NetSecure 6100 User Manual
Contents
1. 113 Chapter 6 Logging Object Name Value Type sysLocation DisplayString 6 8 2 INTERFACE GROUP Table 6 3 shows the Interface Group Table 6 3 Interface Group Object Name Value Type ifNumber Integer32 6 8 3 ADDRESS TRANSLATION GROUP Table 6 4 shows the Address Translation Group Table 6 4 Address Translation Group Object Name Value Type atlflndex INTEGER atPhysAddress PhysAddress atNetAddress NetworkAddress 6 8 4 IP GROUP Table 6 5 shows the IP Group Table 6 5 IP Group Object Name Value Type ipForwarding INTEGER ipDefault TTL INTEGER ipInReceives Counter32 ipInHdrErrors Counter32 ipInAddrErrors Counter32 114 Chapter 6 Logging Object Name Value Type ipForwDatagrams Counter32 ipInUnknownProtos Counter32 ipInDiscards Counter32 ipInDelivers Counter32 ipOutRequests Counter32 ipOutDiscards Counter32 ipOutNoRoutes Counter32 ipReasmTimeout Counter32 ipReasmReqds Counter32 ipReasmOKs Counter32 ipReasmFails Counter32 ipFragOKs Counter32 ipFragFails Counter32 ipFragCreates Counter32 6 8 5 IP ADDRESS Table 6 6 shows the IP Address Table Table 6 6 IP Address Table Object Name Value Type ipAdEntlflndex INTEGER ipAdEntNetMask lpAddress ipAdEntBeastAddr INTEGER ipAdEntReasmMaxSize INTEGER 115 Chapter 6 Logging 6 8 6 IP ROUTE Table 6 7 shows the IP Route Table T2. sscssscssssssssssscssssssssessssssssssesesees 209 10 1 NETWORK ADDRESS TRANSLATION QW cesceccseesecesecceseceeeeeencensccesseneontescentencensees 209 10 2 CONFIGURING SOURCE NETWORK ADDRESS TRANSLATION ecce 211 10 2 1 ABOUT PORT ADDRESS TRANSLATION PAT J ciscucisanravsnvinssstndastnsaeicinswnesucnnsioeiiccbsticlattndseaiisnen 211 xii NetSecure 6100 Users Manual 10 2 2 CONFIGURING DYNAMIC IP DIP POOLS s lt caisssissmievaiossizaronicomaniioeenineniobineuan 212 10 3 SOURCE NAT CONFIGURATIONS s0cnmiuniucunmnnidpnelewnmmnasenaaeenaaiy 213 10 3 1 CONFIGURING SOURCE NAT MANY TO ONE WITH PORT ADDRESS TRANSLATION sicsesssavaansrestsnbvastovesansiae stones aneri eA Aa E EAEE E e Eei 213 10 3 2 CONFIGURING SOURCE NAT MANY TO MANY WITH PORT ADDRESS TRANSLATION oeenn ie n i A sant se E asi tee 213 10 4 CONFIGURING DESTINATION NAT AND PORT MAPPING ccsceeesesseseeseseseeneees 215 10 5 DESTINATION NAT CONFIGURATIONS ccscscscssscseessscssessssssessessssessssnssssseaneseenentens 216 10 5 1 CONFIGURING DESTINATION NAT ONE TO ONE sssesssesssseessseesssneessseeessesssneessseeesness 216 10 5 2 CONFIGURING DESTINATION NAT ONE TO ONE WITH PORT MAPPING 000 00 217 10 5 3 CONFIGURING DESTINATION NAT MANY TO ONE csssssessssesssseesssseesssessseesssnecssneeessees 217 10 5 4 CONFIGURING DESTINATION NAT MANY TO ONE WITH PORT MAPPING 0 0 217 10 5 5 CONF
3. ADMIN MAIL SERVER CONFIGURE THE SECURITY APPLIANCE TO SEND E MAIL NOTIFICATION USING THE ADMIN MAIL OPTION E mail message notification can be configured allowing the security appliance to send e mail messages Using the set admin command with the mail option will allow configuration of the mail server IP address or name and the administrators e mail addresses o setadmin mail server name ip _addr name o set admin mail mail addr1 mail addr2 e mail_addr Example Sending e mail message to the administrator of the SECURITY APPLIANCE using the SMTP server IP 10 0 0 5 and the e mail adress admin yourcompany com o Mail server 10 0 0 5 o Recipient address1 admin yourcompany com Oo save GUI Example Sending e mail message to the administrator of the SECURITY APPLIANCE using the SMTP server IP 10 0 0 5 and the e mail adress admin yourcompany com o Logging gt SMTP o Enter the following then click Apply System Name admin System Contact admin yourcompany com Location 10 0 0 5 108 6 6 2 6 6 3 Chapter 6 Logging DELETING THE ADMIN MAIL SERVER To delete the e mail messages settings use the unset admin mail command with the server name option unset admin mail server name REMOVING E MAIL ADDRESSES FROM THE ADMIN MAIL SERVER To remove an e mail address so messages are no longer sent to that e mail address use the unset admin mail address with the mail addr1 mail addr2 option unset admin
4. Chapter 6 Logging 6 9 CONFIGURING SNMP ON THE SECURITY APPLIANCE The following SNMP attributes can be configured on the security appliance They include Community String Allows the SNMP community string and host to be set on the security appliance UDP Listening Port Sets the SNMP listening port on the security appliance System Name Allows the administrator to set the SNMP system name System Location Sets the security appliance system location System Contact Sets the SNMP system contact GUI Example Configure SNMP settings o Logging gt SNMP o Enter the following SNMP settings and click Apply Type System Name NetSecure 6100 Type System Contact Jon Smith Type System Location Lab Type Listen Port 161 Type Trap Host 162 o SNMP gt Community gt Edit o Enter the following SNMP Community settings and click Apply Type Name public Type Host 192 168 1 1 6 9 1 ENABLING SNMP ON A SPECIFIED INTERFACE To allow the SNMP monitoring system to contact and pull the SNMP information from the security appliance SNMP must be enabled on that specified interface 122 6 9 2 6 9 3 Chapter 6 Logging set interface interface name manage snmp Example To enable SNMP on theETHO interface set interface ethO manage snmp GUI Example To enable SNMP on theETHO interface o Network gt Interface gt Edit for ethernet0 o Enter the following then click Apply Manage option SNMP
5. set vpn to_newyork manual 1230 1230 gateway 4 4 4 1 outgoing interface eth1 esp aes128 key 1111222233334444 auth sha 1 key 11112222333344445555666677778888 set route trust route 0 0 0 0 0 interface eth1 gateway 4 4 4 254 set policy top name vpnto_newyork from trust to untrust sfo New York any tunnel vpn sfo_nyo set policy top name vpnfrom_newyork from untrust totrust New York sfo any tunnel vpn sfo_nyo save GUI Example Manual key VPN implementation San Francisco office Interfaces Oo Network gt Interface gt Edit for ethernet0 141 Chapter 7 Virtual Private Networks O Enter the following then click Apply Zone Name Trust IP Address Netmask 10 0 0 0 24 Interface Mode NAT Network gt Interface gt Edit for eth1 Enter the following then click Apply Zone Name Untrust IP Address Netmask 4 4 4 1 24 Addresses VPN Objects gt Address Objects gt Add Object Enter the following then click Apply Name SFO IP Address Netmask 10 0 0 0 24 Zone Trust Objects gt Address Objects gt Add Object Enter the following then click Apply Name New York IP Address Netmask 192 168 100 0 24 Zone Untrust VPN gt Manual Key Edit Enter the following then click Apply Tunnel Name to_newyork Gateway IP 4 4 4 1 Outgoing interface eth1 Local SPI 1230 Remote SPI 1230 Encryption Algorithm aes 128 Hex Key 1111222233334444 Authentication Algorithm sha 1
6. 3 2 3 2 1 3 2 2 CREATING AND MODIFYING CUSTOM SECURITY ZONES This section describes how to create modify and delete a custom security zone This section includes the following topics a Creating Custom Security Zones a Deleting Custom Security Zones E Blocking Within a Zone E Viewing Zone Configurations CREATING CUSTOM SECURITY ZONES Use the set zone command with the name_str option to create a custom security zone o set zone name name_str Example Creating the SALES zone o set zone name sales Oo save GUI Example Creating the SALES zone o Network gt Zone gt Add Zone o Create the following zone then click Apply Zone Name Sales DELETING CUSTOM SECURITY ZONES Use the unset zone command to delete a security zone 18 Chapter 3 Security Zone and Interfaces o unset zone name_str Example Deleting the SALES security zone o unset zone sales Oo save GUI Example Deleting the SALES security zone o Network gt Zone o Remove the following zone then click Apply Zone Name Sales NOTE If a security zone is bound to an interface you cannot delete the zone until you unbind it from the interface For information about interface commands refer to 3 3 19 Chapter3 Security Zone and Interfaces 3 2 3 CONFIGURING INTERFACES AND SUBINTERFACES BLOCKING WITHIN A ZONE By default all hosts within a security zone are allowed to co
7. To configure the SNMP system contact use the set snmp contact command and specify the security appliance system contact set snmp contact contact_str 124 6 9 9 6 9 10 6 9 11 6 9 12 Chapter 6 Logging DELETING THE SNMP SYSTEM CONTACT To delete the SNMP system contact use the unset snmp contact command unset snmp contact VIEWING THE SNMP SETTINGS To view the SNMP settings use the get snmp command with the settings option This will display the current SNMP settings o cli gt get snmp settings o Listening port 161 o System name NetSecure 6100 o Location Lab o Contact Jon Smith o cli gt VIEW THE SNMP COMMUNITY SETTINGS To view the SNMP community settings use the get snmp command with the community option This will display the current SNMP community settings o cli gt get snmp community o Community string public Host name 192 168 1 1 VIEW THE SNMP STATISTICS To view the SNMP statistics use the get snmp command with the statistics option This will display the current SNMP statistics o cli gt get snmp statistics 125 Chapter 6 Logging In pkts Out pkts In bad versions In bad community names In bad community uses In asn parse errors In bad types In too bigs In no such names In bad values In read onlys In gen errs In total req vars In total set vars In get requests In get nexts In set requests In get responses In traps Out too bigs
8. ddr2 dram size 0x40000000 bytes CAM SIZE nsss 18 Mbits reset to default config none running platform type security appliance calibration frequency 38 4Mhz running boot image primary running mos image primary total mos reboot count 1 mos last reboot date 2006 05 22 16 58 07 UTC 73 Chapter4 System Management 4 6 2 4 6 3 post result ddr2 memory test passed jffs2 flash memory test passed test i2C bus passed test fan temp controller passed test phy control dev passed test rtc device passed test external tcam passed test fiber ext loopback passed test copper ext loopback passed GUI Example Viewing SYSTEM INFORMATION System gt Status CREATING ALIASES Use the set alias command to create an alias that is a named variable containing the initial characters of a command line interface CLI command set alias name_str string Example Creating an ALIAS To create an alias called int_O for the get interface ethO use the set alias command o set alias int_0 get interface eth0 Oo save DELETING ALIASES To remove an alias use the unset alias command 74 4 6 4 4 6 5 4 6 6 Chapter 4 System Management unset alias name_str Example Deleting an ALIAS To remove a previously created alias
9. o setinterface eth1 ip 4 4 4 1 o setinterface eth1 zone untrust Oo save Optional To verify the new interface settings use the get interface command o get interface ethO eth1 GUI Example Configuring Interface ETH1 m Network gt Interface gt Edit for eth1 m 2Enter the following then click Apply o Zone Name Untrust o Static IP select this option when present o IP Address Netmask 10 0 0 1 24 CONFIGURING NETWORK ADDRESS TRANSLATION NAT To configure the lt NetSecure 6100 gt to support a large number of hosts on the ethO interface behind a single public IP address assigned to the eth1 interface you must configure network address translation NAT For additional information regarding NAT configurations refer to Chapter 10 Address Translation Use the set interface command to apply NAT to all packets as they pass through the ethO interface o set interface ethO nat o save Optional To verify the new interface settings execute the get interface 2 2 2 9 2 2 10 Chapter 2 Getting Started command o get interface ethO CONFIGURING THE DEFAULT ROUTE Use the set route command to configure the default route for all traffic The set route command consists of the destination network the interface name and the IP address to forward packets from that interface Using the network in Figure 2 2 as an example use the set route command to configure the lt NetSecure 6100 gt
10. Encryption Authenticated Tunnel Mode ESP Figure 7 3 Using Tunnel Mode 131 Chapter 7 Virtual Private Networks The AH protocol provides data integrity authentication and anti replay protection The AH protocol uses a secret key and a hash function either Message Digest MD5 or Secure Hash Algorithm 1 SHA 1 to authenticate the packet with a checksum calculation or hash based message authentication code HMAC Table 7 1 explains MD5 and SHA1 Table 7 1 MD5 and SHA 1 Description Hash Description Function MD5 A one way hash function This hash function takes variable length messages and formats them to a fixed length using a 16 byte key to produce a 128 bit hash SHA 1 A one way hash function This hash function takes variable length messages and formats them to a fixed length using a 20 byte key to produce a 160 bit hash The ESP protocol ensures privacy encryption source authentication and content integrity authentication ESP includes the ability to encrypt encrypt and authenticate and authenticate only where SHA 1or MD5 provides authentication Use the following encryption algorithms to encrypt Data Encryption Standard DES Uses either a 40 or 56 bit encryption algorithm Triple DES 83DES Uses a more powerful version of DES encryption Encrypts the date in three rounds with a 168 bit key Advanced Encryption Standard AES An emerging encryption standard that can
11. Messages related to normal events including administration changes m Warning Messages Events that could affect the functionality of the security appliance m Error Messages Messages that include error conditions that may exist on the security appliance Critical Messages Events that could affect functionality of the security appliance m Alert Messages Events that require immediate attention by you that include attacks against the security appliance E Emergency Messages Messages that may need immediate attention by the administrator E Debug Messages Message_ information used to diagnose or troubleshooting specific issues with the security appliance 102 Chapter 6 Logging LOG MODULES To allow for more flexible log management each of the different software components can have a unique log setting The software modules are as follows m ARP CFG m Log m Upset m NAT m Session m Policy m Route m RIP m SNMP m DoS P m RIP m FUB SRMMGR 103 Chapter 6 Logging 6 4 TRAFFIC AND EVENT LOG MANAGEMENT To get log information from the security appliance at least one destination must be specified Log destinations include m Console m Internal E E mail m Syslog m SSH 104 6 5 6 5 1 6 5 2 Chapter 6 Logging LOG MODULE SETTINGS SETTING LOG MODULES To enable logging for a specific software module use the set log module command with the software module optio
12. Out no such names Out bad values Out read onlys Out gen errs get requests Out get nexts 126 6 9 13 Chapter 6 Logging o Out set requests 0 o Out get responses 0 o Out traps 0 o Silent drops 0 o Proxy drops 0 GUI Example View the SNMP statistics o Logging gt SNMP o Select the Get SNMP Statistics Button VIEWING THE INTERFACE STATISTICS To view the interface statistics for a specific physical interface use the get counter command and specify the specific interface get counter statistics interface interface name Example To view the interface statistics for the ETHO interface o get counter statistics interface ethO o Cli gt get counter statistics interface ethO o Hardware counters for interface eth0 o dos syn drops 0 dos fin drops 0 o dos icmp drops 0 dos frag drops 0 o dos udp drops 0 dos other drops 0 o in pkts 71367 in bytes 6090575 o in reassembled pkts 0 in fragment timeout 0 o in short frames 0 in crc errors 0 o in dropped vians 0 in arp pkts 157 o in icmp pkts O in tcp pkts 1450 127 Chapter 6 Logging O O in udp pkts 0 in vlan pkts 0 in gre pkts 0 in esp pass thru pkts 0 in ah pass thru pkts 0 in bad protocol pkts 0 in policy deny 1000 in no route 0 in no sa with policy 0 in policy permit 6 in no dip O in bad policy 0 in ipsec sa fail O in ipsec crypto err 0 in ipsec esp only 0 in ipsec esp na 0 in ipsec esp a
13. Port mapping increases the number of services supported for a single address by changing the destination port in one to one NAT and many to one NAT configurations Unlike port address translation which randomly assigns the port during translation port mapping uses a policy assigned port Original Destination IP Address Translated Destination IP Address IP Packet TCP Segment or UDP Datagram Figure 10 3 Destination NAT with Port Mapping Use the set policy command with the nat dst ip and port options to specify destination NAT and port mapping in the policy set policy from zone to zone src_addr dst_addr srvc nat dst ip nat_addr port prt_nbr permit 215 Chapter 10 Address Translation 10 5 10 5 1 DESTINATION NAT CONFIGURATIONS This section describes in detail the types of destination NAT configurations you can use with the appliance This section includes the following topics H Configuring Destination NAT One to One H Configuring Destination NAT One to One with Port Mapping Configuring Destination NAT Many to One H Configuring Destination NAT Many to One with Port Mapping m Configuring Destination NAT Many to Many CONFIGURING DESTINATION NAT ONE TO ONE In a one to one destination NAT configuration a single destination address translates to a different address that the security policy specifies refer to Figure 10 4 The most common use for one to one NAT is to allow hosts on the Inter
14. The thre interface modes are NAT enabled route and transparent mode You can configure additional NAT policies such as one to one NAT many to one NAT many to many NAT and port address translation PAT through security policies For information on configuring NAT through security policies refer to Chapter 10 Address Translation CONFIGURING NAT ENABLED MODE Interfaces configured with NAT enabled mode translate the source IP address of all traffic to the IP address of the egress interface This configuration enables the appliance to hide the IP addresses of hosts on the interface configured in NAT enabled mode from remote hosts Use the set interface command with the nat option to configure NAT enabled mode on an interface set interface interface name nat displays a network diagram of an appliance with the ethO interface configured in NAT enabled mode When a host on the ethO interface needs access to information located on the Internet the source IP address of all traffic from that host is translated to the IP address of the egress interface In this case the new translated source IP address is 128 196 10 2 28 3 4 2 Chapter 3 Security Zone and Interfaces Figure 3 7 NAT Enabled Mode Example Configuring NAT Enabled Mode configure NAT enabled mode on the ethO interface of the appliance in o set interface ethO nat o save GUI Example Configuring NAT Enabled Mode o Network gt Interface gt Edit for
15. When a responding TCP packet arrives the appliance compares the information in the header with the state entries currently in the state table If the appliance finds a match it allows the responding packet to pass through the firewall If the appliance does not find a match it drops or rejects the packet Table 5 1 lists the range of network and operating system specific attacks that the security appliance can detect and defend against Table 5 1 Network and Operating System Specific Attacks Back Orifice Occurs when a hacker attempts to drop a Trojan horse Attack communicating over port 31337 onto a remote computer If the attempt is successful a hacker can take screen captures execute keyboard commands make file transfers and install applications on the victim computer Inikiller Attack Communicates over port 9989 and allows an attacker to destroy ini files on remote workstations IP Spoof An attacker forms and sends messages to a computer as if they were communicating on the same trusted network A hacker enlists a number of techniques to find a trusted host modify the IP header information and attempt to spoof ICMP Router An attacker supersedes the default route for the host by Discovery inserting a more specific route Once the new route is added Protocol IRDP an attacker can forward all traffic from the host in order to gather information launch a man in the middle attack or create a DoS by adding or rest
16. o set interface eth1 zone untrust o set interface eth1 ip 162 198 10 1 24 Addresses o set address trust nyo 192 168 100 0 24 o set address untrust San Francisco 10 0 0 0 24 VPN o setvpn to_sanfrancisco manual 1230 1230 gateway 4 4 4 1 o outgoing interface ethi esp aes128 key 1111222233334444 o auth sha 1 key 11112222333344445555666677778888 Routing o set route trust route 0 0 0 0 0 interface eth1 gateway 162 198 10 254 Policies o set policy top name vpnto_sanfrancisco from trust to untrust nyo San Francisco any tunnel vpn sfo_nyo o set policy top name vpnfrom_sanfrancisco from untrust to trust San Francisco nyo any tunnel vpn sfo_nyo 138 Oo Chapter 7 Virtual Private Networks save GUI Example Manual key VPN implementationm New York office Interfaces O O Network gt Interface gt Edit for ethernet0 Enter the following then click Apply Zone Name Trust IP Address Netmask 192 168 100 1 24 Interface Mode NAT o Network gt Interface gt Edit for eth1 Enter the following then click Apply Zone Name Untrust IP Address Netmask 162 198 10 1 24 Addresses o Objects gt Address Objects gt Add Object o Enter the following then click Apply Name NYO IP Address Netmask 192 168 100 0 24 Zone Trust o Objects gt Address Objects gt Add Object 4 Enter the following then click Apply Name San Francisco IP Address Netmask 10 0 0 0 24 Zone Untrust VPN o VPN gt Manual Key Edit 2 Enter
17. the appliance have an implicit route automatically created in the routing table Networks without an implicit route require a static route that identifies the next hop gateway and interface to forward traffic going to the destination network In Figure 8 1 a static route is configured on the appliance to forward traffic from workstations on the 10 0 0 0 24 network to a server on the 163 Chapter 8 Routing 10 0 100 0 24 network The static route identifies 10 0 0 100 as the gateway address for all traffic going to the 10 0 100 0 24 network Figure 8 1 Using a Static Route 8 1 1 ADDING STATIC ROUTES Use the set route command with the gateway and interface options to add a static route set route ip addr mask gateway ip _addr interface interface name Example Adding a static route In the network described in Figure 8 1 a static route is added to allow hosts on the 10 0 0 0 24 network to access a server with the IP address of 10 0 100 254 o set route 10 0 100 0 24 gateway 10 0 0 100 interface etho o save GUI Example Adding a static route o Network gt Routing Add o Enter the following then click Apply Network address 10 0 100 0 Netmask 24 Interface ethoO Gateway 10 0 0 100 164 Chapter 8 Routing 8 1 2 DELETING STATIC ROUTES Use the unset route command to delete a static route unset route ip _addr mask gateway ip addr interface interface name MODIFYING STATIC ROUTES To mod
18. 24 Zone Trust Objects gt Add Address Object Enter the following then click Apply Name Mktg_ Subnet IP Address Netmask 10 0 2 0 24 Zone Trust Objects gt Add Address Object Enter the following then click Apply Name Sales Subnet IP Address Netmask 10 0 3 0 24 Zone Trust Objects gt Add Address Group Enter the following then click Apply Name New_York_Office Zone Trust Go Add Fianace_Subnet Mtkg_ Subnet and Sales Subnet DELETING ADDRESS GROUPS Use the unset group command with the address option to delete and address unset group address zone grp_name NOTE You cannot delete the group if it is bound to a policy 194 9 3 7 9 3 8 Chapter 9 Policy Configuration DELETING ADDRESS OBJECTS FROM AN ADDRESS GROUP Use the unset group command with the address and remove options to remove an address object from an address group unset group address zone grp_name remove adr_obj NOTE If you remove all of the address objects out of an address group the address group name is not deleted ADDING COMMENTS TO ADDRESS GROUPS Use the set group command with the address and comment options to add a comment that describes the address group set group address zone grp_name comment text Example Adding the comment ALL DEPARTMENTS to the group object NEW_YORK_OFFICE o set group address trust New_York_Office comment All Departments Oo save GUI Example
19. Adding the comment ALL DEPARTMENTS to the group object NEW_YORK_OFFICE o Objects gt Address Groups o Enter the following then click Apply Zone Trust Go Edit New_York_Office Comment All_ Departments 195 Chapter 9 Policy Configuration 9 4 9 4 1 9 4 2 CONFIGURING SERVICE OBJECTS Service objects used in policies consist of a transport protocol and an associated port number For example FTP is associated with protocol TCP and port number 21 HTTP is TCP port 80 and SSL is TCP port 443 You can select service objects from a predefined list or you can create a custom service object This section describes how to create modify and delete address objects The following topics are included in this section m Viewing Predefined Service Objects H Configuring Custom Service Objects m Deleting Service Objects m Modifying Service Objects E Configuring Service Timeouts VIEWING PREDEFINED SERVICE OBJECTS To view predefined service objects use the get service command get service pre defined For a list of predefined services refer to Appendix Pre defined Services CONFIGURING CUSTOM SERVICE OBJECTS Use the set service command with the name protocol src port and dst port options to create a custom service object set service name_str protocol prot_type src port range dst port range Example Adding a custom service object 196 Chapter 9 Policy Configuration o set serv
20. Chapter 5 Attack Detection amp Prevention 5 4 ABOUT DENIAL OF SERVICE DOS AND DDOS ATTACKS Not all attacks attempt to gain unauthorized access into a protected network Some attacks attempt to hinder normal network activity by sending large amounts of bogus data consuming all of the resources on that host or hosts These attacks are called denial of service DoS or distributed denial of service DDoS attacks Table 5 2 lists these attacks Table 5 2 DoS and DdoS Attacks Attack Name Description Smurf Attack Fraggle Attack Swamps an Internet connection with many ICMP reply messages The attack happens when a hacker sends an ICMP request to an Internet Broadcast address causing all of the machines on that network to reply Since the IP address is likely a spoofed one access to the Internet for t he machine is cut off Very similar to a smurf attack but performed over UDP instead of ICMP Land Attack An attacker sends a packet with the same source and destination information as another machine on a network This causes the real machine on the network to think that it sent the packet to itself causing a resource slowdown SYN Flood Ping of Death Uses packets that have an unreachable source address to establish a large number of connections This type of attack exhausts all resources available on a network device so it no longer processes valid requests Sends a large IP packet request that is large
21. Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address ny_local Destination Address sf_destination Service Any Tunnel VPN From SF Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address sf_destination Destination Address ny_local Service Any Tunnel VPN From SF Example San Francisco office using IKE Chapter 7 Virtual Private Networks Interfaces o set interface ethO zone trust o set interface ethO ip 10 0 0 0 24 o set interface nat o set interface eth1 zone untrust o set interface eth1 ip 4 4 4 1 Addresses o set address trust sf_local 10 0 0 0 24 o set address untrust ny_destination 192 168 100 0 24 VPN o setike p1 proposal encryptaesp1 preshare group5 esp aes128 sha 1 o set ike p2 proposal encryptaesp2 preshare group5 esp aes128 sha 1 seconds 28800 o set ike gateway to_newyork address 162 198 10 1 main outgoing interface eth1 preshare password proposal encryptaesp1 o set vpn sfo_nyo gateway to_newyork proposal encryptaesp2 Routing o set route trust route 0 0 0 0 0 interface eth1 gateway 4 4 4 254 Policies o set policy top name vpnto_newyork from trust to untrust sf_local ny_destination and tunnel vpn sfo_nyo o set policy top name vpnfrom_newyork from untrus
22. Example To disable SNMP on the ETHO interface unset interface ethO manage snmp GUI To disable SNMP on the ETHO interface o Network gt Interface gt Edit for ethernet0 o Enter the following then click Apply Manage option Uncheck SNMP CONFIGURING THE SNMP COMMUNITY STRING To configure the SNMP community string use the set snmp community command This will allow the community string and the host IP address to be entered set snmp community string host host OID CONFIGURING THE SNMP LISTENER PORT To configure the SNMP listener port use the set snmp port command and specify the SNMP listener port the security appliance listen on set snmp port port NOTE The default SNMP listener port is 161 123 Chapter 6 Logging 6 9 4 6 9 5 6 9 6 6 9 7 6 9 8 CONFIGURING THE SNMP SYSTEM NAME To configure the SNMP system name use the set snmp name command and specify the name to be used as the system name set snmp name name_str DELETING THE SNMP SYSTEM NAME To delete the SNMP system name use the unset snmp name command unset snmp name CONFIGURING THE SNMP SYSTEM LOCATIONS To configure the SNMP system location use the set snmp location command and specify the physical location of the security appliance set snmp location location DELETING THE SNMP LOCATION To delete the SNMP location use the unset snmp location command unset snmp location CONFIGURING THE SNMP SYSTEM CONTACT
23. For any traffic that exceeds the limit the network interface might drop or delay it The security appliance uses policy control to limit the amount of traffic on a specified interface If traffic exceeds the rate that the administrator sets the security appliances drops additional packets CONFIGURING ICMP FLOOD PREVENTION To configure the rate limit for ICMP traffic for a specific zone use the set zone command with the icmp flood attack threshold option This enables you to set limits per second on the number of ICMP packets allowed through that zone to a specific host set zone zone name screen icmp flood attack threshold number Example Setting the ICMP threshold 94 5 6 2 5 6 3 Chapter 5 Attack Detection amp Prevention Set the ICMP threshold to 1 000 on the untrust zone o set zone untrust screen icmp flood attack threshold 1000 Oo save GUI Example Setting the ICMP threshold o Policy gt Attack Settings Edit Zone for unturst o Enter the following then click Apply ICMP flood attack threshold 1000 CONFIGURING UDP FLOOD PREVENTION To configure the rate limit for UDP datagrams in a specific zone use the set zone command with the udp flood attack threshold option set zone zone name screen udp flood attack threshold number This sets a rate limit for the number of UDP datagrams allowed through the zone to a specific host per second The maximum threshold for the udp flood attack t
24. Redistribute routes learned from different routing protocols such as OSPF BGP or statically configured routes into the RIP instance You can also optionally configure other RIP parameters such as the following Global parameters such as timers and trusted RIP neighbors which are set at the global level for the RIP protocol m Interface parameters such as neighbor authentication which are set on a per interface basis for the RIP protocol Security related RIP parameters which are set at either the global level or on a per interface basis see Security Configuration 170 8 6 Chapter 8 Routing ENABLING AND DISABLING RIP ON INTERFACES By default RIP is disabled on all interfaces and you must explicitly enable it on an interface When you disable RIP at the interface level RIP does not transmit or receive packets on the specified interface Interface configuration parameters are preserved when you disable RIP on an interface To enable RIP on an interface enter set interface name protocol rip enable To disable RIP on an interface enter unset interface name protocol rip GUI Example To globally enable RIP o Network gt Routing gt RIP o Enter the following RIP information then click Apply Select Enable RIP option GUI Example Reject default route leadrned by RIP o Network gt Routing gt RIP o Enter the following RIP information then click Apply Select Reject Default Route Learne
25. THE CLOCK TO USE NTP To configure automatic updates to the clock through NTP use the set clock command set clock ntp CONFIGURING THE TIME ZONE To configure the time zone setting for the clock use the set clock command The timezone number parameter represents the difference between your local time and standard Greenwich Mean Time The number can be between 12 and 12 For instance the Pacific Time zone is represented by 8 set clock timezone number Example Confiuring the CLOCK TIME ZONE to PACIFIC TIME ZONE GMT 8 o set clock timezone 8 Oo save GUI Example Confiuring the CLOCK TIME ZONE to PACIFIC TIME ZONE GMT 8 o System gt Date Time o Select the following then click Apply Set Time Zone 8 hours 4 8 Chapter 4 System Management USING DOMAIN NAME SERVICE DNS The Domain Name Service DNS host IP address allows the lt NetSecure 6100 gt to resolve or match domain names to IP addresses You must specify a DNS host in order to resolve domain names to IP addresses Use the set dns command to configure one DNS host IP address for the appliance set dns host host dns1 dns2 You can configure additional DNS host IP addresses as necessary GUI Example Confiuring the CLOCK TIME ZONE to PACIFIC TIME ZONE GMT 8 o setdns host dns1 206 13 31 12 Oo save GUI Example Setting the primary DNS host IP address as 206 13 31 12 o Interface gt DNS o Enter the followi
26. Table 6 10 ICMP Group Scalars Object Name Value Type tcpRtoAlgorithm INTEGER tcpRtoMin Integer32 tcpRtoMax Integer32 tcpMaxConn Integer32 tcpActiveOpens Counter32 tcpPassiveOpens Counter32 tcpAttemptFails Counter32 tcpEstabResets Counter32 tcpCurrEstab Counter32 6 8 10 TCP CONNECTION Table 6 11 shows the TCP Connection Table Table 6 11 TCP Connection Table Object Name Value Type tcpConnState INTEGER tcpConnLocalAddress lpAddress tcpConnLocalPort INTEGER tcoConnRemAddress lpAddress tcoConnRemPort INTEGER 118 Chapter 6 Logging 6 8 11 UDP GROUP SCALARS Table 6 12 shows the UDP Scalars Table Table 6 12 UDP Scalars Table Object Name Value Type udpInDatagrams Counter32 udpNoPorts Counter32 udpInErrors Counter32 udpOutDatagrams Counter32 6 8 12 UDP LISTENER Table 6 13 shows the UDP Listener Table Table 6 13 UDP Listener Table Object Name Value Type udpLocalAddress lpAddress udpLocalPort INTEGER 6 8 13 SNMP GROUP Table 6 14 shows the SNMP Group Table Table 6 14 SNMP Group Table Object Name Value Type snmpInPkts Counter32 snmpOutPkts Counter32 snmpInBadVersions Counter32 snmpInBadCommunityNames Counter32 snmpInBadCommunityUses Counter32 snmpInASNParseErrs Counter32 119 Chapter 6 Logging Object Name Value Type snmpInNoSuchNames Counter32 snmpIinBadValues Counter32
27. Trust Zone Urtrust Default Gateway 10 06 04 a Viockstation A IP Management IP Internet 10 0 0 250 Bro 1400254 Figure 3 9 Transparent Mode Transparent Mode Management In order to manage the lt NetSecure 6100 gt through the network you must configure a management interface In Transparent mode the logical management interface brO is utilized NOTE On the 2 port appliances brO represents both ethO and eth1 as a logical interface and is specifically designed to be used for management traffic while in Transparent mode NOTE On all other appliances with 8 ports this translates to 4 bridge ports brO ethO and eth4 bri eth1 and eth5 br2 eth2 and eth6 and br3 eth3 and eth7 These ports can configured independently ethO and eth4 in Transparent mode eth1 2 3 5 6 7 in Route Nat mode or you can configure all 4 bridge ports in a complex Transparent mode design These bridge to ports assignments are hard coded within the appliance and cannot be modified In addition to configuring the brO management interface a default route is required to be configured in order for the lt NetSecure 6100 gt to communicate to host s that are outside its immediate network subnet For example if SNMP or SSH is required from a host that is somewhere on the Internet the lt NetSecure 6100 gt will need a route configured to the default gateway If the host requesting the management traffic exists somewhere deep within the LAN network a
28. WARRANTIES EXPRESSED OR IMPLIED THERE ARE NO WARRANTIES THAT EXTEND BEYOND THE FACE HEREOF INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND IN NO EVENT SHALL TAINET BE LIABLE FOR CONSEQUENTIAL DAMAGES If DISTRIBUTOR extends to its customers any additional warranty with respect to Products that is broader in scope than the warranty provided by TAINET DISTRIBUTOR shall be solely responsible for any and all liabilities obligations and damages resulting from the extension of such warranty TAINET shall not be liable to any person for any special or indirect damages including but not limited to lost profits from any cause whatsoever arising from or in any way connected with the manufacture sale handling repair maintenance or use of the Products and in no event shall TAINET s liability exceed the purchase price of the Products Software Products are provided as is and without warranty of any kind TAINET disclaims all warranties including the implied warranties of merchantability and fitness for a particular purpose TAINET shall not be liable for any loss of use interruption of business or indirect special incidental or consequential damages of any kind TAINET shall do its best to provide end users with Software updates during the warranty period under this Agreement iv NetSecure 6100 Users Manual TAINET has not been notified of any intellectual property rights or othe
29. a policy that allows HTTP traffic initiated from Host A in the trust zone to Server B in the untrust zone using the following command o set policy from trust to untrust Host _A Server_B http permit o save If Server B initiates an HTTP connection the appliance drops the packet since no configured policy allows any HTTP requests from the untrust zone to the trust zone Figure 9 2 Interzone Policy oa Ys N ip a SK S Trust Zone f Untrust Zone f HTTP Request f ae Security Appliance YA HTTP Request A NetSecure6100 XX Host A J NS Server B J N Figure 9 2 Interzone Policy CONFIGURING INTRAZONE POLICIES Intrazone policies control traffic to and from all hosts within the same zone By default all hosts configured in the same zone can communicate Therefore a policy allowing communication between hosts within a zone is unnecessary In Figure 9 3 intrazone blocking is enabled to restrict hosts from communicating with each other Intrazone blocking denies all traffic between two or more subnets configured to be in the same zone Use the set zone command with the block option to block intrazone communication set zone name_str block NOTE Intrazone blocking is disabled by default All communication among hosts on a zone is allowed 179 Chapter 9 Policy Configuration 9 1 2 3 CONFIGURING GLOBAL POLICIES Global policies are not assigned to a specific zone and e
30. disable SSH on a specific interface use the unset ssh command unset ssh enabled interface interface name VIEWING SSH SETTINGS To view users who log in using SSH or to view the host key currently used for SSH use the get ssh command get ssh host key report Chapter4 System Management 4 3 4 3 1 MANAGING USERS FOR THE lt NetSecure 6100 gt The lt NetSecure 6100 gt has a single global administrator account with the user name admin This account has the following administrative privileges Manage the root system of the appliance Add remove and manage all other administrators Establish and manage virtual systems and assign physical or logical interfaces to them Add remove and manage security zones Assign interfaces to security zones Perform asset recovery Reset the device to its default settings Update the firmware Load configuration files Clear all active sessions of additional read only users CHANGING YOUR ADMINISTRATOR PASSWORD Since all lt NetSecure 6100 gt appliances come pre configured with the same password you must change the admin password to create a unique password for your organization Use the set admin command set admin password password_str NOTE You cannot change the administrator user name admin GUI Example Changing the ADMINISTRATOR password o System gt Admin gt Administrators Chapter 4 System Management o Enter the following password
31. eth0 o Enter the following then click Apply Interface Mode NAT CONFIGURING ROUTE MODE Route mode maintains the source IP address of all traffic as it traverses across interfaces Route mode requires that all interfaces have a unique IP address and netmask By default all newly configured interfaces are in route mode Use the set interface command with the route option to configure route mode on an interface set interface interface name route NOTE To change the interface mode from NAT Mode to Route Mode use the set interface interface name route Example Configure Route mode 29 Chapter3 Security Zone and Interfaces Configure route mode on the ethO and eth1 interfaces of the appliance displayed in Figure 3 8 o set interface ethO route o set interface eth1 route o save GUI Example Configure Route mode o Network gt Interface gt Edit for eth0 o Enter the following then click Apply Interface Mode Route o Network gt Interface gt Edit for eth1 o Enter the following then click Apply Interface Mode Route Figure 3 8 Route Mode All traffic from ethO to eth1 and from eth1 to ethO maintains their original source IP addresses 3 4 3 Chapter 3 Security Zone and Interfaces VIEWING INTERFACE INFORMATION Use the get interface command to display interface information The following information appears for each physical and logical interface Name The name assigned to the in
32. hash Media Access Control MAC Address The hardware address that uniquely defines each Ethernet interface in use on a local area network LAN The MAC address commonly refers to the Ethernet address or a node on a LAN When connected to the Internet the MAC address tracks the IP address of a node The lt NetSecure 6100 gt software creates a table that references the MAC address to a known IP address NAT Traversal NAT T Network Address Translation method that allows IP Security IPsec packets to pass through a NAT device that might be along its path by detecting and encapsulating the Internet Key Exchange IKE packets as User Datagram Protocol UDP The most common port used to perform NAT T is UDP port 500 Netmask Identifies the sub network and the hosts that are available An example 10 0 0 0 255 255 255 0 10 0 0 0 24 refers to all hosts in the 10 0 0 0 subnet Network Address Translation NAT A standard that allows machines on a local area network LAN to use a set of IP addresses for internal use and another IP address or set of addresses to access external traffic Most NAT devices are used to enable multiple machines on a LAN to access the Internet using a single external address 239 Appendix B Glossary Network Time Protocol NTP Protocol built on top of TCP IP and used to synchronize local timekeeping with reference to radio atomic or other clocks located on the Internet This protocol is capable of provi
33. in November 1994 by RFC 1723 which describes RIP 2 the second version of RIP These RFCs described an extension of RIP s capabilities but did not attempt to obsolete the previous version of RIP RIP 2 enabled RIP messages to carry more information which permitted the use of a simple authentication mechanism to secure table updates Any host that uses RIP is assumed to have interfaces to one or more networks These are referred to as its directly connected networks The protocol relies on access to certain information about each of these networks There are different types of RIP packets Explaining the processing of IP datagrams and fragments is beyond the scope of this document RIPv2 enables RIP messages to carry more information which permits the use of a simple authentication mechanism to secure table updates More importantly RIPv2 supports subnet masks a critical feature that was not available in RIPv1 169 Chapter 8 Routing 8 5 CONFIGURING RIP The following describes configuration steps for RIP By default RIP is disabled Virtual Router VR is currently not supported thus there is only one instance of RIP running at one time on a lt NetSecure 6100 gt This section describes the following basic steps to configure RIP on a lt NetSecure 6100 gt m Enable the RIP instance globally m Enable RIP on interfaces that connect to other RIP routers Configure remote RIP neighbors across IPSec tunnels m
34. interface Enter the following address information then click Apply Type eth1 IP address 1 1 1 1 type eth1 Netmask 24 Type eth1 manage ip 1 1 1 102 CONFIGURING HA PRIORITY VALUES 1 TO 254 The priority of the device sets whether the device will be primary or secondary The number closest to 1 will be designated primary On Node set ha priority 10 hb interval 1000 hb threshold 3 grat arp 4 On Node 2 set ha priority 20 hb interval 1000 hb threshold 3 grat arp 4 hb interval is the heart beat interval in milliseconds and can be up to 1000 hb threshold is the number of unsuccessful tries before fail over happens grat arp is the number of gratuitous arps a device sends when transitioning between primary and secondary After setting the initial parameters HA should be enabled by running the following command on both designated primary and secondary nodes 223 Chapter 11 High Availability o set ha config sync o getha link NOTE The get command shows HA link information GUI Example Set HA interface and WAN port for node o HA gt Configuration o Enter the following HA information then click Apply Select HA Interface ethO Select WAN Port eth1 Type Peer ip 192 168 1 102 GUI Example HA interface and WAN port for node 2 o HA gt Configuration o Enter the following HA information then click Apply Select HA Interface ethO Select WAN Port eth1 Type Peer ip 192 168 1 101 GUI Example Set HA
35. network LAN segment As traffic is sent to a hub port the hub port forwards it to all other ports on the hub so all other network devices can view that traffic Internet Control Message Protocol ICMP An extension of IP used to report packet errors and control or transmit information Ping is an example of an ICMP message that is used to test connectivity of a device Internet A network that allows millions of computers to be connected as a single global network Originally developed by the U S Defense Department the Internet was designed as a way to prevent communication breakdown in the event of nuclear war Today the Internet is used as a way to share information including e mail files and newsgroups Internet Key Exchange IKE A method used to exchange keys to encrypt and authenticate data over an unsecured medium such as the Internet Internet Protocol IP Protocol that specifies the format for a packet also called a datagram Datagrams are commonly used in connectionless best effort delivery systems like the Internet IP defines how information is passed between systems across a network IP Address A32 bit numeric address with four spaces usually separated by a period that identifies a node or network device An IP address can be a combination of four numbers from O through 255 For example 172 16 31 2 represents an IP address IP Security IPsec A set of protocols developed by the Internet Engineering Task Forc
36. packets from your machine to an Internet host showing you the number of hops and time required to reach the host along the path To execute the trace route command o trace route ip _addr dom_name Example TRACEROUTE www yahoo com o trace route www yahoo com GUI Example TRACEROUTE www yahoo com o System gt Tools o Enter the following then click Apply Diagnostic Tool Traceroute Traceroute www yahoo com Chapter 5 Attack Detection amp Prevention Chapter 5 Attack Detection amp Prevention This chapter describes different types of denial of service DoS and distributed denial of service DDoS attacks that can affect the lt NetSecure 6100 gt It also describes how you can prevent such attacks and how to configure attack prevention options This chapter includes the following topics m Network Attacks m Attack Stages m Detecting an Attack m Preventing Network Port Attacks m About Denial of Service DoS and DDoS Attacks m Preventing Network Port Attacks m Additional Attack Detection and Prevention m Viewing Attack Settings 5 1 NETWORK ATTACKS Attackers invade a protected network for any of the following reasons To gather information about the hosts on the protected network including details about o Topology of the network o Number of active hosts on the network o Different services or ports available on an active host o Type of operating system on the active machines 85
37. range of IP addresses that DHCP assigns Each client computer on the LAN has its TCP IP software configured to request an IP address from the DHCP server This protocol reduces the work necessary to administer a large IP network Encryption The ability for a network device to translate data into a secret code Encryption is an effective way to protect data so that only the intended recipient can decode it All encryption uses a public private key pairing so that a user can encrypt and decrypt the specific data A device allows encryption using the private key and only users with the public key can decrypt that information Encapsulating Security Payload ESP AH Protocol that defines the IP security 236 Appendix B Glossary used for the protocol IP Security IPsec IPsec defines the keys algorithms and networks that are encrypted ESP provides both authentication and encryption while AH or Authentication provides only authentication ESP is defined as protocol 50 Ethernet A local area network LAN technology developed by Xerox Corporation along with DEC and Intel in the 1970s Ethernet is a best effort technology that uses Carrier Sense Multiple Access Collision Detection CSMA CD technology Ethernet is flexible and can run over a variety of cables including coaxial thin coaxial twisted pair and fiber optic Ethernet defines the standard for which computers connect in a LAN segment Extended Authentication XAUTH A method t
38. specified manual key VPN tunnel NOTE Manual key VPN requires two policies for each VPN tunnel one policy that allows encryption and decryption on ingress traffic and another policy that allows encryption and decryption on egress traffic Manual Key VPN funnel Scetiiogy SF jenni iP P NY iath 62 t08 1 mewy 4 S4 swew 54 Figure 7 5 Example of Manual Key VPN Table 7 4 Example of Encryption and Authentication Settings Manual Key Setting Value Encryption AES128 Authentication SHA 1 Protocol ESP Local SPI 1230 Remote SPI 1230 Encryption Key 11112222333344445555666677778888 Authentication Key 111122223333444455556666777788889999aaaa Follow these steps to configure the required VPN tunnels in Table 7 2 Define your security zone and interface IP Create address objects for the local and remote end points m Define the remote gateway and SPI to be used refer to Table 7 2 Define the authentication and encryption keys to be used refer to Table 7 2 E Seta route for the VPN Chapter 7 Virtual Private Networks Create policies to allow traffic to ingress and egress though the newly created VPN tunnel Example Manual key VPN implementationm New York office Refer to Figure 7 4 and Figure 7 5 for the following example of a manual key VPN implementation Interfaces o set interface ethO zone trust o set interface ethO ip 192 168 100 1 24 o set interface nat
39. start 00 00 stop 23 59 comment Block weekend Internet access o set policy from trust to untrust any any any deny schedule weekend 205 Chapter 9 Policy Configuration 9 6 4 9 6 5 oO save GUI Example Create a recurring schedule E O Objects gt Add Schedule Enter the following then click Apply Name weekend Comment Block weekend Internet access Recurring Sunday start 00 00 Sunday end 23 59 Saturday start 00 00 Saturday end 23 59 Policy gt Add Policy Enter the following then click Apply Location Action Deny Source Zone Trust Destination Zone Untrust Source Address any Destination Address any Service any Schedule weekend DELETING SCHEDULES To delete a schedule use the unset scheduler command unset scheduler name_str VIEWING SCHEDULES Use the get scheduler command with the once recurrent or name options to view all configured schedules oO get scheduler once Chapter 9 Policy Configuration o get scheduler recurrent o get scheduler name_str 207 Chapter 10 Address Translation Chapter 10 Address Translation This chapter describes the different methods of address translation that you can enable for traffic passing through the appliance This chapter includes the following topics Network Address Translation Configuring Source Network Address Translation Source NAT Configurations Configuring Destination NAT and Port M
40. static route may have to be added Note brO responds to request on both the Untrust and Trust zone and therefore if 34 3 4 4 2 2 Chapter 3 Security Zone and Interfaces filtering of the management request is required then the Manage ip function should be used Following is the CLI example for Figure 3 9 o set zone name Accounting o set zone name Finance o set interface ethO ip 0 0 0 0 0 o set interface ethO transparent o set interface ethO zone trust o set interface eth1 ip 0 0 0 0 0 o setinterface eth1 transparent o set interface eth1 zone untrust o set interface brO ip 10 0 0 254 24 o set interface brO manage ping o set route 0 0 0 0 0 interface brO gateway 10 0 0 1 o set policy from trust to untrust any any any permit o set policy from untrust to trust any any any deny Transparent Mode VLAN Filtering Some network administrators desire the ability to apply security policies between various VLAN networks Due to the performance hit that most L3 switches take when doing L3 L4 ACL filtering administrators are less likely to utilize their core switches for such task The lt NetSecure 6100 gt can be deployed in such environments and be utilized as a VLAN policy enforcer The lt NetSecure 6100 gt can be placed directly between the VLAN switch trunk and the external VLAN router it can then intercept recognize various VLAN tagged packets and apply zone based policies to these types of traffic This i
41. these situations you might want to disable split horizon This applies to IGRP and RIP If an interface is configured with secondary IP addresses and split horizon is enabled updates might not be sourced by every secondary address One routing update is sourced per network number unless split horizon is disabled 173 Chapter 8 Routing 8 9 ENABLE RIP AUTHENTICATION RIP Version 1 does not support authentication If you are sending and receiving RIP Version 2 packets you can enable RIP authentication on an interface The lt NetSecure 6100 gt VPN Firewall supports two modes of authentication on an interface for which RIP authentication is enabled plain text authentication and MD5 authentication The default authentication in every RIP Version 2 packet is none 174 8 10 Chapter 8 Routing ACCEPTING PACKETS WITH NON ZERO RESERVED FIELDS Some of the reserved fields in RIP version 1 packets must be zero while in RIP version 2 packets most of these reserved fields can contain nonzero values By default RIP discards version 1 packets that have nonzero values in the reserved fields and version 2 packets that have nonzero values in the fields that must be zero This default behavior implements RIP v1 2 specifications 175 Chapter 9 Policy Configuration Chapter 9 Policy Configuration This chapter describes how to create and apply security policies This chapter includes the following topics 9 1 a Abou
42. 0 24 Untrust Untrust IKE Gateway GWA 10 0 0 100 GWB 172 16 10 100 Policies local_lan gt peer_lan local_lan gt peer_lan any service vpn1 any service vpn1 peer_lan gt local_lan peer_lan gt local_lan any service vpn1 any service vpn1 Management Interface The BrO 10 0 0 110 Zone BrO 172 16 10 100 brO interface must be on the Untrust Zone Untrust Untrust Zone This determines the direction in which the encrypted traffic will flow Configuration Elements VF4000 A VF4000 B External Router IP 10 0 0 5 172 16 10 5 Default Route 0 0 0 0 0 eth brO 0 0 0 0 0eth brO gateway 10 0 0 5 gateway 172 16 10 5 7 3 4 CONFIGURATION OF VF A o set interface brO ip 10 0 0 100 24 o set interface brO zone untrust o set interface ethO ip 0 0 0 0 0 o set interface ethO transparent o setinterface ethO zone trust o setinterface eth1 ip 0 0 0 0 0 156 Chapter 7 Virtual Private Networks o setinterface eth1 transparent o setinterface eth1 zone untrust o set route 0 0 0 0 0 interface brO gateway 10 0 0 5 metric 1 o set address trust local_lan 10 0 0 0 24 o set address untrust peer_lan 172 16 10 0 24 o set ike gateway gw1 address 172 16 10 100 main outgoing interface brO preshare o password sec level compatible o set vpn vpni gateway gw1 sec level compatible o set policy top from trust to untrust local_lan peer_lan any tunnel vpn o vpn o set policy top from untrust
43. 1 Network gt Route Add Enter the following then click Apply Network Address 0 0 0 0 Netmask 0 Interface eth1 Gateway 4 4 4 254 Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address sf_local Destination Address ny_destination Service Any Tunnel VPN From SF Policy gt Configuration Edit Enter the following then click Apply Enable Policy 153 Chapter 7 Virtual Private Networks 7 3 2 1 7 3 2 2 Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address ny_ destination Destination Address sf_local Service Any Tunnel VPN From SF DELETING AN IKE VPN TUNNEL To delete an IKE VPN tunnel you will use the unset ike command to delete phase 1 and unset vpn command to delete phase 2 O O unset ike gateway name_str unset vpn name_str MODIFYING AN IKE VPN TUNNEL To modify an IKE VPN tunnel you must first delete the tunnel information and re add the tunnel with the appropriate changes Example Modifying an IKE VPN tunnel To change the VPN tunnel name on a previously created VPN tunnel from to_newyork to New_York O O unset ike gateway to_newyork unset vpn sfo_nyo set ike gateway New_York address 162 198 10 1 main outgoing interface eth1 preshare password proposal encryptaesp1 set vpn sfo_
44. 100 Backup1 Backup2 Timeout 3 Account Type xauth Source Interface RADIUS shared secret test RADIUS server port 1812 RADIUS of retry 1 cli gt Figure 3 12 shows a primary and secondary RADIUS server using the following attributes Figure 3 12 Configuring a Primary and Secondary RADIUS Server m Auth_name security m Primary RADIUS server IP 10 0 0 250 Secondary RADIUS server IP 10 0 0 251 m RADIUS Shared Secret password m RADIUS Timeout 5 m RADIUS Port 1850 m RADIUS Retry 3 51 Chapter3 Security Zone and Interfaces m RADIUS SRC Interface ethO To configure the following RADIUS attributes follow these steps set auth server security server name 10 0 0 250 set auth server security backup1 10 0 0 251 set auth server security radius secret password set auth server security radius timeout 5 set auth server security radius port 1850 set auth server security radius retries 3 set auth server security src interface ethO save GUI Example Configuring a Primary and Secondary RADIUS server 1 System gt Authentication gt Add Authentication Server 2 Enter the following RADIUS information and click Apply m O Type Name Test Type IP Domain 10 0 0 250 Type backup1 10 0 0 251 Type shared secret password Type RADIUS port 1850 Type RADIUS timeout 5 Type number of retries 3 3 Select the ethO interface To view the RADIUS server settings use the get
45. 15Transmission Group DOT3STATS Table ccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaaees 120 Table 6 16 Transmission Group DOT3COLLISION Table ceeecceseeeeeeeeeeeeeeeeeeeeaees 121 Table 7 1 MD5 and SHA 1 Description cccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaaeeeeeeeeeeeeeseeeeaeaees 132 Table 7 2 Required Manual Key VPN ParameterS 22 eeeeeeeeeeeeeeeeeeenneeeeeeeeeeeeeeeneeaaees 135 Table 7 3 Policy Requirements for Manual Key VPN cccceeeeeeeeeeeeeneeeeeeeeeeeeeeeeeeaaees 136 Table 7 4 Example of Encryption and Authentication Settings ssssssssssseeseeeeeeees 137 Table 7 5 Required Phase 1 and Phase 2 IKE Proposal SettingS cceceeeeeteeeeeeees 145 Table 7 6 IKE Encryption and Authentication Settings cccceceeeeeeeeeeeneeeeeeeeeeeeeeeenaees 146 Table 9 1 Addresses and Zones ccccceeeessseeeceeeeeeeeeeseeseeeaeaeeeeeeeeessnsaeeeaaeeeeesseeeenseeaees 181 Table 9 2 One time Schedule aj ccmesectc ete cess ce teaete cet catecchiaeiaceiecete ce dpapbanrissetn cclieebabe tasers te cets 204 Table 9 3 Rec rning SCM COUN Geass tesen cay eet nienie bape y em cticen hae te ey bape cy Sapee ee teehee ices teen 204 Table A 1 Pre defined Service eeeccccceecceeeeeeeeecceeeeeeeeeeeeeeeaaeeeeeeeeeeeeesenaaaaaeeeeeeeeeeeeeennaaaees 233 Table A 2 Protocol Sicer A E A aaa eauarnaaee 234 Chapter 1 Overview Chapter 1 Overview The N
46. 4 8 4 4 9 Chapter 4 System Management Example Saving the configuration file for EXPORT The following example saves the configuration file to a server at IP address 192 168 0 3 from the ethd interface with the filename mttcurrent txt save config from flash to tftp 192 168 0 3 mttflash txt GUI Example Saving the configuration file for EXPORT o System gt Configuration o TFTP Server Address 192 168 0 3 o File Name mttflash txt o Select the save configuration button VIEW THE RUNNING CONFIGURATION To view the current running configuration stored on the flash use the get config command get config VIEW THE SAVED CONFIGURATION To view the current saved configuration stored in the flash use the get config command with the saved option get config saved GUI Example View the saved configuration o System gt Configuration o Select the Display Configuration button 69 Chapter4 System Management 4 5 4 5 1 4 5 2 RESETTING AND RESTARTING THE lt NetSecure 6100 gt This section describes how to reset the appliance and associated hardware and software as well as how to restart the lt NetSecure 6100 gt This section includes the following topics m Resetting the Appliance Resetting the Software m Restarting the lt NetSecure 6100 gt RESETTING THE APPLIANCE You can use one of the following methods to reset the appliance to its default configuration m If you have manage
47. AN traffic through the security appliance a subinterface is required For every VLAN a subinterface is configured on the corresponding physical interface of the appliance Figure 3 6 displays the location of the ethO and eth1 interfaces on the lt NetSecure 6100 gt Figure 3 6 EthO and Eth1 Locations eth ath sole ae 28 os Copper SFP Copper SFP This section describes the commands used to configure interfaces bind them to a security zone and move them between zones This section also describes performing the same tasks with subinterfaces This section includes the following topics a Configuring Interfaces a Binding Interfaces to a Security Zone a Moving Interfaces between Security Zones a Configuring Subinterfaces a Deleting Subinterfaces CONFIGURING INTERFACES Use the set interface command with the ip option to assign an IP address and netmask to the interfaces on the appliance o set interface interface name ip ip _addr mask 23 Chapter3 Security Zone and Interfaces 3 3 2 Example Configuring the ETHO interface with the IP address 10 0 0 1 24 o setinterface ethO ip 10 0 0 1 24 Oo save GUI Example Configuring the ETHO interface with the IP address 10 0 0 1 24 o Network gt Interface gt Edit eth0 o Enter the following address information then click Apply Type Interface IP 10 0 0 1 Type Netmask 24 By default the interface belongs to the trust zone and is placed in ro
48. AURO m N Tunwet intiatioe Ropet Marte Passo OF onset Nempe Erte gt n ane Peor RADIUS Chasags Rept Kone Penrod Pr RADIJ ChatengeReqnonse Pel veteateso a oritorkn enone RADIUS P emonse 1 User tries to establish a VPN Tunnel with the security appliance 2 The security appliance prompts the remote user for a username and password 3 6 2 10 11 12 Chapter 3 Security Zone and Interfaces User provides his username and password to the security appliance The security appliance queries the RADIUS server to verify the authentication The RADIUS server verifies the username and password and if they are correct sends a RADIUS Challenge message to the security appliance The security appliance sends the Challenge message to the user User responds to the Challenge question by entering other information in thisexample a Pin code The RADIUS server can be used to authenticate the pin code itself or optionally use a 3 party authentication server to authenticate the pin code In this example there is a 3 party server and the RADIUS server connects to the 3 party to verify the pin code The 3 party server verifies the pin code and gives verification response The RADIUS server sends RADIUS Response to the security appliance The security appliance sends XAUTH response to User VPN Client User VPN Client acknowledges RADIUS CLIENT ATTRIBUTES To allow
49. AVAILABILITY High Availability HA provides continuous service to end users when link and or node failures occur HA functionality interfaces with almost all subsystems of the product HA functionality includes three interacting state machines to provide heartbeat election and synchronization functions Synchronization is accomplished over a TCP session using a custom protocol to synchronize configuration data between the two nodes 219 Chapter 11 High Availability 11 2 SOFTWARE ARCHITECTURE OVERVIEW Figure 11 1 illustrates the high level view of a two node redundant system to synchronize state information between the nodes Heartbeat FSM UDP via eth port Primary Node A CLI parameter for HA Secondary Node B Node Election FSM triggered by Heartbeat JP DOWN events Data Synchronization FSM HA port EthX TCP based Physical IP IPA Primary sends data to secondary HA port EthX Manage IP IPM Physical IP IPB Figure 11 1 High Availability Functionality Implemented through Custom Finite State Machines FSM 220 11 3 CLI COMMANDS Chapter 11 High Availability Following is a partial list of supported HA commands For more complete information on these commands see the CLI Reference Guide Command get ha link set unset ha config sync set ha preempt set ha priority set ha interface Description Displays HA link information Enables or disables synchronization between member
50. Al E Back orifice Bg iIni killer m Netbus Netspy Priority m Ripper m Senna spy m 8 Small server E Seb seven E Striker NOTE In addition you set the global port attack option to all to prevent all attacks listed above Alternatively you can set the global port attack option to none to disable attack prevention Example Preventing network port attacks To enable all network port attack detection and prevention for the global zone o set policy global port attack all 92 Chapter 5 Attack Detection amp Prevention Oo save GUI Example Preventing network port attacks o Policy gt Attack Configuration Global o Select the following then click Apply Check All To unset port attacks use the unset policy global command o unset policy global port attack attack_str Oo save 93 Chapter 5 Attack Detection amp Prevention 5 6 5 6 1 CONFIGURING THE lt NetSecure 6100 gt TO DEFEND AGAINST DOS AND DDOS ATTACKS Rate limiting is the most common method to defend against DoS and DDoS attacks refer to Figure 5 1 for an example of a DoS attack You can configure options on the appliance to apply various rate limits to ICMP TCP and UDP traffic Figure 5 1 Example of a DoS Attack Rate limiting is a function in which a network interface limits the number of packets sent or received allowing traffic that is less than or equal to the rate to be sent
51. CONFIGURING MAXIMUM TRANSMISSION UNIT MTU SETTINGS 41 3 5 2 CONFIGURING INTERFACE LINK UP DOWN eececesecsseceseceseceseceseeeseeeseeeeeeseaeeeaeeeaeeeaaes 42 3 5 3 CONFIGURING ADDRESS RESOLUTION PROTOCOL ARP ee eeceeeeeeeeeeeeeeeeneeeaees 42 3 6 AUTHENTICATION USING RADIUS 5 tescissorcasinieesastinssnegnuisatasncceabeansachinieadssaseuscsashoudsoattnas 46 3 6 1 HOW THE RADIUS CHALLENGE RESPONSE MODE WORKS cee eeceseeeceeeneeeneeeneeenees 46 3 6 2 RADIUS CLIENT ATTRIBUTES vieoe teisiin ane aep dices EAEEREN 47 36 3 RADIUS BACKUP SERVER victvcsessctecivesstonsaesssesdesbinesstaetskedeneluieaststacsdvsbivesssaataeds EEEN E EKES 50 3 7 ALTERNATE CONNECTION METHODS jo iscisssssscssenvesaitassancesaseacedoasseccesustesessanndoassasusencsas 54 3 7 1 PPPoE POINT TO POINT PROTOCOL OVER ETHERNET 0 ceeceecceeceeseeeseeeeeeeeeeeneeeeeenaes 54 3 1 2 SETTING UP PPPOB amp s cc saiesictsctcesisyategsietaadestedtaccaaishgenusiieses eie tess Rl ee sakes iad eee eet 54 CHAPTER 4 SYSTEM MANAGEMENT ccccsssssscsssccssccssssssssscsssscssscssssssseees D7 4 1 USING THE CONSOLE TO MANAGE THE lt NETSECURE 6100 cceeeseeseeeeeeeeeeeeeeeees 57 4 1 1 ABOUT CONSOLE CABLE REQUIREMENTS 1 0 0 ciceescescesecsseceeeeseeeeeeeseneeeseeeaeecaaecsaeceaeeaeens 58 41 2 ACCESSING THE CONSOLE sicccctcc steven adiahec decane sauteed ate sals REEERE tieeboeetteneeaiuus 59 4 1 3 RE ENABLING THE CONSOLE INTERFACE 1 0 ccceeccceseceseceseceseeeeeeeee
52. Chapter 5 Attack Detection amp Prevention To try to overwhelm the network with bogus traffic to induce a denial of service To cause damage to or steal data from a protected host To gain access to a protected host to steal confidential information To gain access to a protected host to launch additional attacks To gain control of the firewall access control list 86 Chapter 5 Attack Detection amp Prevention 5 2 ATTACK STAGES Attacks usually happen in two steps m The attacker gathers information by o Performing an IP address sweep to determine which hosts on the network are active o Determining the active ports on host found during the IP address sweep o Determining the current operating system of the host and weaknesses in that operating system m The attacker launches the attack by o Concealing the attack o Executing the attack o Removing or hiding evidence of the attack Chapter 5 Attack Detection amp Prevention 5 3 DETECTING AN ATTACK To prevent hackers from exploiting a network the appliance uses stateful inspection to dynamically filter and secure all network connections Stateful inspection enables the appliance to note components in the IP packet and TCP segment headers including the source and destination IP addresses source and destination ports and packet sequence numbers This information maintains the state of each TCP session and UDP session traversing a security policy
53. D From To Src address Dst address Service Action State ENABLE POLICY LOGGING By default logging per policy is disabled To enable policy logging use the set policy command with the log option set policy from src_zone to dst_zone src_addr dst_addr srvc permit deny reject For additional information about logging refer to Chapter 1 Overview 9 3 9 3 1 Chapter 9 Policy Configuration CONFIGURING ADDRESS OBJECTS Before you can configure any policies to deny or permit access to or from a host or network you must create address objects and assign them to a zone These objects can be a single host a subnet or a group of multiple address objects This section describes how to create modify and delete address objects The following topics are included in this section Creating Address Objects m Deleting Address Objects m Modifying Address Objects m Creating Address Groups m Adding Objects to an Address Group m Deleting Address Groups m Adding Comments to Address Groups CREATING ADDRESS OBJECTS All address objects bind to a security zone specified during creation Use the set address command to create host objects or subnet objects which are defined by an IP address and subnet mask set address zone name_str ip_addr mask NOTE The pre defined address object any refers to all hosts in that zone Example Creating an address object Chapter 9 Policy Configuration Figure 9 4 A
54. HE lt NetSecure 6100 gt For secure remote management of the security appliance use an SSH program such as SecureCRT from Van Dyke Technologies Inc Before you can establish an SSH session with the appliance you must generate an SSH host key and enable SSH on the specified interface as described in this section GENERATING SSH HOST KEYS To encrypt an SSH session use the exec ssh command to generate an SSH host key exec ssh gen hostkey ENABLE SSH GLOBALLY After generating the SSH Hostkey ssh must be enabled globally on the lt NetSecure 6100 gt set ssh enable ENABLING SSH ON A SPECIFIC INTERFACE You can enable SSH management on any interface To enable SSH on a specific interface use set ssh command with the interface option set ssh enabled interface interface name Example Enabling SSH on the ETHO interface o setinterface ethO manage ssh 62 4 2 4 4 2 5 Chapter 4 System Management Oo save GUI Example Enabling SSH on the ETHO interface o Network gt Interface gt Edit for ethernet0 o Select the following then click Apply Management Option SSH Example Enable SSH on a VLAN interface ETH0 100 o set ssh enabled interface eth0 100 Oo save GUI Example Enable SSH on a VLAN interface ETHO0 100 o Network gt Interface gt Edit for ethernet0 100 o Select the following then click Apply Management Option SSH DISABLING SSH ON A SPECIFIC INTERFACE To
55. Headquarters No 25 Alley 15 Lane 120 Sec 1 Nei Hu Rd Taipei 114 Taiwan TEL 886 2 26583000 FAX 886 2 26583232 Beijing Branch 3F A Building 113 Zhi Chun Lu HaiDian District Beijing China Zip Code 100086 TEL 86 10 62522081 87 FAX 86 10 62522077 USER S MANUAL Hi Performance Network Security Solution NetSecure 6100 Version 1 0 Date 2007 1 10 P N 0700800097 NetSecure 6100 Users Manual Copyright 2007 TAINET Communication System Corp All rights reserved Notice This document is protected by the international copyright law No part of this publication may be reproduced by any means without the expressed permission of Tainet Communication System Corporation TAINET is a registered trademark and NetSecure 6100 is a trademark of Tainet Communication System Corporation Other product names mentioned in this manual are used for identification purposes only and may be trademarks or trademarks of their respective companies The information provided from Tainet Communication System Corporation is believed to be accurate Any changes and enhancements to the product and to the information thereof will be documented and issued as a new release to this manual Trademark All products and services mentioned herein are the trademarks service marks registered trademarks or registered service marks of their respective owners NetSec ure 6100 Users Manual About This Manual This section gu
56. Hex Key 11112222333344445555666677778888 Routing Oo oO Policies Chapter 7 Virtual Private Networks Network gt Route Add Enter the following then click Apply Network Address 0 0 0 0 Netmask 0 Interface eth1 Gateway 4 4 4 254 Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address SFO Destination Address New York Service Any Tunnel VPN From SF Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address New York Destination Address SFO Service Any Tunnel VPN From SF Chapter 7 Virtual Private Networks 7 2 3 7 2 4 DELETING MANUAL KEY VPN TUNNELS Use the unset vpn command to delete a manual key VPN tunnel unset vpn vpn_name MODIFYING MANUAL KEY VPN TUNNELS To modify a manual key VPN tunnel first delete the tunnel using the unset vpn command and then add the tunnel again with the appropriate changes using the set vpn command Example Modifying a manual key VPN tunnel Use the unset vpn command to change the name of the VPN tunnel previously created on an appliance from to_newyork to sales_ office o unset vpn to_newyork o set vpn Sales Office manual local spi 1230 remote spi 1230 gateway 4 4 4 1 outgoing interface eth1 e
57. IGURING DESTINATION NAT MANY TO MANY sscssssssssssesssseessseessseesssneessseesnees 217 CHAPTER 11 HIGH AVAILABILITY sccsccsssssssccecseccscssscsccscsensesseseseenseeeeess 219 11 1 ABOUT HIGH AVAILABILITY sasscsvsccasasiesissdavastsnautensssaseegbnst dues tdventtaarsnceniiadtvesaiaadveseaite 219 11 2 SOFTWARE ARCHITECTURE OVERVIEW csccsssscsssssssssssssssssssossonssscesssssessssssssessessees 220 113 lt CLICOMMANDS cnisia i aa a aaa ag EEES E EATE 221 ILA HA CONFIGURATION ecann niia i a ten haene 222 11 4 1 CONFIGURING THE PRIMARY AND SECONDARY IP ADDRESSES FOR THE DIVES AOE csr cee tase cel voted a canis vata nec 222 11 4 2 CONFIGURING HA PRIORITY VALUES 1 TO 254 sceessssssseesssesssesssneesssneessesssneessneesnees 223 CHAPTER 12 PKI amp X 509 DIGITAL CERTIFICATES ccccscsssssceecceceeeeees 227 12 1 ABOUT PUBLIC KEY INFRASTRUCTURE AND X 509 DIGITAL CERTIFICATES 227 122 PRI BASICS cenere iniae a E E E E EO 228 12 2 1 A TYPICAL DIGITAL CERTIFICATE pocniccenscccsonnisatconnpni aioa bonnn 228 12 2 2 SELF SIGNED CERTIFICATE sssesesiiiitissssstei tt tsssstststtiissssssntttiierssstttttiersssstntnttersesstntttttterst 229 123 CLT COMMANDS ceina a R A E GKN 230 12 3 1 GENERATING A SELF SIGNED CERTIFICATE scessscsscssssssssssssseessssessssessseessssassnessseessnees 230 12 3 2 CREATING A CERTIFICATE REQUEST ssccssssssrivnntsntssosubhnaeantsicsssstmroians ssoiasnctiovssoassararncpnionsents 231 12 3 3 IM
58. IN no ack o Policy gt Attack Settings Edit Zone for untrust 97 Chapter 5 Attack Detection amp Prevention o Select the following then click Apply Screen FIN no ACK 98 5 7 Chapter 5 Attack Detection amp Prevention ADDITIONAL ATTACK DETECTION AND PREVENTION In addition to the configurable attack settings the appliance detects and prevents the following network and DoS attacks Land Attack TCP SYN and FIN flags set IP spoof IRDP Teardrop attack TCP no flags set Ping of Death Smurf attack TCP no flags set Unknown IP protocol UDP bomb Chapter 5 Attack Detection amp Prevention 5 8 VIEWING ATTACK SETTINGS To view the current attack settings per zone use the get zone command with the screen and zone name to view the current settings get zone zone name screen Example Viewing attacks setting on untrust zone o Cli gt get zone untrust screen o ID 2 o Type Pre defined o Zone untrust o Intra zone block Off o Flags IlcmpFrag IcmpLarge FinNoAck o SynFlood 65535 o FinFlood 65535 o cmpFlood 16777215 o FragFlood 16777215 GUI Example Viewing attacks setting on untrust zone o Network gt Zone Edit for untrust o Select the following then click Apply Screen 100 Chapter 6 Logging Chapter 6 Logging This Chapter describes the options available for event logging storing and receiving logs and Simple Network Management Prot
59. ING SERVICE OBJECTS ereere eenia oirein ETRA E SA 197 9AA MODIFYING SERVICE OBJEC PS iscrio i i E lactecsscathelas bee sertinige satheer HAEEREN ES 197 94 5 CONFIGURING SERVICE TIMEOUTS wi ssccesissscccsssaseceussdistevesivacestes sures sontessausbieyssineneravienedes ENSA 198 9 5 CONFIGURING SERVICE GROUPS sccssissescscctisatevasssadesodbadaeveasatievedsasdanaevasdecantashspensionsencs 199 9 5 1 CREATING SERVICE GROUPS 0 cscs ee cndecivis inn lalies i i a aaa 199 9 5 2 DELETING SERVICE GROUPS iiiscsceinersectetiscsints toeceautes ccsielen ead ERNE E OE RE EE ates 200 9 5 3 REMOVING SERVICE OBJECTS FROM GROUPS cee ceeceeeceseeeeeeeeeeeeaeeeaeesaaecnaeenaeenaeenaeens 201 9 5 4 MODIFYING SERVICE GROUPS 00 ceccseeesseceecesecesecesecsseeseesseeseneseaeesaeesaaesaaecaeenaeenaeeaeee 201 9 5 5 ADDING COMMENTS TO SERVICE GROUPS 1 cee eeceecseeeeeeeeeeeeeseeeaeeeaeesaaecnaeceaesnaeenaeees 202 9 6 ABOUT SCHEDULES sneren a A S E E 203 9 6 1 CREATING ONE TIME SCHEDULES S preiero ieit EENKEER ENEE E 203 9 6 2 CREATING RECURRING SCHEDULES 0 ceccseecseecseeeeseeeseeeeneeeeceeeseeaeseaeeeaeeeeaessaesnaeeaeees 204 9 6 3 ADDING SCHEDULES TO POLICIES os cscceseccscecsstassicasiecoensscusaeesuees deasalessteasieusstssoteesepssnecsiseiestes 205 9 6 4 DELETING SCHEDULES sisted trond alewdeactivis noi lanin Glancisiesiibe denial a a aa 206 9 65 VIEWING SCHEDULES occiorient e a EE ERA EE EEEE E S EE Eaa NE Eti 206 CHAPTER 10 ADDRESS TRANSLATION
60. LATION You must understand the following concepts before you install the lt NetSecure 6100 gt for the first time m Basic understanding of TCP IP m IP addresses and subnet masks Network Address Translation NAT For more information refer to Chapter 10 Creating a policy For more information refer to Chapter 9 m Routing For more information refer to Chapter 8 Security zones For more information refer to Chapter 3 2 2 2 2 1 2 2 2 Chapter 2 Getting Started INSTALLING THE lt NetSecure 6100 gt This section guides you through the installation of the lt NetSecure 6100 gt Once you are familiar with the previous section 2 1BEFORE YOU INSTALL prepare to proceed with the actual installation To install the lt NetSecure 6100 gt perform the tasks described in the following sections a Connecting the Power a Connecting the lt NetSecure 6100 gt to Other Network Devices a Configuring the lt NetSecure 6100 gt CONNECTING THE POWER You must connect a power source to the lt NetSecure 6100 gt before you configure the appliance To connect the power m On the lt NetSecure 6100 gt plug the DC connector end of the power cable into the DC power receptacle on the back of the appliance m Plug the AC adapter end into a surge protected AC power source The lt NetSecure 6100 gt is now powered ON CONNECTING THE lt NetSecure 6100 gt TO OTHER NETWORK DEVICES Once the power is connected
61. PORTING PASC I UMUC TE cartes ns eens yioebaaen wiper ci tbo 232 12 3 4 USING A CERTIFICATE FOR A VEN TUNNEL jwicissossescdinsineiinesseaiatshinesenebuctsttaniinceensacesiialiontal 232 APPENDIX A PRE DEFINED SERVICE esseseseesesesosseseseececesoscesesoeoeseececesesosceseseeo 233 APPENDIX B GLOSSARY seeseseecccesesoesesosceseeecceeesosceseseecccesosoesesesescesesossesoscseseseee 235 xiii NetSec ure 6100 Users Manual FIGURES Figure 1 1 shows the graphics used in illustrations in this guide ecceeeeeeeeeeeeeeeeeetteees 4 Figure 2 1 Connecting the lt NetSecure 6100 gt to other Network Device 0 ceeeeeeeeeeees 8 Fig re 2 2 Network Protectio gresrenteputemsdseutverdenunvaybanrtuentucuacauieeunseumaiuiuanleauvveyiueubeuiurvivayivry ue 11 Fig re 3 1 Security LONG ripsiin aienea aeaaaee aeaaaee eire eainiie aai 16 Figure 3 2 Security Zones and Interfaces cccceeecceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaeeeeeeeeeeeeeeeees 16 Figure 3 3 Security Zone Trust and Untrust ceccccceeeeeeeeeeseeeeeeeeeeeeeeeeeeeeeaaeeeeeeeeeeeeeeee 17 Figure 3 4 Custom Security ZONES ccccceceeeeeeeeeeeeeeceeeeeeeeeeeeeeaaaeeeeeeeeeeeeeseeaaaeaeeeeeeeeeeeee 17 Figure 3 5 Get Zone Command Example eeeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeneeeeeeeeeeeeeeeee 21 Figure 3 6 Eth0 and Eth1 Locations sicccts sntecutscvcucetnasshantiemenentionsstasasansneetineutineutiensnantineettackianeenst 23 Figur
62. THE SNMP SETTINGS i sesiccccstiscnsateediassecesieaseanes chsdeardeasesesntsvessussnrescleasresdsvedensond 125 6 9 11 VIEW THE SNMP COMMUNITY SETTINGS 000 cesceseceseceseceseeeeeeseaeeeseesaeesaaesaesnaeenaeee 125 6 9 12 VIEW THE SNMP STATISTICS wp sccsseadsacstersccgentiisscesdsstesenabiavstasdiadieelaesdiedaicenisidnsesacnenecbeneete 125 6 9 13 VIEWING THE INTERFACE STATISTICS 1 00 cee eccecssecsseceseceeceeeeeeeeeeeeseaeeeaeesaeecaesnaeseaeenaeee 127 CHAPTER 7 VIRTUAL PRIVATE NETWORKS ecctcccrccscteesceessceeens 129 7 1 7 1 1 7 1 2 7 1 3 7 1 4 7 1 5 7 1 6 7 1 7 7 2 7 2 1 P22 7 2 3 VIRTUAL PRIVATE NETWORKS vxcprnticssnisssoieuvinshastdcsandiondantasnsdleabonstdeesenwsiesansunceasandiestes 129 ABOUT IP SECURITY IPSEC secs ciscceesbeistessetsacnesscbetsuesesascaveteaceniossuscovsca seb etesasndesedsubardecevesesbive 130 TRANSPORT MODE ic cccsssecdivedetieneusdovectertcbicsss tastciiies devs suebbvertsisbh esata a AAEE G EEA 130 TUNNEL MODE ides st cdsanssaeeierd ovessesloustvschvssavesasapeerlivsressiibandssslaast AAE ERA E ES EAE EEEE ETSE 131 THE DIFFIE HELEMAN GROUP esiisa i a aiai 132 SECURITY ASSOCIATION cincina i a a a aa 133 SITE TO SITE VPN REQUIREMENTS vernceneneeosnesiiei npea iieiaeie p ada Ea N EEE 133 VPN SPECIAL CONSIDERATION S cirie eito EORNA ENEDES E A EEEE REA 134 CONFIGURING MANUAL KEY VPN IMPLEMENTATIONS ceecceeseeeceeeeeeeneeeeees 135 CREATING MANUAL KEY VPN TUNNELS eeeessesesrrsressrsrissrrriesrrsr
63. TWORK ADDRESS TRANSLATION When performing source NAT the policy translates the source IP address to a different address The source IP address is either translated to a single address or to an address randomly chosen from a pool of addresses defined in a dynamic IP DIP pool Figure 10 1 displays an example of source IP address translation Original Source IP Address Translated Source IP Address Figure 10 1 Source IP Address Translation Use the set policy command with the nat src option to specify source NAT in the policy set policy from zone to zone src_ad dst_ad srvc nat src permit If you configure the policy without specifying a DIP pool ID the policy uses the source address of the egress interface as the translated address Use the set policy command with the nat sre and dip id options to specify the source NAT to use a random address from the DIP pool set policy from zone to zone src_ad dst_ad srvc nat src dip id id permit ABOUT PORT ADDRESS TRANSLATION PAT PAT translates the original source port to a random source port to maintain the uniqueness of all outbound connections After an outbound connection is made the lt NetSecure 6100 gt software enters the combination of the translated source IP address translated source port and destination IP address in the session table As more hosts from the original source network set up connections in the session table the entries all have the same trans
64. The output of the command should provide the certificate request as follows MIIBCZzCBtgIBADAfMROWGwYDVQQDFBRmd0BtaXNObGVOb2VOZWNoLm NvbTBcMA0G CSqGSIlb3DQEBAQUAADsAMEgCQQC 8TWjn4871ZIL PHBLjQyJ9QbSAvib DIMptoV 2PjW9lAyx8HL7xJ5UwkRgHro8eQ77jX1 BFzIXWARcFshIClI3AgMBAAGgMjA wBgkq hkiG9wOBCQ4xIZAHMB8GA1 UdEQQYMBaCFGZ3QG1pc3RsZXRvZXRIY2g uY29tMA0G CSqGSlb3DQEBBQUAA0DEACE65SiSOOgh53bIQKpBBI8aOrhEIdFL5 uzYC2 xRaN6tX 2z90 9hiwOJoV nugm4C C2 UuZTWT QyLEVs53HilQ 231 Chapter 12 PKI amp X 509 Digital C ertificates 12 3 3 12 3 4 The complete output needs to be copied and pasted on a PKCS10 based certificate enrollment webpage or provider to the CA in expected format IMPORTING A CERTIFICATE The CA will issue a certificate based on the certificate request that we provided This certificate can be imported into the appliance as follows exec pki x509 tftp 192 168 65 197 cert name test crt The IP Address needs to be replaced by the IP Address of the TFTP server where the file is available and the test crt should be replaced with the actual file name for the certificate USING A CERTIFICATE FOR A VPN TUNNEL The following commands are available to assign certificate authentication for an IKE Gateway set ike gateway test cert mycert 2 peer_cacert all peer_cert_type pkcs7 m The command assumes that the IKE gateway test is already created with the correct proposals m The mycert variable provides the cert to be used with this gat
65. U 1450 NOTE The default MTU size set for each interface is 1500 It is recommended that the MTU size on the eth1 interface matches the MTU size of the next hop router CONFIGURING INTERFACE LINK UP DOWN Use the set interface command with the phy option to set the state of any physical or logical interface to up or down o set interface interface name phy link up o set interface interface name phy link down Example Changing the ETHO interface state to Down set interface ethO phy link down Example Changing the ETHO interface state to UP set interface ethO phy link up CONFIGURING ADDRESS RESOLUTION PROTOCOL ARP The lt NetSecure 6100 gt keeps an active list of all hosts directly connected to any physical or logical interface in its ARP table This table includes the hosts IP address and Media Access Control MAC addresses Use the get arp command to view the current ARP table entries get arp Chapter 3 Security Zone and Interfaces 3 5 3 1 CLEARING CURRENT ARP ENTRIES Use the clear arp command to clear a specific entry or all current ARP entries clear arp ip_addr all 3 5 3 2 ADDING STATIC ARP ENTRIES Use the set arp command to add a static ARP entry set arp ip addr mac_adar Example Adding a static ARP entry Use the set arp command to add a static ARP entry for a host connected on the ethO interface with an IP address of 10 0 0 1 and a MAC address of aa bb cc dd ee ff
66. Users Manual LIMITED WARRANTY TAINET s DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes relating to Products and for ensuring that replacements and other adjustments required in connection with the said warranties are satisfactory TAINET warrants to DISTRIBUTOR that the Products to be delivered hereunder will be free of defects in material and workmanship under normal use and service for a period of twenty four 24 months twelve 12 months in Taiwan following the date of shipment to DISTRIBUTOR If during the warranty period any component part of the equipment becomes defective by reason of material or workmanship and DISTRIBUTOR notifies TAINET of such defect within seven days after knowing of such defect TAINET shall for any Product that TAINET agrees is defective at its option supply a replacement part request return of equipment to its plant for repair or perform necessary repair at the equipment s location At TAINET s option DISTRIBUTOR shall destroy any Product that TAINET agrees is defective and shall provide satisfactory proof of such destruction to TAINET TAINET is not responsible for Products damaged by misuse neglect accident or improper installation or if repairs or modifications were made by persons other than TAINET s own authorized service personnel unless such repairs by others were made with the written consent of TAINET THE ABOVE WARRANTY IS IN LIEU OF ALL OTHER
67. WORD 00 ccseesseceeeeseeeseeeeeeeeeeeneeeaeeeaeeeaeecaaecaeenaeenaeens 65 43 4 VIEWING CURRENT USERS siesejsccisve deesizess oidtGeatssasdaasccasendecsusdes EAE a i 65 4 4 MANAGING SOFTWARE FOR THE lt NETSECURE 6100 eccceeecceceseeeeeeeeeceeeeessseeeeeeees 66 4 4 1 STORING SOFTWARE IMAGE FILES IN FLASH MEMORY 0 eeeeceeeeereeeneecneeenaecnaeenaeens 66 Vii NetSec ure 6100 Users Manual 4 4 2 DOWNLOADING NEW SOFTWARE 00 ccccecccsceesseceseeeeeseeeesaeceeceeceaeeeesaecseaaeceeaeecseeseaeeseaeeeeenees 66 4 4 3 UPLOADING NEW SOFTWARE 0 ccc ceccceceecceesseeseseeceeeeesaeceeaaecseneeceaeeecsaecseaaecseaeeceaeeseaaeeseaeecenees 66 4 4 4 SAVING MOS SOFTWARE TO FLASH MEMORY USING TFTP eecccceeececeeeeeetteeeeneeeeeeees 67 4 4 5 SAVING BOOT SOFTWARE TO FLASH MEMORY USING TPFTP 0 cccceccceceteeeetteeeeneeeeeeees 68 4 4 6 SETTING THE SOFTWARE AS PRIMARY OR SECONDARY cceecceceseceeneeceeeeeetaeeneateeeenees 68 4 4 7 SAVING THE CONFIGURATION FILE FOR EXPORT 000 eccccccecceeesseceeneeceeeeeceaeeeeaeeneateeenees 68 4 4 8 VIEW THE RUNNING CONFIGURATION 00cccccceecceesseeeesseceeeeeceeeeessaecseaaecseneecsaeeesaaecneaueeenees 69 4 4 9 VIEW THE SAVED CONFIGURATION cccccceccceceseeesstecesseeceeneeceeeessaeceeaaeceeneeceaeeseaaecseaueseeees 69 4 5 RESETTING AND RESTARTING THE lt NETSECURE 6100 gt cccccccesssssecesessteeeensseeeens 70 4 5 1 RESETTING THE APPLIANCE vec ccscisctvaccvenstendeceasstdest
68. a laptop or desktop machine E To access the lt NetSecure 6100 gt console interface launch a terminal emulation program NOTE Hyper Terminal by Hillgraeve Inc is a suitable terminal emulation program and is included with most Windows operating systems The default login credentials are admin and admin These credentials are case sensitive m Enter the following settings in the terminal application o Baud Rate 38 400 o Parity No o Data Bits 8 o Stop Bit 1 o Flow Control None m Press Enter to view the login prompt m At the login prompt type admin m Atthe password prompt type admin 2 2 5 CONFIGURING THE SOFTWARE To configure the lt NetSecure 6100 gt software for the first time perform the steps 9 Chapter 2 Getting Started 2 2 6 2 2 7 in the following sections m Changing the Admin Password Configuring Interfaces Configuring Network Address Translation NAT Configuring the Default Route Configuring a Policy from Trust to Untrust m Viewing the Policy Configuration CHANGING THE ADMIN PASSWORD Because all lt NetSecure 6100s gt are preconfigured with the same password you must change the admin password Use the set admin command to change the password o set admin password password_str Oo save CONFIGURING INTERFACES Configure the lt NetSecure 6100 gt to protect a network like that displayed in Figure 2 2 This configuration allows all wor
69. able 6 7 IP Route Table Object Name Value Type ipRouteDest lpAddress ipRoutelflndex INTEGER ipRouteMetric1 INTEGER ipRouteMetric2 INTEGER ipRouteMetric3 INTEGER ipRouteMetric4 INTEGER ipRouteNextHop lpAddress ipRouteType INTEGER ipRouteProto INTEGER ipRouteAge INTEGER ipRouteMask lpAddress ipRouteMetric5 INTEGER ipRoutelnfo OBJECT ID 6 8 7 IP NET TO MEDIA Table 6 8 shows the IP Net to Media Table Table 6 8 IP Net to Media Table Object Name Value Type ipNetToMedialflndex INTEGER ipNetToMediaPhysAddress PhysAddress ipNetToMediaNetAddress lpAddress ipNetToMediaType INTEGER 116 Chapter 6 Logging 6 8 8 ICMP GROUP SCALARS Table 6 9 shows the ICMP Group Scalars Table Table 6 9 ICMP Group Scalars Object Name Value Type icmpInMsgs Counter32 icmpInErrors Counter32 icmpInRedirects Counter32 icmpInEchos Counter32 icmpInEchoReps Counter32 icmpInTimestamps Counter32 icmpInTimestampReps Counter32 icmpInAddrMasks Counter32 icmpInAddrMaskReps Counter32 icmpOutMsgs Counter32 icmpOutErrors Counter32 icmpOutDestUnreachs Counter32 icmpOutTimeExcds Counter32 icmpOutParmProbs Counter32 icmpOutSrcQuenchs Counter32 icmpOutRedirects Counter32 icmpOutEchos Counter32 icmpOutAddrMaskReps Counter32 117 Chapter 6 Logging 6 8 9 TCP GROUP SCALARS Table 6 10 shows the TCP Group Scalars Table
70. ace name 49 Chapter3 Security Zone and Interfaces 3 6 3 RADIUS BACKUP SERVER In addition to the primary RADIUS server two additional RADIUS servers can be defined enabling the security appliance with a backup RADIUS server option if the primary RADIUS server were to fail and become unresponsive This allows users to continue authentication into the network Backup1 IP Address or domain name of primary backup server Backup2 IP Address or domain name of secondary backup server 3 6 3 1 CONFIGURING THE RADIUS BACKUP SERVER To configure the RADIUS backup server use the set auth server command with the backup option set auth server auth_name backup1 backup2 ip _addr dom_name 3 6 3 2 VIEWING THE RADIUS CONFIGURATION To view the RADIUS configuration on the security appliance use the get auth server command and view all settings or by ID get auth server all id Example View the RADIUS configuration using the all option cli gt get auth server all ID Auth Server Server Name Type Acct Type Role 0 RADIUS 192 168 1 100 RADIUS xauth cli gt GUI Example View the currentRADIUS configuration System gt Authentication gt Authentication Server 50 Chapter 3 Security Zone and Interfaces Shows all Radius server configurations Example View the RADIUS configuration by specifying the ID 0 E o o cli gt get auth server id 0 ID 0 AuthServer RADIUS Type RADIUS Server Name IP 192 168 1
71. aeenaeees 111 6 7 3 SYSLOG MESSAGE FORMAT wijsccsncadisiesns shen lesiesdesdesenablavsiasaaieneisieslicbsidebinsliheteaianebeseers 111 6 74 SYSLOG MESSAGE SAMPLE yi siccssssagcctssatsen icvcerssslaccsietes fectsten edd ivhgstes pees a EEEE EiS 111 6 8 SNMP MIB GROUPS rencot itoan asotea a aan e irae aE ea Eaa anaa enS aN eaat 113 6 8 1 SYSTEM GROUP recse nnie E E E EE E ahead E AE eE 113 6 8 2 INTERFACE GROUP wcssseccssecnsestecetiessvan aiara A E EAEE AAAA EEE EAT iE 114 6 8 3 ADDRESS TRANSLATION GROUP icc ceeeseescecesecesecesecesecsseesseeseneseaeeeaeesaeesaaesaaeseaeeeaeee 114 6 8 4 UP GROUP sareret iie E TEREA E E EAEE E tale dad tncd edd REET ON AEE EE 114 NetSec ure 6100 Users Manual 6 8 3 IP ADDRESS icra desdectdeeuatelasecane cratered sds beasdetia tel tinaaecizcevieh des bea doen eM love cate ieee viol a iai 115 6 8 0 TP ROU DB iiiar sce secedbicasut ces exe RTR AEEA EAE EEA biased vcue sus ates fax anced AAEE E 116 6 8 7 PNET TO MBDIAS staseeccressceiidpate cate seytelncudathe AEREE E EEEN EREE OE EEEE 116 6 8 8 ICMP GROUP SCALARS seriesiraresssr i rerinin rina eterio EENE FEEN ERa EEO EADAE EE aN E ENEE EEES EEEE 117 6 8 9 TOP GROUP SCALARS asieriosaeisiiii oe ii eatae EEEE AEE E AANE REEE EEEE EES 118 6 8 10 TCP CONNECTION wissiciicceticceteed slancaclacctas sesaetlaiesieed ii ai aa aaa 118 6 8 11 UDP GROUP SCALARS 0s ccsciicccieacccevinseaseseesedscdegtieetebsnecevlabsanceaye nuste
72. ales to Accounting any SQL sql permit TRANSPARENT MODE SIMPLE ACL FUNCTIONS As firewalls are placed deeper within high speed transmission points many network integrators are looking for simple methods of applying ACL s to specific types of traffic without causing disruption to their existing network topology ISP s and Telco s are seeking methods to restrict various protocols or IP address traversing their central network while maintaining high transmission speeds Due to the nature of firewalls and packet filters the option of enabling and disabling various security functions is somewhat limited The lt NetSecure 6100 gt provides the network administrator the option to bypass various security functions on the lt NetSecure 6100 gt in order to accommodate their network needs These bypass functions are global and will be applied to both the ingress and egress interfaces NOTE For detailed information on the transparent commands used in the following examples see the CLI Reference Guide 38 Chapter 3 Security Zone and Interfaces 3 4 4 3 1 Ability to bypass pass MPLS packets unset transparent bypass mpls This command will allow MPLS packets to traverse the lt NetSecure 6100 gt The default function of the lt NetSecure 6100 gt is to bypass i e drop such packets GUI Example Pass MPLS packets in transparent mode o Policy gt Advanced gt Bypass o De select the MPLS option and click Apply 3 4 4 3 2 A
73. ant to include Example Modifying a service group Modify the service group Web Services to add HTTP and DNS o unset group service Web_ Services o set group service Web_Services add http o set group service Web_Services add dns Oo save GUI Example Modifying a service group o Objects gt Service Groups o Enter the following then click Apply Remove Web_ Services o 3QObjects gt Add Service Group o Enter the following then click Apply Name Web_ Services Add http and dns 201 Chapter 9 Policy Configuration 9 5 5 ADDING COMMENTS TO SERVICE GROUPS Use the set group command with the service and comment options to add a comment that describes the address group set group service grp_name comment text NOTE If you remove all of the services in a service group that service group name is not deleted 202 Chapter 9 Policy Configuration 9 6 9 6 1 ABOUT SCHEDULES A schedule is an object that defines the day and time a policy is action takes place This section describes how to create add view and delete schedules The following topics are included in this section m Creating One time Schedules Creating Recurring Schedules m Adding Schedules to Policies m Deleting Schedules m Viewing Schedules CREATING ONE TIME SCHEDULES NOTE Schedules must have minimum start and stop times of at least five minutes Use the set scheduler command with the once option to
74. apping Destination NAT Configurations 10 1 NETWORK ADDRESS TRANSLATION Enabling Network Address Translation NAT on traffic passing through the appliance modifies the IP address in the IP packet header Optionally enabling NAT also modifies the port number in the transmission control protocol TCP segment or user datagram protocol UDP datagram You can enable NAT either on the interface or through the security policy database This chapter describes how to enable NAT through the security policy database For information on enabling NAT on the interface refer to Chapter 3 Security Zone and Interfaces There are four primary NAT configurations One to one NAT Enables translation of a single public IP address into a private IP address One to one NAT is often used to allow a host on a private network to be accessed from the Internet Many to one NAT Enables translation of multiple private IP addresses into a single public IP address allowing all hosts on the private network to access the Internet as a single entity 209 Chapter 10 Address Translation m Many to many NAT Enables translation of multiple private IP addresses into multiple public IP addresses The length of defined ranges need not match m Port Address Translation PAT Enables translations of the original source port number to a different randomly assigned port number 210 10 2 10 2 1 Chapter 10 Address Translation CONFIGURING SOURCE NE
75. arent Mode wioscccsaciccccoctsareascuses cctwormaseteunetancerastnetmadiomaactaatenduye 155 Figure 8 1 Using a Static Route cc cccccccee cece eeeeeeeceeee eee eeeeeeeaaaaeeeeeeeeeeeeesaaaaaeeeeeeeeeeeeees 164 Figure 8 2 Get Route Command Output ceeeeeeeeeeeeeee terete eeeeeeneeeeeeeeeeeeeeeceaaeeeeeeeeeeeeeee 167 Figure 8 3 Get Route Command with ip_addr option OutpUt cece ee eeeeeeeeeeeeeeeeeeeeees 168 Figure 9 1 Display the use of Security POliCieS cccececeeeeeeeeeeeeccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee 178 Figure 9 2 Interzone Policy yataiscehetpectclateadats states reeieardateandatsedelnadatecdulundeeedesadelpedcaudalvtdeysdebtidelnadevsdsenddds 179 Fig re 9 3 Intrazone POl CY ississsiirirererrarirsnintirnriananrnnnirirnnnanairi tiner iece sisal ein naknan anaa 180 Fig re 9 4 Address CS CG esetei eene ce Siege ee eeren ep cey cp E EAE EEEa HAEEREN eens 190 Figure 9 5 Address 0 6 annie temne nena canon nee eee ee eee 193 Figure 9 6 Service GroupS isis ccm ainncearncationeedcteares dacuoten datuaten ose tecocnutindetnete cat wceoanamantes 200 Figure 10 1 Source IP Address Translation cccceeeeeeeeeeeeeneeeeeeeeeeeeeeeeeceeeeeeeeeeeeeeees 211 Figure 10 2 Source IP Address Translation with Port Address Translation 000 213 Figure 10 3 Destination NAT with Port Mapping ccccceeeeeeceeeeneeeeeeeeeeeeeeeeeneeeeeeeeeeeeeeees 215 Figure 10 4 Destination N
76. ate address objects for the local and remote end points m Define the remote gateway and key exchange mode along with pre shared secret E Create the IKE VPN E Seta route for the VPN Create policies to allow traffic to ingress and egress though the newly created VPN tunnel Example New York office using IKE Interfaces o setinterface ethO zone trust o setinterface ethO ip 192 168 100 1 24 o set interface nat o setinterface eth1 zone untrust o set interface eth1 ip 162 198 10 1 24 Addresses o set address trust ny_local 192 168 100 0 24 o set address untrust sf_destination 10 0 0 0 24 147 Chapter 7 Virtual Private Networks VPN o Routing set ike p1 proposal encryptaesp1 preshare group5 esp aes 128 sha 1 set ike p2 proposal encryptaesp2 preshare group5 esp aes 128 sha 1 seconds 28800 set ike gateway to_sanfrancisco address 4 4 4 1 main outgoing interface eth1 preshare password proposal encryptaesp1 set vpn sfo_nyo gateway to_sanfrancisco proposal encryptaesp2 set route trust route 0 0 0 0 0 interface eth1 gateway 162 198 10 254 Policies O set policy top name vpnto_sanfrancisco from trust to untrust ny_local sf_destination any tunnel vpn sfo_nyo set policy top name vpnfrom_sanfrancisco from untrust to trust sf_destination ny_local any tunnel vpn sfo_nyo save GUI Example New York office using IKE Interfaces Network gt Interface gt Edit for ethe
77. auth server id 0 command E O cli gt get auth server id 0 ID 0 AuthServer security 52 Chapter 3 Security Zone and Interfaces Type RADIUS Server Name IP 10 0 0 250 Backup1 10 0 0 251 Backup2 Timeout 5 Account Type xauth Source Interface ethO RADIUS shared secret password RADIUS server port 1850 RADIUS of retry 3 cli gt 53 Chapter3 Security Zone and Interfaces 3 7 3 7 1 3 7 2 ALTERNATE CONNECTION METHODS PPPoE POINT TO POINT PROTOCOL OVER ETHERNET PPPoE lets Internet Service Providers ISPs use their existing Radius authentication systems from their Dial Up service on a Broadband Ethernet based service Since Dial Up is PPP and most broadband connections are Ethernet Point to Point Protocol over Ethernet PPPoE merges the Point to Point Protocol PPP with the Ethernet protocol Many users can share the same physical connection but access control billing and type of service are handled on a per user basis Some security devices support a PPPoE client allowing compatibly with DSL Ethernet Direct and cable networks run by ISPs using PPPoE for client Internet access SETTING UP PPPoE The following example illustrates how to define the untrusted interface of a security device for PPPoE connections and how to initiate PPPoE service In this example the security device receives a dynamically assigned IP address for its Untrust zone interface eth1 from the ISP In th
78. authenticated to each other and to use the information in identity certificates Users are certified by a third party also known as a Certificate Authority Figure 12 1 Digital Certificate Overview Certificate Authority eo Digital Certificate igital Certificate Encrypted Communication Figure 12 1 Digital Certificate Overview 12 2 1 A TYPICAL DIGITAL CERTIFICATE The following figure shows a typical Digital Certificate 228 Chapter 12 PKI amp X 509 Digital Certificates Certificate og General Details Certification Path Show lt All gt v Field Value Aj E version v3 E serial number 36 e7 ad 9c E Signature algorithm sha IRSA Issuer CA 1 CA Data ViaCode GB Evald from Thursday March 11 1999 4 1 E valid to Monday March 11 2019 4 48 E Subject CA 1 CA Data ViaCode GB E Public key RSA 1024 Bits v Edit Properties Copy to File Figure 12 2 Typical Digital Certificate The certificate contains Digital Certificate Version mE Serial Number m Signature Algorithm m Issuer information m Validity dates mE Subject name m Public Key CRL Distribution points E etc 12 2 2 SELF SIGNED CERTIFICATE A self signed certificate is an identity certificate that is signed by its own creator The device software supports self signed certificate for VPN authentication A remote party s certificates needs to be imported as a trusted certificat
79. bility to bypass pass Unicast packets unset transparent bypass unicast This command allows the bridging of non IP unicast packets The default behavior of the lt NetSecure 6100 gt is to bypass i e drop such packets GUI Example Pass UNICAST packets in transparent mode o Policy gt Advanced gt Bypass o De select the Non IP Unicast option and click Apply 3 4 4 3 3 Ability to bypass pass non ip Broadcast Multicast traffic set transparent bypass bmcast This command will bypass i e drop non ip broadcast and multicast packets The default behavior of the lt NetSecure 6100 gt is to pass i e allow such packets GUI Example Pass NON IP Brodcast packets in transparent mode Check the Non IP Broadcast option and click Apply 3 4 4 3 4 Ability to bypass pass DDOS traffic unset transparent bypass ddos This command allows DDOS attacks and packets to traverse the lt NetSecure 39 Chapter3 Security Zone and Interfaces 6100 gt The default behavior of the lt NetSecure 6100 gt is to bypass i e drop such packets GUI Example ByPass Dos and Ddos checking in transparent mode Check the DDoS option and click Apply 3 4 4 3 5 Ability to bypass pass VLAN Policy filtering unset transparent bypass vlan policy This command will enable the Transparent VLAN function covered in 3 4 4 2 2 Transparent Mode VLAN Filtering The default behavior is to use the source physical ingress port for source zone deriva
80. called int_0 unset alias int_O VIEWING CURRENT ALIASES To view a previously created alias use the get alias command get alias CONFIGURING DOMAIN NAMES To configure the lt NetSecure 6100 gt to respond to a specifically configured domain use the set domain command set domain name_str Example Configuring the domain name MTAPPLIANCE o set domain MTAPPLIANCE Oo save GUI Example Configuring the domain name MTAPPLIANCE o Network gt DNS gt add Domain Name o Enter the following then click Apply Domain Name MTAPPLIANCE DELETING DOMAIN NAMES To delete a previously configured domain name use the unset domain command 75 Chapter4 System Management o unset domain Oo save 4 6 7 CONFIGURING HOST NAMES To configure a host name on the lt NetSecure 6100 gt use the set host command set host name_str Example Confiuring the hose name MTTAPPLIANCE o set host MTAppliance Oo save GUI Example Confiuring the hose name MTTAPPLIANCE o Network gt DNS gt add Host Name o Enter the following then click Apply Host Name MTAPPLIANCE 4 6 8 DELETING HOST NAMES To delete a previously configured host name use the unset hostname command unset host 76 4 7 4 7 1 Chapter 4 System Management USING NETWORK TIME PROTOCOL NTP The lt NetSecure 6100 gt uses Network Time Protocol NTP to update its internal date and time and to include the date and t
81. ce nf Internet nn Business Regional Partner Office Main Office Figure 7 1 VPN Connectivity ABOUT IP SECURITY IPSEC IPsec is a suite of protocols developed by the Internet Engineering Task Force IETF to enable secure exchange at the IP level The most common implementation of IPsec is seen in VPN deployments IPsec can be broken down into two different modes and protocols The modes include Transport and Tunnel and the protocols include AH and ESP TRANSPORT MODE Transport mode is a method by which the data portion of a packet is encrypted while the IP header information is sent in the clear The original packet can be authenticated with AH while the original data can be encrypted with ESP and the IP header remains in clear text Figure 7 2 shows VPNs using transport mode 130 Chapter 7 Virtual Private Networks a A Authenticated Transport Mode AH Original Header ESP Header Encryption Authenticated Transport Mode ESP Figure 7 2 VPNs Using Transport Mode 7 1 3 TUNNEL MODE In tunnel mode refer toFigure 7 3 all data is encrypted including the IP header All of the original data is encapsulated into a new IP payload and includes a new IP header The original packet can be encrypted authenticated or both this is determined by using AH ESP or a combination of both The Original Packet is Encapsulated New Header AH Header Authenticated Tunnel Mode AH New Header ESP Header
82. ceceeeeeceeeeeseneeeesaes 171 8 7 DISABLE ROUTE SUMMARIZATION scorciatoia nsee r E EE ERTES 172 8 8 ENABLE OR DISABLE SPLIT HORIZON 5 sasescsnsecanesncaacsasnidcxvesedenesivedadsepeocadesasstaceeniaexe 173 8 9 ENABLE RIP AUTHENTICATION oss ccssisssavtecdsvandiesasavdeccsasnancssaneavedssarsedetaantsersannsondsianseacs 174 8 10 ACCEPTING PACKETS WITH NON ZERO RESERVED FIELDS eters 175 CHAPTER 9 POLICY CONFIGURATION sscsssssssssssssssssssssssssesssessosesees 177 9 1 ABOUT SECURITY POLICIES lt c iaucotencssdenceuinenscerdicstenstncohentearieteasetnenreidedeuacteieaateneeanene 177 9 1 1 ABOUT TRAFFIC FLOW AMONG POLICIES 00 ec ceeceeccesceseeeeeeeeeeeeeeeeaeesaeesaecnaeenaeenasenaeee 177 91 2 ABOUT SECURITY POLICY TYPES niesienia i aa iiaa 178 9 2 CONFIGURING POLICIES orina a S E R eee 181 921 CREATING POLICIES petrecea iri a A EE E EA ENR G EREE ARRENE E EEEE NEES 181 NetSec ure 6100 Users Manual 9 2 2 NAMING POLICTES iss teicvoscvasovscosttaeieceeduectzsovios cveswes EAEI RA T KARR AAA aaia 183 9 2 3 REORDERING POLICES ossessione oiera eten AREAREN EEEE LEN EA DEER EEEN AERA E ESEESE 184 924 DISABLING POLICIES 6 cased cid ceescsthestetucateearattecd EA EENE REEERE REENE 185 92 5 RE ENABLING POLICIES voreissisensrsseriresres inini iai kea nener EEEN EAE EEE EAA EEEE ETIE EE EEEE NEES 185 9 2 6 DELETING POLICIES tie sssddeccteduecscttereltiaieicsted E EE A E E EEEE AAE E E NER 185 9 2 7 VIEWING POLICIES srccccciccncnc
83. ckets and apply traffic policies using its zone based filter This function is called Transparent VLAN filtering and is described in 3 4 4 2 2 Transparent Mode VLAN Filtering TRANSPARENT MODE SIMPLE DEPLOYMENT In Figure 3 9 the lt NetSecure 6100 gt is deployed as a transparent mode firewall Interface ethO and eth1 are configured in transparent mode with the address of 0 0 0 0 Interface ethO is configured in the Trust Zone and eth1 will assigned to the Untrust zone A policy configured to any from the Trust zone to the Untrust zone To restrict external traffic from accessing the Trust zone a policy will be needed to deny ANY AIl from the Untrust to Trust zone In Figure 3 9 if Workstation A makes a request to www yahoo com the workstation performs a DNS query for www yahoo com the return address for the site will be a routable Internet address The host then performs an arp for its default gateway and sends the packet to the router 10 0 0 1 The lt NetSecure 6100 gt inspects the outgoing request and runs the packet through its Policy engine Due to the permit policy created earlier this packet will be left intact and allowed out through the eth1 interface of the lt NetSecure 6100 gt During the inspection process a session is added for this packet meaning the return packet will be flagged as a valid trust packet 33 Chapter3 Security Zone and Interfaces 3 4 4 2 1 WWM eit bert corn 0 0 0 0 24 E 00 0 0 0 Cetoaa6 Zone
84. command with the IP option unset syslog config ip DISABLING THE SYSLOG HOST LOG OPTIONS To disable the syslog host log option use the unset syslog config ip log and specify the current log option to disable unset syslog config ip log all traffic event SYSLOG MESSAGE FORMAT When the security appliance generates and sends syslog messages for delivery to the syslog server the format for the messages is standard SYSLOG MESSAGE SAMPLE o 192 168 65 230 lt 134 gt Jun 02 12 13 54 2006 vendor name o id security_appliance policy 117 INFO o 6 id 1 o proto 1 Oo src 64 62 250 2 0 o 6dst 64 79 127 67 0 packet dropped due to policy deny 111 Chapter 6 Logging Table 6 1 shows the syslog message format Table 6 1 Syslog Message Format Jun 02 Month and Displays the month and day when Day Stamp the message was generated 12 13 54 Time stamp Displays the time stamp when the message was generated The format is as follows HH MM SS 2006 Year Stamp Displays the year when the message was generated Vendor name Device name Displays the vendor name Security_Appliance Device id Displays the hostname for the appliance Software Displays the software module name module name that generated the log message Software Displays the software module module process ID that generated the log process ID message INFO Log level Displays the log severity level Device ID Displays the ID number of t
85. configured in Untrust zone Policies can be written to allow or deny traffic between zones Figure 3 2 Security Zones and Interfaces hterfces eto j etl eto 100 Sib we maces There are four default security zones configured on the appliance that you cannot delete Trust The trust zone is commonly used to segment internal networks from the wide area network WAN and Demilitarized Zone DMZ m Untrust The untrust zone is commonly used for the WAN The untrust zone has default security enabled to prevent Denial of Service Attacks DoS m DMZ The DMZ zone is commonly used to segment publicly accessible servers from the local area network LAN and WAN Global The global zone is used to apply policies independent of zones Figure 3 3 displays the security appliance with two security zones trust and untrust The trust zone is configured for the LAN and the untrust zone is configured for the WAN Security policies can now enforce access control between the two zones 16 Chapter 3 Security Zone and Interfaces Figure 3 3 Security Zone Trust and Untrust Securty a par van NetSecure6 100 In addition to the four default zones additional custom zones refer to Figure 3 4 can be created to further divide the internal network into more granular segments Figure 3 4 Custom Security Zones Policies control traffic baranan Panne NetSecure6 100 17 Chapter3 Security Zone and Interfaces
86. create a schedule object for a one time event set scheduler name once start date time stop date time comment text Table 9 2 explains the parameters in the above command 203 Chapter 9 Policy Configuration 9 6 2 Table 9 2 One time Schedule Description The name field assigns a name to the schedule Schedules are assigned to policies by referring to the schedule name The once option is used to define a one time event Use the start option and specify a day and time to allow traffic matching the policy to pass through Use the stop option and specify a day and time stop traffic matching the policy to pass through comment The date field requires an mm dd yyyy format Use the comment command to add a comment associated with the schedule text The text field is a line of text CREATING RECURRING SCHEDULES Use the set scheduler command with the recurrent option to create a schedule object for a recurring event set scheduler name recurrent day start time stop time comment text Table 9 3 explains the parameters in the above command Parameter name recurrent Table 9 3 Recurring Schedule Description The name field assigns a name to the schedule Schedules are assigned to policies by referring to the schedule name The recurrent option is used to define a recurring event The day field requires an mm dd yyyy format stop Use
87. ct Interface PPPoE 56 Chapter 4 System Management Chapter 4 System Management This chapter describes the management options for the lt NetSecure 6100 gt including software management system management and user account management The following topics are included in this chapter m Using the Console to Manage the lt NetSecure 6100 gt m Using SSH to Manage the lt NetSecure 6100 gt m Managing Users for the lt NetSecure 6100 gt m Managing Software for the lt NetSecure 6100 gt E Resetting and Restarting the lt NetSecure 6100 gt m Additional System Management Tasks m Using Network Time Protocol NTP m Using Domain Name Service DNS m Using Ping m Using Traceroute 4 1 USING THE CONSOLE TO MANAGE THE lt NetSecure 6100 gt You must perform initial configuration of the lt NetSecure 6100 gt using the console interface After you configure the lt NetSecure 6100 gt for the first time you can manage it through the console or using a secure shell SSH Refer to 4 2 57 Chapter4 System Management USING SSH TO MANAGE THE lt NetSecure 6100 gt This section describes how to work with the console and includes the following topics m About Console Cable Requirements m Accessing the Console m Re enabling the Console Interface m Viewing Console Interface Settings E Setting the Console Display H Setting the Console Timeout m Exiting the Console ABOUT CONSOLE CABLE REQUIREMENTS Table 4 1 lists the re
88. ction describes the Transparent Mode feature It includes the following topics a Transparent Mode Overview a Transparent Mode Simple Deployment a Transparent Mode Simple ACL Functions TRANSPARENT MODE OVERVIEW When the lt NetSecure 6100 gt is configured to run in Transparent mode the device is configured with the same network on both interfaces In this mode the lt NetSecure 6100 gt functions like a layer 2 switch or bridge As packets traverse through the firewall they will do so without having their src dest IP MAC address information changed in the header allowing the lt NetSecure 6100 gt to be deployed in complex networks un obtrusively In Transparent mode the lt NetSecure 6100 gt can be deployed deep within a core 32 3 4 4 2 Chapter 3 Security Zone and Interfaces network as it will pass all traffic without additional configuration All routing protocols and broadcast protocols can be passed seamlessly through the lt NetSecure 6100 gt While in this mode the lt NetSecure 6100 gt can be further configured to bypass various network security functions that in some cases are not desired by the network security administrator In addition to passing various protocols without interception the lt NetSecure 6100 gt Transparent mode supports VLAN 802 1q recognition and filtering If desired the lt NetSecure 6100 gt can be deployed into an existing VLAN network and be configured to recognize the various 802 1q pa
89. d Phase 1 and Phase 2 Proposal Settings Table 7 5 Required Phase 1 and Phase 2 IKE Proposal Settings Name that uniquely identifies the VPN tunnel IPSec Gateway IP address or Fully Qualified Domain Name Pre Shared Secret Pass phrase used to authenticate VPN appliance IKE Identity IPv4 address e mail address or FQDN 145 Chapter 7 Virtual Private Networks Tunnel Name Name that uniquely identifies the VPN tunnel Phase 1 Exchange proposal to determine how to authenticate and secure the channel Phase 2 Exchange that allows an SA to be created allowing ee ecasate ranean t ang Pat Prefect Forward Secrecy Generates a new key for every message sent through an SA Local Network The local network attached to the VF 2112 Destination Network Network to which the VPN tunnel will terminate Figure 7 6 shows an IKE VPN using a pre shared secret Figure 7 6 IKE VPN Using a Pre Shared Secret Table 7 6 shows the IKE Encryption and Authentication Settings Table 7 6 IKE Encryption and Authentication Settings Parameter Description Encryption AES128 Authentication SHA 1 146 7 3 2 Chapter 7 Virtual Private Networks Parameter Description DH Group 5 SA Lifetime 28800 Pre shared Secret password CONFIGURING AN IKE TUNNEL USING A PRE SHARED SECRET Setting up a VPN tunnel using IKE requires the following steps m Define your security zone interface IP Cre
90. d by RIP GUI Example Disable advertise default route o Network gt Routing gt RIP o Enter the following RIP information then Click Apply Uncheck the Advertise Default route 171 Chapter 8 Routing 8 7 DISABLE ROUTE SUMMARIZATION By default RIPv2 supports automatic route summarization The software summarizes subprefixes to the classful network boundary when crossing classful network boundaries If you have disconnected subnets you should disable automatic route summarization to advertise the subnets When route summarization is disabled the software transmits subnet and host routing information across classful network boundaries To disable automatic summarization which is enabled by default use the following command in router configuration mode set router rip auto summary disable 172 8 8 Chapter 8 Routing ENABLE OR DISABLE SPLIT HORIZON Normally routers that are connected to broadcast type IP networks and that use distance vector routing protocols employ the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks information about routes from being advertised by a router to any interface from which that information originated This behavior usually optimizes communication among multiple routers particularly when links are broken However with non broadcast networks such as Frame Relay and SMDS situations can arise for which this behavior is less than ideal For
91. ddress Objects E CE Trust Zone Address Object 10 0 0 0 24 gt Trust_Network 10 0 0 100 32 John 10 0 0 101 32 C Matt r 3 SN 10 0 0 250 32 gt MailServer P Figure 9 4 Address Objects To create the address objects shown in Figure 9 4 Create an address object for the IP address 10 0 0 100 using the name John Create an address object for the IP address 10 0 0 101 using the name Matt Create an address object for the IP address 10 0 0 250 using the name MailServer m Create an address object for the subnet 10 0 0 0 24 using the name Trust_Network oO oO oO o o set address trust John 10 0 0 100 32 set address trust Matt 10 0 0 101 32 set address trust MailServer 10 0 0 250 32 set address trust Trust_Network 10 0 0 0 24 save GUI Example Creating an address object Oo oO Objects gt Add Address Object Enter the following then click Apply Name John IP Address Netmask 10 0 0 100 32 Zone Trust 190 9 3 2 9 3 3 Chapter 9 Policy Configuration o Objects gt Add Address Object o Enter the following then click Apply Name Matt IP Address Netmask 10 0 0 101 32 Zone Trust o Objects gt Add Address Object o Enter the following then click Apply Name MailServer IP Address Netmask 10 0 0 250 32 Zone Trust o Objects gt Add Address Object o Enter the following then click Apply Name Trust_Network IP Addr
92. ding accuracies typically within a millisecond to a network device Next Hop An IP address used in a routing table to enable forwarding of traffic for a specific network Packet A unit of data routed between a source and destination over the Internet or a packet switched network Public Key Infrastructure PKI PKI is designed to be used with IPSec instead of PSK and Manual Key It provides a higher level of security Port Address Translation PAT Translates the original source port number to a different randomly assigned port number Port Mapping Changes the original destination port number on a packet to a different predetermined port number PPPoE Point to Point Protocol over Ethernet Used to allow ISPs the use of their existing Radius authentication systems from their Dial Up service on a Broadband Ethernet based service Remote authentication dial in user service RADIUS provides an authentication authorization and accounting protocol for applications such as network access or IP mobility When used it is intended to work in both local and remote situations RJ 45 An 8 wire connector commonly used to connect multiple computers into a local area network LAN Standard RJ 45 connectors are slightly wider than the standard RJ 11 connector used for all telephone connections Router A device that forwards packets between various networks using both the network layer information and router tables Routers can be used eit
93. e 229 Chapter 12 PKI amp X 509 Digital C ertificates 12 3 12 3 1 CLI COMMANDS This section contains typical uses of CLI Commands with PKI Generating a Self Signed Certificate on 12 3 1 m Creating a Certificate Request on 12 3 2 m Importing a certificate on 12 3 3 m Using a Certificate for a VPN tunnel on 12 3 4 For more information on CLI Commands see the CLI Reference Guide GENERATING A SELF SIGNED CERTIFICATE First we need to set an identifier set pki x509 cert fqdn support tainet net Next we need to generate a key pair sizes of 512 768 1024 2048 supposed exec pki rsa new key 1024 The following command is used to see a list of key pairs get pki x509 list key pair Next we generate a self signed certificate exec pki x509 self signed cert key pair 1 Once you have generated a certificate you can see it with the following set of commands get pki x509 list cert The output will be as follows Chapter 12 PKI amp X 509 Digital Certificates Getting OTHER PKI OBJECT IDX ID num X509 Certificate Subject Distinguish Name You can also get details of the cert as follows get pki x509 cert 2 The output will be as follows X509 Certificate Details Serial Number O2Subject CN support tainet net Issuer Name CN support tainet net 12 3 2 CREATING A CERTIFICATE REQUEST To obtain a PKCS10 certificate request based on the key pair generated get pki x509 pkcs10 1
94. e src_addr dst_addr srvc permit deny reject Use the set policy command with the name option to add a name to an existing policy set policy id number name name from src_zone to dst_zone src_addr dst_addr srvc permit deny reject Example Adding a name to the policy from the previous example o set policy id 1 name ftpcorp from untrust to trust any 4 4 4 4 ftp permit o save GUI Example Adding a name to the policy from the previous example o Policy gt Configuration Edit o Enter the following then click Apply Enable Policy Name ftpcorp Action permit Source Zone untrust Destination Zone trust Source Address any Destination 4 4 4 4 Service FTP Chapter 9 Policy Configuration 9 2 3 REORDERING POLICES Because the policy database is searched from top to bottom when matching against traffic you should order polices in the database from most specific to least specific Doing this ensures that a more general policy does not block a more specific policy as illustrated by the policy example below In this example policy 2 never matches against FTP requests initiated from the trust zone to a server on the untrust zone because the deny policy follows a more general allow policy Example Reordering policies Set policy id 2 from trust to untrust any any ftp deny GUI Example Reordering policies o Policy gt Configuration gt Edit for ID1 o Enter the following then click Appl
95. e IETF to enable secure exchange at the IP level The most common implementation of IPsec is seen in virtual private network VPN deployments IPsec enables VPNs to take advantage of authentication integrity and confidentiality Internet Security Association and Key Management Protocol ISAKMP Protocol that uses a common framework to provide information about Security Association SA attributes These include the negotiation modification and deletion of SA Local Area Network LAN Any network technology that connects multiple 238 Appendix B Glossary machines in a local office or building LAN networks usually consist of a main connection point like a switch or hub and enable all machines on that segment to communicate LAN networks have a limited range of around 1 640 feet or 500 meters Man in the Middle Attack MTM Incident allowing a hacker to read insert and modify all messages between two parties without the parties knowing their link was compromised The attacker must have the ability to observe and intercept all messages going between the two victims Maximum Transmission Unit MTU The largest physical packet size measure in bytes that a network can transmit Any messages larger than the MTU divide into smaller packets before being sent Message Digest 5 MD5 A one way hash function This hash function takes a variable length message and formats it to a fixed length using a 16 bit key to produce 128 bit
96. e 3 7 NAT Enabled Mode cise cess fteciet enedaedatscdeisletntds esidalesdcecdetedetadsideegdetedseeutdsleadaisads 29 Fig r 3 8 Route Mod Osise en anan aa e a aa raae aia aaa ae aaae ia EERE 30 Fig r 3 9 Transparent ModE isisisi sinense eriin aei eniai eenean ii aai 34 Figure 3 10 Transparent Mode with VLAN Filtering sssssssssseesssssnnnnnnnnnesererrrnnnnrnssserrrrrnnne 36 Figure 3 11 RADIUS Challenge Response Message Exchang ccceeeeeeeeeeeeeeeeeeeeeeeeees 46 Figure 3 12 Configuring a Primary and Secondary RADIUS Servet seeeeeeeeeeeeeeeees 51 Figure 5 1 Example of a DoS Attack ccccccccccee eee ceeeeeeeeee eee eeeeeeeaaaeeeeeeeeeeeeeesecaaaeaeeeeeeeeeeenee 94 Figure 7 1 VPN COMME CTIVIDY eccrine setsinnsteceoienitcesisuniesgeneneiieniestdcnieuananeiianeaderreanmubadetiuepecensendeevene 130 Figure 7 2 VPNs Using Transport Mode ccccceecccceeeeeeeeeeeeeeaeeeeeeeeeeeeeseneaaeeeeeeeeeeeeeeee 131 Figure 7 3 Using Tunnel NOG iseis cscesrseiaissleadeticincdaieldalestebedelnadetidsladeldides cet deecdelbndesadebeienedelsdeieadsts 131 Figure 7 4 Site to site VPN sescsincacestanciasinactcoscanide MouseneldeuiteuiaasunianlGenieauhiceiieasaireceseeuianice 133 Figure 7 5 Example of Manual Key VPN sssssssssssssssssssssssssrrrrnnsssserrrrrrnrnnnsserrrrrnnnnnnnserrrrnnnnn n 137 Figure 7 6 IKE VPN Using a Pre Shared SeCret cccccceeceeeeeeeenceeeeeeeeeeeeeeneeneeeeeeeeeeeeeees 146 Figure 7 7 VPN in Transp
97. e certified it to transmit data that has not been as classified top secret DES uses a 64 bit key to encrypt and decrypt data into 64 bit block enabling it fixed output for variable 235 Appendix B Glossary length input Data Encryption Standard Cipher Block Chaining DES CBC Standard that enables the use of Triple DES or 3DES By enabling CBC the DES encryption occurs three times enabling generation of the 56 bit key three times The 3DES standard uses a key length of 168 bits Datagram A self contained data packet sent over an IP network Default Route A standard entry in a routing table that enables traffic to be forwarded for destination networks that are not explicitly defined on a specific network device The normal representation of the default route is 0 0 0 0 0 Demilitarized Zone DMZ Usually a small network that sits between the trusted local area network LAN and the public Internet DMZ enables administrators to apply different polices to traffic that might need to be accessed from the public Internet Domain Name A name that can identify one or more IP addresses URLs normally use domain names to identify particular web pages Domain Name System DNS An Internet system that translates domain names into IP addresses Dynamic host configuration protocol DHCP Protocol that automatically assigns IP addresses to computers on a local area network LAN Typically a system administrator designates a
98. e policy is applied and the packet is dropped If the source and destination zones are the same then the CARD2 G software searches intrazone policies first If there is no match then the software searches global policies If there is still no match the software applies a default zone policy that drops the packet Trust Zone Nese Host 1 DMZ Zone Mail Server e HTTP Server Host 1 Request Connections initiated from Zone Trust are permitted Host 1 Host 1 Request Host 1 A state entry is created allowing reply traffic Host 1 Rejected 5 Host 1 Rejected _ Mail Server Mail Server Reply Mail Server Mail Server Reply Mail Server Request Any Connections initiated from the DMZ to the Trust HTTP Server Zone are rejected Request Figure 9 1 Display the use of ABOUT SECURITY POLICY TYPES security policies You can configure three types of policies for the appliance 9 1 2 1 CONFIGURING INTERZONE POLICIES Interzone Policy Refer to Configuring Interzone Policies Intrazone Policies Refer to Configuring Intrazone Policies Global Policies Refer to Configuring Global Policies An interzone policy controls traffic between zones These policies can allow deny 178 9 1 2 2 Chapter 9 Policy Configuration or reject traffic that is to pass from one zone and destined for another For example in Figure 9 2 the appliance is configured with
99. e source address src_grp is an address group consisting of a subnet address range or multiple hosts set policy from zone to zone src_grp dst_addr port nat src permit CONFIGURING SOURCE NAT MANY TO MANY WITH PORT ADDRESS TRANSLATION In a source NAT many to many NAT configuration all source IP addresses 213 Chapter 10 Address Translation translate to an IP address dynamically taken from a DIP pool on the egress interface The total number of translated addresses available in the DIP pool might be less than the number of source addresses in the source network In this case addresses from the DIP pool can be used multiple times for source NAT sessions PAT is then used to ensure each outgoing session is unique in the session table Use the set policy command with the nat src and dip id options to specify source NAT in the policy set policy from zone to zone src_grp dst_addr port nat src dip id id permit In this configuration the source address src_grp is an address group consisting of a subnet address range or multiple hosts 214 Chapter 10 Address Translation 10 4 CONFIGURING DESTINATION NAT AND PORT MAPPING Destination NAT can translate a single destination address to a single address one to one translate one range of destination addresses to a single address many to one or translate one range of destination addresses to another range of addresses many to many refer to Figure 10 3
100. eceeecatesiveced cccencateseeeesdeccescaneteeensbesdaeeeteteveruteteeesdaeceee 113 Table 6 3 Interface Group ccccecccceeeeeeeeeeeeeeaeeeeeeeeeeeeeaaaaaaeeeeeeeeeeeeeaaaaaaaaaeeeeeeeeeeeeeenaaaees 114 Table 6 4 Address Translation Group cccsecccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaaeaaeeeeeeeeeeeeeeaaaas 114 Table6 5 IP Group sac arceesesacetreiclncateeacesde nese cdelesdetandataedclsatetnd daea daua nada Eaa NECETE EEan ada CaA 114 Table 6 6 IP Address Table mernin nnan arani a aea aa aaa akie Draen 115 146l 6 7 IP Ro te Taplin ea eer ere ere eee re ee eee ee 116 Table 6 8 IP Net to Media Table uo eeeeceeceeceeceeeeeeeeeeeeeaeaeeeeeeeeeeeeeseeaaeeaeeeeeeeeeeeeeeeaaaees 116 Table 6 9 ICMP Group Scalars ccicrris steer detaasenastactadoteasindetuadndethaseuacsasendsuadincetuasinacdaateudei 117 Table 6 10 ICMP Group Scalars 6 csciecacncsitniesitncin cen cicctraindustaitnandindndnisdininnendinsatuencuctinemddaldranduduencids 118 Table 6 11 TCP Connection Table ccccceceeeccceccccceeeeeeeeeeenaeeeeeeeeeeeeeaaaaaaeeeeeeeeeeeeeeensaaaees 118 Table 6 12 UDP Scalars Table ccccccceeseeessseccceeeeeeeeeeeeenseeeeeeeeeeeseeesenaeeeseeeeeeseeeeseseeaees 119 Table 6 13 UDP Listener Table ececeeeeeeceeeecceeeeeeeeeeseeeeaeeeeeeeeeeeeeesnaaaaeaeeeeeeeeeeseeenaaaees 119 Table 6 14 SNMP Group Table isisicasssescse ceca sicendaseds seietneienadataldebadeliiinwadalisiditeatebs deunedetiidtuedabsdeuatiens 119 Table 6
101. eceeseaaeeecseaaeeeeneaaeeeeneaaeeeeseaaes 8 2 2 4 CONNECTING THE CONSOLE CABLE Qu cccccccccesssseeeesenececeeseeeeceseeeeecssseeecseeeeeeeeseeeaeesseeeaeens 9 2 2 5 CONFIGURING THE SOPT WARE sacescoscececscssceecssvadaecs conceeedseaceeca cosccacdseadeacadesdeaenseagcacadeacenasneadaneness 9 2 2 6 CHANGING THE ADMIN PASSWORD 0 0 ccccccsesesssceeeceeseeeeseesaececeesaeeeceeaaeceesesaeeeesesaeseeseaaes 10 2 21 CONFIGURING INTERFACES ereire intenet KEAREN EE NOE EEE EEEE 10 2 2 8 CONFIGURING NETWORK ADDRESS TRANSLATION NAT eessesssssssssesssssrrerssrrssssrsee 12 2 2 9 CONFIGURING THE DEFAULT ROUTE eeesssssersssseessssersssseresssressssreessseesssseeessseessssreesssressssreee 13 2 2 10 CONFIGURING A POLICY FROM TRUST TO UNTRUST 0 0 0 cccccccceesteeeceeneeeeeesaeeeeneaaes 13 2 2 11 VIEWING THE POLICY CONFIGURATION 0 0 ceccccccccecsenseceeseeceeeesesaeeecsesaeeecsesaeeeesesaeeseneaaes 14 CHAPTER 3 SECURITY ZONE AND INTERFACES csscssssssssssssessveeee LS 3 1 SECURITY ZONES ootan ere EE R e e E EA E E 15 3 2 CREATING AND MODIFYING CUSTOM SECURITY ZONES eeceeecceeeseeeeeeeeeeeeeees 18 3 2 1 CREATING CUSTOM SECURITY ZONES 00 cceccccsseceseesseeetesnesseesseessecesscesecsnnesnsesenesensnensteeees 18 3 2 2 DELETING CUSTOM SECURITY ZONES ccceccccsseesessscsenseesesessseasseasecessaeessesnssecseseuaesaanseaes 18 3 2 3 BLOCKING WITHIN A ZONE ciecccceietisscteesacicedisesecbiecassieteuts paecidaded dsiscbe
102. eeeneesaeeeaeeeaaecaecnaeenaeens 60 4 1 4 VIEWING CONSOLE INTERFACE SETTINGS ooo cecceeeceeeceseeeseeseeeseaeeeaeeeaeecaaecnaessaeenaeen 60 4 1 55 SETTING THE CONSOLE DISPLAY wicca en isinidiebssientbaceetie a canissanssedsotsavtelivevee seanenviseaiease 60 4 1 6 SETTING THE CONSOLE TIMEOUT oacvcscccsccccessisnsseisiccstesccsnsenssecesassansuetsossastysessereuseeseenuseansuese 60 41 7 EXITING THE CONSOLE woiissssctivses cstiaeadal oo eneore oere EEE ap E EEEN TENS EEEE PEE DEEE 61 4 2 USING SSH TO MANAGE THE lt NETSECURE 6100 gt 0 eeccceescecssececeeececsseeecseeeessseeeenseees 62 4 2 1 GENERATING SSH HOST KEYS sic scceteesiccsciesdiesers cise adthavendecs ixeetvescvadivassssnagelasie Aa iiiki 62 4 2 2 ENABLE SSH GLOBALLY ocrni otona E E EAEE Pa Aa ANONRA Eae DME IRETE REKETE 62 4 2 3 ENABLING SSH ON A SPECIFIC INTERFACE eesessessssseisreesisrseseroresesetssssseesiesossesoseseisssssessts 62 4 2 4 DISABLING SSH ON A SPECIFIC INTERFACE 1 0 eeccecceseceseceseeeeeeeeeeeeeeeeaeeeaeesaaecnaecnaeenaeen 63 4 2 5 VIEWING SSH SETTINGS sists i aesccssts casey ccasecevencostevsia natch ibn cueds TEA EARN 63 4 3 MANAGING USERS FOR THE lt NETSECURE 61005 200 00 eccceeseecescceeeeececeeeceseeeeeseseeeenaeees 64 4 3 1 CHANGING YOUR ADMINISTRATOR PASSWORD ecceeeceeeceseeeeeeeeeeeeaeeeaeecaaecaesnaeenaeens 64 4 3 2 ABOUT ADDITIONAL TYPES OF USERS 0 c i ecccceesseceseceseceeceseeeeeeeeeeseaeesaeeeaeecaaecaesaeeaeen 65 4 3 3 CHANGING THE ADMIN R PASS
103. eeesseeeeeees TT 4 7 1 CONFIGURING NTP SETTINGS ccc ccesccssssecsscecesccesnsecssncecssaceencesenaecsensecsseeeenseesenaecseaaeceanees 77 4 7 2 CONFIGURING THE NTP UPDATE INTERVAL 2 0 cece ceccseceececeeeeeesaeceeaaeceeneeceaeeesaaeeneaeeeeeees 78 4 7 3 VIEWING CURRENT NTP SETTINGS 00 occ ccccecccecesecesseeessaeceeeeeceeeessaeceeaaeceeneeceaeessaecseaaeseeees 78 4 7 4 DELETING NTP SERVER IP ENTRIES 0 ccccecccecescesseceeaeceeeeececeessaecseauecseneeceaeeseaaecneaeeseeees 78 4 7 5 CONFIGURING MANUAL UPDATE USING NTP u cece ceccceceeeeeeaeceeaaeceeeeeceaeessaaeeneaaeeeanees 79 4 7 6 MAINTAINING CLOCK SETTINGS WITH NTP 0 c ccc cccccceesceceseeeesaeceesaeceeeeecseeeeaeeneeeeeeeees 79 4 7 7 CONFIGURING THE CLOCK TO USE NTP eeseesessesssssssssssssssssssssesssrsssesssessseesseessressresseess 80 4 7 8 CONFIGURING THE TIME ZONE nyrer iii rii tai a ea Te naa iE A ERER EE AE EEEE S 80 4 8 USING DOMAIN NAME SERVICE DNS scaedivtccctanicetdasselecsiesienstalsstichiancetessaacoecteameiecaane 81 4 8 1 DELETING DNS HOST IP ADDRESSES esessesrressrrssrrsersseersoersoesssersseesseesseesseesseesseesstesseesseees 82 4 8 2 DISPLAYING CURRENT DNS HOST SETTINGS eesesseesesssssssssssssssssssssssssesssesssressressresseess 82 4 9 USING PING a sacets eere ea E eri a e E E E r REES EESE 83 4 10 USING AAT acest aired iiei eean a aA akanan Savansemadsaetatiaaliaat 84 CHAPTER 5 ATTACK DETECTION amp PREVENTION sesseesseesseesseosseesseessee
104. enennateasiesenttnenssdbacenderesevardeenadeendeecuienea iavees 70 45 2 RESETTING THE SOFT WARE cs cicscccvevsstesssiccesscousedvss saccade KENEK HNS KEKENAN tne cuvnabanddeestan cenesaviadess 70 4 5 3 RESTARTING THE lt NetSecure 6100 gt 00 0 cece ceccceceeccesseeceeseeceeneeceeeeesaecseaaeceeneeceaeeesaaeeneaaeeeeees 71 4 6 ADDITIONAL SYSTEM MANAGEMENT TASKS cccccceessccecssssececeessececesessaeeeenssneeeees 12 4 6 1 VIEWING SYSTEM INFORMATION 000 cccceccccsessseceeeeeeeeeeeesaeceeaeeceaeeessaeceeaaeceeaeeceaeessaaeeneaaeeenees 72 4 6 2 CREATING ALIASES wath indsin deci iiid aanieatisbadaneidaciandaiauaiidnaineelaan au neleiieeds 74 4 6 3 DELETING ALIASES scoccare in ea E aN S ts vis cas cS EESTE EE N ER Ea P EERE Eiio 74 4 6 4 VIEWING CURRENT ALIASES 1000 ccccccccccessecsenceceeeessaecesaaeceeneeceaceecsaecseaaecseneeceaeeseaaecseaaeceeees 75 4 6 5 CONFIGURING DOMAIN NAMES 2000 ccccccceseeceeceeseaeeeeaaeceeneeceaeeecaaecseaaeceeneeceaeeseaeceeaaeceeees 75 4 6 6 DELETING DOMAIN NAMES 1 cescscssccsenecssnsecssceensecesececesaccensceesoescseaaecensceenaceseaseceeaseesanees 75 4 6 7 CONFIGURING HOST NAMES 0000 cccccccceccsccessseeseececeeceeesaeceeaaecseneeceaceeesaecseaaecseneeceaeeseaaecseauessnees 76 4 6 8 DELETING HOST NAMEEG ccc c cccccccssscesstasssosessssesesscosscecssscesesssessscessceesesssecsbecsssensesseccesensssanees 76 4 7 USING NETWORK TIME PROTOCOL NTP ccssssccsssssstecesssseececssssesecesssse
105. ess Netmask 10 0 0 0 24 Zone Trust DELETING ADDRESS OBJECTS Use the unset address command to delete an address object unset address zone name_str MODIFYING ADDRESS OBJECTS To modify the name IP address or subnet mask of an existing address object first delete the object then re create the object with the new settings Example Modify an address object Change the name of the address object from MailServer to MailServerNY o unset address trust MailServer o set address trust MailServerNY 10 200 0 0 24 191 Chapter 9 Policy Configuration 9 3 4 Oo save GUI Example Modify an address object o Objects gt Address Objects o Select the following then click Apply Remove MailServer o Objects gt Add Address Objects o Enter the following then click Apply Name MailServerNY IP Address Netmask 10 200 0 0 24 Zone Trust Use the get address command to view all address objects and address groups get address The command displays all objects grouped by their zone membership Use the get address command and specify a zone to view all address objects and address groups in that zone get address zone Use the get address command and specify the zone and object name to view the address object by name get address zone name adr_obj CREATING ADDRESS GROUPS Address groups include multiple address objects Use the set group command with the address option to create an addres
106. esstsdoiespsessessonaneevessessos 101 6 1 LOGGING of ctsasarco aia acess E E A E E E 101 6 2 LOGGING LEVELS cerren aE E E E ome Reereeabers 102 6 3 LOG MODULES 12s assssanssaseivsiasasmeacuuncenusunsisnsenpunieavetcvansnenagedeseaadteaarsaacontgteussiatastereavesssmeaants 103 6 4 TRAFFIC AND EVENT LOG MANAGEMENT sssesesseesseesssseessressersssesssersseessresseeesee 104 6 5 EOG MODUL E SETTINGS rerna a a E E E R 105 631 SETTING LOG MODULES sccis iioii ta ieai EEEE REETAN EEEE E EENE 105 6 5 2 DISABLING LOG MODULE SETTINGS oninia arrora a ee a E E nE EEEE EENE EESE 105 6 5 3 VIEWING THE LOG MODULE SETTINGS eeeeessreesierissirrisserrrssresrssresresressinteesesernsreetestt 106 6 5 4 VIEWING THE TRAFFIC AND EVENT LOG eeesseeserierisrissrrrrssresesresrrsressirrresesrissresesrs 107 6 6 ADMIN MAIL SERVER cs sicccicserpeanqnctieatnndacenusea lieu shaaavessandaceindand Ee E AET ea E Oea ETAPIS 108 6 6 1 CONFIGURE THE SECURITY APPLIANCE TO SEND E MAIL NOTIFICATION USING THEADMIN MATIC OPTION crei iernii preine e enea Ea E Ei 108 6 6 2 DELETING THE ADMIN MAIL SERVER seesssssssesssesssssessessresessrssseseessesntssesuesntesossteseseensessesses 109 6 6 3 REMOVING E MAIL ADDRESSES FROM THE ADMIN MAIL SERVER 109 6 7 a Gr IM AINIAG EIEN Tseng ceateug tne u E E E 110 6 7 1 DELETING THE SYSLOG HOST IP ADDRESS 0 ceeceeeeeeeeeeeeeeeeeeaeesaeesaaesnaeenaeenaeees 111 6 7 2 DISABLING THE SYSLOG HOST LOG OPTIONS 1 0 eee eeeeeeeeeeeeeeeeaeeeaeesaecnaesn
107. et command and entering y at the prompt Log in to the appliance Use the get system command to verify the version of software loaded on the appliance SAVING MOS SOFTWARE TO FLASH MEMORY USING TFTP Use the save software command to upload new mos software using TFTP o save software from tftp ip_addr filename o mos pri sec 67 Chapter4 System Management 4 4 5 4 4 6 4 4 7 SAVING BOOT SOFTWARE TO FLASH MEMORY USING TFTP Use the save software command to upload new boot software using TFTP o save software from tftp ip_addr filename o boot pri sec SETTING THE SOFTWARE AS PRIMARY OR SECONDARY After you upload the new software image to the appliance you must set the image as the primary or secondary software image Use the set image command to set the software as primary or secondary set image mos pri sec GUI Example Setting the software as PRIMARY or SECONDARY o System gt Software o Select Nextboot for the primary or secondary software image SAVING THE CONFIGURATION FILE FOR EXPORT To save the current configuration file to your local workstation use a TFTP server running locally on your machine and use the save config command save config from flash to tftp ip_addr filename GUI Example Saving the configuration file for EXPORT o System gt Configuration o Type the TFTP Server Address o Type the File Name o Select the save configuration button 68 4
108. etSecure 6100 is a Gigabit security appliance that addresses the security requirements of today s high performance networks on the perimeter and interior LAN segments Equipped with an extensive firewall feature set the NetSecure 6100 has the capability to protect network hosts from wide ranging and high volume attacks meant to take network resources offline Features available on the lt NetSecure 6100 gt include m Stateful packet inspection m IPsec VPN m Prevention of 30 DoS and DDoS attacks m Extensive Network Address Translation NAT features including one to one many to one many to many and port address translation PAT 802 1Q VLAN support Granular access control using network objects services and schedules m Zone based security E Secure CLI management using SSH 1 1 ABOUT DOCUMENT CONVENTIONS This section explains the Command Line Interface CLI the browser based graphical user interface WebGUI and the illustration conventions used in this guide Chapter 1 Overview 1 1 1 COMMAND LINE INTERFACE CLI CONVENTIONS The following conventions are used when presenting the syntax of the command line interface CLI m Values inside square brackets are optional m Values inside braces are required m For commands that require a selection from a pre defined list of values each value in the list is separated by a pipe m Variables appear in italic m When a CLI command appears within the conte
109. etwork Address Translation cc eeeeeeeeeeeeeeeeeeeeneeeeeeeeeeeeeees 216 Figure 10 5 Destination Network Address Translation with Address Shifting 000 218 XIV NetSecure 6100 Users Manual Figure 11 1 High Availability Functionality Implemented through Custom Finite State Machines FSM ri sated et acta oa peetetneeeetnenereetn es bactigae te noeeanlel eto gteemisgeentsggesnetneeenetaesa 220 Figure 12 1 Digital Certificate Overview eeeeeececcceeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeaaeeeeeeeeeeeeeeees 228 Figure 12 2 Typical Digital Certificate 0 0 2 2 eeeeeceeeccceeeeeeeeeeeesneeeeeeeeeeeeeeesnnaeeeeaeeeeeeeeeeeas 229 NetSec ure 6100 Users Manual TABLES Table 1 1 Variable CLI Values Used in This Guide c cccceeeceeeeeeeeeeeeeeeeeeeeeeeeeeeneeeeeeeeeees 2 Table 2 1 Console Cable Pin Out sssecccs ecg tesdetlaca betel peccebeseeicelecncacuseap Mee iiavchteiecpiae Maesecetespioaegs 8 Table 4 1 Console Cable Pin out ii ssc teeter ee ewied cee Seep coy iepreebyeewtvey lence vaySeauteey oeveenyieeveuteewady 58 Table 5 1 Network and Operating System Specific AttaCkS cccccccceseeeeeeeeeeeeeeeeeeeneees 88 Table 5 2 DoS and DdoS AUACKS cnccdiciscrntccincuniciuntedcnerasiueedacimnsenceiaaetiuaderasiueBentcewteastiues 90 Table 6 1 Syslog Message Format 00 ceeeceeeeeccceeeeeeeeseeeeeeeeeeeeeeeeeeneaaaaaeeeeeeeeeeeeeenaaaees 112 Table 6 2 System Group sasccccecccisecesscdeccch
110. eway m The peer_cacert all means that the peer can use a CA cert issued by any of the Cas configured on our system m The peer_cert_type is the type of CA certificate that we are expecting the peer to send us 232 Appendix A Pre Defined Service Appendix A Pre Defined Service This appendix lists all of the pre defined services defined on the security appliance including the name protocol port group inactivity timeout and flag id Pre defined services use the protocol numbers listed in Table A 1 Protocols are listed in Table A 2 Table A 1 Pre defined Service Protocol Port Group Timeout min Flag ID 0 65535 other 5190 5191 remote Default Default Pre defined Pre defined BGP 179 other Default Pre defined DHCP Relay 67 info seeking Default Pre defined DNS 17 53 info seeking Default Pre defined 6 79 info seeking Default Pre defined 6 6 6 21 remote 21 remote 21 remote Default Default Default Pre defined Pre defined Pre defined GOPHER 6 70 info seeking Default Pre defined HTTP 6 80 info seeking Default Pre defined HTTPS ICMP INFO 6 1 443 security 0 65535 other Default Default Pre defined Pre defined ICMP TIMESTAMP 1 0 65535 other Default Pre defined 17 500 security Default Pre defined Internet Locator Service 6 389 info seeking Default Pre defined IRC L2TP MAIL NetMeeting 6 6660 6669 rem
111. he device Protocol Displays the protocol or service number number src 64 62 250 2 0 Source IP Displays the source IP address and address and port number of the packet port number dst 64 79 127 67 0 Destination IP Displays the destination IP address address and and port number of the packet port number packet dropped Message txt Displays the log message due to policy deny 112 6 8 6 8 1 Chapter 6 Logging SNMP MIB GROUPS Simple Network Management protocol SNMP is a protocol used by network management systems for monitoring network attached devices for conditions that warrant administrator attention The SNMP agent that resides on the security appliance will allow for SNMP v1 and 2c get functionality The following Management Information Base MIB groups are supported m System group 1 3 6 1 2 1 1 RFC 1213 m Interface group 1 3 6 1 2 1 2 RFC 2233 m Address Translation group 1 3 6 1 2 1 3 m P group 1 3 6 1 2 1 4 RFC 2011 m ICMP group 1 3 6 1 2 1 5 RFC 1213 m TCP group 1 3 6 1 2 1 6 RFC 2012 m UDP group 1 3 6 1 2 1 7 RFC 2013 m Transmission group Ethernet 1 3 6 1 2 1 10 RFC 1643 m SNMP group 1 3 6 1 2 1 11 RFC 1213 SYSTEM GROUP Table 6 2 shows the System Group Table 6 2 System Group Object Name Value Type sysDescr DisplayString sysObjectID OBJECT ID sysUpTime TimeTicks sysContact DisplayString sysName DisplayString
112. he service option to create a service group set group service name_str Use the set group command with the service and add options to add service objects to a service group 199 Chapter 9 Policy Configuration set group service name_str add service_object Example Changing a service TIMEOUT Services HTTP P rt Service Group a ll Figure 9 6 Service Groups Use the following commands to create a service group called Web_Service as displayed in Figure 9 6 o set group service Web_Services o set group service Web_Services add http o set group service Web_ Services add https o set group service Web_Services add dns o save GUI Example Changing a service TIMEOUT o Objects gt Add Service Group o Enter the following then click Apply Name Web_ Services Add http https dns 9 5 2 DELETING SERVICE GROUPS Use the unset group command with the service option to delete a service group unset group service name_str 9 5 3 9 5 4 Chapter 9 Policy Configuration REMOVING SERVICE OBJECTS FROM GROUPS Use the unset group command with the service and remove options to remove a specific service from the group unset group service name_str remove name_str To remove all services in the group use the clear option MODIFYING SERVICE GROUPS To modify a service group you must first remove the service group and all of the service objects Then add the group again with those service objects you w
113. her on a local area network LAN or wide area network WAN The most command use for a router is to connect a LAN to an Internet Service Provider ISP Routing Information Protocol RIP One of the most commonly used interior 240 Appendix B Glossary gateway protocol IGP routing protocols on internal networks and to a lesser extent networks connected to the Internet which helps routers dynamically adapt to changes of network connections by communicating information about which networks each router can reach and how far away those networks are Routing Table Table that contains real time information on all networks available through the router Most routing tables include media access control MAC and IP address information Secure Hash Algorithm 1 SHA 1 A one way hash function This hash function takes variable length messages and formats it to a fixed length using a 20 byte key to produce a 160 bit hash Secure Shell SSH A protocol that enables secure device management SSH is used to securely manage the lt NetSecure 6100 gt Security Association SA A method for creating a virtual private network VPN tunnel The SA includes all of the required security perimeters to secure communication Since this communication is bidirectional two SAs are required to establish communication Security Parameter Index SPI A hexadecimal number used to uniquely define each virtual private network VPN tunnel The SPI determi
114. hreshold is 64 000 CONFIGURING SYN FLOOD PREVENTION A host or multiple hosts that sends a large number of invalid SYN packets can overwhelm network devices This causes network devices to allocate more resources to process the invalid SYN requests leaving fewer resources available to process legitimate traffic requests If you apply rate limits to restrict the number of SYN packets allowed through a zone the appliance detects and protects against SYN flood attacks Use the set zone command with the syn flood attack threshold option to set a limit on the number of SYN packets that a specific zone can receive per second before being dropped set zone zone name screen syn flood attack threshold number 95 Chapter 5 Attack Detection amp Prevention 5 6 4 Example Setting the SYN flood threshold Set the SYN flood attack threshold to 5 000 on the untrust zone o set zone untrust screen syn flood attack threshold 5000 Oo save GUI Example Setting the SYN flood threshold o Policy gt Attack Settings Edit Zone for untrust o Enter the following then click Apply SYN flood attack threshold 5000 CONFIGURING FIN FLOOD PREVENTION Setting a rate limit for FIN packets allows the appliance to detect and prevent FIN flood attacks Use the set zone command with the fin flood attack threshold option to limit the number of FIN packets that a specific zone can receive per second before being dropped set zone
115. ice Transmission Control Protocol Internet Protocol TCP IP A set of communication protocols that defines how a host communicates with another host Hosts can be located on the same local area network LAN or across a wide area network WAN TCP IP allows machines to communicate even if they do not use the same operating system Trivial File Transfer Protocol TFTP A simple form of the File Transfer Protocol FTP that uses User Datagram Protocol UDP to transfer data and provides no security User Datagram Protocol UDP A connectionless protocol that like TCP runs within an IP network UDP runs fewer error checks and is classified as a best effort protocol Uniform Resource Locator URL The standard used to obtain the location of resources or global addresses found on the World Wide Web Unshielded Twisted Pair UTP A standard cable used for telephone lines UTP is also used for Ethernet connections and is often referred to as 10BaseT Virtual Local Area Network VLAN A logical collection of nodes on a network rather than a physical collection It enables the nodes to be in the same broadcast domain even though they might not be located on the same physical switch Users on the VLAN are identified using tags in the frame header and are often referred to in the IEEE standard 802 1Q Virtual Private Networking VPN An easy cost effective way for business to use the public Internet to allow secure remote access into a pri
116. ice custom protocol tcp src port 1 65535 dst port 23005 23005 9 4 3 9 4 4 Oo save GUI Example Adding a custom service object o Objects gt Add Custom Service o Enter the following then click Apply Name telnet_custom TCP Source Port Low 1 Source Port High 65535 Destination Port Low 23005 Destination Port Low 23005 DELETING SERVICE OBJECTS Use the unset command to delete an existing service object o unset service name_str MODIFYING SERVICE OBJECTS To modify the values of an existing service object first delete the object and then re create the object with the new settings Example Modifying a custom service Change the destination port on Telnet_Custom to port 24000 o unset service Telnet Custom o set service Telnet Custom protocol tcp src port 1 65535 dst port 24000 24000 Oo save GUI Example Modifying a custom service 197 Chapter 9 Policy Configuration 9 4 5 o Objects gt Custom Service o Select the following then click Apply Remove telnet_custom o Objects gt Add Custom Service o Enter the following then click Apply Name telnet_custom TCP Source Port Low 1 Source Port High 65535 Destination Port Low 24000 Destination Port Low 24000 CONFIGURING SERVICE TIMEOUTS Set the threshold timeout in minutes for a predefined service or custom service using the set service command with the timeout option set service name_str timeout mi
117. ides users on how to use the manual effectively The manual contains information needed to install configure and operate TAINET s NetSecure 6100 The summary of this manual is as follows Chapter 1 Overview Chapter 2 Getting Started Chapter 3 Security Zones and Interfaces Chapter 4 System Management Chapter 5 Attack Detection and Prevention Chapter 6 Logging Chapter 7 Virtual Private Networks Chapter 8 Routing Chapter 9 Policy Configuration Chapter 10 Address Translation Chapter 11 High Availability Chapter 12 PKI and X 509 Digital Certificates Appendix A Pre defined Service Appendix B Glossary NetSecure 6100 Users Manual Symbols Used in This Manual 3 types of symbols may be used throughout this manual These symbols are used to advise the users when a special condition arises such as a safety or operational hazard or to present extra information to the users These symbols are explained below Warning This symbol and associated text are used when death or injury to the user may result if operating instructions are not followed properly Caution This symbol and associated text are used when damages to the equipment or impact to the operation may result if operating instructions are not followed properly Note This symbol and associated text are used to provide the users with extra information that may be helpful when following the main instructions in this manual NetSec ure 6100
118. ify an existing static route first delete the route and then add a new route entry with the desired route changes Example Modifying a static route Modify the gateway on a previously created static route from 10 0 0 100 to 10 0 0 20 o unset route 10 0 100 0 24 gateway 10 0 0 100 interface ethO o set route 10 0 100 0 24 gateway 10 0 0 200 interface ethO Oo save GUI Example Modifying a static route o Network gt Routing o Select the following then click Apply Remove 10 0 100 0 o Network gt Routing Add o Enter the following then click Apply Network address 10 0 200 0 Netmask 24 Interface ethoO Gateway 10 0 0 100 165 Chapter 8 Routing 8 2 SETTING THE DEFAULT ROUTE If a specific route for traffic is unknown to a server or a routing table the default route forwards all traffic to the default interface you define Use the set route command to define the default route for all traffic set route 0 0 0 0 0 interface interface name gateway ip_addr Example Setting the default route Configure the default route on the appliance in Figure 8 1 to use the ethi interface and a gateway of 4 4 4 1 which is the IP address of the next hop gateway o set route 0 0 0 0 0 gateway 4 4 4 1 interface eth1 Oo save GUI Example Setting the default route o Network gt Routing Add o Enter the following then click Apply Network address 0 0 0 0 Netmask 0 Interface ethot Gate
119. ilable through the lt NetSecure 6100 gt management interface This section includes the following topics Viewing System Information Creating Aliases Deleting Aliases Viewing Current Aliases Configuring Domain Names Deleting Domain Names Configuring Host Names Deleting Host Names VIEWING SYSTEM INFORMATION You can use the get system command to display the following information about the lt NetSecure 6100 gt hardware and firmware Software Version System Uptime Vendor Name Vendor Contact Product Model Product Serial Number MAC Addresses To view system information use the get system command 72 Chapter 4 System Management get system get system system information build version vf2112v2r1b17 build date Tue May 16 18 29 03 UTC 2006 system uptime 01 03 22 manufacture information setting vendor id a n 01 vendor name lt vendor gt vendor contact lt vendor gt manufacture code 00 manufacture date 2006 02 28 12 21 00 UTC product model NetSecure 6100 product serial number 0001 02 0606 0074 ethernet 1 mac address 0 60 26 20 0 94 ethernet 2 mac address 0 60 26 20 0 95 hardware revision number 0 0 resources information flash bootrom size 0x2000000 bytes flash jffs2 size 0x2000000 bytes
120. ime in its log messages This protocol is required for any policies schedules For additional information on schedules refer to Chapter 9 Policy Configuration This section describes how to use NTP with the lt NetSecure 6100 gt in the following topics a Configuring NTP Settings a Configuring the NTP Update Interval a Viewing Current NTP Settings a Deleting NTP Server IP Entries a Configuring Manual Update using NTP a Maintaining Clock Settings with NTP Configuring the Clock to Use NTP a Configuring the Time Zone CONFIGURING NTP SETTINGS To configure the NTP settings used to update the date and time for the appliance use the set ntp server command o set ntp server ip_addr dom_name o 6 primary backup1 backup2 Example Setting the PRIMARY NTP server IP as 207 245 143 147 o set ntp server 207 245 143 147 primary Oo save 77 Chapter4 System Management 4 7 2 4 7 3 4 7 4 GUI Example Setting the PRIMARY NTP server IP as 207 245 143 147 o System gt Date Time o Enter the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can use a fully qualified domain name in place of an IP address CONFIGURING THE NTP UPDATE INTERVAL The lt NetSecure 6100 gt performs an NTP update at regular intervals to check the current date and time The default NTP interval is 60 minutes To configure the NTP update interval use the set ntp server command set n
121. information and click Apply Select the admin user Type old password Type new password Confirm new password 4 3 2 ABOUT ADDITIONAL TYPES OF USERS The security appliance can support one additional user called admin r with read only access to the management interface 4 3 3 CHANGING THE ADMIN R PASSWORD To change the admin r password use the set admin r command set admin r password password_str NOTE You cannot change the user name admin r GUI Example Changing the ADMIN R password o System gt Admin gt Administrators o Enter the following password information and click Apply Select the admin r user Type old password Type new password Confirm new password 4 3 4 VIEWING CURRENT USERS To view users currently logged into the administration console use the get admin command get admin current user Chapter4 System Management 4 4 4 4 1 4 4 2 4 4 3 MANAGING SOFTWARE FOR THE lt NetSecure 6100 gt Before you upgrade the lt NetSecure 6100 gt software make sure that you have the following m You have root privilege to access the appliance You have a console connection or SSH session to manage the appliance m You have an installed and running TFTP server on your computer m An Ethernet connection to the appliance exists You use this connection to transfer software from the TFTP server to the lt NetSecure 6100 gt flash memory m You saved the newest software image t
122. ing the VPN tunnel to not respond or allow traffic to 158 7 4 2 7 4 3 Chapter 7 Virtual Private Networks pass This service interruption could last until the SA lifetime expires if DPD were not used To configure DPD use the set ike command along with the DPD option to set how many missed r u there message are allowed before the VPN tunnel is torn down the rebuilt o setike gateway name_str dpd always send o set ike gateway name_str dpd interval number o setike gateway name_str dpd retry number NAT TRAVERSAL NAT T NAT T allows encrypted VPN traffic to be encapsulated as a UDP datagram using port 500 During phase 1 of the VPN negotiation the VPN appliance s will determine automatically if any device along their path has applied NAT to the VPN packets If NAT is applied along the specific path the VPN appliances will then encapsulate the VPN traffic as UDP datagrams using port 500 To enable NAT Traversal use the set ike command set ike gateway name_str nat traversal PERFECT FORWARD SECRECY PFS PFS is a condition in which an encryption system changes encryption keys often and ensures that no two sets of keys have any relation Unless specified all new p2 proposals defined have PFS enabled To disable PFS you will use the set ike command with the no pfs option to disable PFS for the defined p2 proposal o set ike p2 proposal name_str no pfs preshare o dh_group protocol encryption authe
123. innenenoncninanai n a a a aa 185 92 8 ENABLE POLICY LOGGING iioccccsscecsceassecpseesctetenacctehenescttyecnsceeviens stapsiasnt ER E Ra 188 9 3 CONFIGURING ADDRESS OBJECTS scssscasstacsscesseedensseaassnessacdonnsoaasecassazduaasoarevessvaaceaners 189 9 3 1 CREATING ADDRESS OBJECTS sus sisiescatinssctesieestidan edi ienss E E E aS 189 9 3 2 DELETING ADDRESS OBJECTS sicictestecccdsevivs ves veascedancvtstiedes sugested aiedvre ddzgeatrbsbinave cide oiiae 191 93 3 MODIFYING ADDRESS OBJECTS w ccccccccsisscecssessetvescesonessstsacessdeednesssseadeoscenspensstenseeactensseestanss 191 93 4 CREATING ADDRESS GROUPS amp scsiecdecedaccsriscscdciesscncsanlacertadeabiava dbase tintesutbaverdetibeuasiecderteien 192 9 3 5 DDING OBJECTS TO AN ADDRESS GROUP eee eecceseceseeeseeeeeeeeeeeeaeesaeeeaaesaesnaeenaeenaeees 193 9 3 6 DELETING ADDRESS GROUPS 1 cscccccsideseceseessiecctekoeecoceysnasueesseesseaveienstevsiensetnaotaserrasnecsessesede 194 9 3 7 DELETING ADDRESS OBJECTS FROM AN ADDRESS GROUP eee eeeesseenteeeeeneeneeees 195 9 3 8 ADDING COMMENTS TO ADDRESS GROUPS eeceecceseeeeeeeeeeeeeeeaeesaeesaeesaecsaeenaeenaeen 195 9 4 CONFIGURING SERVICE OBJECTS cssecaccasseiesndesevesunaceiasnvesvaedvhasenasedaseanspanionedercaeeetnens 196 9 4 1 VIEWING PREDEFINED SERVICE OBJECTS 0000 ecceeceeccssceseeeeeeeeeeeseeeeaeeeaeeeaaecnaessaeseaeenaeee 196 9 4 2 CONFIGURING CUSTOM SERVICE OBJECTS eeceeceeccseeseeseeeeseeeseesaeesaaesnaecsaesnaeenaeee 196 94 3 DELET
124. is case the security device acts as a PPPoE client Before setting up the site in this example for PPPoE service you must have the following Digital subscriber line DSL modem and line Account with ISP m Username and password obtained from the ISP Every TCP IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process 54 Chapter 3 Security Zone and Interfaces NOTE When enabling PPPoE the trust interface must be in NAT or Route mode Example To set interfaces and PPPoE o set interface ethernetO zone trust o set interface ethernetO ip 192 168 0 1 24 o setinterface ethernet1 zone untrust o set pppoe interface ethernet1 o set pppoe username name_sir password pswd_str To test your PPPoE connection o set pppoe enable o get pppoe GUI Example To set interfaces and PPPoE 1 Network gt PPPoE gt Edit Enter the following PPPoE information and click Apply o Type Username name o Type Password password o Select PPPoE enable Network gt Interface gt Edit etho Enter the following interface information and click Apply o Select Zone Trust o Select Interface Mode NAT o Type IP Address 192 168 0 1 o Type Netmask 24 Network gt Interface gt Edit eth1 55 Chapter3 Security Zone and Interfaces 6 Enter the following interface information and click Apply o Select Zone Untrust o Sele
125. isc cachecredecaceearissscdssceaceatlavertsdeathuad dace latintesutbavertatetwuaste eccsdiee 160 TAS VIEW AVPN TUNNED sienet aeoiee aanne EEEE EE EENE E ENTERAS EAEEREN NEEE N EE EEEE EE ERES 160 TA 6 VIEW IKE INFORMATION ociscene a aii idii 160 TAT VIEW IKE GATEWAY ij scsntsscaend stesadedd alendeaciiviiins EEE E A a a a aaa 161 74 8 VIEW IKE PHASE 1 PROPOSALS viccssisesccisiesccissssegcsnatti casieten dad iatevesi Darbectessubaasienectiavenenuetibdess 161 149 VIEW IKE PHASE 2 PROPOSALS vic cssscectspivacenststhgceau ied cossited dad A nE NE EEEE ip OERE EER 161 CHAPTER 8 ROUTING sesscsssssscssusocsossicesscsessossosscsossessssorsossecosso sisessossscot ssiissstosi 163 8 1 STAMC ROUTES norn a ae tart E E NS 163 S1 ADDING STATIC ROUTES eiieeii ieii o itae ENEE EEEE ASEE E E aT 164 9 1 2 DELETING STATIC ROUTES isis sussstesctseseesdsrveen senior E E N A ERA EE E FOE TEER EES 165 8 1 3 MODIFYING STATIG ROUTES 0 ssi ccsiesscccssscastccessslescvbssscseusdsaneseranss dese a iaia anii aaa 165 8 2 SETTING THE DEFAULT ROUT Eopsccscsssetastesedssctapiatedetatassiopesassasaad sadsceetaanasadssauedcctaanesecs 166 8 3 DISPLAYING ROUTE INFORMATION cccsscccsecssesssccsseccsecssccssecesenssecssenesencesssencseaees 167 8 4 ROUTING INFORMATION PROTOCOL RIP ccceesceessseeceseeeceeeeeceeeeeceeeeeceteeesnteeeeaaes 169 8 5 CONFIGURING RIP ieee er EEE REA dnphuapesvenadegan E EESE ET EEEN 170 8 6 ENABLING AND DISABLING RIP ON INTERFACES eecceeesceceee
126. ither allow or deny packets to all zones Use the set zone command and specify global as the zone to create a global policy o set policy global src_addr dst_addr srvc permit deny reject NOTE You must configure the src_addr and dst_adar in the global zone Chapter 9 Policy Configuration 9 2 CONFIGURING POLICIES This section describes how to create modify and delete policies This section includes the following topics m Creating Policies m Naming Policies m Reordering Polices m Disabling Policies m Re enabling Policies m Deleting Policies m Viewing Policies 9 2 1 CREATING POLICIES The service type location of end points and policy action are the primary elements of a policy Use the set policy command to create a policy set policy from src_zone to dst_zone src_addr dst_addr srvc permit deny reject tunnel Table 9 1 explains the parameters in the above command Table 9 1 Addresses and Zones Parameter Description src_zone The src_zone and dst_zone objects are used to define the dst_zone direction of the policy and whether the traffic is interzone or intrazone 181 Chapter 9 Policy Configuration src_addr The src_addr and dst_addr are source and destination dst_addr address objects This information is also used for route lookups determining the ingress and egress interface of the policy srvc The srvc object defines the desti
127. ity Zone and Interfaces o Select the following then click Apply Management Option Ping SETTING THE INTERFACE SPEED When you configure the lt NetSecure 6100 gt the interface auto negotiates to 1000Mbps To set the interface to support 100Mbps or 10Mbps use the set interface command with the speed option set interface interface name speed 100Mb 10Mb auto NOTE 100Mbps and 10Mbps half duplex are not supported Chapter3 Security Zone and Interfaces 3 6 3 6 1 AUTHENTICATION USING RADIUS Remote Authentication Dial ln User Service RADIUS authenticates the local users and remote users on a company network RADIUS works as a client server system that keeps the authentication information for users remote access servers and VPN gateways in one database The authentication messages between the RADIUS client and the RADIUS server always use an authentication key This authentication key or shared secret must be configured the same on both the RADIUS server and client Without this key hackers cannot get to the authentication messages HOW THE RADIUS CHALLENGE RESPONSE MODE WORKS In the RADIUS Challenge Response mode there is an additional Challenge Response sequence of messages before the successful completion of user authentication The following example illustrates the Challenge Response authentication mode with RADIUS Figure 3 11 Figure 3 11 RADIUS Challenge Response Message Exchange J efe 3 Perty
128. kstations connected to the etho interface to use the lt NetSecure 6100 gt as their default gateway to the Internet In this configuration the etho interface is connected to the inside LAN Switch and the eth1 interface is connected to your Internet router The etho interface is bound to the zone trust and the eth1 interface is bound to the zone untrust This allows you to manage access control between the zones 10 Chapter 2 Getting Started Figure 2 2 Network Protection Zone Trust Zone Untrust eth IP 10 0 0 1 eth1 IP 4 4 4 1 f o Seburity Appliance T Router NetSecure6100 Gateway Internet f 4 4 4 4 254 Figure 2 2 Network Protection Use the set interface command to assign the zone IP address and netmask to both interfaces as shown in Figure 2 2 Example Configuring Interface ETHO Use the set interface command to bind the ethO interface to the trust zone with an IP address and netmask of 10 0 0 1 24 o set interface ethO ip 10 0 0 1 24 o setinterface ethO zone trust o save GUI Example Configuring Interface ETHO m Network gt Interface gt Edit for eth0O m Enter the following then click Apply o Zone Name Trust o Static IP select this option when present o IP Address Netmask 10 0 0 1 24 Chapter 2 Getting Started 2 2 8 Example Configuring Interface ETH1 Use the set interface command to bind the eth1 interface to the trust zone with an IP address and netmask of 4 4 4 1 24
129. lated source IP address but different translated source ports 211 Chapter 10 Address Translation 10 2 2 CONFIGURING DYNAMIC IP DIP POOLS Use dynamic IP DIP pools to create a pool of IP addresses to use for source NAT policies Use the set interface command with the dip option to create a DIP pool of addresses on the egress interface set interface interface name dip dip id start address end address Addresses in the DIP pool must be on the same subnet as the corresponding egress interface You can create multiple DIP pools created each identified with a different dip id number Use the unset interface command with the dip option to delete a DIP pool from the interface unset interface interface name dip dip id 212 10 3 10 3 1 10 3 2 Chapter 10 Address Translation SOURCE NAT CONFIGURATIONS This section describes two types of source NAT configurations that you can use with this appliance o Source NAT or Many to One with Port Address Translation o Destination NAT and Port Mapping CONFIGURING SOURCE NAT MANY TO ONE WITH PORT ADDRESS TRANSLATION In a source NAT many to one NAT configuration all original source IP addresses on a network translate to a single IP address Figure 10 2 UDP Datagram Figure 10 2 Source IP Address Translation with Port Address Translation Use the set policy command with the nat src option to specify source NAT in the policy In this configuration th
130. mail mail addr1 109 Chapter 6 Logging 6 7 SYSLOG MANAGEMENT The security appliance can generate syslog messages specified for delivery to multiple syslog servers The syslog protocol uses a standard transport mechanism along with a standard format for all messages This allows multiple network devices to send syslog information that can formatted into custom reports Up to three syslog servers can be specified using the set syslog command o set syslog config ip address o set syslog config ip address log all event traffic set syslog config ip address facilities local local1 local2 local3 local4 local5 local6 local7 o set syslog config ip address port port_number Example Configure both traffice and event message to be sent using SYSLOG to a server at IP address 10 0 0 200 with the facility of Local0 o set syslog config 10 0 0 200 o set syslog config 10 0 0 200 log all o set syslog config 10 0 0 200 facilities local Oo save GUI Example Configure both traffice and event message to be sent using SYSLOG to a server at IP address 10 0 0 200 with the facility of Local0 o Logging gt Syslog Settings 2 Enter the following then click Apply Enable Syslog Messages IP Host Name 10 0 0 200 Facility local0 Event Log Traffic Log 110 6 7 1 6 7 2 6 7 3 6 7 4 Chapter 6 Logging DELETING THE SYSLOG HOST IP ADDRESS To delete the syslog host IP address use the unset syslog config
131. ment access to the lt NetSecure 6100 gt use the unset all command to reset the appliance back to factory defaults m If you do not have management access perform a hardware reset which erases the firmware and system settings Although the reset deletes the system configuration file you can access the appliance using the default login credentials Performing a hardware reset to the lt NetSecure 6100 gt removes the current firmware image along with the current configuration file If you have not saved a backup configuration file to the local flash or a workstation on your network you will have to reconfigure the lt Security Applicance RESETTING THE SOFTWARE Through the administration console use the unset all command to reset the lt NetSecure 6100 gt to factory default settings This command erases the current configuration and returns the configuration file to factory default A restart is required after unset all 70 4 5 3 Chapter 4 System Management RESTARTING THE lt NetSecure 6100 gt Through the management interface you can use the reset command to restart the lt NetSecure 6100 gt appliance reset NOTE Choose No when prompted to Save Config GUI Example Restarting the SECURITY APPLIANCE o System gt Software o Select the reboot button 71 Chapter4 System Management 4 6 4 6 1 ADDITIONAL SYSTEM MANAGEMENT TASKS This section describes the additional system management options ava
132. mmunicate with each other Intrazone blocking disables host to host communication within a security zone Use the set zone command with the block option to enable intrazone blocking on a specified security zone o set zone name_str block Example Enable Intrazone blocking on the SALES security zone o set zone sales block Oo save GUI Example Enable Intrazone blocking on the SALES security zone o Network gt Zone gt Edit for Sales o Check the following then click Apply Block Intra Zone Communication Use the unset zone command with the block option to disable intrazone blocking on a specified security zone o unset zone name_str block Exampe Disabling Intrazone blocking on the SALES security zone o unset zone sales block Oo save GUI Example Disabling Intrazone blocking on the SALES security zone o Network gt Zone gt Edit for Sales 20 Chapter 3 Security Zone and Interfaces o Uncheck the following then click Apply Block Intra Zone Communication 3 2 4 VIEWING ZONE CONFIGURATIONS Use the get zone command to display information on all security zones The following information appears for each zone E Zone name The name assigned to the interface m Zone ID The ID number assigned to the zone m Type The security settings on the zone m Intrazone block On or off m Interfaces bound Lists all physical and logical i
133. n the desired logging level and message destination set log module module level all informational notification warning error critical alert emergency debug destination console internal email syslog ssh Example Set the log module for ARP using the log level all with a destination of the console o setlog module arp level all destination console Oo save GUI Example Set the log module for ARP using the log level all with a destination of the console Logging gt Log Settings Select the following then click Apply Module arp Destination Console All DISABLING LOG MODULE SETTINGS To disable the software module settings use the unset log module command unset log module module level all informational notification warning error critical alert emergency debug destination console internal email syslog ssh 105 Chapter 6 Logging 6 5 3 VIEWING THE LOG MODULE SETTINGS To view the log module settings use the get log settings command get log setting Levels 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notification 6 Information 7 Debugging 8 Tracing disabled Module Console Internal Email Syslog Current SSH interface 7 7 service i a ike 5 7 2 6 5 4 Chapter 6 L
134. nation port for the traffic permit The permit action allows traffic matching the policy to pass through deny The deny action drops traffic matching the policy reject The reject action sends a TCP reset to the transmitter tunnel The tunnel action allows the encryption using IPsec of traffic that matches the policy Refer to the following related topics Naming Policies Creating a name or alias to the refer to the policy m Enable Policy Logging Turning policy logging on or off m About Schedules Adding day and time schedules for the policy Example Create a policy Allow FTP traffic from the eth1 interface in the untrust zone to a server with IP address 4 4 4 4 on the ethO interface in the trust zone o set address trust FTPtrust 4 4 4 4 o set policy from untrust to trust any FTPtrust ftp permit Oo save GUI Example Create a policy o Objects gt Add Address Object o Enter the following then click Apply Name FTP Trust IP Address Netmask 4 4 4 4 24 Zone Trust o Policy gt Add Policy 182 9 2 2 Chapter 9 Policy Configuration o Enter the following then click Apply Location Action Permit Source Zone Untrust Destination Zone Trust Source Address Any Destination Address FTPTrust Service FTP NAMING POLICIES Use the set policy command with the name option to add a name when you create the policy set policy name name_str from src_zone to dst_zon
135. nes which key the lt NetSecure 6100 gt uses to encrypt or decrypt packets Simple Network Management Protocol SNMP forms part of the internet protocol suite as defined by the Internet Engineering Task Force The protocol is used by network management systems for monitoring network attached devices for conditions that warrant administrative attention Static Route A user definable route that defines how a packet is to move between a source and destination Static routes are a manual entry that allows administrators to set default route mapping before the beginning of a route These routes work well in networks that have a predictable path for all network traffic Subinterface A logical segment for a physical connection A subinterface allows administrators to split the bandwidth between multiple networks connected to the same physical port On the lt NetSecure 6100 gt the IEEE standard 802 1Q is used to tag and identify the subinterface 241 Appendix B Glossary Subnet A network that shares a common address component Subnets are defined as all hosts whose IP addresses have the same prefix on a TCP IP network Subnet Mask Determines the subnet an IP address belongs to The subnet mask also enables networks to be broken into smaller blocks Syslog A protocol used to generate and send log messages Syslog traffic is usually sent to a host running a syslog daemon allowing collection and storage of log messages from a network dev
136. net to access hosts on a Demilitarized Zone DMZ Original Cestination IP Address Translated Destination IP Address Figure 10 4 Destination Network Address Translation Use the set policy command with the nat dst ip option to specify destination NAT in the policy set policy from zone to zone src_addr dst_addr port nat dst ip nat_addr permit 216 10 5 2 10 5 3 10 5 4 10 5 5 Chapter 10 Address Translation CONFIGURING DESTINATION NAT ONE TO ONE WITH PORT MAPPING Use the set policy command with the nat dst ip and port options to specify destination NAT from a single address and port to a single address and port set policy from zone to zone src_addr dst_addr port nat dst ip nat_addr port prt_nbr permit CONFIGURING DESTINATION NAT MANY TO ONE In a many to one destination NAT configuration a group of destination addresses translates to a single address that the policy specifies Use the set policy command with the nat dst ip option to specify destination NAT in the policy In this configuration the destination address dst_grp is an address group consisting of a subnet address range or multiple hosts set policy from zone to zone src_addr dst_grp port nat dst ip nat_addr permit CONFIGURING DESTINATION NAT MANY TO ONE WITH PORT MAPPING Use the set policy command with the nat dst ip and port options to specify destination NAT from an address group and port to a single add
137. ng then click Apply Primary DNS Server IP Address 206 13 31 12 Example Setting a secondary DNS host IP address as 206 13 28 12 o setdns host dns2 206 13 28 12 Oo save GUI Example Setting a secondary DNS host IP address as 206 13 28 12 o Interface gt DNS o Enter the following then click Apply Secondary DNS Server IP Address 206 13 28 12 81 Chapter4 System Management 4 8 1 4 8 2 DELETING DNS HOST IP ADDRESSES To delete a DNS host IP address use the unset dns command unset dns host dns1 dns2 Example Deleting the secondary DNS host IP address 206 13 28 12 o unset dns2 Oo save GUI Example Deleting the secondary DNS host IP address 206 13 28 12 o Interface gt DNS o Delete the following then click Apply Secondary DNS Server IP Address 206 13 28 12 DISPLAYING CURRENT DNS HOST SETTINGS To display the current DNS host IP settings use the get dns command o get dns host settings 82 4 9 Chapter 4 System Management USING PING To test connectivity to other hosts connected to the lt NetSecure 6100 gt for Internet connectivity use the ping command ping ip _addr dom_name EXAMPLE PING WWW YAHOO COM ping www yahoo com GUI EXAMPLE PING WWW YAHOO COM o System gt Tools o Enter the following then click Apply Diagnostic Tool Ping Ping www yahoo com Chapter4 System Management 4 10 USING TRACEROUTE You can use traceroute to trace
138. ng the get ike gateway command you can view the current IKE information including current id gateway name gateway id mode and proposal information Optionally you can get this information for a specific tunnel by specifying the tunnel name get ike gateway name_str VIEW IKE PHASE 1 PROPOSALS To view the IKE phase 1 proposal information use the get ike p1proposal command Optionally you can specify by name the proposal to view get ike p1 proposal name_str VIEW IKE PHASE 2 PROPOSALS To view the IKE phase 2 proposal information use the get ike p2proposal command Optionally you can specify by name the proposal to view get ike p2 proposal name_str 161 Chapter 8 Routing Chapter 8 Routing This chapter describes the routing options available for configuration on the security appliance This chapter includes the following topics m Static Routes E Setting the Default Route Displaying Route Information m Routing Information Protocol RIP Configuring RIP m Enabling and Disabling RIP on Interfaces m Disable Route Summarization m Enable or Disable Split Horizon m Enable RIP Authentication m Accepting Packets with Non Zero Reserved Fields 8 1 STATIC ROUTES An implicit or explicit route must be defined in the routing table for traffic to move between interfaces on the appliance The destination network interface and gateway define this route Networks that are directly attached to an interface on
139. nterface to a zone set interface interface name zone name_str Example Configuring a subinterface with IP address and zone Use the set interface command to create a subinterface for the VLAN with VLAN id 120 on the physical interface ethO Assign the subinterface to the trust zone with the IP address 192 168 100 1 24 o set interface ethO 120 ip 192 168 100 1 24 o setinterface ethO 120 zone trust Oo save GUI Example Configuring a subinterface with IP address and zone o Network gt Interface gt Edit for eth0O o Enter the following then click Apply VLAN ID 120 IP Address Netmask 192 168 100 1 24 Zone Name Trust DELETING SUBINTERFACES You must remove all policies bound to a subinterface before you can delete a subinterface After you remove all policies use the unset interface command to delete the subinterface 26 Chapter 3 Security Zone and Interfaces unset interface interface name Example Deleting the subinterface ETHO 120 o unset interface ethO 120 Oo save GUI Example Deleting the subinterface ETH0 120 o Network gt Interface gt Remove for eth0 120 o Select the following Are you sure you want to remove Yes Chapter3 Security Zone and Interfaces 3 4 3 4 1 CONFIGURING INTERFACE MODES You can configure interfaces with one of thre interface modes that determine whether the source IP address of traffic is translated to the IP address of the egress interface
140. nterfaces bound to the zone Use the get zone command to display information on a specific zone o get zone interface name Use the get zone all command to display information on all zones o get zone all Figure 1 1 shows an example of the get zone command cli gt get zone ID 0 Type Pre defined Zone global Intra zone block Off Flags IlcmpFrag IcmpLarge FinNoAck SynFlood 65535 FinFlood 65535 IcmpFlood 16777215 FragFlood 16777215 ID 1 Type Pre defined Zone dmz Intra zone block Off Flags IlcmpFrag IcmpLarge FinNoAck SynFlood 65535 FinFlood 65535 IcmpFlood 16777215 FragFlood 16777215 ID 2 Type Pre defined Zone untrust Intra zone block Off Flags lompFrag IempLarge FinNoAck SynFlood 65535 FinFlood 65535 IcmpFlood 16777215 FragFlood 16777215 ID 3 Type Pre defined Zone trust Intra zone block Off Flags IlcmpFrag lcmpLarge FinNoAck SynFlood 65535 FinFlood 65535 IcmpFlood 16777215 FragFlood 16777215 Figure 3 5 Get Zone Command Example 21 Chapter3 Security Zone and Interfaces GUI Example Get Zone o Network gt Zone gt Zone Table Shows current zones available for configuration 3 3 3 3 1 Chapter 3 Security Zone and Interfaces CONFIGURING INTERFACES AND SUBINTERFACES Each physical interface on the security appliance supports up to 100 virtual LANs VLANs for a maximum of 200 total per appliance on two port appliances and 240 on appliances with more than two ports To route VL
141. ntication o lifetime NOTE PFS must be enabled on both ends of a VPN configuration 159 Chapter 7 Virtual Private Networks 7 4 4 7 4 5 7 4 6 REPLAY PROTECTION Replay protection allows the lt NetSecure 6100 gt to check the sequence numbers of the VPN packets to determine if the packet has been received or not If the packet does not fit into a specific number sequence the packet will dropped Replay protection will detect and protect against man in the middle attacks Replay detection is enabled by default on all IKE VPN tunnels To disable replay protection use the set vpn command with the no replay option set vpn name_str gateway gw_address no replay VIEW A VPN TUNNEL To view the current VPN tunnels use the get vpn command You can view all tunnels specified by name or type using the auto or manual options Auto will show all tunnels using IKE while manual will show all Manual Key tunnels get vpn name_str auto manual Example To view the VPN tunnel TO_NEWYORK get vpn to_newyork GUI Example To view the VPN tunnel TO_ NEWYORK o VPN gt IKE Settings o Select the following then click Apply Edit to_ newyork VIEW IKE INFORMATION To view IKE information use the get ike command with the option to view the gateways p1 proposals p2 proposals cookies and id modes 160 7 4 7 7 4 8 7 4 9 Chapter 7 Virtual Private Networks VIEW IKE GATEWAY Usi
142. nutes Use the default service timeout 5 minutes or specify a new threshold Example Changing a service TIMEOUT Increase the timeout on the predefined service FTP from 5 minutes to 15 minutes o set service ftp timeout 15 Oo save You can use the following options to define the additional properties of the service o Code Values and Type for ICMP Services o Timeout Value 198 9 5 9 5 1 Chapter 9 Policy Configuration CONFIGURING SERVICE GROUPS You can use service groups to select a set of service objects and put them into group using a single name After you add service objects to a service group you can apply the services to a security policy thus simplifying administration A service group can consist of pre defined services or custom services Service groups have the following limitations m Service groups cannot have the same name as a pre defined or custom service m You cannot delete a service group until you first remove it from the policy m A service group cannot have another service group as a member m The all inclusive service term ANY cannot be added to groups This section describes how to create modify and delete service groups The following topics are included in this section m Creating Service Groups m Deleting Service Groups m Deleting Service Objects m Modifying Service Groups m Adding Comments to Service Groups CREATING SERVICE GROUPS Use the set group command with t
143. nyo gateway to_newyork proposal encryptaesp2 save GUI Example Modifying an IKE VPN tunnel 154 o VPN gt IKE Gateways Chapter 7 Virtual Private Networks o Select the following then click Apply Remove to_newyork o VPN gt IKE Settings o Select the following then click Apply Remove sfo_nyo o VPN gt IKE Gateway Edit o Enter the following then click Apply Gateway name New_York Remote IPsec Gateway IP 162 198 10 1 Outgoing interface eth1 Phase 1 Proposal encryptaesp1 7 3 3 TRANSPARENT MODE VPN DEPLOYMENT NOTE For information on Transparent Mode see 3 4 4 CONFIGURING TRANSPARENT MODE Figure 7 7 shows a VPN setup between two appliances running in transparent mode 1000 024 eto etri 10 0 0100 10 0 0100 A Management IP Router A IP 1QQ0 5 orkstation A IP Workstation 10 0 0 110 reer 10 0 0 250 172 16 10 024 eto 172 16 10 100 ss Management IP Workstation B IP 172 1810100 472 1610 250 eth1 172 16 10 100 Router B IP 172 16105 Figure 7 7 VPN in Transparent Mode In Figure 7 7 the appliances will be used in transparent mode but will also terminate VPN between two sites 155 Chapter 7 Virtual Private Networks Configuration Elements VF4000 A VF4000 B ethO 0 0 0 0 ethO 0 0 0 0 Untrust Zone eth1 0 0 0 0 eth1 0 0 0 0 Addresses Local_lan 10 0 0 0 2 Local_lan Trust Peer_lan 172 16 10 0 24 Trust 172 16 10 0 24 Peer_lan 10 0 0
144. o configure a manual key VPN set vpn name_str manual local spi remote spi gateway ip addr outgoing interface interface protocol encryption key encryption_key auth authentication key authentication_key Table lists the required parameters to configure one side of a manual key VPN tunnel Refer to the CLI Reference Guide and Command Descriptions for additional manual key parameters Table 7 2 Required Manual Key VPN Parameters vpn name_str VPN Tunnel Name Name that uniquely identifies the VPN tunnel manual Manual key VPN Specifies the tunnel as manual local spi Security Parameter Index SPI Hexadecimal value four remote spi to ten characters in length gateway ip addr IPsec Gateway IP address of fully qualified domain name outgoing interface Outgoing Interface The interface for which the VPN interface tunnel is bound protocol Protocol AH or ESP encryption Encryption DES 3DES or AES 128 192 and 256 key Encryption Key Hexadecimal value 116 characters in encryption_key length 135 Chapter 7 Virtual Private Networks Parameter Description auth Authentication SHA 1 or MD5 authentication key Authentication Key Hexadecimal value 32 characters in authentication_key length Policy Requirements Local Network The local network attached to the lt NetSecure 6100 gt Destination Network Network to which the VPN t
145. o perform user authentication in a separate phase after the IKE authentication or phase 1 exchange The authentication name must match the XAUTH configuration name in order to allow the user to authentication and permit access Firewall A hardware device or software application or a combination of both that provides a system that protects a network segment from unauthorized use usually from Internet hackers Most firewalls are installed to protect users from unauthorized Internet access but can be deployed to create additional network security File Transfer Protocol FTP A protocol used to transfer data over a network or the Internet FTP is commonly used to download or upload files from or to a server Gateway A special purpose device often referred to as a router that transfers IP datagrams from one network to another until they reach their final destination High Availability HA Provides the ability to service end users i e sessions with little or no interruption when failures occur Host Name A unique name that a host on a network is known as and is used to identify the host during data transfers Hyper Text Transfer Protocol HTTP The protocol that the World Wide Web uses HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands 237 Appendix B Glossary Hub A common connection point for multiple devices on a local area
146. o setarp 10 0 0 1 aabbccddeeff Oo save GUI Example Adding a static ARP entry o Network gt ARP Add o Enter the following then click Apply IP Address 10 0 0 1 MAC Address aabbccddeeff Interface ETHO 3 5 3 3 DELETING STATIC ARP ENTRIES Use the unset arp command to remove a static ARP entry unset arp ip addr mac_addr Chapter3 Security Zone and Interfaces 3 5 3 4 3 5 3 5 3 5 3 6 SETTING THE ARP TIMEOUT The default timeout for all ARP entries is 5000 seconds Use the set arp age command to increase or decrease the allowed ARP timeout set arp age number Example Setting the ARP TIMEOUT to 1800 seconds o set arp age 1800 Oo save GUI Example Setting the ARP TIMEOUT to 1800 seconds o Network gt ARP o Enter the following then click Apply ARP Cache Entry Timeout Seconds 1800 ENABLING INTERFACE MANAGEMENT Use the set interface interface name with the management option to turn on the specific interface management options set interface interface name manage http https ping snmp ssh DISABLING INTERFACE MANAGEMENT Use the unset interface interface name with the management option to turn off the specific interface management options Example Allow the ETHO interface to respond to PING set interface ethO manage ping GUI Example Allow the ETHO interface to respond to PING o Network gt Interface gt Edit for eth0 44 3 5 3 7 Chapter 3 Secur
147. o the TFTP server STORING SOFTWARE IMAGE FILES IN FLASH MEMORY The lt NetSecure 6100 gt can store the following software image files in flash memory m New software image Currently saved software image Factory default software image DOWNLOADING NEW SOFTWARE Please contact your sales representative for latest software images UPLOADING NEW SOFTWARE To upload new software for the lt NetSecure 6100 gt 66 4 4 4 Chapter 4 System Management Make sure you have the latest version of software for the appliance This can be obtained from your sales representative Place a copy of the latest software for the appliance into the root directory of the TFTP server program Make sure a TFTP server is running on a PC and the appliance can access it Log in as admin on the appliance using an application such as SSH or HyperTerminal if directly connected through the console port On the appliance enter save software from tftp ip_addr filename mos pri sec where the ip_addr is the IP address of your computer and filename is the file name of the appliance software In addition you must specify either the primary or secondary image location pri sec This will download the image from the TFTP server to the primary or secondary location After saving the image to either the primary or secondary slot execute the set image nextboot pri command to set it as the active image Reset the appliance by executing the res
148. ocol SNMP m Logging m Logging Levels m Log Modules mE Traffic and Event Log Management m Log Module Settings m Admin Mail Server m Syslog Management a SNMP MIB Groups a Configuring SNMP on the NetSecure 6100 6 1 LOGGING Logging is the process of recording and storing information about a specific event On the security appliance a single activity that occurs such as denying a packet from passing through a zone is considered an individual event Since the security appliance will be used to protect network infrastructures it becomes extremely important to record all events showing a possible security problem Logging is an important part of an effective network security policy For example an increased number of denied packets from the same source can show an unauthorized person tried to access your network You can configure your firewall to log a variety of events including denied packets network attacks and IKE information 101 Chapter 6 Logging 6 2 LOGGING LEVELS The security appliance provides many different log messages related to the operation of the appliance including administration configuration changes self generating messages and alarms regarding the operational behavior and attacks The security appliance uses the categories listed below to categorize the different events information Messages Information messages regarding the general operation of the security appliance m Notification Messages
149. ogging VIEWING THE TRAFFIC AND EVENT LOG The security appliance has maximum storage of 2Mb for event logging In the event that the 2Mb limit is reached the security appliance will over write the oldest event logs and replace them with newer events All messages logged will include date and time To view the event log you will use the get log messages command to show the event logs to show all events logged cli gt get log message Jun 09 20 28 58 2006 vendor name id security_ appliance policy 1 17 INFO id 1 proto 1 src 64 62 250 2 0 dst 64 79 127 67 0 packet dropped due to policy deny Jun 09 20 29 05 2006 vendor name id security_ appliance policy 117 INFO id 1 proto 1 src 64 62 250 2 0 dst 64 79 127 67 0 packet dropped due to policy deny Jun 09 20 29 11 2006 vendor name id security_ appliance policy 117 INFO id 1 proto 1 src 64 62 250 2 0 dst 64 79 127 67 0 packet dropped due to policy deny Jun 09 20 29 16 2006 vendor name id security_ appliance policy 117 INFO id 1 proto 1 src 64 62 250 2 0 dst 64 79 127 67 0 packet dropped due to policy deny cli gt NOTE The event logs stored local to the security appliance will be erased if the appliance is powered down or rebooted You should configure a syslog server to collect all logs GUI Example View the traffic and event logs o Reports gt System Log gt Events o Shows the current log messages stored in the flash 107 Chapter 6 Logging 6 6 6 6 1
150. olicy database with the exception of global policy in table format The table appears with the following columns 185 Chapter 9 Policy Configuration ID From To Src address Dst address Service Action State Use the get policy command with the all option to display all policies in the policy database including global policies in table format get policy all The table appears with these columns ID From To Src address Dst address Service Action State Use the get policy command with the id option to display a specific policy get policy id number This command returns the following information about the policy with the specified ID number o get policy id 202 186 E O ID 202 Name Action permit Status enabled From trust To trust Src any Dst any Service any NAT off Schedule N A Chapter 9 Policy Configuration Use the get policy command with from or to option to display all policies that match the src_zone and dst_zone parameters in table format The table appears with the following columns get policy from src_zone to dst_zone ID From To Src address Dst address Service Action State Use the get policy command with the global option to display all global policies in the policy database in table format get policy global Chapter 9 Policy Configuration 9 2 8 The table appears with these columns I
151. oring default routes Chapter 5 Attack Detection amp Prevention Attack Name Description Netbus Attack NetSpy Attack Affects Windows 95 98 and NT operating systems A netbus attack allows hackers to install a Trojan horse that enables them to open and close CD ROM drives start applications and redirect URLs Hackers install a Trojan horse enabling control of a remote system via port 1024 Senna Spy Attack A Trojan horse attack that allows the hacker to take control of a remote workstation via port 13000 Allows the attacker to perform illicit activity on that machine Striker Attack Form of a Trojan horse attack that allows a hacker to crasha system over port 2565 Sub Seven Attack Attackers send a Trojan horse over ports 6667 6711 and 27374 Allows the hacker to perform illicit activities on the remote machine This attack is particularly dangerous because IRC messages can be sent back to the hacker letting them know if the system is up or down Port Scan A hacker sends requests to all ports one at a time to determine whether the port is in use by a system This allows the hacker to take advantage of weaknesses in a specific system Port scanning is used by hackers to gather information about a specific network or range of IP addresses Priority Attack A hacker communicates over port 16969 The hacker drops a Trojan horse to enable illicit activity on a remote machine
152. ote Default Pre defined 6 1701 remote Default Pre defined LDAP 6 389 info seeking Default Pre defined 6 6 25 email 1720 remote 233 Default Default Pre defined Pre defined Appendix A Pre Defined Service Name NFS Protocol Port Group 111 reChapter 1mote Timeout min Default Flag ID Pre defined NNTP 119 info seeking Default Pre defined NTP 123 other Default Pre defined PC Anywhere 5632 remote Default Pre defined PING 0 65535 other Default Pre defined POP3 110 email Default Pre defined PPTP 1723 security Defautl Pre defined Real Media 7070 info seeking Default Pre defined RLOGIN 513 remote Default Pre defined SNMP 17 161 other Default Pre defined SSH SYSLOG TALK TCP ANY TELNET TFTP TRACEROUTE UDP ANY UUCP VDO Live 17 1 17 17 69 remote 0 65535 other 0 65535 other 540 remote 7000 7010 info seeking Default Default Default Default Default Pre defined Pre defined Pre defined Pre defined Pre defined WINFRAME 1494 remote Default Pre defined X WINDOWS 6000 6063 remote Default Pre defined Table A 2 Protocols Protocol Protocol Number TCP UDP 17 ICMP 1 Appendix B Glossary Appendix B Glossary 1000Base T The specification that describes the use of Gigabit Etherne
153. piias E R EEE 119 6 83 12 UDP LISTENER cresen eenaa cose Ee er EE E E AEE chateadl EEEE EE EEES 119 6 8 13 SNMP GROUP seeriates aoire iee r E E EE E NE E EErEE ETT 119 6 8 14 TRANSMISSION GROUP DOT3STATS seeseesseeeesesreesrsresserrisserrrssresissresresresenteesesriesresteses 120 6 8 15 TRANSMISSION GROUP DOT3COLLISION 0 eens ceseceeeceseeeeeeeeneeeaeeeaeeeaaesnaeseaeenaeee 121 6 9 CONFIGURING SNMP ON THE SECURITY APPLIANCE cee cecccecesceeeeseeeeeeeeeees 122 6 9 1 ENABLING SNMP ON A SPECIFIED INTERFACE 0000 ceeceecceseceseeeeeeeeeeeeaeeeaeesaaecnaeenaeenaeees 122 6 9 2 CONFIGURING THE SNMP COMMUNITY STRING seeesseesereeresrrsrrsrrerrsressrrrresersresresresrs 123 6 9 3 CONFIGURING THE SNMP LISTENER PORT eeseeeseressierissrrrrssresrssresresressirrensessresreseste 123 6 9 4 CONFIGURING THE SNMP SYSTEM NAME eseriesieriesirrissrrrrssrrsrssrreresressesressesreesreseests 124 6 9 5 DELETING THE SNMP SYSTEM NAME 1 cc cccecssecsseceeceseceseeeseeeseeeeeeseneeeaeesaeecaesnaeenaeenaeens 124 6 9 6 CONFIGURING THE SNMP SYSTEM LOCATIONS 1 ceeceecceeeeeeeeeeeeeeaeeeaeeeneesnaeenaeenaeees 124 6 9 7 DELETING THE SNMP LOCATION cc ccccccccccestsessteseeseesasensseessceedecsstesseessrensnensnessoeesseeteneeseeess 124 6 9 8 CONFIGURING THE SNMP SYSTEM CONTACT ee ceeceeecsseeeeeeeeeeeeaeeeaeesaecnaeenaeenaeees 124 6 9 9 DELETING THE SNMP SYSTEM CONTACT ou ccceccesceseceseceseceeeeeeeeeeeeseaeeeaeesaeecaesnaesnaeenaeees 125 6 9 10 VIEWING
154. priority for node 1 o HA gt Configuration o Enter the following HA information then click Apply Set HA Priority 10 Set hb interval 1000 Set hb threshold 3 Set grat arp 4 GUI Example Set HA priority for node 2 o HA gt Configuration o Enter the following HA information then click Apply Set HA Priority 20 Set hb interval 1000 Set hb threshold 3 Set grat arp 4 224 Chapter 11 High Availability GUI Example Set HA configuration synchronization o HA gt Config Sync o Select the HA Configuration Synchronization button GUI Example Display the HA link information o HA gt Information 225 Chapter 12 PKI amp X 509 Digital Certificates Chapter 12 PKI amp X 509 Digital Certificates This chapter describes the Public Key Infrastructure PKI and X 509 Digital Certificates feature It includes the following topics m About Public Key Infrastructure and X 509 Digital Certificates m PKI Basics 8 CLI Commands 12 1 ABOUT PUBLIC KEY INFRASTRUCTURE AND X 509 DIGITAL CERTIFICATES PKI is designed to be used with IPSec instead of PSK and Manual Key Although complex to set up it provides a higher level of security Different ways to use PKI include m Use of self signed certificate m Use a Certificate Authority E Certificate revocation lists Chain validation 227 Chapter 12 PKI amp X 509 Digital C ertificates 12 2 PKI BASICS PKI arrangements enable users to be
155. quired pin out for the console cable used to manage the lt NetSecure 6100 gt Table 4 1 Console Cable Pin out Female 2x5 Header Female DB9 a en ee ee O OIN oO o1 oO o gt z O Chapter 4 System Management 4 1 2 ACCESSING THE CONSOLE You must initially configure the lt NetSecure 6100 gt through the console interface For administration console access you must connect the null modem cable included in the packaging to configure the lt NetSecure 6100 gt 4 1 2 1 1 To access the console 1 Connect the female 2x5 header of the modem cable to the lt NetSecure 6100 gt 2 Connect the other female DB9 connector to a serial interface on the laptop or desktop machine 3 To access the lt NetSecure 6100 gt management interface you will need to launch a terminal emulation program Hyper Terminal by Hillgraeve Inc is a suitable terminal emulation program and is included on most versions the Windows operating system The default login credentials are admin and password 4 Enter the following port settings o Baud Rate 38 400 o Parity No o Data Bits 8 o Stop Bits 1 o Flow Control None 5 Press Enter to see the login prompt 6 At the login prompt type admin 7 Atthe password prompt type admin NOTE If you log into the lt NetSecure 6100 gt for the first time use the default login credentials If you changed your password use the login name admin and you
156. r new password 59 Chapter4 System Management NOTE Information for long commands might display incorrectly if the console window is resized to larger than 80 character columns RE ENABLING THE CONSOLE INTERFACE To re enable the console interface after it is disabled use the unset console command unset console disable VIEWING CONSOLE INTERFACE SETTINGS To view current console interface settings including users who are logged in and to display information for the console interface use the get console command get console SETTING THE CONSOLE DISPLAY Use the set console command to set the number of lines to display without a break If the page display number is set to 0 no page breaks are used when information is displayed The default display number is 22 lines for each page set console page number Example Setting the Console Page display to 50 o set console page 50 Oo save SETTING THE CONSOLE TIMEOUT To set the inactivity value for the console interface use the set console command with the timeout option The timeout value is represented in minutes 60 Chapter 4 System Management The default inactivity timeout is 10 minutes set console timeout number Example Setting the Console TIMEOUT to 15 minutes o set console timeout 15 Oo save EXITING THE CONSOLE To exit the console type exit Chapter4 System Management 4 2 4 2 1 4 2 2 4 2 3 USING SSH TO MANAGE T
157. r than 65 536 Since IP allows fragmentation an attacker could send multiple IP packets that when assembled are larger than 65 536 This causes systems to crash or freeze Teardrop Attack An attacker sends a large data packet in need of fragmentation This fragmentation enables the attacker to set an offset at the beginning of the packet allowing the end machine to reassemble the large packet During reassembly the hacker uses a confusing offset that might crash the Chapter 5 Attack Detection amp Prevention Attack Name Description receiving machine or cause it to go offline UDP Bomb Enable hackers to craft packets with illegal values in certain fields If these packets reach older machines these illegal packets might crash the machine WinNuke A DoS attack targeted at machines running Windows Using the NetBIOS port 139 an attacker sends a TCP packet with an urgent URG flag to a host with an established connection causing the Windows machine to crash Chapter 5 Attack Detection amp Prevention 5 5 PREVENTING NETWORK PORT ATTACKS Using the global zone you can configure the security appliance with additional port attack prevention that will be enabled or disabled on the global zone Use the set policy command to enable detection and prevention of network port attacks set policy global port attacks attack_str You can use the following specific port attacks in the set policy command
158. ress and port set policy from zone to zone src_addr dst_addr port nat dst ip nat_addr port prt_nbr permit CONFIGURING DESTINATION NAT MANY TO MANY Use the set policy command with the nat dst ip option to specify destination NAT that translates a group of destination addresses to an address from a specified address range 217 __ Chapter 10 Address Translation set policy from zone to zone src_addr dst_grp port nat dst ip nat_addr_begin nat_addr_end permit The NAT address range is specified by nat_addr_begin and nat_addr_end Destination NAT in a many to many configuration employs address shifting to translate the first destination address in an address range to the first address from the destination NAT range The translated addresses maintain consistency Refer to Figure 10 5 for an example Original Destination IP Address Transiated Destination IP Address Src IP Dst IP Src IP Dst IP a aa J gt aa Src IP Dat IP Src iP Dst IP 5 5 5 5 444 2 5 5 5 5 10 0 0 2 Src IP Dst IP Src iP Dst IP 5 5 5 5 4443 5 5 5 5 10 0 0 3 al Figure 10 5 Destination Network Address Translation with Address Shifting 218 Chapter 11 High Availability Chapter 11 High Availability This chapter describes the High Availability feature It includes the following topics About High Availability m Software Architecture overview mE CLI Commands m HA Configuration 11 1 ABOUT HIGH
159. rity Zone and Interfaces VLAN interfaces and Zones This will give an administrator the ability to filter various source dest address s zones based on the VLAN ID 3 4 4 2 3 CLI Configuration o set interface ethO ip 0 0 0 0 0 o set interface ethO transparent o set interface ethO zone trust o set interface eth1 ip 0 0 0 0 0 o set interface ethO transparent o set interface eth1 zone untrust o set interface br0 5 ip 10 2 1 1 24 o set interface br0 5 zone ManageNet o set interface br0 5 manage ssh ping o set route 0 0 0 0 0 interface brO gateway o unset transparent bypass vlan policy o set zone name ManageNet o set zone name Engineering o set zone name Accounting o set zone name Finance o set zone name Lab o set zone name Sales o set address Finance webserver 192 168 200 10 32 set address Accounting SQLServer 192 168 100 100 32 37 Chapter3 Security Zone and Interfaces 3 4 4 3 o set transparent vlan Engineering tag 100 zone Engineering o set transparent vlan Accounting tag 200 zone Accounting o set transparent vlan Finance tag 300 zone Finance o set transparent vlan Lab tag 400 zone Lab o set transparent vlan Sales tag 500 zone Sales o set transparent vlan ManageNet tag 5 zone ManageNet o set policy from Engineering to Lab any any any permit o set policy from Lab to Engineering any any ssh permit o set policy from Sale to Finance any webserver http permit o set policy from S
160. rnet0 Enter the following then click Apply Zone Name Trust IP Address Netmask 192 168 100 1 24 Interface Mode NAT Network gt Interface gt Edit for eth1 Enter the following then click Apply Zone Name Untrust IP Address Netmask 162 198 10 1 24 Chapter 7 Virtual Private Networks Addresses VPN Objects gt Address Objects gt Add Object Enter the following then click Apply Name ny_local IP Address Netmask 192 168 100 0 24 Zone Trust Objects gt Address Objects gt Add Object Enter the following then click Apply Name sf_destination IP Address Netmask 10 0 0 0 24 Zone Untrust VPN gt Phase 1 Proposal Edit Enter the following then click Apply Name encryptaesp1 Authentication Method PSK DH Group Group 5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 VPN gt Phase 2 Proposal Edit Enter the following then click Apply Name encryptaesp2 PSF PSF Group5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 Seconds 28800 VPN gt IKE Gateway Edit Enter the following then click Apply Gateway name to_sanfrancisco Remote IPsec Gateway IP 4 4 4 1 Outgoing interface eth1 Phase 1 Proposal encryptaesp1 149 Chapter 7 Virtual Private Networks Routing O O Policies Network gt Route Add Enter the following then click Apply Network Address 0 0 0 0 Netmask 0 Interface eth1 Gateway 162 198 10 254 Policy gt
161. rs which may be infringed by the Products or the promotion marketing sale or resale or servicing thereof in the Territory but TAINET makes NO WARRANTY EXPRESS OR IMPLIED WITH RESPECT THERETO NetSec ure 6100 Users Manual CONTENTS 1 1 ABOUT DOCUMENT CONVENTIONS ssssiscssccisssevensasneenitataaseesabitvedsasdaca sunnesed sannsecabasanendiaste 1 1 1 1 COMMAND LINE INTERFACE CLI CONVENTIONS 00 cee cee eecceeeeeeneeeeeeeeeaeecnaeenaeenaeenaeees 2 1 1 2 BROWSER BASED GRAPHICAL USER INTERFACE WEBGUI CONVENTIONS 3 1 1 3 ILLUSTRATION CONVENTIONS cerveses eeN eene EEE EEEN EE E E ae 4 CHAPTER 2 GETTING STARTED eeseessereeeoescerceeooeseesoesoesoeeooroeeooesoeeoesoesoeeoesoeeeese D 2 1 BEFORE Y OU TINS CAL ssiesasacstnuniansessansnwvanianveceupeinancseoseantaranasionsesasareteenieercneaueanavine 5 24 1 INSTALLATION PRECAUTIONS tcisseeccsscceesttisavesa tases ateiaveervasatestibeaserarasdedsdnesatGetvesatdeavtuaieeacaddedeaee 5 2 1 2 WHAT YOU MUST KNOW FOR INSTALLATION 1 ccccccccessseecessseeeceeseeeeeseeeeeeessseeeeessseeaeens 6 2 2 INSTALLING THE lt NETSECURE 6100 gt scciisssssccssseaces inatasecvaidsswciaitaadiarracausselesaibaciaeecaalbneeaiauts 7 2al CONNECTING THE POWER seriinin e n n TEE AEEA OER EEN 7 2 2 2 CONNECTING THE lt NetSecure 6100 gt TO OTHER NETWORK DEVICES cccccccceeseeees 7 2 2 3 CONFIGURING THE lt NetSeure 6100 gt ccccccccssecessssceceeseeeceeseaa
162. rsresresreserrissrertesreee 135 CREATING SECURITY POLICY WITH THE VPN TUNNELS 136 DELETING MANUAL KEY VPN TUNNELS 1 0 ccceescesseesnseceseceaeceaecsseeseeeeeeeseneeeaeeeaaeeaaes 144 X NetSecure 6100 Users Manual 7 2 4 MODIFYING MANUAL KEY VPN TUNNELS 0 eeceeceeeeeeeeeeeeeeeeeeaeesaeesaaesaesnaeseaesnaeen 144 1 3 CONFIGURING INTERNET KEY EXCHANGE gscscssssicassess cccesasndesasesecascpesonccegaaecdeesexedeess 145 7 3 1 CREATING IKE PHASE 1 AND PHASE 2 PROPOSALS eeeeeereeresrrerierrerrsriresrrrrssresresress 145 7 3 2 CONFIGURING AN IKE TUNNEL USING A PRE SHARED SECRET 1 eee eeeeeeteee 147 7 3 3 TRANSPARENT MODE VPN DEPLOYMENT 0 ccc ceeceecceseeeseeeeeeeeeeeeeeeeaeeeaeecaeesnaeenaeeeaeenaeen 155 7 3 4 CONFIGURATION OB VE A iccisctssiscnsdiaeecs cessrecbesaccivisssnsvnsecadatesdeestnedas eodiedendaannabisebipaaentebareaeee 156 7 35 CONFIGURATION OF VE Boissccisssiacestssesseesvissecversiaaci cheen sovtye onncevvians steal aunt cosa esblphbnecsevaaie Ra 157 74 ADVANCED VPN CONFIGURATION OPTIONS 0 cccceeccecesseeceeececeeeeeceeeeeceteeeseeeeesaes 158 14 1 DEAD PEER DETECTION DPD s cisisscdgviscciieet din cti tenes aaea E a ES 158 742 INAT TRAVERSAL NALLT csc cessiascteceedvecteseuivs ves eva cceduncvbetiesden sageatol atedvre ddegearbatinavecidiateenieeneedive 159 7 4 3 PERFECT FORWARD SECRECY PES 0 cecesceseceseceseceseceseeseeesseeseneseaeeeaeesaeesaaecaeseaeeeaeenaeee 159 ThA REPLAY PROTECTION i cdesccccc
163. rver command and specify the auth_name used to configure the RADIUS server name unset auth server auth_name CONFIGURING THE RADIUS SHARED SECRET To configure the RADIUS shared secret use the set auth server radius command with the secret option 3 6 2 4 3 6 2 5 3 6 2 6 3 6 2 7 Chapter 3 Security Zone and Interfaces set auth server auth_name radius secret password_str CONFIGURING THE RADIUS PORT To configure the RADIUS port use the set auth server radius command with the port option set auth server auth_name radius port value NOTE The acceptable value for the RADIUS port is in the range 102465535 CONFIGURING THE RADIUS TIMEOUT To configure the RADIUS Retry Timeout use the set auth server radius command with the timeout option set auth server auth_name radius timeout value NOTE The acceptable value for the RADIUS timeout is in the range of 3 180 seconds CONFIGURING THE RADIUS RETRY To configure the RADIUS Retry use the set auth server radius command with the retries option set auth server auth_name radius retries value NOTE The acceptable value for the retry is in the range 1 30 CONFIGURING THE RADIUS SRC INTERFACE To allow the security appliance to communicate with the RADIUS server a source interface must be specified To configure the RADIUS SRC Interface use the set auth server command with the src interface option set auth server auth_name src interface interf
164. s of the vsd group Used to preempt the primary node and take over the role of primary node Sets HA parameters Sets interface parameters 221 Chapter 11 High Availability 11 4 11 4 1 HA CONFIGURATION CONFIGURING THE PRIMARY AND SECONDARY IP ADDRESSES FOR THE INTERFACE NOTE etho is the LAN side and eth1 is the WAN side On Node Designated primary o setint ethO ip 192 168 1 1 24 o set int ethO manage ip 192 168 1 101 24 o setintethi ip 1 1 1 1 24 o setint ethi manage ip 1 1 1 101 24 Similary on Node 2 Designated secondary o set int ethO ip 192 168 1 2 24 o setint ethO manage ip 192 168 1 102 24 o setint eth ip 1 1 1 2 24 o setint ethi manage ip 1 1 1 102 24 NOTE manage ip on eth1 is only required to manage the appliance from the WAN side If no management is required from the WAN side then only one IP Address is required on the WAN side On Node 1 set ha interface ethO wan port eth1 peer ip 192 168 1 102 Similarly on Node 2 set ha interface ethO wan port eth1 peer ip 192 168 1 101 GUI Example Configuring the primary and secondary IP addresses for the 222 11 4 2 Chapter 11 High Availability interface Network gt Interface Select edit ethO interface Enter the following address information then click Apply Type eth0 IP address 192 168 1 1 Type ethO Netmask 24 Type ethO manage ip 192 168 1 101 Network gt Interface Select edit eth1
165. s possible through the additional lookup parameter activated in the Policy engine when configured in this mode The VLAN tag id which is bound to a zone and through proper configuration prompts the lt NetSecure 6100 gt to inspect the VLAN 35 Chapter3 Security Zone and Interfaces traffic and be on the lookout for the 802 1q header The lt NetSecure 6100 gt then correlates the q tag to the configured Zone and applies the policy engine to this packet In Figure 3 10 the lt NetSecure 6100 gt is deployed in an environment with 5 existing VLAN networks which represents 5 different departmental networks o VLAN 100 Engineer o VLAN 200 Accounting o VLAN 300 Finance o VLAN 400 Lab o VLAN 500 Sales To further secure management traffic an additional VLAN network is created solely for management access This is done by creating a sub interface for brO In this scenario we will create a VLAN called br0 5 Figure 3 10 Transparent Mode with VLAN Filtering Eth br0 5 Managemert 10 2 1 1 24 Zone Routed Mode VLAN br0 5 10 2 1 0 24 Zone ManageNet VLAN 100 10 0 1 0 24 Zone Engineering VLAN 200 192 168 100 0 24 Zone Accounting VLAN 300 192 168 200 0 24 Zone Finance VLAN 400 172 27 16 024 Zone Lab VLAN 500 10 0 200 0 24 Zone Sales Figure 3 10 Transparent Mode with VLAN Filtering In Figure 3 10 the lt NetSecure 6100 gt will be in Transparent mode with multiple 36 Chapter 3 Secu
166. s OD 5 1 NETWORK ATTACKS ene n a a E EER A A ES 85 52 ALTACK STAGES se cee acacia iea E A AR E E E A E E 87 NetSecure 6100 Users Manual 5 3 DETECTINGAN ATTACK orenean e e E E E a 88 5 4 ABOUT DENIAL OF SERVICE DOS AND DDOS ATTACKS 00 eeeceeesneeeeteees 90 5 5 PREVENTING NETWORK PORT ATTACKS cscsscsicncincaacsaveadsavesndeessvecacsseiagbansactacceeteiaseees 92 5 6 CONFIGURING THE lt NETSECURE 6100 gt TO DEFEND AGAINST DOS AND DDOS ATTACKS cisien N E EAS EEEE RR sans RARE AE EARE RA EREE RE E EEEE 94 5 6 1 CONFIGURING ICMP FLOOD PREVENTION 0 cscecssecseceseceseceseceeeesseeeseeseeeseneeeaeeeaeeenaes 94 5 6 2 CONFIGURING UDP FLOOD PREVENTION o oo eececsseceeceseceseceeceseeeeeeeseeseneseneeeaeeeaaeenaee 95 5 6 3 CONFIGURING SYN FLOOD PREVENTION cee eececsessecsseceseceaeeeaeenseeeseeeseeeeeeeeaeeeaeeeaeeenaes 95 5 6 4 CONFIGURING FIN FLOOD PREVENTION eeecsceescecnseceseceaeeeseeeseeeseeeseeseeeseaeeeaeeeaaeenaes 96 5 6 5 CONFIGURING IP FRAGMENT PREVENTION uo cee eccecssecsseceeceseeeseceeeeseeeseeseneseneeeaeeenaeenaes 97 5 6 6 CONFIGURING TCP FIN NO ACK ooo ceceeeeseseeeseeeseeeseecsaecaaecaecesecssecsseesseesseeseneseneeeaaeeaaeenaes 97 5 7 ADDITIONAL ATTACK DETECTION AND PREVENTION ceccceseseeeeeseeeeeteeeeneees 99 5 8 VIEWING ATTACK SETTINGS sicesccssccosisssavtccduvactocasiguteacsasaasensasnsded nagsedetasusiacvssesdadaiaeeace 100 CHAPTER 6 LOGGING iecssssssssacscscscccesscassasivosacssunsstaceaseasacec
167. s group set group address zone grp_name 192 9 3 5 Chapter 9 Policy Configuration DDING OBJECTS TO AN ADDRESS GROUP Use the set group command with the address and add options to add an address object to an address group set group address zone grp_name add adr_obj The following limitations apply to address groups m Address groups cannot have the same name as an address object m if the policy database references an address group you cannot delete the address group until you first remove it from the policy database m One address group cannot have another address group as a member Example Creating an address group Figure 9 5 Address Groups Address Objects n N Address Group pa z i Figure 9 5 Address Groups To create the address objects and address group in Figure 9 5 follow these steps o set address trust Finance_Subnet 10 0 1 0 24 o set address trust Mktg_Subnet 10 0 2 0 24 o set address trust Sales Subnet 10 0 3 0 24 o set group address trust New_York_Office o set group address trust New_York_Office add Finance_Subnet o set group address trust New_York_Office add Mktg_ Subnet 193 Chapter 9 Policy Configuration 9 3 6 set group address trust New_York_Office add Sales_Subnet save GUI Example Creating an address group Objects gt Add Address Object Enter the following then click Apply Name Finance_ Subnet IP Address Netmask 10 0 1 0
168. sn tebe es doesutbditesdasties 20 3 2 4 VIEWING ZONE CONFIGURATIONS 000 eeceesceeseeeseeescecaeceaecsseenseeseesseeeseeseeeseaeeeaaeeaeeenaes 21 3 3 CONFIGURING INTERFACES AND SUBINTERFACES 00 eco ceecceeeceeeeeeeeeseeeseneeeenaeees 23 3 3 1 CONFIGURING INTERFACES joissce dsitesdelatens dessiasiscnrnscnttivescel E EES 23 3 3 2 BINDING INTERFACES TO A SECURITY ZONE cei eeceeseceseceseceneceeeeeeeeeeeeeseeseaeeeaeeeaeeeaaes 24 3 3 3 MOVING INTERFACES BETWEEN SECURITY ZONES 1 00 ceeceeceseceseceseeeeeeeeeeseneeeaeeeaeeenaes 25 3 3 4 CONFIGURING SUBINTERFACES 0000 ceeceecseseeeseeeeeeseecsaecaecsaecsaecssecsseeseeesseeseeeseneeeaeeeaaeenaes 25 33 5 DELETING SUBINTERFACGES eco iyssevesczesovgessanstacddeeraen atevessstest asta Aaa AKEE EEEE i Aii 26 NetSecure 6100 Users Manual 3 4 CONFIGURING INTERFACE MODES wssisccastcasinsesastaceantsessentisntssasdnasesadboustedansuncssscsesuesnceny 28 3 4 1 CONFIGURING NAT ENABLED MODE 1 eicceccceceeseesceenseceneceaecesecesecsseeseeeeseeseneseneeeaeeeaaeenaes 28 342 CONFIGURING ROUTE MODE oeiee erica ieas EEE A EREE E EEEN E 29 3 4 3 VIEWING INTERFACE INFORMATION cccccsscesseessseenssessonececesseesseeesscesseesseeseseonacoeaaeeaatonae 31 3 4 4 CONFIGURING TRANSPARENT MODE ccc ccceesceescesseecscecsseceaeceaecnaecnseeeeeeeeeeeeeseaeeeaeeeaaeeaaes 32 3 5 ADVANCED INTERFACE SETTINGS scssisasaccccsasseassesnsiadsasnases sostanedassnosenssnated snatavantsadesdeos 41 3 5 1
169. snmpInReadOnlys Counter32 snmpInGenErrs Counter32 snmplnTotalReqVars Counter32 snmpInGetResponses Counter32 snmplinTraps Counter32 snmpOutTooBigs Counter32 snmpOutNoSuchNames Counter32 snmpOutBadValues Counter32 snmpOutGenErrs Counter32 snmpOutGetRequests Counter32 snmpOutGetNexts Counter32 snmpOutSetRequests Counter32 snmpOutGetResponses Counter32 snmpOutTraps Counter32 snmpEnableAuthenTraps INTEGER snmpSilentDrops Counter32 snmpProxyDrops Counter32 6 8 14 TRANSMISSION GROUP DOT3STATS Table 6 15 shows the Transmission Group DOT3STATS Table Table 6 15Transmission Group DOT3STATS Table Object Name Value Type dot3StatsIndex INTEGER dot3StatsAlignmentErrors Counter32 dot3StatsF CSErrors Counter32 dot3StatsSingleCollisionFrames Counter32 dot3StatsMultipleCollisionFrames Counter32 120 Chapter 6 Logging dot3StatsSQETestErrors Counter32 dot3StatsDeferredTransmissions Counter32 dot3StatsLateCollisions Counter32 dot3StatsExcessiveCollisions Counter32 dot3StatsInternalMacTransmitErrors Counter32 dot3StatsCarrierSenseErrors Counter32 dot3StatsIndex INTEGER dot3StatsAlignmentErrors Counter32 6 8 15 TRANSMISSION GROUP DOT3COLLISION Table 6 16 shows the Transmission Group DOT3COLLISION Table Table 6 16 Transmission Group DOT3COLLISION Table Object Name Value Type dot3CollCount Counter32 dot3CollFrequencies Counter32
170. sp aes128 key 1111222233334444 auth sha 1 key 11112222333344445555666677778888 Oo save 7 3 7 3 1 Chapter 7 Virtual Private Networks CONFIGURING INTERNET KEY EXCHANGE Internet Key Exchange IKE VPN uses a pre shared secret to allow the creation of a VPN tunnel between two or more VPN appliances During the IKE negotiation phase the pre shared secret creates keys that encrypt and decrypt packets Unlike manual key implementations IKE VPNs have an SA lifetime This lifetime determines when the current keys being used for encryption and decryption expire After the SA expires the IKE session uses the pre shared secret to randomly generate new keys for the encryption and decryption process At a minimum you need to define an IKE Phase 1 proposal IKE Phase 2 proposal IKE gateway and security policy in order to configure an IKE VPN tunnel using a pre shared secret CREATING IKE PHASE 1 AND PHASE 2 PROPOSALS Use the set ike p1 proposal or set ike p2 proposal commands to create an IKE Phase 1 proposal or IKE Phase 2 proposal respectively o set ike pi proposal name_str preshare dh group protocol encryption o set ike p2 proposal name_str dh_group protocol encryption authentication lifetime o set ike gateway name_str ip address str mainjaggressive outgoing interface name preshare name_str proposal p1_name o set vpn name_str gateway gw_name proposal p2_name Table 7 5 shows the require
171. t Security Policies a Configuring Policies a Configuring Address Objects a Configuring Service Objects a Configuring Service Groups E About Schedules ABOUT SECURITY POLICIES A policy allows denies or rejects specific traffic based on the source destination and service type sent in a single direction between two end points The unidirectional nature of policies requires that two policies are configured for traffic that is initiated from either side of two end points ABOUT TRAFFIC FLOW AMONG POLICIES The default behavior of the appliance is to deny traffic from one zone to another To permit communication from one zone to another you must configure a policy After you use the set policy command to create a policy the policy enters the policy database and is immediately active The source zone destination zone and order of a policy within the database are important The lt NetSecure 6100 gt software assigns each policy an ID number 177 Chapter 9 Policy Configuration which numerically orders all policies in ascending order Incoming traffic is first determined to be interzone or intrazone using the source and destination zone information It is then matched against policies in the database from top to bottom If the source and destination zones are different then the interzone policies are searched for a matching policy If there is no match then the global policies are searched If there is no match a default zon
172. t interface ethO zone trust Oo save GUI Example Moving the ETHO Interface to the trust security zone o Network gt Interface gt Edit for eth0 o Select the following then click Apply Zone Name Trust CONFIGURING SUBINTERFACES A subinterface is a logical interface that uses an 802 1q tag to identify membership to a specific VLAN on a physical interface After you configure a subinterface and assign it to a zone traffic can pass from VLANs associated with the subinterface to other physical or logical interfaces on the appliance Additionally security policies assigned to a zone containing a subinterface enforces that policy on all traffic to and from that subinterface The interface name that refers to the subinterface has the following format physical interface name vlan_id For example interface eth0 125 is the subinterface for the VLAN with VLAN id 125 located on the eth0 physical interface 25 Chapter3 Security Zone and Interfaces 3 3 5 Use the set interface command to bind a subinterface to a physical interface You must specify the vlan_id that defines the 802 1q tag The name of the physical interface associated with the VLAN ID and subinterface IP address are required to create the subinterface set interface physical interface name vlan_id ip ip _addr mask NOTE The vlan_id must fall within the range of 1 to 4000 Once the subinterface is created use the set interface command to add the subi
173. t over copper Cat 5 wire It defines data rates of 1 Gigabit per second Gb s over a distance not to exceed 100 meters Advanced Encryption Standard AES An emerging encryption standard that can use a 128 192 or 256 bit encryption key This new standard supports easier interoperability with other security appliances as it becomes widely adapted Address Resolution Protocol ARP A protocol used to map an internal IP address to physical machines that a local network recognizes A table called an ARP Cache stores and correlates the IP address and physical address assigned for a specific host ARP provides the protocol rules for making this correlation and provides address communication in both directions Advertisement A method used by routers to send information to other network devices This could include an IP address network mask or other data Authentication Header AH A method that provides integrity and authentication but not privacy as IP data is not encrypted AH contains an authentication value based on a symmetric key hash function Bridge A device that enables the connection of multiple network segments while using the same network and mask Data Encryption Standard DES A standard that uses either a 40 or 56 bit encryption algorithm developed by the National Institute of Standards and Technology NIST DES uses a block encryption method that was originally developed by IBM in the 1970s The U S Government has sinc
174. t policy from trust to untrust any any any permit Chapter 3 Security Zone and Interfaces Chapter 3 Security Zone and Interfaces This chapter describes how to configure zones interfaces modes of operation and advanced interface settings for the security appliance This chapter includes the following topics a Security Zones E Creating and Modifying Custom Security Zones E Configuring Interfaces and Subinterfaces E Configuring Interface Modes E Advanced Interface Settings E Authentication Using RADIUS a Alternate Connection Methods 3 1 SECURITY ZONES Security zones are a logical grouping of physical and logical interfaces on an appliance A security zone can consist of one physical interface or a group of many physical and logical interfaces Security policies incorporate security zones to efficiently manage access control policies of traffic that traverses zones and interfaces Figure 3 1 displays the interface ethO configured in the trust zone with two subinterfaces VLAN 100 and 105 Two additional subinterfaces are added in the DMZ zone VLAN 200 and 210 The eth1 interface is configured in the untrust zone 15 Chapter3 Security Zone and Interfaces Figure 3 1 Security Zone Figure 3 2shows the interface ethO being configured in the trust zone along with two additional subinterfaces VLAN 100 and 105 Additionally two subinterfaces have been added in the DMZ zone VLAN 200 and 210 The eth1 interface is
175. t to trust ny_destination sf_local any tunnel vpn sfo_nyo o save GUI Example San Francisco office using IKE 151 Chapter 7 Virtual Private Networks Interfaces Network gt Interface gt Edit for ethernet0 Enter the following then click Apply Zone Name Trust IP Address Netmask 10 0 0 0 24 Interface Mode NAT Network gt Interface gt Edit for eth1 Enter the following then click Apply Zone Name Untrust IP Address Netmask 4 4 4 1 24 Addresses VPN Objects gt Address Objects gt Add Object Enter the following then click Apply Name sf_local IP Address Netmask 10 0 0 0 24 Zone Trust Objects gt Address Objects gt Add Object Enter the following then click Apply Name ny_destination IP Address Netmask 192 168 100 0 24 Zone Untrust VPN gt Phase 1 Proposal Edit Enter the following then click Apply Name encryptaesp1 Authentication Method PSK DH Group Group 5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 VPN gt Phase 2 Proposal Edit 152 oO Routing Policies Chapter 7 Virtual Private Networks Enter the following then click Apply Name encryptaesp2 PSF PSF Group5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 Seconds 28800 VPN gt IKE Gateway Edit Enter the following then click Apply Gateway name to_sanfrancisco Remote IPsec Gateway IP 4 4 4 1 Outgoing interface eth1 Phase 1 Proposal encryptaesp
176. ter VPN Tunnel Security Appliance Switch Internet Cloud Sai pIE Office TEET 4 A or HRE l Laptop HE HEHE Security Zone Large Office if i gt Server Workstation Single Subnet Figure 1 1 shows the graphics used in illustrations in this guide Chapter 2 Getting Started Chapter 2 Getting Started This chapter describes how to install configure and manage the lt NetSecure 6100 gt This chapter includes the following topics a Before You Install a Installing the lt NetSecure 6100 gt 2 1 BEFORE YOU INSTALL Familiarize yourself with the following topics before installing the lt NetSecure 6100 gt a Before You Install a Installing the lt NetSecure 6100 gt 2 1 1 INSTALLATION PRECAUTIONS Warning Obey these precautions when you install the lt NetSecure 6100 gt Observing these precautions can prevent injuries equipment failures and potential shutdown of the lt NetSecure 6100 gt Warning Always assume the power supply for the lt NetSecure 6100 gt is connected to the power outlet Chapter 2 Getting Started Caution Room temperature might not be adequate for long term use of the lt NetSecure 6100 gt for optimum environmental requirements for the lt NetSecure 6100 gt refer to the NetSecure 6100 Specifications Guide Caution Be careful of additional hazards including frayed power cords wet or moist floors and missing safety grounds WHAT YOU MUST KNOW FOR INSTAL
177. terface IP address subnet The IP address and subnet assigned to the interface Zone The zone assigned to the interface Media Access Control MAC Address The MAC address assigned to the interface VLAN ldentifies any VLANs configured on the interface Status Shows the link status of an interface as either U up or D down MTU Size Displays the current MTU size set for the interface Manage IP Shows the IP address from which the interface can be managed Management Options Ping ssh http https snmp Mode NAT route transparent Use the get interface command to display information on a specific interface get interface interface name Use the get interface all command to display information on all interfaces get interface all Example Get Interface ETHO o Cli gt get int ethO o if_index 1 mode route o admin status up link status up o mtu 1500 31 Chapter3 Security Zone and Interfaces 3 4 4 3 4 4 1 o configured type copper speed auto mode full duplex o negotiated type copper speed 1000 mode full duplex o ip 192 168 65 49 24 mac 0060 2620 0094 o manage ip 0 0 0 0 mac 0060 2620 0094 o ping disabled SSH disabled HTTP enabled HTTPS enabled SNMP disabled o Telnet disabled DHCP disabled o zone global GUI Example Get Interface ETHO o Network gt Interface gt Edit for ETHO o Displays interface for ETHO CONFIGURING TRANSPARENT MODE This se
178. th hosts in the main office In order to create a secure connection a security appliance is placed on the edge of each network to provide firewall and VPN functionality ed Internet p Office Figure 7 4 Site to site VPN 133 Chapter 7 Virtual Private Networks Creating a VPN tunnel between multiple lt NetSecure 6100 gt appliances requires the following configuration The static IP address is assigned to the eth1 interface on each of the appliances The trusted networks connect to the ethO interface of the appliance The pre shared secret or pass phrase for the tunnel uses the same configuration for each SA The type of encryption used to encrypt the data is DES 3DES or AES The type of authentication used to authenticate the data is MD5 or SHA 1 VPN SPECIAL CONSIDERATIONS Before implementing a VPN configuration between two or more networks consider the following Trusted networks between multiple appliances must have a unique subnet addresses You must properly configure devices connected to the ethO interface to gain access across the VPN tunnel IP addresses on the eth1 interface of each appliance are required Chapter 7 Virtual Private Networks 7 2 CONFIGURING MANUAL KEY VPN IMPLEMENTATIONS In a manual key implementation the VPN tunnel is configured with a static set of encryption keys and authentication keys 7 2 1 CREATING MANUAL KEY VPN TUNNELS Use the set vpn command with the manual option t
179. the RADIUS client to interact with the RADIUS server the proper attributes must be configured on both the RADIUS client and server These attributes include Auth_Name Allows all the RADIUS attributes to be configured into a single RADIUS group RADIUS Server Name tThe IP address or DNS name of the RADIUS server 47 Chapter3 Security Zone and Interfaces 3 6 2 1 3 6 2 2 3 6 2 3 RADIUS Shared Secret A shared secret must be configured on the security appliance and the server to allow encrypted communication RADIUS Port The port number on which the RADIUS server is listening The default RADIUS port used by the security appliance is 1812 RADIUS Timeout The time interval the security appliance must wait before sending another authentication request if the previous request had not been answered The default RADIUS timeout value for the security appliance is 3 seconds RADIUS Retry he number of retries the RADIUS client will send to the RADIUS server The default RADIUS retry value for the security appliance is 1 RADIUS SRC Interface The source interface from which the security appliance will send the RADIUS requests CONFIGURING THE RADIUS SERVER NAME To configure the RADIUS server name use the set auth server command with the server name option o set auth server auth_name server name ip_addr o dom_name DELETING THE RADIUS SERVER NAME To delete the RADIUS server name use the unset auth se
180. the following then click Apply Tunnel Name to_ sanfrancisco Gateway IP 4 4 4 1 Outgoing interface eth1 Local SPI 1230 Remote SPI 1230 Encryption Algorithm aes 128 139 Chapter 7 Virtual Private Networks Routing Policies Hex Key 1111222233334444 Authentication Algorithm sha 1 Hex Key 11112222333344445555666677778888 Network gt Route Add Enter the following then click Apply Network Address 0 0 0 0 Netmask 0 Interface eth1 Gateway 162 198 10 254 Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address NYO Destination Address San Francisco Service Any Tunnel VPN From SF Policy gt Configuration Edit Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address San Francisco Destination Address NYO Service Any Tunnel VPN From SF Example Manual key VPN implementation San Francisco office 140 Chapter 7 Virtual Private Networks Interfaces E O set interface ethO zone trust set interface ethO ip 10 0 0 0 24 set interface nat set interface eth1 zone untrust set interface eth1 ip 4 4 4 1 Addresses VPN O Routing o Policies O set address trust sfo 10 0 0 0 24 set address untrust New York 192 168 100 0 24
181. the start option and specify a time to allow traffic matching the policy to pass through Use the stop option and specify a time stop traffic matching the policy to pass through 204 9 6 3 Chapter 9 Policy Configuration Parameter Description day The day field is a day of the week The list choices are e Monday Tuesday Wednesday Thursday Friday Saturday Sunday comment Use the comment command to add a comment associated with the schedule text The text field is a line of text A recurrent schedule can accept two sets of start stop commands You can use these commands for schedules that are enabled or disabled throughout the day with the exception of a specific period of time set scheduler name recurrent day start time stop time start time stop time Specify the same schedule name in multiple set scheduler commands to add additional days to the same schedule ADDING SCHEDULES TO POLICIES Use the set policy command with the schedule option to add a schedule to a policy set policy from zone to zone src_adr dst_adr srvc schedule name_str Example Create a recurring schedule Create a recurring schedule to block Internet access on the weekend for all machines on the trust zone o set scheduler weekend recurrent sunday start 00 00 stop 23 59 comment Block weekend Internet access o set scheduler weekend recurrent saturday
182. tion Chapter 3 Security Zone and Interfaces 3 5 3 5 1 ADVANCED INTERFACE SETTINGS If you choose to use advanced interface settings you can modify the following elements of the security appliance m Configuring Maximum Transmission Unit MTU Settings Configuring Interface Link Up Down Configuring Address Resolution Protocol ARP m Enabling Interface Management m Disabling Interface Management H Setting the Interface Speed CONFIGURING MAXIMUM TRANSMISSION UNIT MTU SETTINGS The Maximum Transmission Unit MTU is the largest IP datagram that can be transferred using a specific link If a packet exceeds the MTU size set on a specific interface the network device can fragment the packet or if permitted send a Path MTU request to the host in question The host should accept the request and send smaller packets that do not exceed the MTU limit You can only configure MTU settings on the physical interfaces of the appliance Use the set interface command with the mtu option to set the MTU size for a specific interface set interface interface name mtu size Example Settingt the MTU size on theETH1 interface to 1450 o setinterface eth1 mtu 1450 Oo save GUI Example Settingt the MTU size on theETH1 interface to 1450 41 Chapter3 Security Zone and Interfaces 3 5 2 3 5 3 o Network gt Interface gt Edit for eth1 o Enter the following then click Apply Maximum Transfer Unit MT
183. to the lt NetSecure 6100 gt you can connect it to other network devices Use either of the two Ethernet interfaces labeled ethO and eth1 Use these interfaces to connect other network devices as necessary Figure 2 1 displays the eth1 interface connected to an Internet router using a twisted pair Ethernet cable while the ethO interface is connected to a switch on 7 Chapter 2 Getting Started your local area network LAN using another twisted pair Ethernet cable Net Secure 6100 Twisted Pair Cables Internet Router LAN Switch Figure 2 1 Connecting the lt NetSecure 6100 gt to other Network Device 2 2 3 CONFIGURING THE lt NetSeure 6100 gt After you supply power to the lt NetSecure 6100 gt use the console interface to initially configure the card Table 2 1 lists the required console cable pin out that you use to manage the lt NetSecure 6100 gt Table 2 1 Console Cable Pin Out Female 2x5 Header Female DB9 1 1 2 6 3 2 4 7 5 3 6 8 7 4 8 9 9 5 10 NC Chapter 2 Getting Started 2 2 4 CONNECTING THE CONSOLE CABLE To use the console interface you must connect the null modem cable included in the product packaging To connect the console cable to the lt NetSecure 6100 gt Connect the female 2x5 header of the console cable to the console port on the lt NetSecure 6100 gt Connect the other female DB9 connector to a serial interface on
184. to trust peer_lan local_lan any tunnel vpn o vpn 7 3 5 CONFIGURATION OF VF B o set interface brO ip 172 16 10 100 24 o set interface brO zone untrust o set interface ethO ip 0 0 0 0 0 o set interface ethO transparent o set interface ethO zone trust o set interface eth1 ip 0 0 0 0 0 o set interface eth1 transparent 157 Chapter 7 Virtual Private Networks 7 4 7 4 1 o set interface eth1 zone untrust set route 0 0 0 0 0 interface brO gateway 172 16 10 5metric 1 set address trust local_lan 172 16 10 0 24 set address untrust peer_lan 10 0 0 0 24 set ike gateway gw1 address 10 0 0 100 main outgoing interface brO preshare password sec level compatible set vpn vpni gateway gw1 sec level compatible set policy top from trust to untrust local_lan peer_lan any tunnel vpn vpn set policy top from untrust to trust peer_lan local_lan any tunnel vpn vpn1 ADVANCED VPN CONFIGURATION OPTIONS Some advanced options are available but not always required to be configured for each tunnel They include dead peer detection DPD DF Bit settings NAT Traversal NAT T perfect forward secrecy PFS and anti replay protection DEAD PEER DETECTION DPD Dead Peer Detection DPD allows two or more VPN appliances to send communication to determine the validity of a VPN tunnel Without DPD a situation could arise where communication between one or more VPN appliances is interrupted unexpectedly caus
185. to use the eth1 interface and a gateway address of 4 4 4 254 for the default route of all traffic o set route 0 0 0 0 0 interface ethi gateway 4 4 4 254 o save Optional to verify the default route settings execute the get route summary command o get route summary CONFIGURING A POLICY FROM TRUST TO UNTRUST The default policy behavior is to not allow traffic to or from any zone that does not match a policy In the example in Figure 2 2 you must create a policy allowing any traffic from the trust to the untrust zone This is a common policy to enable hosts on the LAN connected to the trust zone to browse the Internet using a web browser Use the set policy command to create a policy allowing any traffic going from the trust zone to the untrust zone o set policy from trust to untrust any any any permit Oo save NOTE For more information about configuring policies refer to Chapter 9 Policy 13 Chapter 2 Getting Started Configuration 2 2 11 VIEWING THE POLICY CONFIGURATION Use the get config command to view the policy configuration o get config This command returns the following information which is based on the network diagram in Figure 2 2 Interfaces o set interface ethO ip 10 0 0 1 24 o setinterface ethO zone trust o set interface ethO nat o setinterface eth ip 4 4 4 1 24 o setinterface eth1 untrust Route o set route 0 0 0 0 0 interface ethi gateway 4 4 4 254 Policy o se
186. tp interval number The NTP interval is displayed in minutes Example Changing the NTP update interval to 120 o set ntp interval 120 Oo save VIEWING CURRENT NTP SETTINGS To view current NTP server settings use the get ntp command get ntp DELETING NTP SERVER IP ENTRIES To delete an NTP server IP entry use the unset ntp server command unset ntp server ip addr dom_name Example Deleting an NTP server entry using the IP address 78 4 7 5 4 7 6 Chapter 4 System Management 207 245 143 147 o unset ntp server 207 245 143 147 Oo save GUI Example Deleting an NTP server entry using the IP address 207 245 143 147 o System gt Date Time o Remove the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can configure multiple NTP server IP addresses to ensure the lt NetSecure 6100 gt always displays the correct date and time CONFIGURING MANUAL UPDATE USING NTP To initiate a manual NTP update use the exec ntp command exec ntp update MAINTAINING CLOCK SETTINGS WITH NTP Use the set clock command to ensure that the lt NetSecure 6100 gt is configured with the correct date and time set clock date time dst off ntp timezonenumber Use NTP for updates to the clock Example Manually setting the CLOCK using 12 30 2004 12 00 o set clock 12 30 2004 12 00 O save 79 Chapter4 System Management 4 7 7 4 7 8 CONFIGURING
187. unnel will terminate 7 2 2 CREATING SECURITY POLICY WITH THE VPN TUNNELS A VPN tunnel that is created is used in a security policy that specifies the local and destination networks Traffic that matches the source and destination networks specified in policies with the vpn option is encrypted or decrypted The set policy command with the vpn option specifies the VPN tunnel in the security policy to use for encryption and decryption set policy top name name_str from zone to zone remote network local network service tunnel vpn name_str Table 7 3 explains these parameters in this command Refer to the CLI Reference Guide and Command Descriptions for additional policy parameters Table 7 3 Policy Requirements for Manual Key VPN Parameter Description top Move the tunnel policies to the top of the policies list name Name that uniquely identifies the tunnel policy name_str from zone Source zone from which the VPN traffic originates To zone Destination zone for the VPN traffic remote network Specifies the destination network for the VPN tunnel local network Specifies the local network for the VPN tunnel service Specifies the services enabled to pass through the VPN tunnel tunnel Action that specifies the policy to encrypt and decrypt traffic 136 Chapter 7 Virtual Private Networks Parameter Description vpn name_str Binds the tunnel policies to the
188. use a 128 192 or 256 bit encryption key This new standard supports ease of interoperability with other security appliances as it becomes widely adapted THE DIFFIE HELLMAN GROUP Users can create a shared secret value using the Diffie Hellman DH group This value is secure so that the original message can be sent over an insecure medium without sending the secret message along with it There are a total of three DH groups available for configuration within the VPN policy 132 Chapter 7 Virtual Private Networks m DH Group 1 768 bit m DH Group 2 1024 bit m DH Group 5 1536 bit It is more secure to use DH group 5 but as you increase the bit modulus it will take longer for the key generation process Because such a variant exists in the size of the bit modulus both participants must agree to use the same DH group SECURITY ASSOCIATION Security Association SA is a unidirectional agreement between VPN appliances that defines the parameters used to secure the data communication To allow bi directional communication you must define two SAs one for each direction m Key management manual key IKE m SA lifetime m Protocol mode Security algorithms and keys SITE TO SITE VPN REQUIREMENTS Site to site VPN is a common method used to connect remote offices with a main office over the public Internet In a site to site VPN refer to Figure 7 4 all hosts in the branch office can communicate and transfer data securely wi
189. ute mode Refer to Configuring Interface Modes for additional information You can use additional set interface commands to bind the interface to a different zone or to set the interface mode to either NAT enabled route or Transparent mode BINDING INTERFACES TO A SECURITY ZONE All physical and logical interfaces must bind to a security zone Inbound and outbound security policies are applied to the source and destination zone and encompass all interfaces that are members of those security zones Use the set interface command with the zone option to bind an interface to a security zone o set interface interface name zone name_str Example Binding the ETHO interface to the SALES security zone o set interface ethO zone sales Oo save GUI Example Binding the ETHO interface to the SALES security zone o Network gt Interface gt Edit for eth0O 24 3 3 3 3 3 4 Chapter 3 Security Zone and Interfaces o Select the following then click Apply Zone Name Sales MOVING INTERFACES BETWEEN SECURITY ZONES Unbinding an interface removes the interface from the assigned zone and places it into the zone specified in the set interface command To move an interface from one assigned zone to another use the set interface command and assign the interface to the new zone The new zone policies are enforced to the specified interface Example Moving the ETHO Interface to the trust security zone o se
190. uth 0 in ipsec ah 0 in ipsec replay fail O in ipsec auth fail O out pkts 1821 out bytes 725315 out arp pkts 163 out icmp pkts O out tcp pkts 654 out udp pkts 1004 out vlan pkts 0 out gre pkts 0 out esp pass thru 0 out ah pass thru 0 out bad protocol pkts 0 out ipsec replay fail O out ipsec crypto busy 0 out ipsec esp only 0 out ipsec esp na 0 out ipsec esp auth 0 out ipsec ah 0 GUI Example View the interface statistics for the ETHO interface O O O Reports gt Counters gt Hardware Select the Interface EthO Select the Go button 128 Chapter 7 Virtual Private Networks Chapter 7 Virtual Private Networks This chapter describes the different modes and configuration options available for a virtual private network VPN This chapter includes the following topics Virtual Private Networks Configuring Manual Key VPN Implementations Configuring Internet Key Exchange m Advanced VPN Configuration Options 7 1 VIRTUAL PRIVATE NETWORKS Businesses can use a Virtual Private Network VPN to communicate and transfer information securely over the Internet Secure private networks that use VPN technology provide a low cost infrastructure enabling increased communication for global business This infrastructure includes connections for regional offices branch offices and business partners refer to Figure 7 1 129 Chapter 7 Virtual Private Networks 7 1 1 Branch Offi
191. vate network 242 Appendix B Glossary VPNs commonly use encryption and authentication to make this communication secure Wide Area Network WAN A computer network that spans a large geographical area Typically a WAN consists of two or more local area networks LAN usually connected using the public telephone system leased lines or satellite The largest WAN today is the Internet Zone A segment on a network where certain security parameters are applied This could include a security zone virtual private network VPN zone or demilitarized zone
192. way 4 4 4 1 166 8 3 DISPLAYING ROUTE INFORMATION Chapter 8 Routing Use the get route command to display all routes on the appliance get route Figure 8 2 shows an example of the output that appears when you use the get route command get route Dest Routes for lt gt 14 entries C Connected S Static P Permanent iB IBGP E1 OSPF external type 1 A Auto Exported eB EBGP O OSPF E2 OSPF external type 2 Imported R RIP IP Prefix 64 79 127 64 32 64 79 127 67 32 64 79 127 71 32 64 79 127 64 29 192 168 105 0 24 192 168 115 0 24 192 168 215 0 24 192 168 154 0 24 192 168 145 0 24 192 168 65 0 32 192 168 65 230 32 192 168 65 255 32 192 168 65 0 24 0 0 0 0 0 Interface Gateway eth1 eth1 eth1 eth1 ethO etho etho ethO ethO etho etho ethO ethO eth1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 192 168 65 240 192 168 65 240 192 168 65 240 192 168 65 240 192 168 65 240 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 79 127 65 Distance Metri oo0o0c 1oo 000 0 Figure 8 2 Get Route Command Output oo0o0c oo O00 0 0 Use the get route command with the prefix option and ip_addr to display route information for a specific IP address 167 Chapter 8 Routing get route ip ip addr GUI Example Get route all o Network gt Routing gt Route o Shows current routing information Figure 8 3 displays an example of the output that appears
193. when you use the get route command with the ip_addr option get route 192 168 65 0 24 Dest Routes for lt gt 1 entries C Connected S Static A Auto Exported Imported R RIP P Permanent iB IBGP eB EBGP O OSPF E1 OSPF external type 1 E2 OSPF external type 2 IP Prefix Interface Gateway P Distance Metri 192 168 65 0 24 eth 0 0 0 0 0 C 0 0 Figure 8 3 Get Route Command with ip_addr option Output 168 8 4 Chapter 8 Routing ROUTING INFORMATION PROTOCOL RIP The Routing Information Protocol or RIP as it is more commonly called is one of the most enduring of all routing protocols RIP is also one of the more easily confused protocols because a variety of RIP like routing protocols proliferated some of which even used the same name RIP and the myriad RIP like protocols were based on the same set of algorithms that use distance vectors to mathematically compare routes to identify the best path to any given destination address These algorithms emerged from academic research that dates back to 1957 Today s open standard version of RIP sometimes referred to as IP RIP is formally defined in two documents Request For Comments RFC 1058 and Internet Standard STD 56 As IP based networks became both more numerous and greater in size it became apparent to the Internet Engineering Task Force IETF that RIP needed to be updated Consequently the IETF released RFC 1388 in January 1993 which was then superceded
194. xt of a sentence in this document it is in bold except for variables which are always in italic For example Use the get system command to display general information about the lt NetSecure 6100 gt Variable CLI values are described in Table 1 1 Table 1 1 Variable CLI Values Used in This Guide Variable CLI Value Description addr_sir Defines an IP address range assignment dst_adr Destination address assigned in a policy fqdn Fully Qualified Domain Name ip_addr Defines an IP address assignment number Numeric value assigned for a specific command name_stir Name value assignment password_sir New password assignment is required src_adr Source address assigned in a policy zone name Zone used in a specific command Chapter 1 Overview BROWSER BASED GRAPHICAL USER INTERFACE WEBGUI CONVENTIONS m Values inside square brackets are optional m Values inside braces are required m For commands that require a selection from a pre defined list of values each value in the list is separated by a pipe m Variables appear in italic When a WebGUI command appears within the context of a sentence in this document it is in bold except for variables which are always in italic For example Use click on the XXXX command to display general information about the lt NetSecure 6100 gt Chapter 1 Overview 1 1 3 ILLUSTRATION CONVENTIONS Figure 1 1 Illustration Conventions Rou
195. y Location Action Permit Source Address Any Destination Address Any Service Any o Policy gt Configuration gt Edit for ID2 o Enter the following then click Apply Location Action Deny Source Address Any Destination Address Any Service FTP By default the lt NetSecure 6100 gt software assigns a newly created policy a policy ID and adds it to the bottom of the policy list To restrict FTP traffic from trust to untrust Policy 2 reordered in front of Policy 1 Use the set policy command with the move option to re order policies in the policy database 9 2 4 9 2 5 9 2 6 9 2 7 Chapter 9 Policy Configuration set policy move id_num before after target_id The id_num number specifies the policy number that is moved the target_id is the policy number that the policy is moved before or after DISABLING POLICIES Use the set policy command with the disable option to disable a policy rather that delete it from the policy database set policy id id_num disable RE ENABLING POLICIES Use the unset policy command with the disable option to enable a policy that has been set to disable unset policy id id_num disable DELETING POLICIES Use the unset policy command with the id option to delete a policy by specifying a policy number unset policy id number VIEWING POLICIES You can display policies using the get policy command get policy This displays all policies in the p
196. zone name screen fin flood attack threshold number Example Setting the FIN flood threshold Set the FIN flood threshold to 2 000 on the untrust zone o set zone untrust screen fin flood attack threshold 2000 Oo save GUI Example Setting the FIN flood threshold o 6 1Policy gt Attack Settings Edit Zone for untrust o Enter the following then click Apply FIN flood attack threshold 2000 Chapter 5 Attack Detection amp Prevention 6 CONFIGURING IP FRAGMENT PREVENTION 5 6 5 5 6 6 To limit the number of fragmented IP packets a specific interface can receive per second use the set zone command with the ip frag attack threshold option set zone zone name screen ip frag attack threshold number Example Setting the IP fragment threshold Set the ip frag threshold to 1 000 on the untrust zone o set zone untrust screen ip frag attack threshold 1000 Oo save GUI Example Setting the IP fragment threshold o Policy gt Attack Settings Edit Zone for untrust o Enter the following then click Apply P frag attack threshold 1000 CONFIGURING TCP FIN NO ACK To filter packets that have a TCP FIN bit set but no ACK use the set zone command set zone zone name screen fin no ack Example Configuring TCP FIN no ack To filter packets that have a TCP FIN bit set but no ACK for the untrust zone o set zone untrust screen fin no ack Oo save GUI Example Configuring TCP F
Download Pdf Manuals
Related Search