itself a DoS exposure on a busy firewall.
SYN backlog queue size – Sets the maximum number of connection requests that may be waiting in the queue to be answered. The default value is usually adequate, but increasing it may reduce connection problems for an extremely busy proxy service.
Audit – Traffic auditing records extended traffic logs for analysing the different types of incoming, outgoing and forwarded traffic:
• Direct incoming traffic – Select to log all new connections, on all interfaces, that are destined for the firewall itself.
• Forwarded traffic – Select to log all new connections passing through one interface to another.
• Direct outgoing traffic – Select to log all new connections originated by the firewall on any interface.
Note: Auditing can generate vast amounts of logging data. Ensure that the quantity of logs generated is acceptable. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.
Drop all direct traffic on internal interfaces – Select any internal interfaces whose hosts do not require direct access to the firewall itself but do require access to other networks connected to Advanced Firewall.

3. Click Save to enable the settings you have selected.

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Port groups significantly reduce the number of rules needed and make rules more flexible. For example, you can create a port group to make a single port forward to multiple ports, and later modify which ports are in the group without recreating the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. In the Port groups area, click New and configure the following settings:

Group name – Enter a name for the port group and click Save.
Name – Enter a name for the port or range of ports you want to add to the group.
Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
Comment – Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or port range is added to the group.
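On an iptables-based firewall a port group is naturally expressed as a multiport match, which carries a limit the GUI hides: at most 15 ports per match, with a start:end range counting as two. The following shell script is an added example, not Smoothwall's implementation: it validates port entries in the guide's syntax (a number, or start:end), renders a group as one or more multiport rules, splitting across rules when the 15-slot limit is exceeded, and shows that adding a port to the group means re-rendering that rule rather than touching every rule that named the ports individually. The group name, ports and chain are assumptions.

```shell
#!/bin/sh
# Added example (not Smoothwall's implementation): a port group rendered as
# iptables multiport matches. Group names, ports and chains are assumptions.
# multiport accepts at most 15 port slots per rule; a start:end range uses two.

MAX_MULTIPORT=15

# port_ok ENTRY: accept "N" or "START:END" with 1 <= N <= 65535, START <= END.
port_ok() {
    case "$1" in
        *:*) s=${1%%:*}; e=${1#*:} ;;
        *)   s=$1; e=$1 ;;
    esac
    for p in "$s" "$e"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$s" -le "$e" ]
}

# group_rules GROUP_NAME PROTO CHAIN ACTION ENTRY...: print one
# "-m multiport --dports" rule per chunk of at most MAX_MULTIPORT slots,
# tagged with the group name via the comment match so rules can be found later.
group_rules() {
    name=$1; proto=$2; chain=$3; action=$4; shift 4
    chunk=""; slots=0
    for entry in "$@"; do
        port_ok "$entry" || { echo "$name: bad port entry '$entry'" >&2; return 1; }
        case "$entry" in *:*) cost=2 ;; *) cost=1 ;; esac
        if [ $((slots + cost)) -gt "$MAX_MULTIPORT" ]; then
            printf 'iptables -A %s -p %s -m multiport --dports %s -m comment --comment "%s" -j %s\n' \
                "$chain" "$proto" "$chunk" "$name" "$action"
            chunk=""; slots=0
        fi
        chunk="${chunk:+$chunk,}$entry"; slots=$((slots + cost))
    done
    [ -n "$chunk" ] && printf 'iptables -A %s -p %s -m multiport --dports %s -m comment --comment "%s" -j %s\n' \
        "$chain" "$proto" "$chunk" "$name" "$action"
    return 0
}

# Constructed sample: a "web" group used by a DMZ allow rule, then the same
# group after 8443 has been added. The rule that uses the group is simply
# re-rendered; nothing else changes.
group_rules web tcp FORWARD ACCEPT 80 443 8080:8090
group_rules web tcp FORWARD ACCEPT 80 443 8080:8090 8443
```

A group of sixteen single ports, or eight ranges, yields two rules; since both carry the same comment, `iptables -S FORWARD | grep 'comment "web"'` still finds every rule derived from the group when it is time to edit or delete it.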
Adding Ports to Existing Port Groups

To add a new port:

1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:

Port groups – From the drop-down list, select the group you want to add a port to and click Select.
Name – Enter a name for the port or range of ports you want to add to the group.
Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535.
Comment – Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or range are added to the group.

Editing Port Groups

To edit a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.

Note: Deleting a port group cannot be undone. Check which rules reference the group before deleting it.

6 Configuring Inter-Zone Security

This chapter describes how to configure bridging between network zones, including:

• About Zone Bridging Rules on page 75
• Creating a Zone Bridging Rule on page 76
• Editing and Removing Zone Bridge Rules on page 78
• A Zone Bridging Tutorial on page 78
• Group Bridging on page 80

About Zone Bridging Rules

By default, all internal network zones are isolated from one another by Advanced Firewall. Zone bridging modifies this default, allowing some kind of communication to take place between a pair of network zones. A zone bridging rule defines a bridge in the following terms:

Zones – The two network zones between which the bridge exists.
Direction – Whether the bridge is accessible one-way or bi-directionally.
Source – Whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination – Whether the bridge allows access to an individual host, a range of hosts, a network or any host.
Service – What ports and services can be used across the bridge.
Protocol – What protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge using a named port and protocol, or a wide or unrestricted bridge, for example a bi-directional, any-host to any-host bridge using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use: a bridge is the only path between two zones, so every host and port it admits is attack surface reachable from the less trusted zone.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks.

To create a zone bridging rule:

1. Navigate to the Networking > Filtering > Zone bridging page.
2. Configure the following settings:

Source interface – From the drop-down menu, select the source network zone.
Destination interface – From the drop-down menu, select the destination network zone.
Bi-directional – Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge, where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected. Replies to connections opened from the source side still flow back; one-way restricts which side may open connections.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.
Source IP – Enter the source IP, IP range or subnet from which access is permitted. To create a bridge from:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Destination IP – Enter the destination IP, IP range or subnet to which access is permitted. To create a bridge to:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Service – From the drop-down list, select the service, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port – If User defined is selected as the service, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment – Enter a description of the bridging rule.
Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use two local network zones, a protected network (192.168.100.0/24) and a DMZ (192.168.200.0/24), described in the network zone table that follows the rule settings below.

Note: The DMZ network zone is a DMZ in name alone: until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, we will create a DMZ that:

• Allows restricted external access to a web server in the DMZ, from the Internet.
• Does not allow access to the protected network from the DMZ.
• Allows unrestricted access to the DMZ from the protected network.
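Before walking through the GUI steps, it helps to see what the three requirements amount to on the iptables layer that Smoothwall builds on: a default-deny FORWARD chain, a stateful return-traffic rule, and one NEW-connection rule per bridge. The following shell script is an added example, not Smoothwall's own rule set: it prints those rules for a Linux router with one interface per zone, and includes the narrow web-server-to-database bridge that the guide adds as a follow-on step. The interface names eth0/eth1/eth2 and the external address 203.0.113.10 are assumptions; the zone networks, the web server 192.168.200.10 and the database 192.168.100.50 are the guide's own.

```shell
#!/bin/sh
# Added example (not Smoothwall's own rule set): the tutorial's requirements
# as iptables rules. Interface names and the external address are assumptions.

EXT_IF=eth0;  EXT_IP=203.0.113.10
PROT_IF=eth1; PROT_NET=192.168.100.0/24
DMZ_IF=eth2;  DMZ_NET=192.168.200.0/24
WEB=192.168.200.10

# bridge SRC_IF SRC DST_IF DST PROTO PORT: a one-way bridge. Only the source
# side may open connections; replies return via the ESTABLISHED rule below.
# Empty SRC/DST mean "any host in the zone" (blank GUI field); PROTO "all"
# means any protocol; empty PORT means all ports.
bridge() {
    m="-i $1 -o $3"
    [ -n "$2" ] && m="$m -s $2"
    [ -n "$4" ] && m="$m -d $4"
    [ "$5" != all ] && m="$m -p $5"
    [ -n "$6" ] && m="$m --dport $6"
    printf 'iptables -A FORWARD %s -m conntrack --ctstate NEW -j ACCEPT\n' "$m"
}

# dmz_policy: default-deny FORWARD, then exactly the bridges the tutorial needs.
dmz_policy() {
    echo 'iptables -P FORWARD DROP'
    # Return traffic for any already-accepted connection, in either direction.
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Requirement 3: protected network -> DMZ, all protocols, all hosts.
    bridge "$PROT_IF" "" "$DMZ_IF" "" all ""
    # Requirement 1: Internet -> DMZ web server, HTTP only, via a port forward
    # (DNAT on the external address) plus the matching forward-allow rule.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$EXT_IF" "$EXT_IP" "$WEB"
    bridge "$EXT_IF" "" "$DMZ_IF" "$WEB" tcp 80
    # Requirement 2 needs no rule: with the default DROP and no DMZ->protected
    # bridge, the DMZ cannot open anything towards the protected network.
}

# narrow_db_bridge: the guide's follow-on step, a single-host to single-host
# bridge so the web server can reach the database on TCP 3306 and nothing else.
narrow_db_bridge() {
    bridge "$DMZ_IF" "$WEB" "$PROT_IF" 192.168.100.50 tcp 3306
}

dmz_policy
narrow_db_bridge
```

The point to check after applying any such policy is that the only rule matching `-i eth2 -o eth1` is the single 3306 rule: a compromised web server then has exactly one port on one host to work with, which is what "make bridges as narrow as possible" buys you.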
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Network zones used in this tutorial:

Protected network – Contains local user workstations and confidential business data. 192.168.100.0/24
DMZ – Contains a web server. 192.168.200.0/24

Creating the Zone Bridging Rule

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface – From the drop-down menu, select the protected network.
Destination interface – From the drop-down menu, select the DMZ.
Protocol – From the drop-down list, select All.
Comment – Enter a description of the rule.
Enabled – Select to activate the bridging rule once it has been added.

2. Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa, since Bi-directional is left unselected.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1. Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:

Protocol – From the drop-down list, select TCP.
Destination IP – Enter the IP address of the web server: 192.168.200.10.
Source – From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Comment – Enter a description, such as Port forward to DMZ web server.
Enabled – Select to activate the port forward rule once it has been added.

2. Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the protected network. The rule is deliberately as narrow as possible: one source host, one destination host, one protocol and one port, so that a compromised web server gains nothing beyond the database port.

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface – From the drop-down menu, select DMZ.
Destination interface – From the drop-down menu, select Protected Network.
Protocol – From the drop-down menu, select TCP.
Source IP – Enter the web server's IP address: 192.168.200.10.
Destination IP – Enter the database's IP address: 192.168.100.50.
Service – Select User defined.
Port – The database service is accessed on port 3306. Enter 3306.
Comment – Enter a comment: DMZ web server to Protected Network DB.
Enabled – Select Enabled to activate the bridging rule once it has been added.

2. Click Add.

Group Bridging

By default, authenticated users may only access network resources within their current network zone, or those allowed by any active zone bridging rules. Group bridging modifies this default security policy in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users are bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:

• Group – The group of users from the authentication sub-system that may access the bridge.
• Zone – The destination network zone.
• Destination – Whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.
• Service – What ports and services can be used across the bridge.
  • 167. • Protocol – Defines what protocol can be used across the bridge. Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use. Group Bridging and Authentication Group bridging uses the core authentication mechanism, meaning that users must be pre- authenticated before group bridging rules can be enforced by Advanced Firewall. Users can authenticate themselves using the authentication system’s Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 9, Authentication and User Management on page 173. 80 Smoothwall Ltd Advanced Firewall Administration Guide Configuring Inter- Zone Security
Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users. To create a group bridging rule:
1. Navigate to the Networking > Filtering > Group bridging page.
2. Configure the following settings:
   Groups: From the drop-down menu, select the group of users that this rule will apply to.
   Select: Click to select the group.
   Destination interface: Select the interface that the group will be permitted to access.
   Destination IP: Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
   • A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
   • A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
   • A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
   • Any network host in the destination network, leave the field blank.
   Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.
   Service: From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.
   Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.

7 Managing Inbound and Outbound Traffic
This chapter describes:
• Introduction to Port Forwards – Inbound Security on page 83
• Advanced Network and Firewall Settings on page 86
• Managing Outbound Traffic and Services on page 89
• Managing External Services on page 96

Introduction to Port Forwards – Inbound Security
Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

Port Forward Rules Criteria
Port forward rules can be configured to forward traffic based on the following criteria:
External IP: Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Source IP: Forward traffic if it arrived at a particular external interface or external alias.
Port: Forward traffic if it was destined for a particular port or range of ports.
Protocol: Forward traffic if it uses a particular protocol.
Destination IP: A port forward will send traffic to a specific destination IP.
Destination port: A port forward will send traffic to a specific destination port.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it. Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, that is, a DMZ scenario.

Creating Port Forward Rules
To create a port forward rule:
1. Navigate to the Networking > Firewall > Port forwarding page.
2. Configure the following settings:
   External interface: From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it.
   Select: Click to select the external interface specified.
   Protocol: From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
   External IP or network: Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
   Log: Select to log all port forwarded traffic.
   IPS: Select to deploy intrusion prevention. For more information, refer to your Advanced Firewall Operations Guide.
   Source IP: Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
   Source service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined. Note: Only applies to the protocols TCP and UDP.
   User defined: If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
   Destination IP: Enter the IP address of the network host to which traffic should be forwarded.
   Destination service: From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
   User defined: If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
   Comment: Enter a description of the port forward rule.
   Enabled: Select to enable the rule.
3. Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic
Advanced Firewall enables you to load balance port forwarded traffic to different network hosts. To load balance port forwards:
1. On the Networking > Firewall > Port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 84 for more information.
2. On the Networking > Firewall > Port forwarding page, create another port forward rule using exactly the same settings except for the destination IP, which is that of the second network host.
Advanced Firewall automatically balances the traffic between the hosts.

Editing and Removing Port Forward Rules
To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings
The following sections explain network application helpers, how you can manage bad traffic actions, reflective port forwarding and connectivity failback.

Network Application Helpers
Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly. To enable a helper application, navigate to the Networking > Firewall > Advanced page, then:
1. In the Network application helpers area, select the application(s) you require.
2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3. Click Save changes.
The following helper applications are available:
FTP: IP information is embedded within FTP traffic – this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
IRC: IP information is embedded within IRC traffic – this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP client support: When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323: When enabled, loads modules to enable pass-through of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.

Managing Bad External Traffic
By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. Using the Bad external traffic action option, you can drop traffic silently, which enables you to ‘stealth’ your firewall and make things like port scans much harder to do. To manage bad external traffic:
1. Navigate to the Networking > Firewall > Advanced page.
2. From the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to reject the traffic and notify the sender.
3. Click Save changes to implement your selection.

Configuring Reflective Port Forwards
By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would. To configure reflective port forwards:
1. Navigate to the Networking > Firewall > Advanced page.
2. Enable Reflective port forwards and click Save changes.

Managing Connectivity Failback
The following sections explain how to configure failback and automatic failback for connectivity profiles. For more information on connectivity profiles, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 27.

Configuring Connectivity Failback
The following section explains how to configure Advanced Firewall to revert to a specific connectivity profile after reboot if its primary connectivity profile has failed. To configure connectivity failback:
1. On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2. From the Connectivity failback profile drop-down menu, select the profile to use after reboot if the primary connectivity profile has failed.
3. Click Save changes. Advanced Firewall applies and saves the changes.

Configuring Automatic Failback
It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced Firewall automatically attempts, once a day, to revert to the connectivity failback profile specified in the Connectivity Failback area. To configure automatic failback:
1. On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2. Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the changes.

Managing Outbound Traffic and Services
The following sections discuss port and access rules, which are used to control outbound network traffic and services.

Working with Port Rules
Port rules are used when creating outbound access rules, which determine how outbound network traffic and services are managed. For more information on outbound access rules, see Working with Outbound Access Policies on page 93.

Predefined Port Rules
Advanced Firewall contains a number of predefined, customizable port rules which allow or reject network traffic or specific services access on certain ports. Currently, the following port rules are predefined:
Allow all: Allow unrestricted outbound access to the Internet.
Allow basic services: Allow services common to most user computers, including web browsing (HTTP and HTTPS) and DNS on listed ports.
Allow email services: Allow email services on listed ports.
Reject all: Reject all outbound access to the Internet except for listed ports.
Reject all P2P: Reject all peer to peer outbound access to the Internet on listed ports. For more information, see Managing Blocked Services on page 92.
Reject all with logging: Reject all outbound access to the Internet except for listed ports, and log the rejections.
Reject known exploits: Reject outbound access on the listed ports which are associated with many common exploits against programs and services.
Reject MS ports: Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.

Creating a Port Rule
It is possible to create a custom port rule. To create a port rule:
1. Navigate to the Networking > Outgoing > Ports page.
2. Click Add new port rule. The following dialog box opens.
3. Configure the following settings:
   Name: Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
   Action: Select one of the following actions: Reject only listed ports – Reject outbound access on listed ports but allow on all other ports. Allow only listed ports – Allow outbound access on listed ports but reject on all other ports.
   Rejection logging: Select if you want to log outbound requests rejected by this rule. Note: This generates a lot of data and should be used with care.
   Stealth mode: Select if you want to log but not reject outbound requests.
4. Click Add. Advanced Firewall adds the port rule to the Port rules list. Click the rule’s content arrow. The ports/services in the rule are displayed.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 92.
5. Click Add new port/service. The following dialog box opens.
6. Configure the following settings:
   Status: Select to enable the rule.
   Protocol: From the drop-down menu, select the network protocol to add to the port.
   Destination port: Select one of the following:
   • Any – Any destination port.
   • From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
   • Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
   Comment: Enter a description of the port.
7. Click Add. The port is added to the port rule.

Managing Blocked Services
Advanced Firewall is able to detect and block service activity such as Skype and BitTorrent using deep packet inspection. To configure blocking services:
1. On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure services.
2. Click the rule’s content arrow. The ports/services contained in the rule are displayed.
3. Point to Blocked services and click Edit. The following dialog box opens.
4. Select the services you want to block. Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.
5. Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and starts blocking the services selected.

Editing a Port Rule
To edit a port rule:
1. On the Networking > Outgoing > Ports page, point to the port rule and select Edit.
2. In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 90 for information on the settings available.
3. Click Save changes to apply the changes and close the dialog box.

Deleting a Port Rule
To delete a port rule:
1. On the Networking > Outgoing > Ports page, point to the rule and select Delete. When prompted, click Delete to confirm that you want to delete the rule and its contents.

Editing a Port Rule’s Contents
To edit the contents of a port rule:
1. On the Networking > Outgoing > Ports page, click the rule’s content arrow. The ports/services contained in the rule are displayed.
2. Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes required. See Creating a Port Rule on page 90 for information on the settings available.
3. Click Save changes to apply the changes and close the dialog box.

Working with Outbound Access Policies
Advanced Firewall enables you to create policies which determine outbound access for network traffic and services depending on:
• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.
Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy matching.
By default, Advanced Firewall contains a default outbound access policy which uses the Allow all port rule and allows unrestricted outbound access to the Internet.
You can reorder outbound access policies to suit your requirements. If the outbound network traffic or service does not match any policy, the Default policy is applied.

Creating Outbound Access Policies for Groups
The Groups section is used to assign outbound access policies to traffic or services from users in an authenticated group of users. To assign a policy to a group of users:
1. Navigate to the Networking > Outgoing > Policies page.
2. Click Add new policy. The following dialog box opens.
3. Configure the following settings:
   Status: Select Enabled to enable the policy.
   Group: From the drop-down menu, select the group to which the outbound access policy applies.
   Port rule: From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 89.
   Comment: Enter a description for the policy.
4. Click Add. The policy is added to the list of groups.
5. Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and a policy cannot be applied. Group policies are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Creating Outbound Access Policies for Traffic from Sources and/or Destinations
When the source and/or destination IP addresses of outbound traffic match a policy in the Sources and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s) assigned to that source and/or destination. To create a policy:
1. Browse to the Networking > Outgoing > Policies page.
2. Click Add new Policy.
3. In the Add new policy dialog box, configure the following settings:
   Status: Select to enable the policy.
   Name: Enter a name for the policy.
   Source: Configure one of the following to apply the policy to:
   • Any – Any source IP address.
   • A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
   Destination: Configure one of the following to apply the policy to:
   • Any – Any destination IP address.
   • A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
   Port rule: From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 89.
   Comment: Enter a description for the policy.
4. Click Add. The policy is added to the list of sources and destinations.
5. Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to the correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Editing a Policy
To edit a policy:
1. On the Networking > Outgoing > Policies page, point to the rule and select Edit.
2. In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies for Traffic from Sources and/or Destinations on page 95 for information on the settings available.
3. Click Save changes to apply the changes and close the dialog box.
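The port rule and outbound policy behaviour described above (the first matching policy decides, a port rule either allows or rejects only its listed ports, blank address and port fields mean any, and the Default policy applies when nothing matches) can be checked offline before a ruleset is entered into the firewall. The following Python model is an added example, not Smoothwall’s implementation: the PortRule, Policy and evaluate names, the sample policies and addresses, and the port lists given to the "Allow basic services" and "Reject MS ports" rules are constructed for the demonstration and are not the guide’s actual predefined contents.

```python
# Added model of the guide's outbound policy evaluation (not Smoothwall code):
# first matching policy wins, its port rule allows or rejects only the listed
# ports, blank fields mean "any", and the Default policy applies otherwise.
from dataclasses import dataclass
import ipaddress

def parse_address_spec(spec):
    """Blank or Any, a single address, a range x.x.x.x-y.y.y.y, or a subnet as
    x.x.x.x/y or x.x.x.x/255.255.255.0 -> inclusive (low, high) ints; None = any."""
    spec = spec.strip()
    if not spec or spec.lower() == "any":
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted address range: {spec}")
        return (int(lo), int(hi))
    net = ipaddress.ip_network(spec, strict=False)  # accepts /24 or /255.255.255.0
    return (int(net.network_address), int(net.broadcast_address))

def address_matches(spec_range, addr):
    return spec_range is None or spec_range[0] <= int(ipaddress.ip_address(addr)) <= spec_range[1]

def parse_port_spec(spec):
    """A single port or the guide's A:B notation (1000:1028) -> (low, high); blank = None."""
    spec = spec.strip()
    if not spec:
        return None
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return (lo, hi)

@dataclass
class PortRule:
    name: str
    action: str            # "allow_listed" (Allow only listed ports) or "reject_listed"
    ports: list            # (protocol, (low, high)) entries
    rejection_logging: bool = False
    stealth: bool = False  # log but do not reject

    def lists(self, protocol, port):
        return any(p == protocol and lo <= port <= hi for p, (lo, hi) in self.ports)

    def decide(self, protocol, port):
        listed = self.lists(protocol, port)
        allowed = listed if self.action == "allow_listed" else not listed
        if allowed:
            return "allow", f"port rule '{self.name}' allows"
        if self.stealth:
            return "allow", f"port rule '{self.name}' would reject; stealth mode, logged only"
        logged = " and logged" if self.rejection_logging else ""
        return "reject", f"port rule '{self.name}' rejects{logged}"

@dataclass
class Policy:
    name: str
    source: str            # address spec, blank = Any
    destination: str       # address spec, blank = Any
    port_rule: PortRule
    enabled: bool = True

    def matches(self, src, dst):
        return (self.enabled
                and address_matches(parse_address_spec(self.source), src)
                and address_matches(parse_address_spec(self.destination), dst))

def evaluate(policies, default_rule, src, dst, protocol, port):
    """First matching policy decides; otherwise the Default policy's port rule."""
    for pol in policies:
        if pol.matches(src, dst):
            verdict, why = pol.port_rule.decide(protocol, port)
            return verdict, f"policy '{pol.name}': {why}"
    verdict, why = default_rule.decide(protocol, port)
    return verdict, f"Default policy: {why}"

# Constructed sample ruleset: "Allow all" is "reject only listed ports" with
# nothing listed; the port lists are illustrative, not the guide's real contents.
ALLOW_ALL = PortRule("Allow all", "reject_listed", [])
BASIC = PortRule("Allow basic services", "allow_listed",
                 [("tcp", parse_port_spec("80")), ("tcp", parse_port_spec("443")),
                  ("udp", parse_port_spec("53")), ("tcp", parse_port_spec("53"))])
REJECT_MS = PortRule("Reject MS ports", "reject_listed",
                     [("tcp", parse_port_spec("135:139")), ("tcp", parse_port_spec("445")),
                      ("udp", parse_port_spec("137:138"))], rejection_logging=True)
POLICIES = [
    Policy("Workstations: basic services only", "192.168.100.0/24", "", BASIC),
    Policy("DMZ web server: no Windows networking", "192.168.200.10", "", REJECT_MS),
]

def demo():
    """Evaluate constructed flows (src, dst, protocol, port) against POLICIES."""
    flows = [
        ("192.168.100.20", "203.0.113.5", "tcp", 443),   # workstation, HTTPS
        ("192.168.100.20", "203.0.113.5", "tcp", 6881),  # workstation, unlisted port
        ("192.168.200.10", "203.0.113.5", "tcp", 445),   # DMZ host, SMB outbound
        ("192.168.200.10", "203.0.113.5", "tcp", 25),    # DMZ host, unlisted port
        ("10.9.9.9", "203.0.113.5", "udp", 5000),        # nothing matches -> Default
    ]
    return [evaluate(POLICIES, ALLOW_ALL, *f) for f in flows]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Reordering POLICIES or changing a rule’s action and re-running demo() shows how the first-match rule changes the verdicts, which is the check worth doing before using Save moves on the live firewall.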
Deleting a Policy
To delete a policy:
1. On the Networking > Outgoing > Policies page, point to the rule and select Delete. When prompted, click Delete to confirm that you want to delete the policy.

Managing External Services
Note: The External services page has been superseded by the functionality on the Networking > Outgoing > Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.
You can prevent local network hosts from using external services by creating appropriate policies to stop outbound traffic. To create an external service rule:
1. Navigate to the Networking > Outgoing > External services page and configure the following settings:
   Service: Select Empty from the drop-down list.
   Service rule name: Enter a name for the rule.
   Protocol: Select the protocol used by the service.
   Service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
   Port: If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
   Rejection logging: Select to log all traffic rejected by the external services rule.
   Stealth mode: Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.
2. Click Save.
In the Add a new rule area:
   Destination IP: Enter the IP address of the external service to which the rule applies.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.
3. Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules
To edit or remove existing external service rules, use Edit and Remove in the Current rules area.

8 Virtual Private Networking
This chapter describes how to set up the virtual private networking (VPN) feature of Advanced Firewall, including:
• Advanced Firewall VPN Features on page 100
• What is a VPN? on page 100
• About VPN Authentication on page 101
• Configuration Overview on page 104
• Working with Certificate Authorities and Certificates on page 105
• Managing Certificates on page 108
• Setting the Default Local Certificate on page 112
• Site-to-Site VPNs – IPSec on page 112
• IPSec Site to Site and X509 Authentication – Example on page 117
• IPSec Site to Site and PSK Authentication on page 121
• About Road Warrior VPNs on page 124
• IPSec Road Warriors on page 125
• Supported IPSec Clients on page 128
• Creating L2TP Road Warrior Connections on page 128
• VPNing Using L2TP Clients on page 132
• VPNing with SSL on page 137
• Managing SSL Road Warriors on page 139
• VPN Zone Bridging on page 144
• Secure Internal Networking on page 145
• Advanced VPN Configuration on page 147
• Managing VPN Systems on page 153
• VPN Tutorials on page 156
• Working with SafeNet SoftRemote on page 167

Advanced Firewall VPN Features
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:
IPSec site-to-site: Industry-standard IPSec site-to-site VPN tunneling.
L2TP road warriors: Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
IPSec road warriors: Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
SSL VPN: Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user’s computer/laptop.
Authentication: Industry-standard X509 certificates or PreShared Keys (subnet VPN tunnels).
Certificate management: Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls: Individual controls for all VPN tunnels.
Internal VPNs: Support for VPNs routed over internal networks.
Logging: Comprehensive logging of individual VPN tunnels.

What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance.
In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors.
The P in VPN technologies refers to the encryption and authentication employed to maintain an equivalent level of privacy to that one would expect using the traditional circuit which a VPN typically replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio.
  • 198. Advanced Firewall Administration Guide – Virtual Private Networking
    VPNs are mostly used to link multiple branch office networks together (site-to-site VPNs), or to connect mobile and home users (road warriors) to their office network. The network route between the two ends of a site-to-site or road warrior VPN is provided by a VPN tunnel. Tunnels can be formed between two VPN gateways. All data traversing the tunnel is encrypted, making the tunnel and its content unintelligible, and therefore private, to the outside world.
    About VPN Gateways
    A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. A VPN gateway must perform a number of specific tasks:
      • Allow VPN tunnels to be configured.
      • Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
      • Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
      • Encrypt all data presented to the VPN tunnel into secure data packets.
      • Decrypt secure data received from the VPN tunnel.
      • Route all data received from the tunnel to the correct computer on the LAN.
      • Allow VPN tunnels to be managed.
  • 199. Administrator Responsibilities
    A network administrator has three responsibilities:
      • Specify the tunnel – define the tunnel on each VPN gateway.
      • Configure authentication – define a secure means for each VPN gateway to identify the other.
      • Manage tunnels – control the opening and closing of tunnels.
    About VPN Authentication
    Authentication is the process of validating that a given entity (a person, system or device) is actually who or what it identifies itself to be. Since VPN gateways are not usually in the same physical location, it is not readily determinable that either gateway is genuine. A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. Conversely, the remote gateway must be assured that the initiating gateway is not an impostor. Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:
    Authentication method – Description
    Pre-Shared Key – Usually referred to as PSK, this is a simplistic authentication method based on a password challenge. For more information, see PSK Authentication on page 102.
    X509 – An industry-strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 102.
    Username/password – In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.
  • 200. A more in-depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.
    PSK Authentication
    To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other's password. If the password received by each gateway matches the password it has stored, both gateways know that the other must be genuine. Hence, each gateway is authentic and a secure, trusted VPN tunnel can be established.
    The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues.
  • 201. Some VPN configurations will also require multiple tunnels to use the same password – highly undesirable if your organization intends to create multiple road warrior VPN connections. PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse.
    X509 Authentication
    In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just as a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.
  • 202. About Digital Certificates
    A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner, and contains the following information:
    Information – Description
    Subject – Information about who the certificate was issued to: their country, company name etc.
    Issuer – Information about the CA that created and signed the certificate.
    Certificate ID – An alternative identifier for the certificate owner in abbreviated form.
    Validity period – The start and expiry dates, during which time the certificate is valid.
    Certificates contain information about both their owner (the subject) and their issuer (the CA). However, this alone does not show whether the certificate is a forgery – to prove absolute authenticity, X509 utilizes public-key cryptography. Public-key cryptography is an encryption mechanism that involves the use of a mathematically related pair of encryption keys, one called a private key and the other called a public key.
  • 203. The mathematical relationship allows messages encrypted with the private key to be decrypted by the public key and vice versa. It is computationally infeasible to derive either key from the other. It is also impossible for any other key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret by its owner, and the public key is freely accessible to all, any message successfully decrypted using the public key can only have originated from the private key owner. This concept is exploited by CAs to sign all certificates they create, thus proving that the certificate is genuine.
    To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key. The encrypted content is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can therefore attempt to decrypt the CA signature using the public key obtainable from the issuing CA. If the signature can be successfully decrypted and matches the issuer details declared in the certificate, the certificate is proven to be authentic.
    However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further stage of encryption: this time the certificate owner uses its private key to encrypt the entire certificate (including the CA's signature) before presenting the certificate.
  • 204. It can now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting the CA's signature from the certificate using the CA's public key).
    Advanced Firewall and Digital Certificates
    Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:
      • Create a trusted CA.
      • Create signed digital certificates.
      • Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.
  • 205. Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally secure approach. It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.
    Configuration Overview
    The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:
    1. On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 105.
    2. Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
  • 206. 3. Install the master Advanced Firewall's certificate as its default local certificate.
    4. Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.
    5. Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
    6. Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
    7. Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
    8. Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
    9. Bring the connection up.
    10. Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 75.
    Note: For VPN configuration tutorials, see VPN Tutorials on page 156.
  • 207. Working with Certificate Authorities and Certificates
    A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine. The following sections explain how to create a local CA using Advanced Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.
    Creating a CA
    To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. This section explains how to create a CA using Advanced Firewall. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 107.
    To create a CA:
    1. Navigate to the VPN > VPN > Certificate authorities page.
    2. Configure the following settings:
  • 208. Setting – Description
    Common name – Enter an easily identifiable name.
    Email – Enter an administrative email address.
    Organization – Enter an organizational identifier.
    Department – Enter a departmental identifier.
    Locality or town – Enter a locality or town.
    State or province – Enter a state or province.
    Country – Enter a two-letter country code.
    Life time – From the drop-down menu, select the length of time that the CA will remain valid for.
    User defined (days) – If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
    3. Click Create Certificate Authority. The local CA is created and displayed.
    Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems, which can use it to authenticate digital certificates issued by the CA.
    Exporting the CA Certificate
    Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two different export formats.
    To export the CA certificate:
    1. Navigate to the VPN > VPN > Authorities page and configure the following settings:
    Setting – Description
    Name – In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
    Export format – From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
      CA certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
      CA certificate in BIN – A binary certificate format; select it if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
    2. Click Export and choose to save the file to disk from the dialog box launched by your browser.
  • 209. You can deliver the certificate to another system without any special security requirements since it contains only public information.
  • 210. Importing Another CA's Certificate
    To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Advanced Firewall. This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.
    Note: The certificate must be in PEM format to be imported.
    To import the CA's certificate:
    1. Navigate to the VPN > VPN > Authorities page.
    2. In the Import Certificate Authority certificate area, click Browse.
  • 211. 3. Locate and open the CA's certificate that you wish to import.
    4. Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.
    Deleting the Local Certificate Authority and its Certificate
    To delete the local CA and its certificate:
    1. Navigate to the VPN > VPN > Authorities page.
    2. In the Delete local Certificate Authority region, select Confirm delete.
    3. Click Delete Certificate Authority.
    Note: Deleting the local CA will invalidate all certificates that it has created.
    Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. This change in layout occurs because a CA no longer exists on the Advanced Firewall system; the Create local Certificate Authority region replaces the Delete local Certificate Authority region.
    Deleting an Imported CA Certificate
    To delete an imported CA's certificate:
    1. Navigate to the VPN > VPN > Authorities page.
    2. Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
    3. Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.
  • 212. Managing Certificates
    The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.
    Creating a Certificate
    Once a local Certificate Authority (CA) has been created, you can generate certificates. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity from the CA, and therefore requires its own certificate. It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems.
    To create a new signed certificate:
    1. Navigate to the VPN > VPN > Certificates page.
  • 213. 2. Scroll to the Create new signed certificate area and configure the following settings:
    Setting – Description
    ID type – From the drop-down menu, select the certificate's ID type. The options are:
      No ID – Not recommended, but available for inter-operability with other VPN gateways.
      Host & Domain Name – Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
      IP address – Recommended for site-to-site VPNs whose gateways use static IP addresses.
      Email address – Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
    ID value – Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
    Common name – Enter a common name for the certificate, for example Head Office.
    Email – Enter an email address for the individual or host system that will own this certificate.
    Organization – Enter an organizational identifier for the certificate owner.
    Department – Enter a departmental identifier for the certificate owner.
    Locality or town – Enter a locality or town for the certificate owner.
    State or province – Enter a state or province for the certificate owner.
    Country – Enter a two-letter country code.
    Life time – From the drop-down menu, select the length of time that the certificate will remain valid for.
    User defined (days) – If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
    3. Click Create signed certificate. The certificate is listed in the Installed signed certificates area.
  • 214. Reviewing a Certificate
    You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.
    To review a certificate:
    1. Navigate to the VPN > VPN > Certificates page.
    2. Locate the certificate that you wish to view in the Installed signed certificates region.
    3. Click the certificate name. The content is displayed in a new browser window.
    4. Close the browser window to return to Advanced Firewall.
  • 215. Exporting Certificates
    Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.
    To export a certificate:
    1. Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.
    2. Select the certificate you want to export and configure the following settings:
    Setting – Description
    Export format – From the drop-down menu, select the format in which to export the certificate. The following formats are available:
      Certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
      Certificate in DER – A binary certificate format for use with non-Advanced Firewall VPN gateways.
      Private key in DER – Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.
    3. Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.
    Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.
  • 216. Exporting in the PKCS#12 Format
    PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
    To export a certificate in the PKCS#12 container format:
    1. Navigate to the VPN > VPN > Certificates page.
    2. In the Installed signed certificates region, locate and select the certificate that you wish to export.
    3. Enter and confirm a password in the Password and Again fields.
    4. Click Export certificate and key as PKCS#12.
    5. Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.
    Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.
  • 217. Importing a Certificate
    Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.
  • 218. To import a certificate:
    1. Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:
    Setting – Description
    Password – Enter the password that was specified when the certificate was created.
    Import PKCS#12 filename – To import a certificate in PKCS#12 format: 1. Click Browse and navigate to and select the certificate file. 2. Click Import certificate and key from PKCS#12.
    Import PEM filename – To import a certificate in PEM format: 1. Click Browse and navigate to and select the certificate file. 2. Click Import certificate from PEM.
    Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.
    Deleting a Certificate
    To delete an installed certificate:
    1. Navigate to the VPN > VPN > Certificates page.
    2. In the Installed signed certificates region, locate and select the certificate that you wish to delete.
    3. Click Delete. The signed certificate will be removed from the Installed signed certificates region.
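The certificate workflow of the sections above (create a CA, issue signed certificates with an ID type, export as PEM or PKCS#12, import on the peer) and the two proofs described under About Digital Certificates, as an added openssl script that is not Smoothwall's own code: it reproduces the GUI steps on the command line and then checks, as a peer gateway would, that the CA really signed a certificate and that whoever presents it holds the matching private key. All names, addresses, the nonce and the export password are constructed, and the proof of possession is shown as a signature over a nonce rather than as "encrypting the whole certificate".

```shell
# Added example, not part of the Smoothwall guide: openssl equivalents of the
# Certificate authorities / Certificates pages, plus the two checks a peer gateway
# relies on. Every name, address and password below is constructed.
set -eu
WORK=$(mktemp -d)

# Minimal openssl config so the script does not depend on the system openssl.cnf.
# The [dn] fields mirror the CA settings table (Common name, Email, Organization, Country).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Head Office CA
emailAddress = admin@example.com
O = Example Ltd
C = GB
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# "Create Certificate Authority": a self-signed CA certificate with a 10-year life time.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# "Create signed certificate": $1 is the common name, $2 the ID type and value as an
# openssl subjectAltName (DNS: = Host & Domain Name, IP: = IP address, email: = Email address).
make_gateway_cert() {
  name=$1; san=$2
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name/O=Example Ltd/C=GB" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

# A self-signed certificate from outside our CA: what an impostor could present.
make_rogue_cert() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# "Export certificate and key as PKCS#12": certificate, private key and CA certificate,
# protected by the password entered in the Password / Again fields.
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -certfile "$WORK/ca.pem" -passout "pass:$2" -out "$WORK/$1.p12"
}

# "Import certificate and key from PKCS#12": only the right password opens the container,
# and the certificate inside must match the original (compared by SHA-256 fingerprint).
p12_roundtrip_ok() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -clcerts \
    -out "$WORK/$1.imported.pem" 2>/dev/null || return 1
  a=$(openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/$1.imported.pem" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Check 1 (the CA's "watermark"): was this certificate signed by our CA?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 2 (the passport holder): the presenter signs a fresh nonce with its private key
# and the peer verifies the signature with the public key taken from the certificate.
sign_nonce() {          # name nonce_file signature_file
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}
key_matches_cert() {    # name nonce_file signature_file
  openssl x509 -in "$WORK/$1.pem" -pubkey -noout > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Walk-through with one constructed gateway per ID type from the settings table.
make_ca
make_gateway_cert headoffice  "DNS:headoffice.example.com"
make_gateway_cert branch      "IP:192.0.2.10"
make_gateway_cert roadwarrior "email:alice@example.com"
make_rogue_cert impostor
export_p12 branch "constructed-export-password"
verify_chain branch   && echo "branch: issued by our CA"
verify_chain impostor || echo "impostor: not issued by our CA, rejected"
printf 'constructed IKE nonce' > "$WORK/nonce"
sign_nonce branch "$WORK/nonce" "$WORK/branch.sig"
key_matches_cert branch "$WORK/nonce" "$WORK/branch.sig" && echo "branch holds its private key"
# Presenting branch's certificate while signing with some other key is caught:
sign_nonce impostor "$WORK/nonce" "$WORK/impostor.sig"
key_matches_cert branch "$WORK/nonce" "$WORK/impostor.sig" || echo "presenter lacks branch's key, rejected"
```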
  • 219. Setting the Default Local Certificate
    One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.
    To set the default local certificate:
    1. Navigate to the VPN > VPN > Global page.
    2. In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.
    3. When prompted by Advanced Firewall, click Restart to deploy the certificate.
    Site-to-Site VPNs – IPSec
    The following sections explain how to create a site-to-site VPN tunnel between two Advanced Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.
  • 220. Recommended Settings
    For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:
    Setting – Selection
    Encryption – AES
    Authentication type – ESP
    Hashing algorithm – SHA
    Perfect Forward Secrecy – Enabled
    Compression – Enabled, unless the predominant VPN traffic is already encrypted or compressed.
    Creating an IPsec Tunnel
    Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 156.
    To create a site-to-site tunnel:
    1. On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
  • 221. 2. Configure the following settings:
    Setting – Description
    Name – Enter a descriptive name for the tunnel connection, for example: New York to London.
    Enabled – Select to enable the connection.
    Local IP – Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).
    Local network – Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
    Local ID type – From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
  • 222. Default local Certificate Subject – Uses the subject field of the default local certificate as the local certificate ID.
      Local IP – Uses the local IP address of the host as the local certificate ID.
      User specified Host & Domain Name – Uses a user-specified host and domain name as the local certificate ID.
      User specified IP address – Uses a user-specified IP address as the local certificate ID.
      User specified Email address – Uses a user-specified email address as the local certificate ID.
      User specified Certificate Subject – Uses a user-specified certificate subject as the local certificate ID.
      Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
    Local ID value – This field is only used if the local ID type is a User specified type (typically when connecting to non-Advanced Firewall VPN gateways). In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
  • 223. Remote IP or hostname – Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
    Remote network – Specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
    Remote ID type – From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
      Remote IP (or ANY if blank Remote IP) – The remote ID is the remote IP address, or any other form of presented ID.
      User specified Host & Domain Name – Allows the user to specify a custom host and domain name that the local gateway should expect the remote gateway to present as ID.
      User specified IP address – Allows the user to specify a custom IP address that the local gateway should expect the remote gateway to present as ID.
      User specified Email address – Allows the user to specify a custom email address that the local gateway should expect the remote gateway to present as ID.
      User specified Certificate Subject – Allows the user to specify a custom certificate subject string that the local gateway should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways).
    Remote ID value – Enter the value of the ID used in the certificate that the remote peer is expected to present.
  • 224. Authenticate by – From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 101.
    Preshared key – Enter the preshared key when PSK is selected as the authentication method.
    Preshared key again – Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
    Use compression – Select to compress tunnel communication. This is useful for low-bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic, compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
  • 225. Initiate the connection – Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
    Comment – Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
  • 226. 3. Optionally, click Advanced.
    Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.
    4. Enter the following information:
    Setting – Description
    Local certificate – This is used in non-standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 147.
    Interface – Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
    Perfect Forward Secrecy – Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised.
  • 227. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
    Authentication type – Select the authentication type used during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
      ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
      AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
    Phase 1 cryptographic algo – Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
      3DES – A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
      AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
      AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
    Phase 1 hash algo – Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
      MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
      SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
  • 228. Phase 2 cryptographic algo – Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
    Phase 2 hash algo – Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
    Key life – Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
    Key tries – Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because, if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
    IKE lifetime – Set how frequently, in minutes, the Internet Key Exchange keys are re-exchanged.
    Do not rekey – Select to disable re-keying. This can be useful
  • 229. 5. Click Add to create the tunnel.
    IPSec Site to Site and X509 Authentication – Example
    This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.
    Prerequisite Overview
    Before you start, you must do the following:
    1. Create a CA on the local system. For information on how to do this, see Creating a CA on page 105.
    2. Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 108.
  • 230. 3. Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 111.
  • 231. when working with NAT- ed end-points. Local internal IP This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel. Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel. Enter the IP of the network interface to use when Advanced Firewall itself sends traffic in the tunnel. Setting Description 117 Advanced Firewall Administration Guide Virtual Private Networking 4. Export the CA certificate in PEM format, for information on how to do this, see Exporting Certificates on page 110. 5. Export the remote certificate in the PKCS#12 container format, for information on how to do this, see Exporting in the PKCS#12 Format on page 110. 6. Import and install the certificate as the default local certificate on the remote system, for information on how to do this, see Importing a Certificate on page 111. Once the above steps have been completed, proceed with
creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel on the Primary System
To create the tunnel on the primary system:
1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.
2. Click Add to create the tunnel specification and list it in the Current tunnels area. The advanced settings are left at their default values in this example.
The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel on the Secondary System
To create the tunnel on the secondary system:
1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 117.
Remote ID value: Enter the ID value (the hostname) of the primary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2. Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To ensure the VPN subsystem is active on both systems:
1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel
Next, the secondary system should initiate the VPN connection.
To initiate the VPN connection:
1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 75.

IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.

Creating the Tunnel Specification on the Primary System
To create the primary tunnel specification:
1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address as the local IP.
Local ID value: Leave empty. It will be automatically generated, as Local IP was chosen as the local ID type.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared passphrase.
Preshared Key: Enter a passphrase.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.
Initiate the connection: Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a description, for example: Tunnel to Birmingham Branch.
2. Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists the tunnel in the Current tunnels area.
The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System
To create the secondary tunnel specification:
1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address as the local IP.
Local ID value: Leave empty. It will be automatically generated, as Local IP was chosen as the local ID type.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus requires a destination IP address in order to make first contact.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared passphrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if compression was enabled on the primary system.
Initiate the connection: Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2. Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To check the system is active:
1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the PSK tunnel
Next, the secondary system should initiate the VPN connection.
To activate the tunnel:
1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 75.

About Road Warrior VPNs
This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network. Advanced Firewall supports two different VPN protocols for creating road warrior connections:
• L2TP – L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
• IPSec – IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 156.

Configuration Overview
Typically, a road warrior connection is configured as follows:
1. Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2. Decide which VPN protocol best suits your road warrior's needs – L2TP for Win 2000/XP, IPSec for all others.
3. Decide which internal networks and what IP ranges to allocate to road warriors.
4. Create the tunnel specification on the Advanced Firewall system.
5. Install the certificate and any necessary client software on the road warrior system and configure it.
6. Connect.
7. Ensure that inbound and outbound access for the road warrior has been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 75.
When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.
Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range or the statically assigned machines such as servers.
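The two site-to-site examples above (X509 and PSK) and the road warrior address rules just described come down to a handful of consistency checks that are easy to get wrong in the GUI: the advanced settings must match on both gateways, each side's Local network is the other side's Remote network, only the secondary initiates and therefore must carry the primary's external IP, a PSK must be identical on both ends, and a road warrior's Client IP must be a free host on its Local network outside the DHCP pool. As an added example that is not Smoothwall's code, the Python script below encodes those checks so a pair of tunnel specifications can be reviewed before clicking Add; it also computes how many hosts a road warrior's Local network value exposes. The dictionary keys are our own names for the GUI settings; the networks, the public address 203.0.113.1, the DHCP range and the assigned addresses are constructed samples, not values from the manual; and the /32 used to pin a road warrior to one host is an assumption.

```python
"""Pre-flight checks for the tunnel specifications described in this chapter.
Added example, not Smoothwall code: the dictionary keys are our own names
for the GUI settings, and all addresses below are constructed samples."""
from ipaddress import ip_address, ip_network

# Settings the manual says must be the same on both tunnel specifications
# of two connecting gateways (plus the authentication method itself).
MUST_MATCH = ("auth_by", "authentication_type", "phase1_crypto", "phase1_hash",
              "phase2_crypto", "phase2_hash", "pfs", "compression")


def parse_network(spec):
    """Accept both notations the manual uses, 192.168.10.0/24 and
    192.168.10.0/255.255.255.0; strict=True rejects set host bits."""
    return ip_network(spec, strict=True)


def check_site_to_site(primary, secondary):
    """Return the problems found in a primary/secondary pair of IPSec
    subnet specifications; an empty list means they mirror each other."""
    problems = []
    for key in MUST_MATCH:
        if primary.get(key) != secondary.get(key):
            problems.append(
                f"{key} differs: {primary.get(key)!r} vs {secondary.get(key)!r}")
    # Each side's Local network is the other side's Remote network.
    if parse_network(primary["local_network"]) != parse_network(secondary["remote_network"]):
        problems.append("primary Local network is not the secondary Remote network")
    if parse_network(primary["remote_network"]) != parse_network(secondary["local_network"]):
        problems.append("primary Remote network is not the secondary Local network")
    # Only the secondary initiates, so only it must know the peer's address;
    # the primary may leave Remote IP blank for a branch with a dynamic IP.
    if primary.get("initiate"):
        problems.append("primary must not initiate; secondary systems connect to it")
    if not secondary.get("initiate"):
        problems.append("secondary must initiate the connection")
    if not secondary.get("remote_ip"):
        problems.append("secondary must set Remote IP to the primary's external IP")
    # PSK authentication needs the same non-empty passphrase on both sides;
    # with certificate authentication both Preshared Key fields stay empty.
    if primary.get("auth_by") == "psk":
        if not primary.get("psk") or primary.get("psk") != secondary.get("psk"):
            problems.append("preshared keys are empty or differ")
    elif primary.get("psk") or secondary.get("psk"):
        problems.append("preshared key set although certificates are used")
    # Key tries = 0 makes a non-initiating gateway retry a connection it
    # cannot start, so flag the default on the primary as a warning.
    if primary.get("key_tries", 0) == 0:
        problems.append("warning: primary is a non-initiator with Key tries = 0")
    return problems


def check_road_warrior_ip(local_network, client_ip, dhcp_range, assigned):
    """Validate the Client IP given to one road warrior: a usable host on
    the local network, outside the DHCP pool and not already handed out."""
    net = parse_network(local_network)
    ip = ip_address(client_ip)
    low, high = (ip_address(a) for a in dhcp_range)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is not on local network {net}")
    elif net.num_addresses > 2 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if low <= ip <= high:
        problems.append(f"{ip} lies inside the DHCP range {low}-{high}")
    if ip in {ip_address(a) for a in assigned}:
        problems.append(f"{ip} is already assigned to another road warrior")
    return problems


def reachable_hosts(local_network):
    """Addresses a road warrior can reach for a given Local network value:
    a /32 (assumed notation) pins it to one host, a /24 opens the subnet."""
    return parse_network(local_network).num_addresses


# Constructed sample modelled on the X509 example: head office 192.168.10.0/24,
# branch 192.168.20.0/24, branch initiates to the assumed public IP 203.0.113.1.
COMMON = {"auth_by": "cert", "psk": "", "authentication_type": "ESP",
          "phase1_crypto": "AES 256", "phase1_hash": "SHA",
          "phase2_crypto": "AES 256", "phase2_hash": "SHA",
          "pfs": True, "compression": False}
SAMPLE_PRIMARY = {**COMMON, "local_network": "192.168.10.0/255.255.255.0",
                  "remote_network": "192.168.20.0/255.255.255.0",
                  "remote_ip": "", "initiate": False, "key_tries": 3}
SAMPLE_SECONDARY = {**COMMON, "local_network": "192.168.20.0/24",
                    "remote_network": "192.168.10.0/24",
                    "remote_ip": "203.0.113.1", "initiate": True}

if __name__ == "__main__":
    print(check_site_to_site(SAMPLE_PRIMARY, SAMPLE_SECONDARY))   # []
    # A branch mistakenly left on 3DES is caught before clicking Add.
    print(check_site_to_site(SAMPLE_PRIMARY, {**SAMPLE_SECONDARY, "phase1_crypto": "3DES"}))
    print(check_road_warrior_ip("192.168.2.0/24", "192.168.2.240",
                                ("192.168.2.100", "192.168.2.199"), {"192.168.2.241"}))
    print(reachable_hosts("192.168.2.10/32"), reachable_hosts("192.168.2.0/24"))  # 1 256
```

The Key tries warning is deliberate: the manual's examples leave the advanced settings at their defaults, but the advanced settings table also says that a non-initiating gateway with a zero value will keep trying to re-key a connection it cannot start, so the trade-off is worth confirming on the primary system rather than accepting silently.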
  • 249. When configuring a tunnel, the client IP settings is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects too (globally specified for L2TP connections, individually specified for each IPSec road warrior. Each user requires their own tunnel, so create as many tunnels as there are road warriors. IPSec Road Warriors Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice: • Each connection can be routed to a different internal network. • Each connection can use different types of cryptographic and authentication settings. • Client software will need to be installed on road warrior systems. Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate. Creating an IPSec Road Warrior To create an IPSec road warrior connection: 1. Navigate to the VPN > VPN > IPSec roadwarriors page. 2. Configure the following settings: Setting Description
  • 250. Name Enter a descriptive name for the tunnel. Enabled Select to activate the tunnel once it has been added. 125 Advanced Firewall Administration Guide Virtual Private Networking 3. Click Advanced and enter the following information: Local network Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0. Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/3 Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255. Client IP Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field. Local ID type From the drop-down list, select the local ID type.
  • 251. Default local Certificate Subject is recommended for road warrior connections. Local ID value If you chose a User Specified ID type, enter a local ID value. Remote ID type From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID. Remote ID value Enter the value of the ID used in the certificate that the road warrior is expected to present. Authenticate by From the drop-down list, select one of the following options: To use the road warrior's certificate, select it. To use a certificate created by a different CA, choose Certificate presented by peer. Authenticating by a named certificate is recommended for ease of management. Preshared Key, select to use the global preshared key as defined on the VPN > VPN > Global. Use compression Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power. Comment Enter a descriptive comment, for example: IPSec connection to Joe
  • 252. Blogg's on .240. Setting Description Local certificate This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 147. Interface Used to specify whether the road warrior will connect via an external IP or an internal interface. Perfect Forward Secrecy This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS. Setting Description 126 Smoothwall Ltd Advanced Firewall Administration Guide Virtual Private Networking Authentication type Provides a choice of ESP or AH security during the authentication process. For further details, see below. This setting should be the same on both tunnel specifications of two connecting gateways.
  • 253. ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended. Phase 1 cryptographic algo This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. 3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. The 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility. AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger
  • 254. encryption than 3DES. AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance. Phase 1 hash algo This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility. SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security. Phase 2 cryptographic algo This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options. Phase 2 hash algo This selects the hashing algorithm used for
  • 255. the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options. Key life This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended. Setting Description 127 Advanced Firewall Administration Guide Virtual Private Networking 4. Click Add at the bottom of the page to add the tunnel to the list of current tunnels. Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs. Supported IPSec Clients Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:
  • 256. • SafeNet SoftRemote LT • SafeNet SoftRemote 10 • SafeNet SoftRemote 9 Creating L2TP Road Warrior Connections This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features: • All connections share the same, globally specified subnet. • Mostly supported by Microsoft operating systems with built-in support on Windows 2000 and XP. • Very easy to configure. Creating a Certificate The first task when creating an L2TP road warrior connection is to create a certificate. For further information, see Creating a Certificate on page 108. A road warrior certificate is typically created using the user's email address as the certificate ID. Key tries This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero
  • 257. value because if an active connection drops, it will persistently try to re- key a connection that it can't initiate. IKE lifetime Sets how frequently the Internet Key Exchange keys are re-exchanged. Do not Rekey Turns off re-keying which can be useful for example when working with NAT-ed end-points. Setting Description 128 Smoothwall Ltd Advanced Firewall Administration Guide Virtual Private Networking Configuring L2TP and SSL VPN Global Settings To configure L2TP and SSL VPN global settings: 1. On the VPN > VPN > Global page. Configure the following settings: 2. Click Save. Creating an L2TP Tunnel To create an external L2TP road warrior connection: 1. Navigate to the VPN > VPN > L2TP roadwarriors page. 2. Click Advanced to display all settings and configure the following settings: Setting Description
  • 258. L2TP and SSL VPN client configuration settings Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings.These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users. L2TP settings From the drop-down list, select the internal network that L2TP road warriors will be connected to. Setting Description Name Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP. Enabled Select to activate the tunnel once it has been added. Client IP Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network. Username Enter a username for this connection. Password Enter a password for the tunnel.
  • 259. 129 Advanced Firewall Administration Guide Virtual Private Networking 3. Click Add to create the L2TP tunnel specification and add it to the Current tunnels region. Configuring an iPhone-compatible Tunnel Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an iPhone- compatible tunnel entails: • setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page • creating the tunnel on the VPN > VPN > L2TP roadwarriors page. Note:Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method, and, in the case of PSK, the same secret. In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must: • not have any L2TP or IPSec road warriors, as they use certificates for authentication
  • 260. • not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown, remote IPs but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone- compatible device. To configure an iPhone-compatible tunnel: 1. On the VPN > VPN > Global page, configure the following settings: Again Re-enter the password to confirm it. Authenticate by From the drop down list, select one of the following options: Certificate presented by peer – If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management. Common Name's organization certificate – The peer has a copy of the public part of the hosts certificate. Here both ends are Certificate Authorities, and each has installed the peer’s public certificate. L2TP client OS From the drop-down list, select the L2TP client’s operating system. Comment Enter a descriptive comment. Advanced Click Advanced to access more options. Local certificate From the drop-down list, select the default
  • 261. local certificate to provide the Advanced Firewall’s default local certificate as proof of authenticity to the connecting road warrior. Interface Select PRIMARY. Setting Description IPSec Road Warrior (and L2TP) Preshared Key Preshared key – Enter a strong password which contains more than 6 characters. Again – Re-enter the password to confirm it. Setting Description 130 Smoothwall Ltd Advanced Firewall Administration Guide Virtual Private Networking 2. Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings: 3. Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area. 4. On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
• 262. 5. Select Add VPN Configuration and configure the following settings:
6. Select Save to save the tunnel configuration. The tunnel is now ready for use.
L2TP and SSL VPN client configuration settings – Enter the primary and secondary DNS settings.
Setting – Description
Name – Enter a descriptive name for the tunnel. For example: CEO's iPhone.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the tunnel.
Again – Re-enter the password to confirm it.
Comment – Optionally, enter a description of the tunnel.
Authenticate by – Preshared key (iPhone compatible) – Select this option to use the preshared key entered in step 1.
• 263. L2TP client OS – From the drop-down list, select Apple (iPhone compatible).
Setting – Description
Description – Enter a description for the tunnel.
Server – Enter Advanced Firewall’s external IP address.
Account – Enter the username as entered in step 2.
RSA SecurID – Set to OFF.
Password – Enter the password as entered in step 2.
Secret – Enter the PSK as configured in step 1.
Send All Traffic – Set to ON for routing to other VPNs.
Proxy – Set to OFF.
Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems. IPSec normally uses Protocol 50 which embeds IP addresses within the data packets – standard
• 264. NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic – UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.
Note: NAT-T is a VPN gateway feature, not a NATing feature.
VPNing Using L2TP Clients
This section explains the configuration process for supported Microsoft operating systems.
L2TP Client Prerequisites
To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.
Connecting Using Windows XP/2000
• 265. Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Specifically, one particular Windows update is required for L2TP connections to function:
• Q818043 – L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/
• One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.
Installing an L2TP Client
The first step in the connection process is to run the L2TP Client Wizard. You can download it from here. It is a freely distributable application that automates much of the configuration process.
Note: There is an alternative configuration method that uses a
• 266. command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 147.
When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Advanced Firewall system.
To install the L2TP client:
1. Run the L2TP Client Wizard on the road warrior system.
2. View the license and click Next to agree to it. The following screen is displayed:
3. Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next.
https://na13.salesforce.com/secur/login_portal.jsp?orgId=00D30000001IAxZ&portalId=06030000000ZCsn&startURL=%2F501a0000000VHzj
The following dialog opens:
4. Click Browse to locate and select the road warrior's host certificate file. This must be a
• 267. PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. The following screen is displayed:
5. Ensure that the Launch New Connection Wizard option is selected and click Install.
6. The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7. Click Next. The following screen is displayed:
8. Select Connect to the network at my workplace and click Next.
9. Select Virtual Private Network connection and click Next.
The following screen is displayed:
10. Enter a name for the connection and click Next.
• 268. The following screen is displayed:
11. Enter Advanced Firewall’s host name or IP address and click Next.
12. Click Finish. The Connect dialog box is displayed.
13. Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over an IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
VPNing with SSL
Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account that can authenticate to the configured directory service, plus any user in the list of local users, gains easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.
Prerequisites
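To make the NAT-T explanation and the note above about road warrior traffic concrete, here is an added example that is not code from the guide or from Smoothwall. It classifies IPv4 packets into the kinds the note says should be the only traffic leaving an L2TP/IPsec road warrior: IKE on UDP 500, IKE or ESP encapsulated in UDP 4500 (NAT-T, told apart by the four-zero-byte non-ESP marker that prefixes IKE on that port), the one-byte NAT keepalive, and native ESP (IP protocol 50). Anything else is flagged so an analyst can decide whether an endpoint alert is the expected VPN traffic or something to investigate. The sample packets and addresses are constructed.

```python
"""Classify IPsec/NAT-T traffic from a road warrior and flag anything else.

Added example, not code from the Smoothwall guide. Packets are raw IPv4 frames;
the sample set below is constructed (203.0.113.0/24 is a documentation range).
"""
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO, TCP_PROTO = 50, 17, 6
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages carried on UDP 4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that keeps the NAT mapping open

# The traffic the guide says should be the only thing leaving the road warrior.
ALLOWED_KINDS = {"IKE", "IKE-NAT-T", "ESP-NAT-T", "NAT-KEEPALIVE", "ESP"}


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum zero) for constructing test input."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_udp(sport, dport, data):
    """UDP header with the checksum left zero (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet):
    """Return the traffic kind of one IPv4 packet as a short label."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "MALFORMED"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == ESP_PROTO:
        return "ESP"                      # native IPsec, IP protocol 50
    if proto != UDP_PROTO:
        return "OTHER"
    udp = packet[ihl:]
    if len(udp) < 8:
        return "MALFORMED"
    sport, dport = struct.unpack("!HH", udp[:4])
    data = udp[8:]
    if IKE_PORT in (sport, dport):
        return "IKE"                      # IKE negotiation, UDP 500
    if NATT_PORT in (sport, dport):
        if data == NAT_KEEPALIVE:
            return "NAT-KEEPALIVE"
        if data.startswith(NON_ESP_MARKER):
            return "IKE-NAT-T"            # IKE moved to UDP 4500 once NAT was detected
        return "ESP-NAT-T"                # ESP in UDP: the SPI comes first and is never zero
    return "OTHER"


def road_warrior_verdict(packet):
    """True if the packet is traffic an L2TP/IPsec road warrior is expected to emit."""
    return classify(packet) in ALLOWED_KINDS


def summarize(packets):
    """Count packets by kind; useful when reviewing a capture from a road warrior host."""
    return Counter(classify(p) for p in packets)


RW, GW = "192.168.1.20", "203.0.113.10"   # constructed: road warrior and VPN gateway
SAMPLE_PACKETS = [
    build_ipv4(UDP_PROTO, RW, GW, build_udp(500, 500, b"\x11" * 28)),                     # IKE
    build_ipv4(UDP_PROTO, RW, GW, build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28)),  # IKE-NAT-T
    build_ipv4(UDP_PROTO, RW, GW, build_udp(4500, 4500, b"\x00\x00\x10\x01" + b"\xaa" * 40)),  # ESP-NAT-T
    build_ipv4(UDP_PROTO, RW, GW, build_udp(4500, 4500, NAT_KEEPALIVE)),                   # keepalive
    build_ipv4(ESP_PROTO, RW, GW, b"\x00\x00\x10\x02" + b"\xbb" * 40),                     # native ESP
    build_ipv4(TCP_PROTO, RW, GW, b"\x00" * 20),                                           # unexpected TCP
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{classify(pkt):14s} allowed={road_warrior_verdict(pkt)}")
    print(summarize(SAMPLE_PACKETS))
```

Running the block prints one line per sample packet; only the TCP packet is reported as not allowed. In a real review you would feed `classify` the IP-layer bytes of each frame from a capture taken on the road warrior and look at `summarize` for anything outside the allowed set.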
• 269. • An installed default local certificate, see Setting the Default Local Certificate on page 112 for more information.
Configuring VPN with SSL
The following section explains how to configure Advanced Firewall for VPNing with SSL.
To configure SSL VPN settings:
1. Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:
2. Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.
Setting – Description
Enable SSL VPN – Select to enable SSL VPN on Advanced Firewall.
Transport protocol – Select the network protocol. The following options are available: TCP (HTTPS) – Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for
• 270. compatibility with filters between the client and the server. UDP (1194) – Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
SSL VPN network address – Accept the default network address or enter a new one. SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. The IP range must not be one used by any physical network. If the default subnet, 10.110.0.0/24, is taken by any existing network, configure this setting to use a range not taken on the network. Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.
SSL VPN netmask – Accept the default network netmask or enter a new one.
Force clients to use SSL VPN as gateway – Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route
• 271. through it, which is generally better as it enforces the policy on the server end.
SSL VPN client gateway(s) – Usually, a client is configured to use Advanced Firewall’s primary external IP address as its gateway. However, if dynamic DNS is used, this will not work. Therefore, you have the option to set one or more different gateways. Enter one IP address or hostname per line. If set, the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. If blank, the primary external IP address of the gateway will be used.
Enable TLS authentication – Select this setting to apply Transport Layer Security (TLS) authentication. TLS authentication can mitigate a denial of service condition. Note: For systems which have never had VPN configured, this setting is on by default. For systems which have had VPN configured, this setting is off by default.
Choose random gateway –
• 272. Select this setting to enable clients to connect on a random address when multiple gateways are defined. This is good for load balancing over multiple links.
Managing SSL Road Warriors
Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.
Note: On Windows Vista, to ensure that a user gets full VPN connectivity, add the user to the built-in network configuration operator group.
Managing Group Access to SSL VPNs
By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.
To disable a group from using SSL VPN:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. From the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays SSL
• 273. VPN group settings.
3. De-select the Enable option and click Save. Advanced Firewall disables access.
4. Repeat the steps above for any other groups you want to disable from using SSL VPN.
Managing Custom Client Scripts for SSL VPNs
Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts which can carry out custom commands before or after a VPN comes up or goes down. You can also deploy scripts based on groups.
Uploading Scripts
To upload scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.
3. To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
• 274. 4. When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.
5. Repeat the steps above to upload connect and disconnect scripts as required.
Removing Scripts
To remove scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.
3. To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.
4. Advanced Firewall removes the script and displays a message confirming a successful removal.
5. Repeat the steps above to remove connect and disconnect scripts as required.
Generating SSL VPN Archives
You can generate an archive of the SSL VPN settings which can be distributed to users. Archives can contain SSL VPN settings and, optionally, custom client scripts.
• 275. To generate an SSL client archive:
1. On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 137.
2. If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.
3. If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 139.
4. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
5. Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, refer to the Advanced Firewall Operations Guide. See Configuring and Connecting Clients on page 141 for information on how to install the SSL VPN software on clients.
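Before generating the client archive it is worth checking the SSL VPN settings from the Configuring VPN with SSL table mechanically, in particular the rule that the SSL VPN range must not collide with any physical network. The following is an added example, not code from the guide or from Smoothwall: it validates a settings dictionary shaped like that table and renders the OpenVPN directives those settings correspond to, so the effect of each choice (TCP 443 versus UDP 1194, forced gateway, TLS authentication, multiple gateways with random selection) is visible in the resulting config. The mapping from each Smoothwall setting to an OpenVPN directive is my assumption, and the physical networks are constructed from the lab topology.

```python
"""Check SSL VPN settings (Smoothwall Global-page style) and render OpenVPN directives.

Added example, not Smoothwall code. The setting-to-directive mapping is an
assumption; the physical networks below are constructed from the lab topology.
"""
import ipaddress

# Constructed: networks attached to the firewall's physical interfaces.
PHYSICAL_NETWORKS = ["192.168.1.0/24", "100.100.0.0/24"]

DEFAULT_SETTINGS = {
    "transport": "TCP (HTTPS)",        # or "UDP (1194)"
    "network_address": "10.110.0.0",   # SSL VPN network address (guide default)
    "netmask": "255.255.255.0",        # SSL VPN netmask
    "force_gateway": True,             # Force clients to use SSL VPN as gateway
    "client_gateways": [],             # SSL VPN client gateway(s); empty = primary external IP
    "tls_auth": True,                  # Enable TLS authentication
    "random_gateway": False,           # Choose random gateway
}


def vpn_network(settings):
    """The SSL VPN range as an IPv4Network (netmask form is accepted by ipaddress)."""
    return ipaddress.ip_network(f"{settings['network_address']}/{settings['netmask']}", strict=False)


def transport(settings, server_side):
    """(OpenVPN proto value, port) for the chosen transport."""
    if settings["transport"] == "TCP (HTTPS)":
        return ("tcp-server" if server_side else "tcp-client"), 443
    if settings["transport"] == "UDP (1194)":
        return "udp", 1194
    raise ValueError(f"unknown transport {settings['transport']!r}")


def check_settings(settings, physical_networks=PHYSICAL_NETWORKS):
    """Return a list of problems; empty means the settings pass the guide's constraints."""
    problems = []
    try:
        transport(settings, server_side=True)
    except ValueError as exc:
        problems.append(str(exc))
    vpn = vpn_network(settings)
    for net in physical_networks:
        if vpn.overlaps(ipaddress.ip_network(net)):
            problems.append(f"SSL VPN range {vpn} overlaps physical network {net}")
    if settings["random_gateway"] and len(settings["client_gateways"]) < 2:
        problems.append("random gateway selected but fewer than two gateways listed")
    return problems


def render_server_config(settings, physical_networks=PHYSICAL_NETWORKS):
    """Server-side directives; refuses settings that fail check_settings."""
    problems = check_settings(settings, physical_networks)
    if problems:
        raise ValueError("; ".join(problems))
    proto, port = transport(settings, server_side=True)
    lines = [f"proto {proto}", f"port {port}",
             f"server {settings['network_address']} {settings['netmask']}"]
    if settings["force_gateway"]:
        lines.append('push "redirect-gateway def1"')  # full-tunnel policy enforced server-side
    if settings["tls_auth"]:
        lines.append("tls-auth ta.key 0")            # HMAC on the control channel; unsigned packets dropped
    return lines


def render_client_config(settings, primary_external_ip):
    """Client-side directives as they would be shipped in the client archive."""
    proto, port = transport(settings, server_side=False)
    gateways = settings["client_gateways"] or [primary_external_ip]
    lines = [f"proto {proto}"] + [f"remote {gw} {port}" for gw in gateways]
    if settings["random_gateway"] and len(gateways) > 1:
        lines.append("remote-random")                # spread clients across the listed gateways
    if settings["tls_auth"]:
        lines.append("tls-auth ta.key 1")            # key direction 1 on the client side
    return lines


if __name__ == "__main__":
    print("\n".join(render_server_config(DEFAULT_SETTINGS)))
    print("---")
    print("\n".join(render_client_config(DEFAULT_SETTINGS, "203.0.113.10")))
```

`check_settings` is the piece to run on every change: a range that overlaps a physical network gives clients a route to nowhere (and masks the real hosts), which is exactly the situation the table's note warns about.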
• 276. Note: An archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 141 for more information on internal use.
Configuring SSL VPN on Internal Networks
Advanced Firewall’s SSL VPN functionality can be deployed to secure internal wireless interfaces.
To configure SSL VPN on an internal network:
1. On the VPN > VPN > Global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 137.
2. Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.
Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 137 for more information on external use.
4. Once saved, distribute the archive to users who require
• 277. secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, refer to the Advanced Firewall Operations Guide.
Configuring and Connecting Clients
The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.
Installing the Software
To install the SSL VPN client software:
1. Extract the client archive, see Configuring VPN with SSL on page 137, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
2. Click Next to continue.
The following screen opens:
3. Read the license and click I agree to continue.
The following screen opens:
4. Accept the default components and click Next to continue.
• 278. The following screen opens:
5. Accept the default destination folder or click Browse to select a different destination. Click Install to continue.
The following screen opens:
6. Click Continue Anyway.
The following screen opens:
7. Click Next to continue.
The following screen opens:
8. Click Finish to complete the installation.
Opening an SSL VPN Connection
To open an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:
• 279. 2. Configure the following settings:
Setting – Description
Username – Enter the name of the user account to be used.
Password – Enter the password belonging to the account.
3. Click OK. The SSL VPN connection is opened.
Closing an SSL VPN Connection
To close an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Disconnect.
VPN Zone Bridging
In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured. L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road warriors also require zone bridging rules, and share their zone bridging configuration with IPSec subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Secure Internal Networking
This part of the manual explains how Advanced Firewall can be used to provide secure internal
• 280. networking using VPN technology. An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:
• Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization’s internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.
• Hidden network access – It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.
There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as their interface.
Creating an Internal L2TP VPN
• 281. To create an internal L2TP VPN connection:
1. Navigate to the VPN > VPN > Global page.
2. In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.
3. Optionally, click Advanced and configure the following settings:
Setting – Description
Enable NAT-Traversal – NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.
Enable Dead Peer Detection – Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page.
• 282. If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.
4. Click Save.
Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region. If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.
5. Create a certificate for the L2TP client. See Creating a Certificate on page 108.
6. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
• 283. 7. Click Advanced and, from the Local certificate drop-down list, select Default.
8. Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 133.
Copy TOS (Type Of Service) bits in and out of tunnels – When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules within Traffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic. Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic
Setting – Description
Name – Enter a descriptive name for the tunnel.
Enabled – Select to activate the tunnel once it has been added.
• 284. Client IP – Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the connection.
Again – Re-enter the password to confirm it.
Authenticate by – To dedicate this connection to a specific user, choose the user’s certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
L2TP client OS – From the drop-down list, select the L2TP client's OS.
Comment – Enter a descriptive comment.
Advanced VPN Configuration
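The zone bridging guidance in the VPN Zone Bridging section and in the note at step 4 of the internal L2TP VPN procedure above (do not bridge the nominated wireless interface to the L2TP client interface, or the VPN can be circumvented) can be checked mechanically. What follows is an added example, not code from the guide or from Smoothwall: it models each zone bridge as a one-way edge, computes what the unauthenticated nominated interface can reach, and reports any zone that is also served through the VPN, which is exactly the condition that makes the tunnel pointless. It also renders the bridge list as explicit iptables FORWARD rules, the form the HEAD of this lab refers to, under a default DROP policy. The zone names, bridge lists and interface mapping are constructed.

```python
"""Audit zone bridges around an internal (wireless) VPN interface.

Added example, not Smoothwall code. A zone bridge is modelled as a one-way edge
(source zone -> destination zone); the zones, bridges and interface names are
constructed for illustration. Tunnel establishment itself is traffic to the
firewall (INPUT), not a bridge, so it never appears in this model.
"""
from collections import defaultdict

NOMINATED_IFACE = "WIRELESS"        # constructed: nominated internal VPN interface
VPN_CLIENT_IFACE = "L2TP_CLIENTS"   # constructed: L2TP client internal interface

SAFE_BRIDGES = [
    ("L2TP_CLIENTS", "LAN"),        # authenticated tunnel users reach the LAN
    ("LAN", "EXTERNAL"),            # LAN may go out to the Internet
]
# Same as above plus the bridge the guide's note warns against.
LEAKY_BRIDGES = SAFE_BRIDGES + [("WIRELESS", "LAN")]

IFMAP = {"WIRELESS": "eth2", "L2TP_CLIENTS": "ppp+", "LAN": "eth0", "EXTERNAL": "eth1"}  # constructed


def reachable(bridges, start):
    """All zones reachable from `start` by following bridges transitively."""
    graph = defaultdict(set)
    for src, dst in bridges:
        graph[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        zone = stack.pop()
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def vpn_bypass_zones(bridges, nominated=NOMINATED_IFACE, vpn_clients=VPN_CLIENT_IFACE):
    """Zones the unauthenticated nominated interface can reach that are also served by
    the VPN. An empty list means zone bridging cannot be used to circumvent the VPN."""
    via_vpn = reachable(bridges, vpn_clients) | {vpn_clients}
    without_vpn = reachable(bridges, nominated)
    return sorted(without_vpn & via_vpn)


def forward_rules(bridges, ifmap):
    """Render the bridges as explicit iptables FORWARD accepts under a default DROP.
    Return traffic is admitted only for connections opened from the bridge's source side."""
    rules = ["iptables -P FORWARD DROP"]
    for src, dst in bridges:
        rules.append(f"iptables -A FORWARD -i {ifmap[src]} -o {ifmap[dst]} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {ifmap[dst]} -o {ifmap[src]} "
                     "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("safe bridges, bypass zones :", vpn_bypass_zones(SAFE_BRIDGES))
    print("leaky bridges, bypass zones:", vpn_bypass_zones(LEAKY_BRIDGES))
    print("\n".join(forward_rules(SAFE_BRIDGES, IFMAP)))
```

With the safe bridge list the nominated wireless zone reaches nothing except the firewall itself, so a wireless client must bring up the tunnel to get anywhere; adding the single WIRELESS to LAN bridge exposes both LAN and, through it, EXTERNAL without any authentication, which is what the audit reports.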
• 285. The following sections explain how and when you might want to use non-standard configurations of CAs, certificates and tunnel definitions to:
• Allow sites to autonomously manage their own road warriors
• Create VPN links between co-operating organizations
• Create VPN hubs that link networks of networks.
Multiple Local Certificates
In some instances, it may be desirable to install multiple local certificates that are used to identify the same host. There are a number of situations where this might be desirable:
• Autonomous management of road warrior tunnels from multiple sites.
• Autonomous management of site-to-site tunnels from multiple sites.
Multiple local certificates are typically used to de-centralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):
• 286. • Country head office ID – This ID would be used by a head office to identify itself to head offices from other countries, to form VPN tunnels that make up the international WAN.
• Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):
• Regional branch office ID – This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.
• Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.
Creating Multiple Local Certificates
This example will demonstrate how to delegate VPN management from an unconfigured master Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary Advanced Firewall system will be responsible for managing
• 287. site-to-site and road warrior connections within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step most appropriate to your current level of VPN connectivity.
1. On the master system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a local Certificate Authority, see Creating a CA on page 105.
3. Create signed certificates for the master and secondary Advanced Firewall systems, see Managing Certificates on page 108.
4. Install the master signed certificate as the master Advanced Firewall's default local certificate, see Setting the Default Local Certificate on page 112.
5. Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs – IPSec on page 112.
6. Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see
• 288. Exporting Certificates on page 110.
7. Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 106.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:
1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate on page 107.
3. Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate on page 111.
4. Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 112.
5. Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to Default, see Site-to-Site VPNs – IPSec on page 112.
6. Test the VPN connection.
The next step is to create an additional CA on the secondary Advanced Firewall system. This additional CA will be used to create another local certificate for
• 289. the secondary Advanced Firewall system, as well as certificates for any further site-to-site or road warrior connections that it will be responsible for managing.
To create an additional CA on the secondary Advanced Firewall system:
1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a new local Certificate Authority, see Creating a CA on page 105.
3. Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 108.
4. Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
5. Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created by the previous step) as the Local certificate.
6. Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity
• 290. will be managed by the secondary Advanced Firewall system.
7. Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).
Public Key Authentication
It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other. During authentication, each host uses the other host's public key to decrypt the (private key encrypted) certificate it will be passed as identity credentials. This configuration does not require the CA that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:
• Simplified internal management, using certificates created by an external Certificate Authority.
• Tunnelling between two separate organizations using certificates created by different (possibly external) CAs.
• Alternative scheme to allow both ends of the tunnel to create their own CA and default local certificates. This would enable each VPN gateway to manage their own site-to-site and road warrior connections. This achieves the same result as the previous technique described in the Multiple local certificates section.
Note: The use of public key authentication should not be considered as a direct replacement for a stringent X509 based authentication setup. While public key
• 291. authentication does use some of the same technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As such, appropriate precautions should be taken when considering implementing this alternative authentication method.
Configuring Both Ends of a Tunnel as CAs
This configuration example uses public key authentication to connect two Advanced Firewall systems, each with their own CA so that they can manage their own site-to-site and road warrior connections. The following assumptions have been made:
• Two Advanced Firewall systems.
• Each Advanced Firewall has its own CA.
• Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:
1. On both systems, navigate to the VPN > VPN > Certificates page.
2. Export the local certificates from both Advanced Firewall systems using the PEM format, see Exporting Certificates on page 110.
3. Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate on page 111.
• 292. 4. Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5. Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.
The tunnel can now be established and authenticated between the two Advanced Firewall systems. In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and road warrior connections by using its own CA to create additional certificates.
VPNs between Business Partners
To create a VPN between two separate organizations (such as two firms working together as partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel specification.
This example uses certificates created by an external, commercial CA so that each organization can
authenticate certificates presented by the other using a CA that is independent of both organizations.

This configuration example assumes the following:
• Local Advanced Firewall system.
• Host certificates created by the same commercial CA.
• Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.
• Host certificate, Certificate B, created by the commercial CA for the other organization's VPN gateway.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A). To import the certificate:
1. On the local system, navigate to the VPN > VPN > Certificates page.
2. Import Certificate A, see Importing a Certificate on page 111.

Next, import the commercial CA's certificate:
1. On the system, navigate to the VPN > VPN > Certificates page.
2. Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's Certificate on page 107.

Next, configure the local tunnel specification in co-operation with the other organization. This is most likely to be an IPSec site-to-site connection, though it is possible that you could connect to their network as a road warrior. In either case, full consultation between both organizations is required to decide on the configuration options to be used on the respective VPN gateways.

Follow these steps to create a site-to-site connection:
1. Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN > IPSec subnets page.
2. In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified values if the other VPN gateway is not directly compatible with Advanced Firewall's communication of certificate subjects.
3. Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any default local certificate that might be configured.
4. Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that Advanced Firewall authenticates Certificate B when it is presented by the other organization's VPN gateway.
5. Choose the remote ID type from the Remote ID type drop-down list that was entered during the creation of Certificate B using the commercial CA.
6. Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.

Extended Site to Site Routing

A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple networks together by creating a centralized VPN hub. The hub is used to route traffic between different networks and subnets by manipulation of the local and remote network settings in each tunnel specification. This potentially allows every network to be linked to every other network without the need for a fully routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network can be awkward to configure and maintain.

This configuration example assumes the following:
• Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.
• Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel C connects to Site C.
• Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.

The advantage of this approach is that only one tunnel is required for each remote network. The disadvantage is that the central VPN gateway is now routing traffic not destined for it, so it requires additional resources for its bandwidth. Also, the central VPN gateway creates a single point of failure in the network. An improved approach would incorporate backup tunnel definitions that could be used to create a fail-over VPN hub elsewhere on the network.

Site A Tunnel Definition

A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote network settings:
• Local network – 192.168.10.0/255.255.255.0
• Remote network – 192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel A. Any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its destination – Tunnel C from Site B will ensure this.

Site B Tunnel Definitions

First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and remote network settings:
• Local network – 192.168.0.0/255.255.0.0
• Remote network – 192.168.10.0/255.255.255.0

With this configuration, any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the definition of the remote end of Tunnel A.

Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and remote network settings:
• Local network – 192.168.0.0/255.255.0.0
• Remote network – 192.168.30.0/255.255.255.0

With this configuration, any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the definition of the remote end of Tunnel C.
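As an added illustration that is not part of the manual, the following Python model encodes the three sites' tunnel specifications from this example (Site A and Site B above, Site C as defined below) and traces where a packet goes: through the hub to the far site, dropped when the hub is offline, and dropped at the hub when its Local network selector is left at its own /24 instead of 192.168.0.0/16. The site names, the trace_path helper and the sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: IPv4Network    # "Local network" selector of this tunnel specification
    remote: IPv4Network   # "Remote network" selector of this tunnel specification
    peer: str             # site at the far end of the tunnel


# Each site's own LAN and its tunnel definitions, as given in the manual's example.
LOCAL_NETS: Dict[str, IPv4Network] = {
    "Site A": ip_network("192.168.10.0/24"),
    "Site B": ip_network("192.168.20.0/24"),
    "Site C": ip_network("192.168.30.0/24"),
}
TUNNELS: Dict[str, List[Tunnel]] = {
    "Site A": [Tunnel("Tunnel A", ip_network("192.168.10.0/24"), ip_network("192.168.0.0/16"), "Site B")],
    "Site B": [Tunnel("Tunnel A", ip_network("192.168.0.0/16"), ip_network("192.168.10.0/24"), "Site A"),
               Tunnel("Tunnel C", ip_network("192.168.0.0/16"), ip_network("192.168.30.0/24"), "Site C")],
    "Site C": [Tunnel("Tunnel C", ip_network("192.168.30.0/24"), ip_network("192.168.0.0/16"), "Site B")],
}

# Constructed variant: the hub keeps the narrow 192.168.20.0/24 as Tunnel C's local
# selector, so traffic arriving from Site A is not covered by any tunnel out of the hub.
NARROW_HUB: Dict[str, List[Tunnel]] = dict(TUNNELS)
NARROW_HUB["Site B"] = [
    TUNNELS["Site B"][0],
    Tunnel("Tunnel C", ip_network("192.168.20.0/24"), ip_network("192.168.30.0/24"), "Site C"),
]


def select_tunnel(site: str, src: IPv4Address, dst: IPv4Address,
                  tunnels: Dict[str, List[Tunnel]] = TUNNELS) -> Optional[Tunnel]:
    """Pick the tunnel at `site` whose selectors cover src -> dst; the most specific remote wins."""
    matches = [t for t in tunnels[site] if src in t.local and dst in t.remote]
    return max(matches, key=lambda t: t.remote.prefixlen) if matches else None


def trace_path(src_site: str, src: str, dst: str, down: Iterable[str] = (),
               tunnels: Dict[str, List[Tunnel]] = TUNNELS,
               max_hops: int = 4) -> Tuple[List[str], Optional[str]]:
    """Follow a packet hop by hop. Returns (tunnels traversed, site that delivers it or None)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    down = set(down)
    site, hops = src_site, []
    for _ in range(max_hops):
        if site in down:                 # an offline site (the hub included) drops the flow
            return hops, None
        if dst_ip in LOCAL_NETS[site]:   # destination is on this site's own LAN
            return hops, site
        tunnel = select_tunnel(site, src_ip, dst_ip, tunnels)
        if tunnel is None:               # no selector covers the flow: dropped here
            return hops, None
        hops.append(tunnel.name)
        site = tunnel.peer
    return hops, None                    # guard against a routing loop


if __name__ == "__main__":
    for src_site, src, dst in (("Site A", "192.168.10.5", "192.168.30.7"),
                               ("Site C", "192.168.30.7", "192.168.10.5")):
        print(src_site, src, "->", dst, trace_path(src_site, src, dst))
    print("hub down:", trace_path("Site A", "192.168.10.5", "192.168.30.7", down={"Site B"}))
    print("narrow hub selector:", trace_path("Site A", "192.168.10.5", "192.168.30.7", tunnels=NARROW_HUB))
```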
Site C Tunnel Definition

A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote network settings:
• Local network – 192.168.30.0/255.255.255.0
• Remote network – 192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel C. Any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its destination – Tunnel A from Site B will ensure this.

Managing VPN Systems

The following sections document how to:
• Control VPNs
• Open and close tunnels
• Monitor and report tunnel activity
• Display tunnel logging information
• Update tunnel licensing.

Automatically Starting the VPN System

Advanced Firewall's VPN system can be set to automatically start when the system is booted. This allows road warriors to tunnel in without having to wait for the system to be started. It also allows site-to-site tunnels that are initiated on the Advanced Firewall system to automatically negotiate a site-to-site connection.

To configure automatic start up:
1. Navigate to the VPN > VPN > Control page.
2. In the Automatic control area, select Start VPN sub-system automatically.
3. Click Save.

Manually Controlling the VPN System

The following sections explain how to start, restart, stop and view the status of the VPN system.

Starting/Restarting the VPN system

To start or restart the VPN system:
1. Navigate to the VPN > VPN > Control page.
2. Click Restart in the Manual control region.

Stopping the VPN system

To stop the VPN system:
1. Navigate to the VPN > VPN > Control page.
2. Click Stop in the Manual control region.

Viewing the VPN system status

To view the VPN system status:
1. Navigate to the VPN > VPN > Control page.
2. Click Refresh in the Manual control region.
3. View the current status from the Current status information field.

There are two possible system statuses:
• Running – The VPN system is currently operational; tunnels can be connected.
• Stopped – The VPN system is not currently operational; no tunnels can be connected.

Viewing and Controlling Tunnels

All configured tunnels can be viewed and controlled from the VPN > VPN > Control page. There are two possible tunnel statuses:
• Open – The tunnel is connected; communication across the tunnel can be made.
• Closed – The tunnel is not connected; no communication across the tunnel can be made.

IPSec Subnets

Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
  – Open the tunnel connection
  – Close the tunnel connection.
• Remote IP – The IP address of the other end of the tunnel.

IPSec Road Warriors

IPSec road warrior connections are shown in the IPSec road warriors region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
  – Open the tunnel connection
  – Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.
• Remote IP – The IP address of the other end of the tunnel.

L2TP Road Warriors

L2TP road warrior connections are shown in the L2TP Road Warriors region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:
  – Open the tunnel connection
  – Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.

SSL Road Warriors

SSL road warrior connections are shown in the SSL Road Warriors region of the VPN > VPN > Control page. The information displayed is:
• Username – The name given to the tunnel.
• Control:
  – Open the tunnel connection
  – Close the tunnel connection.
• Internal IP – The IP address of the local tunnel end.
• External IP – The IP address of the other end of the tunnel.

VPN Logging

VPN log entries can be found in the Logs and reports > Logs > IPSec page.

VPN Tutorials

The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other, i.e. the configuration settings in an example build on those of the previous one.

Example 1: Preshared Key Authentication

This first example begins with a simple two network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:

We will use Preshared Key authentication initially. This is the easiest to set up.

Configuring Network A

There is no need for a CA or any certificates. Create a tunnel with the following characteristics. We call this tunnel Tunnel 1. Where a parameter is not listed, leave it at its default value:
• Name – Tunnel 1
• Local network – Set to the opposite end's remote network value.
• Local ID type – Local IP
• Remote IP or hostname – 200.0.0.1
• Remote network – 192.168.12.0/24
• Remote ID type – Remote IP (or ANY if blank Remote IP)
• Authenticate by – Preshared Key
• Preshared Key – loudspeaker
• Preshared Key again – loudspeaker

All other settings can be left at their defaults.

Configuring Network B

Here a single tunnel is created:
• Name – Tunnel 1
• Local network – Set to the opposite end's remote network value.
• Local ID type – Local IP
• Remote IP or hostname – 100.0.0.1
• Remote network – 192.168.0.0/24
• Remote ID type – Remote IP (or ANY if blank Remote IP)
• Authenticate by – Preshared Key
• Preshared Key – loudspeaker
• Preshared Key again – loudspeaker

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. To create the zone bridge:
1. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.

Testing

Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen please refer to Troubleshooting VPNs on page 217. To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.

Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.

Example 2: X509 Authentication

In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key Authentication on page 156. This time we will improve the setup by using X509 authentication instead of PSK.

Configuring Network A

Network A will be configured to be the Certificate Authority in the system.
Begin by going to the Authorities page and setting up the CA. In this example, we will list only the required fields. You should, of course, enter values appropriate to your organization:
• Common Name – Network A Cert Auth
• Organization – My Company Ltd

From now on, we will enter My Company Ltd in all Organization fields on the certificates we create. Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation's hard disk. You will need this file later.

Switch to the certificates page, and create the local certificate. It requires ID information:
• ID Type – Host & Domain name
• ID Value – tunnela.mycompany.com
• Common Name – Network A Local Cert

The peer (the Network B machine) needs a certificate too:
• ID Type – Host & Domain name
• ID Value – tunnelb.mycompany.com
• Common Name – Network B Cert
• Organization – My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.

Now on to the tunnels page. Choose the Network A Local Cert certificate to be the Default local certificate, and press Save. We will Restart the VPN shortly to make this change active. The tunnel specification is a little more complex. Here it is:
• Name – Tunnel 1
• Local network – Set to the opposite end's remote network value.
• Local ID type – Default local cert subject alt. name
• Remote IP or hostname – 200.0.0.1
• Remote network – 192.168.12.0/24
• Remote ID type – Host & Domain name
• Remote ID value – tunnelb.mycompany.com
• Authenticate by – Certificate presented by peer

Add the tunnel.

Configuring Network B

The first step is to import the certificates. To import the certificates:
1. On the Certificate authorities page, import the ca.pem file.
2. On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes.
3. Choose the certificate Network B Cert as the Default local certificate and click Save.

The tunnel configuration should look like this:
• Name – Tunnel 1
• Local network – Set to the opposite end's remote network value.
• Local ID type – Default local cert subject alt. name
• Remote IP or hostname – 100.0.0.1
• Remote network – 192.168.0.0/24
• Remote ID type – Host & Domain name
• Remote ID value – tunnel.mycompany.com
• Authenticate by – Certificate presented by peer

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.

Testing

As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificate page. The ID is the same as the Certificate ID. Examine the log for telltale messages.

Example 3: Two Tunnels and Certificate Authentication

We will now add an additional system, Network C, to the VPN network. We want Network C to be able to access both the Network A subnet and Network B. In Extended Site to Site Routing on page 151, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C, and vice versa.

Network A Configuration

Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:
• ID Type – Host & Domain name
• ID Value – tunnelc.mycompany.com
• Common Name – Advanced Firewall C Cert
• Organization – My Company Ltd

Modify the existing tunnel to Network B. All settings are unchanged except:
• Local subnet – 192.168.0.0/16

Notice how this subnet mask now covers all subnets in the VPN.

Now we create a new tunnel to Advanced Firewall C:
• Name – Tunnel 2
• Local subnet – 192.168.0.0/16
• Local ID type – Default local cert subject alt. name
• Remote IP or hostname – 250.0.0.1
• Remote network – 192.168.13.0/24
• Remote ID type – Host & Domain name
• Remote ID value – tunnelc.mycompany.com
• Authenticate by – Certificate presented by peer

Network B Configuration

Modify the tunnel as follows:
• Remote subnet – 192.168.0.0/16

Network C Configuration

Import the certificate, and then create the tunnel to Network A:
• Name – Tunnel 2
• Local ID type – Default local cert subject alt. name
• Remote IP or hostname – 100.0.0.1
• Remote network – 192.168.0.0/16
• Remote ID type – Host & Domain name
• Remote ID value – tunnela.mycompany.com
• Authenticate by – Certificate presented by peer

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.

Testing

Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine on the Network A end from both of the Network B and Network C networks. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network.

Example 4: IPSec Road Warrior Connection

Now we will add a road warrior, running SafeNet SoftRemote. This road warrior will connect to the Network A gateway. In addition to being able to access the Network A local network (192.168.0.0/24), the road warrior will be able to access Network B and Network C as well.
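As an added example, not code from the manual, this Python check applies the pairing rules the tutorials above rely on to both ends of a site-to-site tunnel: each end's Local network equals the other end's Remote network, each Remote IP is the peer's external address, preshared keys match, and with Host & Domain name IDs the Remote ID value equals the peer certificate's ID value. Run against the Example 2 tables as printed, it reports that Network B's Remote ID value tunnel.mycompany.com differs from Network A's certificate ID tunnela.mycompany.com, the kind of ID mismatch the Example 2 Testing section names as the most likely reason a tunnel fails to come up. The TunnelEnd class and check_pair function are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TunnelEnd:
    """One end of a site-to-site tunnel, as entered on the VPN > VPN > IPSec subnets page."""
    site: str
    external_ip: str                 # what the peer enters as "Remote IP or hostname"
    local_network: str
    remote_ip: str
    remote_network: str
    remote_id_type: str
    authenticate_by: str
    cert_id: Optional[str] = None    # ID value of this end's host certificate (X509 only)
    remote_id_value: Optional[str] = None
    preshared_key: Optional[str] = None


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems: List[str] = []
    for this, peer in ((a, b), (b, a)):
        # "Local network: set to the opposite end's remote network value."
        if ip_network(this.local_network) != ip_network(peer.remote_network):
            problems.append(f"{this.site}: local network {this.local_network} "
                            f"!= {peer.site} remote network {peer.remote_network}")
        # The Remote IP must be the peer gateway's external address.
        if this.remote_ip != peer.external_ip:
            problems.append(f"{this.site}: remote IP {this.remote_ip} "
                            f"!= {peer.site} external IP {peer.external_ip}")
        # With certificate IDs, the Remote ID value must equal the peer's certificate ID.
        if this.remote_id_type == "Host & Domain name" and this.remote_id_value != peer.cert_id:
            problems.append(f"{this.site}: remote ID value {this.remote_id_value!r} "
                            f"!= {peer.site} certificate ID {peer.cert_id!r}")
    if a.authenticate_by != b.authenticate_by:
        problems.append(f"authentication methods differ: {a.authenticate_by!r} vs {b.authenticate_by!r}")
    elif a.authenticate_by == "Preshared Key" and a.preshared_key != b.preshared_key:
        problems.append("preshared keys differ")
    return problems


# Example 1 (PSK), values taken from the tutorial tables.
NET_A_PSK = TunnelEnd("Network A", "100.0.0.1", "192.168.0.0/24", "200.0.0.1", "192.168.12.0/24",
                      "Remote IP", "Preshared Key", preshared_key="loudspeaker")
NET_B_PSK = TunnelEnd("Network B", "200.0.0.1", "192.168.12.0/24", "100.0.0.1", "192.168.0.0/24",
                      "Remote IP", "Preshared Key", preshared_key="loudspeaker")

# Example 2 (X509), values as printed in the tutorial tables.
NET_A_X509 = TunnelEnd("Network A", "100.0.0.1", "192.168.0.0/24", "200.0.0.1", "192.168.12.0/24",
                       "Host & Domain name", "Certificate presented by peer",
                       cert_id="tunnela.mycompany.com", remote_id_value="tunnelb.mycompany.com")
NET_B_X509 = TunnelEnd("Network B", "200.0.0.1", "192.168.12.0/24", "100.0.0.1", "192.168.0.0/24",
                       "Host & Domain name", "Certificate presented by peer",
                       cert_id="tunnelb.mycompany.com", remote_id_value="tunnel.mycompany.com")
# The same end with a Remote ID value equal to Network A's certificate ID.
NET_B_X509_MATCHING = replace(NET_B_X509, remote_id_value="tunnela.mycompany.com")
# Constructed negative case: Network B entered a different preshared key.
NET_B_PSK_WRONG_KEY = replace(NET_B_PSK, preshared_key="wrongkey")


if __name__ == "__main__":
    for label, pair in (("Example 1", (NET_A_PSK, NET_B_PSK)),
                        ("Example 1, keys differ", (NET_A_PSK, NET_B_PSK_WRONG_KEY)),
                        ("Example 2 as printed", (NET_A_X509, NET_B_X509)),
                        ("Example 2, IDs match", (NET_A_X509, NET_B_X509_MATCHING))):
        print(f"{label}: {check_pair(*pair) or 'OK'}")
```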
The road warrior is required to assume an internal IP on Network A's local network, in this case 192.168.0.5.

Network A Configuration

Create a certificate with the following properties:
• Common Name – IPSec road warrior
• Organization – My Company Ltd

Note: No ID is required on this certificate.

Now create the IPSec road warrior tunnel:
• Name – IPSec road warrior
• Local network – 192.168.0.0/16
• Local ID type – Default local cert subject
• Client IP – 192.168.0.5
• Remote ID type – Remote IP (or ANY if blank Remote IP)
• Authenticate by – Certificate provided by peer

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

SoftRemote – Configuration

This tutorial describes setting up the client using a policy template as a shortcut to getting the connection up and running. Full details, including detailed screen shots, are given in Working with SafeNet SoftRemote on page 167.

After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the computercert.p12 certificate. In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot of time configuring the client. If you use different settings to those described in this tutorial, compression for example, then you will have to modify those settings.

The following fields need to be filled in after importing the policy template.

In road warrior:
• Gateway IP Address – 100.0.0.1
• Subnet – 192.168.0.0
• Mask – 255.255.0.0

In My Identity:
• Internal Network IP Address – 192.168.0.5

After making the changes, remember to save the Security Policy.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.

Testing

To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. This works both ways; a machine on the local network can connect to the road warrior. You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three.

Example 5: L2TP Road Warrior

This example consists of an additional road warrior client, this time running Microsoft Windows XP and using Microsoft's L2TP road warrior client.

Network A Configuration

Create a certificate with the following properties:
• Common Name – L2TP road warrior
• Organization – My Company Ltd

Note: No ID is required on this certificate.
Now create the L2TP road warrior tunnel:
• Name – L2TP road warrior
• Authenticate by – Certificate provided by peer
• Client IP – 192.168.0.6
• Username – road warrior
• Password – microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

L2TP Client Configuration

This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see Installing an L2TP Client on page 133.

Begin by using the L2TPWizard to import the two certificates. After bringing up the New Connection wizard, the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example.

In TCP/IP properties; Advanced settings, you can choose to use the remote network as the default gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the Advanced Firewall B and Advanced Firewall C networks. This is because the L2TP client does not provide any facilities for setting up remote network masks.

In the Connection dialog, enter the username and password as configured on the Advanced Firewall A gateway:
• Username – road warrior
• Password – microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 75.
Working with SafeNet SoftRemote

The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway using SafeNet SoftRemote.

Configuring IPSec Road Warriors

First, create a signed certificate for the road warriors. An ID type is not normally required, although it does no harm to include one when creating the certificate.

When connected, each road warrior gets an IP address in a specified local network zone. The IP address should be a previously unused address and unique to the road warrior. Typically, you would choose a group of IP addresses outside of either the DHCP range, or statically assigned machines such as servers. Each road warrior user will need their own IP address.

On the VPN > VPN > IPSec roadwarrior page, the Client IP field is used to input the particular local network IP address. Such an IP address must be in a local network zone and currently unused. Set the Local ID type to Default local cert Subject, and set the Authenticate by setting to the certificate for this road warrior connection. Then add the tunnel. Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.

When connected, each road warrior client will, to all intents and purposes, be on the local network zone. It will be possible to route to other subnets, including VPN-connected ones. This also means that other machines in the network can see the client, just as if it was plugged in directly.

Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the encryption settings, and overriding the default local certificate.

Using the Security Policy Template

SoftRemote

This documentation covers both version 9 and version 10 of this client. Older versions which support Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as version 9. However, you should consider upgrading to at least version 9 because of known security-related problems with version 8. We also recommend that the LT versions of this software be used, which do not incorporate Zone Alarm. Configuration of Zone Alarm will not be covered in this manual.

NAT-T is handled automatically by this client. No extra configuration is required. Check the log messages in the client to see if NAT-T mode is being used as expected.

1. After installation, open the Certificate Manager. In the Root CA's tab, import a CA .PEM from Advanced Firewall.
2. In the My Certificates tab, import a .P12. Enter the export password, and a short time later the certificate should appear in the list. Select the certificate, and click Verify (on the right). You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is valid.
3. Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of the settings to suitable values, saving you from the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy.
4. Import the Security Policy template, policytemplate.spd, which can be found in the extras folder on the installation CD. After importing this policy, a single connection, named road warrior, will become available.
5. Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients, i.e. those described above, only a handful of settings must be entered. In the road warrior section:
6. Enter the Remote Subnet, Mask and the gateway's hostname (or IP address).
7. In the My Identity section, enter the Internal Network IP Address:
8. Enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not using standard settings, as described in D.1, then you will have to modify those particular settings. For instance, if you are using compression, then you will have to enable it in the client.
9. Save the settings, and close the Security Policy Editor.
10. To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest way to do this is by pinging a host on the remote network. After a series of Request timed out messages you should start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).

Creating a Connection without the Policy File

We will now describe how to set up the client without using the security policy template. Before creating the connection, you must activate a special feature within the client which allows you to specify a local network zone IP address for the client to take when it connects to the VPN gateway.

1. Select Global Policy Settings from the Options menu. A window will appear, and you should tick the box marked Allow to specify internal network address.
2. Now go back to the tree control on the left and choose the New Connection node. You can rename this to something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.
3. Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of Any. You should then enter either a Gateway IP Address or Gateway Hostname.
4. Next, move to the My Identity node. Select the certificate you imported earlier. The ID type's default, the Distinguished Name (another word for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
5. In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified when the tunnel was created.
6. Create a new Phase 1 security policy: Select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is necessary to ensure the tunnel is always re-keyed.
7. Finally create a Phase 2 security policy, again with 3DES and MD5, in a tunnel. Tick the ESP box. In this page you can select compression or not, as well as key life settings.
8. Once again, set the SA Life to 3000 seconds.
9. Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are available through the tool bar icon.

Advanced Configuration

Using the configuration previously described, the selected certificate will be required by the client in order to obtain a connection. This method is usually desired, but in other cases an Authenticate by setting of Certificate provided by peer can be more useful, especially if the client certificates are not installed onto the VPN gateway server.

It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example, if you wish to restrict the connected road warriors so that they can only contact a specific IP address, for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note that this setting is a network address, so you must always specify a network mask, even if that network mask covers only a single host. If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs or other local network zones, the Local network setting can likewise be expanded to cover them.

Visit the support portal and knowledge base for information on setting up other clients:
https://na13.salesforce.com/secur/login_portal.jsp?orgId=00D30000001IAxZ&portalId=06030000000ZCsn&startURL=%2F/ui/solution/SolutionBrowserPage?cid=02n30000000Ej32

9 Authentication and User Management
This chapter describes how to configure authentication methods and manage users, including:
• Configuring Global Authentication Settings on page 174
• About Directory Servers on page 175
• Managing Local Users on page 185
• Managing Groups of Users on page 186
• Mapping Groups on page 188
• Managing Temporarily Banned Users on page 189
• Managing User Activity on page 191
• About SSL Authentication on page 192
• Managing Kerberos Keytabs on page 196
Configuring Global Authentication Settings

Configuring global authentication settings entails setting the login timeout, the number of concurrent login sessions allowed and the type of authentication logging you require.

To configure log-in and logging settings:
1. Navigate to the Services > Authentication > Settings page.
2. Configure the following settings:
  Login timeout (minutes): Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the time-out period.
    Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out. The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out. For more information, see About the Login Time-out on page 213.
  Concurrent login sessions (per user): Concurrent login settings determine how many logins are allowed per user. The following options are available:
    No limit – Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.
  Logging level: Logging levels determine the type of authentication logging you want. The following options are available:
    Normal – Select this option to log user login and LDAP server information.
    Verbose – Select this option to log user login and LDAP server information, plus request, response and result information. This option is useful when troubleshooting possible authentication issues.
3. Click Save changes. Advanced Firewall applies the changes.

Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur.

About Directory Servers

The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to multiple directory servers in order to:
• Retrieve groups configured in directories, and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.

Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of the groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership. For information on how authentication works and interacts with other systems, see User Authentication on page 211.

Currently, Advanced Firewall supports the following directory servers:
  Microsoft Active Directory®: For more information, see Configuring a Microsoft Active Directory Connection on page 176. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 181.
  Novell eDirectory™, Apple® / OpenLDAP, 389 Directory: Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 177.
  RADIUS: Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page 179.
  Local users: A directory of Advanced Firewall local users. For more information, see Configuring a Local Users Directory on page 184.
Configuring a Microsoft Active Directory Connection

The following sections explain the prerequisites for Microsoft Active Directory and how to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Advanced Firewall and DNS on page 213.
• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Advanced Firewall stores this account's credentials, for instance, when backing up and replicating settings.
  Note: We strongly recommend that you do not use an administrator account. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized using NTP. For more information, refer to the Advanced Firewall Operations Guide.

Configuring an Active Directory Connection

The following section explains what is required to configure a connection to Active Directory.

To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Active Directory and configure the following settings:
  Status: Select Enabled to enable the connection.
  Domain: Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.
  Username: Enter the username of the user account.
  Password: Enter the password for the user account.
  Confirm: Re-enter the password to confirm it.
  Cache timeout (minutes): Click Advanced. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has passed.
  Comment: Optionally, enter a comment about the directory.
3. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
4. You must map Active Directory groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.

Configuring an LDAP Connection

The following section explains what is required to configure a connection to an eDirectory, Apple / OpenLDAP or 389 directory server.

To configure an LDAP connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
  Status: Select Enabled to enable the connection.
  LDAP server: Enter the directory's IP address or hostname.
    Note: If using Kerberos as the bind method, you must enter the hostname.
  Username: Enter the username of a valid account in the LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this:
      cn=user,ou=container,o=organization
    This is what is referred to in Novell eDirectory as tree and context. A user part of the tree Organization and in the context Sales would have the LDAP notation:
      cn=user,ou=sales,o=organization
    For Apple Open Directory, when not using Kerberos, the LDAP username can be written as:
      uid=user,cn=users,dc=example,dc=org
    Consult your directory documentation for more information.
  Password: Enter the password of a valid account.
    Note: A password is not required if using simple bind as the bind method.
  Confirm: Re-enter the password to confirm it.
  Bind method: Accept the default bind method, or from the drop-down list, select one of the following options:
    TLS (with password) – Select to use Transport Layer Security (TLS).
    Kerberos – Select to use Kerberos authentication.
    Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.
  Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.
  User search root: Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. For example:
      ou=myusers,dc=mydomain,dc=local
    In LDAP form, this is seen in the directory as dc=mycompany,dc=local. OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.
    Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
  Group search roots: Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example:
      ou=mygroups,dc=mydomain,dc=local
    Apple Open Directory uses the form cn=groups,dc=example,dc=org.
    Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
  Cache timeout: Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
3. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
4. You must map LDAP groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.

The following settings are available in the advanced section of the LDAP directory configuration:
  LDAP port: Accept the default or enter the LDAP port to use.
    Note: LDAPS (SSL) will be automatically used if you enter port number 636.
  Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
  Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter one search root per line. For more information, see Working with Large Directories on page 214.
  Extra realms: This setting enables you to configure subdomains manually using DNS. Use the following format:
      <realm><space><kdc server>
    For example:
      example.org kdc.example.org
    Enter one realm per line.
  Discover Kerberos realms through DNS: Only available if you have selected Kerberos as the authentication method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
  Comment: Optionally, enter a comment about the directory.

Configuring a RADIUS Connection

You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites

Before you configure any settings:
• Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select RADIUS and configure the following settings:
  Status: Select Enabled to enable the connection.
  RADIUS server: Enter the hostname or IP address of the RADIUS server.
  Secret: Enter the secret shared with the server.
  Confirm: Re-enter the secret to confirm it.
  Action on login failure:
    Try next directory server – Select this option if users in RADIUS are unrelated to users in any other directory server.
    Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
  Identifying IP address: Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
  Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
  Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
  Port: Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
  Comment: Optionally, enter a comment about the directory.
3. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
4. You must map RADIUS groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188. Note that you must use the same RADIUS group names as configured for the group_attribute parameter in your RADIUS server. For more information, refer to your RADIUS server documentation.

Configuring an Active Directory Connection – Legacy Method

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 176 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Advanced Firewall to work with Microsoft Active Directory.
Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• Run the Advanced Firewall Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Advanced Firewall and DNS on page 213 and the Advanced Firewall Getting Started Guide.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details and, optionally, the Kerberos realm to use, search roots and any advanced settings required.

To configure the connection:
1. Navigate to the Services > Authentication > Directories page.
2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.
3. Configure the following settings:
  Status: Select Enabled to enable the connection.
  Active Directory server: Enter the directory server's full hostname.
    Note: For Microsoft Active Directory, Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Advanced Firewall and DNS on page 213 for more information.
  Username: Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Active Directory on page 214.
  Password: Enter the password of a valid account.
  Confirm: Re-enter the password to confirm it.
  Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has passed.
  Kerberos realm: Optionally, select Automatic or enter the Kerberos realm.
  User search root: Optionally, to configure Advanced Firewall to start looking for user accounts at the top level of the directory, select Automatic. Or enter the user search root to start looking in, for example:
      ou=myusers,dc=mydomain,dc=local
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
  Group search root: Optionally, to configure Advanced Firewall to start looking for user groups at the top level of the directory, select Automatic. Or enter the group search root to start looking in, for example:
      ou=mygroups,dc=mydomain,dc=local
    Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
  Comment: Optionally, enter a comment about the directory server and the settings used.
  Enabled: Select this option to enable the connection to the directory server.
4. Optionally, click Advanced to access and configure the following settings:
  LDAP port: Accept the default, or enter the LDAP port to use.
  Discover Kerberos realms through DNS: Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
  Use sAMAccountName: This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
  NetBIOS workgroup: This setting applies when using NTLM authentication with Guardian. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup.
  Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
  Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Working with Large Directories on page 214.
  Extra realms: This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. Use the following format:
      <realm><space><kdc server>
    For example:
      example.org kdc.example.org
    Enter one realm per line.
5. Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
6. You must map Active Directory groups to Advanced Firewall groups. For a detailed description of how to do this, see Mapping Groups on page 188.

Configuring a Local Users Directory

Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.

To configure a local users directory:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Local users and
configure the following settings:
  Status: Select Enabled to enable the connection.
  Name: Accept the default name or enter a new name.
  Comment: Optionally, enter a comment about the directory.
3. Click Add. Advanced Firewall adds the directory to its list of directories. For information on adding and managing local users, see Managing Local Users on page 185.

Reordering Directory Servers

Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

To reorder directory servers:
1. On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2. Repeat the step above for any other directories you want to move.
3. Click Save moves. Advanced Firewall applies the changes.

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server

To edit a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2. Make the changes required; see About Directory Servers on page 175 for information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting a Directory Server

To delete a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory. Advanced Firewall deletes the server.

Diagnosing Directories

It is possible to review a directory's status and run diagnostic tests on it.

To diagnose a directory:
1. On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Advanced Firewall displays current directory connection, user account and status information.

Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users

Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.

Adding Users

To add a user to a local user directory:
1. On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Advanced Firewall displays any current local users.
2. Click Add new user. In the Add new user dialog box, configure the following settings:
  Enabled: Select to enable the user account.
  Username: Enter the user account name.
  Password: Enter the password associated with the user account. Passwords must be a minimum of six characters long.
  Repeat password: Re-enter the password to confirm it.
  Select group: From the drop-down menu, select a group to assign the user account to.
3. Click Add. Advanced Firewall saves the information.
4. Repeat the steps above to add more users.

Editing Local Users

To edit an existing user's details:
1. On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit. Advanced Firewall displays current local users.
2. Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 185 for more information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting Users

To delete users:
1. On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Advanced Firewall displays current local users.
2. Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Advanced Firewall deletes the account.
3. Repeat the steps above to delete other accounts.

Managing Groups of Users

The following sections discuss groups of users and how to manage them.

About Groups

Advanced Firewall uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user-account basis. Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain.
Currently, Advanced Firewall supports 1000 groups and, by default, contains the following groups:
  Unauthenticated IPs: The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
    Note: This group cannot be renamed or deleted.
  Default Users: Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
    Note: This group cannot be renamed or deleted.
  Banned Users: The purpose of this group is to contain users who are banned from using an authentication-enabled service.
    Note: This group cannot be renamed or deleted.
  Network Administrators: This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Adding Groups

It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000 groups.

To add a group:
1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:
  Name: Enter a name for the group.
  Comment: Optionally, enter a comment.
3. Click Add. Advanced Firewall creates the group and lists it.

Editing Groups

Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.

To edit a group:
1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. In the Edit group dialog box, enter the following information:
  Name: When renaming a group, enter a new name.
  Comment: Edit or enter a new comment.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting Groups
  • 374. Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups To delete a group or groups: 1. On the Services > Authentication > Groups page, select the group(s) and click Delete. 2. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s). Mapping Groups Once you have successfully configured a connection to a directory, you can map the groups Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the users in the groups. Note: These instructions are only for directories, not configured as Local users. For a detailed description of how to lap local users, see Managing Local Users on page 185. To map directories to Advanced Firewall groups, do the
  • 375. following: 1. Browse to Services > Authentication > Directories. 2. Expand the relevant directory group, and click Add new group mapping. 3. Configure the following parameters: — Depending on the directory service configured, add or select the directory group to map from. — From the drop-down menu, select the relevant Advanced Firewall group. — Select this option to enable or disable the group mapping. 4. Click Add. Remapping Groups It is possible to change group mappings.
  • 376. To remap groups, do the following: 1. Browse to Services > Authentication > Directories. 2. Expand the relevant directory group, and select the relevant group mapping. 3. C lick Edit. 4. Change the Directory group and, or, the Local group as required. 5. Click Save changes. 188 Smoothwall Ltd Advanced Firewall Administration Guide Authentication and User Management Deleting Group Mappings It is possible to delete group mappings. To delete one or more group mappings, do the following:
  • 377. 1. Browse to Services > Authentication > Directories. 2. Expand the relevant directory group, and select the relevant group mapping. 3. Click Delete. 4. Click Delete to confirm the deletion. Managing Temporarily Banned Users Advanced Firewall enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group. Note: You can apply any web filtering policy to the Banned users group. Creating a Temporary Ban Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, refer to the Advanced Firewall Operations Guide. To ban an account temporarily:
  • 378. 1. Navigate to the Services > Authentication > Temporary bans page. 2. Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings: Setting Description Status Select Enabled to enable the ban immediately. Username Enter the user name of the account you want to ban. 189 Advanced Firewall Administration Guide Authentication and User Management 3. Click Add. Advanced Firewall enforces the ban immediately. Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. For more information, refer to the Advanced Firewall Operations Guide.
  • 379. Tip: There is also a ban option on the Services > Authentication > User activity page, for more information, see Managing User Activity on page 191. Removing Temporary Bans To remove a ban: 1. Navigate to the Services > Authentication > Temporary bans page. 2. In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban. Removing Expired Bans To remove bans which have expired: 1. Navigate to the Services > Authentication > Temporary bans page. 2. In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have expired. Ban expires Click and select when the ban expires.
  • 380. Comment Optionally, enter a comment explaining why the account has been banned. Setting Description 190 Smoothwall Ltd Advanced Firewall Administration Guide Authentication and User Management Managing User Activity Advanced Firewall enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them. Viewing User Activity To view activity: 1. Navigate to the Services > Authentication > User activity page. Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user
  • 381. belongs to their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes. Logging Users Out To log a user out: 1. On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Advanced Firewall logs the user out immediately and lists them as logged out. Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they will be prompted to authenticate again. Banning Users To ban a user: 1. On the Services > Authentication > User activity page, point to the user you want to ban
  • 382. and click Ban user. Advanced Firewall copies the user’s information and displays it on the Services > Authentication > Temporary bans page where you can configure the ban. For more information, see Creating a Temporary Ban on page 189. 191 Advanced Firewall Administration Guide Authentication and User Management About SSL Authentication Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis. When SSL Login is configured, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials. The SSL Login page can be manually accessed by users wishing
  • 383. to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication. SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login. Customizing the SSL Login Page When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page. 192 Smoothwall Ltd Advanced Firewall Administration Guide Authentication and
  • 384. User Management Customizing the Title Image It is possible to customize the title image displayed on the SSL login page. To upload a custom title image: 1. Browse to the Services > Authentication > SSL login page. 2. Click the Title image Browse/Select file button. Using your browser’s controls, locate and select the file. 3. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page. Customizing the Background Image It is possible to customize the background image used on an SSL login page. To upload a background image:
  • 385. 1. On the Services > Authentication > SSL login page, click the Background image Browse/ Select file button. Using your browser’s controls, locate and select the file. 2. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page. Removing Custom Files To remove a custom file: 1. Browse to the Services > Authentication > SSL login page. 2. To remove the title image, adjacent to Title image, click Delete. 3. To remove the background image, adjacent to Background image, click Delete. 193 Advanced Firewall Administration Guide Authentication and User Management
  • 386. Customizing the Message It is possible to provide users with a customized message. To customize the login message: 1. Navigate to the Services > Authentication > SSL login page. 2. In the Customize SSL Login area, enter your custom message in the SSL login page text box. 3. Click Save changes to apply the new message. Reviewing SSL Login Pages You can review SSL Login pages. To review the SSL Login page: 1. In the web browser of your choice, enter your Advanced Firewall system’s IP address and / login. For example: http://192.168.72.141/login or, using HTTPS, https:// 192.168.72.141:442/login. Advanced Firewall displays the SSL login page.
  • 387. Configuring SSL Login Note:If you add Guardian to an Advanced Firewall installation which does not have SSL login configured, the SSL login redirection section will not be available. If you add Guardian to an Advanced Firewall installation which already has SSL login configured, ensure that SSL Login redirection is not enabled both on interface(s) on this page and in a web proxy authentication policy. For more information on web proxy authentication policies, refer to the Guardian Administration Guide. SSL Login authentication is configured on a per-interface basis. 194 Smoothwall Ltd Advanced Firewall Administration Guide Authentication and User Management To configure SSL Login:
  • 388. 1. Navigate to the Services > Authentication > SSL login page. 2. In the SSL login redirection area, select each interface on which you want to activate SSL Login. 3. Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces. Creating SSL Login Exceptions SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page. Tip: This option is useful when avoiding requiring servers to authenticate. To create an SSL login exception: 1. Browse to the Services > Authentication > SSL login page. 2. Locate the SSL login redirection area. In the Redirect exception addresses field, enter an IP address, IP range or subnet that should not be redirected to the
  • 389. SSL Login. 3. Repeat the step above on a new line for each further exception you want to make. 4. Click Save changes. 195 Advanced Firewall Administration Guide Authentication and User Management Managing Kerberos Keytabs Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually, see the following section for information on how to do this. A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Advanced Firewall services, such as authentication, can use the interoperability features provided by Kerberos.
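The SSL Login redirection logic described above (port 80 only, a per-IP bypass rule added at login and removed at logout or time-out, and exception addresses that are never redirected) can be modelled in a few dozen lines. The following is an added example, not Smoothwall's own code: it assumes a simplified decision model where exceptions are entered one per line as a single IP, a CIDR subnet or a dashed range, and the idle time-out is a fixed number of seconds. Its value for an administrator is as a way to sanity-check an exception list before saving it, for instance to confirm that a server subnet really is exempt and that a workstation is not.

```python
"""Model of SSL Login redirect/bypass decisions (added example, not Smoothwall code).

Assumptions: outbound TCP/80 from an SSL Login-enabled interface is redirected
unless (a) the source IP matches a 'Redirect exception addresses' entry, or
(b) the source IP has an active, unexpired authentication entry. Logging out
or exceeding the time-out removes the entry, exactly as the guide describes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


def parse_exceptions(lines: List[str]) -> List[IPNet]:
    """Parse exception entries, one per line: single IP, CIDR subnet or a-b range."""
    nets: List[IPNet] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "-" in line:  # dashed range, e.g. 10.0.2.10-10.0.2.20
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:            # single host or CIDR; strict=False accepts host bits set
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


@dataclass
class SslLoginState:
    timeout: int                                   # idle time-out in seconds (assumed)
    exceptions: List[IPNet] = field(default_factory=list)
    # authenticated source IP -> (username, expiry timestamp); one "rule" per IP
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def login(self, ip: str, user: str, now: int) -> None:
        """Successful SSL Login: dynamically add the bypass rule for this IP."""
        self.sessions[ip] = (user, now + self.timeout)

    def logout(self, ip: str) -> None:
        """Explicit logout: the rule is removed and redirection resumes."""
        self.sessions.pop(ip, None)

    def _expire(self, now: int) -> None:
        for ip, (_, expiry) in list(self.sessions.items()):
            if now >= expiry:
                del self.sessions[ip]

    def user_at(self, ip: str, now: int) -> Optional[str]:
        """The 'passive interrogation' view: who, if anyone, is authenticated at this IP."""
        self._expire(now)
        entry = self.sessions.get(ip)
        return entry[0] if entry else None

    def should_redirect(self, src_ip: str, dst_port: int, now: int) -> bool:
        """True if this outbound request would be sent to the SSL Login page."""
        if dst_port != 80:                # only plain web requests are intercepted
            return False
        addr = ipaddress.IPv4Address(src_ip)
        if any(addr in net for net in self.exceptions):
            return False                  # exempt host, range or subnet
        return self.user_at(src_ip, now) is None


if __name__ == "__main__":
    # Constructed sample exception list and traffic, not taken from a real system.
    state = SslLoginState(timeout=600, exceptions=parse_exceptions(
        ["10.0.0.5", "10.0.1.0/24", "10.0.2.10-10.0.2.20"]))
    print("workstation, not logged in:", state.should_redirect("10.0.0.7", 80, 0))
    state.login("10.0.0.7", "alice", 100)
    print("workstation, logged in:    ", state.should_redirect("10.0.0.7", 80, 200))
    print("server in exempt subnet:   ", state.should_redirect("10.0.1.200", 80, 0))
```

Running the model with a draft exception list shows immediately which addresses bypass the login page, which is the check worth doing before widening an exception entry from a single server to a whole subnet.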
For information on using Kerberos as the authentication method in authentication policies, refer to the Advanced Firewall Operations Guide.

Adding Keytabs
The following section explains how to add Kerberos keytabs into Advanced Firewall. For information on generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to get a keytab from Active Directory.
To add a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Click Add new keytab and configure the following settings:
   Status – Accept the default setting to enable the keytab.
   Name – Enter a descriptive name for the keytab.
   File – Using your browser, locate and select the keytab.
   Comment – Optionally, enter a comment to describe the keytab.
3. Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.

Managing Keytabs
The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Advanced Firewall disables the keytab.

Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, click the keytab's display arrow. Advanced Firewall displays the content.

Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.
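A keytab, as the guide says, is a file of principal and key pairs; what "viewing keytab content" exposes is the principal names, key version numbers and encryption types, which is also what an administrator wants to confirm before importing a file generated on a directory server (is this really the HTTP/ principal for this proxy host, and does it carry the enctypes the directory will issue tickets for?). The following is an added example, not Smoothwall's code: a minimal reader for the MIT keytab file format (version 0x0502, big-endian), which is the format most directory servers and ktpass/ktutil produce. The sample keytab is constructed in memory with all-zero keys so the example runs offline; the reader reports key lengths but deliberately never outputs key bytes, since a keytab is a long-term secret.

```python
"""Read an MIT-format (0x0502) Kerberos keytab and list its principals.

Added example, not Smoothwall code. The layout assumed is the standard one:
  keytab   := 0x05 0x02, then entries
  entry    := int32 size (negative = deleted slot to skip), uint16 ncomponents,
              counted realm, counted components..., uint32 name_type,
              uint32 timestamp, uint8 vno8, uint16 enctype, counted key,
              optional uint32 vno (present if 4+ bytes remain in the entry)
  counted  := uint16 length, bytes
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# A few common enctype numbers (RFC 3961 / RFC 3962 / RFC 4757) for readable output.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int          # length only; key material is never exposed


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(buf: bytes) -> List[KeytabEntry]:
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    pos, entries = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size < 0:                      # deleted entry: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        realm, pos = _counted(buf, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(buf, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", buf, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        key, pos = _counted(buf, pos)
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", buf, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts, len(key)))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, timestamp, key) tuples. Used here only
    to construct the sample; real keytabs come from the directory server."""
    out = b"\x05\x02"
    for principal, kvno, enctype, ts, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)          # name_type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: two keys for one HTTP service principal (placeholder realm, zero keys).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.example.lan@EXAMPLE.LAN", 3, 18, 1400000000, b"\x00" * 32),
    ("HTTP/proxy.example.lan@EXAMPLE.LAN", 3, 17, 1400000000, b"\x00" * 16),
])


def describe(buf: bytes) -> List[str]:
    """One line per entry, safe to show on screen or in a ticket."""
    return [f"{e.principal} kvno={e.kvno} enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)} keylen={e.key_len}"
            for e in parse_keytab(buf)]


if __name__ == "__main__":
    for line in describe(SAMPLE_KEYTAB):
        print(line)
```

Pointing parse_keytab at a file read in binary mode gives the same view the Edit keytab dialog's display arrow provides, and is a convenient place to check that the kvno in the file matches the directory's current key version before the old keytab is replaced.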
10 Centrally Managing Smoothwall Systems
This chapter describes how to configure and maintain a centrally managed Smoothwall system, including:
• About Centrally Managing Smoothwall Systems on page 199
• Setting up a Centrally Managed Smoothwall System on page 200
• Managing Nodes in a Smoothwall System on page 205
• Using BYOD in a Centrally Managed System on page 209

About Centrally Managing Smoothwall Systems
Advanced Firewall's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes being managed by the parent node.
Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system; for more information, see Setting up a Centrally Managed Smoothwall System on page 200
• Actively monitoring the nodes in the system; for more information, see Monitoring Node Status on page 206
• Applying updates; for more information, see Scheduling and Applying Updates to One or More Nodes on page 207
• Rebooting nodes as required; for more information, see Rebooting Nodes on page 208
• Disabling nodes as required; for more information, see Disabling Nodes on page 209.

Pre-requirements
Before you start to set up a centrally managed Smoothwall system:
• Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, refer to the Advanced Firewall Operations Guide
• Check that you have administrator access to all of the computers you want to include in the system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child node settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.

Configuring the Parent Node
The first step when configuring a Smoothwall system is to configure the parent node in the system.
To configure the parent node:
1. Log in to the instance of Advanced Firewall you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.
3. Configure the following settings:
   Local node options: Parent node – Select this option to enable central management and configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4. Click Save. This instance of Advanced Firewall becomes the parent node and can be used to centrally manage the Smoothwall system.

Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH enabled.
To configure a child node:
1. On the system's parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:
   Local node options: Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
   Manage central management keys: Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3. On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
   Local node options: Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
   Manage central management keys: Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
   Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 202 for more information.

Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
• Manually by adding each node separately, see Manually Adding Child Nodes on page 202
• By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 203.

Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Add node and configure the following settings:
   Node details:
   Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname – Enter the IP address or hostname of the child node.
   Comment – Optionally, enter a comment describing the child node.
   Node settings:
   Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, refer to the Advanced Firewall Operations Guide.
   Central logging – Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node's logs on the child node itself.
   Allow parent to monitor status – Select to enable central monitoring for the child node.
   Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. Note: Currently, this option only applies to Advanced Firewall with Guardian installed. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 206.

Importing Nodes into the System
If child node information is available in a comma separated format (CSV) file, you can import it directly into the parent node.

About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:
Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment
The possible values for the fields are as follows:
   Name – The node name. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname – The IP or hostname of the node. This field is required.
   Central logging – Determines if central logging is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. Note: Do not enable this option if you want to access the child node's logs on the child node itself.
   Monitor status – Determines if central monitoring is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
   Central resources – Determines if resources are managed by the parent. This field is required. Note: Currently, this option only applies to Advanced Firewall with Guardian installed. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
   Replication profile – The name of the replication profile used on the node. This field is optional and may be empty. For more information, refer to the Advanced Firewall Operations Guide.
   Enabled – Determines if the node settings are enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
   Comment – A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
For full information on what the settings do, see Manually Adding Child Nodes on page 202.

Importing Node Information
The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 203.
To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings
When required, it is possible to edit child node settings.
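Because a CSV import silently overwrites any existing child node with the same name, it pays to validate the file against the rules in About the CSV File before uploading it. The following is an added example, not Smoothwall's code, and not the parent node's own import routine: it checks the eight-field layout, required fields, the yes/on/1 and no/off/0 boolean spellings, the ASCII-only character set for names and comments, and flags duplicate names. The hostname syntax check and the sample rows are assumptions constructed for the example.

```python
"""Pre-flight validator for a child-node CSV (added example, not Smoothwall code).

Rules encoded from 'About the CSV File': 8 comma-separated fields in a fixed
order; Name and IP/hostname required; Centrallogging, Monitorstatus,
Centralresources and Enabled are booleans spelt yes/on/1 or no/off/0;
Replicationprofile and Comment optional; Name and Comment limited to letters,
numbers, spaces, underscores and full stops (no Unicode). Duplicate names are
reported because a later row, or an existing node, would be overwritten.
"""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

FIELDS = ["Name", "IP/hostname", "Centrallogging", "Monitorstatus",
          "Centralresources", "Replicationprofile", "Enabled", "Comment"]
BOOL_FIELDS = ("Centrallogging", "Monitorstatus", "Centralresources", "Enabled")
TRUE_VALUES, FALSE_VALUES = {"yes", "on", "1"}, {"no", "off", "0"}
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")            # ASCII letters, digits, space, _ and .
# Assumed hostname syntax (RFC 1123 labels); the guide does not define one.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"expected yes/on/1 or no/off/0, got {value!r}")


def valid_host(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_nodes_csv(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (accepted rows, problems). Rows with errors are reported and skipped;
    duplicate names are reported as warnings but the row is still accepted."""
    rows: List[Dict[str, object]] = []
    problems: List[str] = []
    seen = set()
    for lineno, raw in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not raw or all(not c.strip() for c in raw):
            continue                                    # blank line
        if len(raw) != len(FIELDS):
            problems.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(raw)}")
            continue
        rec: Dict[str, object] = dict(zip(FIELDS, (c.strip() for c in raw)))
        errs = []
        if not rec["Name"]:
            errs.append("Name is required")
        elif not NAME_RE.match(str(rec["Name"])):
            errs.append("Name may only contain letters, numbers, spaces, underscores and full stops")
        if not rec["IP/hostname"]:
            errs.append("IP/hostname is required")
        elif not valid_host(str(rec["IP/hostname"])):
            errs.append(f"IP/hostname {rec['IP/hostname']!r} is not a valid IP address or hostname")
        for f in BOOL_FIELDS:
            try:
                rec[f] = parse_bool(str(rec[f]))
            except ValueError as e:
                errs.append(f"{f}: {e}")
        if rec["Comment"] and not NAME_RE.match(str(rec["Comment"])):
            errs.append("Comment may only contain letters, numbers, spaces, underscores and full stops")
        if rec["Name"] in seen:
            problems.append(f"line {lineno}: warning: duplicate name {rec['Name']!r}; "
                            "the later row overwrites the earlier one")
        seen.add(rec["Name"])
        if errs:
            problems.append(f"line {lineno}: " + "; ".join(errs))
            continue
        rows.append(rec)
    return rows, problems


# Constructed sample file: two good rows, a duplicate name, a row with a missing
# host and a bad boolean, and a short row.
SAMPLE_CSV = """\
Branch FW 1,192.168.10.2,yes,on,0,branch-profile,1,Primary branch node
Branch FW 2,fw2.branch.lan,no,1,0,,yes,
Branch FW 1,192.168.10.9,yes,yes,no,,yes,Duplicate name
Bad Node,,maybe,1,1,,yes,
Short,192.168.10.4,1,1,1
"""

if __name__ == "__main__":
    accepted, issues = validate_nodes_csv(SAMPLE_CSV)
    print(f"{len(accepted)} row(s) accepted")
    for issue in issues:
        print(issue)
```

Run against the real file before step 2 of Importing Node Information; anything reported as a duplicate deserves a second look, since the parent node will not ask before replacing the existing node's settings.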
To edit a child node's settings:
1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2. Make the changes required; see Manually Adding Child Nodes on page 202 for full information on the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.

Deleting Nodes in the System
It is possible to delete nodes that are no longer required in the system.
To delete a node:
1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System
Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary

Monitoring Node Status
The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes' current status and whether updates for the nodes are available.
To monitor node status:
1. On the parent node, browse to the System > Central management > Overview page. The parent node displays current node status.
Node information is contained in the following fields:
   Name – The Name field displays the name of the node. Click on the name to log in to the node.
   Status – The Status field displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 207. The following statuses are possible:
      OK – the node is functioning and does not require attention.
      Critical – the node requires immediate attention. Click on the node's status field for more information.
      Warning – the node does not require immediate attention but should be checked for problems. Click on the node's status field for more information.
   Updates – The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 207. Click on the Updates text to display detailed information on the node.

Accessing the Node Details Page
It is possible to view detailed information on a node by accessing the node details page.
To access a node details page:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information on and click on its Status text. Advanced Firewall displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.

Working with Updates
You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node
You can review and apply updates to a node as they become available.
To review and apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
   Now – Select to apply the updates to the node immediately.
   Later – From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes
You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3. In the Install updates area, select one of the following options:
   Now – Select to apply the update(s) to the node(s) immediately.
   Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes
When required, you can reboot a child node from the system's parent node.
To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
   Now – Select to reboot the node immediately.
   Later – From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.

Disabling Nodes
It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally
You may need to work on a child node in a system and, for example, want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.
To disable a node locally:
1. On the node you want to disable, browse to the System > Central management > Local node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the step above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide
You may need to disable a child node in a system, for example in the case of hardware failure. You can do this by disabling the child node system-wide.
To disable a node system-wide:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Using BYOD in a Centrally Managed System
It is possible to provide a "bring your own device" (BYOD) service in a centrally managed Smoothwall System. In such a configuration, you can choose to have a single node, typically the parent node, receive RADIUS requests and forward them on to the other RADIUS servers, or have a number of nodes act as the RADIUS server for the network access server (NAS) for authentication requests, authorization requests, accounting packets, or a mixture of all three.
For a detailed description of how to configure Advanced Firewall to support a BYOD service, including an example of a centrally managed implementation, refer to the Advanced Firewall Operations Guide.

Appendix A: User Authentication
In this appendix:
• Overview on page 211
• Advanced Firewall and DNS on page 213
• Working with Large Directories on page 214
• Active Directory on page 214
• About Kerberos on page 215

Overview
  • 424. Advanced Firewall's authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user's group membership. • Identity verification – authenticate users by checking supplied identity credentials, for example, usernames and passwords, against known user profile information. • Identity confirmation – provide details of known authenticated users at a particular IP address. Verifying User Identity Credentials In order to authenticate users, Advanced Firewall must be able to verify the identity credentials, usernames and passwords, supplied by network users. Credentials are verified against the authentication system's local user database. Network users must provide their identity credentials when using an authentication-enabled service for the first time. If the credentials cannot be verified by the
• 425. authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services. A user that is authenticated can be described as being logged in.
About Authentication Mechanisms
All authentication-enabled services use the authentication system to discover which users are accessing them. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:
• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details
• 426. Active provision of user-supplied identity credentials, for onward authentication.
The means by which these two types of interaction are combined and implemented defines a particular named authentication mechanism.
The Core Authentication Mechanism
This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.
Other Authentication Mechanisms
All other authentication mechanisms use a combination of the previously discussed interactions.
• 427. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. However, if the user is currently unauthenticated, the second type of interaction occurs, i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system for onward authentication. It follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.
Choosing an Authentication Mechanism
As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism; in such cases, the authentication mechanism will always be 'Core authentication'.
• 428. About the Login Time-out
The login time-out is the length of time that a user's authenticated status lasts once they are authenticated. Time-out does not occur if Advanced Firewall can determine that the same user is still active, for example by seeing continued web browsing from the same user. However, if Advanced Firewall sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status is invalidated.
The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights if the original user fails to pro-actively
• 429. log out.
Advanced Firewall and DNS
Advanced Firewall's authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using Advanced Firewall's setup program. Advanced Firewall's DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up an Advanced Firewall connectivity profile. In this way, Advanced Firewall can be configured to use an internal DNS server, and the internal DNS server can in turn be configured to use Advanced Firewall as its DNS forwarder.
A Common DNS Pitfall
Often Advanced Firewall is configured so that an internal DNS server is the primary DNS server and an external DNS server is the secondary DNS server. This is not the correct way to configure DNS servers on any
• 430. client. DNS was designed so that any server can respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. With the proliferation of private networks and internal DNS zones, this is no longer the case. A DNS client behaves in the following way when looking up a host:
• If a reply of "host not found" is received, the client will NOT ask other DNS servers
• If the DNS server is not answering, the client will try another DNS server
• The client chooses randomly between the configured DNS servers
Taking the above conditions into account, it is clear that a DNS configuration that has both an internal DNS server and an external DNS server will not work,
• 431. or at least will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so that it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, such as Advanced Firewall's DNS proxy server.
Working with Large Directories
The Additional group search roots option enables you to specify several OUs in which to search for groups. When dealing with large directories, a search through the entire directory can take a long time and make the Advanced Firewall Include groups page unwieldy to manage. Normally, a specified group search root helps to narrow the scope of where to search for groups, but if groups are distributed across multiple OUs, one group
• 432. search root may not be enough. Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries, which would probably take a long time to load and be hard to get an overview of. The administrator of the Active Directory domain has two OUs in which the groups to be mapped are located. In the group search root, the administrator enters the path for the primary OU, and in the additional group search root, the second OU is entered:
User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local
The above example is for a multi-domain Active Directory installation, where the second OU is in the
• 433. sub-domain sub1. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group.
Active Directory
The following sections describe usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.
Active Directory Username Types
A user account on a Windows 2000+ server has two types of username:
• A Windows 2000+ username, which takes the form of [email protected]
• An old-style Windows NT 4 username, which has no domain attached to it.
When a Windows 2000+ domain has been migrated from a legacy Windows NT 4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.
• 434. In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.
Accounts and NTLM Identification
When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the Builtin OU in the Active Directory Users and Groups snap-in.
About Kerberos
The following sections document Kerberos pre-requisites and list some points to try when troubleshooting.
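The search-root scoping from the Working with Large Directories section above, as an added example (not Smoothwall code): a subtree-scope match over LDAP DNs, run against a constructed directory using the three search roots the guide shows. The entries, group names and counts are constructed for the example.

```python
"""Subtree-scope matching of directory entries against LDAP search roots.

Added example, not Smoothwall code.  Search roots are the ones from the
guide; the directory contents below are constructed.
"""


def parse_dn(dn):
    """Split a DN into normalised (type, value) RDNs, most specific first.

    Handles backslash-escaped commas; attribute types and values are
    compared case-insensitively, as LDAP does for these attributes.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it (LDAP 'sub' scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def find_groups(directory, search_roots):
    """DNs of group objects found under any of the configured search roots."""
    return sorted(dn for dn, classes in directory.items()
                  if "group" in classes
                  and any(in_subtree(dn, root) for root in search_roots))


# Constructed directory: DN -> object classes (a tiny stand-in for AD).
DIRECTORY = {
    "cn=alice,ou=users,dc=domain,dc=local": {"user"},
    "cn=web-admins,ou=guardiangroups,dc=domain,dc=local": {"group"},
    "cn=vpn-users,ou=guardiangroups,dc=domain,dc=local": {"group"},
    "CN=Legacy-Group,OU=Old Groups,DC=domain,DC=local": {"group"},
    "cn=wifi,ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local": {"group"},
    "cn=bob,ou=users,dc=sub1,dc=domain,dc=local": {"user"},
    "cn=printers,ou=devicegroups,dc=sub1,dc=domain,dc=local": {"group"},
}

# Search roots as given in the guide's example.
TOP_LEVEL = "dc=domain,dc=local"
GROUP_SEARCH_ROOT = "ou=guardiangroups,dc=domain,dc=local"
ADDITIONAL_GROUP_SEARCH_ROOT = "ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local"

if __name__ == "__main__":
    print("top-level root:", find_groups(DIRECTORY, [TOP_LEVEL]))
    print("scoped roots:  ", find_groups(DIRECTORY,
                                         [GROUP_SEARCH_ROOT, ADDITIONAL_GROUP_SEARCH_ROOT]))
```

The top-level root pulls in every group in the forest, while the two scoped roots return only the groups that are meant to be mapped; note that the sub-domain OU is not beneath ou=users,dc=domain,dc=local, which is why it needs its own search root.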
• 435. Kerberos Pre-requisites and Limitations
The following are pre-requisites and known limitations when using Kerberos as an authentication method:
• Forward and reverse DNS must be working
• All clocks must be in sync; more than 5 minutes of clock drift will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.
Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on page 215
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the
• 436. short form does not work
• Did the user log on before the keytab was created? Try logging off then on again.
• Did the user log on before Advanced Firewall joined the domain? Try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs: cryptography as that used by the client; uppercase fully qualified forms of each hostname.
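The client behaviour described in the A Common DNS Pitfall section above, as an added simulation (not Smoothwall code): a stub resolver that picks randomly between its servers, fails over only when a server does not answer, and treats "host not found" as final. It shows why an internal-plus-external server list resolves each name only about half the time, and why an internal server forwarding through Advanced Firewall's DNS proxy does not have the problem. Hostnames and addresses are constructed for the example.

```python
"""Client-side simulation of the 'A Common DNS Pitfall' behaviour.

Added example, not Smoothwall code.  Implements the three behaviours the
guide lists for a DNS client: (1) a 'host not found' reply is final,
(2) a server that does not answer is skipped, (3) the server is chosen
at random.  Hostnames and addresses are constructed for the example.
"""
import itertools
import random

NXDOMAIN = "NXDOMAIN"   # "host not found": final, the client asks nobody else
TIMEOUT = "TIMEOUT"     # no answer at all: the client tries another server


class DnsServer:
    """Minimal DNS server: answers from its own zone, else via a forwarder."""

    def __init__(self, name, zone, forwarder=None, up=True):
        self.name = name
        self.zone = zone              # hostname -> IP for names it knows
        self.forwarder = forwarder    # DnsServer asked for every other name
        self.up = up

    def query(self, host):
        if not self.up:
            return TIMEOUT
        if host in self.zone:
            return self.zone[host]
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN


class _KeepOrder:
    """rng stand-in whose shuffle() leaves the list alone (used to enumerate)."""

    def shuffle(self, seq):
        return None


def resolve(host, servers, rng=random):
    """Stub resolver implementing the three behaviours listed in the guide."""
    order = list(servers)
    rng.shuffle(order)                # (3) random choice between configured servers
    for server in order:
        answer = server.query(host)
        if answer == TIMEOUT:         # (2) no answer -> ask another server
            continue
        return answer                 # (1) any reply, NXDOMAIN included, is final
    return TIMEOUT


def possible_answers(host, servers):
    """All answers the client can get, over every ordering of its servers."""
    answers = {resolve(host, order, _KeepOrder())
               for order in itertools.permutations(servers)}
    return sorted(answers)


def failure_rate(host, servers, trials=1000, seed=1):
    """Fraction of lookups ending in NXDOMAIN or TIMEOUT (seeded, repeatable)."""
    rng = random.Random(seed)
    failed = sum(resolve(host, servers, rng) in (NXDOMAIN, TIMEOUT)
                 for _ in range(trials))
    return failed / trials


# Constructed topology (documentation addresses, not from the guide).
EXTERNAL_DNS = DnsServer("isp-resolver", {"www.example.com": "203.0.113.10"})
# Internal AD DNS server with no forwarder: it knows only its own zone.
INTERNAL_DNS_NO_FWD = DnsServer("dc01", {"dc01.domain.local": "192.168.1.10"})
# Advanced Firewall's DNS proxy forwards to the external resolver ...
FIREWALL_DNS_PROXY = DnsServer("advanced-firewall", {}, forwarder=EXTERNAL_DNS)
# ... and the internal server uses that proxy as its forwarder (the fix).
INTERNAL_DNS_FWD = DnsServer("dc01", {"dc01.domain.local": "192.168.1.10"},
                             forwarder=FIREWALL_DNS_PROXY)

PITFALL_CONFIG = [INTERNAL_DNS_NO_FWD, EXTERNAL_DNS]   # internal primary + external secondary
CORRECT_CONFIG = [INTERNAL_DNS_FWD]                    # internal only, forwarding via the proxy

if __name__ == "__main__":
    for host in ("dc01.domain.local", "www.example.com"):
        print(host, "pitfall:", possible_answers(host, PITFALL_CONFIG),
              "correct:", possible_answers(host, CORRECT_CONFIG))
```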
• 437. Appendix B: Troubleshooting VPNs
In this appendix:
• Site-to-site Problems on page 217
• L2TP Road Warrior Problems on page 218
• Windows Networking Issues on page 219
Site-to-site Problems
All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software. Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall Systems. Failure to get a ping echo would indicate that:
• The remote Advanced Firewall is not running
• 438. • You have the wrong IP address for the remote Advanced Firewall
• There is a network connection problem; check routers, hubs, cables etc.
• There is a problem at your Internet Service Provider
• Advanced Firewall has ping disabled via the admin interface
Also check the following:
• Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate Ethernet card.
• Check the routing information displayed in Advanced Firewall's status page; there must be a default route (gateway).
• Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, ESP mode uses IP protocol 50. AH mode uses IP protocol 50. In particular, if the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible
• 439. that one of the ISPs involved is blocking the ESP or AH packets.
• To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates.
• Verify the symmetry of the tunnel specification, i.e. that the IDs, IP addresses and remote network addresses are mirrored. This is where most people make mistakes.
• Each node on the VPN network must have its own unique certificate. At least one field in the subject must be different. The subject is a composite of the information fields supplied when the certificate is created. Likewise, the Alt (Alternative) Name field must be unique for each certificate. Obviously, fields like company name can be common to all certificates.
• 440. • A different local network address must be configured at each end of the tunnel; they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
Be consistent with IDs. For example:
• Hosts on static IPs should use the hostname of the gateway as the ID.
• Hosts on dynamic IPs should use the administrator's email address.
• Clients should usually not use an ID, unless they are using an unusual client that requires one.
L2TP Road Warrior Problems
The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection. The most likely reason for a failure at this stage is an incorrect or invalid certificate. The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. However, because the vast majority of parameter values are predefined, it is generally not
• 441. likely for an IPSec protocol error other than a certificate problem to occur. First of all, verify that the correct certificate is installed using the Microsoft MMC tool. There must be a CA certificate, as well as a host certificate, present in the system. Also verify that the certificate is within its valid time window. If the certificate is newly created and the time is set incorrectly by only an hour or so, the connection will be refused because the certificate is not yet valid. MMC has facilities for verifying that a host certificate is recognized as being valid. Note that the error messages produced by the L2TP client can be somewhat strange: "Modem not responding" can mean that there was an IPSec certificate error, for instance. Check the IPSec logs first when looking for causes of problems. As a last resort, you can also enable debug logging on the Windows client.
Enabling L2TP Debugging
In a default configuration, Microsoft's L2TP client does not produce any log files. This can make
• 442. diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. To enable IPSec-level logging on Windows 2000 or XP, you must create a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:
net stop policyagent
followed by:
net start policyagent
The log file will be in the Windows system directory:
• 443. debug\oakley.log
The following URL is Microsoft's own guide to debugging L2TP connection problems: http://support.microsoft.com/default.aspx?scid=kb;en-us;325034
Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values may result in registry corruption and render the computer unusable.
Windows Networking Issues
In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to make sure both ends of the tunnel are properly configured. In small, single-subnet Windows networks, network browsing is facilitated via network broadcasts. In these small networks, Network Neighborhood will just work without any configuration required. If a road warrior were to connect in, though, it would be unable to browse the network unless the administrator has configured the network to enable it. This is
• 444. because network broadcasts do not normally cross network boundaries, such as routers and VPNs. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same.
In the case of road warrior connections, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page.
For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN. For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its
• 445. network properties box. Any road warriors connecting in should also be set to use this WINS server. If this is done, then when they are connected to the office network via the VPN they should be able to browse the office network, attach to printers and shares, etc. In more complex arrangements, such as two subnets of Windows machines with a VPN between them, it is necessary either to set up one WINS server and share it between the subnets, or to have one on each and configure replication between the two. Again, the problem to be resolved is identical to that which the administrator would face with two normally routed networks.
Appendix C: Hosting Tutorials
• 446. In this appendix:
• Basic Hosting Arrangement on page 221
• Extended Hosting Arrangement on page 222
• More Advanced Hosting Arrangement on page 224
Basic Hosting Arrangement
In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ there are two servers:
Web server .2 – This server has an internal IP address of 192.168.1.2 and presents an external IP address of 216.1.1.2.
Mail server .3 – This server has an internal IP address of 192.168.1.3 and presents an external IP address of 216.1.1.3.
To configure this scenario:
• 447. 1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
2. Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
• 448. Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3
3. Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3
Extended Hosting Arrangement
In this example, a DMZ has been configured with a network address of 192.168.1.0, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ are three servers:
• 449. Web server .2 – This server has an internal IP address of 192.168.1.2 and presents an external IP address of 216.1.1.2. It supports both HTTP and HTTPS.
Web server .3 – This server has an internal IP address of 192.168.1.3 and presents an external IP address of 216.1.1.3. It should only be accessible to external hosts in the ranges 100.100.100.0/24 and 100.100.101.0/24.
Mail server .4 – This server has an internal IP address of 192.168.1.4 and presents an external IP address of 216.1.1.4.
To configure this scenario:
1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
• 450. Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
2. Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS
• 451. Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: 100.100.10.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3
• 452. 3. Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4
More Advanced Hosting Arrangement
In this example, a DMZ has been configured with a network address of 192.168.1.0, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. A local private network, 192.168.10.0/24, contains 3 servers:
SQL Server .2 – Internal IP: 192.168.10.2
• 453. Mail Server [int] .3 – Internal IP: 192.168.10.3
Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users.
A DMZ network, 192.168.1.0/24, contains 5 servers:
Web Server .2 – External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.
Web Server .3 – External IP: 216.1.1.3, Internal IP: 192.168.1.3.
Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6.
Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5.
• 454. Mail Server [ext. out] – External IP: 216.1.1.7, Internal IP: 192.168.1.6, for outgoing mail.
Mail Server [ext. in] – External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3.
To configure this scenario:
1. First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7
• 455. 2. Next, add the port forwards for example 3:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.10.4 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP
• 456. Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP
• 457. Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3
3. Next, add the zone bridges for example 3:
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306 | Comment: Web Server .2 to SQL Server .2
• 458. Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25) | Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3
4. Finally, add the source mappings for example 3:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.10.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext. out] .6
Glossary
• 459. 2-factor authentication – A password used together with a token. In other words, 2-factor authentication is something you know used together with something you have. Access is only granted when you use the two together.
3DES – A triple-strength version of the DES cryptographic standard, usually using a 168-bit key.
Acceptable Use Policy – See AUP.
Access control – The process of preventing unauthorized access to computers, programs, processes, or systems.
Active Directory – Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX – A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
• 460. AES (Advanced Encryption Standard) – A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.
AH (Authentication Header) – Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.
Algorithm – In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
• 461. Alias or External Alias – In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP (Address Resolution Protocol) – A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache – Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP (Acceptable Use Policy) – An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains
• 462. the organization's position on how its users should conduct communication within and outside of the organization, both for business and personal use.
Authentication – The process of verifying identity or authorization.
Bandwidth – The rate at which data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.
BIN – A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow – An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.
• 463. CA (Certificate Authority) – A trusted network entity, responsible for issuing and managing x509 digital certificates.
Certificate – A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.
Cipher – A cryptographic algorithm.
Ciphertext – Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plaintext using a cryptographic algorithm.
Client – Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker – A malicious hacker.
Cross-Over Cable – A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.
• 464. Cryptography – The study and use of methods designed to make information unintelligible.
Default Gateway – The gateway in a network that will be used to access another network if a gateway is not specified for use.
Denial of Service – Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.
• 465. DER (Distinguished Encoding Rules) – A certificate format typically used by Windows operating systems.
DES (Data Encryption Standard) – A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.
DHCP (Dynamic Host Control Protocol) – A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up – A telephone-based, non-permanent network connection, established using a modem.
DMZ (Demilitarized Zone) – An additional separate subnet, isolated as much as possible from protected networks.
• 466. DNS (Domain Name Service) – A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller – A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP – A non-permanent IP address automatically assigned to a host by a DHCP server.
Dynamic token – A device which generates one-time passwords based on a challenge/response procedure.
Egress filtering – The control of traffic leaving your network.
Encryption – The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the encryption).
• 467. ESP (Encapsulating Security Payload) – A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server – A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).
Exploit – A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.
• 468. Filter – A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS – Federal Information Processing Standards. See NIST.
Firewall – A combination of hardware and software used to prevent access to private network resources.
Gateway – A network point that acts as an entrance to another network.
Green – In Smoothwall terminology, green identifies the protected network.
Hacker – A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
• 469. Host – A computer connected to a network.
Hostname – A name used to identify a network host.
HTTP (Hypertext Transfer Protocol) – The set of rules for transferring files on the World Wide Web.
HTTPS – A secure version of HTTP using SSL.
Hub – A simple network device for connecting networks and network hosts.
ICMP (Internet Control Message Protocol) – One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
IDS – Intrusion Detection System
• 470. IP – Internet Protocol
IPS – Intrusion Prevention System
IP Address – A 32-bit number that identifies each sender and receiver of network data.
IPtables – The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
• 471. IPSec (Internet Protocol Security) – An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
IPSec Passthrough – A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.
ISP – An Internet Service Provider provides Internet connectivity.
Key – A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel – The core part of an operating system that provides services to all other parts of the operating system.
Key space – The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.
• 472. L2F (Layer 2 Forwarding) – A VPN system developed by Cisco Systems.
L2TP (Layer 2 Transport Protocol) – A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.
LAN (Local Area Network) – A network between hosts in a similar, localized geography.
Leased Lines (or private circuits) – A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
Lockout – A method to stop an unauthorized attempt to gain access to a computer. For example, a three-try limit when entering a password: after three attempts, the system locks out the user.
• 473. MAC Address (Media Access Control) – An address which is the unique hardware identifier of a NIC.
MX Record (Mail eXchange) – An entry in a domain name database that specifies an email server to handle a domain name's email.
NAT-T (Network Address Translation Traversal) – A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough.
• 474. NIC – Network Interface Card
NIST (National Institute of Standards and Technology) – NIST produces security and cryptography related standards and publishes them as FIPS documents.
NTP (Network Time Protocol) – A protocol for synchronizing a computer's system clock by querying NTP servers.
OU – An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.
Password – A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM – Privacy Enhanced Mail
  • 475. A popular certificate format. Perfect Forward Secrecy A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised. PFS See Perfect Forward Secrecy Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement. Phase 2 Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up. Ping A program used to verify that a specific IP address can be seen from another. PKCS#12 Public Key Cryptography Standards # 12 A portable container file format for transporting certificates and private keys.
  • 476. 232 Smoothwall Ltd Advanced Firewall Administration Guide Glossary Q PKI Public Key Infrastructure A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates. Plaintext Data that has not been encrypted, or ciphertext that has been decrypted. Policy Contains content filters and, optionally time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization. Port A service connection point on a computer system
  • 477. numerically identified between 0 and 65536. Port 80 is the HTTP port. Port Forward A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router. PPP Point-to-Point Protocol Used to communicate between two computers via a serial interface. PPTP Peer-to-Peer Tunnelling Protocol A widely used Microsoft tunnelling standard deemed to be relatively insecure.
  • 478. Private Circuits See Leased Lines. Private Key A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key. Protocol A formal specification of a means of computer communication. Proxy An intermediary server that mediates access to a service. PSK Pre-Shared Key An authentication mechanism that uses a password exchange and matching process to determine authenticity. Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.
  • 479. PuTTY A free Windows / SSH client. QOS Quality of Service In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth. 233 Advanced Firewall Administration Guide Glossary R S RAS Remote Access Server A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs. Red In Smoothwall, red is used to identify the Unprotected Network (typically the
  • 480. Internet). RIP Routing Information Protocol A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are. Road Warrior An individual remote network user, typically a travelling worker 'on the road' requiring access to a organization’s network via a laptop. Usually has a dynamic IP address. Route A path from one network point to another. Routing Table A table used to provide directions to other networks and hosts. Rules In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.
  • 481. Security policy A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights and define what behavior is and is not permitted, by whom and under what circumstances. Server In general, a computer that provides shared resources to network users. SIP Session Initiation Protocol A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications. Single Sign-On (SSO) The ability to log-in to multiple computers or servers in a single action
  • 482. by entering a single password. Site-To-Site A network connection between two LANs, typically between two business sites. Usually uses a static IP address. Smart card A device which contains the credentials for authentication to any device that is smart card-enabled. Spam Junk email, usually unsolicited. SQL Injection A type of exploit whereby hackers are able to execute SQL statements via an Internet browser. Squid A high performance proxy caching server for web clients. 234 Smoothwall Ltd Advanced Firewall Administration Guide Glossary T U
  • 483. V X SSH Secure Shell A command line interface used to securely access a remote computer. SSL A cryptographic protocol which provides secure communications on the Internet. SSL VPN A VPN accessed via HTTPS from any browser (theoretically). VPNs require minimal client configuration. Strong encryption A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame. Subnet An identifiably separate part of an organization’s
  • 484. network. Switch An intelligent cable junction device that links networks and network hosts together. Syslog A server used by other hosts to remotely record logging information. Triple DES (3-DES) Encryption A method of data encryption which uses three encryption keys and runs DES three times Triple-DES is substantially stronger than DES. Tunneling The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. User name / user ID A unique name by which each user is known to the system. VPN Virtual Private Network
  • 485. A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet. VPN Gateway An endpoint used to establish, manage and control VPN connections. X509 An authentication method that uses the exchange of CA issued certificates to guarantee authenticity. 235 Index A accessing 6 active directory cache timeout 177 domain 176
extra realm 183; password 176; status 176; username 176
active directory legacy: cache timeout 182; discover kerberos realms through dns 183; extra group search roots 183; extra realms 183; extra user search roots 183; kerberos realm 182; netbios domain name 183; password 182; port 183; sam account name 183; server 182; server username 182; status 181; user search root 182
admin 6
admin options 17
administration 17
administrative users 17
adsl modem settings 36
advanced 11, 12
alerts 7: settings 7
application helper 86: ftp 87; h323 passthrough support 87; irc 87; pptp client support 87
archives 16
arp filter 70
arp table size 71
audit 71
authentication 13, 101, 173: choosing 212; diagnostics 174; mechanisms 212; time-out 174

B
banned users 187
bond 43
bridge 42
bridging: groups 80; rules 75; zones 75

C
ca 18, 19
central management 199: about 199; pre-requirements 200
central management key 201
centrally manage 199
certs 19: ca 18
child node 201
cluster 199
connection methods 27: dial-up modem 38; ethernet 27; ethernet/modem hybrid 27; isdn modem 36; modem 27
connection profiles 27: creating 27; deleting 41; modifying 41
connection tracking 71
connections 25
connectivity 11
console: connecting via 21
control 19
control page 6
create 7
csv 203: importing nodes 203
csv files 203
custom categories 15

D
database settings 9
deep packet inspection 92
default: interface 26; users 187
denial of service 69
dhcp 16: custom options 16; leases 16; relay 16; server 16
dhcp ethernet 29: settings 30
diagnostics 18, 174
dial-up modem 38
directories 13
directory settings 175: prerequisites 176, 179, 181
dns 14: dynamic 14; proxy 14; static 14
documentation 2
DoS 70
dpi 92

E
ECN 70
email 8, 9
enable arp filter 70
ethernet 27
external: access 17; aliases 11
external services 12, 96: editing 97; removing 97

F
failover 18
filtering 10
filters 15
firewall 8, 9: accessing browser 6; connecting 21
firmware upload 18
ftp 14, 87

G
global 16, 19
group bridging 10, 80
groups 9, 13, 186: banned users 187; default users 187; mapping 188; network administrators 187; renaming 187; unauthenticated ips 186

H
h323 passthrough support 87
hardware 18
hostname 17
https 6
hybrid 27

I
icmp 70
ICMP ping 70
ICMP ping broadcast 70
ids 9, 15
igmp 70
IGMP packets 70
im: proxy 8
im proxy 9
information 6
instant messenger 14
interface: bond 43; bridge 42
interfaces 11
internal aliases 11
inter-zone security 75
intrusion detection 15
intrusion detection system 15
ip: address defining 52; block 10; tools 18
ips 9, 85
ipsec 8, 9: roadwarriors 19; subnets 19
irc 87
isdn modem 36: settings 37
isp 27

K
kerberos keytabs 13

L
l2tp roadwarriors 19
layer 7 application control 92
ldap directory: bind method 178; cache timeout 178; discover kerberos realms through dns 179; extra group search root 179; extra realms 179; extra user search roots 179; group search roots 178; kerberos realm 178; password 177; port 179; server 177; status 177; user search root 178; username 177
licenses 16
local users 184: activity 191; adding 185; configuring 184; deleting 186; editing 186; managing 185; status 184
log settings 9
logs 9

M
mac spoof 30
maintenance 16
message censor 15: custom categories 15; filters 15; time 15
modem 18, 27: settings 39
modules 16
multicast traffic 70

N
network: administrators 187; interface 26
networking 9, 12: source mapping 55
node 205: add 202; child 201; child delete 205; child edit 205; configure child 17; csv 203; delete 205; disable 209; edit 205; import 203; local settings 17; manage 205; monitor 206; parent 200; reboot 208; review 206; update 207

O
OpenVPN 137
outbound access: port rules 89; source rules 93
outgoing 12
output settings 9

P
pages: central management 17; info: alerts 7 (alerts 7; custom 7), logs 9 (firewall 9; ids 9; im proxy 8, 9; ips 9; ipsec 9; system 9; web proxy 9), realtime 8 (firewall 8; ipsec 8; portal 8; system 8; traffic graphs 8), reports (reports 7; saved 7; scheduled reports 7), settings (alert settings 7; database settings 9; groups 9; log settings 9; output settings 9); information 6; main 6; networking 9, 12: filtering 10 (group bridging 10; ip block 10; zone bridging 10), firewall 11 (advanced 11; port forwarding 11; source mapping 11), interfaces 11 (connectivity 11; external aliases 11; interfaces 11; internal aliases 11; ppp 11; secondaries 11), outgoing 12 (external services 12; policies 12; ports 12), routing 10 (ports 10; rip 10; sources 10; subnets 10), settings (advanced 12; port groups 12); services 12: authentication 13 (directories 13; groups 13; kerberos keytabs 13; settings 13; ssl login 13; temporary bans 13; user activity 13), dhcp (dhcp custom options 16; dhcp leases 16; dhcp relay 16; dhcp server 16; global 16), dns 14 (dns proxy 14; dynamic dns 14; static dns 14), ids 15 (intrusion system: detection 15; policies 15; signatures 15), message censor 15, proxies 14 (ftp 14; im proxy 14; sip 14; web proxy 14), snmp 14, user portal 13 (groups 13; portals 13; user exceptions 13); system: administration 17 (admin options 17; administrative users 17; external access 17), central management (child nodes 17; local node settings 17; overview 17), diagnostics 18 (configuration report 18; functionality test 18; ip tools 18; traffic analysis 18; whois 18), hardware 18 (failover 18; firmware upload 18; modem 18; ups 18), maintenance 16 (archives 16; licenses 16; modules 16; scheduler 16; shutdown 16; updates 16), preferences 17 (hostname 17; registration options 17; time 17), vpn 18 (ca 19; certs 19; control 19; global 19; ipsec roadwarriors 19; ipsec subnets 19; l2tp roadwarriors 19; ssl roadwarriors 19)
parent node 200
passwords 6
policies 15: outgoing 12
port forwarding 11
port forwards 83: comment 85; creating 84; criteria 83; destination address 85; destination port 85; editing 86; enabled 85; external ip 85; ips 85; logging 85; protocol 85; removing 86; source IP 85; source port 85; user defined 85
port groups 12
port rules 89: creating 90; deleting 93, 96; editing 92, 96; modes 89; preset 89; viewing 93
portal 8, 13
portals 13
ports 10, 12
ppp 11
ppp over ethernet: settings 32
ppp profile: creating 40
pptp client support 87
pptp over ethernet: settings 34
preferences 17
primary dns 26
proxies 14

R
radius: action on login failure 180; cache timeout 180; identifying IP address 180; obtain groups from radius 180; port 180; secret 180; server 180; status 180
realtime 8: email 8, 9
reboot 208
registration options 17
reports 7, 99: custom 7; reports 7; scheduled 7
reverse proxy 9, 14
rip 10
routing 10
rules: external service 96; group bridging 81; internal alias 56; ip blocking 67; port 52; port forward 83; source 93; source mapping 55; subnet 47; zone bridging 76

S
scheduled reports 7
scheduler 16
secondaries 11
secondary dns 26
selective ACK 70
services: authentication 13, 174; dhcp 16; dns 14; ids 15; message censor 15; portal 13; rip 49; snmp 14
settings 9, 13
shutdown 16
signatures 15
sip 14
site address 23
snmp 14
source mapping 11, 55
source rules 93
sources 10
ssh 21: client 21
SSL 137
ssl login 13: accessing the page 194; customizing 192; exceptions 195
ssl roadwarriors 19
static ethernet: settings 29
subnets 10
SYN backlog queue 71
SYN cookies 70
SYN+FIN packets 70
system 8, 9

T
TCP timestamps 70
telephony settings 40
temporary ban 189
temporary bans 13
time 17
time out 174
time slots 15
time-out 213
traffic: analysis 18; graphs 8
training 1
tutorial: vpn 156; zone bridging 78

U
unauthenticated ips 186
unknown entity 22
updates 16
ups 18
user: activity 13, 191; identity 211
user exceptions 13
users: banned 187; default 187; local 185; network administrators 187; temporary ban 189; unauthenticated IPs 186

V
virtual lans 45
vlan 45
vpn 18, 99: authentication 101; psk 102; x509 102

W
web proxy 9, 14
whois 18
window scaling 70

Z
zone bridge: narrow 76; rule create 76; settings 76
zone bridge (continued): tutorial 78; wide 76
zone bridging 10, 75

Contents

About This Guide
  Audience and Scope
  Organization and Use
  Conventions
  Related Documentation
1 Introduction
  Overview of Advanced Firewall
  Annual Renewal
2 Advanced Firewall Overview
  Accessing Advanced Firewall
  Dashboard
  Logs and reports
  Reports
  Alerts
  Realtime
  Logs
  Settings
  Networking
  Filtering
  Routing
  Interfaces
  Firewall
  Outgoing
  Settings
  Services
  Authentication
  User Portal
  Proxies
  SNMP
  DNS
  Message Censor
  Intrusion System
  DHCP
  System
  Maintenance
  Central Management
  Preferences
  Administration
  Hardware
  Diagnostics
  Certificates
  VPN
  Configuration Guidelines
  Specifying Networks, Hosts and Ports
  Using Comments
  Creating, Editing and Removing Rules
  Connecting via the Console
  Connecting Using a Client
  Secure Communication
  Unknown Entity Warning
  Inconsistent Site Address
3 Working with Interfaces
  Configuring Global Settings for Interfaces
  Connecting Using an Internet Connectivity Profile
  Connecting Using a Static Ethernet Connectivity Profile
  Connecting using a DHCP Ethernet Connectivity Profile
  Connecting using a PPP over Ethernet Connectivity Profile
  Connecting using a PPTP over Ethernet Connectivity Profile
  Connecting using an ADSL/DSL Modem Connectivity Profile
  Connecting using an ISDN Modem Connectivity Profile
  Connecting Using a Dial-up Modem Connectivity Profile
  Creating a PPP Profile
  Modifying Profiles
  Deleting Profiles
  Working with Bridges
  Creating Bridges
  Editing Bridges
  Deleting Bridges
  Working with Bonded Interfaces
  Creating Bonds
  Editing Bonds
  Deleting Bonds
  Configuring IP Addresses
  Adding an IP Address
  Editing an IP Address
  Deleting an IP Address
  Virtual LANs
  Creating a VLAN
  Editing a VLAN
  Deleting a VLAN
4 Managing Your Network Infrastructure
  Creating Subnets
  Editing and Removing Subnet Rules
  Using RIP
  Sources
  Creating Source Rules
  Removing a Rule
  Editing a Rule
  About IP Address Definitions
  Ports
  Creating a Ports Rule
  Creating an External Alias Rule
  Editing and Removing External Alias Rules
  Port Forwards from External Aliases
  Creating a Source Mapping Rule
  Editing and Removing Source Mapping Rules
  Working with Secondary External Interfaces
  Configuring a Secondary External Interface
  Using DHCP
  Enabling DHCP
  Creating a DHCP Subnet
  Editing a DHCP subnet
  Deleting a DHCP subnet
  Adding a Dynamic Range
  Adding a Static Assignment
  Adding a Static Assignment from the ARP Table
  Editing and Removing Assignments
  Viewing DHCP Leases
  DHCP Relaying
  Creating Custom DHCP Options
5 General Network Security Settings
  Blocking by IP
  Creating IP Blocking Rules
  Editing and Removing IP Block Rules
  Configuring Advanced Networking Features
  Working with Port Groups
  Creating a Port Group
  Adding Ports to Existing Port Groups
  Editing Port Groups
  Deleting a Port Group
6 Configuring Inter-Zone Security
  About Zone Bridging Rules
  Creating a Zone Bridging Rule
  Editing and Removing Zone Bridge Rules
  A Zone Bridging Tutorial
  Creating the Zone Bridging Rule
  Allowing Access to the Web Server
  Accessing a Database on the Protected Network
  Group Bridging
  Group Bridging and Authentication
  Creating Group Bridging Rules
  Editing and Removing Group Bridges
7 Managing Inbound and Outbound Traffic
  Introduction to Port Forwards – Inbound Security
  Port Forward Rules Criteria
  Creating Port Forward Rules
  Load Balancing Port Forwarded Traffic
  Editing and Removing Port Forward Rules
  Advanced Network and Firewall Settings
  Network Application Helpers
  Managing Bad External Traffic
  Configuring Reflective Port Forwards
  Managing Connectivity Failback
  Managing Outbound Traffic and Services
  Working with Port Rules
  Working with Outbound Access Policies
  Managing External Services
8 Virtual Private Networking
  Advanced Firewall VPN Features
  What is a VPN?
  About VPN Gateways
  Administrator Responsibilities
  About VPN Authentication
  PSK Authentication
  X509 Authentication
  Configuration Overview
  Working with Certificate Authorities and Certificates
  Creating a CA
  Exporting the CA Certificate
  Importing Another CA's Certificate
  Deleting the Local Certificate Authority and its Certificate
  Deleting an Imported CA Certificate
  Managing Certificates
  Creating a Certificate
  Reviewing a Certificate
  Exporting Certificates
  Exporting in the PKCS#12 Format
  Importing a Certificate
  Deleting a Certificate
  Setting the Default Local Certificate
  Site-to-Site VPNs – IPSec
  Recommended Settings
  Creating an IPsec Tunnel
  IPSec Site to Site and X509 Authentication – Example
  Prerequisite Overview
  Creating the Tunnel on the Primary System
  Creating the Tunnel on the Secondary System
  Checking the System is Active
  Activating the IPSec tunnel
  IPSec Site to Site and PSK Authentication
  Creating the Tunnel Specification on Primary System
  Creating the Tunnel Specification on the Secondary System
  Checking the System is Active
  Activating the PSK tunnel
  About Road Warrior VPNs
  Configuration Overview
  IPSec Road Warriors
  Creating an IPSec Road Warrior
  Supported IPSec Clients
  Creating L2TP Road Warrior Connections
  Creating a Certificate
  Configuring L2TP and SSL VPN Global Settings
  Creating an L2TP Tunnel
  Configuring an iPhone-compatible Tunnel
  Using NAT-Traversal
  VPNing Using L2TP Clients
  L2TP Client Prerequisites
  Connecting Using Windows XP/2000
  Installing an L2TP Client
  VPNing with SSL
  Prerequisites
  Configuring VPN with SSL
  Managing SSL Road Warriors
  Managing Group Access to SSL VPNs
  Managing Custom Client Scripts for SSL VPNs
  Generating SSL VPN Archives
  Configuring SSL VPN on Internal Networks
  Configuring and Connecting Clients
  VPN Zone Bridging
  Secure Internal Networking
  Creating an Internal L2TP VPN
  Advanced VPN Configuration
  Multiple Local Certificates
  Creating Multiple Local Certificates
  Public Key Authentication
  Configuring Both Ends of a Tunnel as CAs
  VPNs between Business Partners
  Extended Site to Site Routing
  Managing VPN Systems
  Automatically Starting the VPN System
  Manually Controlling the VPN System
  Viewing and Controlling Tunnels
  VPN Logging
  VPN Tutorials
  Example 1: Preshared Key Authentication
  Example 2: X509 Authentication
  Example 3: Two Tunnels and Certificate Authentication
  Example 4: IPSec Road Warrior Connection
  Example 5: L2TP Road Warrior
  Working with SafeNet SoftRemote
  Configuring IPSec Road Warriors
  Using the Security Policy Template SoftRemote
  Creating a Connection without the Policy File
  Advanced Configuration
9 Authentication and User Management
  Configuring Global Authentication Settings
  About Directory Servers
  Configuring a Microsoft Active Directory Connection
  Configuring an LDAP Connection
  Configuring a RADIUS Connection
  Configuring an Active Directory Connection – Legacy Method
  Configuring a Local Users Directory
  Reordering Directory Servers
  Editing a Directory Server
  Deleting a Directory Server
  Diagnosing Directories
  Managing Local Users
  Adding Users
  Editing Local Users
  Deleting Users
  Managing Groups of Users
  About Groups
  Adding Groups
  Editing Groups
  Deleting Groups
  Mapping Groups
  Remapping Groups
  Deleting Group Mappings
  Managing Temporarily Banned Users
  Creating a Temporary Ban
  Removing Temporary Bans
  Removing Expired Bans
  Managing User Activity
  Viewing User Activity
  Logging Users Out
  Banning Users
  About SSL Authentication
  Customizing the SSL Login Page
  Reviewing SSL Login Pages
  Configuring SSL Login
  Creating SSL Login Exceptions
  Managing Kerberos Keytabs
  Adding Keytabs
  Managing Keytabs
10 Centrally Managing Smoothwall Systems
  About Centrally Managing Smoothwall Systems
  Pre-requirements
  Setting up a Centrally Managed Smoothwall System
  Configuring the Parent Node
  Configuring Child Nodes
  Adding Child Nodes to the System
  Editing Child Node Settings
  Deleting Nodes in the System
  Managing Nodes in a Smoothwall System
  Monitoring Node Status
  Accessing the Node Details Page
  Working with Updates
  Rebooting Nodes
  Disabling Nodes
  Using BYOD in a Centrally Managed System
Appendix A: User Authentication
  Overview
  Verifying User Identity
  Credentials
  About Authentication Mechanisms
  Other Authentication Mechanisms
  Choosing an Authentication Mechanism
  About the Login Time-out
  Advanced Firewall and DNS
  A Common DNS Pitfall
  Working with Large Directories
  Active Directory
  Active Directory Username Types
  Accounts and NTLM Identification
  About Kerberos
  Kerberos Pre-requisites and Limitations
  Troubleshooting
Appendix B: Troubleshooting VPNs
  Site-to-site Problems
  L2TP Road Warrior Problems
  Enabling L2TP Debugging
  Windows Networking Issues
Appendix C: Hosting Tutorials
  Basic Hosting Arrangement
  Extended Hosting Arrangement
  More Advanced Hosting Arrangement
Glossary
Index