        Innominate mGuard - Innominate Security Technologies AG
         Contents
1. root / admin / user

Root Password (Account: root)
Factory default setting: root. If you wish to change the root password, enter the current password in the Old Password field and then the desired new password in the two corresponding fields below.

Administrator Password (Account: admin)
Factory default setting: mGuard; fixed user name: admin.

Disable the VPN until the user is authenticated via HTTP: Yes / No
The factory default setting for this switch is No. In the case of Yes, VPN connections and various other services can only be used after a user has logged into the mGuard (entered the user password) via HTTP. All HTTP traffic will be redirected to the mGuard's user login page when the user is required to log in. The change of this option becomes active after the next reboot.

User Password
There is no factory setting for the user password. To set one, enter the desired password twice, once in each of the two fields.

6.5.2 User Authentication > Firewall Users

Firewall Users > User
To eliminate private surfing on the Internet, every outgoing connection is blocked (VPN is not affected) by means of outgoing filter rules via Network Security > Packet Filters. Under Network Security > User Firewall, certain user firewalls can be assigned different firewall rule definitions, for example permitting any outgoing connection. This user firewall rule goes into effect as soon as any respective firewall user to whom this firewall rule ap
2. Your e-mail client uses the POP3 protocol for incoming e-mail.

The virus filter can only check unencrypted data for viruses. Consequently, you should not activate encryption options such as STLS or SSL. Encrypted authentication using AUTH is, however, usable, since the e-mail itself is not encrypted.

Anti-virus protection for POP3 (e-mail pickup): Yes / No
In the case of Yes, files received are scanned for viruses by the mGuard if they arrive via POP3 connections contained in the list of POP3 servers below.

Tip: When using a POP3 connection, most e-mail clients will pick up all of the e-mails during a single connection. In this case, the new settings will first take effect after the last e-mail is collected from the server during the current connection. Consequently, to change the settings when an e-mail transfer is in process, first cancel the transfer.

POP3 maximum file size for scanning in bytes
With this parameter, you can set the maximum size of the files to be checked. If this limit is exceeded, the system will, depending on the setting "Action for mails exceeding the maximum message size", block the e-mail and send an error message back to the e-mail client, or it will automatically switch to "Let the message pass unscanned" mode. If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message will be sent to the user's e-mail client and an entry will be writt
3. 1. Select the page with the desired configuration options from the menu (see page 43).
2. Make the desired settings on the associated page.
3. Once you have confirmed the changes by clicking on OK, the new settings will be activated on the device. The system will display a confirming message.

If the changes are not shown when you open the page again because the browser has loaded the page from a cache, reload the page to refresh the display. To do so, click on the appropriate icon in the browser toolbar.

> Depending on how you configure the mGuard, you may also need to modify the network interface settings of the locally connected system or network accordingly.

5.4 Remote Configuration

Prerequisite: Remote configuration
The mGuard must be configured to permit remote configuration.

> For reasons of security, remote configuration is disabled by default. For information on how to enable remote configuration, see section "Management > Web Settings" on page 50.

To configure the mGuard from a remote computer, first establish a connection between it and the local mGuard. Proceed as follows:
1. Start a Web browser (e.g. Firefox, MS Internet Explorer or Safari; the Web browser must support SSL, i.e. https).
2. As the address, enter "https://" followed by the IP address or hostname under which the mGuard can be reached.

Example: If this mGuard can be found in the Internet at the address 123.456
4. B: Automatic configuration backup is enabled/disabled.
R: Automatic reconfiguration if blade replacement is enabled/disabled.

Rack ID: The ID of the rack into which the mGuard is mounted. This value can be set on the control unit for all blades inside the rack.

Power Supply P1/P2: State of the power supplies P1 and P2: OK, Absent, Defect, Fatal Error.

Blade: Number of the slot in which the mGuard is installed.

Device: Device type, e.g. "blade" or "blade XL".

State:
Online: The device in the slot is ready.
Present: The device is present but not ready yet, e.g. it is still booting.
Absent: No device was found in the slot.

WAN: Status of the Ethernet WAN port.
LAN: Status of the Ethernet LAN port.
Serial: The mGuard's serial number.
Version: Software version of the mGuard.
B: Automatic configuration backup on the controller is activated/deactivated for this slot.
R: Automatic configuration restore from the controller is activated/deactivated for this slot.

6.3.2 Blade Control > Blade 01 to 12

Blade in slot __

[Screenshot: Blade Control > Blade 01, "Blade in slot 01", tabs Overview / Configuration; Overview fields: Device type, ID bus controller ID, Serial number, Flash ID, Software version, MAC addresses, Status, LAN link status, WAN link status, Temperature]

Device type: Device type, e.g. "blade" or "blade XL".
ID bus controller ID: ID of this slot on the bladeBase's control bus.
Serial: The
5. or not, by setting Log to No (factory setting).

Log entries for unknown connection attempts: If this is set to Yes, all attempts to establish a connection which were not covered by the rules defined above will be logged.

Outgoing Rules

[Screenshot: Network Security > Packet Filter > Outgoing Rules: rule table containing the single default rule (From IP 0.0.0.0/0, From port any, To IP 0.0.0.0/0, To port any, Action Accept, Comment "default rule", Log No); "These rules specify which traffic from the inside is allowed to pass to the outside. Please note: Port settings are only meaningful for TCP and UDP."; Log entries for unknown connection attempts: No]

Lists the firewall rules that have been set. These rules apply for outgoing connections, i.e. ones which were initiated internally to communicate with a remote site. The default (factory) setting is a rule that allows all outgoing connections. If no rule is set, all outgoing connections are forbidden (except VPN).

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

You have the following options for the entries:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
IP address: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation, see "CIDR (Classless InterDomain Routing)" on page 135.
Port: This is only evaluated by the TCP and UDP protocols. any means each and
6. The password must be the same on both mGuards. It will be transmitted in clear text and should not be identical with other security-relevant passwords.

Stealth Mode: Virtual Router ID / Router Mode: External Virtual Router ID
An ID between 1 and 255 which must be the same on both mGuards and identifies the virtual router.

Stealth Mode: Management IP of the 2nd device / Router Mode: External IP of the 2nd device
In Stealth mode the management IP of the other mGuard, in Router mode the external IP of the other mGuard.

Router Mode
The following values need to be set if the mGuards are operated in Router mode.

Internal Virtual Router ID: An ID between 1 and 255 which must be the same on both mGuards and identifies the virtual router on the internal interface.
Internal IP of the 2nd device: The internal IP of the other mGuard.
External virtual IP: IP of the virtual router on the external interface (WAN).
Internal virtual IP: IP of the virtual router on the internal interface (LAN). Clients inside the internal network should use this IP as their default gateway.

Management > Redundancy > ICMP Checks

[Screenshot: ICMP Checks: Enable ICMP checks; Hosts to check via ICMP in the external network; Hosts to check via ICMP in the internal network]

ICMP checks provide an additional way to monitor the network connections between mGuards working as a virtual router. If one of the two direct Ethernet connections
7. Contact: The signal contact is a relay which is used by the EAGLE mGuard to signal error conditions. See "Signal contact" on page 22.

Mode
Signal contact: The signal contact can be controlled by the mGuard through automatic Operation supervision or Manual setting.

Operation supervision
Contact: Displays the state of the signal contact, either Open (Error) or Closed (Ok).
Redundant power supply: If set to Ignore, the power supply doesn't influence the signal contact. If set to Supervise, the signal contact will be opened if one of the power supplies fails or during permanent malfunction inside the mGuard (internal voltage of 3.3 VDC, power supply < 9.6 V).
Link supervision: Supervision of the Ethernet interfaces' link state. Possible settings are: Ignore; Supervise only internal port (trusted); Supervise only external port (untrusted); Supervise both ports.

Manual settings
Contact: If the signal contact is set to Manual setting, this option sets the contact to Closed or Open (Alarm).

Time and Date
Management > System Settings > Time and Date

[Screenshot: Time and Date: Current system time (UTC); Current system time (local); Local system time 2000-01-01 00:04:22; Timezone in POSIX.1 notation; Time stamp in filesystem (2h granularity); NTP Server: Enable NTP time synchronization; NTP State; Server]

Time and Date
Current system time (UTC): Displays the current system tim
8. Editing a defined user firewall template: Click the Edit button next to the list entry.

Deleting a defined user firewall template: Click the Delete button next to the list entry.

Defining a new user firewall template:
1. Click the New button. Result: the list of user firewall templates displayed will be supplemented with a new entry.
2. Next to the list entry, click the Edit button.

User Firewall > Define Template
After clicking on the Edit button, the following page will appear:

[Screenshot: Network Security > User Firewall > Define Template, General tab: Options: A descriptive name for the template: marketing; Active; Comments; Timeout 28800; Timeout type]

Options
A descriptive name for the template: You can name or rename the user firewall template as desired.
Active: Yes / No. For Yes, the user firewall template becomes active as soon as external users log onto the mGuard who are listed on the Template User register card (see below) and who have been assigned firewall rules. It doesn't matter from which computer and under which IP address the user logs in. The assignment of user firewall rules is based on the authentication data that the user enters during the login (user name, password).
Comments: Optional explanatory text.
Timeout (Default: 28800): Indicates the time in seconds at which point the firewall rules will be deactivated. If the user session lasts longer than the timeout time defined here, the user will have to rep
9. IP Masquerading, i.e. traffic is NATed to the external virtual IP; 1:1 NAT; Port forwarding (use the external virtual IP as the Incoming on IP); MAC Filter.

Redundancy > General
Management > Redundancy

[Screenshot: Redundancy > General: Redundancy State: Disabled; Enable Redundancy; Redundancy Start State; Priority; Authentication passphrase; Stealth Mode: Virtual Router ID 5 / Router Mode: External Virtual Router ID; Stealth Mode: Management IP of the 2nd device / Router Mode: External IP of the 2nd device; Router Mode: Internal Virtual Router ID; Internal IP of the 2nd device; External virtual IP; Internal virtual IP 192.168.1.100]

Redundancy State: Shows the current redundancy state of this mGuard.
Enable Redundancy: Enable/Disable the redundancy feature.
Redundancy Start State: The state of this mGuard during activation of redundancy (master or backup).
Priority: Defines which mGuard will operate as the master. In case the priorities are different, the mGuard with the higher priority will operate as the master as long as it does not fail. If both mGuards have the same priority and the backup becomes the master in case of a failure, it will continue to work as the master even when the other mGuard becomes available again. Values between 1 and 254 are possible.
Authentication passphrase: This password is to protect against misconfiguration among different virtual routers
10. Log entries for unknown connection attempts: No

[Screenshot: VPN connection firewall, Incoming and Outgoing rule tables; each table holds the single default rule (Protocol, From IP 0.0.0.0/0, From port any, To IP 0.0.0.0/0, To port any, Action Accept, Comment "default rule", Log No) followed by "Log entries for unknown connection attempts: No"]

Firewall incoming / Firewall outgoing
While the settings made in the Firewall menu only affect non-VPN connections (see above under "Incoming Rules" on page 89), these settings affect just the VPN connection defined here. This means: if you have defined multiple VPN connections, you can restrict the outgoing or incoming access individually for each connection. You can have any attempts made to bypass these restrictions logged.

> The VPN Firewall factory settings allow all connections via this VPN connection. However, the settings for "Network Security > DoS Protection" on page 98 do apply independently for each individual VPN connection.

> If multiple firewall rules are set, they will be searched in the order in which they are listed from top to bottom until a suitable rule is found. This rule will then be applied. If further down in the list there are other rules which would also fit, they will be ign
11. with 12 bits containing the VLAN ID. The VLAN IDs "0" and "4095" are reserved and can't be used for VLAN identification.

VPN (Virtual Private Network): A Virtual Private Network (VPN) connects several separate private networks (subnets) together via a public network, e.g. the Internet, to form a single joint network. A cryptographic protocol is used to ensure confidentiality and authenticity. A VPN thus offers an economical alternative to using dedicated lines to build a nationwide corporate network.

9 Technical data

General
CPU: Intel IXP 42x with 266 MHz (or 533 MHz, EAGLE and enterprise XL)
Memory: 16 MB Flash, 64 MB SDRAM (mGuard delta: 128 MB)
LAN and WAN Interfaces: Ethernet IEEE 802, 10/100 Mbps, RJ45; Serial RS-232
Operating System: Innominate Embedded Linux

Monitoring
Indicators: Watchdog and LEDs
Relative humidity: blade, smart, PCI: max. 90 %, non-condensing; delta: 5-95 %, non-condensing
Temperature: smart, blade, delta: 0-40 °C; PCI: 0-70 °C

EAGLE mGuard
Network size: Length of a 10BASE-T/100BASE-TX twisted pair segment 100 m (approx.)
Operating voltage: NEC Class 2 power source 12 VDC or 24 VDC (-25 % / +33 %), safety extra-low voltage (SELV/PELV), redundant inputs decoupled, 5 A maximum, buffer time min. 10 ms at 24 VDC
Potential difference between input voltage and housing: Potential difference to input voltage: 24 VDC, 32 VDC; Potential difference
12. 192.168.1.0/24, and you may need to adjust the configuration of your computer to access it.

If you are using Windows XP, click on Start > Control Panel > Network Connections.
- Right-click on the icon of the LAN adapter and then
- click on Properties in the pop-up menu.
- In the dialog Internet Protocol Properties on the General tab, select Internet Protocol (TCP/IP) under "This connection uses the following items" and then
- click on the Properties button to open the following dialog.

[Screenshot: Internet Protocol (TCP/IP) Properties, General tab: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.1.2, Subnet mask 255.255.255.0, Default gateway; Use the following DNS server addresses: Preferred DNS server, Alternate DNS server]

Activate "Use the following IP address" and then enter the following address:
IP address: 192.168.1.2
Subnetwork mask: 255.255.255.0
Default gateway: 192.168.1.1

> Depending on how you configure the mGuard, you may also need to modify the network interface settings of the locally connected system or network accordingly.

5.2.3 mGuard PCI
Install the mGuard PCI Card / Install the mGuard PCI Driver / Configure the Network Interface

If you haven
13. 6.9.1 IPsec VPN > Global ... 113
Machine Certificates ... 113
DynDNS Monitoring ... 114
6.9.2 IPsec VPN > Connections ... 114
Connections ... 114
6.9.3 Define a VPN Connection ... 115
General ... 115
Authentication ... 119
Firewall ... 121
IKE Options ... 123
6.9.4 IPsec VPN > L2TP over IPsec ... 125
(entry illegible) ... 125
6.9.5 IPsec VPN > IPsec Status ... 125
6.10 Menu Redundancy ... 127
6.10.1 Firewall Redundancy ... 127
Redundancy ... 128
ICMP Checks ... 129
6.10.2 Ring / Network Coupling ... 129
Ring / Network Coupling ... 129
6.11 Menu Logging ... 130
6.11.1 (entry illegible) ... 130
Remote Logging ... 130
6.11.2 Logging > Browse local logs ... 131
6.12 Menu Support ... 134
(entry illegible) ... 134
Hardware ... 134
Snapshot ... 134
6.13 CIDR (Classless InterDomain Routing) ... 135
6.14 Network Examples ... 136
7 The Rescue Button: restart, recovery procedure and to flash the firmware ... 137
14. [Screenshot: Found New Hardware Wizard, Innominate mGuard PCI: "Windows has finished installing the software for this device. To close this wizard, click Finish." Buttons: < Back, Finish, Cancel]

The Linux driver is available as a source archive and must be compiled before usage. To do this:
- Build and install the kernel (2.4.26) in /usr/src/linux.
- Unpack the driver into /usr/src/pci-driver.
- Issue the following commands in the shell:
  cd /usr/src/pci-driver
  make LINUXDIR=/usr/src/linux
  install -m0644 mguard.o /lib/modules/2.4.26/kernel/drivers/net
  depmod -a
- To load the driver, run the following command:
  modprobe mguard

5 Configuration preparation

5.1 Connecting the mGuard

mGuard blade / mGuard delta / EAGLE mGuard / mGuard smart / mGuard PCI

mGuard blade: The mGuard blade must be installed inside the mGuard bladeBase and at least one of the bladeBase's power supplies must be on.
In a local configuration: The system that you use for performing the configuration must either be connected to the LAN jack of the mGuard blade, or connected to it via the local network.
In the case of a remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must function.

The mGuard must be connected to its power supply.
In a local configuration: The system that you use for performing the configura
15. Hostname: host.example.com

If a VPN connection is to be set up, at least the IP address of one of the partners must be known so that the other can set up a connection to it. This condition is not satisfied if both sites/stations are assigned their IP addresses dynamically by their respective Internet Service Providers. In this case, a DynDNS service such as DynDNS.org or DNS4BIZ.com can be of assistance. The currently valid IP address of a site/station is registered under a fixed name at a DynDNS service. If you have registered with one of the DynDNS services supported by the mGuard, you can enter the corresponding information in this screen.

Register this mGuard at a DynDNS Service: Yes / No
Select Yes if you have registered with a DynDNS provider and the mGuard should utilize this service. In this case, the mGuard will report its current IP address (the one assigned for its own Internet access by its Internet Service Provider) to the DynDNS service.

Refresh Interval (sec) (Standard: 420 seconds)

6.4.3 DHCP > Internal/External

Whenever the IP address of its own Internet access is changed, the mGuard will inform the DynDNS service of its new IP address. For additional reliability, the device will also report its IP address at the interval set here. This setting is ignored for some DynDNS providers like DynDNS.org, where too many updates will cause the account to be closed.

DynDNS Provider: The providers in the list support the s
16. In Stealth mode, Reject is not supported.

Comment: An informational comment for this rule.

Log: You can specify, for each individual firewall rule, whether the use of the rule should be logged by setting Log to Yes, or should not be logged by setting Log to No (factory setting).

6.2.3 Management > Licensing

Overview: Management > Licensing > Overview

[Screenshot: mGuard Flash ID 000b000a40ffc77b / 0142; AntiVirus License: AntiVirus license installed, Expiry date; Feature License: License with priority 1148898187: licence_id 0, licence_date 2006-05-29T10:23:07, flash_id 000b000a40ffc77b, serial_number 16529003, hardware_revision 00000dee, licence_order 264, product_code 51033, vpn_channels 1, l2tp_server, snmp, remote_syslog, mau_management]

AntiVirus License
Anti-Virus license installed: Here you can examine the validity of the installed AVP license.
Expiry date: Shows the expiry date of your anti-virus license.

Feature License: Shows which functions are included with the mGuard license you have purchased, e.g. the number of possible VPN tunnels.

Install: Management > Licensing > Install

[Screenshot: Automatic License Installation: Voucher Serial Number, Voucher Key; Manual License Installation: Order License, Edit License Request Form; Filename, Browse, Install license file]

With the following functions you can install new licenses on your mGuard.

Automatic license installation: Vouch
17. Local IP Mode
Via DHCP: If the address data for the access to the PPTP server is supplied by the Internet Service Provider via DHCP, select Via DHCP. In this case, you need not make an entry in the Local IP field.
Static (from field below): If the address required to access the PPTP server is not supplied by the Internet Service Provider via DHCP, you must enter the IP address of the remote PPTP server and possibly that of the mGuard in the following two fields.

Local IP: The IP address under which the mGuard can be accessed by the PPTP server.

Modem IP: This is the address of the Internet Service Provider's PPTP server.

Internal Networks
Internal IPs: The Internal IP is the IP address under which the mGuard can be accessed from the locally connected LAN (Ethernet).

In Router / PPPoE / PPTP mode, the default settings are:
IP address: 192.168.1.1
Local Netmask: 255.255.255.0

You can also specify other addresses under which the mGuard can be accessed by devices on the locally connected network. This can be useful, for example, if the locally connected network is divided into subnetworks. In this case, multiple units on different subnetworks can access the mGuard under different addresses.

IP: IP address under which the mGuard shall be accessible on the internal interface (LAN).
Netmask: A netmask for the internal interface (LAN).
Use VLAN: If this IP address is to be inside a VLAN, this option
18. Programs > Accessories > Command Prompt, enter the following command: ipconfig /all

Network > Interfaces

[Screenshot: Network Status: External IP address, Network Mode Status, Active Default Route. Network Mode: Router. External Networks: Obtain external configuration via DHCP; External IPs (untrusted port): IP 10.1.0.152, Netmask 255.255.255.0, Use VLAN, VLAN ID; Additional External Routes: Network, Gateway; IP of default gateway. Internal Networks: Internal IPs (trusted port): IP 192.168.1.1, Netmask 255.255.255.0, Use VLAN No, VLAN ID; Additional Internal Routes: Network, Gateway]

External Networks (Network Mode: Router)
These are the addresses under which the mGuard can be accessed by devices in the external networks (connected to the mGuard's Ethernet connector). If this unit is serving as a gateway to the Internet, the IP addresses will be assigned by the Internet Service Provider (ISP).

Obtain external configuration via DHCP: Yes / No
If the mGuard obtains the configuration data via DHCP (Dynamic Host Configuration Protocol) from a DHCP server, enter Yes. In that case, all other entries made on this page will be ignored.
If the mGuard does not obtain the configuration data via DHCP (Dynamic Host Configuration Protocol) from a DHCP server, enter No and make the following additional entries.

External IPs (untrusted port)
IP / Netmask: IP and netmask for the external interface (WAN).
Use VLAN: I
19. Read-Write Community / Read-Only Community: Enter the required login data in these two fields.

Allowed Networks: Lists the firewall rules that have been set. These apply for the incoming data packets of an SNMP access.

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

From IP: Enter the address(es) of the system(s) that is/are allowed access for the purpose of SNMP monitoring in this field. You have the following options for the entries:
- An IP address.
- To enter an address space, use the CIDR notation, see "CIDR (Classless InterDomain Routing)" on page 135.
- 0.0.0.0/0 means all addresses.

Interface: External OR Internal. Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port). The default behaviour when no rules are specified is to drop all connections on the external interface and to accept all connections on the internal interface.

Action: Possible settings: Accept, Reject, Drop.
Accept means that the data packets should be passed through.
Reject means that the data packets should be rejected so that the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop.
Drop means that the data packets should not be passed through. The data packets will be discarded so that the sender will not be informed as to what happened to them.

In Stealth m
20. Shell Access: Enable SSH remote access; Port for incoming SSH connections (remote administration only); Allowed Networks

[Screenshot: Allowed Networks rule table with columns From IP, Interface, Action, Comment, Log. Notes shown on the page: "These rules allow to enable SSH remote access. Important: Make sure to set secure passwords before enabling remote access. Note: In Stealth mode incoming traffic on the given port is no longer forwarded to the client. Note: In Router mode with NAT or port forwarding the port set here has priority over port forwarding. Note: The SSH access from the internal side is enabled by default and can be restricted by firewall rules."]

Shell Access
When SSH Remote Access is enabled, the mGuard can be configured from a remote system using the command line interface. This option is disabled by default.

IMPORTANT: If you enable remote access, make certain that you have secure root and administrator passwords.

To enable SSH Remote Access, proceed as follows:

Enable SSH remote access: Yes / No
If you want to allow SSH connections, set this switch to Yes. In this case, make certain that the firewall rules on this page permit the mGuard to be accessed from a remote site.

Port for incoming SSH connections (remote administration only) (Standard: 22)
You can select a different port.

Example: If this mGuard can be found in the Internet at the address 123.456.789.21 and the Port Number 22 has been set as the port for remote access, you do not need to enter this port number in the
21. 7.1 Performing a Restart ... 137
7.2 Performing a Recovery ... 137
7.3 Flashing the firmware ... 138
Required before the firmware can be flashed: DHCP and TFTP servers ... 140
7.3.1 Installing DHCP and TFTP servers under Windows or Linux ... 141
Under Windows ... 141
Under Linux ... 142
8 Glossary ... 143
Asymmetrical Encryption ... 143
DES / 3DES ... 143
AES ... 143
Client / Server ... 143
(entry illegible) ... 143
Default routes ... 144
DynDNS provider ... 144
IP address ... 145
IPsec ... 146
NAT (Network Address Translation) ... 146
(entry illegible) ... 146
PPPoE ... 147
PPTP ... 147
X.509 Certificate ... 147
Protocol (communication protocol) ... 147
(entry illegible) ... 147
Service Providers ... 148
Spoofing, Antispoofing ... 148
Symmetrical encryption ... 148
TCP/IP (Transmission Control Protocol / Internet Protocol) ... 148
22. The proxy server's IP or hostname.

Port: The port corresponding to the IP or hostname of the proxy server.
Login: The login, in case the proxy server requires authentication.
Password: The password corresponding to the login.

6.2.5 Management > Configuration Profiles

[Screenshot: Management > Configuration Profiles: profile list with Factory Default, At Home, At Office; Save Current Configuration to Profile; Upload Configuration to Profile; Save the current configuration on ACA]

Here you can save the configuration settings as a configuration profile under any name on the mGuard. It is possible to create and save multiple configuration profiles. You may then activate the configuration profile appropriate at the time, if you use the mGuard in different operating environments.

Furthermore, you can also save configuration profiles as files on the configuration system. Naturally, these configuration files can then be read back onto the mGuard and activated. Furthermore, you can restore the mGuard to the factory settings at any time.

> Passwords and user names are not saved in the configuration profiles.

Configuration profiles
The top of the Configuration Profiles page has a list of configuration profiles that are stored on the mGuard, for example the Factory Default configuration profile. If any configuration profiles have been saved by the user (see below), they
23.  User Authentication > Local Users
[Screenshot: Passwords page with Root Password (Account: root), Administrator Password (Account: admin), User: "Disable VPN until the user is authenticated via HTTP", User Password]
The mGuard supports 3 levels of user authorization. To log in at a specific level of authorization, the user must enter the corresponding password for the level.
Authorization level
Root: This level (password) grants full rights to all parameters of the mGuard. Note: This is the only authorization level that allows you to set up an SSH connection to the device and to then change all of the parameters so that nothing will work anymore. If this happens, all you can do is "flash" the firmware to restore it to the factory settings (see "Flashing the firmware" on page 138). Default root password: root
Administrator: If you log in at this level (password), you will be granted all the rights required for the configuration options that are accessible via the Web-based Administrator interface. Default user name: admin. Default password: mGuard. The user name admin cannot be changed.
User: If a user password has been defined and activated, the user must, after every restart of the mGuard, enter this password to enable a VPN connection when he or she first attempts to access any HTTP URL. If you wish to use this option, enter the desired user password once in each of the corresponding entry fields.
24.  been changed to or away from Stealth mode, the device will reboot automatically.
Note: If you change the address of the mGuard (e.g. by changing the Network Mode from Stealth to Router), the device will only be accessible at the new address. When the change is done from the local interface, you will get a message telling you the new address before the change becomes active. When the change is done from the external interface you will not receive feedback from the mGuard.
Note: If you set the Network Mode to Router, PPPoE or PPTP and then change the internal IP address and/or the local netmask, make very certain that you enter the correct values. Otherwise, the mGuard may no longer be accessible.
External IP Address: Address under which the mGuard is accessible for external network devices. If the mGuard has been allocated an IP address dynamically, you will see here the IP address that is currently valid. In Stealth mode, the mGuard assumes the address of the computer which is connected locally as its external IP.
Network Mode Status: Displays the status of the selected network mode.
Active Default Route: Here the IP address is displayed via which the mGuard tries to reach networks that are unknown to it. The display will read "none" if the mGuard is running in Stealth mode, or if the IP address which has been defined in the configuration for the connected computer as the default gateway is not correct.
Network Mode > S
25.  clients within the VPN.
Local IP for L2TP connections: With the setting shown in the screenshot above, the mGuard will inform the remote site that the mGuard's address is 10.106.106.1.
Remote IPs for L2TP connections (range): With the settings shown in the screenshot above, the mGuard will assign IP addresses between 10.106.106.2 and 10.106.106.254 to the remote peers.
Status: Shows information about the L2TP status when this type of connection has been selected. See "Connections" on page 114. If this type of connection has not been selected, the screen shown above will be displayed.

6.9.5 IPsec VPN > IPsec Status
[Screenshot: IPsec VPN > IPsec Status page with the columns Connection Name, Connection State and ISAKMP, listing the local and remote networks and the X.509 subject of each peer for two example connections]
Shows the status of the IPsec connections. The names of the VPN connections are listed on the left. On the right, you will find the current status of each connection.
GATEW
26.  connection to a local system, which is registered with the DynamicDNS provider, the remote system can use the host name of the local system as its address. This will set up a connection to the responsible DNS (Domain Name Server) to look up the IP address that is currently registered for this hostname. The corresponding IP address will be sent back from the DNS to the remote system, which can then use this as the destination address. The remote system can now directly address the desired local computer.
In principle, all Internet addresses are based on this procedure. First, a connection will be established to a DNS to look up the IP address assigned for the domain name. Once that has been accomplished, this "looked up" IP address will be used to set up a connection to the desired remote site, which could be any site in the Internet.

IP address
Every host or router in the Internet or an Intranet has an unambiguous IP address (IP = Internet Protocol). The IP address is 32 bits (= 4 bytes) long and is written as 4 numbers of up to three digits, each in the range from 0 to 255, which are separated by a dot.
An IP address consists of 2 parts: the network address and the host address.
[Figure: Network Address | Host Address]
Each host (or workstation) in a network has the same network address, but a different host address. Depending on the size of the respective network, networks are categorized as Class A, B or C networks, which are each differen
27.  define firewall rules for each individual VPN connection in the VPN > Connections menu.
Note: The anti-virus function (see "Web security > HTTP" on page 113, "Web security > FTP" on page 115, "E-mail security > POP3" on page 119, "E-mail security > SMTP" on page 122) has priority over the firewall rules defined here and can partially override them. This behaviour can be overridden in the Network security > Packet filters > Extended settings menu by setting the switch "Connections scanned for viruses are subject to firewall rules" (see "Extended settings > Anti-virus scanner" on page 103).
Note: If multiple firewall rules are set, they will be searched in the order in which they are listed, from top to bottom, until a suitable rule is found. This rule will then be applied. If further down in the list there are other rules which would also fit, they will be ignored.

Incoming Rules
[Screenshot: Network Security > Packet Filter > Incoming Rules with one rule: Protocol TCP, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept, Log No. These rules specify which traffic from the outside is allowed to pass to the inside. Please note: Port settings are only meaningful for TCP and UDP.]
Incoming: Lists the firewall rules that have been set. These rules apply for incoming data connections, i.e. o
28.  4. Click on the TFTP Server or DHCP Server tab and then click on the Settings button to open the dialog shown below. Then set the parameters as shown.
[Screenshot: Tftpd32 Settings dialog (Tftpd32 by Ph. Jounin): Server interface 192.168.10.1; TFTP Server and DHCP Server enabled; DHCP server: IP pool starting address 192.168.10.200, size of pool 30, mask 255.255.255.0, WINS/DNS server and default router 0.0.0.0]

Under Linux
All current Linux distributions include DHCP and TFTP servers. Install the corresponding packages as described in the instructions for the respective distribution.
Configure the DHCP server by making the following settings in the DHCP configuration file under /etc:
subnet 1
29.  is 3600 seconds (1 hour). The allowed maximum is 86400 seconds (24 hours).
IPsec SA Lifetime: The lifetime of the IPsec SA keys in seconds. The factory default is 28800 seconds (8 hours). The allowed maximum is 86400 seconds (24 hours).
Rekeymargin: Minimal time interval before the old key expires during which a new key shall be negotiated. The factory default is 540 seconds (9 minutes).
Rekeyfuzz: Maximum in percent by which Rekeymargin shall be randomly increased. This is to lower the load during key exchanges on machines with many VPN connections by serializing them. The factory default is 100 percent.
Keying tries: Number of attempts to negotiate new keys with the remote peer. The special value 0 means unlimited attempts in case the connection is to be initiated by the mGuard; otherwise it means 5.
Rekey: When set to Yes, the mGuard will try to renegotiate keys when they expire.
Dead Peer Detection: When the remote peer supports the Dead Peer Detection (DPD) protocol, both peers can detect whether the connection is still valid or must be renegotiated. Without DPD, the connection must be either restarted manually or is unusable until the initiating site's SAs expire.
Action (Hold / Restart / Delete): The switch determines the action that is to be carried out when DPD has recognised a disruption in the IPsec connection. In the case of Hold (default), an attempt to re-build the IPsec connection is made if it has been declared dead, but on
30.  is in PPPoE/PPTP mode, NAT must be activated to enable access to the Internet. If NAT is not activated, the device will only allow VPN connections.
When using more than one IP address for an interface, the first IP address in the list is always used for IP Masquerading.
Note: These rules don't apply to the stealth mode.
Factory setting: NAT is not active.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
You have the following options for the entries:
From IP: 0.0.0.0/0 means all addresses, i.e. all internal IP addresses will be translated using NAT. To enter an address space, use the CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).

1:1 NAT: Lists the rules set for 1:1 NAT (Network Address Translation), which mirrors addresses from the internal network into the external network.
In the following example the mGuard is inside the net 192.168.0.0/24 with its internal interface and inside the net 10.0.0.0/24 with its external interface. By using 1:1 NAT, the computer with the IP 192.168.0.8 can be reached under the IP 10.0.0.8 in the external network.
[Figure: the host 192.168.0.8 in the internal net 192.168.0.0/24, mirrored through the mGuard into the external net 10.0.0.0/24]
Note: These rules don't apply to the stealth mode.
Factory setting: NAT is not active.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
You have the following options for the entries:
Local network: The network address
31.  key. WAN: Red. LAN: Green. See "The Rescue Button: restart, recovery procedure and flashing the firmware" on page 137.

3.2 mGuard delta
[Figure: mGuard delta front view with the Power and Status LEDs, the LAN switch ports (Ethernet LAN) and the WAN port (Ethernet WAN)]
LEDs / State / Meaning:
Power: on: The power supply is active.
Status: on: The mGuard is booting. heartbeat (flash, flash, pause): The mGuard is ready.
1, 2: Reserved.
3 (WAN): on: Link detected. flashing: Data transfer.
4 to 7 (LAN): on: Link detected. flashing: Data transfer.

3.3 EAGLE mGuard
[Figure: EAGLE mGuard front view with Link Status/Data 1 (LAN) and 2 (WAN) LEDs, STATUS and FAULT LEDs, Serial V.24 port, Rescue Key, Ethernet LAN, USB, Ethernet WAN and Ground Connection]
LEDs / State / Meaning:
P1, P2: green: The power supply 1 or 2 is active.
STATUS: green flashing: The mGuard is booting. green: The mGuard is ready. yellow: The mGuard is ready and Redundancy Master. yellow/green flashing: The mGuard is ready and Redundancy Slave.
FAULT: red: The signal contact is open in case of an error.
LS/DA 1, 2: green: Link detected. yellow flashing: Data transfer.

3.4 mGuard smart
[Figure: mGuard smart with LED1, LED2, LED3 and the Recovery Key]
Recovery Key: Located in the opening. Use a straightened paper clip, for example, to operate it.
LEDs / Colour / State / Meaning: Red / Green: red/green flashing: Bo
32.  mGuard's serial number.
Flash ID: Serial number of the mGuard's flash chip.
Software version: Software version of the mGuard.
MAC addresses: All MAC addresses used by the mGuard.
Status: Status of the mGuard.
WAN link status: Status of the Ethernet WAN port.
LAN link status: Status of the Ethernet LAN port.

Blade Control > Configuration
[Screenshot: Blade Control > Configuration page for Blade 01 (blade in slot 01, configuration out of date) with the settings Configuration backup (Blade 01 > Controller: Backup / Restore), Reconfiguration if Blade 01 is replaced, Delete configuration backup of Blade 01, Upload configuration from client and Download configuration to client]
Configuration backup (Blade __ > Controller): Automatic: Shortly after a configuration change on the mGuard, the new configuration will be stored automatically on the controller. Manual: With the Backup button the configuration can be stored on the controller and with the Restore button it can be restored from the controller onto the mGuard.
Reconfiguration if Blade __ is replaced: After replacing an mGuard in this slot, the configuration stored on the controller will be automatically applied to the new mGuard.
Delete configuration backup of Blade __: Deletes the configuration stored on the controller for this slot.
Upload configuration from client: Upload a configuration profile for this slot to the controller.
33.  made in the Firewall > Incoming menu.
Note: These rules don't apply to the stealth mode.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
Protocol: Specify the protocol which the rule should govern.
From IP: The source IP for which forwarding shall be performed.
From Port: The source port for which forwarding shall be performed. any specifies any port. Ports may be either port numbers or service names, like pop3 for port 110 or http for port 80.
Incoming on IP: Enter the external IP address (or one of the external IP addresses) of the mGuard here. OR: If the destination IP address of the mGuard is assigned dynamically, this cannot be specified. In this case, use the following variable: %extern. Note: The variable %extern always corresponds to the first IP address of the address list when using more than one external IP address.
Incoming on Port: The original destination port of the incoming data packets must be entered in this field.
Redirect to IP: In this field, enter the internal IP address to which the data packets should be forwarded. The original destination address will be overwritten with the address entered in this field.
Redirect to Port: In this field, enter the port to which the data packets should be forwarded. The original entry for the destination port will be overwritten with the port specified in this field.
Comment:
34.  modules of the mGuard. Can be used for support purposes, as applicable.

Update Management
[Screenshot: Management > Update page with the sections Local Update (Filename, Install Packages), Online Update (Package set name, Install Package Set), Automatic Update and Update Servers]
Local Update: Filename: The filename of the package set has the extension .tar.gz. The format of the filename you have to enter is: update-a.b.c-d.e.tar.gz
Automatic Update: Install the latest patch release (x.y.Z). Install the latest minor release (x.Y.z) for the currently installed major version. Note: It might be possible that there is no direct update from the currently installed version to the latest published minor release available. Therefore, after updating the system to a new minor release, press this button again until you receive the message that there is no newer update available.
Install the next major release (X.y.z). Note: It might be possible that there is no direct update from the currently installed version to the next major release available. Therefore execute the minor release update first and repeat this step until you receive the message that there is no newer minor release available. Then install the next major release.
Update Servers: [table with the columns Protocol, Server, Login and Password; default entry: https, update.innominate.com]
There are two possibilities for conducting a software update:
You have the update package set file on your computer (the fil
35.  not be informed as to what happened to them. In Stealth mode, Reject is not supported.
Comment: An informational comment for this rule.
Log: You can specify, for each individual firewall rule, whether the use of the rule should be logged by setting Log to Yes, or should not be logged by setting Log to No (factory setting).

6.2.2 Management > Web Settings
[Screenshot: Management > Web Settings > General with the setting Scope of the "Apply" button: Per Page]
General: Language: If "Automatic" is selected from the list of languages, the device will use the language setting of the system's browser.
Session Timeout (seconds): Specifies the time interval of inactivity (in seconds) after which the user will be logged out automatically. Possible values are between 15 and 86400 (= 24 hours) seconds.
Scope of the "Apply" button: If set to per Page, configuration changes need to be applied per page in order to be stored. Otherwise (per Session) the configuration may be changed on several pages before being applied.

Access
[Screenshot: Management > Web Settings > HTTPS Web Access with the settings Enable HTTPS remote access, Remote HTTPS TCP Port and the Allowed Networks table (From IP, Interface, Action, Comment). These rules allow to enable HTTPS remote access. Important: Make sure to set secure passwords before enabling remote access. Note: In Stealth mode incoming traffic on the given port is no longer forwarded to the client. Note: In ro]
36.  on how to request and install a license can be found under the section "Management > Update" on page 54.
• Access to an update server with the current versions of the virus signatures (see section "Management > Update" on page 54).

Virus Protection
Email Security > SMTP
[Screenshot: Email Security > SMTP > Virus Protection: Enable content scanning for SMTP (Outgoing): yes; SMTP maximum filesize for scanning: 5 MB; Action for mails exceeding maximum message size: Let message pass unscanned; Servers table (Server, Server port, Comment, Enable Scan) with the entry 0.0.0.0/0, port 25, Scan. Note: Both global content scanning for SMTP must be enabled and firewall rules defining the IP address range to be scanned must be set.]
The SMTP protocol is used by e-mail clients or mail transfer agents (MTA) to send e-mails.
Note: The virus filter can only check unencrypted data for viruses. Consequently, you should not activate encryption options such as TLS. If a virus is detected or an error occurs, an e-mail with an error code will be sent to the sender and an entry will be made in the anti-virus log. The intended recipient will receive neither the infected mail nor a message.
Options: Anti-virus protection for SMTP (E-mail transmission): Yes / No. In the case of Yes, files to be sent are scanned for viruses by mGuard if they are to be transmitted via SMTP connections that are specified in the list of SMT
37.  on the local interface (LAN).
External network: The network address on the external interface (WAN).
Netmask: The network mask as a value between 1 and 32 for the local and external network address. See also "CIDR (Classless InterDomain Routing)" on page 135.

Port Forwarding
Lists the rules set for port forwarding.
[Screenshot: Network Security > NAT > Port Forwarding (Connection Tracking) with one rule: Protocol TCP, From IP 0.0.0.0/0, From Port any, Incoming on IP %extern, Incoming on Port http, Redirect to IP 192.168.2.2, Redirect to Port http, Log No. These rules let you forward traffic targeted to the mGuard to another machine without modifying the source address. The column "Incoming on IP" accepts the special value %extern as the mGuard's first external IP. Please note: These rules won't apply to the Stealth mode.]
Port forwarding performs the following: The headers of data packets incoming from the external network, which are addressed to the mGuard's external IP address (or one of its external IP addresses) and to one of the ports on the mGuard, will be rewritten to forward them to a specific port on a specific system in the internal network. In other words, both the IP address and the port number in the header of the incoming data packets will be changed. This method is also called Destination NAT.
Note: The rules set here have priority over the settings
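The rule handling described in the packet filter, port forwarding and 1:1 NAT sections above, as an added Python example that is not the mGuard's own code: top-to-bottom first-match rule search, service names in place of port numbers, the %extern variable, the Destination NAT rewrite and the 1:1 NAT address mirroring. The rule dictionaries, the Packet type, the external address list and the assumption that a packet fitting no incoming rule is dropped are my own.

```python
import ipaddress
from dataclasses import dataclass, replace

# Service names the mGuard accepts in place of port numbers (manual: pop3 = 110, http = 80).
SERVICE_PORTS = {"http": 80, "pop3": 110}


def resolve_port(spec):
    """'any' -> None (wildcard); a service name or a numeric string -> port number."""
    if spec == "any":
        return None
    return SERVICE_PORTS[spec] if spec in SERVICE_PORTS else int(spec)


def ip_matches(spec, ip, extern_ips):
    """CIDR match; the special value %extern stands for the mGuard's first external IP."""
    if spec == "%extern":
        return ip == extern_ips[0]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:        # assumed representation, not the mGuard's
    proto: str       # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int


def first_matching_rule(rules, pkt, extern_ips):
    """Rules are searched top to bottom; the first fitting rule applies, later fits are ignored.
    Rule keys: proto, from_ip, from_port, to_ip, to_port (for forwarding rules to_ip/to_port
    are the manual's "Incoming on IP" / "Incoming on Port")."""
    for rule in rules:
        if rule["proto"] not in ("any", pkt.proto):
            continue
        if not ip_matches(rule["from_ip"], pkt.src, extern_ips):
            continue
        if not ip_matches(rule["to_ip"], pkt.dst, extern_ips):
            continue
        if pkt.proto in ("TCP", "UDP"):   # port settings are only meaningful for TCP and UDP
            sport, dport = resolve_port(rule["from_port"]), resolve_port(rule["to_port"])
            if sport is not None and sport != pkt.sport:
                continue
            if dport is not None and dport != pkt.dport:
                continue
        return rule
    return None


def filter_incoming(rules, pkt, extern_ips):
    """Action of the first matching incoming rule; a packet fitting no rule is dropped (assumption)."""
    rule = first_matching_rule(rules, pkt, extern_ips)
    return rule["action"] if rule else "Drop"


def port_forward(rules, pkt, extern_ips):
    """Destination NAT: rewrite destination IP and port of a matching packet, keep the source."""
    rule = first_matching_rule(rules, pkt, extern_ips)
    if rule is None:
        return pkt
    return replace(pkt, dst=rule["redirect_to_ip"], dport=resolve_port(rule["redirect_to_port"]))


def one_to_one_nat(internal_ip, local_network, external_network, netmask):
    """1:1 NAT: keep the host part of the address, swap the network part
    (manual example: 192.168.0.8 in 192.168.0.0/24 is reachable as 10.0.0.8 in 10.0.0.0/24)."""
    local_net = ipaddress.ip_network(f"{local_network}/{netmask}", strict=False)
    ext_net = ipaddress.ip_network(f"{external_network}/{netmask}", strict=False)
    addr = ipaddress.ip_address(internal_ip)
    if addr not in local_net:
        raise ValueError(f"{internal_ip} is not inside {local_net}")
    host_part = int(addr) & int(local_net.hostmask)
    return str(ipaddress.ip_address(int(ext_net.network_address) | host_part))


# Constructed sample configuration (rule values taken from the manual's screenshots where shown).
EXTERN_IPS = ["10.0.0.1"]                       # assumed external address list
FORWARD_RULES = [
    {"proto": "TCP", "from_ip": "0.0.0.0/0", "from_port": "any",
     "to_ip": "%extern", "to_port": "http",
     "redirect_to_ip": "192.168.2.2", "redirect_to_port": "http"},
]
INCOMING_RULES = [                              # order matters: the first fit wins
    {"proto": "TCP", "from_ip": "10.0.0.0/24", "from_port": "any",
     "to_ip": "0.0.0.0/0", "to_port": "pop3", "action": "Accept"},
    {"proto": "TCP", "from_ip": "0.0.0.0/0", "from_port": "any",
     "to_ip": "0.0.0.0/0", "to_port": "any", "action": "Reject"},
]

if __name__ == "__main__":
    web = Packet("TCP", "203.0.113.5", 40000, "10.0.0.1", 80)
    print(port_forward(FORWARD_RULES, web, EXTERN_IPS))          # dst 192.168.2.2, dport 80
    print(filter_incoming(INCOMING_RULES, Packet("TCP", "10.0.0.7", 5000, "10.0.0.99", 110), EXTERN_IPS))
    print(one_to_one_nat("192.168.0.8", "192.168.0.0", "10.0.0.0", 24))  # 10.0.0.8
```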
38.  passed on after it has been loaded completely and checked. Consequently, user software may react less quickly when downloading larger files or whenever the download speeds are slow.
Note: To check the anti-virus protection for FTP, you can download the safe Eicar test virus which is available for test purposes at http://www.eicar.org/anti_virus_test_file.htm
The mGuard can only be used to secure the FTP client.
Options: Anti-virus protection for FTP: Yes / No. In the case of Yes, files received are scanned for viruses by mGuard if they arrive via FTP connections contained in the list of FTP servers below.
Scanning up to a pre-set volume of 5 MB: The maximum size of the files to be checked is specified here. Files that are larger are not scanned. Depending on the "When size limit is exceeded" setting, an error message is sent to the client in the event of a file exceeding the size limit, or the system automatically switches to throughput mode. If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message will be sent to the user's client software and an entry will be written to the anti-virus log. In this case, you have the following options:
• You can try again later to download/upload the file.
• You can temporarily deactivate the virus filter for the corresponding server.
• You can set the parameter to "Let the data pass unscanned".
Action for infected content: Notify
39.  Power / signal relay: activate traps: Yes / No
enterprise oid: mGuardTrapIndustrial; genericTrap: enterpriseSpecific; specific trap: mGuardTrapIndustrialPowerStatus (2); additional: mGuardTrapIndustrialPowerStatus; Description: This trap is sent when power supply failure was detected.
enterprise oid: mGuardTrapIndustrial; genericTrap: enterpriseSpecific; specific trap: mGuardTrapSignalRelais (3); additional: mGuardTResSignalRelaisState, mGuardTResSignalRelaisReason, mGuardTResSignalRelaisReasonIdx; Description: Current state of the signal relais changed (0 = off, 1 = on).
• Agent / ACA / temperature: activate traps: Yes / No
enterprise oid: mGuardTrapIndustrial; genericTrap: enterpriseSpecific; specific trap: mGuardTrapIndustrialTemperature (1); additional: mGuardSystemTemperature, mGuardTrapIndustrialTempHiLimit, mGuardTrapIndustrialLowLimit; Description: Trap reporting temperature exceeding the given limits.
enterprise oid: mGuardTrapIndustrial; genericTrap: enterpriseSpecific; specific trap: mGuardTrapAutoConfigAdapterState (4); additional: mGuardTrapAutoConfigAdapterChange; Description: This trap is sent when the ACA was accessed.
Blade Controller Traps (only blade): Blade status change (replug, failure) and power supply: activate traps: Yes / No
enterprise oid: mGuardTrapBladeCTRL; generic trap: enterpriseSpecific; specific trap: mGuardTrapBla
40.  rail, insert a screwdriver horizontally under the housing into the locking slide, pull it (without tipping the screwdriver) downwards and lift the EAGLE mGuard upwards.

4.4 Connect the mGuard smart
[Figure: mGuard smart connectors]
Ethernet plug to connect the unit directly to the system or network to be protected (local system or network).
USB connector to connect the unit to a computer's USB interface. Only used to supply power.
Jack for connecting an external network, e.g. WAN, Internet. Connections to remote devices or networks are established via this network. Use a UTP cable (CAT 5).
If your system is already connected to a network, simply insert the mGuard between the system's network interface and the network.
[Figure: before / after]
Note: No additional driver needs to be installed.
Note: For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration.

4.5 Connect the mGuard PCI
4.5.1 Choice between Driver mode or Power over PCI mode
There are two operating modes: Driver mode or Power over PCI mode. The mGuard is switched to operate in the desired mode via a jumper.
Driver mode: The mGuard PCI can be used like a regular network card, enabling this network card to also provide the mGuard functions. In this case the included driver must be installed.
Power over PCI mode:
41.  's current address, you must use the Rescue key to restore it to factory default (see "Performing a Recovery" on page 137).
If, even after repeated attempts, the Web browser still reports that the page cannot be displayed, try the following:
• Check whether the default gateway has been initialized on the connected configuration system. See "Local Configuration: At startup" on page 34.
• Try disabling any existing firewall.
• Make certain that the browser does not use a proxy server. In MS Internet Explorer (Version 6.0), you can prevent this with the following setting: In the Extras menu, select Internet Options... and click on the Connections tab. Under LAN Settings click on the Properties... button and, in the Local Area Network (LAN) Settings dialog, check to make certain that Use a proxy server for your LAN (under Proxy server) is not activated.
• If any other LAN connection is active on the system, deactivate it until the configuration has been completed. Under the Windows Start menu, Settings, Control Panel, Network Connections or Network and Dial-up Connections, right-click on the associated icon and select Disable in the pop-up menu.
After the connection has been successfully set up, the following security notice will be displayed (MS Internet Explorer):
Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The sec
42.  supervise the functions of the EAGLE mGuard and thereby facilitates remote diagnosis. An interruption of the potential-free signal contact (relay contact, closed current circuit) indicates the following:
• The failure of at least one of the two supply voltages.
• A permanent fault on the EAGLE mGuard (internal 3.3 V DC voltage, supply voltage 1 or 2 < 9.6 V).
• The faulty link status of at least one port. The indication of the link state on the EAGLE mGuard can be masked on a port-by-port basis using the management software. State of delivery: there is no link test.
• Self-test error.
Note: In case of a non-redundant voltage supply, the EAGLE mGuard will indicate the failure of the supply voltage. You can correct this by connecting the supply voltage to both inputs.
Ground connection: The EAGLE mGuard is grounded with a separate screw connection.
Assembly: The equipment is delivered in a ready-to-operate condition. The following procedure is appropriate for assembly:
• Pull the terminal block off the EAGLE mGuard and wire up the supply voltage and signal contact lines.
• Fit the EAGLE mGuard on a 35 mm standard bar to DIN EN 50 022.
• Attach the upper snap-on slide bar of the EAGLE mGuard to the standard bar and press it down until it locks into position.
Startup procedure / Network connection:
• Connect the device to the local network or the local PC which is to be protected (LAN).
• Connect the s
43.  switch to/from daylight saving time, enter: CET-1CEST,M3.5.0,M10.5.0/3
Time stamp in filesystem (2h granularity): Yes / No. If this option is set to Yes, the mGuard will save the current system time to its memory every two hours. Afterwards, if the mGuard is switched off and back on, a time from this two-hour period of time will be displayed when the mGuard is switched on, and not the factory setting (a time on 1 January 2000).
Enable NTP time synchronisation: Yes / No. Once NTP is enabled, the mGuard queries the time from the Internet and displays this as its current system time. The synchronisation can take several seconds. If this option is set to Yes and at least one time server is specified under NTP servers to synchronize to (see below), the current system time will be retrieved over the internet.
NTP State: Displays the current NTP state.
NTP server: Enter one or more time servers from which the mGuard should obtain the current time. If you enter multiple time servers, the mGuard will automatically connect with all of them to determine the current time.
Note: If you enter a hostname (e.g. pool.ntp.org) instead of an IP address, a DNS server must also be specified (see "Network > DNS" on page 81).
Note: If the mGuard is operating in Router, PPPoE or PPTP mode, it will also make the NTP time available to the locally connected systems.
Shell Access
[Screenshot: Management > System Settings with the tabs Host, Time and Date, and Shell Access]
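What the daylight-saving string CET-1CEST,M3.5.0,M10.5.0/3 above encodes, as an added Python example that is not part of the manual: it parses the POSIX TZ rule and computes the two switch-over dates for a given year. It assumes the "Mm.w.d" rule form with optional whole-hour "/H" times, which is all the manual's string uses.

```python
import re
from datetime import date, datetime, timedelta

# POSIX TZ string: STD offset [DST ,start[/time] ,end[/time]]
# Only the "Mm.w.d" rule form with an optional whole-hour "/H" time is handled (assumption).
TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]+)(?P<off>[+-]?\d+)"
    r"(?:(?P<dst>[A-Za-z]+),(?P<start>M[^,]+),(?P<end>M[^,]+))?$"
)
RULE_RE = re.compile(r"^M(?P<m>\d+)\.(?P<w>\d)\.(?P<d>\d)(?:/(?P<h>\d+))?$")


def nth_weekday(year, month, week, weekday):
    """Date for 'Mm.w.d': weekday d (0 = Sunday) of week w (5 = last) of month m."""
    first = date(year, month, 1)
    py_weekday = (weekday - 1) % 7            # POSIX Sunday=0 -> Python Sunday=6
    offset = (py_weekday - first.weekday()) % 7
    day = first + timedelta(days=offset + 7 * (week - 1))
    while day.month != month:                 # week 5 means "last": step back if we ran past the month
        day -= timedelta(days=7)
    return day


def rule_datetime(rule, year):
    """Local wall-clock time at which a transition rule fires in the given year."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported transition rule: {rule}")
    day = nth_weekday(year, int(m["m"]), int(m["w"]), int(m["d"]))
    hour = int(m["h"]) if m["h"] else 2       # POSIX default transition time is 02:00 local
    return datetime(day.year, day.month, day.day, hour)


def dst_transitions(tz, year):
    """Return (std_name, utc_offset, dst_name, dst_start, dst_end) for one year.
    POSIX offsets are west-positive, so 'CET-1' means one hour ahead of UTC.
    dst_start is in local standard time, dst_end in local daylight saving time."""
    m = TZ_RE.match(tz)
    if not m:
        raise ValueError(f"unsupported TZ string: {tz}")
    utc_offset = -timedelta(hours=int(m["off"]))
    if not m["dst"]:
        return m["std"], utc_offset, None, None, None
    return (m["std"], utc_offset, m["dst"],
            rule_datetime(m["start"], year),
            rule_datetime(m["end"], year))


if __name__ == "__main__":
    # The manual's string: CET is UTC+1; CEST starts on the last Sunday of March at 02:00
    # and ends on the last Sunday of October at 03:00.
    print(dst_transitions("CET-1CEST,M3.5.0,M10.5.0/3", 2024))
```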
44.  't already installed the mGuard PCI card in your computer, please follow the steps as described in "Hardware installation" on page 27.
If you've configured the mGuard to run in Driver Mode, make sure that you've installed the drivers as described in "Driver installation" on page 28.
If you
• operate mGuard in the driver mode and the LAN interface (computer's network interface) has not yet been configured, OR
• operate mGuard in the Power over PCI mode and the computer's network interface (which is connected to mGuard's LAN interface) has not yet been configured,
this network interface must be configured before you can configure mGuard.
If you are using Windows XP:
The Default Gateway
• Click on Start, Control Panel, Network Connections.
• Right-click on the icon of the LAN adapter.
• Click on Properties in the pop-up menu.
• In the dialog Internet Protocol Properties on the General tab, select Internet Protocol (TCP/IP) under "This connection uses the following items".
• Click on the Properties button to open the dialog you see to the right.
[Screenshot: Internet Protocol (TCP/IP) Properties, General tab. "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.1.2; Subn]
...the following steps:
1. Click on Browse... to select the certificate file.
2. Click on Import.

Download Test
By clicking on Test Download you can test, without actually saving the modified parameters or activating the profile, whether the parameters are correct. The result of the test will be displayed in the right column.

Note: You should make sure that the profile on the server does not contain unwanted variables beginning with "GAI_PULL_", which overwrite the pull configuration on the mGuard.

67 of 152

6.2.8 Management > Restart

Management > Restart
Restart
Note: please give the mGuard approximately 40 seconds to reboot.
A new start (reboot) is necessary in the event that a fault occurs. It may also be necessary after a software update.
You can also reboot the device by switching it off and back on again.

6.3 Menu Entry Blade Control (control unit only)
This menu is only available on the control unit.

6.3.1 Blade control > Overview

Blade Control > Overview
[Screenshot: overview table with one row per slot (01 to 12) showing the blade type (blade, blade XL or Unknown), its status, serial number and software version, e.g. 4.0.0-pre18 or 3.1.0-sophia.]
...to 1.1.1.1 requires ARP resolution of the default gateway. Restricting ARP traffic to the default gateway may lead to management access problems.

Outgoing (trusted port)
Source MAC | Destination MAC | Ethernet Protocol | Action | Comment
Ethernet Protocol may be "any", IPv4, ARP, Length or a hexadecimal value.
Please note: These rules only apply to the Stealth mode.
Please note: Management access to 1.1.1.1 requires ARP resolution of the default gateway. Restricting ARP traffic to the default gateway may lead to management access problems.

Beside the IP firewall (OSI Layer 3/4), which filters ICMP messages and TCP/UDP connections, the mGuard, when operating in stealth mode, can additionally filter for MAC addresses and ethernet protocols (OSI Layer 2).
In contrast to the IP firewall, the MAC filter is stateless. This means an additional rule must be created for some rules in the opposite direction where necessary.
When no rules are defined, all ARP and IP frames are allowed.

Note: Please note the annotations on the screen when you define MAC filtering rules.

91 of 152

Advanced

92 of 152

Advanced

Note: Rules defined here supersede the IP firewall rules.

Source MAC
Definition of the source MAC address. xx:xx:xx:xx:xx:xx is a wildcard for all MAC addresses.

Destination MAC
Definition of the destination MAC address. xx:xx:xx:xx:xx:xx is a wildcard for all MAC addresses. The value ff:ff:ff:ff:ff:ff is the broadcast MA
...to input voltage (ground): 32 VDC

Power consumption: max. 7.2 W at 24 VDC (24.6 Btu (IT)/h)
Overload current protection (at input): non-changeable fuse
Dimensions (W x H x D): 46 mm x 131 mm x 111 mm (1.8 in x 5.2 in x 4.4 in)
Weight: 340 g (0.8 lb)
Ambient temperature: surrounding air 0 °C to +55 °C (32 °F to 131 °F)
Storage temperature: surrounding air -40 °C to +80 °C (-40 °F to 176 °F)
Humidity: 10% to 95%, non-condensing
Atmospheric pressure: suitable for operation up to 2000 m (6561 ft), 795 hPa
Pollution Degree: 2

150 of 152

Interference proof
Discharge of static electricity: contact discharge EN 61000-4-2, Test level 3; air discharge EN 61000-4-2, Test level 3
Electromagnetic fields: EN 61000-4-3, Test level 3
Fast transients: EN 61000-4-4, Test level 3
Surge voltage, symmetrical: EN 61000-4-5, Test level 2
Surge voltage, asymmetrical: EN 61000-4-5, Test level 3
Cable-based RF faults: EN 61000-4-6, Test level 3
EMC emitted immunity: FCC 47 CFR Part 15 Class A
EMC emitted immunity: EN 55022 Class A
Germanischer Lloyd Rules for Classification and Construction VI-7-3 Part 1, Ed. 2003
Vibration: IEC 60068-2-6 Test FC, testing level in line with IEC 61131-2 and Germanischer Lloyd Guidelines for the Performance of Type Tests, Part 1
Shock: IEC 60068-2-27 Test Ea, testing level in line with IEC 61131-2
Certifications: cUL 508 / CSA 22.2 No. 142 co
...to replace the earlier DES standard. AES specifies three different key sizes: 128, 192 and 256 bits.
In 1997, NIST started the AES initiative and announced its conditions for the algorithm. From the many proposed encryption algorithms, NIST selected a total of five algorithms for closer examination: the MARS, RC6, Rijndael, Serpent and Twofish algorithms. In October 2000, the Rijndael algorithm was adopted as the standard's encryption algorithm.

In a client-server environment, a server is a program or computer which accepts and answers queries from client programs or computers.
In data communication, a computer which establishes a connection to a server (or host) is also called a client. In other words, the client is the calling computer and the server (or host) is the computer called.

In the IP protocol, data is sent in the form of data packets, which are known as IP datagrams. An IP datagram has the following structure:

  | IP Header | TCP, UDP, ESP etc. Header | Data (Payload) |

The IP header contains:

143 of 152

Default route
DynDNS provider

144 of 152

- the IP address of the sender (source IP address),
- the IP address of the receiver (destination IP address),
- the protocol number of the protocol of the next higher protocol layer (in accord with the OSI seven-layer model),
- the IP header checksum used to check the integrity of the received header.
The TCP/UDP header contains the following informati
...under Hostname mode, the entry in this field will be ignored.

Domain search path
This entry makes it easier for the user to specify a domain name. If the user enters the domain name in an abbreviated form, the mGuard will extend the entry by appending the domain suffix which is defined here in the Domain search path.

SNMP Information
Systemname: An informational name for the mGuard, e.g. "Hermes", "Pluto" (sysName under SNMP).
Location: The physical location of this mGuard (sysLocation under SNMP).
Contact: The name of the contact person for this mGuard, together with information on how to contact this person (sysContact under SNMP).

HiDiscovery
HiDiscovery is a protocol which supports the initial startup of new network devices and is available in the mGuard's Stealth mode on the mGuard's LAN port.

Local HiDiscovery Support
Activated: The HiDiscovery protocol is activated.
Read only: The HiDiscovery protocol is activated, but the mGuard cannot be configured through it.
Deactivated: The HiDiscovery protocol is deactivated.

HiDiscovery Frame Forwarding
If this option is activated, then HiDiscovery frames are forwarded from the internal (LAN) interface externally (WAN).

Signal contact (EAGLE mGuard only)
[Screenshot: Management > System Settings > Signal Contact. Mode: Signal contact = Operation supervision. Operation supervision: Contact: Redundant power supply = Supervise; Link supervision = Ignore. Manual settings ...]
...up by a remote site with any IP address, enter "any".
In this case, the local mGuard can be "called" by a remote site which has been dynamically assigned its IP address (by the internet service provider), i.e. which has an IP address that changes. In this scenario, you may only enter an IP address when this is the fixed and known IP address of the remote ("calling") site.
Note: "any" can only be used along with the authentication mode using X.509 certificates.
Note: In case the remote peer is located behind a NAT gateway, "any" must be used. Otherwise the renegotiation of new connection keys will fail after the connection is established.

Connection startup
There are 2 options:
- Initiate the connection to the remote site
- Wait for the remote site to initiate the connection

Initiate
In this case, the local mGuard sets up the connection to the remote site. The fixed IP address or domain name of the remote site must be entered in the Address of the remote site's VPN gateway (see above) field.

Wait
In this case, the local mGuard is ready to accept a connection which a remote site actively initiates and sets up to the local mGuard. The entry in the Address of the remote site's VPN gateway (see above) field may be "any". If the mGuard should only accept a connection initiated by a specific remote site (which has a fixed IP address), you can enter its IP address or hostname, just to be on the safe side.

If the mGuard is running in 
...was developed in cooperation with the Industrial Security Alliance partner Hirschmann Automation und Control GmbH. The device is designed for top-hat rail mounting (according to DIN EN 50 022) and is therefore especially suited for use in industrial environments. The optional configuration connection and the option to establish a telephone dial-up connection via the V.24 interface provide for additional application options.

mGuard delta
This device model is a compact LAN switch (Ethernet / Fast Ethernet) designed for connecting up to 4 LAN segments. Thus the device is especially suited for logically segmented network environments where the locally connected computers / networks share the mGuard functions. An additional serial interface enables configuration using a telephone dial-up connection or a terminal. With its robust metal housing, mGuard delta is not only suitable as a desktop device but also for placement in wiring closets.

8 of 152

2 Typical application scenarios
Stealth Mode, Network Router, DMZ

Some of the more common application scenarios may be found below.

Stealth Mode (Firewall, AntiVirus, VPN)
In Stealth Mode (factory default) the mGuard can be installed between an individual computer and the rest of the network.
The settings for Firewall, AntiVirus and VPN can be made with a web browser at the URL https://1.1.1.1.
On the computer itself no configuration changes are required.

Intranet / DSL Mode
...will be listed here.

Active configuration profile
The configuration profile that is currently in effect is shown with the green light next to the entry.
You can do the following with configuration profiles that are stored on the mGuard:
- Activate them
- Save them to a file on the connected configuration computer
- Delete them
- Display them

Displaying the configuration profile
Click the name of the configuration profile in the list.

Applying the factory setting or a configuration profile setting that has been stored by the user
Click the Restore button located to the right of the name of the relevant configuration profile.
Result: The corresponding configuration profile is activated.
Note: If the restoration involves a switch between the stealth mode and another network mode, then mGuard is restarted.

Saving the configuration profile as a file to the configuration computer
1. Click the Download button to the right of the name of the respective configuration profile.
2. Specify the file name and folder in which the configuration profile is to be saved as a file in the displayed dialogue box. You can give the file any name.

Deleting a configuration profile
Click the Delete button to the right of the name of the respective configuration profile.
The Factory Default profile can't be deleted.

Saving the current configuration as a configuration profile on the mGuard
1. Enter the desired profile name in the field behind 
[LLDP table row (truncated): Chassis ID ...0:0C:BE:02:21:2C | IP address 10.1.47.9 | Port description WAN port | System name mguard mdickopp]

LLDP (Link Layer Discovery Protocol, IEEE 802.1AB) supports the automatic detection of the (ethernet) network topology.
LLDP-capable devices periodically send ethernet multicasts (layer 2) with network information about themselves, which will be collected by other LLDP-capable devices and made available via SNMP.

Mode
Enabling and disabling of the LLDP service.

Internal LAN interface and External WAN interface
Chassis ID: An entity which identifies a remote device uniquely, typically one of its MAC addresses.
IP address: The IP address to manage the remote device via SNMP.
Port description: A textual description of the remote device's interface.
System name: Hostname of the remote device.

6.2.7 Management > Central Management

Configuration Pull
[Screenshot: Management > Central Management > Configuration Pull. Server: config.example.com. Filename (when empty, 14008005.atv will be used). Server Certificate: [Browse...]. Download Test: [Test Download].]

The mGuard can retrieve new configuration profiles from a HTTPS server in configurable time intervals. When a new configuration differs from the current

66 of 152

configuration, it will be activated automatically.

Configuration Pull
Pull Schedule: Interval at which new configurations will be searched on the server.
Server: IP or Hostname of the server which provides the configurati
[Continuation of the netmask table: the remaining binary rows (00000000) and the CIDR column, running from 32 down to 0.]

135 of 152

6.14 Network Example

[Figure: IP external 192.168.11.2 -> IP external 192.168.15.1 -> IP internal 192.168.15.254, Netmask 255.255.255.0; IP internal 192.168.27.254, Netmask 255.255.255.0]

The following sketch illustrates how the IP addresses can be distributed in a local network with subnets, which network addresses result and how the details regarding additional internal routes might look.

[Sketch]
Internet: address from external network (e.g. 123.456.789.21), assigned by the Internet Service Provider
mGuard in Router network mode: internal address of the mGuard 192.168.11.1
Network A: network address 192.168.11.0/24, Netmask 255.255.255.0
Router
Network B: network address 192.168.15.0/24, Netmask 255.255.255.0
Router
Network C: network address 192.168.27.0/24, Netmask 255.255.255.0
(additional internal routes)

Network A
System:      A1             A2             A3             A4             A5
IP address:  192.168.11.3   192.168.11.4   192.168.11.5   192.168.11.6   192.168.11.7
Netmask:     255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0

Network B
Additi
...2 Connect the mGuard delta

[Figure: rear of the mGuard delta. Console | 7 6 5 4 | 3 | 2 | 1 | DC 5V 3A. Labels: Serial Console, Ethernet LAN, Ethernet WAN, reserved, Power]

- Connect the power supply (5V DC, 3A) to the mGuard's power jack.
- Connect the local computer or network to one of the Ethernet LAN jacks (4 to 7) with a UTP (CAT5) ethernet cable.

21 of 152

4.3 Connect the EAGLE mGuard

Terminal block
The supply voltage and the signal contact are connected via a 6-pin terminal block with screw locking mechanism.
[Figure: 6-pin terminal block. Signal Contact | 24V (P1) | 0V | 0V | 24V (P2)]

Warning: The EAGLE mGuard is designed for operation with a safe extra-low voltage. Thus its power supply and signal contact connectors may only be connected with PELV circuits or, alternatively, SELV circuits with voltage restrictions in accordance with IEC/EN 60950.

Operating voltage: NEC Class 2 power source, 12 VDC or 24 VDC (-25% / +33%), safe extra-low voltage (SELV/PELV), redundant inputs decoupled, 5 A maximum. Buffer time: min. 10 ms at 24 VDC.

Redundant power supply
Redundant power supplies are supported. Both inputs are decoupled. There is no load distribution. With a redundant supply, only the power pack with the higher output voltage supplies the EAGLE mGuard. The supply voltage is electrically isolated from the housing.

Signal contact
The signal contact is used to
[Netmask table, first column spilled: 255, 254, 252, 248, 240, 224, 192, 128]

The following table presents the IP netmask on the left and the corresponding CIDR notation on the right.

IP netmask         binary                                 CIDR
255.255.255.255    11111111.11111111.11111111.11111111    32
255.255.255.254    11111111.11111111.11111111.11111110    31
255.255.255.252    11111111.11111111.11111111.11111100    30
255.255.255.248    11111111.11111111.11111111.11111000    29
255.255.255.240    11111111.11111111.11111111.11110000    28
255.255.255.224    11111111.11111111.11111111.11100000    27
255.255.255.192    11111111.11111111.11111111.11000000    26
255.255.255.128    11111111.11111111.11111111.10000000    25
255.255.255.0      11111111.11111111.11111111.00000000    24
255.255.254.0      11111111.11111111.11111110.00000000    23
255.255.252.0      11111111.11111111.11111100.00000000    22
255.255.248.0      11111111.11111111.11111000.00000000    21
255.255.240.0      11111111.11111111.11110000.00000000    20
255.255.224.0      11111111.11111111.11100000.00000000    19
255.255.192.0      11111111.11111111.11000000.00000000    18
255.255.128.0      11111111.11111111.10000000.00000000    17
255.255.0.0        11111111.11111111.00000000.00000000    16
255.254.0.0        11111111.11111110.00000000.00000000    15
255.252.0.0        11111111.11111100.00000000.00000000    14
255.248.0.0        11111111.11111000.00000000.00000000    13
255.240.0.0        11111111.11110000.00000000.00000000    12
255.224.0.0        11111111.11100000.00000000.00000000    11
255.192.0.0        11111111.11000000.00000000.00000000    10
255.128.0.0        11111111.10000000.00000000.00000000    9
255.0.0.0          11111111.00000000.00000000.00000000    8
254.0.0.0          11111110.00000000.00000000.00000000    7
252.0.0.0          11111100.00000000.00000000.00000000    6
248.0.0.0          11111000.00000000.00000000.00000000    5
240.0.0.0          11110000.00000000.00000000.00000000    4
224.0.0.0          11100000.00000000.00000000.00000000    3
192.0.0.0          11000000.00000000.00000000.00000000    2
128.0.0.0          10000000.00000000.00000000.00000000    1
0.0.0.0            00000000.00000000.00000000.00000000    0
[Log excerpt; timestamps truncated by extraction]
573 sshd[32021]: Accepted publickey for root from 192.168.1.96 port 56115 ssh2
27118 sshd[2874]: Accepted publickey for root from 10.1.0.253 port 56109 ssh2
70151 sshd[3249]: Accepted publickey for root from 10.1.0.253 port 56110 ssh2
30133 sshd[3559]: Accepted publickey for root from 10.1.0.253 port 56111 ssh2
09067 sshd[3867]: Accepted publickey for root from 10.1.0.253 port 56112 ssh2
78038 sshd[18537]: Accepted publickey for root from 10.1.0.253 port 56669 ssh2
17812 sshd[18547]: Accepted publickey for root from 10.1.0.253 port 56670 ssh2
20517 sshd[18557]: Accepted publickey for root from 10.1.0.253 port 56671 ssh2
63630 sshd[18589]: Accepted publickey for root from 10.1.0.253 port 56672 ssh2
15047 gai: WWW_LANGUAGE changed to en
54645 gai: HTTPS_ACCESS_UUID changed to 2e49ed19-e930-161b-9227-000cbe010f52
54903 gai: HTTPS_REMOTE_ACCESS_RULES.0.LOG changed to yes
49668 kernel: fw-https-access-1-2e49ed19-e930-161b-9227-000cbe010f52 act ACCEPT IN eth

[x] Common  [x] SNMP  [x] LLDP  [x] Network Security  [x] IPsec VPN   [Reload logs]  [Jump to firewall rule]

Depending on which mGuard functions were active, the corresponding checkboxes for filtering entries according to category are displayed below the log entries. Enable the checkbox(es) for the desired category(ies) and click the Reload logs button to display one or more categories.

Common
All log entries which are not related to the other categories appear here.

Network Security
When loggi
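An added example, not part of the manual: a small parser for the two message types visible in the excerpt above (sshd "Accepted ... for root from <ip>" and gai "<VARIABLE> changed to <value>") that totals admin logins per source address and flags sources outside an operator-defined list. The sample lines, the timestamp prefixes and the allowed-address list are constructed for the example; only the message formats follow the excerpt.

```python
# Added example (not Innominate code): parse mGuard-style log lines of the kind
# shown in the excerpt above and summarise admin SSH logins and config changes.
import re
from collections import Counter

# Message formats taken from the excerpt on this page. The timestamp prefix is
# not relied upon (it is truncated there), so the patterns are searched anywhere
# in the line rather than anchored at its start.
SSH_ACCEPT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)
GAI_CHANGE = re.compile(r"gai: (?P<var>[A-Z0-9_.]+) changed to (?P<value>\S+)")

# Constructed sample lines modelled on the excerpt; the leading numbers stand in
# for the truncated timestamps and carry no meaning.
SAMPLE_LOG = [
    "12573 sshd[32021]: Accepted publickey for root from 192.168.1.96 port 56115 ssh2",
    "27118 sshd[2874]: Accepted publickey for root from 10.1.0.253 port 56109 ssh2",
    "70151 sshd[3249]: Accepted publickey for root from 10.1.0.253 port 56110 ssh2",
    "15047 gai: WWW_LANGUAGE changed to en",
    "54903 gai: HTTPS_REMOTE_ACCESS_RULES.0.LOG changed to yes",
    "49668 kernel: fw-https-access act ACCEPT",  # not classified by this parser
]


def parse_line(line: str):
    """Return a dict describing the event, or None for lines we do not classify."""
    m = SSH_ACCEPT.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "ssh_login"
        event["pid"] = int(event["pid"])
        event["port"] = int(event["port"])
        return event
    m = GAI_CHANGE.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "config_change"
        return event
    return None


def review(lines, allowed_admin_ips):
    """Summarise admin logins and configuration changes.

    'allowed_admin_ips' is the set of management hosts the operator expects to
    see shell logins from (an input of this example, not an mGuard setting).
    """
    parsed = [parse_line(line) for line in lines]
    events = [e for e in parsed if e is not None]
    logins = Counter(e["ip"] for e in events if e["kind"] == "ssh_login")
    return {
        "logins_per_ip": dict(logins),
        "unexpected_sources": sorted(ip for ip in logins if ip not in allowed_admin_ips),
        "config_changes": [(e["var"], e["value"])
                           for e in events if e["kind"] == "config_change"],
        "unclassified": sum(1 for e in parsed if e is None),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, {"10.1.0.253"}).items():
        print(f"{key}: {value}")
```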
...789.21 and the Port Number 443 has been set as the port for remote access, you must enter the following address in the Web browser's address field on the remote system: https://123.456.789.21. If a different Port Number is used, this must be appended to the IP address, e.g. https://123.456.789.21:442.

42 of 152

6 Configuration

6.1 Operation

Screen Layout
1. Via the left-hand menu, click on the page with the desired setting possibilities, e.g. Administration > Licensing. The page will then be displayed in the main window, in the form of a register card, on which you can define the settings. If necessary, the page will be organized into several register cards. You may browse through these cards using the tabs at the top.
2. On the relevant page or register card, make the desired settings. To do so, see also the subsection "What happens if inadmissible values are entered" on page 43.
3. In order to adopt the settings, click on the Apply button.
After the settings have been saved by the system, you will see a confirmation message. This indicates that the new settings have taken effect. They will also remain valid after a restart (reset).

What happens if inadmissible values are entered
After inadmissible values are entered (for example, an inadmissible number in an IP address) and after subsequently clicking Apply, the letters of the relevant tab card titles will be displayed in red. This helps you in tracking down t
...92.168.134.0 netmask 255.255.255.0 {
  range 192.168.134.100 192.168.134.119;
  option routers 192.168.134.1;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.134.255;
}

This sample configuration makes 20 IP addresses (.100 to .119) available. It is assumed that the DHCP server has the address 192.168.134.1 (settings for ISC DHCP 2.0).

The required TFTP server is configured in the following file: /etc/inetd.conf
In this file, insert the appropriate lines or set the necessary parameter for the TFTP service. The directory for the data is /tftpboot:

  tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot

Then restart the inetd process to activate the modified configuration. If you use a different mechanism, e.g. xinetd, please read the corresponding documentation.

8 Glossary

(Glossary entries on this page: Asymmetrical encryption, DES / 3DES, AES, Client / Server, Datagram)

Asymmetrical encryption
In the case of asymmetrical encryption, data is encrypted with one key and decrypted with a second key. Either key may be used for encryption or decryption. One of the keys is kept secret by its owner (Private Key), the other is made available to the public (Public Key), i.e. possible communication partners. A message encrypted with the public key can only be decrypted and read by the owner of the associated private key. A message encrypted with the private key can only be decrypted and read by a receiver who has the associated public key. The fact that the message was encr
...AY shows the IP addresses of the communicating VPN gateways.
TRAFFIC identifies the systems or networks which communicate via the VPN gateways.
ID identifies the Distinguished Name (DN) of an X.509 certificate.

ISAKMP State
ISAKMP State (Internet security association and key management protocol) is given as "established" if the two VPN gateways involved have established a channel to exchange keys. In this case, they have been able to contact each other and all of the settings made on the configuration page up to and including "ISAKMP SA" were correct.

IPsec State
IPsec State is given as "established" if IPsec encryption is activated when communicating. In this case, the entries made under "IPsec SA" and "Tunnel Settings" were also correct.

In the event of problems, we recommend that you examine the VPN logs of the system to which the connection was set up. The basis for this recommendation is that, for reasons of security, exhaustive error messages are not returned to the initiating system.

If the display shows: ISAKMP SA established, IPsec State: WAITING
This indicates that the authentication was successful, but the other parameters are not correct. Do the connection types (Tunnel, Transport) match? If Tunnel has been selected, do the network address areas match at both ends?

If the display shows: IPsec State: IPsec SA established
This indicates that the VPN connection has been successfully set up and can be used. I
An informational comment for this rule.

Log
You can specify, for each individual port forwarding rule, whether the use of the rule
- should be logged by setting Log to Yes,
- or not by setting Log to No (factory setting).

Network Security > NAT: Masquerading | Port Forwarding | Connection Tracking
[Screenshot: Connection Tracking. Maximum table size: 4096. Timeout for established TCP connections: 432000. Further options set to Yes.]

Connection Tracking

96 of 152

Maximum table size
This entry specifies an upper limit for the maximum number of connections being tracked.
The default setting is selected in such a way that it is never reached under normal conditions. During attacks it may be easily reached, so that this limit provides an additional protection. If special requirements should be present in your operating environment, then you can increase this value.

Timeout for established TCP connections
When a TCP connection was not used during the interval specified here, its connection information will be deleted. A connection which was rewritten by NAT (not 1:1 NAT) must be reestablished after it was deleted.
The factory default is 432000 seconds (5 days).

FTP
If an outgoing FTP (protocol) connection is set up to download data, there are two alternatives as to how the data will be transmitted. When using "active FTP", the server called will call the calling system back to establish a connection for the transfer of data. When using "passive FTP" th
...C address, to which, for example, all ARP requests are being sent.

Ethernet Protocol
"any" is a wildcard for all ethernet protocols. Protocols can be specified by name or hexadecimal value, for example:
- IPv4 or 0800
- ARP or 0806

Action
Accept means that frames can pass. Drop means to drop frames.

Comment
An informational comment for this rule.

The MAC filter does not support logging.

Network Security > Packet Filter: Incoming Rules | Outgoing Rules | Advanced
[Screenshot: Advanced. Router Modes (Router, PPTP, PPPoE): ICMP from extern to the mGuard: Drop. Please note: Enabling SNMP access automatically accepts incoming ICMP packets. AntiVirus Scanning: Connections scanned for viruses are subject to firewall rules. Stealth Mode: Allow forwarding of GVRP frames; Allow forwarding of STP frames; Allow forwarding of DHCP frames.]

The following settings influence the basic behavior of the firewall.

Enable TCP/UDP/ICMP consistency checks
When set to Yes, the mGuard performs various checks for wrong checksums, packet sizes, etc. and drops packets failing the check. The factory default for this option is Yes.

Router Modes (Router, PPTP, PPPoE)

ICMP from extern to the mGuard
With this option you can control which ICMP messages from the external network are accepted by the mGuard. You have the following options:
Drop: All ICMP messages sent to the mGuard from the external network will be dropped.
Allow ping requests: Only ping requests (ICMP messa
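An added example, not code from the manual or from Innominate, covering the MAC filter fields described here and the earlier note that the filter is stateless: it evaluates rules written the way the web UI takes them (xx:xx:xx:xx:xx:xx wildcard, protocol as "any", a name or a hex EtherType, Accept/Drop) and then checks a rule set for outgoing accept rules whose replies have no matching incoming rule. First-match evaluation, the unicast reverse-rule pairing and the sample MAC addresses are assumptions of this example, not documented mGuard behaviour.

```python
# Added example (not Innominate code): a stateless layer-2 filter in the form of
# the mGuard Stealth-mode MAC filter, plus a check for the pitfall the text
# names: because the filter is stateless, an outgoing accept rule needs its own
# incoming rule for the reverse direction. First-match evaluation and the
# reverse-rule pairing below are assumptions of this example.
from dataclasses import dataclass
from typing import Optional

WILDCARD_MAC = "xx:xx:xx:xx:xx:xx"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPES = {"ipv4": 0x0800, "arp": 0x0806}  # the names the page lists


def parse_protocol(text: str) -> Optional[int]:
    """'any' -> None (wildcard); a listed name or a hex string -> EtherType."""
    t = text.strip().lower()
    if t == "any":
        return None
    return ETHERTYPES[t] if t in ETHERTYPES else int(t, 16)


def mac_covers(pattern: str, mac: str) -> bool:
    """Byte-wise match; 'xx' in the pattern matches any byte of 'mac'.
    Used pattern-against-pattern too: is 'mac' a special case of 'pattern'?"""
    p, m = pattern.lower().split(":"), mac.lower().split(":")
    if len(p) != 6 or len(m) != 6:
        raise ValueError("MAC addresses need six colon-separated bytes")
    return all(pb == "xx" or pb == mb for pb, mb in zip(p, m))


@dataclass(frozen=True)
class MacRule:
    src: str
    dst: str
    protocol: str  # 'any', 'IPv4', 'ARP' or hex, as typed in the web UI
    action: str    # 'accept' or 'drop'
    comment: str = ""

    def matches(self, src: str, dst: str, ethertype: int) -> bool:
        proto = parse_protocol(self.protocol)
        return (mac_covers(self.src, src) and mac_covers(self.dst, dst)
                and (proto is None or proto == ethertype))


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


def decide(rules, frame: Frame) -> Optional[str]:
    """First matching rule decides (assumption). With no rules at all the
    page says ARP and IP frames pass; an unmatched frame otherwise yields None."""
    for rule in rules:
        if rule.matches(frame.src, frame.dst, frame.ethertype):
            return rule.action
    if not rules and frame.ethertype in ETHERTYPES.values():
        return "accept"
    return None


def unpaired_outgoing_accepts(outgoing, incoming):
    """Outgoing accept rules whose reverse direction (dst -> src, same
    protocol) is not covered by any incoming accept rule. Broadcast
    destinations are skipped: the reply comes from a unicast address."""
    missing = []
    for out in outgoing:
        if out.action != "accept" or out.dst.lower() == BROADCAST_MAC:
            continue
        out_proto = parse_protocol(out.protocol)
        covered = any(
            inc.action == "accept"
            and mac_covers(inc.src, out.dst) and mac_covers(inc.dst, out.src)
            and parse_protocol(inc.protocol) in (None, out_proto)
            for inc in incoming)
        if not covered:
            missing.append(out)
    return missing


# Constructed sample: host A talks IPv4 to server B and sends ARP requests.
HOST_A, SERVER_B = "00:0c:be:aa:bb:01", "00:11:22:33:44:55"
OUTGOING = [MacRule(HOST_A, SERVER_B, "IPv4", "accept", "A to B"),
            MacRule(HOST_A, BROADCAST_MAC, "0806", "accept", "ARP requests")]
INCOMING = [MacRule(SERVER_B, HOST_A, "0800", "accept", "B replies to A")]

if __name__ == "__main__":
    print("reply without incoming rule:", decide([], Frame(SERVER_B, HOST_A, 0x0800)))
    print("missing reverse rules:", unpaired_outgoing_accepts(OUTGOING, []))
```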
Download configuration to client
Download the configuration profile stored on the controller for this slot.

6.4 Menu Network

6.4.1 Network > Interfaces

Network > Interfaces: General
[Screenshot: Network Status: External IP address, Network Mode Status, Active Defaultroute. Network Mode: Network Mode ...]

Network Status
External IP address (WAN port address)
Display only. The addresses through which mGuard can be accessed by devices from the external network. They form the interface to other parts of the LAN or to the Internet. If the transition to the Internet takes place here, the IP addresses are usually designated by the Internet Service Provider (ISP). If mGuard is assigned an IP address dynamically, you can look up the currently valid IP address here.
In stealth mode, mGuard adopts the address of the connected local computer as its external IP.

Network mode status
Displays the status of the selected network mode.

Active default route
The IP address that mGuard uses to try to reach networks unknown to it is displayed here. If mGuard is in stealth mode or if the IP address that is specified as the standard gateway in the connected computer's configuration is not correct, "none" is shown here.

Network mode
The mGuard has to be set to the network mode that corresponds to its local computer or network connection, respectively. See "Typical application scenarios" on page 11.
Depending on which network m
...EAGLE mGuard: max. 90%; EAGLE mGuard: 95%) non-condensing humidity.
- To avoid overheating, do not leave it in direct sunlight or expose it to any other source of heat.
- Do not bend the cables sharply. Only use network cables to connect to a network.

Steps for starting up the device
To start up the device, perform the following steps in the order listed:

Step 1: Check the package contents and read the Release Notes. See "Included in the package" on page 17.
Step 2: Connect the device. See "Connect the mGuard blade" on page 19, "Connect the mGuard delta" on page 21, "Connect the EAGLE mGuard" on page 22, "Connect the mGuard smart" on page 24, "Connect the mGuard PCI" on page 25.
Step 3: Configure the device to the extent necessary. To accomplish this, select from the various options offered in the mGuard's configuration menus. For more information regarding which options and settings are required (or desirable) for your operating environment, please read the relevant sections in this manual. See "Local Configuration: At startup" on page 34.

Included in the package
Before beginning to set up the device, check that the package is complete:
- an mGuard blade, delta, smart, PCI or EAGLE mGuard
- a manual in the Portable Document Format (PDF) on the CD-ROM
- a Quick Installation Guide
The mGuard bladePack also contains:
- the 19" mguardBlade base
- an mGuard blade as controller
- 2 power supplies
- 2 power 
...GuardInfo / linkUp, linkDown / 0
This trap is sent in case the connection to an ethernet port is interrupted (linkDown) or reestablished (linkUp).

- Coldstart (activate traps: Yes / No)
  enterprise oid: mGuardInfo
  generic trap: coldStart
  specific trap: 0
  Description: This trap is sent after a cold start or a warm start.

- Admin access (SSH, HTTPS), new DHCP Client (activate traps: Yes / No)
  enterprise oid: mGuard
  generic trap: enterpriseSpecific
  specific trap: mGuardHTTPSLoginTrap (1)
  additional: mGuardHTTPSLastAccessIP
  Description: This trap is sent when someone is trying to open a HTTPS session using the wrong password. mGuardHTTPSLastAccessIP contains the IP address of the last unsuccessful login request.

  enterprise oid: mGuard
  generic trap: enterpriseSpecific
  specific trap: mGuardShellLoginTrap (2)
  additional: mGuardShellLastAccessIP
  Description: This trap is sent when someone opens the shell through SSH or serial console. mGuardShellAccessLastIP contains the IP address of the login request. The value of mGuardShellAccessLastIP is 0.0.0.0 if the request was sent via serial console.

  enterprise oid: mGuard
  generic trap: enterpriseSpecific
  specific trap: mGuardDHCPNewClientTrap (3)
  additional: mGuardDHCPLastAccessMAC
  Description: This trap is sent when a DHCP request was received from an unknown client.

Hardware related traps (only EAGLE mGuard)
- Chassis 
Network features ... 6
(illegible entry) ... 6
Anti-virus features ... 6
VPN features ... 6
Additional features ... 7
Support ... 7
(illegible entries: the device versions) ... 7
EAGLE mGuard ... 8
mGuard delta ... 8
2 Typical application scenarios ... 9
Stealth Mode ... 9
Network Router ... 9
DMZ ... 9
VPN Gateway ... 10
(illegible entry) ... 10
Solving Network Conflicts ... 11
3 Controls and LEDs ... 12
3.1 mGuard blade ... 12
3.2 mGuard delta ... 13
3.3 EAGLE mGuard ... 14
3.4 (illegible) ... 15
3.5 (illegible) ... 16
4 (illegible) ... 17
Included in the package ... 17
4.1 Connect the mGuard blade ... 19
Installing mGuard bladeBase ...
If the mGuard's network card functionality isn't needed or won't be used, then the mGuard PCI can be connected behind an existing network card (of the same computer or of another one), essentially acting as an mGuard standalone device. In this operating mode, in fact, the mGuard PCI is only plugged into the computer's PCI slot to be supplied with power and given a housing. This mGuard operating mode is called Power over PCI mode. No driver needs to be installed.

Decide in which mode you want the mGuard PCI to operate before installing it in your PC.

Driver Mode
In this mode a driver for the PCI interface of the mGuard PCI (available for Windows XP/2000 and Linux) needs to be installed later on the computer. In Driver Mode another network card is not required in the computer.

Stealth Mode with Driver Mode (factory default)

[Figure: the LAN Ethernet jack is deactivated in Driver Mode; the LAN interface is provided by the driver for the computer's operating system; WAN]

In this configuration the mGuard acts as a normal network interface card (NIC) with additional security features and requires a driver for the host operating system. The IP address can be configured using the network utilities of the operating system.

As soon as an external router is available, the mGuard can be configured using a web browser at the URL https://1.1.1.1.

In Stealth Mode it is not possible to use PPPoE or PPTP.
Innominate mGuard
User's Manual
Software Release 4.2.0

Innominate Security Technologies AG
Albert-Einstein-Str. 14
12489 Berlin
Germany
Tel.: +49 (0)800 366 4666
info@innominate.com
www.innominate.com

(c) Innominate Security Technologies AG, December 2006

"Innominate" and "mGuard" are registered trade names of Innominate Security Technologies AG. The mGuard technology is protected by Patent No. 10138865 and 10305413, which were granted by the German Patent Office. Additional patents are pending.

This document may not be copied or transferred in whole or in part without prior written approval.

Innominate AG reserves the right to modify this document at any time without notice. Innominate provides no warranty for the contents of this document. This disclaimer shall also apply to any implicit warranty of marketability or suitability for a specific purpose.

Furthermore, Innominate assumes no liability for errors in this manual or for accidental or consequential damages in connection with the delivery, performance or utilization of this document.

This manual may not be photocopied, duplicated or translated into another language in whole or in part without the prior written approval of Innominate Security Technologies AG.

Innominate Document Number: 574119 215

Table of Contents
Media Type
The media type of the interface.

Link State
The state of the Ethernet link, which can be either Up or Down.

Automatic Configuration
Yes: the interface will be configured automatically.
No: the setting from the column Manual Configuration will be used.

Both ports of the mGuard are configured to be connected to a computer. If you connect the ports to a hub, please note that if Automatic Configuration is disabled, then the Auto-MDIX function will also be deactivated, i.e. the port of the mGuard has to be connected either to the uplink port of the hub or a cross-link cable has to be used.

Manual Configuration
The configuration for the interface to be used when Automatic Configuration is set to No.

Current Mode
The current configuration of the interface.

Port on (only EAGLE mGuard and mGuard smart)
Enables/disables the Ethernet port.

6.4.2 Network > DNS

DNS Server

Servers to query: User defined (servers listed below)
User defined name servers: 10.1.0.253

In Stealth Mode only "User defined" and "DNS Root Servers" are supported. Other settings will be ignored.

When the mGuard has to initiate a connection on its own to a remote system (e.g. a VPN gateway or an NTP server) and it is defined in the form of a host name (i.e. in the form www.example.com), then the mGuard has to query a domain name server (DNS) for the IP address belonging to the host name.

If the mGuard is not in stealth
Mode > Stealth

An additional IP address can be specified here to administrate the mGuard. If
- Stealth configuration is set to the option multiple clients, or
- the client doesn't answer ARP requests, or
- there is no client at all,
then the remote administration via HTTPS, SNMP and SSH is only possible using the management IP address.

IP address
The additional IP address to contact the mGuard. The IP address 0.0.0.0 disables the Management IP Address.

Netmask
The netmask for the IP address above.

Default Gateway
The default gateway of the network the mGuard is located in.

Use Management VLAN
If this IP address is to be inside a VLAN, this option must be set to Yes. This option is only effective when the option Stealth configuration is set to multiple clients.

Management VLAN ID
A VLAN ID between 1 and 4095.

An explanation of the term "VLAN" can be found under "VLAN" on page 148.

Static Stealth Configuration (Stealth Configuration: static)

[Screenshot: Stealth > Static Stealth Configuration; fields Client's IP address, Client's MAC address]

Client's IP address
The IP address of the client.

Client's MAC address
This is the physical address of the local computer's network adapter to which the mGuard is connected.

The MAC address can be determined in the following manner: On the DOS level (Start
[Figure: Internet; network address for 1-to-1 NAT; network address of the opposite side for 1-to-1 NAT]

Local network
With this entry, you specify the address of the network or computer which is connected to the local interface of the mGuard.

Enable 1-to-1 NAT of the local network to an internal network (only Router Mode)
Rewrite the local network as defined in Local network to an actually existing local network. The default setting is No.

Internal network address for local 1-to-1 NAT (only when Yes was chosen above)
The actually existing local network address from which local systems address the VPN tunnel. The network mask is taken from the field Local network.

Remote network
With this entry, you specify the address of the network or computer which is available behind the remote VPN gateway.

The network 0.0.0.0/0 specifies a default route over the VPN. This means that all traffic for which there is no other VPN tunnel or route will be routed through this VPN tunnel. A default route over VPN should only be specified for a single tunnel and is not available in Stealth mode.

Enable 1-to-1 NAT of the remote network to a different network (only Router Mode)
Rewrite a remote network which is addressed by the systems in the local network to the network address as defined in Remote network. The default setting is No.

Network address for remote 1-to-1 NAT (only when
P servers below.

Scanning up to a pre-set volume of 5 MB
The maximum size of the files to be checked is specified here. Files that are larger are not scanned. Depending on the "When size limit is exceeded" setting, an error message is sent to the SMTP client and the e-mail is not delivered in the event of a file exceeding the size limit, or the system automatically switches to throughput mode.

If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message will be sent to the user's e-mail client and an entry will be written to the anti-virus log. In this case, you have the following options:
- You can try again later to send the message.
- You can temporarily deactivate the virus filter for the corresponding server.
- You can set the parameter to "Let the message pass unscanned".

Please note that, depending on the coding scheme used, the size of the attachment may be larger than the original file.

Action for mails exceeding the maximum message size
Let the message pass unscanned: When this option is selected the virus filter will allow the messages which exceed the file size set to pass through unscanned. In this case, the message is not checked for viruses.
Block message: When this option is selected, an error code will be returned to the e-mail client and the e-mail will be blocked.

List of SMTP servers
Indicate which server connections should be scanned for viruses.

By e
  PPTP ... 148
  VLAN ... 148
  VPN (Virtual Private Network) ... 149
  General ... 150
  EAGLE mGuard ... 150

1 Introduction

The mGuard protects IP data connections. The device supports the following functions:
- Network Card (mGuard PCI), Switch (mGuard delta)
- VPN router (VPN = Virtual Private Network) for the secure transfer of data via public networks (hardware-based DES, 3DES and AES encryption, IPsec protocol)
- Configurable firewall to provide protection against unauthorized access. The dynamic packet filter inspects the source and destination addresses of data packets and blocks undesired traffic.
- Virus protection with support for the protocols HTTP, FTP, SMTP and POP3

The device can be conveniently configured using a Web browser.

Network features
- Stealth (Auto, Static, Multi), Router (Static, DHCP Client), PPPoE (for DSL) and PPTP (for DSL) connectivity
- VLAN
- DHCP server/relay on the external and internal network interfaces
- DNS cache on the internal network interface
- Administration using HTTPS and SSH

Firewall features
- Stateful packet inspection
- Anti-spoofing
- IP filtering
- L2 filtering (only stealth mode)
- NAT with FTP, IRC and PPTP pass-through (only router modes)
- 1:1 NAT (only router modes)
- Port forwarding (only router modes)
- Firewall throughpu
S (Secure HyperText Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol, Version 3) and DNS (Domain Name Service).

ICMP is based on IP and adds control messages.
SMTP is an e-mail protocol that is based on TCP.
IKE is an IPsec protocol that is based on UDP.
ESP is an IPsec protocol that is based on IP.
On a Windows PC, the WINSOCK.DLL (or WSOCK32.DLL) handles both protocols.
-> Datagram

Trap
The SNMP protocol (Simple Network Management Protocol) is used in addition to the other protocols, especially in large networks. This UDP-based protocol is used for the central administration of network devices. For example, you can use the GET command to request a configuration or employ the SET command to change the configuration of a device, provided that the addressed network device is SNMP compliant. An SNMP compliant device can also send SNMP messages independently, in case, for example, an extraordinary event should occur. Messages like this are called SNMP traps.

VLAN
A VLAN (Virtual Local Area Network) divides a physical network into several independent logical networks. Devices within a VLAN can only access devices within their own VLAN. The membership to a LAN is defined by the physical network topology and the VLAN ID (1-4094). All devices with the same VLAN ID belong to the same VLAN and can therefore communicate with each other.

For a VLAN based on IEEE 802.1Q, the Ethernet frame is extended by 4 bytes
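The 4 bytes the glossary mentions are the 802.1Q tag that carries the VLAN ID. The following is an added example, not from the manual, showing how a monitoring tool would decode that tag from a raw Ethernet frame: it extracts the priority, DEI bit and VLAN ID, rejects the reserved IDs outside the 1-4094 range the glossary gives, and falls back to the untagged layout when the TPID is absent. The frames it parses are constructed inline by a small builder.

```python
"""Added example (not from the mGuard manual): decoding the 4-byte IEEE 802.1Q
tag that a VLAN inserts into an Ethernet frame. Frames below are constructed."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac(b):
    """Render six bytes as a colon-separated MAC address string."""
    return ":".join("%02x" % x for x in b)


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), ethertype and payload of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3 bits PCP, 1 bit DEI, 12 bits VID, then the real EtherType.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        if vid in (0, 4095):          # reserved; usable IDs are 1..4094
            raise ValueError("reserved VLAN ID %d" % vid)
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": vid}
        offset = 18
    return {"dst": mac(dst), "src": mac(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Construct an (optionally tagged) frame; used here only to build sample input."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames: the same IPv4 payload untagged and on VLAN 100.
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, PAYLOAD)
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, PAYLOAD, vid=100, pcp=3)

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED):
        p = parse_frame(f)
        print(p["src"], "->", p["dst"], "vlan:", p["vlan"], "ethertype: 0x%04x" % p["ethertype"])
```

Comparing the two constructed frames shows the 4-byte difference directly; a tap on a trunk port would see the tagged form, while the same frame inside the VLAN (or after the mGuard's own VLAN handling) appears untagged.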
Save current configuration as profile
2. Click the Save button.
Result: The configuration profile is saved on the mGuard, and the name of the profile is displayed in the list of profiles saved on the mGuard.

Uploading a configuration profile that has been saved to the configuration computer
Prerequisite: You have saved a configuration profile on the configuration computer as a file according to the procedure described above.
1. Enter the desired new profile name in the field behind "Upload a configuration as profile".
2. Click the Browse... button and select the respective file in the displayed dialogue box and open it.
3. Click the Upload button.
Result: The configuration profile is loaded into the mGuard, and the name assigned in Step 1 will be displayed in the list of the profiles stored on the mGuard.

Profiles on the ACA (EAGLE mGuard only)
Configuration profiles can also be stored on an external autoconfiguration adapter (ACA) which is connected to the mGuard's V.24 (ACA11) or USB (ACA21) port.

Store a profile on the ACA
- When the mGuard on which you will later import the profile has a root password unequal "root", you must enter that password under The root password to save on ACA.
- Press the button Save Current Configuration to ACA to write the current configuration to the ACA. The LED STATUS (and also the V.24 LED in case of ACA11) will blink until the store procedure is fini
[Screenshot: RADIUS Servers table with Server, Port (1812) and Secret columns; RADIUS timeout; RADIUS retries; Status]

Radius Timeout
Specifies, in seconds, how long the mGuard will wait for the answer from the RADIUS server. Default: 3 seconds.

Radius retries
Specifies how often requests will be repeated to the RADIUS server after a RADIUS timeout has occurred. Default: 3.

Server
Name of the server or IP address.

Port
The port number used by the RADIUS server.

Secret
Server password.

User Authentication > Remote Users > Status

Status
"User Firewall not enabled." If the user firewall is activated, its status will be displayed here.

6.6 Menu Network Security

6.6.1 Network Security > Packet Filter

The mGuard has an integrated Stateful Packet Inspection Firewall. The connection data for each active connection is collected in a database (connection tracking). Therefore, it is only necessary to define rules for one direction; data from a connection's other direction, and only this, will be automatically passed through. A side effect is that, when reconfiguring, existing connections will not be dropped even if a corresponding new connection may not be set up.

Factory settings for the packet filter:
- All incoming connections will be rejected (except VPN).
- The data packets of all outgoing connections will be passed through.

VPN connections are not subject to the firewall rules defined in this menu. You can
Stealth mode, this setting has no effect. In other words, it will be ignored and the connection will be initiated automatically whenever the mGuard notices that the connection should be used.

Tunnel Settings

Connection type
You can choose from:
- Tunnel (Network <-> Network)
- Transport (Host <-> Host)
- Transport (L2TP Microsoft Windows)
- Transport (L2TP SSH Sentinel)

Tunnel (Network <-> Network)
This type of connection is not only suitable in every case, but also the most secure. In this mode, the IP datagrams are completely encrypted before they are sent with a new header to the remote site's VPN gateway, the "tunnel end". There the transferred datagrams are decrypted to restore the original datagrams. These are then passed on to the destination system.

Transport (Host <-> Host)
In this type of connection, the device only encrypts the data of the IP packets. The IP header information remains unencrypted.

Transport (L2TP Microsoft Windows)
If this type of connection is activated, the mGuard will use a transport connection which is compatible with the IPsec/L2TP client available in older Microsoft Windows systems. If you select this option you should also set Perfect Forward Secrecy (PFS) to No and enable the L2TP server.

Transport (L2TP SSH Sentinel)
If this type of connection is activated, the mGuard will use a transport connection which is compatible with the IPsec/L2TP client availa
Web browser must support SSL (i.e. https).
2. Make certain that the browser does not automatically dial up a connection when it is started, because this could make it more difficult to establish a connection to the mGuard. In MS Internet Explorer, you can prevent this with the following setting: In the Extras menu, select Internet Options... and click on the Connections tab. Make certain that Never dial a connection is selected under Dial-up and Virtual Private Network settings.
3. Enter the complete address of the mGuard into the browser's address field. In Stealth mode (factory setting except mGuard delta and blade controller) this address always is https://1.1.1.1, and in Router (factory setting on mGuard delta and blade controller), PPPoE or PPTP mode the factory setting for the mGuard's address is https://192.168.1.1.

The mGuard's default IP address: in Stealth mode https://1.1.1.1, and not in Stealth mode https://192.168.1.1.

Afterwards
The mGuard's Administrator Web page will be displayed. The security notice shown under "After a connection has been successfully set up" on page 40 will be displayed.

If you have forgotten the configured address
If the address of the mGuard (in Router, PPPoE or PPTP mode) has been changed to a different value and you do not know the device
Yes was chosen above)
The remote network address which is actually addressed by the local systems. The network mask is taken from the field Remote network.

In case the Remote network or the Network address for remote 1-to-1 NAT are within one of the networks directly connected to the mGuard's LAN port, then the mGuard will additionally answer ARP requests for such IP addresses. This enables access to a remote VPN using local IP addresses without actually changing the routing configuration of locally connected clients.

The virtual IP which will be used by the client in Stealth mode
[Figure: Virtual Local Network (client's virtual IP, client's real IP) - IPsec Tunnel - Internet - Remote VPN Gateway - Remote Network]
In Stealth mode the VPN's local network is simulated by the mGuard. Inside this virtual network, the client will be known under a virtual IP. This entry is only required in Stealth mode.

Activate 1-to-1 NAT in another internal network in Router mode (Yes/No)
Transcribe the local network defined in the VPN tunnel to a local network available for the local (LAN) Ethernet port. An explanation for 1-to-1 NAT can be found under "Network Address Translation/IP Masquerading" on page 93.

Internal network for 1-to-1 NAT
The network address for the local (LAN) Ethernet port. The net mask is taken over from the local network field.

Authentication method
There are 2 options:
- X.509 Ce
  ... 70
  6.4 Menu Network ... 71
  General ... 71
  Network Mode > Stealth (factory setting except mGuard delta and blade controller) ... 74
  Network Mode > Router (factory setting mGuard delta and blade controller) ... 75
  Network Mode > PPPoE ... 76
  Network Mode > PPTP ... 77
  Network Mode > Router, PPPoE or PPTP ... 77
  Ethernet ... 78
  Serial Port (only mGuard blade, delta and EAGLE mGuard) ... 79
  Hardware ... 81
  6.4.2 Network > DNS ... 81
  DNS ... 81
  DynDNS ... 82
  6.4.3 Network > DHCP ... 83
  Internal/External DHCP ... 83
  6.5 Menu User Authentication ... 86
  6.5.1 User Authentication > Local Users ... 86
  Passwords ... 86
  6.5.2 User Authentication > Firewall Users ... 87
  Firewall Users ... 87
  Radius Server ... 88
  Status ... 88
  6.6 Menu Network Security ... 89
  6.6.1 Network Security > Packet Filter ... 89
  Incoming Rules ... 89
  Outgoing Rules ... 90
  MAC Filter
a different port number is used, this must be appended to the IP address, e.g. as follows: https://123.456.789.21:442

Allowed Networks
Lists the firewall rules that have been set. These apply for the incoming data packets of an HTTPS access.

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

From IP
Enter the address(es) of the system(s) that is/are allowed remote access in this field. You have the following options for the entries:
- IP address: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation; see "CIDR (Classless InterDomain Routing)" on page 135.

Interface
External OR Internal. Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port). The default behaviour when no rules are specified is to drop all connections on the external interface and to accept all connections on the internal interface.

Action
Possible settings:
- Accept
- Reject
- Drop
Accept means that the data packets should be passed through.
Reject means that the data packets should be rejected so that the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop (see below).
Drop means that the data packets should not be passed through. The data packets will be discarded so that the sender will not be informed as to what happened to them.
address field on the remote system's SSH client. If a different port number has been set (e.g. 22222), this must be specified to the SSH client, e.g.: ssh -p 22222 123.456.789.21

Allowed Networks
Lists the firewall rules that have been set. These apply for the incoming data packets of an SSH remote access.

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

From IP
Enter the address(es) of the system(s) that is/are allowed remote access in this field. You have the following options for the entries:
- IP address: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation; see "CIDR (Classless InterDomain Routing)" on page 135.

Interface
External OR Internal. Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port). The default behaviour when no rules are specified is to drop all connections on the external interface and to accept all connections on the internal interface.

Action
Possible settings:
- Accept
- Reject
- Drop
Accept means that the data packets should be passed through.
Reject means that the data packets should be rejected so that the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop.
Drop means that the data packets should not be passed through. The data packets will be discarded so that the sender will
  Local Configuration: At startup ... 34
  5.2.1 mGuard blade, EAGLE mGuard and mGuard smart ... 35
  With a configured network interface ... 35
  Without a configured network interface ... 35
  5.2.2 mGuard delta ... 36
  5.2.3 mGuard PCI ... 37
  Install the mGuard PCI Card ... 37
  Install the mGuard PCI Driver ... 37
  Configure the Network Interface ... 37
  The Default Gateway ... 38
  5.3 Setting Up a Local Configuration Connection ... 39
  Web-based Administrator interface ... 39
  After a connection has been successfully set up ... 40
  Configuring the devices ... 41
  5.4 Remote Configuration ... 41
  Prerequisites ... 41
  Remote Configuration ... 41
  6 Configuration
ame protocol as the mGuard. Select the name of the provider with which you are registered, e.g. DynDNS.org.

DynDNS Server
The name of the server of the DynDNS provider selected above, e.g. dyndns.org.

DynDNS Login / DynDNS Password
Enter the user name and password that you have been assigned by the DynDNS provider here.

DynDNS Hostname
The name selected at the DynDNS Service for this mGuard, if you use a DynDNS Service and have entered the corresponding data above.

Network > DHCP

Mode
The Dynamic Host Configuration Protocol (DHCP) automatically assigns appropriate network parameters (like IP address or subnet mask) to the clients connected to the mGuard. Under DHCP Intern you can configure the settings for the internal interface (LAN port) and under DHCP Extern the settings for the external interface (WAN port). The DHCP server/relay is also operational in stealth mode.

IP configuration on Windows clients
To do so, if you are using Windows XP, click on Start, Control Panel, Network Connections. Right-click on the icon of the LAN adapter and then click on Properties in the pop-up menu. In the Internet Protocol Properties dialog on the General tab, select Internet Protocol (TCP/IP) under "This connection uses the following items" and then click on the Properties button. In the Internet Protocol (TCP/IP) Properties dialog, make the appropriate entries or settings.

[Screenshot: Network > DHCP > External DHCP, Mode]
ansmission Control Protocol / Internet Protocol), Trap, VLAN

... and distribute them to the said employees. This reduces the outgoing traffic, which, in turn, cuts down on costs.

Service provider
Service providers are companies or institutions which offer users access to the Internet or an online service.

Spoofing, Anti-Spoofing
In Internet terminology, spoofing means supplying a false address. With the false Internet address, the user can create the illusion of being an authorized user. Anti-Spoofing is a term for mechanisms which detect or prevent spoofing.

Symmetrical encryption
In the case of symmetrical encryption, the same key is used to encrypt and decrypt the data. Two examples of symmetrical encryption algorithms are DES and AES. They are fast, but as the number of users increases the administration becomes rather involved.

TCP/IP (Transmission Control Protocol / Internet Protocol)
This is a family of network protocols. It is used to connect two computers in the Internet.
IP is the base protocol.
UDP is based on IP and sends individual packets. The packets may arrive at the recipient in an order different from that in which they were sent, or they may even be lost.
TCP secures the connection and ensures, for example, that data packets are passed on to the application in the right order.
UDP and TCP add the Port Numbers 1 to 65535 to the IP Addresses. The various services offered by the protocols may be distinguished by these Port Numbers. A number of additional protocols are based on UDP and TCP, e.g. HTTP (HyperText Transfer Protocol), HTTP
ease the Rescue Button quickly enough, the mGuard will restart again.

The mGuard will now start the recovery system. It tries to receive an IP address from a DHCP server over the LAN port.
- Status display:
  - blade, PCI: the red LAN LED flashes
  - delta: the Status LED flashes
  - EAGLE: the LEDs 1, 2 and V.24 light orange
  - smart: the middle LED (heartbeat) flashes

The file install.p7s, which contains the installation procedure for the flashing, will be loaded from the TFTP server. Only files digitally signed by Innominate will be accepted.

Afterwards the flash memory will then be erased.
- Status display:
  - blade, PCI: the two green and the red LAN LED form a bouncing ball display in which the light shifts from one LED to the next
  - delta: the Status LED will flash fast
  - EAGLE: the LEDs 1, 2 and V.24 form a bouncing ball display in which the light shifts from one LED to the next
  - smart: the 3 green LEDs form a bouncing ball display in which the light shifts from one LED to the next

The file jffs2.img.p7s, which contains the mGuard software, will be loaded from the TFTP server and written onto the flash. Only files digitally signed by Innominate will be accepted. This process will take about 3 to 5 minutes.
- Status display:
  - blade, PCI: the green and the red LEDs will flash continuously
  - delta: the Status LED will light continuously
  - EAGLE: the LEDs 1, 2 and V.24 are off; the LEDs p1, p2 and Status will light continuously
  - smart: the mi
static electricity discharge.
4. Unplug the power cord from the back of the computer.
5. Remove the computer's cover (please consult the manual of your computer).
6. Select a free PCI slot (3.3 V or 5 V) for the mGuard PCI.
7. Remove the selected slot bracket by unscrewing the holding screw and slide it out. Save this screw for securing the mGuard PCI card after it's installed.
8. To install the PCI card, carefully align the board's bus connector with the selected expansion slot on the motherboard. Push the board down firmly, but gently, until it is well seated.
9. Replace the slot bracket's holding screw to secure the board to the rear slot panel. Put back the computer's cover.
10. Reconnect the power cord and turn on your computer.

Driver installation
- Please complete the steps described in section "Hardware installation" on page 27 first.

The installation of the driver is only necessary (and will only work as described) in Driver Mode, see "Driver Mode" on page 25.

The following screen shots show the German version of Windows XP.

To install the driver, switch your computer on, login with Administrator rights and wait for the following window to show up:

  Assistent für das Suchen neuer Hardware
  Willkommen
  Mit diesem Assistenten können Sie Software für die folgende Hardwarekomponente installieren:
  Ethernet Controller
  Falls die Hardwarekomponente mit einer CD oder Disk
ble in recent Microsoft Windows systems and the SSH Sentinel VPN client. If you select this option you should also set Perfect Forward Secrecy (PFS) to No (see below) and enable the L2TP server.

As soon as the IPsec/L2TP connection is started under Windows, a dialog will appear to prompt you to enter your user name and login. You can make any entry that you want in this dialog. Since the X.509 certificate has already provided your authentication, the mGuard will ignore these entries.

Tunnel Settings with Connection Type Tunnel (Net <-> Net)
When the Connection Type is set to "Tunnel", the following entries appear on the page:

[Screenshot: Tunnel Settings; Connection type: Tunnel (Net <-> Net); Local network: 192.168.1.1/32; Remote network: 192.168.254.1/32; The virtual IP which will be used by the client in Stealth mode; Enable 1-to-1 NAT to a different internal network in router mode]

The parameters Local network address and Remote network address define the networks on both sides of the tunnel, which must also match the remote VPN gateway's tunnel configuration.

[Figure: Local Network - Internet - Remote VPN Gateway - Remote Network]

With 1-to-1 NAT it is furthermore possible to change the effectively used network addresses, independently from the tunnel settings as agreed on with the remote VPN gateway.

[Figure: local network and opposite network with 1-to-1 NAT]
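The two 1-to-1 NAT options (rewriting the local network to an actually existing internal network, and rewriting the address local systems use for the remote side to the agreed Remote network) describe the same arithmetic: keep the host part, swap the network part, with the mask taken from the tunnel's Local/Remote network field. The following is an added example, not mGuard code, implementing that rewriting for both directions of a tunnel; the tunnel and internal networks are constructed to show the address-conflict case the manual's tunnel section is about.

```python
"""Added example (not mGuard code): the address rewriting described by the
manual's local and remote 1-to-1 NAT options. All network values are constructed."""
import ipaddress


def one_to_one_nat(addr, from_net, to_net):
    """Rewrite `addr` from `from_net` to the same host offset inside `to_net`.

    Both networks must share one netmask; the manual takes the mask from the
    tunnel's Local network / Remote network field. Addresses outside
    `from_net` are returned unchanged.
    """
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net, strict=False)
    to_net = ipaddress.ip_network(to_net, strict=False)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1-to-1 NAT needs identical netmasks")
    if addr not in from_net:
        return addr
    offset = int(addr) - int(from_net.network_address)   # host part survives
    return ipaddress.ip_address(int(to_net.network_address) + offset)


class VpnOneToOneNat:
    """Address rewriting on one mGuard for a tunnel with both NAT options enabled.

    tunnel_local / tunnel_remote: networks as agreed with the remote VPN gateway.
    internal_local:  the actually existing local network (local 1-to-1 NAT).
    internal_remote: the address the local systems use for the remote side
                     (remote 1-to-1 NAT). Either may be None to disable that option.
    """

    def __init__(self, tunnel_local, tunnel_remote, internal_local=None, internal_remote=None):
        self.tunnel_local, self.tunnel_remote = tunnel_local, tunnel_remote
        self.internal_local, self.internal_remote = internal_local, internal_remote

    def outbound(self, src, dst):
        """Packet from a local system entering the tunnel."""
        if self.internal_local:
            src = one_to_one_nat(src, self.internal_local, self.tunnel_local)
        if self.internal_remote:
            dst = one_to_one_nat(dst, self.internal_remote, self.tunnel_remote)
        return str(src), str(dst)

    def inbound(self, src, dst):
        """Packet leaving the tunnel towards a local system (reverse mapping)."""
        if self.internal_remote:
            src = one_to_one_nat(src, self.tunnel_remote, self.internal_remote)
        if self.internal_local:
            dst = one_to_one_nat(dst, self.tunnel_local, self.internal_local)
        return str(src), str(dst)


# Constructed scenario: the real local network is 192.168.1.0/24, the tunnel was
# negotiated as 10.10.1.0/24 <-> 10.10.2.0/24, and local systems reach the remote
# side under 172.16.2.0/24.
NAT = VpnOneToOneNat(tunnel_local="10.10.1.0/24", tunnel_remote="10.10.2.0/24",
                     internal_local="192.168.1.0/24", internal_remote="172.16.2.0/24")

if __name__ == "__main__":
    print(NAT.outbound("192.168.1.17", "172.16.2.40"))   # ('10.10.1.17', '10.10.2.40')
    print(NAT.inbound("10.10.2.40", "10.10.1.17"))       # ('172.16.2.40', '192.168.1.17')
```

Because only the network part changes, the remote gateway never sees the real internal addresses, which is what lets two sites with overlapping address plans be joined without renumbering either side.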
89. ble to use PPPoE or PPTP.

Router Mode with Power over PCI Mode

[Figure: NIC and mGuard PCI connected via the LAN jack using the addresses 192.168.1.2 and 192.168.1.1; the WAN jack carries the external IP]

In router mode it is possible to use PPPoE and PPTP. The mGuard and the network interface card (NIC) connected to the LAN jack use a separate subnet. E.g. the NIC could use the IP 192.168.1.1 and the mGuard's LAN jack could use the IP 192.168.1.2. A third IP will be used on the WAN jack to communicate with a router or a PPPoE/PPTP-capable DSL modem.

Hardware installation

[Figure: mGuard PCI card]
1 Rescue push button
2 Jumper to enable/disable Driver Mode
3 Ethernet jack to connect the unit directly to the system or network to be protected (local system or network) when Driver Mode is disabled
4 Jack for connecting an external network, e.g. WAN, Internet. Connections to remote devices or networks are established via this network. Use a UTP cable (CAT 5).

1. Configure the mGuard for either Driver or Power over PCI mode. See "Choice between Driver mode or Power over PCI mode" on page 25.

4.5.3 Windows XP

To enable the Driver Mode, set the jumper (2) to the following position: [Figure: jumper position for Driver Mode]
To enable the Power over PCI Mode, set jumper (2) to the following position: [Figure: jumper position for Power over PCI Mode]

Turn off the power to your computer and any other connected peripheral devices. Follow the precautions for st
90. blish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard. On a Windows PC, in order to be able to access mGuard's web configuration user interface using the PC's web browser via TCP/IP, you must set up a dial-up network connection to the mGuard.

Serial Port / Modem

Baudrate: The speed of the serial port.
MODEM/PPP: When set to Off, the serial interface can be used with a terminal client. When set to On, the serial interface can be used with PPP.
Hardware handshake (RTS/CTS): Use the RTS and CTS signals for the PPP connection.

PPP dial-in options

Local IP: IP of the mGuard for the PPP connection.
Remote IP: IP of the remote peer for the PPP connection.
PPP Login name: Login to be sent by the remote PPP peer.
PPP Password: Password to be sent by the remote PPP peer.

Firewall Incoming (PPP)

Firewall rules for connections from the PPP to the internal ethernet interface (LAN). Inserting, moving and deleting rows is explained under "Working with tables" on page 43. You have the following options for the entries:

Protocol: All means TCP, UDP, ICMP and other IP protocols.
IP address: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).
Port (this is only evaluated by the TCP and UDP protocols): any means each and every port; startport:endport (e.g. 110:120) defines a range of ports. You can spec
91. cables.

- 12 place holders
- 12 handle plates M1 to M12
- screws to install the bladeBase

The mGuard delta also contains:
- the 5V DC power supply
- two UTP ethernet cables
- a RS232 serial cable

4.1 Connect the mGuard blade

[Figure: mGuard bladeBase with mGuard blades 1 to 12; power supply switches P1 & P2; handle plate; screws; jacks for power supply P1 & P2]

Installing mGuard bladeBase
- Install the mGuard bladeBase into the rack, e.g. close to the patch panel.
- Provide the two power supplies and the control unit at their front from the left to the right with the handle plates "P1", "P2" and "Ctrl".
- Connect both power supplies on the back of the mGuard bladeBase with 100V or 220-240V.
- Switch both power supplies on.
- The LEDs at the front of the power supplies now flash green.

Note: It is necessary that sufficient air circulation through the bladePack is guaranteed.
Note: When stacking several bladePacks, one or more 19" rack-mount fan trays must be installed to exhaust the accumulated warm air.

Installing mGuard blade
- Loosen the upper and lower screws of the place holder or mGuard blade you want to replace.
- Remove the place holder or pull the old mGuard blade out of the bladeBase.
- Insert the new mGuard blade with its circuit board into the bladeBase's plastic guidance and push until it is completely inside.
- Secure the mGuard blade by lig
92. [illegible] 43
Operation 43
6.2 Menu Management 45
6.2.1 Management > System Settings 45
[illegible] 45
Signal contact (only EAGLE mGuard) 46
[illegible] 47
Shell Access 49
6.2.2 Management > Web Settings 50
General 50
Access 51
6.2.3 Management > Licensing 53
Overview 53
Install 53
6.2.4 Management > Update 54
Overview 54
Update 55
AntiVirus 56
6.2.5 Management > Configuration Profiles 57
Configuration Profiles 57
Profiles on the ACA / EAGLE MCU 59
6.2.6 Management > SNMP 60
Query 60
[illegible] 62
LLDP 66
6.2.7 Management > Central Management 66
Configuration Pull 66
6.2.8 Management > Res[illegible] 68
6.3 Menu Entry Blade Control (control unit only) 68
6.3.1 Blade control > Overview 68
6.3.2 Blade control > Blade 01 to 12 69
Table of Contents
Blade in slot 69
[illegible]
93. ch are usually blocked by the firewall rules defined under "Network Security > Packet Filter" and "Network Security > User Firewall". Please see "Connections scanned for viruses are subject to firewall rules: Yes / No" on page 93 to adjust this behaviour.

You have the following options for the entries:

Server: 0.0.0.0/0 means all addresses, i.e. the system will filter the traffic of all POP3 servers. To enter an address space, use the CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).

Note: Since an attempt to set up a connection is first handled by the proxy, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server had been established, but no data was sent. If the list contains the exact server addresses, this behavior can be prevented, since the proxy will then only take requests addressed to the servers given in the list.

Server Port: Enter the number of the port for the POP3 protocol in this field. The default setting for the POP3 port is 110.
Comment: An informational comment for this rule.
Scan: Scan: The virus filter is activated for the servers specified in this rule. No Scan: The virus filter is deactivated for the servers specified in this rule.

6.8.2 Email Security > SMTP

Requirements: The following requirements must be fulfilled for the use of the virus filter:
- Anti-virus license has been installed. Instructions
94. ched in the event of an attack, the limits provide additional security. If your operational environment has special requirements, you can increase these values.

6.6.4 Network Security > User Firewall

User Firewall Templates

The user firewall is operative exclusively for firewall users, i.e. users that registered as firewall users (see "User Authentication > Firewall Users" on page 87). A set of firewall rules, a so-called template, can be assigned to each firewall user.

Note: The anti-virus function (see "Menu Web Security (not on blade control unit)" on page 102 and "Menu Email Security (not on blade control unit)" on page 107) has priority over the firewall rules defined here and can partially override them. This behaviour can be overridden in the Network Security > Packet Filters, Extended Settings menu by setting the switch to Connections scanned for viruses are subject to firewall rules (see "Network Security > User Firewall > Advanced > Connections scanned for viruses are subject to firewall rules: Yes / No" on page 93).

[Screenshot: Network Security > User Firewall > User Firewall Templates, listing the templates "marketing" and "research", each set to Yes]

All defined user firewall templates are listed here. A template can consist of several firewall rules. A template can be assigned to several users.

Enabling / Disabling a defined user firewall template: Set Parameters active to Yes or No, respectively.
95. ck on Browse... to select the file. Enter the password with which the PKCS#12 file's private key is protected in the Password field. Click on Import. Then click on OK. After the import is completed, the new certificate will be shown under Certificate.

[Screenshot: IPsec VPN > Global > DynDNS Monitoring: Watch hostnames of remote VPN Gateways; Refresh Interval (sec)]

DynDNS Monitoring

For an explanation of DynDNS, see below, Services > DynDNS Registration.

Watch hostnames of remote VPN Gateways: Yes / No: If the mGuard has been given the address of the remote VPN gateway as a hostname (see "Connections" on page 114) and this hostname has been registered with a DynDNS Service, the mGuard can check against the DynDNS at regular intervals whether any changes have occurred. If yes, the VPN connection will be set up to the new IP address.

Refresh Interval (sec): Standard: 300 (seconds).

6.9.2 IPsec VPN > Connections

Prerequisites for a VPN connection: The main prerequisite for a VPN connection is that the IP addresses of the VPN partners are known and reachable.

Connections

In order for an IPsec connection to be set up successfully, the VPN's remote site must support IPsec with the following configuration:
- Authentication via Pre-Shared Key (PSK) or X.509 certificate
- ESP
- Diffie-Hellman Groups 2 and 5
- DES, 3DES or AES encryption
- MD5 or SHA-1 hash algorithms
- Tunnel or Transport mo
96. com

1.1 Device versions

mGuard is available in the following device versions, which have largely identical functions. All devices can be utilized regardless of the processor technology and operating system the connected computers use.

mGuard smart: Smallest device model. Can, for example, simply be plugged between the computer or local network (on mGuard's LAN port) and an available router (on mGuard's WAN port) without having to change existing system configurations or driver installations. Designed for instant use in the office or when on the go.

mGuard PCI: This card, which can be plugged into a PCI slot, provides the computer it is installed in with all mGuard functions in driver mode and can additionally be utilised as a normal network card. A network card already on hand in the computer or another local computer / local network can be connected in the power-over-PCI mode.

mGuard blade: The mGuard bladePack includes the mGuard bladeBase, which can be easily installed into standard 3U racks (19 inches) and accommodate up to 12 mGuard blades. Thus this version is ideally suited for use in an industrial environment where it can protect several server systems individually and independently of one another. An additional serial interface enables remote configuration using a telephone dial-up connection or a terminal.

EAGLE mGuard: EAGLE mGuard (previously "mGuard industrial")
97. [illegible] 19
Installing mGuard blade 19
Control Unit (CTRL) 19
Connecting mGuard blade 20
4.2 Connect the mGuard delta 21
4.3 Connect the EAGLE mGuard 22
Terminal Block 22
Assembly 22
Startup Procedure 23
[illegible] 23
Dismantling 23
4.4 Connect the mGuard smart 24
4.5 Connect the mGuard PCI 25
4.5.1 Choice between Driver mode or Power over PCI mode 25
Driver Mode 25
Power over PCI Mode 26
4.5.2 Hardware installation 27
4.5.3 Driver installation 28
Windows XP 28
Windows 2000 29
[illegible] 31
5 Configuration Preparation 34
5.1 Connecting the mGuard 34
mGuard [illegible] 34
mGuard delta 34
EAGLE mGuard 34
mGuard smart 34
mGuard PCI 34
5.2 Loc
98. d can be restricted by firewall rules.

SNMP (Simple Network Management Protocol) is mainly used in more complex networks to monitor the status and operation of devices. SNMP is available in several releases: SNMPv1/SNMPv2 and SNMPv3. The older versions SNMPv1/SNMPv2 do not use encryption and are not considered to be secure. We therefore recommend that you do not use SNMPv1/SNMPv2. As far as security is concerned, SNMPv3 is considerably better, but not all management consoles support it.

Note: It can take more than one second to process SNMP "get" or "walk" requests. However, the factory setting for the timeout of many Network Management Applications is one second. In case you experience timeout problems, please set the timeout of your Management Application to values between 3 and 5 seconds.

Settings

Enable SNMPv3 access: Yes / No: If you wish to allow monitoring of the mGuard via SNMPv3, set this switch to Yes. The access via SNMPv3 requires an authentication with a login and a password. The factory settings for these entries are: Login: admin; Password: SnmpAdmin. MD5 is supported for the authentication, DES is supported for encryption. The login parameters for SNMPv3 can be changed only by using SNMPv3.

Enable SNMPv1/v2 access: Yes / No: If you wish to allow monitoring of the mGuard via SNMPv1/v2, set this switch to Yes.

Port for incoming SNMP connections (external interface only): Standard: 161.

SNMPv1/v2 Community
99. ddle LED (heartbeat) will light continuously. The new software will be unpacked and configured. This process will take about 5 minutes. As soon as the procedure has been completed:
- blade, PCI: the mGuard restarts itself
- delta: the Status LED will flash once per second continuously
- EAGLE: the LEDs 1, 2 and V.24 will flash green continuously
- smart: all 3 LEDs will flash green continuously

3. Restart the mGuard (not required on blade and PCI). To do so, press the Rescue Button briefly, OR disconnect the power supply (smart: by disconnecting the USB cable, which is only used to supply power; or, in case of the mGuard PCI, restart the computer).

The mGuard will now be restored to its factory settings. Configure it once again (see "Local Configuration: At startup" on page 34).

Required before the firmware can be flashed: DHCP and TFTP servers

Before the firmware can be "flashed", DHCP and TFTP servers must be installed on the locally connected system or a network system. (DHCP = Dynamic Host Configuration Protocol, TFTP = Trivial File Transfer Protocol.) Install the DHCP and TFTP server, if necessary (see below).

Note: If you install a second DHCP server in a network, this can affect the configuration of the entire network.

7.3.1 Installing DHCP and TFTP servers under Windows or Linux

Under Windows: Install the program found on the CD-ROM. To accomplish this, proceed as follows:
1. If the Windo
100. de
- Quick Mode
- Main Mode
- SA Lifetime: 1 second to 24 hours

If the system at the remote site is running Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must be installed.

If the remote site is behind a NAT router, it must support NAT-T, or the NAT router must support the IPsec protocol (IPsec VPN Passthrough). In either case, for technical reasons, only IPsec Tunnel connections are supported.

[Screenshot: IPsec VPN > Connections, listing the configured connections with their Enabled setting and a New button]

Lists the VPN connections that have been set up. You can activate (Enable = Yes) or deactivate (Enable = No) each individual connection.

VPN connections, deleting: Click on the Delete button next to the entry. Then click on OK.

Configuring a new VPN connection: Click on New. Enter a name for the connection and then click on Edit. Make the necessary or desired settings (see below). Then click on OK.

VPN connections, editing: Click on the Edit button next to the entry. Make the necessary or desired settings (see below). Then click on OK.

The following URL can be used to start/stop VPN connections independently from their Enabled setting: https://server/nph-vpn.cgi?name=connection&cmd=up (or cmd=down). Example (the URL is quoted so the shell does not interpret the ampersand):

wget "https://admin:mGuard@192.168.1.1/nph-vpn.cgi?name=paris&cmd=up"

6.9.3 Define a VPN connection

After pressing the Edit button, the following page appears: General / IPsec VPN / Conn
101. determines the required package set name.

Install the latest patch release (x.y.Z): Patch releases fix errors in previous versions and have a version number which only changes in the third digit position (e.g. 4.0.1 is a patch release for version 4.0.0).

Install the latest minor release for the currently installed major version (x.Y.z). Install the next major release (X.y.z): Minor and major releases supplement the mGuard with new features or contain modifications of the mGuard's behavior. Their version number changes in the first and second digit position (e.g. 4.1.0 is a major/minor release for the versions 3.1.0/4.0.1).

Update Servers

Here you can specify the servers from which the mGuard shall retrieve its updates.

Note: The list of the servers is processed top-down until an available server is found.

Protocol: The update files can be downloaded using either HTTP or HTTPS.
Server: In this field, enter the FQDN or IP address of the server from which the update files shall be downloaded, e.g. "123.456.789.21" or "update.example.com".
Login: In this field, enter the user name to be used for connecting to the server.
Password: In this field, enter the password to be used when logging in.

AntiVirus Pattern

[Screenshot: Management > Update > Schedule: Update Schedule: never; Update Servers for AVP: Update Location / Hostname: downloads avp innomir (truncated); Proxy Settings]

The virus signa
102. deCtrlPowerStatus (2); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlPowerStatus; Description: The BladePack's power supply status has changed.

enterprise oid: mGuardTrapBladeCTRL; generic trap: enterpriseSpecific; specific trap: mGuardTrapBladeCtrlRunStatus (3); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlRunStatus; Description: The blade's run status has changed.

Blade reconfiguration (backup/restore) (activate traps: Yes/No)

enterprise oid: mGuardBladeCtrlCfg; generic trap: enterpriseSpecific; specific trap: mGuardTrapBladeCtrlCfgBackup (1); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgBackup; Description: A configuration backup to the Blade Controller is triggered.

enterprise oid: mGuardBladeCtrlCfg; generic trap: enterpriseSpecific; specific trap: mGuardTrapBladeCtrlCfgRestored (2); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgRestored; Description: Configuration restore from Blade CTRL is triggered.

Antivirus SNMP Traps

Successful update for AV pattern (activate traps: Yes/No)

enterprise oid: mGuardTrapAV; generic trap: enterpriseSpecific; specific trap: mGuardTrapAvUpdateDone (1); additional: mGuardTResAvUpdateDone; Description: AV Update was performed successfully.

AV update or scanning problems (activate
103. dundancyState, mGuardTResRedundancyReason; Description: Current HA cluster state changed.

enterprise oid: mGuardTrapRouterRedundancy; generic trap: enterpriseSpecific; specific trap: mGuardTrapRouterRedundancyBackupDown (2); additional: mGuardTResRedundancyBackupDown; Description: Backup device is not reachable by Master device. This trap is only sent when ICMP checks are activated.

enterprise oid: mGuardTrapUserFirewall; generic trap: enterpriseSpecific; specific trap: mGuardTrapUserFirewallLogin (1); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod; Description: Remote User logged in.

enterprise oid: mGuardTrapUserFirewall; generic trap: enterpriseSpecific; specific trap: mGuardTrapUserFirewallLogout (2); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallLogoutReason; Description: Remote User logged out.

enterprise oid: mGuardTrapUserFirewall; generic trap: enterpriseSpecific; specific trap: mGuardTrapUserFirewallAuthenticationError (3); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod; Description: Authentication error occurred.

Traps can be sent to one or more targets.

Destination IP: IP to which the trap shall be sent.
Destination Name: An optional descriptive name for the destination, which has no influence on the generated traps.
Destination Community: Name of the trap's SNMP community.

LLDP

[Screenshot: Management > SNMP > LLDP: Mode: Enabled. Internal/LAN interface: Chassis ID, IP address, Port description, System name. External/WAN interface: MAC 0
104. e

[Screenshot: Management > System Settings. System: Power supply 1 / 2, Uptime, Temperature (°C). System DNS Hostname: Hostname mode: User defined (from field below); Hostname; Domain search path: example.local. SNMP Information: System Name, Location, Contact. HiDiscovery: Local HiDiscovery Support: Enabled; HiDiscovery Frame Forwarding: No]

System (only EAGLE mGuard)

Power supply 1/2: The state of both power supplies.
Uptime: The system uptime since the last reboot.
Temperature (°C): If the temperature exceeds the specified range, an SNMP trap is sent.

System DNS Hostname

Hostname mode: Using the Hostname mode and Hostname fields, you can assign a name to the mGuard. This will then be displayed, e.g. when logging in via SSH. The administration of multiple mGuards is simplified if you assign hostnames to them.

User defined (see below) (Default): The name entered in the Hostname field is assigned to the mGuard.

Note: If the mGuard is running in Stealth mode, the option User defined must be selected under Hostname mode.

Provider defined (e.g. via DHCP): If the selected network mode permits the external setting of the hostname, e.g. via DHCP, the name received from the provider will be assigned to the mGuard.

Hostname: If the option User defined is selected under Hostname mode, enter the name which should be assigned to the mGuard here. Otherwise, i.e. if the option Provider defined (e.g. via DHCP) is selected
105. e Browse button, select the file and open it so that the path or the file name is displayed in the File Name field. Then click the Install License File button.

6.2.4 Management > Update

Overview

[Screenshot: Management > Update. System Information: Version, Base, Updates. AntiVirus Information: AntiVirus Engine Status, Last AntiVirus Update, AntiVirus Update Status. Package Versions (Package, Number, Version, Flavour): bootloader 1 3 2 default; bridge-utils 0 9 5 default; busybox 1 1 6 default; bzip2 0 0 2 default; clamav 0 88 50 default; djbdns 1 5 1 default; ebtables 0 3 0 default]

You can examine the successful unblocking of the virus filter feature. For the information about the expiration date of your anti-virus license please see "Management > Licensing" on page 53.

System Information

Version: The current software version of the mGuard.
Base: The software version that was originally used to flash this mGuard.
Updates: List of updates that have been installed on the base.

AntiVirus Information

Anti-Virus Engine Status: Displays the state of the scan engine. If you have activated the anti-virus protection for at least one protocol, the status will be displayed as "up".
Last Anti-Virus Update: Displays the current release date of the anti-virus database.
Anti-Virus Update Status: Shows if the anti-virus update is activated or currently downloading.

Package Versions: Lists the individual software
106. e MAU management for the ethernet interfaces will be switched on and HTTPS will be allowed on the local ethernet interface (LAN). The passwords and the settings configured for VPN connections and the firewall are retained.

Possible reasons for starting the Recovery procedure: The mGuard is in Router or PPPoE mode and
- the mGuard's IP address has been changed from the default setting and
- you don't know the device's current IP address.

Action
1. Press the Rescue Button slowly 6 times (once per second).
2. After about two seconds, the mGuard will respond:
- blade, PCI: On success the LAN LED lights green. On failure the WAN LED lights red.
- delta: On success the Status LED lights green. On failure the Status LED stays off.
- EAGLE: On success the STATUS LED lights yellow. On failure the FAULT LED lights red.
- smart: On success the middle LED lights green. On failure the middle LED lights red.
3. Press the Rescue Button slowly 6 times again.
4. On success the device will perform a restart and switch to Stealth mode. It can then once again be accessed at the following address: https://1.1.1.1. The mGuard delta and the mGuard blade Control Unit will be switched to Router Mode and will be accessible at 192.168.1.1 at the internal interface.

7.3 Flashing the firmware

Objectives: To reload the mGuard's complete firmware.

Note: All of the configured settings will be deleted. The mGuard will b
107. e calling system will establish this additional connection for the data transfer. To let the data of this additional connection pass through the firewall, Enable "FTP" NAT Connection Tracking support must be set to Yes (factory setting).

IRC: This is similar to "FTP". When the IRC protocol is used for chatting in the Internet, incoming connections must also be permitted after the connection has been established actively. In this case, Enable "IRC" NAT Connection Tracking support must be set to Yes so that the firewall will permit these connections (factory setting).

PPTP: This need only be set to Yes under the following condition: if a local system should establish a VPN connection via PPTP to an external system without help from the mGuard. The factory setting is No.

6.6.3 Network Security > DoS Protection

Flood Protection

[Screenshot: Network Security > DoS Protection > Flood Protection. TCP: Maximum number of new outgoing TCP connections (SYN) per second; Maximum number of new incoming TCP connections (SYN) per second. ICMP: Maximum number of outgoing "ping" frames (ICMP Echo Request) per second; Maximum number of incoming "ping" frames (ICMP Echo Request) per second. Stealth Mode: Maximum number of outgoing ARP requests or ARP replies per second (in each case); Maximum number of incoming ARP requests or ARP replies per second (in each case)]

Maximum number of new ou
108. e in Universal Time Coordinates (UTC). If Enable NTP time synchronisation is not yet activated (see below) and Time stamp in filesystem is deactivated, the clock will start with January 1st 2000.

Current system time (local): If the possibly differing current local time should be displayed, you must make the corresponding entry under Timezone in POSIX.1 notation (see below).

Local system time: Here you can set the mGuard's system time in case no NTP server has been specified or the NTP server isn't reachable. The date and time are specified in the format YYYY MM DD hh mm: YYYY = Year, MM = Month, DD = Day, hh = Hour, mm = Minute.

Timezone in POSIX.1 notation: If the Current system time above should display your current local time instead of the current time (if it is different to Greenwich Mean Time), you must enter the number of hours (plus or minus) that your local time differs from Greenwich Mean Time. Examples: In Germany, the time is one hour earlier than in Greenwich. Therefore, enter: CET-1. In New York the clock is behind by five hours relative to Greenwich Mean Time. So you enter: GMT5. The only important thing is the value (-1, -2 or 1 etc.), because only this will be evaluated; the preceding letters won't be. They can be substituted with "CET" or any other designation, such as "UTC". If you wish to display Central European Time (for example for Germany) and have it automatically
109. e name ends with ".tar.gz" and you conduct a local update, OR you can download the package set file via the Internet from the update server and then install the packages.

Note: Depending on the size of the update, this may take several minutes.
Note: If a reboot is necessary after a system update, a message to this effect will be displayed.
Note: Do not interrupt the power supply during the update procedure. Otherwise the device could be damaged and may be left inoperable, and will require your device to be sent to the manufacturer.

Local Update

Filename: To install the packages proceed as follows:
1. Click on Browse..., select and open the file so that its path or filename is shown in the field Filename. The format of the filename is: update-a.b.c-d.e.f.tar.gz
2. Click on Install Packages to transfer them to the device.

Online Update

To perform an online update proceed as follows:
1. Be sure that at least one valid entry exists under Update Server. You should have received the necessary details from your licensor.
2. Enter the update's name in the entry field, e.g. "update-4.0.x-4.1.0.default".
3. Click on Install Package Set to transfer them to the device.

Depending on the size of the update, this may take several minutes. If a reboot is necessary after a system update, a message to this effect will be displayed.

Automatic Update

This is a variation of the online update in which the mGuard independently
110. e restored to the factory (default) settings.

Possible reasons for flashing the firmware:
- The Administrator and Root password have been lost.

Action: Proceed as follows.

Note: Do not interrupt the power supply during the flashing procedure. Otherwise the device could be damaged and may be left inoperable, and will require your device to be sent to the manufacturer.

Prerequisites
- First copy the mGuard software from the mGuard CD-ROM or retrieve it from Innominate Support and save it on the configuration system.
- A DHCP and a TFTP server, both installed on a single system, which provide the mGuard image files (see "Required before the firmware can be flashed: DHCP and TFTP servers" on page 140).
- mGuard PCI: When the mGuard is in Power over PCI mode the DHCP/TFTP server must be connected to the mGuard's LAN jack. When the mGuard is in Driver Mode the DHCP/TFTP server must listen on the mGuard's network interface.

1. Hold the Rescue Button pressed until the recovery status is entered as follows: The mGuard will be restarted (after approx. 1.5 seconds) and after another approx. 1.5 seconds the mGuard will enter the recovery mode:
- blade, PCI: the green and the red LAN LED will light
- delta: the Status LED will slowly fade off
- EAGLE: the LEDs 1, 2 and V.24 will light
- smart: all LEDs will light green
2. No more than 1 second after the recovery mode was entered, release the Rescue Button. If you do not rele
111. ...e the "Anti-Virus > Database Update" menu.
- Invalid virus filter license
- Damaged or faulty update of the virus signature file
Update running: There is currently no anti-virus database installed, and the download of the current database has been started. You can follow the progress of the download in the anti-virus update log.

DHCP Server/Relay: Messages from services defined under "Network > DHCP".
Anti-Virus Update: The update log contains notifications regarding the start and progress of the update process for the virus signature files.
SNMP/LLDP: Messages from services defined under "Management > SNMP".
IPsec VPN: Lists all VPN events. The format corresponds to the standard Linux format. Special evaluation programs exist that present information from the logged data in a more readable format.

6.12 Menu Support
6.12.1 Support > Advanced
Hardware
[Screenshot: Support > Advanced > Hardware, Hardware Information: Hardware, CPU, CPU Family, CPU Stepping, CPU Clock Speed, System Uptime, User Space Memory, MAC 1, MAC 2, Product Name, OEM Name, OEM Serial Number, Serial Number, Flash ID, Hardware Version, Version Parameterset]
This page lists the hardware properties of the mGuard.

Snapshot
Support Snapshot: This will create a snapshot of the mGuard for support purposes. This function is intended to provide the support with ...
112. ...e the virus filter for HTTP or "FTP over HTTP" connections over a proxy, insert a new row and change the default port 80 to the proxy's port. Common proxy ports are 3128 and 8080.
Note: The set of rules will be processed from the top down; therefore, the order of the rules is also decisive for the results.
Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number will cause further connection attempts to be refused.
Note: Scanning for viruses may allow outgoing connections which are usually blocked by the firewall rules defined under "Network Security > Packet Filter" and "Network Security > User Firewall". Please see "Connections scanned for viruses are subject to firewall rules: Yes / No" on page 93 to adjust this behaviour.

You have the following options for the entries:
Server: 0.0.0.0/0 means all addresses, i.e. the system will filter the traffic of all HTTP servers. To enter an address space, use the CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 135).
Note: Since an attempt to set up a connection is first handled by the proxy, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server had been established, but no data was sent. If the list contains the exact server addresses, this behavior can be prevented, since the proxy will then on...
113. ...e will not be displayed in the browser. If a download manager is used to download a file via HTTP, the error message will be displayed by the download manager.

Action for web content exceeding the maximum content size
Let data pass unscanned: When this option is selected, the virus filter will allow the files which exceed the filesize set to pass through unscanned. In this case, the data is not checked for viruses.
Block data: If this option is selected, the system will terminate the download and send an error message to the client software whenever the content exceeds the maximum size.

List of HTTP Servers
You can select the servers whose traffic should be filtered and specify for each IP address whether or not the anti-virus protection should be activated. It is also possible to enter "trusted" servers.
Examples:
Global activation of the anti-virus protection for HTTP:
    Server          Port  Comment          Scan
    0.0.0.0/0       80    HTTP out to any  Scan
Scan a subnet and exclude a "trusted" HTTP server:
    Server          Port  Comment          Scan
    192.168.2.5     80    trusted HTTP     No Scan
    192.168.2.0/24  80    untrusted HTTP   Scan
Scan a single "untrusted" HTTP server in a subnet:
    Server          Port  Comment          Scan
    192.168.2.5     80    untrusted HTTP   Scan
    192.168.2.0/24  80    trusted HTTP     No Scan
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
Note: To activat...
114. ...eat the login process.
Timeout type: static / dynamic. With static timeout, users are logged out automatically as soon as the specified timeout has elapsed. With dynamic timeout, users are logged out automatically after all connections were closed by the user or expired on the mGuard and afterwards the timeout elapsed.
On the mGuard a connection expires when no data was sent for a certain period, depending on the protocol being used:
    Protocol  Expiration after non-usage
    TCP       5 days. This value is configurable, please see "Timeout for established TCP connections" on page 96. Plus 120 additional seconds after the connection expired (this also includes connections closed by the user).
    UDP       30 s after traffic in one direction, 180 s after traffic in both directions
    ICMP      30 s
    Other     10 min

[Screenshot: Network Security > User Firewall > Template User "marketing", tabs Users / Firewall Rules]
User Name: Enter the names of users here. The names must correspond to those that have been defined in User Authentication > External Users (for more information, see "User Authentication > Firewall Users" on page 87).
[Screenshot: Network Security > User Firewall > Template users > Firewall rules: Source IP authorized_ip; rule row with From Port any, To IP 0.0.0.0/0, To Port http, Log No]
Fir...
115. ...ections > "nausicaa" > General
[Screenshot: Options: A descriptive name for the connection: nausicaa; Enabled: Yes; Address of the remote site's VPN gateway: any (either an IP address, a hostname, or "any"); Connection startup: Wait (will be ignored in Stealth Mode). Tunnel Settings: Connection type: Tunnel (Net <-> Net); Local network: 192.168.1.1/32; Remote network: 192.168.254.1/32 (the virtual IP which will be used by the client in Stealth mode); Enable 1-to-1 NAT to a different internal network in router mode; Internal network for 1-to-1 NAT: 192.168.2.1]

Options
A descriptive name for the connection: You can assign the connection any name you desire.
Enabled: Specify whether the connection should be enabled (Yes) or not (No).
Address of the remote site's VPN gateway
[Figure: mGuard, remote Internet VPN gateway]
The address of the gateway to the private network in which the remote communication partner can be found.
- If you wish to have the mGuard actively initiate and set up the connection to the remote site, or if the device is in Stealth mode, enter the IP address or the hostname of the remote site here.
- If the remote site's VPN gateway does not have a fixed and known IP address, you can use the DynDNS Service to simulate a fixed and known address. See "DynDNS" on page 82.
- If you want the mGuard to be ready to accept a connection actively initiated and set...
116. ...en to the anti-virus log. In this case, you have the following options:
- You can try again later to download the file.
- You can temporarily deactivate the virus filter for the corresponding server.
- You can set the parameter to "Let the message pass unscanned".
Please note that, depending on the coding scheme used, the size of the attachment may be larger than the original file.

Action for infected mails
Notify recipient by e-mail: If the virus filter detects a virus, the recipient will be informed by e-mail.
Notify e-mail client by error message: If the virus filter detects a virus, the recipient will be informed by an error message sent to the e-mail client.
Note: If the parameter "Delete received messages from server" has been set in the e-mail client software and the "Action for infected mails" has been set to "Notify recipient by e-mail", the infected e-mail will be deleted on the server, since the e-mail client will assume that the e-mail has been successfully transferred. If you do not wish to have the infected mail deleted (e.g. if you wish to download the infected e-mail in some other manner), only use the option "Notify e-mail client by error message".

Action for mails exceeding the maximum message size
Let the message pass unscanned: When this option is selected, the virus filter will allow the messages which exceed the filesize set to pass through unscanned. In th...
117. ...er Serial Number / Voucher Key: Enter here the serial number that is printed on the voucher, as well as the accompanying license key, and then click "Online License Request".
Result: mGuard now establishes a connection via the Internet and installs the respective license on the mGuard if the voucher is valid.
Restoring licenses: Use this function if the license installed in mGuard has disappeared for some reason, such as flashing the firmware. To do so, click the Online license reload button. The license(s) that had been issued for this mGuard previously will be retrieved from the internet and installed.

Manual license installation: After clicking the License Request Form button, an online form will be provided which can be used to order the desired license. In the request form, enter the following information:
Voucher Serial Number: the serial number that is printed on your voucher.
Voucher Key: the license key on your voucher.
Flash Id: is automatically filled in.
Email Address: the email address to which the license file will be sent.
After you have completed the form, the license file will be sent to the email address indicated. Under Filename you can apply the license file.

Install License: Once the license has been purchased, the license file will be sent to you as an email attachment. In order to apply the license, first save the license file as a separate file on your computer and continue as follows:
1. Click th...
118. ...er@provider.example.net; PPPoE Password: ********
[Screenshot: Internal Networks: Internal IPs (trusted port): IP 192.168.1.1, Netmask 255.255.255.0, Use VLAN, VLAN ID; Additional Internal Routes: Network, Gateway]

PPPoE (Network Mode: PPPoE)
PPPoE Login: In this field, enter the user name (Login) which is expected by your Internet Service Provider (ISP) when you set up a connection to the Internet.
PPPoE Password: In this field, enter the password which is expected by your Internet Service Provider when you set up a connection to the Internet.

Network Mode > PPTP
[Screenshot: Network > Interfaces > General: Network Status: External IP address, Network Mode Status, Active Defaultroute; Network Mode: PPTP; PPTP Login: user@provider.example.net; PPTP Password: ********; Local IP Mode: Static (from field below); Local IP: 10.0.0.140; Modem IP: 10.0.0.138; Internal Networks: IP 192.168.1.1, Netmask 255.255.255.0, Use VLAN, VLAN ID; Additional Internal Routes: Network, Gateway]

PPTP (Network Mode: PPTP)
Network Mode > Router (PPPoE or PPTP)
PPTP Login: In this field, enter the user name (Login) which is expected by your Internet Service Provider when you set up a connection to the Internet.
PPTP Password: In this field, enter the password which is expected by your Internet Service Provider when you set up a connection to the Internet.
119. ...ernet connector when using the Power-over-PCI mode.
In the case of a remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must function.

5.2 Local Configuration
At startup
The mGuard is configured using a Web browser which is running on the configuration system (e.g. Firefox, MS Internet Explorer or Safari).
> The Web browser must support SSL (in other words, https).
By default (factory settings) the mGuard is accessible at the following address:
Factory setting:
- Stealth Mode: https://1.1.1.1/ (default setting except mGuard delta and blade controller)
- Router Mode: https://192.168.1.1/ (default setting on mGuard delta and blade controller)

5.2.1 mGuard blade, EAGLE mGuard and mGuard smart
With a configured network interface / Without a configured network interface
In order for the mGuard to be accessed via the address https://1.1.1.1/, it must of course first be connected to a configured network interface. This is the case if you insert it into an existing network connection (see the illustration in the section):
- "Connect the mGuard blade" on page 19
- "Connect the EAGLE mGuard" on page 22
- "Connect the mGuard smart" on page 24
In this case the Web browser can access the mGuard's configuration interface at the address https://1.1.1.1/ (see "Setting Up a Local Configuration Connection" ...
120. ...et mask: 255.255.255.0; Default gateway: 192.168.1.2
[Screenshot: Use the following DNS server addresses: Preferred DNS server, Alternate DNS server]
After you've configured the network interface, you should be able to access the mGuard's configuration interface with a Web browser at the URL https://1.1.1.1/. In case this isn't possible, then your computer's default gateway might not be available and you must initialize the default gateway by assigning it a dummy value. To accomplish this, proceed as follows:

Initializing the default gateway
1. Determine the currently valid default gateway address. If you are using Windows XP, follow the steps described above under "Configure the Network Interface" to open the Internet Protocol (TCP/IP) Properties dialog box. If no IP address has been entered for the default gateway in this dialog box (e.g. because Obtain an IP address automatically has been activated), enter the IP address manually. To do so, first activate Use the following IP and then enter, as an example, the following addresses:
       IP address:       192.168.1.2
       Subnetwork mask:  255.255.255.0
       Default gateway:  192.168.1.1
   > Do not under any circumstance assign the configuration system an address like 1.1.1.2.
2. On the DOS level (Start > Programs > Accessories > Command Prompt), enter:
       arp -s <IP of the default gateway> aa-aa-aa-aa-aa-aa
   Example: You have determined that the address of the default gateway is (or ...
121. [Screenshot: Found New Hardware Wizard (German-language Windows XP dialog): "... if a diskette was supplied, insert it now. How do you want to proceed? Click Next to continue." Buttons: < Back, Cancel]
1. After inserting the mGuard CD, choose From a list or specified location (Advanced) and click on Next.
[Screenshot: Found New Hardware Wizard, "Choose your search and installation options": Use the check boxes to expand or restrict the default search, which includes local paths and removable media; the best matching driver will be installed. [x] Search removable media (floppy, CD-ROM...); [ ] Include this location in the search (path field, Browse); ( ) Don't search; I will choose the driver to install. Use this option to select a device driver from a list; Windows does not guarantee that the driver you choose will be the best match for your hardware. Buttons: < Back, Next >, Cancel]
2. Click on Next.
[Screenshot: Hardware Installation warning: The software you are installing for this hardware, "Innominate mGuardPCI", has not passed Windows Logo testing to verify its compatibility with Windows XP. (Why is this testing important?) Continuing the installation of this software may impair the correct operation of your system either immediately or in the future. Microsoft strongly recommends that you stop this installation now and ...]
122. ...etwork > Interfaces > Serial Port
[Screenshot: Modem: Baudrate; Modem/PPP: Hardware handshake (RTS/CTS); PPP dial-in options: Local IP 192.168.2.1, Remote IP 192.168.2.2, PPP Password ********; Incoming Rules (PPP): Protocol, From IP, From Port, To IP, To Port, Comment, Log; Log entries for unknown connection attempts; Outgoing Rules (PPP): Protocol, From IP, From Port, To IP, To Port, Action, Comment, Log; Log entries for unknown connection attempts]
In addition to HTTPS, SSH and SNMP management access, the above rules regulate access to (Incoming) and from (Outgoing) the internal network via the PPP connection.
Please note: On some platforms the serial port is not accessible.

Some mGuards, like the mGuard blade, delta or EAGLE, offer a serial interface which is accessible from the outside. The mGuard's configuration can also take place via this interface. The following possibilities are available:
- Connecting mGuard's serial interface to the serial interface of a PC: Establish the connection to the mGuard on a PC by using a terminal programme and carry out the configuration via SSH.
- Connect a modem, which is connected to the telephone (fixed line or GSM) network, to the mGuard's serial interface. This enables a remote PC, also connected to the telephone network by means of a modem, to esta...
123. ...etworks and has both an external and an internal IP address.
External Interface: The external interface (WAN) of the mGuard is connected to the Internet or other parts of the LAN.
- mGuard smart: the Ethernet jack
Internal Interface: A network or a single system is connected to its internal interface (LAN).
- mGuard smart: the Ethernet plug
- mGuard PCI: The internal interface is, in Driver Mode, the network interface of the Operating System or, in Power-over-PCI mode, the LAN Ethernet jack of the mGuard PCI.
As in the other cases, the mGuard supports the Firewall and VPN security functions in this mode of operation as well.

Note: If the mGuard is operated in Router mode, you must set it as the standard gateway in the locally connected client computers. In other words, the address entered for the standard gateway must be the internal IP address of the mGuard. See "Initializing the default gateway" on page 35.
Note: If the mGuard is operated in Router mode and is used to establish the connection to the Internet, you should activate NAT to allow access to the Internet from the local network (see "Network Address Translation / IP Masquerading" on page 93). If NAT is not activated, the device may only allow VPN connections.

PPPoE: PPPoE mode corresponds to the Router mode with DHCP, with one difference: The PPPoE protocol, which is used by many DSL modems (for DSL Internet access in Germany), will be used for connecting to the external ne...
124. ...every port. startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110).
Action: Accept means that the data packets are passed through. Reject means that the data packets are rejected so that the sender is informed that the data packets have been rejected. (In Stealth mode, Reject has the same effect as Drop, see below.) Drop means that the data packets are not passed through. The data packets will be discarded so that the sender will not be informed as to what happened to them.
Note: In Stealth mode, Reject is not supported.
Comment: An informational comment for this rule.
Log: You can specify, for each individual firewall rule, whether the use of the rule should be logged by setting Log to Yes, or not by setting Log to No (factory setting).
Log entries for unknown connection attempts: If this is set to Yes, all attempts to establish a connection which were not covered by the rules defined above will be logged.

MAC Filtering
[Screenshot: Network Security > Packet Filter, tabs Incoming Rules / Outgoing Rules / MAC Filtering; Incoming (untrusted port): Source MAC, Destination MAC, Ethernet Protocol; example row: any, any, any, Accept]
Ethernet Protocol may be "any", IPv4, ARP, Length, or a hexadecimal value.
Please note: These rules only apply to the Stealth mode.
Please note: Management access ...
125. ...ewall Rules
Source IP: The IP address from which the user connected to the mGuard. "authorized_ip" is a placeholder for the address.
Note: If several firewall rules have been defined and activated for a single user, these will be queried in sequence from top to bottom until the appropriate rule has been located. This rule will then be applied. If further rules are defined in the rule list that would also be suitable, these are ignored.

You are offered the following options for entries:
Protocol: All encompasses TCP, UDP, ICMP and other IP protocols.
From Port / To Port (only evaluated for the TCP and UDP protocols): Any designates any port. Startport:Endport (e.g. 110:120) designates a port range. Individual ports can be entered either using the port number or the corresponding service names (e.g. http for 80 or pop3 for 110).
To IP: 0.0.0.0/0 means all IP addresses. In order to specify an IP address range, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 135).
Comment: A comment can be entered as desired for this rule.
Log: For each individual firewall rule, you may define whether, once the rule is activated,
- the event should be logged (set Log to Yes)
- or not (set Log to No, default setting).

6.7 Menu Web Security (not on blade control unit)
6.7.1 Web Security > HTTP
Virus Protection
Options
Requirements: The following requirements must be ful...
126. ...f this IP address is to be inside a VLAN, this option must be set to Yes.
VLAN ID: A VLAN ID between 1 and 4095. An explanation of the term "VLAN" can be found under "VLAN" on page 148.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43. The first row in the list can't be removed.

Additional External Routes: In addition to the Default Route (see below), you can define additional external routes. Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

IP of default Gateway: The IP address of a device in the local network (connected to the LAN port) or the IP address of a device in the external network (connected to the WAN port) can be specified here. If mGuard establishes the transition to the Internet, this IP address is specified by the Internet Service Provider (ISP). If mGuard is utilised within the LAN, the default gateway's IP address will be specified by the network administrator.
Note: If the local network is not known to the external router (e.g. in the case of configuration by DHCP), enter the address of your local network under Firewall > NAT, in other words 0.0.0.0/0 (see "Network Address Translation / IP Masquerading" on page 93).

Network > Interfaces
Network Mode > PPPoE
[Screenshot: Network Status: External IP address, Network Mode Status, Active Defaultroute; Network Mode: PPPoE; PPPoE Login: us...
127. ...f this is not the case, there must be a problem with the remote VPN gateway. In this case, disable and enable the connection to re-establish the connection.

6.10 Menu Redundancy
6.10.1 Firewall Redundancy
It is possible to combine two mGuards to a single virtual router with the help of the redundancy ability.
[Figure: master and backup mGuard forming one virtual router]
The second mGuard (backup) takes over the function of the first mGuard (master) in the event of an error.
The redundancy feature allows two mGuards to be configured to operate as a virtual router. In case of an error, one mGuard (the backup) will take over the functionality of the other mGuard (previously working as the master). Additionally, the state of the stateful firewall is synchronized between both mGuards so that, in case of a takeover, current connections will not be interrupted.
Note: Prerequisite: Both mGuards must be configured accordingly. The firewall configuration should be identical to avoid problems after a switch-over.
Note: Redundancy can only be used in router mode, static stealth mode with management IP or multi-stealth mode.
Note: The mGuards operating as virtual router must not be used as a VPN gateway.
Note: Devices connected to the internal network of the virtual router configuration must be configured to use the mGuard's internal virtual IP as the default gateway.
The following features are supported by the virtual router configuration:
- Incoming/Outgoing firewall rules
- NAT ...
128. ...filled for the use of the virus filter:
- Anti-virus license has been installed. Instructions on how to request and install a license can be found under the section "Management > Update" on page 54.
- Access to an update server with the current versions of the virus signatures (see section "Management > Update" on page 54).
[Screenshot: Web Security > HTTP > Virus Protection, Options: Enable content scanning for HTTP; HTTP maximum filesize for scanning in bytes; Action for infected web content; Action for web content exceeding maximum content size: Let data pass unscanned; List of HTTP Servers: Server 0.0.0.0/0, Server Port 80, Comment, Enable Scan: Scan. Note: Both global content scanning for HTTP must be enabled and firewall rules defining the IP address range to be scanned must be set.]

The HTTP protocol is not only used by web browsers to retrieve data from web sites, but is also used in many other applications. It is also used, for example, to download files (e.g. software updates) or to initialize multimedia streams. The transferred file will only be passed on after it has been loaded completely and checked. Consequently, user software may react less quickly when downloading larger files or whenever the download speeds are slow.
Note: To check the anti-virus protection for HTTP, you can download the safe EICAR test virus which is available for test purposes at http://www.eicar.org/anti_virus_test_file.htm.

Anti-virus protec...
129. ...ge type 8) from the external network will be accepted.
Allow all ICMPs: All ICMP messages from the external network will be accepted.

Anti-virus scanner
Connections scanned for viruses are subject to firewall rules: Yes / No. In the Web security > HTTP, Web security > FTP, E-mail security > POP3 and E-mail security > SMTP menus, a list of server connections can be created on the Anti-virus protection tab. Files that enter mGuard via these connections are scanned for viruses (in the case of SMTP, files leaving the mGuard).
If firewall packet filters are set (Network security > Packet filters and/or Network security > User firewall) which relate to these connections and prevent them, these will only be taken into consideration if the Connections scanned for viruses are subject to firewall rules switch is set to Yes. In the case of No (default setting), the rules that have been set for the anti-virus function have priority. Firewall packet filters that contradict them are overridden. VPN connections are not affected because the anti-virus function is not available for VPN connections.

Stealth Mode
Allow forwarding of GVRP frames: The GARP VLAN Registration Protocol (GVRP) is used by GVRP-capable switches to exchange configuration information. By setting this switch to Yes, GVRP frames are allowed to traverse the mGuard in Stealth mode.
Allow forwarding of STP frames: The Spanning Tree Protocol (STP, 802.1d) is used by bridges and ...
130. ...gram. Since the IP header remains unchanged, this mode is only suitable for a host-to-host connection. In Tunnel Mode, an IPsec header and a new IP header will be added in front of the entire IP datagram. As a consequence, the original datagram will be encrypted in its entirety and sent as the payload of the new datagram. The Tunnel Mode is used in VPN applications. The devices at the tunnel ends ensure that the datagrams are encrypted before they pass through the tunnel, so the actual datagrams are completely protected while being transferred over the public network.

Using Network Address Translation (NAT), which is also often called IP Masquerading, an entire network is "hidden" behind a single device which is known as a NAT router. The internal computers in the local network with their IP addresses will remain hidden if you communicate with the outside via a NAT router. The remote system will only see the NAT router with its own IP address. If the internal computers are to communicate directly with external systems (in the Internet), the NAT router must modify the IP datagrams that are passed back and forth between the internal computers and the remote sites. If an IP datagram is sent from the internal network to a remote site, the NAT router will modify the UDP or TCP header of the outgoing datagram. It replaces the source IP address and port with its own IP address and a thus far unused port. It maintains a table in ...
131. ...he IP address of the default gateway can be examined or set here.
[Screenshot: Use the following DNS server addresses: Preferred DNS server, Alternate DNS server]
If no IP address has been entered for the default gateway in this dialog box (e.g. because Obtain an IP address automatically has been activated), enter the IP address manually. To do so, first activate Use the following IP and then enter, as an example, the following addresses:
       IP address:       192.168.1.2
       Subnetwork mask:  255.255.255.0
       Default gateway:  192.168.1.1
   > Do not under any circumstance assign the configuration system an address like 1.1.1.2.
2. On the DOS level (Start > Programs > Accessories > Command Prompt), enter:
       arp -s <IP of the default gateway> aa-aa-aa-aa-aa-aa
   Example: You have determined that the address of the default gateway is (or you have set it to) 192.168.1.1. Then the command should be:
       arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa
3. To proceed with the configuration, first establish the necessary connection (see "Setting Up a Local Configuration Connection" on page 39).
4. After setting the configuration, restore the original setting for the default gateway address. To do so, either restart the configuration computer or enter the following command at the DOS level (in the Command Prompt window):
       arp -d

5.2.2 mGuard delta
The mGuard delta's initial IP address on the LAN interfaces 4 to 7 is 192.168.1.1 within the network ...
132. ...he error.

Working with tables
Many settings are saved as data records. Correspondingly, the adjustable parameters and their values are presented in the form of table rows. If settings have been created for several data records (e.g. firewall rules), these will be queried or processed based on the sequence of entries from top to bottom. Therefore, if applicable, it is important to pay attention to the order of the entries. By shifting table rows either up or down, the order can be changed.
With tables, you can
- insert rows in order to set up a new data record with settings (e.g. the firewall rules for a specific connection),
- move rows, i.e. shift them to another location, and
- delete rows, in order to delete the entire data record.

Insert row
[Figure: table with insert arrows]
1. Click on the arrow under which you want to insert a new row.
2. Result: The new row is inserted.

Move rows
[Figure: table with marked rows and move arrows]
1. Mark one or more rows you want to move.
2. Click on the arrow under which you want to move the marked rows.
3. Result: The rows are moved.

Delete rows
[Figure: table with marked rows and delete symbol]
1. Mark the rows you want to delete.
2. Click on the symbol to delete the rows.
3. Result: The rows are de...
133. this behaviour.

You have the following options for the entries:

Server
0.0.0.0/0 means all addresses, i.e. the system will filter the traffic to all SMTP servers. To enter an address space, use the CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).
Note: Since an attempt to set up a connection is first handled by the proxy, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server had been established, but no data was sent. If the list contains the exact server addresses, this behavior can be prevented, since the proxy will then only take requests addressed to the servers given in the list.

Server Port
Enter the number of the port for the SMTP protocol in this field. The default setting for the SMTP port is 25.

Comment
An informational comment for this rule.

Scan
Scan: The virus filter is activated for the server specified in this rule.
No Scan: The virus filter is deactivated for the server specified in this rule.

6.9 Menu IPsec VPN (not blade controller)

6.9.1 IPsec VPN > Global
(Screenshot: IPsec VPN > Global, tabs Machine Certificate, DynDNS Monitoring. Machine Certificate: Certificate; PKCS#12 Filename (*.p12), Browse; Password.)

Machine Certificate
This shows the currently imported X.509 certificate with which the mGuard identifies itself to other VPN gateways. The following infor
134. ht tightening of the upper and lower screws.
• Replace the empty handle plate with the suitable number from the mGuard bladeBase accessories or the old mGuard blade by sliding it in or out laterally.
Note: During installation or removal of an mGuard blade, the bladeBase does not need to be switched off.

Control Unit (CTRL Slot)
Next to the two power supplies is the "CTRL" slot. An mGuard blade operated therein works as a controller for all other mGuard blades. During an mGuard blade's first installation into the "CTRL" slot, the blade reconfigures itself into a control unit:
• The web interface is reconfigured to operate as a control unit.
• It switches itself into router mode with the local IP address 192.168.1.1.
• The firewall, Anti-Virus and VPN services are reset and deactivated.

Connecting the mGuard blade
(Illustration: computer on the patch panel, before and after; the mGuard blade is inserted between the patch panel and the switch.)
If your computer is already attached to a network, then you just need to patch the mGuard blade into the already existing network connection. Please note that the initial configuration can only be done using the LAN connector and that the firewall rejects all IP traffic from the WAN to the LAN interface.
Note: No additional driver needs to be installed.
Note: For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration.
135. via the LAN port.

(Illustration: main building with its default gateway at 192.168.1.253 on the left; on the right three overlapping networks, each 10.0.0.0/16.)
In the illustration above, it is desired that the networks on the right-hand side are accessible from the network or the computer on the left-hand side. For historical or technical reasons, however, the computer networks on the right-hand side overlap. With the help of mGuards and their 1:1 NAT feature, these networks can be redefined so that the conflict is solved. 1:1 NAT can be used in normal routing and in IPsec VPN tunnels.

3 Control and LEDs

3.1 mGuard blade
(Illustration: LEDs WAN red, WAN green, LAN red, LAN green; Rescue key; serial port.)

LED, state and meaning:
• WAN Red, flashing: Booting up, after starting or restarting the computer.
• LAN Red and WAN Red, flashing: System error. Note: Perform a system restart. To accomplish this, briefly press the Rescue button (1.5 sec). If the error occurs again, start the Recovery procedure (see "Performing a Recovery" on page 137) or contact Support.
• WAN Green and LAN Green, on or flashing: Ethernet status. Shows the status of the LAN and WAN interface. As soon as the device is connected to the network, the LEDs will be on continuously to indicate that there is a connection. The LEDs will flash when data packets are transferred.
• WAN Green, various LED codes: Recovery mode. After pressing the Rescue
136. specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).

Action
Accept means that the data packets are passed through.
Reject means that the data packets are rejected, so that the sender is informed that the data packets have been rejected. (In Stealth mode, Reject has the same effect as Drop.)
Drop means that the data packets are not passed through. The data packets will be discarded, so that the sender will not be informed as to what happened to them.

Comment
An informational comment for this rule.

Log
You can specify, for each individual firewall rule, whether the use of the rule
• should be logged, by setting Log to Yes,
• or not, by setting Log to No (factory setting).

Log entries for unknown connection attempts
If this is set to Yes, all attempts to establish a connection which were not covered by the rules defined above will be logged.

Firewall Outgoing (PPP)
Firewall rules for connections from the internal ethernet interface (LAN) to PPP. All other settings conform to Firewall Incoming (PPP).

Hardware (Network > Interfaces > Hardware)
(Screenshot, MAU Configuration: External (WAN), 10/100 BASE-T RJ45, up, 100 Mbit/s FDX; Internal (LAN), 10/100 BASE-T RJ45, up, 100 Mbit/s FDX.)
Configuration and status display of the ethernet ports.

MAU Configuration
Port
Name of the interface the row refers to.
137. …  91
…  92
6.6.2 Network Security > NAT  93
   Masquerading  93
   Port Forwarding  95
   Connection Tracking  96
6.6.3 Network Security > DoS Protection  98
   Flood Protection  98
6.6.4 Network Security > User Firewall  99
   User Firewall Templates  99
   User Firewall > Define Template  100
   General  100
   Template Users  101
   Firewall Rules  101
6.7 Menu Web Security (not on blade control unit)  102
   6.7.1 Web Security > HTTP  102
   Virus Protection  102
   6.7.2 Web Security > FTP  104
   Virus Protection  104
6.8 Menu Email Security (not on blade control unit)  107
   6.8.1 Email Security > POP3  107
   Virus Protection  107
   6.8.2 Email Security > SMTP  109
   Virus Protection  110
6.9 Menu IPsec VPN (not blade controller)  113
138. In this case, the mail will not be checked for viruses.
Block message
When this option is selected, an error code will be returned to the e-mail client and the e-mail will be blocked.

List of POP3 servers
Indicate which servers' files should be scanned for viruses. By enabling or disabling the anti-virus function beside each individual entry or server, respectively, you can, for example, set an exception rule for a subsequent comprehensive rule. This allows you to define "trusted" servers (see the example illustrated below).

Examples
Global activation of the anti-virus protection for POP3:
   Server: 0.0.0.0/0 | Port: 110 | Comment: POP3 out to any | Enable Scan: Scan

Scan a subnet and exclude a "trusted" POP3 server:
   Server: 192.168.2.5 | Port: 110 | Comment: trusted POP3 | Enable Scan: No Scan
   Server: 192.168.2.0/24 | Port: 110 | Comment: untrusted POP3 | Enable Scan: Scan

Scan a single "untrusted" POP3 server in a subnet:
   Server: 192.168.2.5 | Port: 110 | Comment: untrusted POP3 | Enable Scan: Scan

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number will cause further connection attempts to be refused.
Note: The set of rules will be processed from the top down; therefore the order of the rules is also decisive for the results.
Note: Scanning for viruses may allow outgoing connections whi
139. is the certification authority's digital signature. If the certificate's data is altered, this HASH value will no longer be correct, with the consequence that the certificate will be worthless. The HASH value is also known as the fingerprint. Since it is encrypted with the certification authority's private key, anyone who has the public key can decrypt the bit sequence and thus verify the authenticity of this fingerprint or signature. The usage of a certification authority means it is not necessary for each owner of a key to know every other owner; it is enough for them to know the certification authority. The additional information about the key further simplifies the administration of the key. X.509 certificates are used, e.g., for e-mail encryption in S/MIME or IPsec.

Protocol
Devices which communicate with each other must follow the same rules; they must "speak the same language". Such rules and standards are called protocols or communication protocols. Some of the more frequently used protocols include, for example, IP, TCP, PPP, HTTP and SMTP.

Proxy
A proxy (representative) is an intermediary service. A web proxy (e.g. Squid) is commonly placed upstream of a larger network. For example, if 100 employees accessed a certain website at the same time and did this via the web proxy, then the proxy would load the respective pages from the server only once.

Service Provider
Spoofing, Antispoofing
Symmetrical encryption
TCP/IP
Tr
140. DHCP mode
Server: The mGuard will work as an independent DHCP server.
Relay: The mGuard will forward DHCP requests to other DHCP servers on its external interface (WAN).
Disabled: The mGuard will not answer DHCP requests.

DHCP mode > Server
(Screenshot: Network > DHCP > External DHCP. Mode: DHCP mode. DHCP Server Options: Enable dynamic IP address pool, DHCP lease time, DHCP range start, DHCP range end, Local netmask, Broadcast address, Default gateway, DNS server, WINS server. Static Mapping: Client MAC Address, Client IP Address.)

If the DHCP mode is set to Server, the following options are available:

DHCP Server Options
Enable dynamic IP address pool
Select Yes if you wish to use the dynamic IP address pool defined by DHCP range start and DHCP range end. Select No if you wish to use IP addresses statically assigned by means of the MAC address (see below).

DHCP lease time
Time in seconds for which the network configuration assigned to the client is valid. Briefly before expiration of this time, the client should renew its configuration. Otherwise it may be assigned to another computer.

With enabled dynamic IP address pool
When the DHCP server and the dynamic IP address pool have been activated, you can enter the ne
141. Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
Note: To activate the virus filter for FTP connections over a proxy, insert a new row and change the default port 21 to the proxy's port.
Note: The set of rules will be processed from the top down; therefore the order of the rules is also decisive for the results.
Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number will cause further connection attempts to be refused.
Note: Scanning for viruses may allow outgoing connections which are usually blocked by the firewall rules defined under "Network Security > Packet Filter" and "Network Security > User Firewall". Please see "Connections scanned for viruses are subject to firewall rules: Yes / No" on page 93 to adjust this behaviour.

You have the following options for the entries:

Server
0.0.0.0/0 means all addresses, i.e. the system will filter the traffic of all FTP servers. To enter an address space, use the CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).
Note: Since an attempt to set up a connection is first handled by the proxy, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server had been established, but no data was sent. If the list contains the exact server addresses, this behavior can be prevented
142. Internal: In case the connection on the LAN port goes down/up, the WAN port will be set down/up also.
External: In case the connection on the WAN port goes down/up, the LAN port will be set down/up also.

6.11 Menu Logging
The term "logging" is understood to mean the recording of event messages, e.g. about settings that have been set, about firewall rules taking effect, about errors, etc. Log entries are recorded in different categories and can also be displayed according to categories (see "Logging > Browse local logs" on page 131).

6.11.1 Logging > Settings
(Screenshot: Logging > Settings > Remote Logging. Activate remote UDP logging; Log Server IP address: 192.168.1.254; Log Server port (normally 514): 514.)

All log entries are recorded in the mGuard's temporary memory (RAM). Once the space for log entries has been filled, the oldest log entries will be overwritten. Furthermore, if the mGuard is switched off, all log entries are deleted. If you wish to keep a copy of the log, the log entries can be sent to an external system. This is particularly useful if you wish to have centralized administration of the logs.

Settings
Activate remote UDP logging: Yes / No
If all log entries should be sent to an external log server (specified below), set this option to Yes.

Log Server IP address
Enter the IP address of the log server to which the log entries should be sent via UDP. This en
143. deleted.

Further operating remarks
The following buttons are located in every page header:

Logout
For logging out after configuration access to the mGuard. If the user does not conduct a logout procedure, the logout is automatically conducted if no more activity takes place and the timeout has expired. Renewed access is only granted after the login process has been repeated.

Reset (optional button)
Resets data to the previous values. If you have entered values on a configuration page and these haven't yet been applied, you can restore the previous values on the page by clicking the Reset button. This button is only included in the page header if the validity range of the Apply button is set to include all pages (see "Management > Web Settings" on page 50).

Apply (optional button)
Functions similar to the Apply button (see above), but is valid for all pages. This button is only included in the page header if the validity range of the Apply button is set to include all pages (see "Management > Web Settings" on page 50).

6.2 Menu Management
Note: For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration (see "Passwords" on page 86). As long as the passwords have not been changed, you will see a notice at the top of the page.

6.2.1 Management > System Settings
(Screenshot: Management > System Settings, tabs Host, Time and Dat
144. logged, by setting Log to Yes, or not, by setting Log to No (factory setting).

Log entries for unknown connection attempts
If this is set to Yes, all attempts to establish a connection which were not covered by the rules defined above will be logged.

IKE Options
(Screenshot: IPsec VPN > Connections > nausicaa > IKE Options. ISAKMP SA (Key Exchange): Encryption Algorithm 3DES, Hash Algorithm All algorithms. IPsec SA (Data Exchange): Encryption Algorithm 3DES, Hash Algorithm All algorithms. Perfect Forward Secrecy (PFS): Yes; the remote site must have the same entry, activation is recommended for security reasons. Lifetimes: ISAKMP SA Lifetime (seconds), IPsec SA Lifetime (seconds), Rekeymargin (seconds), Rekeyfuzz (percent), Keying tries (0 means unlimited tries), Rekey. Dead Peer Detection: Action Hold (Default), Delay, Timeout.)

ISAKMP SA (Key Exchange)
Encryption algorithm
Together with the administrator at the remote site, decide on which encryption technique should be used. 3DES-168 is the most commonly used algorithm and is therefore the default (factory) setting. Basically, the following applies: the greater the number of bits used by an encryption algorithm (specified by the appended number), the more secure it is. The relatively new AES-256 protocol is therefore considered the most secure, but is not yet widely used. The longer
145. only take requests addressed to the servers given in the list.

Server Port
Enter the number of the port for the HTTP protocol in this field. The default setting for the HTTP port is 80.

Comment
An informational comment for this rule.

Scan
Scan: The virus filter is activated for the server specified in this rule.
No Scan: The virus filter is deactivated for the server specified in this rule.

6.7.2 Web Security > FTP
Requirements
The following requirements must be fulfilled for the use of the virus filter:
• An anti-virus license has been installed. Instructions on how to request and install a license can be found under the section "Management > Update" on page 54.
• Access to an update server with the current versions of the virus signatures (see section "Management > Update" on page 54).

(Screenshot: Web Security > FTP > Virus Protection. Options: FTP maximum filesize for scanning in bytes; Action for infected web content: Notify with browser error; Action for web content exceeding maximum content size: Let data pass unscanned. List of FTP Servers: Server 0.0.0.0/0, Port 21, Comment "FTP out to any", Enable Scan: Scan. Note: Both global content scanning for FTP must be enabled and firewall rules defining the IP address range to be scanned must be set.)

The FTP protocol is used for up- and download of files. The transferred file will only
146. only when the locally connected network tries to send data to the receiver. In the case of Restart, the connection is re-built immediately. In the case of Clear, the connection will be deactivated until IPsec is restarted.

Delay
The length of time in seconds after which DPD Keep-Alive queries will be sent to check the availability of the remote peer. The factory default is 30 seconds.

Timeout
The length of time in seconds after which the remote peer will be declared dead if the Keep-Alive queries are not answered. The factory default is 120 seconds.

6.9.4 IPsec VPN > L2TP over IPsec
Together with VPN connections of connection type "transport", the L2TP server allows remote peers to connect with IPsec/L2TP to the mGuard.

(Screenshot: IPsec VPN > L2TP over IPsec > L2TP Server. Settings: Start L2TP Server for IPsec/L2TP: Yes; Local IP for L2TP connections: 10.106.106.1; Remote IP range start: 10.106.106.2; Remote IP range end: 10.106.106.254; Please note: These rules won't apply to the Stealth mode. Status: Maximal number of tunnels: 256; Tunnels in use: 0; Maximal number of sessions per tunnel: 16; Sessions in use: 0; L2TP Daemon's Uptime: 0 days and 00:00:03.)

Settings
Start L2TP Server for IPsec/L2TP: Yes / No
If you want to enable IPsec/L2TP connections, set this switch to Yes. It is then possible to establish incoming L2TP connections over IPsec, which dynamically assign IP addresses to the
147. (Illustration: Internet, Router, Firewall, HQ.)
The mGuard is able to provide internet connectivity to a group of computers while protecting the company network with its firewall. For this purpose, one of the following network modes may be used:
• Router, if the Internet access is established via a DSL router or dedicated line;
• PPPoE, if for example the Internet access is established via a DSL modem using the PPPoE protocol (e.g. in Germany);
• PPTP, if for example the Internet access is established via a DSL modem using the PPTP protocol (e.g. in Austria).
The mGuard must be set as the default gateway on the locally connected client system(s).

(Illustration: Intranet, Internet, Server, Firewall.)
A DMZ (Demilitarized Zone) is a protected network which sits between an internal network and an external network. For example, a company's website may be inside a DMZ, granting FTP write access to computers in the intranet and HTTP read-only access to both networks. The IP addresses within the DMZ can be public or private. In the latter case, public IPs would be mapped by means of port forwarding to the private addresses within the DMZ.

VPN Gateway
(Illustration: Branch office, Internet.)
An encrypted access to the company's network is to be provided to employees at home o
148. information is displayed:
subject: The holder to whom the certificate was issued.
issuer: The certification authority which signed the certificate. C = Country, ST = State, L = Location (city), O = Organisation, OU = Organisation Unit, CN = Common Name (hostname).
MD5 / SHA1 Fingerprint: Fingerprint of the certificate, to compare this with another person (e.g. on the telephone). Windows displays the fingerprint in SHA1 format here.
notBefore / notAfter: Period of time that the certificate is valid. This is ignored by the mGuard, since it doesn't have an integrated realtime clock.

In addition to the information given above, the imported PKCS#12 file (filename extension .p12 or .pfx) also contains a public and a private key. The public key will be given in a certificate file (filename extension .cer or .pem) to other VPN gateways and is used to verify that this mGuard owns the corresponding private key. Depending on the remote site, its operator must be supplied with the certificate file in person or via a signed e-mail, or, if a secure means of communication is not available, you should conclude by comparing the fingerprint shown by the mGuard via a secure means.

Only one PKCS#12 file can be imported into the device. To import a (new) certificate, proceed as follows:

Import a new certificate
Prerequisite: The PKCS#12 file (filename *.p12 or *.pfx) is generated and saved on the connected system.
1.
2. Cli
149. maximum of 4 three-digit numbers, which are each separated by a dot. If the computer accesses its Internet Service Provider (ISP) via a modem on a phone line, ISDN or ADSL, its ISP will assign it a dynamic IP address. In other words, it will be assigned a different address for every online session. If the computer is online 24 hours a day without interruption (e.g. in the case of a flat-rate access), the IP address will even change during the session.
If a local computer should be accessible via the Internet, it must have an address that is known to the remote system. Unless this is true, no connection can be established between the remote system and the local computer. If the local computer's address is constantly changing, no connection can be set up. Unless, of course, the operator of the local computer has an account with a Dynamic DNS provider (DNS = Domain Name Server).
In this case, the operator can set a host name with this provider under which the system should be reachable, e.g. www.example.com. The Dynamic DNS provider also supplies a small program, which must be installed and run on this local computer. At each new Internet session, this tool will inform the Dynamic DNS provider which IP address the local computer has currently been assigned. This Domain Name Server will register the current assignment of Domain Name / IP Address and will also inform the other Domain Name Servers in the Internet.
Now, if a remote system wishes to establish a
150. mode, locally connected clients can be configured to use the mGuard itself as a DNS server. See "IP configuration on Windows clients" on page 83.

Servers to query
Possible settings:
• DNS Root Servers
• Provider defined (i.e. via PPPoE or DHCP)
• User defined (servers listed below)

DNS Root Servers
Queries will be sent to the DNS Root servers in the Internet, found at the IP addresses which are stored in the mGuard. These addresses rarely change.

Provider defined (e.g. via PPPoE or DHCP)
With this setting, the device will use the Domain Name Server of the Internet Service Provider which is used to access the Internet. Only select this setting if the mGuard is operated in PPPoE or PPTP mode or in Router mode with DHCP.

User defined (servers listed below)
If this setting is selected, the mGuard will connect to the Domain Name Servers shown in the list of User defined name servers.

User defined name servers
You can enter the IP addresses of domain name servers in this list. If one of these should be used by the mGuard, select the option "User defined (servers listed below)" under Servers to query.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

DynDNS
(Screenshot: DNS > DynDNS. Register this mGuard at a DynDNS Service; Status; Refresh Interval (sec); DynDNS Provider: DNS4BIZ; DynDNS Server; DynDNS Login; DynDNS Password.)
DynDNS
151. Certifications
cUL 508 / CSA 22.2 No. 142: complies with
cUL 1604 / CSA 22.2 No. 213: pending
Germanischer Lloyd: complies with

Notes on CE identification
The devices comply with the regulations of the following European directive: 89/336/EEC, Council Directive on the harmonization of the legal regulations of member states on electromagnetic compatibility (amended by Directives 91/263/EEC, 92/31/EEC and 93/68/EEC).
The EU declaration of conformity is kept available for the responsible authorities in accordance with the above-mentioned EU directives at:
Innominate Security Technologies AG
Albert-Einstein-Str. 14
D-12489 Berlin
Telephone: +49 (0)30 6392 3300
The product can be used in the residential sphere, in the business and trade sphere and small companies, and in the industrial sphere.
• Interference immunity: EN 61000-6-2:2001
• Emitted interference: EN 55022:1998 + A1:2000 + A2:2003, Class A

FCC Note
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in acco
152. must be set to Yes.

VLAN ID
A VLAN ID between 1 and 4095. An explanation of the term "VLAN" can be found under "VLAN" on page 148.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43. The first entry in the list cannot be deleted.

Additional internal routes
If the locally connected network includes subnetworks, you can define additional routes.
Network: The network in CIDR notation (see "CIDR (Classless InterDomain Routing)" on page 135).
Gateway: The gateway used to reach this network.
Please see also the "Network Example" on page 136.

Ethernet
(Screenshot: tabs Ethernet and Serial Port (only mGuard blade, delta and EAGLE mGuard). ARP Timeout. MTU Settings: MTU of the internal interface, MTU of the internal interface for VLAN, MTU of the external interface, MTU of the external interface for VLAN, MTU of the Management Interface, MTU of the Management Interface for VLAN; 1500.)

ARP Timeout
Lifetime of entries in the ARP table.

MTU Settings
MTU of the ... interface
The Maximum Transfer Unit (MTU) defines the maximal frame size when sending from this interface and is usually 1500 for ethernet interfaces.
Note: VLAN interfaces: VLAN frames contain 4 bytes more than frames without VLAN, which may cause problems with certain network equipment. By reducing the MTU from 1500 to 1496, such problems can be avoided.
153. In this case, both sides of the VPN authenticate each other with the same PSK. To make the agreed-upon key available to the mGuard, enter the agreed-upon character string in the Pre-Shared Secret Key (PSK) entry field. To achieve security comparable to that of 3DES, the string should consist of about 30 characters selected at random and should include upper and lower case characters and digits.
The Pre-Shared Secret Key cannot be used with dynamic ("any") IP addresses; fixed IP addresses or host names are required at both ends.

VPN Identifier
(Screenshot: IPsec VPN > Connections > VPN Identifier: Local VPN Identifier.)
Via the VPN Identifier, the VPN gateways can recognize which configurations belong to the same VPN connection. Valid entries are:
PSK authentication:
• empty: the IP address will be used (this is the default);
• an IP address;
• a hostname prefixed with an "@" character, e.g. "@vpn1138.example.com";
• an email address, e.g. "piepiorra@example.com".
X.509 authentication:
• empty: the certificate's distinguished name (DN) will be used (this is the default);
• the certificate's distinguished name;
• one of the subject alternative names listed in the certificate. When the certificate contains subject alternative names, they will be shown under "Valid values are:" and may be IP addresses, hostnames prefixed with an "@" character, or email addresses.

(Screenshot: IPsec VPN > Connections > nausicaa > Incoming
154. By enabling or disabling the anti-virus function beside each individual entry or server, respectively, you can, for example, set an exception rule for a subsequent comprehensive rule. This allows you to define "trusted" servers (see the example illustrated below).

Examples
Global activation of the anti-virus protection for SMTP.

Scan a subnet and exclude an SMTP server:
   Server: 192.168.2.5 | Port: 25 | Comment: server does its own scan | Enable Scan: No Scan
   Server: 192.168.2.0/24 | Port: 25 | Comment: vulnerable systems | Enable Scan: Scan

Scan traffic to a single SMTP server in a subnet:
   Server: 192.168.2.5 | Port: 25 | Comment: vulnerable system | Enable Scan: Scan
   Server: 192.168.2.0/24 | Port: 25 | Comment: servers do their own scan | Enable Scan: No Scan

Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
Note: The set of rules will be processed from the top down; therefore the order of the rules is also decisive for the results.
Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number will cause further connection attempts to be refused.
Note: Scanning for viruses may allow outgoing connections which are usually blocked by the firewall rules defined under "Network Security > Packet Filter" and "Network Security > User Firewall". Please see "Connections scanned for viruses are subject to firewall rules: Yes / No" on page 93 to adjust t
155. (Screenshot: Windows hardware installation warning, in German, ending "...and to contact the hardware manufacturer for software that has passed the Windows Logo test"; button: Continue installation)
3. Click on Continue anyway.
(Screenshot: Found New Hardware Wizard, in German: Completing the wizard. The software for the following hardware was installed: Innominate mGuardPCI. Click Finish to complete the process. Buttons: Back, Finish, Cancel)
4. Click on Finish.
Windows 2000
Please complete the steps described in section "Hardware installation" on page 27 first.
The installation of the driver is only necessary (and will only work as described) in Driver Mode; see "Driver Mode" on page 25.
To install the driver, switch your computer on, log in with Administrator rights and wait for the following window to show up:
(Screenshot: Found New Hardware Wizard: "Welcome to the Found New Hardware Wizard. This wizard helps you install a device driver for a hardware device. To continue, click Next.")
1. Click on Next.
(Screenshot: Found New Hardware Wizard, Install Hardware Device Drivers: "A device driver is a software program that enables a hardware device to work with an operating system. This wizard will complete the installation for this device: Innominate mGuardPCI.")
A device driver is a software program that makes a hardware device work. Windows needs driver files for your ne
156. nes which were initiated by an external system. If no rule has been set, all incoming connections (except VPN) will be dropped (factory setting).
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
You have the following options for the entries:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
IP address: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation; see "CIDR (Classless InterDomain Routing)" on page 135.
Port (this is only evaluated by the TCP and UDP protocols): any means each and every port; startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110).
Action: Accept means that the data packets are passed through. Reject means that the data packets are rejected so that the sender is informed that the data packets have been rejected. (In Stealth mode, Reject has the same effect as Drop, see below.) Drop means that the data packets are not passed through. The data packets will be discarded so that the sender will not be informed as to what happened to them.
In Stealth mode, Reject is not supported.
Comment: An informational comment for this rule.
Log: You can specify, for each individual firewall rule, whether the use of the rule should be logged by setting Log to Yes, E
157. ng of firewall events was chosen during the definition of firewall rules (Log = Yes), then these logged events are shown here.
Log ID and number for tracing errors
Log entries that refer to the firewall rules listed below have a log ID and a number. Using the log ID and number, it is possible to trace the firewall rule that the corresponding log entry refers to and that led to the event in question.
Firewall rules and their log ID:
- Packet filters (Network security > Packet filters > Incoming rules / Outgoing rules menu). Log ID: fw-incoming or fw-outgoing, respectively.
- Firewall rules for VPN connections (IPsec VPN > Connections > Firewall incoming / outgoing menu). Log ID: vpn-fw-in or vpn-fw-out, respectively.
- Firewall rules for web access through mGuard via HTTPS (Administration > Web settings > Access menu). Log ID: fw-https-access.
- Firewall rules for web access through mGuard via SNMP (Administration > SNMP > Query menu). Log ID: fw-snmp-access.
- Firewall rules for SSH remote access to the mGuard (Administration > System settings > Shell access menu). Log ID: fw-ssh-access.
- Firewall rules for the user firewall (Network security > User firewall > Firewall rules menu). Log ID: ufw.
- Rules for NAT (port forwarding) (Network security > NAT > Port forwarding menu). Log ID: fw-port-forwarding.
Searching for firewall rules on the basis of a network security log
(Screenshot: log category checkboxes Blade, A
158. AntiVirus). If the Network security checkbox is enabled, the Lookup search field is displayed below the Reload Logs button so that the relevant log entries can be displayed.
Proceed as follows if you want to trace the firewall rule that a log entry in the network security category references and that resulted in the relevant event:
1. Mark the section that contains the log ID and number in the relevant log entry, for example: fw-https-access-1-2e49ed19-e930-161b-9227-000cbe010f52
(Screenshot of the log view: sshd entries "Accepted publickey for root from 10.1.0.253 port 56671 ssh2" and "... port 56672 ssh2", gai entries "WWW_LANGUAGE changed to en", "HTTPS_ACCESS_UUID changed to 2e49ed19-e930-161b-9227-000cbe010f52" and "HTTPS_REMOTE_ACCESS_RULES_0_LOG changed to yes", a kernel firewall entry ending in ACCEPT; category checkboxes Common, SNMP/LLDP, Network Security, IPsec VPN; Reload logs button; "Jump to firewall rule" field containing fw-https-access-1-2e49ed19-e930-161b-9227-000cbe010f52)
2. Copy this section into the Jump to firewall rule field via the clipboard.
3. Click the Lookup button.
Result: The configuration page containing the firewall rule that the log entry refers to is displayed.
In addition to the error messages, the following messages are output on the blade controller. The areas encl
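The log-ID lookup described in the two entries above, as an added example that is not part of the manual: it extracts the log ID, rule number and UUID from a log line and maps the log ID to the configuration menu from the manual's table. The reference layout `<log id>-<number>-<uuid>` with hyphens and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Log ID -> configuration menu, from the manual's "Firewall rules and their log ID" list.
LOG_ID_MENUS = {
    "fw-incoming": "Network security > Packet filters > Incoming rules",
    "fw-outgoing": "Network security > Packet filters > Outgoing rules",
    "vpn-fw-in": "IPsec VPN > Connections > Firewall incoming",
    "vpn-fw-out": "IPsec VPN > Connections > Firewall outgoing",
    "fw-https-access": "Administration > Web settings > Access",
    "fw-snmp-access": "Administration > SNMP > Query",
    "fw-ssh-access": "Administration > System settings > Shell access",
    "ufw": "Network security > User firewall > Firewall rules",
    "fw-port-forwarding": "Network security > NAT > Port forwarding",
}

# Assumed reference layout: <log id>-<rule number>-<uuid>, matching the ID shown in the
# manual's screenshot (fw-https-access-1-2e49ed19-e930-161b-9227-000cbe010f52).
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
REF_RE = re.compile(r"(?<![\w-])([a-z][a-z-]*?)-(\d+)-(" + UUID + r")(?![\w-])")


def parse_log_reference(line: str) -> Optional[Dict[str, object]]:
    """Return the firewall-rule reference carried by a log line, or None if there is none."""
    m = REF_RE.search(line)
    if not m:
        return None
    log_id, number, uuid = m.group(1), int(m.group(2)), m.group(3)
    return {
        "reference": m.group(0),     # the string to paste into "Jump to firewall rule"
        "log_id": log_id,
        "number": number,
        "uuid": uuid,
        "menu": LOG_ID_MENUS.get(log_id),   # None for an ID the table does not list
    }


def trace_rules(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that reference a rule and resolve each to its menu page."""
    refs = (parse_log_reference(line) for line in lines)
    return [r for r in refs if r is not None]


# Constructed sample log lines (not real mGuard output); the UUID is the one from the manual.
SAMPLE_LOG = [
    "2 days 01:10:44 sshd[18557]: Accepted publickey for root from 10.1.0.253 port 56671 ssh2",
    "2 days 04:23:06 gai: HTTPS_REMOTE_ACCESS_RULES_0_LOG changed to yes",
    "2 days 04:23:17 kernel: fw-https-access-1-2e49ed19-e930-161b-9227-000cbe010f52 IN=eth1 ACCEPT",
    "2 days 05:00:01 kernel: vpn-fw-out-2-01234567-89ab-cdef-0123-456789abcdef OUT=ipsec0 DROP",
]

if __name__ == "__main__":
    for ref in trace_rules(SAMPLE_LOG):
        print(f"{ref['reference']} -> {ref['menu']} (rule {ref['number']})")
```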
159. socket for connection to the external network (WAN), e.g. the Internet. Via this network the connections to the remote device or the remote network are realized.
The front panel of the EAGLE mGuard is grounded via a separate ground connection. Do not open the housing. The shielding ground of the twisted-pair lines which can be connected is electrically connected to the front panel.
You start up the EAGLE mGuard by connecting the supply voltage via the 6-pin terminal block. Lock the terminal block with the locking screw at the side.
If your computer is already attached to a network, then you just need to patch the mGuard between the already existing network connection. Please note that the initial configuration can only be done using the LAN connector and that the firewall is rejecting all IP traffic from the WAN to the LAN interface.
No additional driver needs to be installed.
For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration.
Both ports of the mGuard are configured to be connected to a computer. If you connect the ports to a hub, please note that if Autonegotiation (see "MAU Configuration" on page 81) is disabled, then the Auto-MDIX will also be deactivated, i.e. the port of the EAGLE mGuard has to be connected either to the uplink port of the hub or a cross-link cable has to be used.
To take the EAGLE mGuard off the ISO DIN
160. mode, Reject is not supported.
Comment: An informational comment for this rule.
Log: You can specify, for each individual firewall rule, whether the use of the rule
- should be logged by setting Log to Yes,
- or should not be logged by setting Log to No (factory setting).

Trap
Basic traps
(Screenshot: Management > SNMP > Trap. Basic traps: SNMP authentication, Link Up/Down, Coldstart, Admin access (SSH, HTTPS), new DHCP client. Anti-Virus traps: Successful update of AV pattern, AV update or scanning problem, Found virus or skipped scanning. Redundancy traps: Status change. Trap destinations table: Destination IP, Destination Name, Destination Community.)
Platform-specific configurations are only effective on the platform in question. Similarly, AV traps are only sent when a licensed anti-virus system is active. SNMP traps are only sent if SNMP access is enabled.
On certain events the mGuard can send SNMP traps. These traps are compatible with SNMPv1. For each setting the traps being sent are explained below.
SNMP authentication
- activate traps: Yes / No
- enterprise oid: mGuardInfo
- generic trap: authenticationFailure
- specific trap: 0
- Description: This trap is sent in case a station tries to access the mGuard's SNMP agent without proper authorisation.
Link Up/Down
- activate traps: Yes / No
- enterprise oid: m
161. mode the mGuard is set, the page will change and only display the configuration parameters which are required for that mode.
Stealth (factory setting except mGuard delta and blade controller)
Stealth mode is only used when a single computer is locally connected to the device. In this mode, the device can be simply integrated (inserted) into an existing network connection of the respective computer. In this case, simply insert the mGuard into the network line (see the illustration in the section "Connect the mGuard smart" on page 24). The mGuard will analyze the network traffic passing through it and configure its network connection accordingly. It will then operate transparently, i.e. without requiring that the client be reconfigured. As in the other cases, the mGuard supports the Firewall and VPN security functions in this mode of operation as well. DHCP data (received from outside) will be passed through to the connected client.
In case a firewall is installed on the client, it must be configured to allow ICMP Echo Requests (ping). Otherwise the mGuard won't be able to use services like VPN, DNS, NTP, etc.
In Stealth mode the mGuard uses 1.1.1.1 as its internal IP address, which is accessible when the client's configured default gateway is also accessible.
Router (factory setting mGuard delta and blade controller)
If the mGuard is not in Stealth mode, it serves as a gateway between different n
162. on:
- the sender's port (source port)
- the recipient's port (destination port)
- a checksum covering the header and some information from the IP header (among others the source and destination IP addresses)
If a computer is connected to a network, the operating system creates a routing table internally. It lists the IP addresses that the operating system has identified based on the connected computers and the routes available at that moment. Thus the routing table contains the feasible routes (destinations) for sending IP packets. If IP packets are ready for sending, the computer's operating system compares the IP addresses stated in the IP packets with the entries in the routing table to determine the right route.
If a router is connected to the computer, and if its internal IP address (i.e. the IP address of the router's LAN port) has been relayed to the operating system as the standard gateway (in the network card's TCP/IP configuration), this IP address will be used as the destination if all other IP addresses in the routing table don't match. In this case the router's IP address specifies the default route, because all IP packets (by default, "the standard") whose IP address has no counterpart in the routing table (i.e. can't find a route) are directed to this gateway.
Also: Dynamic DNS provider. Every computer which is connected to the Internet has an IP address (IP = Internet Protocol). An IP address consists of a
163. on page 39. Continue from this point onwards in this case.
If the computer's network interface has not yet been configured:
If the system which will be used to configure the device was not previously connected to a network, e.g. because the computer is new, its network interface will generally not be configured yet. This means that the system has not yet been "informed" that network traffic should be handled by this interface. In this case, you must initialize the default gateway by assigning it a dummy value. To accomplish this, proceed as follows:
Initializing the default gateway
1. Determine the currently valid default gateway address. If you are using Windows XP, click on Start, Control Panel, Network Connections. Right-click on the icon of the LAN adapter and then click on Properties in the pop-up menu. In the dialog Internet Protocol Properties on the General tab, select Internet Protocol (TCP/IP) under "This connection uses the following items" and then click on the Properties button to open the following dialog:
(Screenshot: Internet Protocol (TCP/IP) Properties, General tab: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Options: Obtain an IP address automatically / Use the following IP address; fields shown: IP address 192.168.1.2, Subnet mask 255.255.255.0, Default gateway)
164. on profiles.
Directory: The directory on the server in which the configuration profile is located.
Filename: The name of the file in the directory defined above. In case no filename is defined here, the mGuard's serial number with the suffix ".atv" is used as the name of the configuration file.
Login: The login on the HTTPS server.
Password: The password on the HTTPS server.
Server Certificate: The certificate which authenticates the HTTPS server from which the configuration is fetched. It is used to prevent unauthorized configurations from being installed on the mGuard.
In case the configuration profiles contain the machine certificate or PSKs for VPN connections, the password should consist of at least 30 random upper- and lower-case letters and numbers, in order to prevent unallowed access to the keys. The HTTPS server should further only grant access to a single configuration profile per login and password. Otherwise users of other (or even compromised) mGuards may gain access to other configurations.
The IP address or the hostname specified under Server must be the same as the certificate's Common Name (CN) entry.
Self-signed certificates should not use the "key usage" extension.
In case the server certificate is self-signed, that server certificate must be imported here. In case the certificate was signed by a certification authority (CA), the CA's certificate must be imported here.
To install the certificate perform
165. onal internal
(Network table residue, reconstructed:)
Network B, 192.168.15.0/24, gateway 192.168.11.2:
System | IP address | Netmask
B1 | 192.168.15.2 | 255.255.255.0
B2 | 192.168.15.3 | 255.255.255.0
B3 | 192.168.15.4 | 255.255.255.0
B4 | 192.168.15.5 | 255.255.255.0
Network C, 192.168.27.0/24, gateway 192.168.11.2:
System | IP address | Netmask
C1 | 192.168.27.1 | 255.255.255.0
C2 | 192.168.27.2 | 255.255.255.0
C3 | 192.168.27.3 | 255.255.255.0
C4 | 192.168.27.4 | 255.255.255.0

7 The Rescue Button: restart, recovery procedure and to flash the firmware
The Rescue Button is used to set the device in one of the following states:
7.1 Performing a Restart
Objectives: To restart the device using the configured settings.
Action: Press the Rescue Button for ca. 1.5 seconds:
- blade, PCI: until both red LEDs light
- delta: until the Status LED stops blinking
- EAGLE: until the Status LED and the Link LEDs go off
- smart: until the middle LED lights up in red
OR
- Disconnect the power briefly.
- mGuard PCI: restart the computer in which the mGuard PCI card is installed.
7.2 Performing a Recovery
Objectives: It is not possible to access the mGuard and the network configuration is to be set to factory defaults. All mGuard versions (except the mGuard delta and blade controller) will be switched to Stealth mode with the IP address 1.1.1.1. The mGuard delta and the mGuard blade controller will be switched to Router mode with the IP address 192.168.1.1. Additionally th
166. ored.
In stealth mode the real IP address is to be used for the client or left at 0.0.0.0/0, as only one client can be addressed through the tunnel.
Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
As in the previous sections, you have the following options when making the entries:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
From IP / To IP: 0.0.0.0/0 means all addresses. To enter an address space, use the CIDR notation; see "CIDR (Classless InterDomain Routing)" on page 135.
From Port / To Port (this is only evaluated by the TCP and UDP protocols): any means each and every port; startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110).
Action: Accept means that the data packets should be passed through. Reject means that the data packets should be rejected so that the sender is informed that the data packets have been rejected. (In Stealth mode, Reject has the same effect as Drop.) Drop means that the data packets should not be passed through. The data packets will be discarded so that the sender will not be informed as to what happened to them.
Comment: An informational comment for this rule.
Log: You can specify, for each individual firewall rule, whether the use of the rule should be
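The rule semantics described in this entry and in the incoming-rules entry (153 entries earlier the same options appear for incoming rules), implemented as an added example that is not code from the manual: top-down first match, CIDR matching of From IP / To IP, port specifications (any, startport:endport, number or service name), Accept / Reject / Drop, Reject behaving as Drop in Stealth mode, and drop-by-default when no rule matches. The `SERVICES` table is a constructed stand-in for /etc/services and the sample rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service-name table standing in for /etc/services (assumption, not the device's).
SERVICES = {"pop3": 110, "smtp": 25, "http": 80, "https": 443, "ssh": 22}


def parse_port(spec: str) -> Tuple[int, int]:
    """'any' -> whole range; 'start:end' -> inclusive range; number or service name -> one port."""
    spec = spec.strip().lower()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (parse_port(lo)[0], parse_port(hi)[1])
    port = int(spec) if spec.isdigit() else SERVICES[spec]   # unknown name -> KeyError, not "any"
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {spec}")
    return (port, port)


@dataclass
class Rule:
    protocol: str            # "All", "TCP", "UDP" or "ICMP"
    from_ip: str             # CIDR; 0.0.0.0/0 means all addresses
    to_ip: str
    from_port: str = "any"   # only evaluated for TCP and UDP
    to_port: str = "any"
    action: str = "Accept"   # Accept | Reject | Drop
    log: bool = False
    comment: str = ""


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "All" and rule.protocol.upper() != pkt.protocol.upper():
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip, strict=False):
        return False
    if pkt.protocol.upper() in ("TCP", "UDP"):       # ports are ignored for ICMP and others
        lo, hi = parse_port(rule.from_port)
        if not lo <= pkt.sport <= hi:
            return False
        lo, hi = parse_port(rule.to_port)
        if not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, stealth: bool = False,
             default: str = "Drop") -> Tuple[str, Optional[int], bool]:
    """First matching rule from the top decides. Returns (action, rule number or None, log flag)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            action = rule.action
            if stealth and action == "Reject":
                action = "Drop"   # Stealth mode: Reject has the same effect as Drop
            return action, number, rule.log
    return default, None, False   # factory setting for incoming rules: drop everything else


# Constructed sample rule set and packets.
SAMPLE_RULES = [
    Rule("TCP", "0.0.0.0/0", "192.168.1.0/24", "any", "pop3", "Accept", log=True, comment="mail pickup"),
    Rule("TCP", "10.0.0.0/8", "0.0.0.0/0", "any", "110:120", "Reject", comment="tell 10/8 senders"),
    Rule("ICMP", "0.0.0.0/0", "0.0.0.0/0", action="Accept", comment="ping needed in Stealth mode"),
]
SAMPLE_PACKETS = [
    Packet("TCP", "203.0.113.7", "192.168.1.10", 40000, 110),
    Packet("TCP", "10.2.3.4", "172.16.0.1", 5000, 115),
    Packet("UDP", "10.2.3.4", "172.16.0.1", 53, 53),
    Packet("ICMP", "192.0.2.9", "192.168.1.10"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```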
167. enclosed by < and > are replaced by the respective data in the log entries.
General messages:
blade daemon <version> starting
Blade <bladenr> online
Blade <bladenr> is mute
Blade <bladenr> not running
Reading timestamp from blade <bladenr>
When activating a configuration profile on a blade:
Push configuration to blade <bladenr>
reconfiguration of blade <bladenr> returned <returncode>
blade <bladenr>: <text>
When retrieving a configuration profile from blade:
Pull configuration from blade <bladenr>
Pull configuration from blade <bladenr> returned <returncode>
The Anti-Virus Log contains the following messages from the virus filter:
- The names of any viruses found together with the following information: name of the file and, in the case of an e-mail, the sender, date and subject.
- Warnings sent whenever the system has passed a file through unscanned because it was larger than the maximum file size.
- Startup and shutdown of the virus filter programs.
- Error messages from the scan engine and the virus filter.
Error Messages
Virus Detection: A virus has been detected. The error message includes the name of the virus, the sender of the e-mail, the date sent and the name of the infected file or the name of the compressed archive file and the infected portion of this archive.
An example of a virus message: mGuard detected a
168. Booting up: After connecting the device to the power supply. After a few seconds, the LED will switch to a "heartbeat".
Green flashing: Heartbeat. The device is correctly connected and functioning.
Red flashing: System error. Perform a system restart. To accomplish this, briefly press the Rescue key (1.5 sec) OR disconnect the device from its power supply briefly and then reconnect it. If the error occurs again, start the Recovery procedure (see "Performing a Recovery" on page 137) or contact Support.
1 and 3, Green on or flashing: Ethernet status. LED 1 shows the status of the internal interface (LAN), LED 3 the status of the external interface (WAN). As soon as the device is connected to the interface, the LED will be on continuously to indicate that there is a connection to the network. The LEDs will flash when data packets are transferred.
1, 2, 3, various LED codes: Recovery mode. After pressing the Rescue key. See "The Rescue Button: restart, recovery procedure and to flash the firmware" on page 137.
3.5 mGuard PCI
(Figure: LED positions on the card: LAN green, LAN red, WAN green, WAN red)
LEDs | State | Meaning
WAN Red | flashing | Booting up. After starting or restarting the computer.
LAN Red, WAN Red | flashing | System error. Perform a system restart. To accomplish this, briefly press the Rescue key (1.5 sec) OR restart your comp
169. applies has logged in (see "Network security > User firewall" on page 110).
User Authentication > Firewall Users
(Screenshot: User Authentication > Firewall Users tab with the Users table and the RADIUS Servers tab)
List of firewall users, their user names and authentication methods.
Activate User Firewall: Yes / No. Under the menu item User Firewall, firewall rules can be defined and assigned to specific external users. By clicking Yes, you specify that the firewall rules for the listed users are to be activated as soon as the corresponding user logs in.
Enable group authentication: Yes / No. If enabled, the mGuard will forward login requests for unknown users to the RADIUS server. On success, the RADIUS server's reply will contain a group name. The mGuard will then enable user firewall templates containing this group name as a user name. The RADIUS server must be configured to deliver this group name in the "Access-Accept" packet as a "Filter-Id: <groupname>" attribute.
User Name: Name of the user.
Authentication method: Radius / Local.
Local: In the column User Password, the password must be entered that has been assigned to the user.
Radius: If a user logs in, the mGuard transmits the login and password entered to the RADIUS server for verification. If the verification is positive, the user will gain access.
User Authentication > Remote Users / RADIUS Servers
RADIUS
170. r in the field. The mGuard thereby provides the services of a VPN gateway.
On the external computers an IPsec-capable VPN client must be installed in case the computer's operating system does not provide such a service.
(Figure: two buildings connected over the Internet via an IPsec-protected WLAN; auxiliary building network 192.168.2.0/24, WLAN, main building network 192.168.1.0/24)
Two buildings of a company are to be connected with an IPsec-protected WLAN connection. From the auxiliary building it shall also be possible to use the main building's internet connection.
In this example the mGuards were switched into router mode and a separate network with addresses of 172.16.1.x was created for the WLAN. Since the internet should also be available via the VPN from the auxiliary building, a "Default route over VPN" must be configured.
Auxiliary building tunnel configuration:
Connection type: Tunnel (Net <-> Net)
Local network address: 192.168.2.0/24
Remote network address: 0.0.0.0/0
In the main building the appropriate counterpart to the connection is to be configured.
Solving Network Conflicts
Main building tunnel configuration:
Connection type: Tunnel (Net <-> Net)
Local network address: 0.0.0.0/0
Remote network address: 192.168.2.0/24
The default route of an mGuard is usually directed over its WAN port. But in this case the internet is reachable v
171. for up to 65,536 hosts (256 x 256).
Obviously, such a huge network is not practical. At this point, one can see a need for subnetworks. The standard answers this need with the Subnet Mask. Like an IP address, this mask is 4 bytes long. The bytes which represent the network address are each assigned the value 255. The main purpose of the mask is to "borrow" a portion of the host address which can then be used to address the subnetworks. As an example, by using the subnet mask 255.255.255.0 in a Class B network (2 bytes for the network address, 2 bytes for the host address), the third byte, which was actually intended for host addressing, can now be used for subnet addressing. With this configuration, the company's network could support 256 subnetworks that each have 256 hosts.
IP Security (IPsec) is a standard which uses encryption to verify the authenticity of the sender and to ensure the confidentiality and integrity of the data in IP datagrams (> Datagram). The components of IPsec are the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA) and the Internet Key Exchange (IKE).
At the start of the session, systems which wish to communicate must determine which technique shall be used and the implications of this choice for the session, e.g. Transport Mode or Tunnel Mode. In Transport Mode, an IPsec header will be inserted between the IP header and the TCP or UDP header respectively in each IP data
172. accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
173. Inserting, moving and deleting rows is explained under "Working with tables" on page 43.
You must enter the following data when assigning IP and MAC addresses:
Client MAC address: The MAC address of the client. Please enter without spaces or hyphens.
Client IP address: The IP address you wish to assign to the MAC address.
- The statically assigned IP addresses take priority over the dynamic IP address pool.
- Static IP addresses and pool addresses must not overlap.
- Do not assign one IP address to several MAC addresses, otherwise several clients will be assigned the same IP address.
- You should only use one DHCP server per subnetwork.
DHCP mode > Relay
(Screenshot: Network > DHCP > External DHCP: Mode (DHCP mode), DHCP Relay Options: DHCP Servers to relay to, Append Relay Agent Information (Option No. 82))
If the DHCP mode is set to Relay, the following options are available:
DHCP Relay Options
DHCP servers to relay to: A list of DHCP servers to which DHCP requests are to be passed on.
Append Relay Agent Information (Option 82): When this option is set to Yes, additional information according to RFC 3046 will be added.
6.5 Menu User Authentication
6.5.1 User Authentication > Local Users
Passwords
The term local users refers to users who have the right, depending on their access permission level, to configure mGuard ("root" and "administrator" access permission) or to use it ("user" access permission).
174. X.509 Certificate / Pre-Shared Key. Depending on which option you have chosen, the page will present you different possibilities for adjustments.
Authentication method: X.509 Certificate
(Screenshot: IPsec VPN > Connections > nausicaa > Authentication: Authentication method "X.509 Certificate", file name *.cer)
These methods are supported by most of the newer IPsec implementations. In this case, the mGuard uses the public key of the remote site (filename *.cer or *.pem) to encrypt the authentication datagram before it sends it to the remote site (the "tunnel end"). You must have received this *.cer or *.pem file from the operator at the remote site, perhaps on a floppy disc or attached to an e-mail.
To make this public key available to the mGuard, proceed as follows:
Prerequisite: The *.cer or *.pem file must have been saved on the configuration system.
1. Click on Browse... and select the file.
2. Click on Import.
After the import, the contents of the new certificate will be displayed. An explanation of the information displayed can be found in the chapter "Machine Certificate" on page 113.
Authentication method: Pre-Shared Secret Key (PSK)
(Screenshot: IPsec VPN > Connections > nausicaa > Authentication: Authentication method "Pre-Shared Secret Key (PSK)" with a sample key entered)
This method is mainly used by older IPsec implementations. I
175. shed.
Restore profile from the ACA: Plug the ACA in the mGuard's V.24/USB socket. Start the mGuard while the ACA is plugged in. The mGuard's password has to be either "root" or correspond to the password designated when saving the profile. The STATUS LED (and also the V.24 LED in case of an ACA11) will flash until the loading process has ended.
Result: The configuration profile loaded from the ACA is loaded into the mGuard and launched. It does not appear in the list of configuration profiles stored on the mGuard.
The configuration on the ACA also includes the root, admin and user passwords, which will also be used when restoring a configuration from the ACA.
6.2.6 Management > SNMP
Query
(Screenshot: Management > SNMP > Query. Settings: Enable SNMPv3 access; Enable SNMPv1/v2 access; Port for incoming SNMP connections (external interface only); SNMPv1/v2 Community: Read-Write Community, Read-Only Community; Allowed Networks table)
These rules allow to enable SNMP access.
Important: Make sure to set secure passwords for SNMPv3 before enabling remote access.
Note: In Stealth mode incoming traffic on the given port is no longer forwarded to the client.
Note: In router mode with NAT or port forwarding the port set here has priority over port forwarding.
Note: Enabling SNMP access automatically accepts incoming ICMP packets.
Note: The SNMP access from the internal side is allowed by default an
176. since the proxy will then only take requests addressed to the servers given in the list.
Server Port: Enter the number of the port for the FTP protocol in this field. The default setting for the FTP port is 21.
Comment: An informational comment for this rule.
Scan: Scan means the virus filter is activated for the server specified in this rule. No Scan means the virus filter is deactivated for the server specified in this rule.
6.8 Menu Email Security (not on blade control unit)
6.8.1 Email Security > POP3
Virus Protection / Options
Requirements: The following requirements must be fulfilled for the use of the virus filter:
- Anti-virus license has been installed. Instructions on how to request and install a license can be found under the section "Management > Update" on page 54.
- Access to an update server with the current versions of the virus signatures (see section "Management > Update" on page 54).
(Screenshot: Email Security > POP3 > Virus Protection. Options: Enable content scanning for POP3: Yes; POP3 maximum filesize for scanning (in MB); Action for infected mails: Notify email client by error message; Action for mails exceeding maximum message size: Let message pass unscanned. Servers table: server 0.0.0.0/0, server port 110, Enable scan: Scan.)
Note: Both global content scanning for POP3 must be enabled and firewall rules defining the IP address range to be scanned must be set
177. switches to detect and avoid loops in the network topology. By setting this switch to Yes, STP frames are allowed to traverse the mGuard in Stealth mode.
Allow forwarding of DHCP frames: Allow the client to retrieve an IP address using DHCP independently from the outgoing firewall rules. This switch is set to Yes per default.
6.6.2 Network Security > NAT
Masquerading
(Screenshot: Network Security > NAT. Network Address Translation/IP Masquerading table with From IP 0.0.0.0/0; 1:1 NAT table with Local network and External network columns. Notes on the page: These rules let you specify which IP addresses (normally addresses within the private address space) are to be rewritten to the mGuard's IP address. Please note: These rules won't apply to the Stealth mode.)
Network Address Translation/IP Masquerading: Lists the rules set for NAT (Network Address Translation). In the case of outgoing data packets, the device can translate the sender's IP address (From IP) in the internal network to the device's own external address. This technique is called NAT (Network Address Translation).
1:1 NAT
This method is used whenever the internal address cannot or should not be routed externally, e.g. since it is in a private address space such as 192.168.x.x or because you wish to keep the internal network structure hidden. This method is also called IP Masquerading.
If the mGuard
178. t in size: the two parts of the address differ in length.

Figure: byte layout of the address classes (1st to 4th byte). Class A: 1 byte network address, 3 bytes host address. Class B: 2 bytes network address, 2 bytes host address. Class C: 3 bytes network address, 1 byte host address.

Whether the IP address of a device in a network is Class A, B or C can be seen in the first byte of the IP address. The following has been specified:

Class   | Value of the 1st byte | No. of bytes for the network address | No. of bytes for the host address
Class A | 1 - 126               | 1                                    | 3
Class B | 128 - 191             | 2                                    | 2
Class C | 192 - 223             | 3                                    | 1

As you can see, there can be a worldwide total of 126 Class A networks and each of these networks can have a maximum of 256 x 256 x 256 hosts (3 bytes of address space). There can be 64 x 256 Class B networks and each of these networks can have up to 65,536 hosts (2 bytes address space, 256 x 256). There can be 32 x 256 x 256 Class C networks and each of these networks can have up to 256 hosts (1 byte address space).

Subnet Mask: Normally, a company's network (with access to the Internet) is only officially assigned a single IP address, e.g. 123.456.789.21. Based on the first byte of this sample address, one can see that this company network is a Class B network and therefore the last 2 bytes are free to be used for host addresses. With a Class B network, the company network has address space fo
179. t max. 99 MBit/s.
- Individual firewall rules for different users (user firewall).

Anti-Virus features
- ClamAV virus protection
- Supported protocols: HTTP, FTP, POP3 and SMTP (sending)
- The virus filter can decompress the following formats: ZIP, RAR, GZIP, BZIP2, TAR, MS OLE2, MS Cabinet files (CAB), MS CHM (compressed HTML), MS SZDD, UPX, FSG, Petite

VPN features
- Protocol: IPsec (Tunnel and Transport Mode)
- IPsec DES encryption (56 bit)
- IPsec 3DES encryption (168 bit)
- IPsec AES encryption (128, 192 and 256 bit)
- Packet authentication: MD5, SHA-1
- Internet Key Exchange (IKE) with Main and Quick Mode
- Authentication: Pre-Shared Key (PSK), X.509v3 certificate
- DynDNS

Additional features
- Support for NAT-T
- Dead Peer Detection (DPD)
- Hardware encryption
- Up to 250 VPN tunnels (please refer to the feature table)
- VPN throughput max. 35 MBit/s on 266 MHz or 70 MBit/s on 533 MHz models
- IPsec firewall and 1:1 NAT
- Default route over VPN
- MAU management
- Remote logging
- Router/Firewall Redundancy
- IPsec/L2TP Server
- LLDP
- Administration by SNMP v1-v3 (please refer to the feature table) and Innominate Device Manager (IDM)

In case of problems with the mGuard please contact your local dealer. Additional information about the device and relevant changes as well as release notes and software updates can be found on our web site: http://www.innominate
180. tealth (factory setting, except mGuard delta and blade controller)

Screenshot: Network > Interfaces page. Network Status: External IP address, Network Mode Status, Active Defaultroute. Network Mode: Stealth configuration (autodetect). Stealth Management IP Address: IP address, Netmask, Default gateway, Use Management VLAN, Management VLAN ID.

Stealth Management IP Address: Here you can specify an additional IP address to administrate the mGuard. If you have set "Stealth configuration" to "multiple clients", remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature.

Network Mode: Stealth configuration (autodetect / static / multiple clients)

autodetect (Standard): The mGuard will analyse the network traffic, configure its network interface accordingly and will then function transparently. For special cases, you can also preset these values, e.g. in the following case: The connected computer only accepts incoming connections, so that it is not possible for the mGuard to configure automatically.

static: If the mGuard cannot analyse the network traffic passing through (e.g. because the locally connected computer only receives data), the Stealth configuration must be set to Static.

multiple clients: Like autodetect, but it is possible to use multiple devices and IPs on the mGuard's internal interface (LAN). For technical reasons VPN can't be used with this mode.

Stealth Management IP Address: Network
181. ted data.

To enable the user of the public key (which will be used to encrypt the data) to be sure that the public key that he/she has received is really from its issuer, and thus from the instance which should later receive the data, it is possible to use certification. A Certification Authority (CA) certifies the authenticity of the public key and the associated link between the identity of the issuer and his/her key. The certification authority will verify authenticity in accordance with its rules, which may, for example, require that the issuer of the public key appear before it in person. Once authenticity has been successfully certified, the certification authority will add its digital signature to the issuer's public key. The result is a Certificate.

An X.509 v3 Certificate thus includes a public key, information about the key owner (given as its Distinguished Name (DN)), the authorized usage etc., and the signature of the certification authority.

The signature is created as follows: The certification authority creates an individual bit sequence, which is known as the HASH value, from the bit sequence of the public key, the information about its owner and other data. This sequence may be up to 160 bits long. The certification authority encrypts this with its own private key and then adds it to the certificate. The encryption with the certification authority's private key proves the authenticity of the certificate, i.e. the encrypted HASH string
182. tgoing TCP connections (SYN) per second (Default: 75)

Maximum number of new incoming TCP connections (SYN) per second (Default: 25)

These two settings define upper limits for the allowed incoming and outgoing TCP connections per second. The default values will never be reached in normal operation. However, since they can be easily reached in the event of an attack, the limits provide additional security. If your operational environment has special requirements, you can increase these values.

Maximum number of outgoing "ping" frames (ICMP Echo Request) per second (Default: 5)

Maximum number of incoming "ping" frames (ICMP Echo Request) per second (Default: 3)

These two settings define upper limits for the allowed incoming and outgoing ping frames per second. The default values will never be reached in normal operation. However, since they can be easily reached in the event of an attack, the limits provide additional security. If your operational environment has special requirements, you can increase these values.

Stealth Mode

Maximum number of outgoing ARP requests or ARP replies per second (in each case) (Default: 500)

Maximum number of incoming ARP requests or ARP replies per second (in each case) (Default: 500)

These two settings define upper limits for the allowed incoming and outgoing ARP requests and ARP replies per second. The default values will never be reached in normal operation. However, since they can be easily rea
183. that exist between the LAN ports of the two mGuards and between their WAN ports fails, the backup becomes the master. The Virtual Router Redundancy Protocol (VRRP) utilised by the mGuard can't, however, inform the master of this while it is still operating. With ICMP checks (ICMP ping), the master can check its connections to the backup and deactivate itself in case its internal or external connections to the backup failed.

Enable ICMP Checks: The master mGuard will check the connection to the backup mGuard using the ICMP ping protocol. In case the backup mGuard cannot be reached, the hosts to check via ICMP in the external/internal network will be tried. If these checks fail as well, the master mGuard will deactivate itself.

Hosts to check via ICMP in the external network: Hosts in the external network to be checked. The hosts have to be able to answer the ICMP echo requests.

Hosts to check via ICMP in the internal network: Hosts in the internal network to be checked. The hosts have to be able to answer the ICMP echo requests.

6.10.2 Ring/Network Coupling

Screenshot: Redundancy > Ring/Network Coupling > Settings page.

Enable Ring/Network Coupling (Dual Homing): Yes / No. When activated, the link status of one Ethernet port will be transferred to the other Ethernet port, whereby interruptions in the network can be traced more easily.

Redundancy Port: Internal / External. Interna
184. the key, the longer the time required by the encryption process. This latter point, however, is of no consequence for the mGuard, since it uses a hardware-based encryption technique. However, this aspect may be of significance for the remote site. The algorithm designated as "Null" performs no encryption.

Hash Algorithm: Leave this setting on "All algorithms". With this setting, it does not matter whether the remote site uses MD5 or SHA-1.

IPsec SA (Data Exchange): In contrast to ISAKMP SA (Key Exchange) (see above), this setting determines the method used for the exchange of data. This may be different from the Key Exchange but need not be.

Encryption Algorithm: See above.

Hash Algorithm: See above.

Perfect Forward Secrecy (PFS): This method is used to increase the security of the data transfer. In IPsec, the key used for the data exchange is changed at certain intervals. In the case of PFS, a new random number is negotiated with the remote site instead of deriving it from a previously agreed-on random number. Do not set this to Yes unless the remote site also supports PFS. If you select the connection type Transport (L2TP/Microsoft Windows), set Perfect Forward Secrecy (PFS) to No.

Lifetimes: The keys of an IPsec connection will be renegotiated at certain intervals to increase the costs of an attack on the IPsec connection.

ISAKMP SA Lifetime: The lifetime of the ISAKMP SA keys in seconds. The factory default
185. the necessary diagnostic information. This function prepares a compressed file (in tar format) containing all of the current configuration settings and log entries which could be relevant to the diagnosis of errors. This file does not contain any private information such as the private machine certificate or the passwords.

To take a snapshot, proceed as follows:
1. Click on Download.
2. Save the file under the name snapshot.tar.gz.
Please make the file available to the support, if requested.

6.13 CIDR (Classless InterDomain Routing)

IP netmasks and CIDR are notations which define an address space containing multiple IP addresses. In this case, an address space in which the addresses follow one another sequentially is treated as a network. To define a range of IP addresses for the mGuard, e.g. when configuring the firewall, it may be necessary to use the CIDR notation to specify the address.

Table: IP netmasks (from 255.255.255.255 down to 0.0.0.0, with the octet values 255, 254, 252, 248, 240, 224, 192, 128 and 0), their binary representation, and the corresponding CIDR notation.

Example: 192.168.1.0 / 255.255.255.0 corresponds to 192.168.1.0/24 in CIDR notation.
186. tion for HTTP: Yes / No. In the case of Yes, files received are scanned for viruses by the mGuard if they arrive via HTTP connections contained in the list of HTTP servers defined below.

Scanning up to a pre-set volume of 5 MB: The maximum size of the files to be checked is specified here. Files that are larger are not scanned. Depending on the "When size limit is exceeded" setting, an error message is sent to the browser in the event of a file exceeding the size limit, or the system automatically switches to throughput mode. If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message will be sent to the user's client software (browser or download manager) and an entry will be written to the anti-virus log. In this case, you have the following options:
- You can try again later to download the file.
- You can temporarily deactivate the virus filter for the corresponding server.
- You can set the parameter to "Let the data pass unscanned".

Action for infected web content: Notify with browser error. If the virus filter detects a virus in the data transferred from an HTTP server to the HTTP client, an error message will be sent to the HTTP client. The handling of this error message depends on the respective HTTP client. A web browser will display the error message in the form of an HTML page. If a file that is downloaded within an HTML page (e.g. a graphic file) is infected, this fil
187. tion must either be
- connected to the mGuard's LAN switch (Ethernet jack 4 to 7), or
- connected to it via the local network.
In the case of a remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must function.

The EAGLE mGuard must be connected to an active power supply. In a local configuration: The system that you use for performing the configuration must either be
- connected to the LAN jack of the mGuard, or
- connected to it via the local network.
In the case of a remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must function.

The mGuard must be connected to a power supply. In other words, its USB cable must be connected to a system (or power supply) that is ON. In a local configuration: The system that you use for performing the configuration must either be
- connected to the mGuard's Ethernet plug, or
- connected to it via the local network.
In the case of a remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must function.

In a local configuration: The system that you use for performing the configuration must either be
- equipped with the mGuard drivers when using the Driver Mode, or
- connected to it via the LAN Eth
188. traps: Yes / No

Table columns: enterprise oid | generic trap | specific trap | additional | Description

mGuardTrapAV | enterpriseSpecific | mGuardTrapAvUpdateError (2) | mGuardTResAvUpdateError | Error when performing AV Update
mGuardTrapAV | enterpriseSpecific | mGuardTrapAvFailed (5) | mGuardTResAvFailed | General AV failure

Found virus or skipped scanning (activate traps: Yes / No)

mGuardTrapAV | enterpriseSpecific | mGuardTrapAvVirusDetected (3) | mGuardTResAvVirusDetected | AV found a virus
mGuardTrapAV | enterpriseSpecific | mGuardTrapAvFileNotScanned (4) | mGuardTResAvFileNotScanned | The file was not scanned for viruses

User firewall traps: Yes / No (columns: enterprise oid, generic trap, specific trap, additional, Description)

SNMP Trap Destinations

Redundancy Traps
- Status change (activate traps: Yes / No)

mGuardTrapRouterRedundancy | enterpriseSpecific | mGuardTrapRouterRedundancyStatusChange (1) | mGuardTResRe
189. try must be an IP address, not a hostname. This function does not support hostnames, since if it did, it would not be possible to log the loss of a DNS server.

Log Server port: Enter the port of the log server to which the log entries should be sent via UDP. Standard: 514.

6.11.2 Logging > Browse local logs

Common

Screenshot: Logging > Browse local logs page showing example log entries (user firewall template settings being inserted, USERFW_ENABLE changed to yes, userfwd server startup, userfwd login entries applying and removing rule 32768 for individual users and IP addresses, and an sshd "Accepted publickey for root" entry).
190. ture files can be updated from a selected update server at intervals defined by the user. The update is performed without interrupting the operation of the anti-virus filter. The mGuard is delivered without any virus signatures installed. Therefore, after the anti-virus protection has been activated with the corresponding license, you should also set the update schedule. The course of the updates can be examined in the Anti-Virus Update log.

Schedule

Update Schedule: This parameter is used to set how often the signature files are updated. The size of the signature file is about several MByte. The system will only download the changed files from the update server.

Update Servers for AVP: You can select the server from which the updated signature files should be downloaded. A default server has already been entered. If necessary, you can enter your own servers. The list of servers will be processed from the top down until an available server is found. Inserting, moving and deleting rows is explained under "Working with tables" on page 43.

Proxy Settings: When the mGuard is located behind a firewall which restricts HTTP or FTP access to use a proxy server, the following rows can be used to specify the required proxy settings.
- For the proxy server to be used, the fields HTTP/FTP Proxy Server and Port must be set.
- To authenticate with the proxy server, the fields Login and Password must be set.

HTTP/FTP Proxy Server
191. twork (Internet or WAN). The external IP address, under which the mGuard can be reached from a remote site, is assigned by the Internet Service Provider.

If the mGuard is operated in PPPoE mode, you must set it as the standard gateway in the locally connected client computers. In other words, the address entered for the standard gateway must be the internal IP address of the mGuard. See "Initializing the default gateway" on page 35. If the mGuard is in PPPoE mode, NAT must be activated to enable access to the Internet (see "Network Address Translation/IP Masquerading" on page 93). If NAT is not activated, the device will only allow VPN connections.

- PPTP: This mode is similar to PPPoE mode. In Austria, for example, PPTP is used instead of the PPPoE protocol for DSL connections. PPTP is a protocol originally designed by Microsoft for VPN connections.

If the mGuard is operated in PPTP mode, you must set it as the standard gateway in the locally connected client computers. In other words, the address entered for the standard gateway must be the internal IP address of the mGuard. See "Initializing the default gateway" on page 35. If the mGuard is operated in PPTP mode, you should activate NAT to allow access to the Internet from the local network (see "Network Address Translation/IP Masquerading" on page 93). If NAT is not activated, the device will only allow VPN connections.

When the Network Mode has
192. twork parameters that should be used by the client(s).

DHCP range start / DHCP range end: The start and end of the address range from which the mGuard's DHCP server should assign IP addresses to its locally connected clients.

Local Netmask: The factory setting is 255.255.255.0.

Broadcast IP: The clients' broadcast IP.

Default gateway: This field is used to define which IP address should be used by the client(s) as the standard gateway. Usually this is the internal IP address of the mGuard.

DNS server: This field is used to define the Domain Name Service (DNS) server which the clients can access to find out the IP address that is associated with a specific domain name. If you would like to use the DNS service of the mGuard, use the internal address of the mGuard for this field.

WINS server: This field is used to define the Windows Internet Naming Service (WINS) server.

Static mapping: You can find out the MAC address of your client by using the following commands:

Windows 95/98/ME: Click on the Start button, and then click on Run. Type winipcfg in the Open box, and then click on OK. The MAC address will be shown as "Adapter Address".

NT/2000/XP: Select the Start button on the Task Bar. Select Run. Type cmd.exe. When the DOS command prompt window opens, type ipconfig /all. The MAC address will be shown as "Physical Address".

Linux: Start /sbin/ifconfig or ip link show in a shell.

Inserting, moving and deleting
193. urity certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate has expired or is not yet valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?

Explanation: Since administrative tasks can only be performed when a secure (encrypted) access has been established to the device, a certificate signed by the device will be returned. Acknowledge the associated security notice by clicking on Yes.

Afterwards: Configuring the device. The login window is displayed.

Screenshot: login window with the fields Username (root), Password and Access Type (Administration).

Choose the Access Type (Administration or User Firewall) and enter your username and password for this access type. Please see "Network Security > User Firewall" on page 99 for an explanation of the User Firewall.

The factory settings for the Administration are: Login: admin, Password: mGuard.

Please note: these entries are case sensitive.

To configure the device you can make the required changes on the various pages of the mGuard's web interface. Please see "Configuration" on page 43.

For reasons of security, we recommend that you change the default Root and Administrator passwords during the first configuration (please see "User Authentication > Local Users" on page 86
194. uter. If the error occurs again, start the Recovery procedure (see "Performing a Recovery" on page 137) or contact Support.

WAN / LAN, Green, on or flashing: Ethernet status. Shows the status of the LAN and WAN interface. As soon as the device is connected to the network, the LEDs will be on continuously to indicate that there is a connection. The LEDs will flash when data packets are transferred.

WAN Green / WAN Red / LAN Green, various LED codes: Recovery mode, after pressing the Rescue key. See "The Rescue Button: restart, recovery procedure and to flash the firmware" on page 137.

4 Startup

Safety instructions: The Innominate mGuard is intended for protective low-voltage operation. Only connect the mGuard's network interfaces to LAN installations. Some telephone lines also use RJ45 jacks. The mGuard must not be operated on a telephone line.

Warning (mGuard PCI): Before handling the mGuard PCI, touch the bare metal case of your PC to discharge static electricity from your body.

Warning: This is a Class A device. It may cause radio interference in a living area, in which case the operator may be requested to take appropriate measures.

General notes regarding usage:
- mGuard PCI: Your PC must provide a free PCI slot (3.3V or 5V).
- Use a soft cloth to clean the case of the device. Do not use any aggressive solvents.
- Environmental conditions: 0 to 40 °C (blade, smart, delta), 70 °C (PCI), 55 °C
195. uter Mode with Driver Mode

Screenshot: Router Mode with Driver Mode / Power over PCI Mode diagram (Operating System 192.168.1.2, mGuard PCI 192.168.1.1, external IP).

In router mode it is possible to use PPPoE and PPTP. In this mode the mGuard and the network interface of the mGuard use a separate subnet. An example is shown in the illustration above: the mGuard's operating system interface could use the IP 192.168.1.1 and the mGuard could use the IP 192.168.1.2 (represented in the figure above by two black spheres). A third IP will be used on the WAN jack to communicate with a router or a PPPoE/PPTP capable DSL modem.

In this mode the software driver is not needed. The PCI interface is only used as a power supply, and another network interface card (installed in the same or another computer) must be connected to the Ethernet jack (3) instead.

Stealth Mode with Power over PCI Mode

Screenshot: Stealth Mode with Power over PCI Mode diagram (NIC 192.168.1.1, mGuard PCI, LAN 1.1.1.1).

In Power over PCI Mode the mGuard does not require a driver for the host operating system. The PCI bus is only used as a power supply. The LAN jack of the mGuard must be connected to another NIC using an Ethernet cable. At the WAN jack the mGuard automatically uses the IP address of the other network interface card. As soon as an external router is available the mGuard can be configured with a web browser at the URL https://1.1.1.1. In Stealth Mode it is not possi
196. uter mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: The HTTPS access from the internal side is enabled by default and can be restricted by firewall rules.

HTTPS Web Access: When HTTPS Remote Access is enabled, the mGuard can be configured (using its Web-based Administrator interface) from a remote system. In other words, a browser running on the remote system will be used to configure the local mGuard. This option is disabled by default.

IMPORTANT: If you enable remote access, make certain that you have secure root and administrator passwords.

To enable HTTPS remote access, proceed as follows:

Enable HTTPS remote access: Yes / No. If you want to enable a HTTPS connection, set this switch to Yes. In this case, make certain that the firewall rules on this page permit the mGuard to be accessed from a remote site.

Port for incoming HTTPS connections (remote administration only): Standard: 443. You can select a different port. If a different port has been selected, you must append the port number set here to the IP address of the device in the address provided by the remote site which will have remote access.

Example: If this mGuard can be found in the Internet at the address 123.456.789.21 and the Port Number 443 has been set as the port for remote access, you do not need to enter this port number after the address in the Web browser's address field on the remote system. If
197. virus. The mail could not be delivered.

Screenshot: example notification mail (found Virus: Email-Worm.Win32.NetSky.q; From: sick@example.com; Date: Fri, 13 Aug 2004 11:33:53 +0200; attachment about_you.zip / document.txt.exe; Message Details: From sick@example.com, Subject: Private document, Date: Fri, 13 Aug 2004 11:33:53 +0200).

Exceeded maximum filesize: The maximum filesize set for this protocol was exceeded. To transfer the file anyway, you can deactivate the virus filter either for the corresponding server for the course of the download or globally. Alternatively, you can set the "Action for ... exceeding the maximum message size" parameter to "Let the message data pass unscanned" for the respective protocol. In either case, the transferred file will not be scanned for viruses.

Temporary Virus Scanner Failure: A temporary error occurred while trying to scan a file. It is possible that the problem will be cleared if you repeat the transfer at a later time or if you update the virus signature file. Possible causes:
- The scan engine cannot process the file.
- The mGuard does not have enough memory available to decompress the file.
- Internal error in the scan engine.

Exceptional Virus Scanner Failure: A problem has occurred in the communication with the scan engine. For more details, please see the anti-virus log. Possible causes:
- The information entered for the update server is faulty and the signature update has failed (se
198. w device. To locate driver files and complete the installation click Next. What do you want the wizard to do? Search for a suitable driver for my device (recommended) / Display a list of the known drivers for this device so that I can choose a specific driver.

2. After inserting the mGuard CD choose "Search for a suitable driver for my device" and click on Next.

Screenshot: Found New Hardware Wizard, Driver Files Search Results. The wizard has finished searching for driver files for your hardware device. The wizard found a driver for the following device: Innominate mGuardPCI. Windows found a driver for this device. To install the driver Windows found, click Next. (netmgpci.inf)

3. Click on Next.

Screenshot: Digital Signature Not Found. The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested. The software you are about to install does not contain a Microsoft digital signature. Therefore, there is no guarantee that this software works correctly with Windows. Innominate mGuardPCI. If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available. Do you want to continue the installation? (Yes / No / More Info)

4. Click on Yes.
5. Click on Finish.

Screenshot: Found New Hardware Wizard, Completing the
199. which the original values are listed together with the corresponding new ones. When a reply datagram is received, the NAT router will recognize that it is actually for an internal computer from the datagram's destination port. Using the table, the NAT router will replace the destination IP address and port and pass the datagram on via the internal network.

The UDP and TCP protocols assign a port number to each peer participating in the connection. This way it becomes possible to handle more than one UDP or TCP connection between two peers at the same time. Fixed port numbers are assigned for certain frequently used application processes. These are called "Assigned Numbers". E.g. HTTP connections are usually established to TCP port 80 or POP3 connections to port 110.

PPPoE: The acronym for Point-to-Point Protocol over Ethernet. This protocol is based on the PPP and Ethernet standards. PPPoE defines how to connect users via Ethernet with the Internet via a jointly used broadband medium such as DSL, a Wireless LAN or a cable modem.

PPTP: The acronym for Point-to-Point Tunneling Protocol. This protocol was developed in a cooperation between Microsoft, U.S. Robotics and others to securely transfer data between VPN nodes (> VPN) via a public network.

X.509 Certificate: A type of "Seal" which certifies the authenticity of a public key (> asymmetrical encryption) and the associa
...with a browser error. If the virus filter detects a virus in the data transferred between the FTP server and the FTP client, an error message is sent to the FTP client. How this error message is handled depends on the respective FTP client.

Action for web content exceeding the maximum content size
   Let data pass unscanned: When this option is selected, the virus filter allows files which exceed the set file size to pass through unscanned. In this case the data is not checked for viruses.
   Block data: If this option is selected, the system terminates the download and sends an error message to the client software whenever the content exceeds the maximum size.

List of FTP Servers
You can select the servers whose traffic should be filtered and specify for each IP address whether or not the anti-virus protection should be activated. It is also possible to enter "trusted" servers. In the examples below the more specific entry (the single host) is listed above the subnet that contains it, so the order of the rows matters: a host entry placed below a subnet entry that already covers it would never take effect. Examples:

Global activation of the anti-virus protection for FTP:
   Server          Port   Comment          Enable Scan
   0.0.0.0/0       21     FTP out to any   Scan

Scan a subnet and exclude a "trusted" FTP server:
   Server          Port   Comment          Enable Scan
   192.168.2.5     21     trusted FTP      No Scan
   192.168.2.0/24  21     untrusted FTP    Scan

Scan a single "untrusted" FTP server in a subnet:
   Server          Port   Comment          Enable Scan
   192.168.2.5     21     untrusted FTP    Scan
   192.168.2.0/24  21     trusted FTP      No Scan
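The three example tables above, evaluated in code as an added example (not Innominate code). It assumes the list is evaluated top to bottom and the first matching row decides, which is the only reading under which the manual's ordering of host-above-subnet makes sense; the page does not state the device's exact matching algorithm, so treat that as an assumption. The helper shadowed_rules flags the classic configuration mistake, a "trusted" host row placed below a subnet row that already covers it.

```python
"""Evaluate an mGuard-style "List of FTP Servers" against an outgoing connection.

Added example, not Innominate code.  Assumption: rows are evaluated top to
bottom and the first row matching both server address and port decides.
"""
import ipaddress
from typing import List, Optional


class FtpScanRule:
    def __init__(self, server: str, port: int, comment: str, scan: bool):
        # "Server" may be a single address or a CIDR prefix; 0.0.0.0/0 covers everything.
        self.network = ipaddress.ip_network(server, strict=False)
        self.port = port
        self.comment = comment
        self.scan = scan          # True = "Scan", False = "No Scan"

    def matches(self, server_ip: str, port: int) -> bool:
        return port == self.port and ipaddress.ip_address(server_ip) in self.network


def scan_decision(rules: List[FtpScanRule], server_ip: str, port: int) -> Optional[bool]:
    """True = scan, False = pass unscanned, None = no row covers this server/port."""
    for rule in rules:
        if rule.matches(server_ip, port):
            return rule.scan
    return None


def shadowed_rules(rules: List[FtpScanRule]) -> List[int]:
    """Indexes of rows that can never match because an earlier row on the same
    port already covers their whole prefix (e.g. subnet first, trusted host second)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.port == later.port
                    and earlier.network.version == later.network.version
                    and later.network.subnet_of(earlier.network)):
                shadowed.append(i)
                break
    return shadowed


# The manual's second example: scan the subnet, exclude one trusted host.
EXAMPLE_SUBNET_WITH_TRUSTED_HOST = [
    FtpScanRule("192.168.2.5", 21, "trusted FTP", False),
    FtpScanRule("192.168.2.0/24", 21, "untrusted FTP", True),
]

if __name__ == "__main__":
    for ip in ("192.168.2.5", "192.168.2.9"):
        print(ip, "->", scan_decision(EXAMPLE_SUBNET_WITH_TRUSTED_HOST, ip, 21))
    print("shadowed rows:", shadowed_rules(list(reversed(EXAMPLE_SUBNET_WITH_TRUSTED_HOST))))
```

Note that a "No Scan" row is a blanket exemption keyed only on the server's IP address: if anyone else can occupy that address on the subnet, their FTP traffic is exempt as well, so the trusted-server exception should be kept as narrow as possible.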
...Windows system is connected to a network, disconnect it.
2. Copy the software into any empty folder on the Windows system. Start the program TFTPD32.EXE.
3. The system's IP must be set to 192.168.10.1. This must also be the address of the network adapter. Click on the Browse button to switch to the folder in which the mGuard image files have been saved (install.p7s, jffs2.img.p7s). The image files are also found on the CD-ROM which was included in the package.

(TFTPD32 window: Current Directory, Browse, Server interface 192.168.10.1, Show Dir; tabs "Tftp Server" and "DHCP server".) The log then shows the mGuard obtaining an address via DHCP and fetching both images:

Rcvd DHCP Discover Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.694]
DHCP: proposed address 192.168.10.200 [26/11 09:41:19.694]
Rcvd DHCP Rqst Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.704]
Previously allocated address acked [26/11 09:41:19.714]
Connection received from 192.168.10.200 on port 1024 [26/11 09:41:19.774]
Read request for file <install.p7s>. Mode octet [26/11 09:41:19.774]
<install.p7s>: sent 4 blks, 2048 bytes in 1 s. 0 blk resent [26/11 09:41:20.786]
Connection received from 192.168.10.200 on port 1024 [26/11 09:43:17.053]
Read request for file <jffs2.img.p7s>. Mode octet [26/11 09:43:17.053]
<jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent [26/11 09:43:28.008]
Current Action: <jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent

TFTP and the DHCP server in TFTPD32 provide neither authentication nor encryption, and the DHCP server will answer any client on the segment. This is why step 1 requires the Windows system to be disconnected from the network for the duration of the recovery. The .p7s extension of the images denotes a PKCS#7 signed object; check that both transfers complete with 0 blocks resent before rebooting the device.
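A check over the TFTPD32 log, as an added example (not Innominate or TFTPD32 code): it parses the "Read request" and "sent ... blks" lines in the format shown above and reports, for each expected image, whether it was requested and fully served, whether blocks had to be resent, and whether any client other than the mGuard contacted the server. The sample log lines are constructed to match the excerpt; the 512-byte TFTP block size and the expected client address 192.168.10.200 are assumptions.

```python
"""Check a TFTPD32 log for a complete mGuard recovery transfer.

Added example, not Innominate or TFTPD32 code.  Assumptions: TFTP data
blocks of at most 512 bytes (the protocol default) and a single expected
client address; SAMPLE_LOG is constructed from the manual's excerpt.
"""
import re
from typing import Dict, List

# e.g. "<install.p7s>: sent 4 blks, 2048 bytes in 1 s. 0 blk resent [26/11 09:41:20.786]"
SENT_RE = re.compile(
    r"<(?P<file>[^>]+)>: sent (?P<blocks>\d+) blks, (?P<bytes>\d+) bytes in \d+ s\. "
    r"(?P<resent>\d+) blk resent"
)
REQUEST_RE = re.compile(r"Read request for file <(?P<file>[^>]+)>")
CONN_RE = re.compile(r"Connection received from (?P<ip>[\d.]+) on port (?P<port>\d+)")
BLOCK_SIZE = 512

SAMPLE_LOG = [  # constructed to match the log excerpt in the manual
    "Rcvd DHCP Discover Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.694]",
    "DHCP: proposed address 192.168.10.200 [26/11 09:41:19.694]",
    "Rcvd DHCP Rqst Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.704]",
    "Previously allocated address acked [26/11 09:41:19.714]",
    "Connection received from 192.168.10.200 on port 1024 [26/11 09:41:19.774]",
    "Read request for file <install.p7s>. Mode octet [26/11 09:41:19.774]",
    "<install.p7s>: sent 4 blks, 2048 bytes in 1 s. 0 blk resent [26/11 09:41:20.786]",
    "Connection received from 192.168.10.200 on port 1024 [26/11 09:43:17.053]",
    "Read request for file <jffs2.img.p7s>. Mode octet [26/11 09:43:17.053]",
    "<jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent [26/11 09:43:28.008]",
]


def check_recovery_log(lines: List[str], expected_files: List[str], client_ip: str) -> Dict:
    """Summarise what the log proves about each expected image transfer."""
    files = {f: {"requested": False, "sent": False, "bytes": 0, "resent": 0, "ok": False}
             for f in expected_files}
    other_clients = set()
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group("ip") != client_ip:
            other_clients.add(m.group("ip"))          # someone else talked to the server
        m = REQUEST_RE.search(line)
        if m and m.group("file") in files:
            files[m.group("file")]["requested"] = True
        m = SENT_RE.search(line)
        if m and m.group("file") in files:
            rec = files[m.group("file")]
            blocks = int(m.group("blocks"))
            rec["bytes"] = int(m.group("bytes"))
            rec["resent"] = int(m.group("resent"))
            # the byte count must fit into the number of blocks reported
            rec["sent"] = rec["bytes"] <= blocks * BLOCK_SIZE
    for rec in files.values():
        rec["ok"] = rec["requested"] and rec["sent"] and not other_clients
    return {
        "files": files,
        "other_clients": sorted(other_clients),
        "complete": all(rec["ok"] for rec in files.values()),
    }


if __name__ == "__main__":
    report = check_recovery_log(SAMPLE_LOG, ["install.p7s", "jffs2.img.p7s"], "192.168.10.200")
    for name, rec in report["files"].items():
        print(f"{name}: {rec}")
    print("complete:", report["complete"], "other clients:", report["other_clients"])
```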
...you have set it to 192.168.1.1. Then the command should be:

   arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa

3. You should now be able to access the mGuard's configuration interface at the URL https://1.1.1.1. Please see "Setting Up a Local Configuration Connection" on page 39 for full details.
4. After setting the configuration, restore the original setting for the default gateway address. To do so, either restart the configuration computer or enter the following command at the DOS level (in the Command Prompt window):

   arp -d

Note: Depending on how you configure the mGuard, you may also need to modify the network interface settings of the host operating system or locally connected system accordingly.

5.3 Setting Up a Local Configuration Connection

Web-based Administrator interface: The mGuard is configured using a Web browser which is running on the configuration system (e.g. Firefox, MS Internet Explorer or Safari). The Web browser must support SSL (in other words, https).

Depending on the mGuard's network mode (mode of operation), it can be accessed with the factory settings at one of the following addresses:

Factory setting:
   Stealth Mode: https://1.1.1.1 (default setting, except mGuard delta and blade controller)
   Router Mode: https://192.168.1.1 (default setting for mGuard delta and blade controller)

Proceed as follows:
1. Start a Web browser. For example, Firefox, MS Internet Explorer or Safari; the
...encrypted with the private key proves that the owner of the associated public key actually sent the message. Therefore the expression "digital signature" is also often used. However, asymmetrical encryption techniques such as RSA are both slow and susceptible to certain types of attack, and are therefore frequently combined with some form of symmetrical encryption (-> symmetrical encryption): the asymmetrical algorithm protects only a short symmetrical session key, and that key encrypts the bulk of the data. On the other hand, there are concepts which avoid the additional work of administering symmetrical keys.

DES / 3DES: This symmetrical encryption algorithm was developed by IBM and checked by the NSA. DES (-> symmetrical encryption) was set in 1977 by the American National Bureau of Standards, the predecessor of the National Institute of Standards and Technology (NIST), as the standard for American governmental institutions. Since this was the very first standardized encryption algorithm, it quickly won acceptance by industry even outside of America. DES uses a 56-bit key (64 bits including 8 parity bits), which is no longer considered secure, as the processing power available has greatly increased since 1977. 3DES is a variant of DES. It uses keys that are three times as long, i.e. 168 bits; because of the meet-in-the-middle attack its effective strength is only about 112 bits. At the time of writing 3DES was still considered secure, and it is included in the IPsec standard; NIST has since deprecated it and disallows it for new use under SP 800-131A Rev. 2, so AES should be chosen wherever the VPN peer supports it.

AES: Advanced Encryption Standard. This encryption standard was developed by NIST (National Institute of Standards and Technology) in cooperation with industry. This (-> symmetrical encryption) standard was developed
    