Securepoint
Contents
1.  [fig. 7: cockpit overview]

    Securepoint Security Solutions 18
    5 Securepoint Cockpit, Securepoint 10

    5.1 Navigation Bar

    The navigation bar guides you to the different configuration categories. These categories are: configuration, network, firewall, applications, VPN, authentication, extras, live log.
    Moving the mouse over an entry opens the respective dropdown menu.

    [fig. 8: navigation bar of the cockpit]

    5.2 License

    This area gives an overview of the firewall software, updates and license.

    License valid till: Validity of the license. The date is given in US American format (MM/DD/YYYY).
    Last Virus Pattern update: Time of the last virus pattern update.

    [Screenshot: License panel showing firewall type, build and license validity]
2.  [fig. 153: select L2TP]

    Select the authentication method.
    If you want to use a preshared key, activate the radio button Preshared Key and enter the key into the field beneath.
    If you want to use a certificate, activate the radio button x.509 Certificate and select a server certificate from the dropdown box.
    Click Next.

    [fig. 154: select the authentication method]

    Enter the address pool for the roadwarrior and the IP address of the DNS server.
    Enter the local IP address into the field Local L2TP IP address.
    Enter the IP address range into the fields L2TP address pool.
    Enter the IP addresses of the first and the second DNS servers into the fields Primary and Secondary nameserver.
    Click Next.

    [fig. 155: define address pool and DNS server]

    The last step offers the creation of L2TP users. If you don't want to use this option click F
3.  [fig. 84: dialog service groups]

    8.5.2 Create New Service Group

    You can also combine services into new service groups.
    Click on the plus symbol in the section Service Groups. The dialog Add service group appears.
    Enter a name for the new service group and click Add.
    Select the newly created service group from the dropdown box.
    The message No member in service group appears in the right table, because no service has been added yet.
    Add services to the new group as described in the previous section.

    [fig. 85: enter name for the new service group]

    8.6 Network Objects

    Network objects describe certain computers, network groups, users, interfaces, VPN computers and networks. With these network objects the rules in the portfilter can be defined exactly.
    Click on the menu item Firewall in the navigation bar. Click
4.  [fig. 99: HTTP proxy settings, tab general]

    When you define exceptions for the HTTP proxy, the relevant computers access the internet directly, provided a corresponding rule exists.
    The exceptions must be defined by source and destination IP addresses.

    [fig. 100: define exceptions for the HTTP proxy]

    9.1.2 Virus scanning

    In this tab you can set which files and websites should be ignored by the virus scanner.
    You can deactivate the virus scanning by unchecking the checkbox Virus scanner.
    The left list shows file extensions which are excluded from virus scanning.
    You can edit an entry by clicking the wrench symbol. You can delete an entry by clicking the trashcan symbol.
    Enter a file extension with a leading dot in the field under the left table and click Add Extension to add an entry.
    The right list shows websites which are excluded from virus scanning.
    You can edit an entry by clicking the wrench symbol. You can delete an entry by clicking the trashcan symbol.
    Enter a website in the field under the right table and click Add Website to add an entry.
    Host names like "www" are not declared.

    [Screenshot: HTTP Proxy dialog]
5.  [fig. 47: add VDSL interface, set properties]

    7.2.1.6 Add Cluster Interface

    The cluster interface is needed to set up a high availability environment.
    Two (or more) appliances are required for this setup. One appliance is active as master and the other appliances wait in standby mode as spares. If important services cannot be provided by the active machine or the whole machine breaks down, the other appliance wakes up from standby and takes over the service as master.
    The cluster interface binds a virtual and a "real" IP address to a physical interface. The special feature of the high availability setup is that all appliances get the same virtual IP addresses. Because the redundant machines are running in standby mode and their cluster IPs are not up, there will be no IP address conflict. The "real" IP addresses, so-called management IPs, are used to send advertisement packets about their status between the appliances.

    [Figure: cluster diagram with two appliances connected through switch A (external net), switch B (internal net) and switch C (DMZ); each interface carries its own management IP (real IP, shown in red) and a virtual IP that is identical on both appliances]
6.  [fig. 66: filter firewall rules]

    8.1.1 Create Rule

    Click Append Rule to append a new rule. The dialog Add Rule appears.
    The rule is created on the tab General.
    Select in the field Source a source from the list.
    Select in the field Destination the destination from the list.
    Define in the field Service which service will be used.
    Choose in the field Action whether the access should be accepted or denied.
    Select in the field Logging which logging mode should be used.
    In the field QoS (Quality of Service) you can limit the bandwidth.
    At Rule Routing you can define which gateway should be used for packets of this rule. For example, IPSec connections must always communicate over the same interface. This setting is important if you use several internet connections.

    Note: For source and destination a network object must exist which defines the item exactly. If it doesn't exist you have to create it.
    If the service used is not listed you can define a new one.

    [Screenshot: Add Rule dialog, tab General]
7.  Services: To define exact rules in the portfilter you use applicable services. In this section all services are listed with their used ports and protocols. You can edit them or add new ones.
    Service Groups: Services which provide similar functions are combined into groups.
    Network Objects: Network objects specify groups, users or computers. You can only define rules for created network objects.
    Network Groups: Network objects are combined into device groups.

    8.1 Portfilter

    The port filter is the main item of the firewall. Rules are defined in this section, which control the whole data traffic. The rules are editable in the properties networks, user, services, and time. You can define whether traffic which matches a created rule will be logged.

    By default, traffic will be stopped if no rule is set which allows the traffic.

    [Screenshot: Portfilter rule list with the columns Source, Destination, Service, Action, Time, Logging, Active, QoS, Description and Rule routing]
8.  8.6.5 Add Interface

    You can also add network objects for interfaces.
    You distinguish between interfaces with static and dynamic IP addresses.

    Click Add Interface. The dialog Add Interface appears.
    Enter a name for the new object in the field Name.
    Under Type select StaticAddress or DynamicAddress.
    If you have chosen StaticAddress, you have to enter the static IP address in the field IP Address.
    Under Zone select the zone of the interface.
    Store your settings with Save.

    [fig. 93: object of interface with dynamic address]
    [fig. 94: object of interface with static address]

    8.7 Network Groups

    In this section you can combine several network objects into groups. You can add new groups, edit and delete existing groups.

    Select an existing group from the dropdown field in the section Network Groups.
    Click the trashcan symbol for deleting the group. All included network objects will be deleted too.
    Click the plus symbol to create a new group.
    Enter a name for the new group and select an icon for the group.
    In the table Network Objects all available network objects are listed.
    In the table Network Group
9.  9.1.6.2 Whitelist

    You can exclude users, IP addresses and websites from the content filtering by the whitelist.

    9.1.6.2.1 User

    Users who are listed in this table can call up websites without being limited by the content filter.

    > Switch to the tab Whitelist. Select the tab Users.
    > Enter the login name of the user who should be excluded from the content filtering. Click the button Add User.
    > To delete a user from the list click the trashcan symbol in the related row.

    [fig. 106: content filter of the HTTP proxy, section whitelist, tab user]

    9.1.6.2.2 IP Addresses

    IP addresses can be excluded from the content filtering as well.
    This only makes sense if the IP addresses are assigned statically.

    Switch to the tab IP Addresses.
    Enter the IP address which should be excluded from the content filtering. Click the button Add IP.
    To edit an entry click on the wrench symbol beneath the related entry.
    To delete an entry click on the trashcan symbol beneath the related entry.

    [Screenshot: HTTP Proxy dialog, Content Filter tab]
10. [fig. 203: details of a log message]

    13.5 Raw Data

    Entries in the live log are processed Syslog messages. You can also display the Syslog messages.

    > Click on the button Show raw data.
    > The raw data of the current logging are shown. The logging is still running in the background.

    You can also download the raw data.

    > Click on the button Download raw data.
    > The data will be transferred in txt format.

    [Screenshot: Show Raw Data dialog listing kernel syslog lines for dropped UDP packets arriving on eth1]
11. Enter your region into the field State.
    Enter the name of your city into the field City.
    Enter the name of your company into the field Organisation.
    Enter the department into the field Unit.
    Enter your e-mail address into the field E-mail.
    Select the CA to sign the certificate with.
    Select an Alias optionally. You will need it under the operating system MacOS.
    Activate the checkbox Server Authentication if you want to create a server certificate.
    Click Save to create the certificate.

    [fig. 178: create client certificate]
    [fig. 179: create server certificate]
12. For applying the rules immediately click the button Update Rules.

    [fig. 196: edit portfilter settings]

    12.6.4 Dialup

    LCP (Link Control Protocol) echo requests are used to check whether a connection still exists. Several internet service providers don't support this check. In that case you should disable the check.

    > To disable the check deactivate the checkbox Support LCP Echo for PPPoE.
    > Store your setting with Save.
    > For applying the changes immediately click the button Update Interface.

    [fig. 197: enable/disable the LCP echo request]

    12.6.5 Templates

    On this tab you can edit all templates on the firewall.

    Select the application you want to edit from the dropdown list Applications.
    The firewall displays the related templates in the dropdown field Templates.
    Select the template you want to edit from the dropdown
13. [fig. 132: settings for POP3 service]

    9.5 VNC Repeater

    Virtual Network Computing (VNC) software can display the screen content of a remote computer on a local computer. The keyboard and mouse actions of the local computer are sent to the remote computer, so you can work on the remote computer as though you were working directly on it. The software is a client-server application. The remote computer acts as the server and the local computer as the client. You have to enter the IP address or the hostname of the remote computer and the port of the VNC repeater application to allow the traffic through the firewall.

    9.5.1 General

    Specify the ports which are used by the client (viewer) and the server.

    Enter the port of the local VNC repeater in the field VNC Viewer Port. Default setting is port 5900.
    Enter the port which is used by the remote VNC repeater in the field VNC Server Port.

    [Screenshot: VNC Repeater dialog, tab General]
14. [fig. 62: result of a Ping]

    7.4.3 Routing Table

    The command Routing Table shows the routing table of the appliance. You don't have to enter data.

    > Click the button Routing Table. All entered routes will be listed.

    [fig. 63: output of the routing table]

    8 Menu Firewall

    This menu item includes all functions for creating firewall rules. The entry Portfilter shows the system of rules. This section manages rights of all computers, computer groups, networks, users, user groups and devices.

    [fig. 64: dropdown menu of the menu item firewall, with the entries Portfilter, Hide NAT, Port Forwarding, Services, Service Groups, Network Objects, Network Groups]

    Hide NAT: Dynamic Network Address Translation.
    Port Forwarding: Request from the internet to defined ports will be transmitted to defined
15. [fig. 88: create an object for a computer]
    [fig. 89: create an object for a network]

    8.6.3 Add VPN Host/Net

    The creation of VPN objects isn't very different from the creation of network and computer objects. Just other zones are available.

    > Select the zone vpn-ipsec, vpn-ppp or vpn-openvpn according to the VPN method you are using.

    [fig. 90: create object for a VPN computer]
    [fig. 91: create an object for a VPN network]

    8.6.4 Add User

    You can also create network objects for users. This way you can set rules for several users. The only condition for this is that the users are SPUVA (Securepoint Security User Verification Agent) users and employ the agent to log onto the system. The user must be listed in the user administration under the menu item Authentication in the entry Users.

    Click Add User. The dialog Add User appears.
    Under Name enter a name for the object.
    Under Login select a SPUVA user.
    Under Zone select the according zone.
    Select which NAT IP should be used.
    Store your settings with Save.

    [fig. 92: create an object for a user]
16. Firewall, because of warranty reasons.

    [fig. 191: upload registration file]

    12.5 Manage Cockpit

    This menu item offers the possibility to customize the cockpit. You can hide lists which are uninteresting for you. Furthermore you can position the lists to your needs.

    The dialog Manage Cockpit for user x is divided into three sections.

    On the left the section Not displayed dialogs. Lists positioned here are not displayed.
    In the middle the section Display in Cockpit Left. Shown lists will be displayed on the left side of the cockpit.
    On the right the section Display in Cockpit Right. Shown lists will be displayed on the right side of the cockpit.

    You can move the lists by drag and drop.
    You can arrange the lists not only horizontally but also vertically.
    Store your settings with Save.

    [fig. 192: customize the cockpit]

    12.6 Advanced Settings

    This menu item opens a new browser window which offers settings for experienced users. You can for example edit the templates of all services and applications and read out the used variables.

    Note: Make changes in this section only if you know what you're doing.
    An incorrect usage of these options can damage the correct functionality of the appliance or completely destroy the configuration.

    For these reasons following
17. LAN 3 are destined for the predefined networks. The ports in the machine are not labeled. Take the assignment from the figure.

    [fig. 5: front view of the RC 400 (schematic)]

    4 Administration Interface

    4.1 Connecting the Appliance

    You access the appliance with your browser on the IP address of the internal interface on the port 11115 using the https (SSL) protocol.
    The factory setting for the internal IP address is 192.168.175.1. The port 11115 cannot be changed. It is reserved for the administration.
    User name and password are set to the following by default:
    Username: admin
    Password: insecure

    > Start your internet browser and insert the following value into the address field: https://192.168.175.1:11115
      If you have changed the IP address at the installation, replace the IP address 192.168.175.1 with the new one.
    > The dialog LOGIN appears.

    [fig. 6: Login dialog]

    At the field Username insert admin.
    At the field Password insert insecure or the new password, if you changed it during the installation process.
    After this click Login.
    You will be logged on to the system and the start screen appears.

    Change your password as quickly as possible. Use the navigation bar icon Authentication, item Users. Use upper- and lowercase char
18. LAN ports are marked green.

    [fig. 13: view of the appliance, for example a Piranja]

    5.6 Interfaces

    In this area the interfaces are listed with the assigned IP addresses and zones. Depending on the used appliance more interfaces (ethx) are shown.

    eth0: Ethernet adapter for connection to the internet.
    eth1: Ethernet adapter for connection to the internal network.
    eth2: Ethernet adapter to attach a demilitarized zone (DMZ). At the appliance indicated as LAN 3.
    ppp0: A virtual interface to connect the firewall to the internet with
    tun: Virtual interface for the SSL VPN. The internal address is set to

    [fig. 14: status of interfaces]

    5.7 IPSec

    The created IPSec connections and their usage are listed in this section.
    The name of the connection comes first, followed by the current usage.

    [fig. 15: list and status of IPSec connections]

    5.8 Downloads

    This table lists which files are available in the download section of the user interface.
    Furthermore the version and a short description are shown.
    The filename is a hyperlink which you can use to download the file directly.

    [Screenshot: Downloads list]
19. 11.3.3 Import CA and Certificate

    You can import CAs and certificates if they are available in PEM file format.

    Switch to the corresponding tab (CA or Certs).
    Click Import and in the appearing dialog click Browse.
    Select the file you want to import from your file system.
    After that click Import.

    [fig. 180: import dialog]

    11.3.4 Export CA and Certificate

    You can also export CAs and certificates. You may select between PEM file format and the encrypted format PKCS #12. Keep in mind that the appliance only imports the PEM file format.

    Switch to the corresponding tab (CA or Certs).
    At the end of every row you find two export icons.
    The left icon exports the certificate or the CA in PEM file format.
    The right icon exports the certificate or the CA in PKCS #12 (.p12) format.
    Click on the desired icon and save the certificate or CA on your local file system.

    11.3.5 Download SSL VPN Client

    You can also download the preconfigured SSL VPN client from the tab Certs. An icon in the row of every certificate offers the download of the zip archive. The archive includes the portable OpenVPN client, a preconfigured configuration, the CA and the related certificate.

    Switch to the tab Certs.
    Select the desired certifica
20. PPTP VPN user, you can assign an IP address to the user for the VPN connection. The IP address must be contained in the address pool.
    If the new user utilizes SSL VPN, you have to set an SSL VPN IP address on the tab VPN.

    > Switch to the tab VPN.
    > Assign an IP address which is used by the user in the L2TP or PPTP VPN tunnel. This setting is optional.
    > If the user is an SSL VPN user, a tunnel IP address must be set.
      This IP address must be an IP address of the subnet of the tun interface (default: 192.168.250.xxx).
      The last part of the IP address must fulfill the following condition: a multiple of 4 minus 2.
      Formula: x = 4 * y - 2
      Possible values for the last part of the IP address: 2, 6, 10, 14, ..., 246, 250, 254.

    [fig. 168: assign a VPN IP address]

    11.1.3 Add User, Tab VPN Client

    This tab will be activated if the user is a member of the group SSL VPN. In this tab you make settings to build a preconfigured SSL VPN client package for the user. The package includes a configuration file, a certificate and the portable OpenVPN client. The user can download the package in the user interface. Therefore the user n
21. Provider

    [fig. 54: list of DSL provider]

    7.2.3.1 Edit or Delete DSL Provider

    In the list of all saved DSL providers on the tab DSL Provider a wrench symbol and a trashcan symbol are positioned beneath the entries. With these buttons the entries can be edited or deleted.

    > For editing click the wrench symbol. The dialog Edit DSL Provider appears.
    Change the settings and save the new properties with Save.
    For deleting click the trashcan symbol.
    Click Yes at the confirmation prompt. The entry will be deleted.

    7.2.3.2 Create DSL Provider

    Click the button Add DSL Provider. The dialog Add DSL Provider appears.
    Enter a name for the provider into the field Name.
    Type your login data into the field Login.
    Enter your password into the field Password and retype it in the field Confirm password.
    If you activate the checkbox Default Route a standard route will be set automatically.
    Select a time in the field Separation. At this time the appliance disconnects the internet connection. If you choose 0 the appliance does not force a disconnection.

    [fig. 55: create DSL Provider]
22. 11.1 Users

    The dropdown menu item Users displays a list with all existing users and their permissions in binary format.
    The users are listed in order of their creation.
    Existing users can be edited by clicking the wrench symbol or deleted by using the trashcan symbol.

    Name      Fullname               Permissions
    admin     System Administrator   000000001
    root      Superuser              000000001
    fred      Fred Feuerstein        000001000
    barney    Barney Geroellheimer   010010000
    donald    Donald Duck            000100000
    daisy     Daisy Duck             000000010
    dagobert  Dagobert Duck          001100100
    max       Max Müller             000000100

    [fig. 165: list of existing users]

    When the mouse cursor moves over a user, an infobox appears which shows the user permissions and assigned VPN IP addresses of the related user.
    You can activate this function by unchecking the checkbox Disable Infobox.

    Infobox for dagobert (001100100):
    Fullname: Dagobert Duck
    PPTP IP: Not set
    L2TP IP: 192.168.180.15
    OpenVPN IP: Not set
    Permissions:
      ADMIN: Not set
      VPN PPTP USER: Not set
      VPN L2TP USER: active
      SPAMADMIN: Not set
      SPUVA USER: Not set
      HTTP PROXY USER: active
      USERINTERFACE: active
      VPN SSL USER: Not set
      SMTP RELAY USER: Not set

    [fig. 166: user properties]

    11.1.1 Add User, Tab General

    For adding a new user, open the wi
23.  address you want to allow the access via SNMP. Select the wanted subnet mask and click Add network. The IP address is appended to the table.
> To allow the access, you have to create an according rule in the portfilter.
fig. 37: tab SNMP

7.1.5 Monitor Agent (AmdoSoft v4 Agent)
The Securepoint firewall can be monitored and maintained by the controller software of the company AmdoSoft Systems. The firewall connects to the registered AmdoSoft controller in the internal or external network. The controller software for the automatic monitoring has to be purchased from the company AmdoSoft Systems. No rule is necessary for this data traffic.
> Go to the point Network on the navigation bar and click on the entry Server Properties in the dropdown menu.
> In the dialog Server Properties, switch to the tab Monitoring Agent.
> Enter the IP address of the computer where the AmdoSoft Controller software is installed into the field b4 Controller IP.
> Afterward click Save.
24.  another one. For example 2080.
> Click Port Forwarding in the dropdown menu of the Firewall icon. The window Port Forwarding appears, which displays all forwarding rules.
> Click Add to create a new port translation rule. The dialog Add Port Forwarding appears.
> Select Port Translation as type.
> Under Source select from which network the query is coming.
> Under Interface define which interface is used by the query.
> For Destination select a network object to which the query should be forwarded.
> Under External Port select the service, and hence the port, which should be used.
> Under Original Port select the port you want to redirect to.
> Store your settings with Save.
Note: A rule in the portfilter must be set to allow the port forwarding.
fig. 77: create port translation rule

8.4 Services
Services are used to specify the rules in the portfilter. Every service uses a certain protocol and port or a port range. This is listed in the section Services. The list contains a lot of services. You can add new services, edit and delete services.

8.4.1 Delete and Edit Services
Click the trashcan symbol beneath the service t
25.  fig. 128: predefined MIME types

9.4.3 Virusscan
You can check incoming and outgoing e-mails for viruses. If a virus is found, it will be deleted. The deletion of a virus from an e-mail will be indicated by a message in the e-mail.
> Activate Don't scan specific Attachments to exclude attachments from the virus scan by a Whitelist.
> Use the Whitelist to define attachments which should not be scanned. You can specify them by file extension or by MIME type. You can write MIME types manually or select them from the predefined list (see previous article).
fig. 129: exclude attachments from the virusscanning

9.4.4 SMTP Settings
In this section you can define how to deal with e-mails that are identified as spam, include a virus or an undesired attachment.
> If you
26.  by entering an address into the field under the tables and click the button Add Blacklist or Add Whitelist.
You can block or approve whole domains with all subpages. For blocking or approving defined websites, enter the relative URL. Furthermore you can block domains and approve subpages of this domain. For example:
blacklist: time.com
whitelist: time.com/business
Just use top- and second-level domains. For example:
www.example.com becomes example.com
www.example.com/auctions becomes example.com/auctions
fig. 102: HTTP proxy dialog, tab URL filter

9.1.4 Block Extensions
On this tab you can define file extensions which will be blocked. Not only suffixes with three characters are supported. You can also block suffixes like jpeg or mpeg. Suffixes must be given with a leading dot.
> Enter the file extension in the field at the bottom of the window. Don't forget the leading dot. For example: .mp3
27.  by the SIP client to connect the proxy with the dropdown box Inbound Interface.
> Select the interface which is used by the proxy to transfer the data to the internet from the dropdown box Outbound Interface.
> Select the port on which the proxy expects data in field SIP Port (default 5060).
> Adjust the RTP Port Range to the port range used by the client.
> Enter the Timeout of the SIP server of the provider.
fig. 136: tab General of the VoIP Proxy dialog

9.6.2 Provider
Enter the data of the provider in this section.
> Enter the name of the provider in the field Domain.
> Enter the SIP proxy of the provider in the field Proxy.
> Select the SIP proxy port of the provider in the field Proxy Port (default 5060).
fig. 137: tab Provider of VoIP Proxy dialog

9.7 IDS
The Intrusion Detection System (IDS) is a system to detect attacks in the network. The IDS analyzes all packets which pass the appliance. Suspicious activities will be
28.  cockpit and rebuilds the cockpit.
The button in the navigation bar has the same function.

13 Menu Live Log
The Live Log shows the current log entries. For a clear view the entries are highlighted in different colors. Furthermore the logs can be filtered.
Day: Shows the day of occurrence. In the Live Logging the current date.
Shows the protocol or the action additionally.
Shows which service is affected.
Detailed log message.
fig. 201: entries in the live log

13.1 Start Live Log
When you enter the Live Log window, the logging is out of action. You also cannot enter any search pattern. To start the logging, proceed as follows:
> Click on the icon Live Log in the navigation bar. A new browser window appears.
> Click the button Start logging at the right side above the table. The live logging starts. The text of the button turns to
29.  connection. The period can vary between 1 and 8 hours. Afterwards a new link connection is necessary for security reasons. This starts automatically.
Keyingtries: How many trials to initiate the connection (time lag 20 seconds).
unlimited -> unlimited trials
three times -> three trials to initiate the connection

10.3.1.2 Phase 2
PFS: Perfect Forward Secrecy. The new key material must be created irrespective of the previous keys. So no one can gather the new key from the previous key.
Key life: Duration of an IKE connection. The period can vary between 1 and 8 hours. Afterwards a new link connection is necessary for security reasons. This starts automatically.
tab Native IPSec
Local Net / Mask: Local net which is connected with the remote net via VPN.
Remote Net / Mask: Remote net which is connected with the local net via VPN.
tab L2TP
L2TP Subnet: Local subnet for L2TP connections. Only useable with L2TP connections with MS Windows Vista or MacOSX, if the client is positioned behind a router.
tab Address Pool
Local Net / Mask: Local net which is connected with the remote net via VPN.
Address Pool / Mask: From this address pool an IP address will be assigned to the roadwarrior when connecting to the local net.

10.4 L2TP
In this section you can set the general setting for L2TP VPN connec
30.  don't want to block spam but mark it, activate the checkbox Don't block spam, just mark. You can edit the flag that is attached to the subject in the field Message in Subject.
> Decide if incoming or outgoing e-mails with a virus will be blocked or relayed with deleted virus. Select the according radio buttons.
> Decide if incoming or outgoing e-mails with undesired attachment will be blocked or relayed with deleted attachment. Select the according radio buttons.
fig. 130: settings for identified e-mails

9.4.5 SMTP Advanced
In the advanced SMTP setting you can define a global Whitelist and a global Blacklist. The entries in the list could be an IP address, a domain or a host (IP address / host name). E-mails from Whitelist entries will be relayed without checking. E-mails from
31.  > Click on Add Extension. The extension is added to the list.
> To delete an extension from the list, click on the trashcan symbol at the end of the related row.
fig. 103: HTTP proxy, tab block extensions

9.1.5 Block Applications
On this tab you can define remote support programs and messaging programs which will be blocked.
Note: These settings only work for the HTTP proxy. The programs could be executed via the rule set without using the HTTP proxy. Possibly you have to modify the rule set to prevent the communication of these programs.
The applications are predefined. The section remote support includes the programs Teamviewer and Netviewer. In the section messaging the most popular chat programs are predefined. You can also block messaging programs which are not listed with the option Block other IM.
> Select a program from the list. Activate the related checkbox to block the program.
> Click Save.
32.  in the dropdown menu on the entry Network Objects. The window Network Objects appears.
In this window all available network objects are listed. The table can be ordered by the values of the separate columns. Behind the objects are buttons for editing and deleting the related object. You can add objects with the buttons at the bottom of the window.
fig. 86: list of created network objects

8.6.1 Network Object Information
The function Infobox shows information of a network object if the mouse cursor rolls over it. You can enable this function by unchecking the checkbox Disable Infobox. The infobox shows not on
33.  interface. So you can conduct all virtual LANs at one interface. Every VLAN has an ID, which is appended to the packets as a tag. On the basis of these tags, a VLAN-supporting switch can direct the packets to the right VLAN.
fig. 43: VLAN formation

> Click Add Interface. The Interface Wizard appears.
> Select the desired interface type, in this case VLAN.
> Click Next. The configuration window of VLAN Interface appears.
> Select in the field Interface to which physical interface the VLAN interface should be bound.
> Enter an ID for the interface in the field VLAN ID.
> Enter the IP address and the subnet mask of the VLAN network in IP and Mask.
> Select if an IP address will be assigned to the interface by the DHCP server. If so, activate the checkbox DHCP Client.
> Define the maximum size of a data packet and enter the value in the field MTU (Maximum Transmission Unit). Normally you can leave the default value (1500).
> If the interface should answer pings, activate the checkbox Allow Ping.
> Select the speed of the interface from the dropdown field Speed.
> Select the zone of the interface and the related zones by activating the relevant checkboxes at the right side.
> Complete the configuration with Finish. After the interface is added, you have to press the button Update Interface.
34.  is turned on, for example after reboot.
The heart symbol labels the current running configuration. The signs behind the configuration names are buttons for functions which can be used for every configuration. The buttons Save as ... and Import ... are located below the list.
button / function:
Exports the configuration and saves it in DAT format.
Print: Opens a browser window in which the configuration is shown in table format. This description can be printed or saved.
Sets the configuration as start configuration.
Loads the configuration.
Deletes the configuration.
Opens a browser window in which a description of the configuration can be typed.

6.1.1 Save Configuration
The settings made will be stored automatically in the current running configuration. You can also save the new settings in an existing configuration or in a new one.
> Click on the button Save as ... The dialog Save as ... appears.
> Select an existing configuration from the dropdown box or enter a new name for the configuration.
> Click on Save.
fig. 31: save the configuration

6.1.2 Import configuration
You can import an existing con
35.  just one roadwarrior and enter the IP address into the field beneath.
> If you want to give access to a couple of roadwarriors, activate the radio button Address Pool and enter the IP address of the address pool and the related subnet mask. An IP address out of this pool will be assigned to the roadwarrior if it connects to the network.
> If you want to set up the firewall rules automatically, activate the checkbox Automatically create firewall rules.
> Click Finish for exiting the wizard.
fig. 152: settings IKEv2

10.1.2.2 L2TP
L2TP combines the PPTP protocol and the L2F protocol. Because L2TP has no authentication, integrity and encryption mechanism, it is combined with IPSec.
> Activate the radio button IPSec Connection with L2TP.
> Click Next.
36.  logged by the IDS.
The system checks the signature of every packet against known attack signatures which are stored in so-called rules.
Notice: Just activate rules which are applicable for your system. Otherwise the IDS stresses the system unnecessarily.
> Select rules in the dialog IDS. Activate the related checkbox.
> Store your settings with Save. The IDS service will be restarted.
fig. 138: select the signature classes

9.8 Nameserver
You have the possibility to forward requests to the local nameserver to external nameservers. The replies of the external nameservers will be transmitted to the requesting application or the requesting service.
> Select the menu item applications from the navigation bar and click on nameserver in the dropdown menu. The dialog Nameserver appears.
> Enter the IP address of the external nameserver into the field at the bottom of the dialog.
> Click Add IP Address to apply the nameserver to the list. You can delete listed nameservers by using the trashcan button.
> Click Save to store the settings and leave the dialog.
fig. 139: add external nameserver
37.  message is shown by opening the new browser window.
Warning: "Changes on this Settings may crash the system. Do you want to continue?"
fig. 193: warning by clicking menu item advanced settings

12.6.1 Buttons
If you made changes in this section, the changes will not take effect until you update the application, the interface or the rule.
Closes the browser window Advanced Settings.
fig. 194: buttons in the window advanced settings

12.6.2 IPSec
You can disable the support of IKEv1 and IKEv2 for IPSec connections. If you disable both servers, IPSec connections cannot be established.
> To disable a server, click the related button Off.
> To enable a server, click the related button On.
fig. 195: switch states of IKEv1 and IKEv2 servers

12.6.3 Portfilter
Make a setting for the allowance of IPSec connections.
> Activate the first checkbox to Accept all incoming IPSec.
> Activate the checkbox Allow related connections to allow iptables to accept all packets of existing connections per connection tracking.
> Store the settings with Save
38.  fig. 48: high availability environment

> Click Add Interface. The Interface Wizard appears.
> Select the desired interface type, in this case Cluster.
> Click Next. The configuration window of Cluster Interface appears.
> Select in the field Interface to which physical interface the cluster interface should be bound. The physical interface persists to support the management IP address.
> In the field Cluster Interface a name is predetermined.
> Insert the virtual IP address of the appliance in the field Cluster IP.
> Enter the subnet mask into the field Mask.
> In the section Spare IPs enter the management IP address(es) of the spare machine(s).
> Type the IP address and the related subnet mask into the fields IP and Mask and click Add. The IP address will be shown in the list.
> With the trashcan beneath the IP address you can delete the related entry.
> Select the related zones in the section Zones. Normally the zones of the physical interface will be adopted.
> Click Finish to complete the configuration. After the interface is added, you have to press the button Update Interface.
39.  portable OpenVPN client, a preconfigured configuration file and the needed certificates.
fig. 207: save dialog of the Mozilla Firefox
> Decompress the ZIP archive and save the directory on your computer or on a USB flash drive.
> Open the directory. Double-click the file OpenVPNPortable.exe. The OpenVPN client starts. The OpenVPN client icon appears in the taskbar beneath the clock.
> Click it with the right mouse button. The context menu appears. Start the SSL VPN connection by clicking Connect.
fig. 208: context menu of the VPN client in the taskbar

14.4 Spamfilter
If the user is a member of the groups User Interface and Spam Filter User, he can access the Spam filter interface.
The user can check which e-mails were classified as spam or ham by the system. If he finds e-mails which are misclassified as spam, he can mark them as ham. It is important to move unidentified spam mails from the ham section into the spam section to train the adaptive filter (Bayes filter).
The spam filt
40.  primary and secondary Nameserver. Enter the IP address of the primary and secondary WINS server (if you use one).
> Store your settings with Save.
fig. 160: define IP addresses of DNS and WINS servers

10.5 PPTP
The basic settings of VPN via PPTP are nearly identical to the settings of L2TP. The basic settings of the PPTP interface and address pool are set on the tab General. On the other tab enter the IP addresses of the name server and the WINS servers.
> Click PPTP in the VPN dropdown menu. The dialog VPN PPTP appears.
> In the tab General you have to adjust basic settings.
> Enter the IP which should be used by the PPTP interface in the field Local PPTP IP. An explicit PPTP interface doesn't exist. The entered IP address will be bound as a virtual address to the external interface.
> Under PPTP Address Pool adjust a PPTP address pool. This must be set in the same subnet as the PPTP IP address. The left field contains the start address and the right field the end address of the address pool.
> For the Maximum Transmission Unit (MTU) the default value 1300 should be retained.
> You can select if you want to use an authentication against a Radius server. Enable or disable the R
41.  safety measures in respect of network, web and e-mail security. The appliance offers firewall, IDS and VPN functionality, proxies, automatic virus scanning, web content and spam filtering, clustering, high availability and multipath routing functionality. It provides several authentication methods and encrypted access to the network.
The combination of these functions in one system minimizes the administrative and integrative complexity in contrast to individual solutions. The appliance is administrated with a clearly structured web interface.
The Securepoint UTM solution is available as a pure software version or as sundry appliances which are especially adapted to the requests. The solutions vary from home office and small office networks to great company networks with several hundred computers.

Part 1: The Administration Interface

2 The Appliances
The firewall software is installed on hardware which is especially designed for the purpose of network protection. The portfolio of Securepoint contains 7 appliances. The appliances are adapted to different network sizes, and consequently the processing speed, the memory capacity, the disk space, the throughput rate and the numbers of interfaces of the machines vary.
VPN throughput
Piranja | up to 5 | 100 Mbit/s | 70 Mbit/s
RC 100 | 1
42.  the settings for the password.
You decide if the user may change the password himself, if the password must contain numbers, special characters, lower- and uppercase letters, and the minimal password length. The password can only be changed in the user interface.
> Switch to the tab Extras.
> If the user is allowed to change the password, check the checkbox User can change password.
> Select the Minimum password length.
> Decide which characters the password must contain: numbers, special characters, lower- and uppercase letters.
> Store your settings with Save.
fig. 171: password properties

11.1.6 Add User, Tab WoL
The abbreviation WoL stands for Wake on LAN. You can start turned-off computers over LAN. The mainboard and the network adapter must support ACPI to use this function. The option must be set in the BIOS and in the network adapter settings.
If this option is set for a user, the user can start listed computers over the user interface. The membership UserInterface is required.
> Switch to the tab WoL.
> Activate the checkbox Enable WoL.
> Enter the name of the
43.  the website http://www.java.com.
> Enter your user name into the field User and your password into the field Password.
> Click Connect to log in to the system.
> If the login was successful, the button text changes to Disconnect. Click this button for Logout. You also log out from the system by closing the applet window.
> If the login wasn't successful, the text "Wrong username password" appears.
fig. 219: SPUVA login per Java applet

14.6 Wake on LAN
This section is only visible for users who are authorized to use the Wake on LAN function. The user can start registered computers remotely. The user can access the remote computer if according rules are defined.
This function must be supported by the computer. The settings for this function are made in the BIOS or in the network adapter settings.
> Click on the button Wake on LAN in the User Interface. The dialog Wake on Lan appears. Here all computers are listed which you are allowed to start.
> Click on the button with the start symbol. The related computer will be started.
fig. 220: start remote computer

14.7 Download Section
Every user who is member o
44.  use of a rule is logged and in which grade of accuracy. The logging data in Syslog format can be stored on a server. So you can analyse logging data at a later time.
> To add a server for protocol data, click on Add Syslog Server. The dialog Add Syslog Server appears.
> Enter the IP address or the host name into the input field and click Add. You can delete a server in the list by clicking the trashcan icon beneath the entry.
fig. 36: tab syslog of the Server Settings dialog

7.1.4 SNMP
The Simple Network Management Protocol (SNMP) is a network protocol to control network devices centrally. With this protocol you can read the values of interface traffic, processor and memory utilization. The versions 1 and 2c are supported.
The remote computer must be set as an authorized host to read the data. Furthermore an SNMP client and the SNMP service must be installed on the remote computer. The host must also know the Community String.
> Activate the SNMP Version you want to support. You can support both versions at the same time.
> Set a keyword into the field Community String. Advise the remote user of this keyword.
> At the bottom of the section Enable access from networks enter an IP
45. 0 to 25 | 100 Mbit/s | 100 Mbit/s
RC 200 | 25 to 50 | 400 Mbit/s | 260 Mbit/s
RC 300 | 50 to 100 | 1000 Mbit/s | 700 Mbit/s
RC 310 | 50 to 100 | 1000 Mbit/s | 1000 Mbit/s
RC 400 | 100 to 500 | 1000 Mbit/s | 1000 Mbit/s
RC 410 | 100 to 500 | 1000 Mbit/s | 1000 Mbit/s

machine | CPU | ... | USB ports
Piranja | VIA C3 / Eden 533 | 1 GB Compact Flash | 3 x 10/100
RC 100 | VIA C7 1 GHz | 1 GB | 80 GB | 3 x 10/100 Ethernet ports
RC 200 | Intel M 1.0 GHz | 1 GB | 80 GB | 4 x 10/100/1000
RC 300 | Intel Core2 Duo E4500 2 x 2.2 GHz | 1 GB | 80 GB | 6 x 10/1000 Ethernet ports
RC 310 | Pentium D 2 x 3.4 GHz | 1 GB | 2 x 80 GB | 6 x 10/1000 Ethernet ports
RC 400 | Xeon 5335 | 2 GB | 2 x 73 GB | 10 x 10/1000 | 4
RC 410 | Xeon 1.8 GHz | 2 GB | 2 x 73 GB | 10 x 10/1000 | 4

3 Positioning the Appliance
In the network setup the appliance is positioned behind the modem. If a network is operated behind the appliance, a switch or hub must be placed between the UTM and the network. If you only use one computer, you can connect it directly to the appliance.
fig. 1: position of the appliance in the network

3.1 Piranja and RC 100
The Piranja and the RC 100 appliances have 3 Ethernet ports (LAN 1 to LAN 3), one serial interface (D-Sub) and two USB ports.
The three network ports are intended for different networks. The interface eth0 is reached thro
46. fig. 49: add cluster interface, set properties

7.2.1.7 Edit or Delete an Interface
In the list of all interfaces on the tab Interfaces, a wrench symbol and a trashcan symbol are positioned beneath the entries. With these buttons the entries can be edited or deleted.
- For editing, click the wrench symbol. The dialog Change Interface appears.
- Change the settings and save the new properties with Save.
- For deleting, click the trashcan symbol.
- Click Yes at the confirmation prompt. The entry will be deleted.

7.2.2 Routing
Routing entries define via which gateway a destination has to be reached.
The default route defines that all destinations are reachable via the internal gateway (internal interface).
fig. 50: list of routing entries

7.2.2.1 Edit or Delete Routes
In the list of all routing entries on the tab Routing, a wrench symbol and a trashcan symbol are positioned beneath the entries. With these buttons the entries can be edi
47. 8.3.1 Port Forwarding
With port forwarding you can forward requests that are directed to a specified port to a defined computer. For example, you can forward HTTP requests on port 80 directly to the web server. For this forwarding a network object must exist for the web server.
- Click Port Forwarding in the dropdown menu of the Firewall icon. The window Port Forwarding appears, which displays all forwarding rules.
- Click Add to create a new forwarding. The dialog Add Port Forwarding appears.
- Select Port Forwarding as type.
- Under Source select from which network the request is coming.
- Under Interface define which interface is used by the request.
- For Destination select a network object to which the request should be forwarded.
- Under External Port select the service, and hence the port, which should be used.
- Store your settings with Save.
Note: A rule in the portfilter must be set to allow the port forwarding.
fig. 76: create port forwarding rule

8.3.2 Port Translation
With port translation you can change default ports to self-defined ports.
Example: You want to run two web servers in the DMZ. But the default HTTP port 80 cannot be set twice. So you redirect the port to
48. fig. 204: raw data of the log entries

13.6 Colored Labeling of the Service in the Live Log
tag | description
Communication between Securepoint client and server
Communication between dhcp client and server
Co
49. Blacklist entries will be blocked without checking.
- Enter complete e-mail addresses on the tab E-Mail (Whitelist and Blacklist).
- Enter domains on the tab Domain (Whitelist and Blacklist).
- Enter host IP addresses or host names on the tab Host (Whitelist and Blacklist).
fig. 131: global Whitelist and Blacklist

9.4.6 POP3 Settings
Here you can define settings for the POP3 e-mail retrieval service. You can check all mailboxes for viruses and undesired attachments or just specified mailboxes.
- The subject of spam e-mails will be tagged. Edit the tag in the field Edit message in subject when spam.
- Decide on the left side if all mailboxes should be scanned for viruses or just specified ones. If you select the option specific mailboxes, enter the user names whose mailboxes should be scanned.
- Decide on the right side if all mailboxes should be scanned for undesired attachments or just specified ones. If you select the option specific mailboxes, enter the user names whose mailboxes should be scanned.
50. 12.1.2 CLI Send Command
12.2 Updates
12.2.1 Update the Firewall
12.2.2 Update Virus Pattern Database
12.6 Advanced
13 Menu Live Log
13.2 Search function
13.4 Details of a Log Message
13.6 Colored Labeling of the Service in the Live Log
Part 2
14.1 The User Interface Sections
Change Password
Download SSL VPN Client
14.4.1 Overview over the spam filter interface
14.4.3 Details of an E-Mail
51. For this you have to use special CLI commands. For further information on these commands, check the CLI reference which is available on the Securepoint website.
- Type the desired CLI command into the field CLI.
- Confirm the sending of the command with Send Command.
- The command and the answer of the firewall appear in the text window.
fig. 186: send CLI command

12.2 Updates
You can update the firewall software and the virus pattern database at this menu item. The firewall connects to the Securepoint Server and looks for new versions.
Updates are only available with a valid license.
fig. 187: dialog for updating firewall software and virus pattern database

12.2.1 Update the Firewall
The version of the firewall software is given as a build number. First check if a newer version is available. An immediate update will not check the build number but rather updates the firewall with the same version number.
The update stops all services and restarts the firewall. Therefore you should update the software only if a newer versi
52. fig. 104: block remote support and messaging programs

9.1.6 Content Filter
9.1.6.1 Blacklist Categories
The Content Filter blocks websites with defined content. You can select from several predefined content categories. The categories contain tags and keywords which are characteristic for the respective content. The keywords are weighted by their directness. If the sum of keywords exceeds a defined limit (Naughtylesslimit), the website will be blocked. The higher the Naughtylesslimit, the less likely a website is to be blocked.
- Select the categories you want to block. Activate the related checkbox.
- Define the threshold (Naughtylesslimit). Consider that a low threshold could block many sites which don't meet the conditions for the selected categories.
- Store your settings with Save.
fig. 105: content filter of the HTTP proxy, tab blacklist categories
53. 7.2.4.1 Create or Edit a DynDNS Entry
7.2.4.2 Delete a DynDNS Entry
8.1.3 Organize Rules and Groups
8.3.1 Port Forwarding
8.5.1 Edit Existing Service
8.5.2 Create New Service Group
8.6.1 Network Object Information
8.7.2 Network Group Information
9.1.1 General
9.1.6.1 Blacklist Cate
54. Member all network objects are listed which are elements of the selected network object group.
You can add network objects to the selected group by highlighting objects in the left table and clicking the rightwards arrow button. The selected network objects will be moved to the right table.
You can delete network objects from the group by highlighting objects in the right table and clicking the leftwards arrow button. The selected network objects will be removed from the right table.
Click the button Update Rule to apply the network group changes to the rules of the portfilter.
fig. 95: network groups dialog

8.7.1 Network Object Information
The function Infobox shows information about the network object when the mouse cursor rolls over it.
You can enable this function by unchecking the checkbox Disable Infobox.
The infobox shows the name, IP add
55. Password. Confirm the password in the field Confirm Password.
fig. 112: general settings for the mail relay and the Smarthost

9.3.2 Relaying
On the tab Relaying you decide how to deal with e-mails of recorded hosts and domains.
E-mails which are directed to your domain should be relayed to your internal mail server. If the internal mail server also uses the firewall for sending e-mails, you have to enter its IP address.
You have the possibility to use relay blocking lists. In these lists, computers are registered which are known for sending spam e-mails. With these lists, mail servers could also be blocked which were listed by mistake or whose misuse was a long time ago.
You can also enable SMTP authentication for local users. The selected certificates are used for encryption of the data traffic.
56. fig. 140: overview of the services, their states and their classification to critical services

10 Menu VPN
The Virtual Private Network (VPN) connects several computers or networks with the local network. This is realized by a tunneling connection through the internet. For the user, the tunneling connection seems to be a normal network connection to the destination host. The VPN provides the user with a virtual IP connection. The transmitted data packets are encrypted by the client and decrypted by the firewall, and vice versa.
For transmitting the data, several protocols are used. The methods vary in degree of safety and complexity.
fig. 141: dropdown menu VPN

L2TP: Combination and enhancement of PPTP and L2F. Is supported by MS Windows.
PPTP: Point-to-Point Tunneling Protocol; doesn't use comprehensive encryption. Is supported by MS Windows.
SSL VPN: Uses the TLS/SSL encryption protocol.

10.1 IPSec Wizard
The assistant for creating IPSec VPN connections guides you step by step through the several configuration points.
You can choose between a site-to-site or a roadwarrior connection.
A site-to-site connection interlinks two networks. For example: The local netw
57. Securepoint 10

Product Overview
This manual applies to the following products.

VPN Product: Terra VPN Gateway
The Terra VPN Gateway has fewer functions than the Securepoint UTM products. These limitations affect the functions of the application proxies, virus scanner, spam filter and content filter.
If you purchase the Terra VPN Gateway, you can easily upgrade to the Securepoint UTM product with a registration key. Yearly update costs are incurred for this. For further information contact our sales department (vertrieb@securepoint.de).

UTM Products: Terra UTM Gateway, Piranja, RC100, RC200, RC300, RC310, RC400, RC410, Securepoint 10 for Modular Server, Securepoint 10 for VMware
All Securepoint UTM products have the full UTM function volume.

Content
Product Overview
VPN Product
UTM Products
1 Introduction
Part 1 The Administration Interface
2 The Appliances
3 Positioning the Appliance
3.1 Piranja and RC 100
4 Administration Interface
4.1 Connecting the Appliance
4.2 System Requirements for Client Computer
5 Securepoint Cockpit
5.1 Navigation Bar
5.4 Service Status
58. Stop logging: Click the button again to stop the logging.

13.2 Search function
When you have started the live logging, all events which are logged will be shown.
If you are looking for something specific, use the filter function. You find the filter function centered above the event table. The function works only when the logging is active.
- Stop a running logging.
- Select a pattern from the dropdown box Filter pattern:
  o Time: Filters the entries by time.
  o Service: Filters the entries by service.
  o Content: Filters the entries by message text.
- Enter a search pattern into the right field. The search pattern depends on the selected filter.
  o Time can be given in hours, minutes and seconds. Use colons as separators. For example: 13:16:09, 8:36:00
    You can filter by hours and skip the minutes and the seconds. The entry must end with a colon. For example: 16:, 9:
    You can filter by minutes and skip the hours and seconds. The entry must begin and end with a colon. For example: :27:, :09:
  o Service: If you filter by service, you don't have to know the exact service name. You can also use parts of words. For example: webserver, server
  o Content: The content of protocol messages is very different. If you don't know a concrete error
59. fig. 113: relaying settings

- To add a domain, click Add Domain. The dialog Add Relay Domain appears.
- Enter a domain in the field Domain.
- Select None, To, From or Connect in the dropdown field Option.
- In the field Action choose between Relay (forward), Reject (block) and OK (accept).
- Click Add.

- To add a host, click Add Host. The dialog Add Host or IP Address appears.
- Enter a host name or an IP address into the field Host or IP Address.
- In the field Action choose between Relay, Reject and OK.
- Click Add.
fig. 114: add domain
fig. 115: add IP address

9.3.3 Mail Routing
The mail routing defines which mail server is responsible for e-mail addresses in which domain.
You can activate an e-mail validation against different databases or against a local file. E-mail to addresses which don't exist will be directly rejected by the mail relay.
- To enable the e-mail validation, activate one checkbox Validate E mail addres
60. fig. 9: licence area

5.3 System
In this area the current system utilization and the number of active TCP/UDP connections are shown.
CPU: Utilization of the processor
RAM: Utilization of the memory, graphical and in percentage
SWAP: Utilization of the swap file, graphical and in percentage
Current TCP Connections: Number of current TCP connections
Current UDP Connections: Number of current UDP connections
Start Configuration: Name of the start configuration
Running Configuration: Name of the running configuration
fig. 10: system status

5.4 Service Status
The table shows a list of all available services and their status. Next to the HTTP proxy, POP3 proxy and Mail Relay services, the state of the virus scanning is shown.
An active service is illustrated by a green circle. A grey circle shows that the service is inactive.
service | description
SSH Server | Secure Shell. Allows an encrypted connection to the appliance.
Mail Relay | service for
61. acters, numerals and special characters. Your password should be eight characters long.

4.2 System Requirements for Client Computer
- Operating system: MS Windows XP and higher or Linux
- Processor: Pentium 4 with 1.8 GHz and higher or equivalent
- Memory: 512 MB or more
- Browser: preferably MS Internet Explorer 7 and Mozilla Firefox 3

5 Securepoint Cockpit
The first screen shown after login to the trusted area displays an overview of the hardware and services status. It also contains the navigation bar, license information, active connections and available downloads.
This view is always open. All further configuration options and settings are handled in popup windows. After editing the settings, the popup windows will be closed and the cockpit in the background will be activated again.
The lists in the cockpit can be closed to adapt the display to your needs.
62. 5.11 Web Interface
5.13.2 Traffic Details and Traffic Zoom
6.1 Configuration Management
7.1.5 Monitor Agent (AmdoSoft v4 Agent)
Add PPPoE Interface
7.2.1.5 Add VDSL Interface
7.2.1.6 Add Cluster Interface
7.2.1.7 Edit or Delete an Interface
63. adius Server Authentication by selecting On or Off.
- Store your settings with Save.
fig. 161: adjust IP address, address pool and authentication

In the tab DNS/WINS enter the IP addresses of the name server and of the WINS server (Windows Internet Name Service), if you use one. This will be forwarded to the PPTP network.
- Switch to the tab DNS/WINS.
- Enter the IP address of the primary and secondary Nameserver.
- Enter the IP address of the primary and secondary WINS server, if you use one.
- Store your settings with Save.
fig. 162: define IP addresses of DNS and WINS servers

10.6 SSL VPN
In this section you can set the general settings for SSL-encrypted VPN connections.
- Enter the desired IP which should be used by the virtual interface in the field SSL VPN IP.
This VPN connection will be established over a separate virtual interface. The address pool depends on the IP address of the tun interface. If you change the IP addre
64. alled name resolution. The reverse search to detect the hostname of an IP address is not supported.
- Enter a hostname into the field Host name.
- Click on the icon Lookup. If the host is known, all related IP addresses will be shown.
fig. 61: looking for IP addresses

7.4.2 Ping
A Ping checks if a defined computer is reachable in the IP network. The appliance sends an ICMP echo request to the computer, the so-called Ping. The appliance expects an ICMP echo reply as an answer (often called Pong). If the remote computer sends this answer, the computer is reachable.
If the computer is not reachable, the function shows the message undefined. The query also fails if the computer is configured to not answer Pings.
- Enter a hostname or an IP address into the field Please enter a host.
- Click on the icon Ping. If the computer answers, the times the response packets needed and the average time of all packets are shown. Furthermore, the list shows how many packets were sent, received and lost. If the host does not answer, the message undefined will be shown.
65. an reach the user interface with their web browser over the IP address of the internal interface by using the HTTPS protocol (for example: https://192.168.175.1).
If the users want to enter the user interface from outside the internal net (for example from the internet or the DMZ), the administrator has to create a firewall rule for reaching the internal interface from outside with the HTTPS protocol.

14.1 The User Interface Sections
The user interface has several sections. The user can access the sections depending on his group membership.
fig. 205: login screen

Change password | Dialog to change the password. Password length and characters to use according to the settings in the user management. | User Interface with possibility to change password (User management > tab Extras)
Spam filter | Shows all received e-mails and their classification into ham (desired e-mails) and spam (undesired e-mails). Possibility for resorting of misclassified e-mails. | User Interface with Spam Filter Admin
Download SSL VPN client | ZIP archive which includes the portable OpenVPN client, preconfigured configuration file, CA and user certificate. | User Interface with SSL VPN
SPUVA Login | Central user authentication to log in to the system | User Interface with SPUVA
Wake o
66. and Password.
- Enter the address of the DynDNS server into the field Server.
- In the field MX enter the domain for the e-mail reception (for example securepoint.de).
- Select the interface which should be used for this connection from the field Interface (mostly a ppp interface).
fig. 57: create a DynDNS entry

7.2.4.2 Delete a DynDNS Entry
- To delete a DynDNS entry, click on the trashcan symbol beneath the relevant entry.
- Confirm the security query with Yes.
- The DynDNS entry will be deleted.

7.2.5 DHCP
The Dynamic Host Configuration Protocol can assign IP addresses and other network settings to the clients. If you start a client of the internal network, the operating system of the client sends a query to the DHCP service of the server. The server transmits an available IP address, the IP addresses of the DNS server and of the default gateway to the client.
If you don't want to use this service, make no entries in this section and disable the client DHCP Server in the menu applications > Service Status.
- Enter the internal subnet into the field Local Subnet and the related subnet mask into the field Netmask.
- Define the IP address range. The DHCP se
67. anning of e-mails.
- Mail Relay: Settings of the mail server.
- Forwarding of remote control programs.
- Activate and deactivate services.

9.1 HTTP Proxy

The HTTP proxy is set between the internal net and the internet. It analyzes content of internet sites, blocks suspicious websites and checks data for viruses.
The client sends his query to the proxy. The proxy gets the data from the internet, analyses it and sends it to the client. The proxy acts as an exchange agent. For the client the proxy acts as a server. For the server in the internet the proxy acts as a client.

9.1.1 General

On the tab General you can make basic settings for the proxy.

- Set up the port of the proxy. The default port is 8080.
- If you want to define the Outgoing Address enter the desired IP address.
- If you use another proxy, activate the checkbox Cascade. In this case enter the IP address of the other proxy in the field Parent Proxy and the port in the field Parent Proxy Port.
- Decide in which networks the proxy should be activated as a transparent proxy. Transparent means that the proxy isn't visible for the user. You needn't insert the proxy settings in the browser. The firewall conducts the packets to the proxy automatically. But if you don't insert the proxy setting in the browser the user authentication fails and protocols like HTTPS and FTP must be activated by rules.
- Unde
68. fig. 123: domain mapping settings

- To add a domain mapping rule, click the button Add Domain Mapping. The dialog Add Domain Mapping appears.
- Enter the domain of the incoming e-mail in Source Domain.
- Enter the new domain in Destination Domain.
- Click Add.

fig. 124: add a domain mapping rule

9.3.6 Advanced

This section offers settings that protect the mail relay with a basic mechanism.

fig. 125: protecting mechanism on the tab advanced (options shown: Enable Greeting Pause, Prevent recipient flooding, Limit max number of recipients, Limit connections (prevent DDoS), Enable rate control)

9.3.6.1 Greet
69. ation via certificate and IKEv2

10.1.2.1.1 IKEv1

If you selected IKEv1 you have to specify the local network and an IP address for the roadwarrior.

- Enter the network the roadwarrior connects to into the field Local Network.
- Select the related subnet mask from the dropdown box Local Mask.
- Enter an IP address from the subnet into the field Roadwarrior IP address. This IP will be assigned to the roadwarrior when it connects to the local network.
- If you want to set up the firewall rules automatically, activate the checkbox Automatically create firewall rules.
- Click Finish for exiting the wizard.

fig. 151: settings IKEv1

10.1.2.1.2 IKEv2

If you selected IKEv2 you have to enter an individual IP address for the roadwarrior or an address pool.

- Enter the network the roadwarrior connects to into the field Local Network.
- Select the related subnet mask from the dropdown box Local Mask.
- Activate the radio button Single Roadwarrior IP address if you want to give access to
70. box Templates. The template will be displayed in the section Template Content.
- Adjust the template for your needs.
- Store the changes with Save Template.
- For applying the changes immediately click the button Update Applications.

fig. 198: edit template

12.6.6 Variables

On this tab you can show the template variables and their values. You can also add new variables. The added values just stay until a reboot of the appliance.

- Select the application from which you want to see the variables in the dropdown box Applications.
- The variables are shown in the window Entries.
- To show the value of a variable click on the loupe symbol in the related row. The value is shown in the window Entry Value.
- Click the trashcan symbol to delete the value.
- Beneath the dropdown box Applications is an entry field. To add a variable enter the name of the new variable in this field and click Add Entry.
- The changes are saved immediately and exist until the next reboot of the appliance. For a
71. can define e-mails which should be excluded from the greylisting. They will be forwarded at the first delivery attempt.
In the section IP Address / Net you can exclude e-mails from the greylisting which come from defined IP addresses and networks.

- Enter an IP address into the field at the bottom of the window.
- Select the related subnet mask from the dropdown field.
- Click Add IP Address / Net. The IP address will be saved in the whitelist.

fig. 119: Whitelist, IP Addresses / Net

9.3.4.2 Whitelist Domains

You can also exclude e-mails from the greylisting which come from defined domains. The specifications are only made in second- and top-level domains.

- Enter a domain in the field at the bottom of the window.
- Click the button Add Domain. The domain will be saved in the whitelist.

fig. 120: Whitelist, Domain

Note: The domain isn't the domain of the e-mail address, but the domain of the mail server which delivers the e-mail.
72. fig. 101: HTTP proxy dialog, tab virus scanning

9.1.3 URL Filter

With the URL filter you can block the access to websites by defining the URL. The filter is adjustable by two lists. The blacklist contains URLs of blocked websites. The whitelist contains addresses of allowed websites.
If you select an authentication mode on the tab General, websites on the blacklist are visible for authenticated users. If you want to use the blacklist for all users, activate the option Use lists with authentication.

- Switch to the tab URL Filter.
- Enable the filter by activating the checkbox URL Filter.
- Activate the option Use lists with authentication to block sites from the blacklist universally.
- You can edit the entries by clicking the related wrench symbol. You can delete the entries by clicking the related trashcan symbol.
- Add entries to the lists
73. ce basic settings. Administrator IP addresses, time zone and log server IP address.
- Network Configuration: Network settings. Setting of IP addresses and subnets of interfaces, DSL connection, DynDNS service, routing and DHCP server.
- Zone Configuration: Assign interfaces to zones and create new zones.
- Network Tools: Tools: Lookup, Ping and lists the routing table.

7.1 Server Properties

In this section basic settings for the appliance will be set. The dialog contains the tabs Server Settings, Administration, Syslog and Cluster Settings.

7.1.1 Server Settings

On this tab you can set the appliance name, the Domain Name Service server and the Network Time Protocol server.

- Enter the domain name of the firewall into the field Servername.
- Enter the IP address of the Domain Name Service server into the field Primary Nameserver. If you use a second name server enter its IP address into the field Secondary Nameserver.
- Enter the IP address or the host name of a time server into the field NTP Server and select your time zone in the dropdown box Timezone.
- You can limit the number of TCP/IP connections. The number must range between 16 000 and 2 000 000. Enter the number into the field Maximum number of active connections.
- Select from the dropdown box Last Rule Logging the protocol accuracy for dropped packets.
74. computer in to the first field below the list.
- Select the interface from the dropdown box the computer is connected to.
- Enter the MAC address of the network adapter of the remote computer into the third field. The address must be given in double characters separated by a colon.
- Click Add.

fig. 172: computer which can be started by the user

11.2 External Authentication

For user authentication you can not only use the local database but also external authentication databases. The appliance offers checking against a Radius or LDAP server. For the HTTP proxy you can also select authentication with the Kerberos service.

11.2.1 Radius

Enter the access data for the Radius server on the tab Radius.

- Open the dialog External Authentication.
- On the tab Radius insert the data of the Radius server.
- Insert the hostname or the IP address of the server in the field IP address or host name.
- Under Mutual secret key insert the password and retype it in the field Confirm mutual secret key.
- Store your settings with Save.
75. e

- Activate the detailed view with a double click in the row of the desired e-mails.
- Attachment of the mail will be displayed as a hyperlink in the row at the bottom of the window.
- Click on the hyperlink to download the attachment.

fig. 211: view of details

14.4.4 Action on the Tab Ham

You can execute the following actions on the e-mails.

- Mark selected e-mails as spam: Marks the selected e-mails as spam and moves them to the tab Spam.
- Delete selected e-mails: Moves the marked e-mails to the tab Trash.
- Resend selected e-mails: Sends the marked e-mails again.
- Select all e-mails: Marks all e-mails on this tab.
- Delete all e-mails: Moves all e-mails on this tab to the tab Trash.
- Resend all e-mails: Sends all e-mails on the tab again.

fig. 212: actions on the tab Ham

14.4.5 Action on the Tab Spam

You can
76. fig. 148: name of the connection

You can set up the IPSec (Internet Protocol Security) connection with or without L2TP (Layer 2 Tunneling Protocol).
You need a separate client for native IPSec (without L2TP). The operating system Microsoft Windows 7 already includes a native IPSec client.

10.1.2.1 native IPSec

- Activate the radio button Native IPSec.
- Click Next.

fig. 149: select native IPSec

Choose between the authentication methods preshared key and certificate. Furthermore select the IKE version you want to use.

- If you choose preshared key activate the radio button Preshared Key and enter the key into the field beneath.
- If you choose certificate activate the radio button x.509 Certificate and select a server certificate from the dropdown box.
- Choose between IKEv1 and IKEv2 and activate the relative radio button.
- Click Next.

fig. 150: authentic
77. e Certificate Revocation Lists are listed. These lists have the same name as the relating CA. If a certificate is revoked, it is stored in the CRL of the CA it is signed with.
The lists can be exported, so other sites which also use certificates of the appliance can be informed of revoked certificates.
Furthermore CRLs from other sites can be imported. These files must have the CRL format.

- Switch to the tab CRLs. All CRLs of self created CAs and imported CRLs are shown on this tab.
- To export a CRL click the button with the disk symbol. The browser will open a dialog in which you can select the saving path.
- To import a CRL click the button with the label Import. Enter the whole path of the file into the appearing dialog or click Browse to search the file in the local system. Afterward click Import.
- Imported CRLs can also be deleted. Click the button with the trashcan symbol to delete the relating CRL. Confirm the security question.

fig. 183: tab CRLs

12 Menu Extras

In this section you will find options to customize the administration interface and functions for advanced users.

fig. 184: dropdown menu extras

- CLI: Command Lin
78. e Interface. Logging of the command line in- and output. Sending commands to the appliance.
- Changelog: Shows changes from one version to the previous version of the firewall software.
- Refresh Cockpit: Reloads the values of the cockpit. The button in the navigation bar offers the same function.

12.1 CLI

The command line interface (CLI) sends commands to the firewall software. Most functions of the administration interface are based on such commands. This section offers to log the in- and output of the CLI. Furthermore you can send commands directly to the firewall.

12.1.1 CLI Log

On this tab you can activate the logging of the CLI in- and output. The logging is disabled by default.
Commands sent to the firewall are colored blue. Answers of the firewall are colored green.

- To enable the logging, activate the checkbox Enable CLI Log.
- The logging can always show the current entries. To enable this function activate the checkbox Enable autoscroll.

fig. 185: CLI logging

12.1.2 CLI Send Command

In this tab you can send commands directly to the firewall
79. e e-mails on this tab irrevocably.
- Resend all e-mails: Sends all e-mails on the tab again.

fig. 214: actions on the tab Trash

14.4.7 Tab Statistic

On this tab the ratio of spam and deleted e-mails to ham e-mails is shown graphically. Further diagrams show the numbers of mails depending on their origin.

14.4.7.1 Filter

With the filter function above the diagram all statistics can be displayed for different time intervals.

- Select the interval from the dropdown box. Possible intervals are: Today, Yesterday, Last week, Last month.
- Click Refresh to reload the diagram.

fig. 215: select interval

14.4.7.2 Tab General

On this tab a diagram shows the total number of ham e-mails, spam e-mails and deleted e-mails. The blue lines clarify the total amount of every bar on the y axis.
The legend on the right side shows the numbers of every section and the percentage.
80. e of the previous keys. So no one can gather the new key from the previous key.

10.3.1.1 Phase 1

In these settings the basic connection parameters are stored.

Tab General

- Local gateway ID: ID of the appliance. If you use the interface ppp0/eth0 the firewall ID is the IP address of the interface. You can insert the hostname as well, also the DynDNS name.
- Remote host/gateway: Remote VPN gateway or host. Name or IP address.
- ID: Enter the certificate of the remote host, if the connection uses certificates for authentication.
- Authentication: Shows which authentication method is used.
- Local key / Local Certif: Depending on the authentication method, enter the local key (PSK) or the name of the certificate.
- Start automatically: Activate only for site to site connections.
- Dead peer detection: This function recognizes if the connection aborted unexpectedly. If an abort is recognized, the tunnel will be shut down completely to guarantee a new link connection.
- DynDNS name: Mark this checkbox if the remote host uses a DynDNS service.

- Encryption: Encryption method.
- Authentication: Authentication method.
- Strict: If this box is activated, the remote station must use the same settings for key and hash mode (regards phase 1 and phase 2).
- DH Group: Key length of the Diffie-Hellman key.
- IKE life: Duration of an IKE
81. e portfilter and is dropped by the last rule, it could be more sensible to position the blocking rule at the top of the portfilter. Especially if this kind of packets come in often.
You can not only move single rules but also rule groups and rules inside of a group. It is also possible to move rules from one group into another.
For organizing the rules use "Drag & Drop" and the context menu which opens with a right mouse click.

fig. 72: context menu of the portfilter dialog

The context menu offers the possibility to create rules and groups at defined positions, so you don't have to move them after creation.
Switch the status of a highlighted rule by using the option Toggle Active. The option Toggle Group changes the status of all rules in a group.
The context menu also includes the options Edit and Delete.
In the second column of every row you will find the wrench and the trashcan symbol for editing and deletion.
Instrumental in managing the rule set are the options Open Groups and Close Groups. They open or close all groups in the list. The symbols in front of the groups open or close a single group.

- The green symbol with the two arrows presents a closed group. Click on it to open the group.
- The red symbol presents an open group. Click on it to cl
82. Table of contents (extract; only the legible entries are kept)

11 Menu Authentication
11.1.1 Add User Tab General
11.1.3 Add User Tab VPN Client
11.1.4 Add User Tab Spam Filter
11.2 External Authentication
11.3.2 Create Certificates
11.3.3 Import CA and Certificate
11.3.4 Export CA and Certificate
11.3.5 Download SSL VPN Client
11.3.6 Delete CA and Certificate
83. eeds the membership in the group User Interface.
If the user isn't member of this group you can preconfigure the SSL VPN package anyway. You just have to hand the package to the SSL VPN user (see chapter 14.3).

- To enable the preconfiguration, activate the checkbox Enable VPN Client.
- Select a user certificate from the dropdown box Certificate. If no certificate is shown, you have to create one first.
- Select an IP address or a hostname in the field SSL VPN Gateway which is used by the SSL VPN service. Either select a dynamic DNS entry from the dropdown box or enter an IP address or host name into the field Alternative.
- The option Redirect default gateway to remote site reroutes the whole internet traffic of the VPN user over the appliance.
- Click the button Download Client to download the client package as a zip archive.

fig. 169: setting for preconfigured SSL VPN client

11.1.4 Add User Tab Spam Filter

Is the user
84. ent to the server but also the server to the client.

- Switch to the tab Kerberos.
- Enter the LDAP group name of the group you want to give access into the field Workgroup.
- Enter the domain name of the realm used into the field Domain.
- Under AD Server enter the IP address of the computer which hosts the Kerberos service.
- Enter the IP address of the used DNS server into the field Primary Nameserver.
- Enter the administrator of the Kerberos server into the field User.
- Enter the password of the Kerberos administrator into the field Password and retype it in the field Confirm Password.

fig. 175: access data for the Kerberos server

11.3 Certificates

The appliance uses certificates to authenticate users which connect via VPN. The certificate proves the user's identity and contains a digital signature and statements about the owner.
Certificates are signed by a Certification Authority (CA) to guarantee the genuineness of the certificate. Normally the CA is a third independent and trustable instance. Yo
85. ented time period is the last 24 hours. The measurement is taken every 5 minutes.

fig. 21: graphical display of the data traffic

5.13.1 Traffic Settings

With the button Settings you can configure which interfaces are displayed in this area.
The dialog Interface Traffic Settings shows two lists. The left one shows the available interfaces and the right one the interfaces which are displayed in the cockpit. Highlight an interface and use the arrow buttons to move it to the desired list.

fig. 22: available and displayed interfaces

5.13.2 Traffic Details and Traffic Zoom

A click onto a diagram opens a new window, which shows the graph in higher resolution. It also shows details of the traffic.

fig. 23: details of the data traffic of the interface eth1

You can enlarge a section of the graph by raisi
86. er Type you can choose between Include and Exclude.
- Under Source define which objects should be nated. In this example the internal network.
- Under Interface set the interface which should be used. If you have a static IP address, select eth0. If you use a dynamic IP address, deploy the DSL interface ppp0.
- If the rule should be used for all destinations, select the entry any in the field Destination.
- Position defines the position in the Hide NAT rule table. The rules are executed sequentially, except for the Exclude rules, which are executed first regardless of their position.

fig. 74: create HideNAT rule

8.3 Port Forwarding

The menu item Port Forwarding includes the functions Port Forwarding and Port Translation. Both functions define the destination of packets which reach the firewall at a defined port.
Port Forwarding directs packets arriving at the defined port to a determined computer.
Port Translation replaces the port of an arriving packet with a self defined port.

fig. 75: list of port forwarding and port translation rules
87. er interface only shows e-mails if the spam filter is activated.

14.4.1 Overview over the spam filter interface

The mails are ordered by time (the newest at top).

fig. 209: sections and functions of the spam filter

2 Filter
3 Navigation
4 Action

The display is divided in different sections. Ham shows identified des
88. fig. 44: add VLAN interface, set properties

7.2.1.3 Add PPTP interface

A PPTP interface is used for connecting to the internet by Point to Point Tunneling Protocol. This protocol is primarily used in Austria.

- Click Add Interface. The Interface Wizard appears.
- Select the desired interface type, in this case PPTP.
- Click Next. The configuration window of PPTP Interface appears.
- Select in the field Interface to which physical interface the PPTP interface should be bound. This should be the external interface. It will be replaced by the PPTP interface after completion.
- Enter in Local Ethernet IP Address and Mask the IP address and the subnet mask of the interface.
- The field Modem IP Address expects the IP address which is assigned to you by the internet service provider.
- Select a provider from the dropdown field DSL Provider, which is used to connect to the internet. If you did not create a DSL provider yet, select the entry new and add a provider. Enter the required data into the fields Provider Name, Userna
89. execute the following actions on the e-mails:
    Mark selected e-mails as ham: Marks the selected e-mails as ham and moves them to the tab Ham.
    Delete selected e-mails: Moves the marked e-mails to the tab Trash.
    Resend selected e-mails: Sends the marked e-mails again.
    Mark all e-mails as ham: Marks all e-mails on this tab as ham and moves them to the tab Ham.
    Delete all e-mails: Moves all e-mails on this tab to the tab Trash.
    Resend all e-mails: Sends all e-mails on the tab again.
    [fig. 213: actions on the tab spam]
    14.4.6 Actions on the Tab Trash
    You can execute the following actions on the e-mails:
    Mark selected e-mails as ham: Marks the selected e-mails as ham and moves them to the tab Ham.
    Mark selected e-mails as spam: Marks the selected e-mails as spam and moves them to the tab Spam.
    Delete selected e-mails permanent: Deletes the marked e-mails irrevocably.
    Resend selected e-mails: Sends the marked e-mails again.
    Mark all e-mails as ham: Marks all e-mails on this tab as ham and moves them to the tab Ham.
    Mark all e-mails as spam: Marks all e-mails on this tab as spam and moves them to the tab Spam.
    Delete all e-mails permanent: Deletes th
90. f the CA expires, all certificates which are signed with this CA will become invalid too.
    Enter a name for the CA into the field Name.
    Select your country identifier from the field Country.
    Enter your region into the field State.
    Enter the name of your city into the field City.
    Enter the name of your company into the field Organisation.
    Enter the department into the field Unit.
    Enter your e-mail address into the field E-mail.
    Click Save to create the CA.
    [fig. 177: create CA]
    11.3.2 Create Certificates
    Click in the tab Cert onto Add. The dialog Add Certificate appears.
    The fields Valid from and Valid until define the duration of validity of the certificate. You can enter the date directly into the first field, or click into the field and a calendar appears where you can select the date. The following three fields are reserved for the time (hour, minutes, and seconds).
    Enter a name for the certificate into the field Name.
    Select your country identifier from the field Country.
91. f the group User Interface can access the download section.
    The download section offers files and documents which are stored on the appliance. The hyperlink is positioned in the first column of the list. The second column contains the version of the file and the third column contains a short description of the file.
    Log in to the user interface.
    Click the button Download.
    Click on the hyperlink in the first column to start the download.
    Click on Save (or the equivalent) in the browser query. The download will begin.
    [fig. 221: available downloads]
    15 Zone Concept of the Securepoint Firewall
    To every interface of the appliance one zone or several zones are assigned. For example, the zone internal is assigned to the internal interface and the zone external is assigned to the external interface.
    For the rule set of the firewall, the administrator has to create network objects (IP addresses or networks) and assign one zone to every network object. This action defines behind which interface a network object is positioned.
    A well-known attack scenario on a router is to fake a sender IP address (IP Address Spoofing). If the attacker uses a Sender address from the internal net
92. figuration. The function requires that the external file must be saved in DAT format.
    Click on the button Import. The dialog Import configuration appears.
    Click on browse and select the designated file.
    After that click Import. The configuration will be stored on the application.
    [fig. 32: import external configuration]
    6.2 Reboot System
    The second point of the dropdown menu restarts the appliance. After reboot the start configuration will be loaded. If no configuration is set as a start configuration, you have to set one before the reboot.
    6.3 Halt System
    This point stops the system. The system will neither be rebooted nor shut down anew.
    6.4 Factory Defaults
    Reset the system to factory settings.
    Note: The reset will delete all configurations.
    6.5 Logout
    Click on this button to log out of the system. The appearance of the administration interface will be stored for each user on every logout.
    7 Menu Network
    Network settings like IP addresses of the interfaces, DSL access data etc. are set here. Furthermore you can download updates and apply the license file in this section.
    [fig. 33: dropdown menu of the menu item network, with the entries Server Properties, Network Configuration, Zone Configuration, Network Tools]
    Server Properties Applian
93. gories
    9.1.6.2 Whitelist
    9.1.6.2.1 User
    9.1.6.2.2 IP Addresses
    9.1.6.2.3 Websites
    9.1.7 Bandwidth
    9.2 POP3 Proxy
    9.3 Mail Relay
    9.3.1 General
    9.3.2 Relaying
    9.3.3 Mail Routing
    9.3.4 Greylisting
    9.3.4.1 Whitelist IP address / Net
    9.3.4.2 Whitelist Domains
    9.3.4.3 Whitelist E-mail Recipients
    9.3.4.4 Whitelist E-mail Sender
    9.3.5 Domain Mapping
    9.3.6 Advanced
    9.3.6.1 Greeting Pause
    9.3.6.2 Recipient flooding
    9.3.6.3 Limit max number of recipients
    9.3.6.4 Limit connections
    9.3.6.5 Rate Control
    9.4 Spam Filter Properties
    9.4.1 General
    9.4.2 Attachment Filter
    9.4.3 Virusscan
    9.4.4 SMTP Settings
    9.4.5 SMTP Advanced
    9.4.6 POP3 Settings
    9.5 VNC Repeater
    9.5.1 General
    9.5.2 VNC Server ID
    9.5.3 VNC Server IP
    9.6 VoIP Proxy
    9.6.1 General
    9.6.2 [title illegible]
    9.7 [title illegible]
    9.8 [title illegible]
    9.9 Service Status
    10 Menu VPN
    10.1 IPSec Wizard
    10.1.1 [title illegible]
    10.1.2 Site to End (Roadwarrior)
94. ies for the POP3 proxy
    9.3 Mail Relay
    In this section you set properties for the e-mail service.
    [fig. 111: tabs of the mail relay (General, Relaying, Mail Routing, Greylisting, Domain Mapping, Advanced)]
    General: General settings for spam filter, virus scanner, e-mail administrator and maximum e-mail size.
    Relaying: Allowed relaying hosts and domains.
    9.3.1 General
    Set general settings of the mail relay and a Smarthost.
    A Smarthost must only be set if e-mails should not be sent directly by the appliance.
    Set the dropdown field Virusscanner to ON to scan e-mails for viruses.
    Set the dropdown field Spamfilter to ON to check the e-mails for spam.
    Enter the e-mail address of the e-mail administrator in the field Postmaster E-Mail Address.
    Limit the maximum size of an e-mail. Enter a value in kilobyte in the field Maximal E-Mail Size in KByte (maximum is 10 000 000 KByte).
    If you don't want to limit the e-mail size, set the value to 0.
    If you want to use a Smarthost, activate the checkbox Enable Smarthost.
    Enter the IP address or the host name of the external mail server in the field Smarthost.
    If the external mail server requires an authentication, activate the checkbox Enable Smarthost Authentication.
    Enter your user name and password into the fields Login and
95. ing Pause
    Mail servers send a Greeting Message to the sending mail server. An uncorrupted mail server will deliver more SMTP commands after it gets this message. Spam mail servers don't wait for this message and deliver the mail immediately. The mail relay drops e-mails if the Greeting Message rule has been ignored.
    You can define mail servers that don't have to wait for the Greeting Message. Use the Edit button beneath Define Exceptions and enter the IP address or the host name of the mail server.
    9.3.6.2 Recipient flooding
    Refers to the sending of mails to a lot of recipients, where the recipient addresses are composed randomly. After a defined number of failed delivery attempts a pause of 1 second will be made. This slows down the query of e-mail addresses and makes it inefficient for the address collector.
    9.3.6.3 Limit max number of recipients
    Define a maximum number of recipients inside an e-mail.
    9.3.6.4 Limit connections
    Limits the simultaneous connections to your firewall per second. You can define mail servers by IP address or host name which should be excluded from this limit.
    9.3.6.5 Rate Control
    Limits the simultaneous connections from one server in an interval of one minute (default). Exceptions can be defined. You can define mail servers by IP address or host name which should be excluded from this limit.
    9.4 Spam Filter Pr
96. ings
    [fig. 38: tab Monitor Agent]
    7.1.6 Cluster Settings
    The Securepoint appliance offers the option to set up a high availability environment. For the environment you need at least two appliances. One firewall will be used as active machine (master) and the other one (or more) as backup machine (slave) in standby. If a requisite service or the complete master crashes, the slave machine assumes control.
    Define the interval (in seconds) between the status messages of the master to the slave in the field Delay between advertisment packets.
    Decide how many messages may be missing before the master is detected as crashed. Type the number in the second field.
    Enter a number into the field Cluster ID to identify the cluster formation.
    Enter a keyword for the encryption of the status messages into the field Cluster Secret.
    The option Switch to master if possible sets the appliance as master if it comes back online.
    The Host Status can be offline, master or slave.
    If the status has the value master, the applia
97. ings
    [fig. 133: set ports (VNC Viewer Port 5900, VNC Server Port 5500)]
    9.5.2 VNC Server ID
    If the server connects to the VNC proxy, an ID is assigned to the server. The client connects to the server via the repeater and uses the ID to identify the server.
    To add a Server ID, type it into the field ID at the bottom of the dialog. Click Add.
    Click the trashcan symbol beneath an ID to delete it.
    [fig. 134: tab VNC Server ID]
    9.5.3 VNC Server IP
    If the client initiates the connection, the VNC proxy forwards the query to the IP address of the server.
    To add a Server IP, type it into the field IP at the bottom of the dialog. Click Add.
    Click the trashcan symbol beneath an IP to delete it.
    [fig. 135: tab VNC Server IP]
    9.6 VoIP Proxy
    The VoIP (Voice over IP) proxy offers packet-based telephony over the internet. It supports SIP (Session Initiation Protocol) for initiation of a communication session and RTP (Real-Time Transport Protocol) for broadcasting the speech data.
    General
    Select the interface which is used
98. inish and leave the wizard.
    Enter the user name of the new user into the field Login name.
    Enter the first name and the surname into the field Fullname.
    Assign a password to the user in the field Password and confirm it in the field Confirm Password.
    Click Finish to save the IPSec connection and the user.
    [fig. 156: create L2TP user]
    10.2 IPSec Globals
    Adjust general settings for all IPSec VPN connections.
    10.2.1 General Settings
    On this tab you can activate the option NAT Traversal. This function prevents the manipulation of IPSec packets by address translation. This could occur if the mobile user uses NAT devices himself.
    [fig. 157: option NAT Traversal]
    10.2.2 IKE V2
    The Internet Key Exchange (IKE) protocol is used for managing and exchanging IPSec keys. It arranges the connection establishment and the authentication of the communication partner. Furthermore it is responsible for the negotiation of the e
99. 14.4.7.2 Tab General
    14.4.7.3 Tab Virus
    14.4.7.4 Tab Top Level Domain
    14.5 SPUVA Login
    14.6 Wake on LAN
    14.7 Download Section
    15 Zone Concept of the Securepoint Firewall
    1 Introduction
    The internet is a ubiquitous information and communication medium in our time. Often the computer or the network is permanently connected to the internet, because a lot of business is conducted online.
    It is mostly disregarded that the internet must be seen as a security risk. This is especially critical if confidential data are stored on the systems. The security of these data cannot be guaranteed. The information could be spied out or may be irrevocably lost by a computer virus.
    Software firewalls, which are installed on the computer, don't meet requirements, because the dangerous programs are already in the net.
    A system is demanded which is positioned between the internet and the local network, to guard the network against destructive programs and to control the communication with the internet.
    The Securepoint Unified Threat Management (UTM) offers a complete solution with comprehensive
100. ired e-mails
    Spam shows identified undesired e-mails.
    Trash shows deleted e-mails (deleted by the Spam Filter User).
    Statistics shows a diagram of ham and spam e-mails depending on the country of origin.
    Click on the tabs to change the view.
    With the filter you can sort the list by Sender, Recipient, Subject, Country, SMTP, POP3, Virus, Blocked. For some criteria a pattern is needed. Insert the pattern in the input field. Execute the filter by clicking on Filter. You can reset the selection by clicking on Reset.
    The display shows 10 entries per page. With the buttons back and next you can scroll through the pages. With the buttons first page and last page you can jump to the first or to the last page.
    You can choose an action (mark as ham/spam, delete, irrevocable delete) for all checked e-mails (activated checkbox in the first column). With the action Select all e-mails you can check or uncheck all e-mails shown on this page. The action will be executed when you click on Execute.
    5 Refresh: With the button Refresh the page will be reloaded.
    14.4.2 Columns of the Table
    First column: Activate the checkbox to mark the e-mail. Already marked e-mails will be unchecked if you click the checkbox again.
    Date: Date and time of the e-mail.
    E-mail type, SMTP or POP3.
    Shows a symbol if the e-mail contains a virus.
    In the tab Spam 
101. is shown which filter has detected the e-mails as spam mail: Bayes filter, Commtouch filter.
    Sender of the e-mail.
    To: Recipient of the e-mail.
    Subject: Subject of the e-mail.
    [fig. 210: columns in the tab Ham]
    14.4.3 Details of an E-mail
    The Spam Filter User can take a look at the content of an e-mail. The content and the attachments are only displayed if these options are activated in the spam filter settings. Otherwise only the e-mail header is shown.
    Note: Showing the content of an e-mail may violate data privacy. Notice the data protection act of your stat
102. ission Unit). Usually you can leave the default value (1500).
    If the interface should answer to pings, activate the checkbox Allow Ping.
    Select the speed of the interface from the dropdown field Speed.
    In the right section select the zone of the interface and the related zone(s) and activate the relevant checkboxes.
    Complete the configuration with Finish.
    After the interface is added you have to press the button Update Interface.
    [fig. 42: add eth interface, define settings]
    7.2.1.2 Add VLAN Interface
    VLAN means Virtual Local Area Network and is used to divide a physical network into several logical nets. Several networks can be used to structure the whole intranet. You can split the network by organization into units or groups, or by spatial properties like floor or buildings.
    Actually you need one interface for every network. VLAN interfaces of the appliance are virtual interfaces that are bound to one physical
103. 9.9 Service Status
    In this section all services of the firewall are listed. The current state of every service is shown. You can start, stop or restart the system.
    If you use a high availability environment you can define which services are critical. This means that if the service crashes, the system will change to the spare machine. This setting is called Cluster Protection.
    An active service shows a green On button. An inactive service shows a red Off button.
    Start a service by clicking the button On in the related row.
    Stop a service by clicking the button Off in the related row.
    Restart a service by clicking the button Restart in the related row.
    If you use a high availability environment, set the Cluster Protection to On for services which should always be available.
    Service Status dialog (columns Name, Status, Cluster Protection), services listed: SSH Server, Mail Relay, DNS Server, POP3 Proxy, HTTP Proxy, VOIP Proxy, VNC Repeater, DynDNS Client, NTP Server, IDS Server, L2TP Server, PPTP Server, SPUVA Server, Web Server, DHCP Server, IPSec Server, SSL VPN Server, IGMP Proxy, Virusscanner, CTASD Server, BAYESD Server
104. [fig. 107: content filter of the HTTP proxy, section whitelist, tab IP addresses]
    9.1.6.2.3 Websites
    In this section you can enter websites which will not be checked by the content filter. Only insert absolutely trustworthy websites. Some entries are factory-provided.
    Switch to the tab Websites.
    Enter addresses of websites which should be excluded from the content filtering. Click the button Add Website.
    To edit an entry click the wrench symbol beneath the related entry.
    To delete an entry click the trashcan symbol beneath the related entry.
    [fig. 108: content filter of the HTTP proxy, section whitelist, tab websites; entries shown: securepoint.de, securepoint.cc, securepoint.org, windowsupdate.microsoft.com, windowsupdate.com, update.microsoft.com]
    9.1.7 Bandwidth
    You can limit the bandwidth globally or per host.
    Enable the bandwidth limitation b
105. [fig. 117: add route for the mail relay]
    9.3.4 Greylisting
    Greylisting counters spam by rejecting e-mails with unknown combinations of sending mail server, address of the sender and address of the recipient. A spam mail server will not retry to deliver the mail. A normal mail server will. When the mail arrives the second time, the relay will accept it.
    Enable the greylisting by activating the checkbox Enable Greylisting.
    The mail relay stores the combination of server, sender and recipient automatically if the mail arrived a second time. Enter in the field Auto Whitelisting the number of days the combination should be stored.
    Define the time interval between the delivery attempts. Enter the number of minutes into the field Delaying.
    [fig. 118: greylisting settings]
    9.3.4.1 Whitelist IP address / Net
    In the whitelist you 
106. lity for ham and 99 shows a high probability for spam.
    Bias to define spam: Multiplier for words in the ham database. If there is much more spam than ham, the values should be set to 1.
    Click Reset values to set the values back to default values.
    If the checkbox E-mail body invisible for the spam administrator is activated, the spam administrator will only see the e-mail header in the spam filter interface. The content isn't visible for him. Consider the respective privacy regulations if you uncheck this option.
    Define how long the e-mails should be saved on the appliance. Enter the number of days in the field Keep e-mails not longer than x days.
    [fig. 126: settings for filter mechanism]
    9.4.2 Attachment Filter
    You can block attachments from incoming and outgoing e-mails. The filter can check all attachments or you can limit the checking to specific attachments. You can define attachments by extension or MIME (Multipurpose Internet Mail Extensions) type, which is given in the e-mail heade
107. ly the name and the object group affiliation but also if the object is used in a firewall rule. In this case the numbers and a summary of the rules are shown.
    [fig. 87: information of network objects]
    8.6.2 Add Host/Net
    To create a network object for a network or a computer use the following approach:
    Click Add Host/Net. The dialog Add Host/Net appears.
    Enter a name for the new object in the field Name.
    Under Type select whether you want to create an object for a network or for a computer.
    Host: Under IP Address enter the IP address of the computer. Under the dropdown field Zone select the zone which the computer is associated with.
    Network: Under IP Address enter the IP address of the network. Select from the dropdown field Netmask the compatible netmask. In the field Zone enter the zone of the network.
    Select which NAT IP should be used.
    Store your settings with Save.
    [figure: Add Host/Net dialog for a single host and for a network]
108. [fig. 216: tab general]
    14.4.7.3 Tab Virus
    On this tab a diagram shows the total number of virus-infected e-mails. The blue lines clarify the total amount of every bar on the y-axis. The legend on the right side shows the numbers of every section and the percentage.
    [fig. 217: tab virus]
    14.4.7.4 Tab Top Level Domain
    On this tab a diagram shows from which state the e-mails are received. The statistic is split into ham e-mails, spam e-mails and deleted e-mails.
    [fig. 218: tab top level domain]
    14.5 SPUVA Login
    The Securepoint User Verification Agent (SPUVA) gives users individual rights on computers in the DHCP environment. The user authenticates against SPUVA and gets an individual security policy for any workstation in the network. If the user changes his workplace, he will get the same security policy at the new workplace automatically.
    Log in to the user interface.
    Click on the button SPUVA Login. A new browser window appears in which a Java applet is starting.
    Confirm the security query for starting the applet.
    The Java applet can only be executed if the Java Runtime Environment is installed. If it isn't installed visit
109. me and Password.
    Click Finish to complete the configuration.
    After the interface is added, you have to press the button Update Interface.
    [fig. 45: add PPTP interface, set properties]
    7.2.1.4 Add PPPoE Interface
    A PPPoE interface is used for connecting to the internet by Point-to-Point Protocol over Ethernet. This protocol is commonly used in Germany.
    Click Add Interface. The Interface Wizard appears.
    Select the desired interface type, in this case PPPoE.
    Click Next. The configuration window of PPPoE Interface appears.
    Select in the field Interface the physical interface to which the PPPoE interface should be bound. This should be the external interface. It will be replaced by the ppp interface after completion.
    Select a provider from the dropdown field DSL Provider, which is used to connect to the internet. If you did not create a DSL provider yet, select the entry new to add a provider. Enter the required data into the fields Provider Name, Username and Password.
    Click Finish to complete the configuration.
    After the interface is added you have to press the button Update Interface.
110. me are numbered serially from 1 to n.
    eth0, eth1, eth2, eth3, eth4 ... ethn
    virtual network: eth0 0, eth0 1 ... eth0 n, ethn 0, ethn 1 ... ethn n (virtual address is bonded to real interface)
    ADSL and VDSL: ppp0, ppp1 ... pppn
    high availability environment: cluster0, cluster1, cluster2 ... clustern (virtual address is bonded to real interface)
    OpenVPN: tun0, tun1, tun2 ... tunn (virtual interface)
    The minimum of three interfaces are ethernet interfaces with the names eth0, eth1 and eth2.
    Furthermore one virtual interface un is predefined with the address 192.168.250.1.
    [fig. 41: select the interface type (Eth, VLAN, PPTP, PPPoE, VDSL, Cluster)]
    7.2.1.1 Add eth Interface
    Click Add Interface. The Interface Wizard appears.
    Select the desired interface type, in this case eth.
    Click Next. The configuration window of eth Interface appears.
    In the section General you have to set the properties of the interface. The name of the interface is set automatically and cannot be changed.
    Enter the IP address of the interface into the field IP. Select the subnet mask in the field Mask.
    If the DHCP server should assign an IP address to this interface, activate the checkbox DHCP Client.
    You can define the maximum packet size in the field MTU (Maximum Transm
111. member of the group Spam Filter User, you can restrict the permissions to several e-mail addresses or domains. You can add three entries. If you don't enter any restriction, the user can access all e-mails.
     A restriction to an e-mail address must be set with the whole e-mail address. For example: john.smith@example.org
     A restriction to a domain must be set with a leading "at" symbol. For example: @example.org
     - Switch to the tab Spam Filter.
     - Restrict the display of the spam filter interface to several e-mail addresses or domains. These settings are only relevant for users who are members of the group Spam Filter User.
     - Activate the checkbox Show blocked attachments in Spam Filter to disable the possibility to display blocked attachments.
     [fig. 170: restrict the display of the spam filter]
     11.1.5 Add User, Tab Extras
     On this tab you can adjust
112. message, you can search for an IP address.
     - Start the log with Start logging.
     - You can invert the filter. The filter will then show all entries which don't match the search pattern. To enable this option, activate the checkbox Inverse filter on the tab Settings.
     - By default the option Scroll automatically to the bottom is activated. New entries are appended to the list, so this option always shows the newest entries.
     13.3 Tab Settings
     Here you can invert the filter. The filter will then show all entries which don't match the given search pattern.
     Furthermore, you can define the number of entries. If the log has more entries than defined here, the oldest entries will be deleted.
     Changes on this tab can only be made if no logging is running.
     [fig. 202: tab settings]
     13.4 Details of a Log Message
     If automatic scrolling is disabled, you can navigate through the log with the arrow keys on the keyboard. If you press the "enter" key on a marked entry, a window with details of the log message is shown. The same window is shown if you double-click an entry with the mouse.
113. mmunication dns (Domain Name Service): client <-> nameserver
     Communication dyndns: client <-> dyndns provider
     Communication https: client <-> server or via https proxy
     Communication http: client <-> server or via http proxy
     Messages of the Intrusion Detection System
     Messages of the IPSec service
     Messages of the L2TP service
     Communication ntp (Network Time Protocol): ntp client <-> server
     Communication pop3 (Post Office Protocol 3): client <-> server or pop3 via POP3 proxy
     Messages of the pppd service
     Messages of the pptp service
     Communication smtp (mail dispatch)
     Communication ssh (Secure Shell Protocol)
     Messages by the virus scanner
     Communication VNC: client <-> server or via VNC proxy
     Communication VoIP: client <-> server or via VoIP proxy
     Interface messages
     Alerts and warnings of the firewall and the IDS system
     Drop: dropped data packets
     Accept: accepted data packets
     Reject: rejected data packets with the message Destination Unreachable
     Part 2: User Interface
     14 Login User Interface
     The user interface is usable for all users with the group membership User Interface in combination with Spam Filter Admin, SSL VPN, SPUVA User or the possibility to change the password.
     The users c
114. n Lan: remote turn-on of the registered computers (User Interface with WoL)
     Downloads: shows all downloadable applications and docu (User Interface)
     14.2 Change Password
     This section is only visible for users who are authorized to change their password.
     - Log in to the user interface.
     - Click the button Change Password. The dialog Change Password appears.
     - Enter your current password in the field Old Password.
     - Enter your new password into the field New Password and retype it in the field Confirm Password. The password must meet the conditions which are shown in the section Password Restriction.
     - Click Change Password.
     [fig. 206: change password]
     14.3 Download SSL VPN Client
     If the user is a member of the groups User Interface and SSL VPN and the administrator has made settings for the VPN client for this user, he is able to download the SSL VPN client in this section.
     - Log in to the User Interface.
     - Click on the button Download SSL VPN Client to start the download.
     - Select in the browser dialog the option Save File (or accordingly).
     The downloaded file is a packed ZIP archive including the
115. nce can be made to spare with the button Downgrade to spare. A machine with slave status becomes the master.
     [fig. 39: tab Cluster Settings]
     7.2 Network Configuration
     In this area the settings for the network have to be defined. This contains the IP addresses of the several interfaces, entries in the routing table, access data of the internet service provider, possibly data of a dynamic address service, and settings of the DHCP server.
     7.2.1 Interfaces
     The tab Interfaces shows a list of all available interfaces with the related IP address and zone.
     [fig. 40: list of available interfaces]
     The name of the interface depends on its usage. Interfaces with the same na
116. ncryption parameters and the generation of the keys. The complexity of the protocol complicates the configuration of an IPSec connection, especially if you use different end devices.
     The new version of the IKE protocol, IKEv2, reduces this complexity. It allows a faster connection establishment and a more stable connection. By now this version is supported by several programs. It is implemented in Microsoft Windows 7 too.
     In this dialog the IP addresses of the Domain Name servers and the Windows Internet Name Service servers are specified. These will be forwarded to the remote stations.
     [fig. 158: IKEv2 settings]
     10.3 IPSec
     This point displays an overview of all native IPSec and L2TP connections. Here you can adjust the settings of the connections and delete, load, initiate and stop the connections. Furthermore, the status of the connection is shown.
     10.3.1 Edit Connection
     An IPSec connection is divided into two phases.
     The first phase negotiates the encryption method and the authentication. The Internet Key Exchange (IKE) protocol defines in which way security parameters will be agreed and shared keys will be exchanged.
     The second phase creates new key material irrespectiv
117. ndow Users and click on the button Add. The dialog Add User appears.
     - In the tab General you have to adjust basic settings.
     - Under Login enter the name which the user uses for logging in.
     - Under Name enter the real name of the user.
     - Insert a password in the field Password and retype it in the field Confirm password.
     - Activate the designated group memberships by marking the according checkboxes. It is allowed to check more than one box.
     [fig. 167: general setting for a new user]
     Group              Value       Description
     Firewall Admin     000000001   Administrator of the firewall
     VPN PPTP           000000010   PPTP VPN connection user
     VPN L2TP           000000100   L2TP VPN connection user
     Spam Filter User   000001000   Administrator of the spam filter
     SPUVA User         000010000   User authenticates via User Verification Agent
     HTTP Proxy         000100000   HTTP proxy user
     User Interface     001000000   User of the firewall user interface
     SSL VPN            010000000   SSL VPN connection user
     SMTP Relay User    100000000   User of the SMTP mail relay
     11.1.2 Add User, Tab VPN
     If the new user is L2TP or
118. ng a selection rectangle in the lower diagram.
     You can reset the selection by clicking Reset Zoom.
     [fig. 24: enlarged section]
     5.14 Show Help
     In the title bar of the dialogs you can find a question mark symbol right beneath the close button. Press this symbol to open the help. The shown text comments on the settings which have to be set in the dialog. This function is context sensitive and only describes the relative dialog.
     [fig. 25: help symbol in the title bar]
     5.15 Administrator IP
     At the bottom of the web browser window the user name and the IP address of the logged-on administrator are shown.
     A click on the double arrow in the lower left corner hides or shows the bar.
     [fig. 26: name and IP address of the logged on user] [fig. 27: hides or shows the data]
     5.16 Refresh
     At the right side of the navigation bar you will find the button Refresh Cockpit. With this button you can reload the website.
     [fig. 28: reloads the cockpi
119. [fig. 34: tab Server Settings]
     7.1.2 Administration
     By default, administration access to the appliance is only allowed from the internal net. In this tab you can define which IP addresses and subnets the appliance can be administrated from.
     - To add an IP address or a net, click the button Add Host Net. The dialog Add Host IP appears.
     - Enter a host name or an IP address.
     - If you want to allow access for a subnet, you have to use the bitcount notation. For example: 192.168.176.0/24
     - Click Add.
     You can delete entries in the list by clicking the trash can icon beneath the entry.
     [fig. 35: tab Administration for external administration]
     7.1.3 Syslog
     In the portfilter of the appliance the administrator can define whether the
120. o be used as DHCP relay. In this case a central DHCP server distributes the DHCP information in the network. The appliance receives the broadcast queries and forwards them to the central DHCP server. The answers of the server will be returned to the clients by the DHCP relay. In this way the clients receive IP addresses and network information dynamically although the DHCP server stands in another subnet.
     - In the section Interface define the interfaces from which net the DHCP queries should be received and to which they should be forwarded. Select the interface from the dropdown box and click on Add Interface.
     - Define the IP address of the central DHCP server in the list IP Addresses. Type the IP address into the field and click Add IP Address.
     - Afterward click Save and Update Interfaces.
     Note: For this traffic no rules must be defined.
     [fig. 59: settings for DHCP Relay]
     7.3 Zones
     This dialog lists all arranged zones of the appliance and the allocated interfaces. The zones serve to confine or connect interfaces and associated nets.
     The important zones are already preset at the factory.
     Every zone is available only once and can be allocated to ju
121. o delete it. Confirm the security query with Yes.
     - Click the wrench symbol beneath the service to edit it.
     - Make modifications in the appearing dialog.
     - Click Save.
     [fig. 78: list of available services]
     8.4.2 Services Information
     The function Infobox shows information about a service if the mouse cursor rolls over it. You can enable this function by unchecking the checkbox Disable Infobox.
     The infobox shows not only the name and the service group affiliation of the service but also whether the service is used in a firewall rule. In this case the rule number and a summary of the rule are shown.
     [fig. 79: infobox for services]
     8.4.3 Add service
     - Click Add new Service. The dialog New Service appears.
     - In the field Designation enter a name for the new service.
     - In the field Protocol select a protoc
122. [fig. 19: users which are logged on the administration or user interface]
     5.12 DHCP Lease
     The DHCP (Dynamic Host Configuration Protocol) server assigns dynamic IP addresses to the users of the internal network, if this service is activated. This IP address is reserved for the user for a defined time. In this section the reserved addresses are listed with the user name and the MAC address of the computer. The last column shows the status. A grey dot means that the user is offline. A green dot means that the user is currently logged on.
     The table always contains ten rows. If more DHCP addresses are stored, you can page through them with the arrow button at the bottom.
     [fig. 20: stored DHCP addresses]
     5.13 Interface Traffic
     The display Internet Traffic shows the data traffic of the interfaces graphically. The incoming traffic is shown as a green and the outgoing traffic as a blue graph. The repres
123. 9.3.4.3 Whitelist E-mail Recipients
     Exclude e-mails to defined recipients from the greylisting.
     - Enter the e-mail address of a recipient into the field at the bottom of the window.
     - Click Add E-mail Recipient. E-mails which are delivered to this recipient will be excluded from the greylisting.
     [fig. 121: exclude e-mail recipients from the greylisting]
     9.3.4.4 Whitelist E-mail Sender
     Exclude e-mails from defined senders from the greylisting.
     - Enter the e-mail address of a sender into the field at the bottom of the window.
     - Click Add E-mail Sender. E-mails which are delivered from this sender will be excluded from the greylisting.
     [fig. 122: exclude e-mail sender from the greylisting]
     9.3.5 Domain Mapping
     This function replaces the domains of e-mail addresses, so the internal mail server only has to be configured for one domain.
     For example: bob@myhost.com becomes bob@myhost.de.
124. ol from the list which is used by the service.
     - If you choose the icmp protocol, you have to select an ICMP Control Message too.
     - If the service uses a specified port, insert this port in the field Destination Port.
     - If the service uses a port range, select Port Range at the field Type. Insert the start and end port of the range into the fields Port Range Start and Port Range End.
     - Store the new service with Save.
     [fig. 80: add service, single port] [fig. 81: add service, port range]
     8.5 Service Groups
     In the section service groups you can combine several services into a group, delete services from existing groups or add services to existing groups. These groups can be used in the portfilter for rule creation.
     If the mouse cursor rolls over a service, an infobox can be displayed which shows the properties of the service. You can enable this feature by unchecking the checkbox Disable Infobox.
     [fig. 82: infobox shows properties of a service]
     You al
125. on is available.
     - First click the button Check for Updates. The firewall checks the server for new versions.
     - If the firewall answers that a new version is available, click Update.
     [fig. 188: update firewall software]
     12.2.2 Update Virus Pattern Database
     The virus scanner can be adapted immediately. If no newer version is available, the update will not be executed. If a new database is installed, the scanner will be restarted.
     The virus scanner checks every hour for updates automatically.
     - Click Update.
     [fig. 189: update virus pattern database]
     12.3 Changelog
     The function Changelog offers the possibility to show the changes from one version of the firewall software to the previous version.
     The published versions are listed in the dropdown box.
     - Go to the point Extras in the navigation bar and click the entry Changelog in the dropdown menu. The dialog Changelog appears, which shows the changes from the previous version to the current version.
     - To show changes of former versions, select the desired version from the dropdown box and click Show.
     Note: Only changes from one version to the next version are shown.
126. operties
     The integrated Securepoint anti-spam solution filters unrequested e-mails (spam). To do so, it uses a combination of different methods to detect as many undesired e-mails as possible. The Securepoint spam filter analyzes every e-mail on the basis of different criteria and classifies it as spam depending on the weighting. Assessment criteria are, for example, an obviously invalid sender address, known spam text passages, HTML content, future-dated sender data and so on.
     9.4.1 General
     Decide which spam filter mechanism you want to use.
     The automatic filter uses a spam filter module of the company Commtouch. The company maintains a consistently updated spam database. The incoming e-mails are checked against this database.
     The Bayes filter checks on the basis of classified, evaluated words whether an e-mail is spam or ham (desired mail). For the filter to work properly, it must be trained by the spam administrator. The administrator has to re-sort the misclassified mail into spam and ham. Thereby the filter learns which words are typical for a spam e-mail.
     - If you want to use the Commtouch module, activate the checkbox Automatically Spam filtering.
     - Activate the checkbox Bayes Filter to use this filter mechanism.
     - Set values for the following settings:
       o Threshold value for spam mail: The calculated value lies in the range between 1 and 99. 1 shows a high probabi
127. ork of a central office with the local network of a branch.
     A roadwarrior connection binds one or more computers to the local network. For example: a field employee connects with a laptop to the network of the central office.
     10.1.1 Site to Site
     - Click in the VPN dropdown menu on the entry IPSec Wizard. The dialog IPSec Wizard > Create an IPSec connection appears.
     - Select the VPN type Site to Site Connection > Connects your local network with a remote network.
     - Click Next.
     [fig. 142: select kind of connection]
     - Enter a name for the VPN connection in the field Connection name.
     - Enter the IP address or hostname of the remote network in the field Gateway.
     - If you want to use a DynDNS service, activate the checkbox Hostname resolved by DynDNS.
     - Click Next.
     [fig. 143: define name and gateway]
     You can decide between two au
128. [fig. 16: available downloads in the user interface]
     5.9 Spuva User
     This table lists the users, with their IP addresses, who have signed in via SPUVA (Securepoint User Verification Agent).
     SPUVA gives users individual rights on computers in the DHCP environment. The user authenticates against SPUVA and gets an individual Security Policy for any workstation in the network. If the user changes his workplace, he will get the same Security Policy at the new workplace automatically.
     [fig. 17: user barney is connected via SPUVA]
     5.10 SSH User
     This section shows which users have connected to the appliance via SSH (Secure Shell), for example with the program PuTTY. The login name and IP address of the user are shown. The time of the login is also listed.
     [fig. 18: users which are logged on via SSH]
     5.11 Web Interface User
     Shows a list of users who are logged on to the web interface. The login name and the IP address of the user are shown. The time of the login is also listed.
     The table lists users at the administration interface and the user interface.
129. [fig. 65: overview of all created rules]
     Note: You can also define IP Table rules in the category Advanced Settings (see chapter 12.6.5). On the tab Templates use the Application securepoint firewall and the Template etc post rules sh
     A rule always has the following structure:
     - Who (where from, which source) uses which service to access a defined destination.
     - Then you have to decide if the activity is allowed (Accept), denied (Drop) or refused (Reject). With the action Drop the data packet will be discarded. The action Reject will transmit the error message "Destination unreachable" to the sender.
     - You can log the traffic when it is matched by a rule. You can decide between three settings:
       o None > No logging.
       o Short > The first three packets of a new connection will be logged. After a minute the next three packets will be logged.
       o Long > All packets will be logged.
     - The rule can be limited in time (days and time).
     - A short description can be set.
     With the wrench symbol beneath the rule you can call a dialog for editing the rule.
     With the trashcan symbol beneath the rule you can delete the rule.
     Rules can be rearranged by "Drag and Drop". The order of the rules in the portfilter can be important because the rules are processed in sequence. Once a packet has been dropped, it cannot be accepted by a later rule.
     Notice: To acti
130. ose the group.
     8.2 Hide NAT
     Private IP addresses are not routed in the internet. Therefore outgoing packets must get the external IP of the firewall. The function Hide NAT realizes this.
     The Source is the network or the computer whose IP will be replaced by the Hide NAT.
     Behind IP / Interface describes which IP address the packets get instead of their own one. You can define an IP address or an interface. If you use a dynamic IP, insert the DSL interface.
     The Destination must be set to declare in which case the Hide NAT is to be used.
     Network objects are used for source and destination. To create Hide NAT rules, you may have to create network objects first.
     The option Include means that the Hide NAT will be used. The Exclude option means that the Hide NAT will not be used, so packets will be sent with their original IP address, for example in tunnel connections (IPSec site to site).
     [fig. 73: list of Hide NAT rules]
     - Click on Add to define a new Hide NAT rule. The dialog Add HideNat appears.
     - Und
131. pdown field belongs to the ending time.
     [fig. 69: add new rule, tab time]
     8.1.1.3 Tab Description
     On the tab Description you can enter an explanation for the rule.
     - Click on the tab Description.
     - Click into the text field and enter a description.
     - Click Save to store the rule.
     [fig. 70: add new rule, tab description]
     8.1.2 Create Rule Group
     You can combine several rules into one group. If you unite several rules of one scope into one group, you can arrange the portfilter clearly.
     - Click on the button Append Group in the dialog Portfilter. The dialog Append Group appears.
     - Enter a name for the new group in the field Groupname.
     - Click on Add. The new group will be added to the Portfilter at the bottom position.
     - You can move the rule into the group via Drag & Drop.
     [fig. 71: add rule group]
     8.1.3 Organize Rules and Groups
     The order of rules in the portfilter can have a big effect on the performance of the appliance because the rules are executed sequentially.
     If a packet passes through all rules of th
132. pplying the changes click the button Update Applications.
     [fig. 199: show variables and their values]
     12.6.7 Webserver
     On this tab you can change the port of the webserver for the user interface. By default the port of the webserver for SSL encrypted connections is 443.
     - Enter the desired port into the field or use the arrow buttons to select the desired port.
     - Store your changes with Save.
     - For applying the changes click the button Update Applications.
     [fig. 200: change the port of the webserver]
     12.7 Refresh All
     This function reloads all data of the appliance and rebuilds the cockpit. This way you can update data in the cockpit which was changed via the CLI and not in the administration interface.
     12.8 Refresh Cockpit
     This function reloads all data of the
133. r

- Either Block all Attachments. You can exclude attachments via the Whitelist.
- Or Block specific Attachments. You have to define the attachments to be checked in the Blacklist.

This filter doesn't block the e-mails. It just removes the attachments. If an attachment is removed, a message is inserted into the mail. You can edit this message in the field Edit Message.

(fig. 127: delete attachments from the e-mails)

You can write MIME types on your own, for example audio/mp3, or you can use predefined types.

- Switch to the tab MIME Types in the Whitelist or Blacklist section.
- Click the button Predefined. The dialog Add MIME Type appears.
- Select a type by activating a radio button.
- Choose a subtype from the related dropdown list.
- Click Add. The MIME type will be added to the Whitelist or Blacklist.
134. r Destination Network enter the remote network.

- Enter the corresponding net mask at Destination Mask.
- Activate the checkbox Automatically create firewall rules to create the firewall rules for the connection automatically.
- Click Finish to exit the assistant.

(fig. 146: enter interlinked subnets)

10.1.2 Site to End (Roadwarrior)

- Click in the VPN dropdown menu on the entry IPSec Wizard. The dialog IPSec Wizard > Create an IPSec connection appears.
- Select the VPN type Roadwarrior (one or several computers can connect to the local network).
- Click Next.

(fig. 147: select kind of connection)

- Enter a name for the VPN connection in the field Connection name.
- Click Next.
135. r Exceptions enter subnets and IP addresses which should be excepted from the proxy redirect. Source and destination addresses must be specified for these exceptions.

Select an authentication mode:

- None: no authentication
- Local: authentication against the local user database
- Radius: authentication against a Radius server
- Active Directory: authentication at the AD of the network
- NTLM: authentication against the NT LAN manager

Click the button Settings to define if all users or just a defined group are allowed to authenticate.

If you want to limit uploads and downloads, activate the checkbox Enable Size Limit. If you don't want to limit the upload or the download, activate the related radio button unlimited.

The option Anonymize Logging logs without user name and IP address.
136. (fig. 46: add PPPoE interface, set properties)

7.2.1.5 Add VDSL Interface

VDSL stands for Very High Speed Digital Subscriber Line and is an internet connection with great transfer rates.

- Click Add Interface. The Interface Wizard appears.
- Select the desired interface type, in this case VDSL.
- Click Next. The configuration window of VDSL Interface appears.
- Select in the field ETH Interface the physical interface to which the VDSL interface should be bound. This should be the external interface.
- Select a VLAN ID for the interface. At completion an eth interface will be created with the selected ID, for example eth0.7.
- In the field VDSL Interface a name is predetermined.
- Select a provider from the dropdown field DSL Provider, which is used to connect to the internet. If you did not create a DSL provider yet, select the entry new to add a provider. Enter the required data into the fields Provider Name, Username and Password.
- Click Finish to complete the configuration. After the interface is added you have to press the button Update Interface.
137. ress, subnet mask, zone and NAT IP.

(fig. 96: object information)

8.7.2 Network Group Information

You can also retrieve information about network groups.

- Select a network group from the dropdown box.
- Click on the information symbol behind the dropdown box. The infobox appears.

The infobox shows the name of the network group and whether the group is used in a firewall rule. In this case the numbers and a summary of the firewall rules are shown.

(fig. 97: infobox for a network group)

9 Menu Applications

In this menu item you will find the settings of the proxies for HTTP, POP3 and VoIP and also the settings of the remote control service VNC Repeater, the Mail Relay and the Spam Filter. Furthermore you can switch the status of the services.

(fig. 98: dropdown menu applications)

HTTP Proxy: General settings of the proxy. Furthermore virus scanning, filtering of internet addresses and website content.
POP3 Proxy: Spam filtering and virus sc
138. (fig. 67: create new rule, tab general)

8.1.1.1 Infobox Function

When the mouse cursor rolls over an entry in the list, an infobox appears which shows details of the entry. It shows which objects or services are elements of the related group. You can enable this function by deactivating the checkbox Disable Infobox.

(fig. 68: group elements with IP address and zone affiliation)

8.1.1.2 Tab Time

On the tab Time you can limit the validity period of a rule. If you do not set any limit, the rule is valid all the time.

- Click on the tab Time.
- Select a beginning time and an ending time for every day on which the rule should be limited.

The top dropdown field belongs to the beginning time and the bottom dro
139. route. The dialog Add Route appears.

- Select in the field Type if the route applies to all networks and computers or just to several ones. For all, select without Source. Otherwise select with Source and enter the IP address and the subnet mask of the concerned network or host in the fields Source Network and Source Mask.
- Enter the Gateway which should be used for reaching the destination network or destination host.
- In the fields Destination Network and Destination Mask enter the IP address and the subnet mask of the destination.
- You can assign a weighting for the route in the field Weighting.

(fig. 52: general route)
(fig. 53: route for defined sources)

7.2.3 DSL Provider

When connecting to the internet using a DSL dialup mode, you have to enter the provider and your account data, so the appliance can connect to the internet by itself.
140. rver will assign IP addresses to the clients from this range. The range must be a part of the local subnet. Consider that the first address (XXX.XXX.XXX.1) is mostly assigned to the default gateway. Hence it cannot be part of the DHCP address pool. Furthermore, reserve a couple of IP addresses for computers and servers which need static IP addresses to warrant the correct working of several services.

- Enter the lower limit of the range into the field DHCP Pool start and the upper limit into the field DHCP Pool end.
- Enter the standard gateway into the field Default Gateway. This is the IP address of the internal interface.
- Type the IP addresses of the DNS servers into the fields Nameserver 1 and Nameserver 2.
- Type the IP addresses of the WINS servers into the fields WINS Server 1 and WINS Server 2, if you use them.
- Store your settings with Save.

(fig. 58: settings for DHCP server)

7.2.6 DHCP Relay

The appliance can als
141. sending e-mail.

DNS Server: Domain Name System Server. Hostname to IP address resolution.
POP3 Proxy: Post Office Protocol Version 3 Proxy. Establishes a connection to a POP3 server and tests the received e-mails for viruses and spam.
HTTP Proxy: Hypertext Transfer Protocol Proxy. The proxy interconnects the client of the internal network with the server in the internet. It can block HTTP requests by means of content and it can test websites for viruses.
VoIP Proxy: Voice over IP Proxy.
VNC Repeater: Virtual Network Computing.
DynDNS Client: Dynamic Domain Name Services Client. The client updates the current IP of the firewall by a DynDNS service.
NTP Server: Network Time Protocol Server. Synchronizes all system clocks in the network.
IDS Server: Intrusion Detection System Server. Protects the network against known intrusions.
L2TP Server: Layer 2 Tunneling Protocol Server. Offers VPN connections to the firewall by using the network protocol L2TP.
PPTP Server: Point To Point Tunneling Protocol Server. Offers VPN connections to the firewall by using the network protocol PPTP.
SPUVA Server: Wortmann Security User Verification Agent Server. Central user authentication.
Web Server
DHCP Server: Dynamic Host Configuration Protocol Server. Allocates network configurations to the computers in the network, for example the IP address.
Internet Protocol Security Ser
142. ses against Mailserver with

- You can use the addresses of the LDAP directory, or the SMTP server checks the existence of the addresses. Furthermore you can upload a file with e-mail addresses. The validation can be made against this file with the option Validate E-mail addresses against Mailserver with local file. The file contains one e-mail address per row. You can edit the file from here with the button Edit e-mail addresses. You can also download it with the button Download file.

(fig. 116: routing settings for the mail relay)

- To assign e-mails of a domain to a defined mail server, click the button Add SMTP Routing. The dialog Add SMTP Routing appears.
- Enter a domain into the field Domain.
- Enter a host name or an IP address of the mail server into the field Mailserver.
- Click Add.
143. so can retrieve information of service groups.

- Select a service group from the dropdown box.
- Click on the information symbol beneath the dropdown box. An infobox appears.

The infobox shows the name of the service group and whether the group is used in a firewall rule. In this case the number and a summary of the rule are shown.

(fig. 83: infobox for a service group)

8.5.1 Edit Existing Service Groups

- Select a group from the dropdown box in the section Service Groups. The services which are elements of the selected group are shown in the right table.
- You can add services by highlighting services in the left table. It could be helpful to disable the infobox.
- Click on the rightwards arrow button between the tables. The service will be moved from the left table into the right table.
- Highlight a service you want to delete in the right table.
- Click on the leftwards arrow button between the tables. The highlighted service will move from the right table to the left table.
- You can delete the whole group by a click on the trashcan symbol beneath the dropdown box. Confirm the security query with Yes.
- Click on the button Update Rule to apply the service group changes to the rules of the portfilter.
144. ss in this section, it will also change in the section network configuration.

- Enter the port of the SSL VPN in the field SSL VPN Port. The default port 1194 is already set.
- The SSL VPN uses the protocol udp. You can change the protocol to tcp. This is not recommended because a big overhead is produced.
- Select a server certificate from the dropdown box SSL VPN Certificate. This certificate has to be created with the option Server Authentication. This authenticates the appliance as an SSL VPN server.
- Store your settings with Save.

(fig. 163: adjust IP address, address pool and server certificate)

11 Menu Authentication

The user and certificate administration is located in the section Authentication. Furthermore you can adjust the settings of external authentication methods here.

(fig. 164: dropdown menu authentication)

Users: User administration for creating new users and editing existing users. Furthermore assigning group membership, password, etc.
External Authentication: Settings for external authentication via Radius or LDAP server.
Certificates: Certificate administration for creating new certificates. Also export and
145. st one interface. If you want to use interfaces in the same zone, you have to add a new zone.

- Type a name for the new zone in the field Name in the section Add Zone.
- Select an interface which should be allocated to the zone from the dropdown field Interface.
- Click Add Zone to save the settings.
- If you want to change allocated interfaces, use the tab Interfaces in the menu Network > Network Configuration.

(fig. 60: dialog for adding and deleting zones)

- To delete a zone, click on the trashcan symbol in the column of the related zone.
- Confirm the security query with Yes. The zone will be deleted.

7.4 Network Tools

The point Network Tools opens a dialog which offers three useful functions. These functions are often used in network engineering. Therefore they are implemented in the appliance.

- Detects IP addresses of a host.
- Detects if a computer is reachable in the network.
- routing table: Shows the routing entries of the appliance.

7.4.1 Lookup

The name of this function is derived from the command "nslookup". The function queries the nameserver for the IP address that belongs to a defined host name. This is c
146. t

6 Menu Configuration

All settings of the appliance are stored in a configuration file. Commands which are related to the configuration and basic system commands are located in the menu item configuration.

(fig. 29: dropdown menu of the menu item configuration)

Configuration management: The configuration management shows a list of all saved configuration files. Here you can export, print or delete the configuration. Furthermore you can load and import configurations, set a start configuration or save current settings in a new file.

6.1 Configuration Management

All settings of the firewall are stored in a configuration file. The menu item Configuration management of the menu configuration shows a list of all saved configurations.

- Choose the menu configuration in the navigation bar and select the point Configuration management from the dropdown menu. The dialog Configurations appears.

(fig. 30: list of available configurations)

The start configuration is labeled with an asterisk ahead of the configuration name. This configuration is loaded when the appliance
147. 7.2.4 DynDNS

If you don't have a static IP address, but a dynamic one which changes at every dial-in to the internet, you can use a DynDNS service to always be reachable with the same hostname. This is only required if you offer a service which should be reachable from the internet (for example web server, VPN connection) or if you want to administrate the firewall from the external net.

If you use the DynDNS services, the client transmits its current IP address to the DynDNS service provider at every dial-in. The current IP address is stored by the provider. The provider links your static hostname with your current IP address. In this way it is assured that your host is always available by the host name. The appliance transfers the current IP address to the DynDNS provider.

You can create six interfaces. These will be listed in the tab DynDNS.

(fig. 56: list of the external DNS update service for dynamical IP addresses)

7.2.4.1 Create or Edit a DynDNS Entry

- To create a new entry or to edit an existing entry, click on the wrench symbol. The dialog Change DynDNS appears.
- Enter your domain name into the field Hostname.
- Type your access data of your services provider into the fields Login
148. (fig. 173: access data for the Radius server)

11.2.2 LDAP Server

To use an LDAP server, follow the approach below.

- Open the dialog External Authentication.
- On the tab LDAP insert the data of the LDAP server.
- Insert the host name or the IP address of the server in the field IP address or host name.
- Enter the server domain into the field Server Domain.
- Under User name insert your user name of the server.
- Under User password insert your password and retype it in the field Confirm user password.
- Store your settings with Save.

(fig. 174: access data for the LDAP server)

If you use the LDAP authentication in combination with the services HTTP proxy or L2TP, you have to create new groups in the Active Directory (AD), and users which may access the local net have to be members of these new groups.

HTTP Proxy > group in AD SecurepointHttp
L2TP > group in AD SecurepointL2tp

11.2.3 Kerberos

The Kerberos authentication service authorizes the access of the HTTP proxy. It not only authenticates the cli
149. te and click on the following icon. The dialog OpenVPN Client appears. It asks for settings to configure the OpenVPN configuration.

- Select a DynDNS Entry from the dropdown box. Or enter an IP address into the field Alternative.
- The option Redirect default gateway to remote site reroutes the whole internet traffic of the VPN user over the appliance.
- Click Save to start the download.

(fig. 181: settings for the OpenVPN client)

11.3.6 Delete CA and Certificate

You cannot delete the CA or certificates directly. You can only revoke them so they aren't valid anymore. Revoked certificates are stored as invalid, so nobody can use them for authentication anymore.

- Switch to the corresponding tab (CA or Certs).
- Click on the Trash Can symbol at the end of the row.
- Answer the security query with Yes. The CA or the certificate will get the status Revoked. The invalid files will be listed on the tab Revoked.

(fig. 182: revoked certificate in the tab Revoked)

11.3.7 Tab CRLs

On the tab CRLs th
150. ted or deleted.

- For editing click the wrench symbol. The dialog Edit Route appears.
- Change the settings and save the new properties with Save.
- For deleting click the trashcan symbol.
- Click Yes at the confirmation prompt. The entry will be deleted.

7.2.2.2 Add Default Route

- Click Add default route. The dialog Add Default Route appears.
- Enter as Gateway the IP address of the internal interface.
- The fields Destination Network and Destination Mask are predefined.
- The value Weighting defines the priority of the route. This setting is relevant if you use two or more internet connections (Multipath Routing). If the first route has the weighting 1 and the second one the weighting 2, the second route will be used twice as much as the first one. The weightings 5 and 10 have the same effect.

(fig. 51: add default route)

7.2.2.3 Add Route

Routes offer the possibility to find networks which are not directly connected to the appliance. To send a packet to a network which is connected to the appliance via a gateway (for example a router), the system must be informed about this. Otherwise the packets will be routed to the default gateway, where they cannot be transmitted to the desired network.

Switch to the tab Routing and click Add
151. thentication methods. Either use the preshared key (PSK) method or use the authentication via certificate. The PSK is a password which is known by both connection partners.

Preshared Key Method

- Select the radio button Preshared Key.
- Enter the preshared key (PSK).
- Decide which IKE (Internet Key Exchange) version you want to use and select the related radio button.
- Click Next.

(fig. 144: authentication via PSK and IKEv1)

Certificate Method

- Mark the radio button x.509 Certificate and select a server certificate from the dropdown box.
- Decide which IKE (Internet Key Exchange) version you want to use and select the related radio button.
- Click Next.

(fig. 145: authentication via certificate and IKEv2)

Now enter the networks which should be interlinked by the VPN connection.

- Under Local Network enter your local network.
- Select the corresponding net mask at Local Mask.
- Unde
152. tions.

- Click in the VPN dropdown menu L2TP. The dialog VPN L2TP appears.
- In the tab General you have to adjust basic settings.
- Enter the IP which should be used by the L2TP interface in the field Local L2TP IP. An explicit L2TP interface doesn't exist. The entered IP address will be bound as a virtual address to the external interface.
- Under L2TP Address Pool adjust an L2TP address pool. This must be set in the same subnet as the L2TP IP address. The left field contains the start address and the right field the end address of the address pool.
- For the Maximum Transmission Unit (MTU) the default value 1300 should be retained.
- Under Authentication select the authentication mode. You can select from local authentication against the database of the appliance, authentication via a Radius server or via an Active Directory.
- Store your settings with Save.

(fig. 159: adjust IP address, address pool and authentication method)

In the tab NS WINS enter the IP addresses of the name server and of the WINS server (Windows Internet Name Service), if you use one. This will be forwarded to the L2TP network.

- Switch to the tab NS WINS.
- Enter the IP address of the
153. u can create a CA yourself to sign the certificates you have generated. The signed certificates will be distributed to the users which connect to the local net via VPN. The signature assures that the certificates are created by the firewall and not by anybody else.

For a complete authentication, not only the remote station needs a certificate but also the firewall itself. You have to create one certificate for the firewall and one certificate for each external user.

You can import external certificates given in PEM format. You may also export local certificates in PEM format or as PKCS #12.

The tab CA shows all existing Certification Authorities.
The tab Certs shows all available certificates.
The tab Revoked shows all invalid CAs and certificates.

(fig. 176: list of available CAs)

11.3.1 Create CA

At first you have to create a CA to sign created certificates.

- Click in the tab CA onto Add. The dialog Add Certificate appears.
- The fields Valid from and Valid until define the duration of validity of the CA. You can enter the date directly into the first field. Or click into the field and a calendar appears where you can select the date. The following three fields are reserved for the time (hour, minutes, and seconds).

When the validation o
154. ugh LAN 1 and is designated for the external network (internet). LAN 2 represents the second interface eth1 and is designated for the internal network. The port LAN 3 uses the interface eth2 and is destined for a demilitarized zone (DMZ). It can also be used for a second internal network or a second external connection.

(fig. 2: rear view of the Piranja respectively of the RC 100)

3.2 RC 200

The RC 200 has 4 LAN ports. The assignments of the first three ports are identical to the ones described previously. The port LAN 4 is bound to the interface eth3 and is freely available. You could connect another internal net, another DMZ or a second internet connection to this port.

(fig. 3: rear view of the Piranja respectively of the RC 100)

3.3 RC 300

The RC 300 has 6 LAN ports. Contrary to smaller dimensioned appliances, the ports are numbered serially from right to left. The ports at the machine are not labeled. Take the assignment from the figure.

(fig. 4: front view of the RC 300, schematic)

3.4 RC 400

This appliance has 8 LAN ports. The sockets are arranged in two blocks of 4 connectors. The ports are numbered top down and from left to right. LAN 1 and
155. vate new rules you have to click the button Update Rule in the Portfilter dialog. If you changed the order of the rules you have to update the rules also. You can modify the view of the portfilter by using the filter function. This way you can find a desired rule fast. Click on Set Filter in the portfilter overview to open the dialog Set Filter. Activate the filter by selecting the entry On from the dropdown field Enable Filter. You can filter the entries of the portfilter by several criteria. The criteria are: Groups: Source Network Groups (shows all entries which have the given group as source); Destination Network Groups (shows all entries which have the given group as destination); Service Groups (shows all entries which use the given group as service). Objects and Services: Source Network Objects (shows all entries which have the given object as source); Destination Network Objects (shows all entries which have the given object as destination); Services (shows all entries which use the given service). Activate the desired filter criterion and select a filter word from the related dropdown box. Click Close. The set filter will be used for the firewall rules. (figure: Set Filter dialog)
156. ver: Offers VPN connections to the firewall by using the IPSec protocol. IPSec Server. Layer 2 Tunneling Protocol Server: Offers VPN connections to the firewall by using the network. SSL VPN Server: Secure Socket Layer Virtual Private Network Server. Offers SSL secured VPN connections to the firewall. IGMP Proxy: Internet Group Management Protocol. Offers the spreading of packets to multiple recipients. CTASD Server: Commtouch Anti Spam Daemon. Service for spam identification from the company Commtouch. Kerberos: The Kerberos authentication service authorizes the access of the HTTP proxy. Mailfilter: Scans e-mails for spam and undesired attachments. SNMP Server: Simple Network Monitoring Protocol. Reads the values of interface traffic, processor, and memory utilization. Routing Server: Supports several routing protocols. (fig. 11: service status, part 1; fig. 12: service status, part 2) 5.5 Appliance. Displays the view of the appliance. The connected
157. work and the packet is sent from a wrong zone (for example, external), the packet will be dropped automatically on the basis of the zone concept. The administrator doesn't have to create anti-spoofing rules. (fig. 222: zone concept of the Securepoint firewall) The zone concept is designed in two parts: the firewall zones and the group zones. The firewall zones contain the zones firewall internal, firewall external and firewall dmz. These zones are provided for the interfaces of the appliance. A group zone is assigned to one firewall zone. For example, the group zone internal is assigned to the firewall zone firewall internal with the internal interface. In the group zones, computers and networks are positioned which are connected with the firewall by the related interface. The VPN zones are provided for VPN computers and networks. These are assigned to the external interface too, but they are different from the devices of the zone external because they connect to the appliance through a secure tunnel. Zones can only be assigned once. If you want to use two interfaces for the internal net, you have to create a new zone for the second internal net.
158. x Mailfilter: Fixing Email Database update routine. Bugfix SSL VPN: Fixing OpenVPN tun0 problem after CLI command update interface. Bugfix Kernel: IP forwarding fix. Bugfix Spamfilter: Restart CTASD when defaultroute updates. Feature Server: Decreasing CLI to Server response time. Feature Server: Add config convert CLI command (convert database to UTF-8). Feature Server: CLI command show systemstats replaced memFree with memAvail. (fig. 190: changes from one version to the next) 12.4 Registration. Here you can upload your license file. If you don't have a license yet, you can follow the hyperlink in the dialog to access the Securepoint website and register your appliance. Upload the license file like this: Click Browse and select the license file from your file system. Click Upload to upload the file. Text of the Registration dialog: If you don't have any Registration File, you can register your Securepoint Firewall through the following link: https://www.securepoint.de/registration. Only a registered Firewall updates the Virusscan Pattern Files automatically and allows you to update the Firewall itself to a newer Version. Please register your Securepoint
159. y activating the checkbox Enable Bandwidth Control. Select a global limitation or a limitation per host. Activate the related radio button. Enter a global limit in kilobit per second in the field Global Bandwidth. Enter a host limit in kilobit per second in the field Bandwidth per Host. The host gets only this bandwidth even if the global bandwidth is not reached yet. (fig. 109: limit the bandwidth in the HTTP proxy) 9.2 POP3 Proxy. The POP3 proxy acts as a POP3 server to the mail client and retrieves the e-mails from a mailserver in the internet. The e-mails are checked for viruses and spam and are sent to the mail client. Select at Virusscanning the value On to activate the virus scanning. Select at Spamfilter the value On to activate the spam filter. Choose the net in which the Transparent Proxy should be activated. Store your settings with Save. fig. 110 set propert
    