Innominate Security Configuration Manager Working with

Contents

1. [Figure 32: VPN and Stealth mode (screenshot of the Solsoft Security Designer workspace with the example project). Margin headings: VPNs and Stealth mode with management IP; Firewall rules within the tunnel mode VPN.] The client protected by the device in Stealth mode will be addressed with the virtual IP address. The mGuard will automatically translate this virtual IP address to the real IP address of the client, i.e. there is no need to configure the client. When configuring tunnels for devices that use Stealth mode with management interface, one thing has to be kept in mind: contrary to the configuration without management interface (see Chapter 6.1), the interface with Security Zone "Untrusted Stealth" must have an IP address for VPN configurations that corresponds to the IP address of the client. This will result in a warning by the Solsoft server that the addre
2. [Figure 14: Creating multiple permissions using metaclasses.] The mGuard supports connection tracking for certain protocols/services; please refer to Chapter 6 for more information on this feature. Stealth mode: for a detailed description of the Stealth mode and the Stealth options see Chapter 6.1. In Stealth mode without management IP the permissions are drawn directly to/from the mGuard; see the device "mGuardStealth" in the following figure. [Figure 15: Firewall rules and Stealth mode (screenshot of the Solsoft Security Designer workspace with the example project).] All permissions except for the administrative permissions (SSH, HTTPS, SNMP) are automatically recognized as permissions to/from the client. Administrative permissions (SSH, HTTPS, SNMP) from the rem
3. [Figure 62: Problem when managing remote mGuards with VPN (mGuardHeadquarters, Headquarters network, server, Solsoft Client).] The problem does not occur if mGuard Headquarters in Figure 62 is NATting the traffic coming from Headquarters network. Problem when operating an mGuard in Stealth mode with management IP as VPN gateway: if a remote access permission is drawn to the mGuard (see Figure 63; in this example an https permission from 192.168.1.0/24 to mGuardStealth), then two rules are generated: one rule with the management IP as destination address, which is correct, and another rule with the client IP 192.168.0.100/32 as destination address, which is not correct. This rule is suppressed on mGuardStealth but cannot be suppressed on mGuard0 and mGuard1, i.e. https traffic to the client 192.168.0.100/32 will pass mGuard1 and mGuard0 but will be blocked on mGuardStealth. [Figure 63: Problem when operating an mGuard in Stealth mode without management IP as VPN gateway (mGuard1, mGuardStealth and a router).] Appendix: Restrictions / Known problems. 10.2 NAT / Port forwarding. VPN with certificates: the use of certificates requires the definition of a CA server and a CRL Distribution Point (CDP). Depending on the type of server or CDP, ISCM creates implicit permissions for the mGuard to access the servers. Since the mGuard does not support CA servers or CDPs, the
4. [Figure 16: Permission for HTTPS remote configuration (Headquarters Network, mGuard branch office 1, Subnet 1 192.168.1.0/24, mGuardStealth).] Permissions originating on the mGuard are ignored, since traffic originating on the mGuard cannot be restricted. In Router or PPPoE mode all permissions to the mGuard itself will be ignored, except for SSH, SNMP, HTTPS and, depending on the ICMP settings (see Chapter 6), the ICMP permissions. 3.8 Options for large scale networks: in large scale networks with many devices you can structure your projects in hierarchical folders and subfolders to gain a better overview. To put the networks and devices of Branch Office 1 in one folder, select all objects that belong to branch office 1. Then click on the icon (make sure that the Topology tab is active) to put all objects in one folder. You can rename the folder to "branch office 1" (see Figure 17). [Screenshot: Solsoft Security Designer workspace with the folder "branch office 1", the classes All mGuards and All remote networks, mGuard branch office 3, Subnet 3 192.168.3.0/24, Server 1, Solsoft Client and Solsoft Server.]
5. The Properties Window. [Figure 42: Stealth mode without management interface (Properties window of mGuardStealthWithoutManagementIP: Identification, General Options, Application Servers, Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones, Icons, Comments, Interfaces; options of the Stealth interface: Is Loopback Interface No, Generate ICMP Error Message, Allow Forwarding, Upload Target, Use as Tunnel Peer, Security zone Stealth). Margin heading: Stealth mode with management IP.] In Stealth Mode with management IP the device is also transparent to the environment, but has a management IP address that is accessible from both sides (trusted/untrusted)
6. [Figure 17: Structuring the project using hierarchical folders (Cisco Pix Headquarters, mGuard branch office 2, Subnet 2 192.168.2.0/24, Router, Subnet 4 192.168.4.0, Headquarters Network, folder "branch office 1").] To see the contents of the folder in the context of the project, double click on the folder again. [Figure 18: Structuring the project using folders (screenshot of the Solsoft Security Designer workspace with the expanded folder "branch office 1").] To collapse the folder, select it and click on the icon. To see only the conten
7. [Figure 26: Completed port forwarding rule in the workspace (screenshot of the Solsoft Security Designer workspace with the example project).] Enable the log for port forwarding: please refer to Chapter 6 to get information on how to enable the log for port forwarding rules. A log for single rules is not supported; the Security Configuration Manager can either enable the log or disable it for all port forwarding rules. 4.4 Create 1:1 NAT rules. Parameters for port forwarding rules: the class symbol in Subnet3 of our example project represents an ftp server. Since the server has a private IP address, you must create either a port forwarding rule to make the server accessible from the Internet or, as an alternative, a 1:1 NAT rule. The NAT rule can either be configured for Subnet3 or only for the ftp server. The parameters of the port forwarding rule for ftp are: Traffic to be translated: ID is automatically assigned by t
8. [Figure 50: Configure the NTP server in the mGuard property window.] Click on the icon to open a window which allows you to select server NTP1 as NTP server for the mGuard. To configure the time zone, please click on Application server > NTP server and enter the time zone as a string. Leave the mGuard Property window by clicking on OK. Remarks: the permissions for DNS, Syslog and NTP are implicitly created, i.e. they do not have to be created by the user. Remote logging is a licensed feature, i.e. if no license is installed on the device (e.g. mGuard professional), then an upload of the policy fails if remote logging is enabled in ISCM. Restrictions: when using NTP in Stealth mode the following restrictions apply: up to mGuard release 2.1 only the first two NTP servers are used by the mGuard software; starting with mGuard release 2.2 all NTP servers in the server list are used. When using DNS in Stealth mode the following restrictions apply: up to mGuard release 2.1 only the first two DNS servers are used by the mGuard software and only "User defined" is available as option; starting with mGuard release 2.2 all DNS servers in the server list are used and "Root DNS server" and "User defined" are available as option. 8.2 Define remote access rules through a tunnel: in Chapter 6 the configuration of Remote access rules is explained. In some cases it might be helpful to con
9. internal interface. [Figure 6: Interface properties for Cisco PIX (Cisco Pix Headquarters Properties window; Interfaces: external 212.1.2.122 (Internet), internal 192.168.0.1 (Headquarters); Options: Security Profile, ACL Name, Include File, Security Level).] Before uploading your policy to the devices you have to specify which of the interfaces is to be used as the upload target. Depending on the configuration of your network this could be either an external or internal interface. In the example project the upload target of the Cisco Pix is the internal interface, since the Security Configuration Manager is part of the Headquarters Network. The upload target of the Innominate mGuards, which are securing the remote networks, is the external interface. To access the property Upload Target, select Interface > Options in the property window of the device. Set this property to the proper value for each interface in the network. Add connections / Specify the Default Gateway: connect the objects by using the Connected To option in the properties window (upper right, see below). [Screenshot: mGuard branch office 2 Properties window (Identification, General Options, Application Servers, Logging Servers, Certificate Registration, ...).]
10. ID: internal use only.
    - Src: Source of the traffic to be translated, e.g. a network or a single computer.
    - Dst: Destination of the traffic to be translated, e.g. a network or a single computer.
    - Service: The service (protocol/port) to be translated, e.g. any or ftp.
    Translation Parameters:
    - Method Src: The translation method to be used on the source address.
    - Src After NAT: The source address after the NAT rule has been applied.
    - Method Dst: The translation method to be used on the destination address.
    - Dst Before NAT: The destination address before the NAT rule has been applied.
    - Service: The service (port/protocol) after translation, if desired.
    - Application Point: The device where the NAT rule is to be applied.
    If no translation is desired, you can specify the value "same" (see Figure 20) for any of the translation methods (src, dst, service). The NAT Editor supports the specification of destination and source translation parameters in one rule, as shown in Figure 20. For the Innominate mGuard only one translation method per rule is supported: either source or destination translation. For masquerading the source address is translated. For port forwarding the service port or the destination address or both will be translated. Since all of the networks in the example project (see Chapter 3) use private addressing, address masquerading is needed to connect the networks to the Internet. In Chapter 4.2 you can find a descripti
11. External tracking hosts (see Figure 58): add your tracking hosts to the list. If the desired tracking hosts do not exist yet on the workspace, you can add several tracking hosts by creating a class (see Chapter 3.3) with the IPs of the tracking hosts and connecting this class to the appropriate network. Then the class is available to be added to the tracking host list. Finally you have to add a ping permission from each device to the tracking hosts to enable the generation of the proper configuration. The ping permission will cause some warnings during compilation, which you can ignore. 7. The cluster can be used now. Draw your permissions between the class representing the workstations and the desired networks. The permissions will be created on both redundant devices. [Figure 60: Cluster parameters for Stealth (mGuardPrimary Properties window, General Options > Cluster configuration for Stealth Mode: Redundancy start state Master, Cluster Peer, Authentication password, Priority 100, Virtual Router ID, Enable ICMP check, Internal tracking hosts, External tracking hosts).]
12. [Figure 28: Completed 1:1 NAT rule in the workspace.] 5 VPN. VPN Transport mode: how to use VPN tunnel mode is explained in Chapter 3.6. When creating a tunnel, the tunnel is set to tunnel mode by default. To enable transport mode, open the Tunnel properties window (see Figure 29) by double clicking on an existing tunnel. Double click on Primary Tunnel and select one of the VPN gateways in the submenu. Then select Transport for the parameter VPN mode. Configure the other VPN gateway in the same manner. For transport mode VPNs please bear the following restrictions in mind: transport mode is supported only for the Innominate mGuard; other devices cannot be used as hosts in transport mode VPNs. Both mGuards have to use transport mode. There is no reasonable topology when combining router mode with transport mode VPNs, since a transport mode is a host to host connection and not a network to network connection. When using transport mode VPNs the devices have to be switched to Stealth mode; for more information refer to Chapter 5.1. Enabling VPN view: please make certain that the VPN view is enabled; select the VPN tab in the workspace. General remarks VPN: to configure VPNs with ISCM you should take a few things into account (see also Chapter 10). NAT and VPN: NAT has to be disabled for flows entering a VPN tunnel. Double click on the tunnel and use the menu options
13. [Figure 4: Empty objects placed on the workspace (Untitled PEP1 to PEP4, Untitled Network1 to Network5, Untitled Nexus, Untitled Class1, Internet).] Name and configure the objects: name the objects, set the address range of the networks and add interfaces to the devices. To name an object on the workspace, click on it once and place the cursor on the name to edit it. To add an address range to a network, double click on the network symbol, click on Add and specify the address range of the network. To get help on the address syntax, simply click on Help. Please specify the address ranges of the networks as shown in Figure 3. To add interfaces to the devices, double click on the device and click on the button. Place the cursor on the name of the interface and change it. It is recommended to use consistent interface names for all devices, e.g. "internal" for the internal interface and "external" for the external interface. Configure the addr
14. Import Filtering Rules: 1. Exclude filtering rules that have no meaning in the context of this policy. 2. Map source, destination and service. 3. Select filtering rules and click on the import button to create them in the policy. All rules must be imported or excluded to proceed to the next step. The rule list (columns ID, Interface, Action, Service, Source, Destination, Status) reads:
    ID         Interface  Action  Service       Source                    Destination
    (illegible)            Allow   (illegible)   Headquarters Network      Subnet 1 192.168.1.0/24
    f1         center     Allow   https         ANY                       Subnet 2 192.168.2.0/24
    f10        center     Allow   nfsd tcp      Subnet 3 192.168.3.0/24   Headquarters Network
    f11        center     Allow   ldap          Subnet 2 192.168.2.0/24   Subnet 1 192.168.1.0/24
    f12        center     Allow   pop3          Headquarters Network      Subnet 3 192.168.3.0/24
    f13        center     Allow   ssh           Subnet 2 192.168.2.0/24   Headquarters Network
    f14        center     Allow   http          Subnet 1 192.168.1.0/24   Headquarters Network
    f2         center     Allow   https         Headquarters Network      Subnet 3 192.168.3.0/24
    f3         center     Allow   http          Subnet 1 192.168.1.0/24   Subnet 3 192.168.3.0/24
    f4         center     Allow   pop3          Headquarters Network      Subnet 1 192.168.1.0/24
    f5         center     Allow   tcp UNP 5230  10.3.0.1/16               Headquarters Network
    f6         center     Allow   ssh           Subnet 3 192.168.3.0/24   Headquarters Network
    f7         center     Allow
15. [Figure 11: Create multiple tunnels using metaclasses (screenshot of the Solsoft Security Designer workspace with the example project).] Important: Subnet 4 cannot be part of the trust zone; for more details see Chapter 5 (Figure 30). 3. Implement your firewall rules (permissions): first change to the Policy tab. If no objects are displayed, select View > Show all objects from the menu. To allow e.g. http traffic from Headquarters Network to Internet, search for "http" in the service window on the left, select "http" (left click on the entry), select the icon, click on Headquarters Network and then draw a line between Headquarters Network and Internet while keeping the left mouse button pressed. The permission will show up on the workspace as an arrow between the objects. Activate the log for a permission: to activate the log for a permission, open the Property window by double clicking on the permission. Select Actions > Log in the menu tree, check "Enter the logging level" and set the logging level to a value 0. Sel
16. [Figure 59: Cluster with members operating in Stealth Mode.] 4. Create a Limited Path Zone (see Chapter 3.6): create a trust zone and add both redundant devices to the Limited Path Zone (see Figure 59). 5. Configure the cluster: open the Property Window of the mGuards by double clicking on the devices and set the parameter General Options > This device is member of stealth cluster for both mGuards to Yes. This will enable the menu General Options > Cluster configuration for Stealth Mode in the Property Window. Set the Redundancy Start State for mGuardPrimary to Master and for mGuardBackup to Backup. Select mGuardPrimary as peer device for mGuardBackup and vice versa. Set the remaining cluster parameters (see Figure 60). To prevent misconfiguration, the parameters Authentication password and Virtual Router ID can be configured only in the Property Window of the master device. Please note that the maximum length for the password is 8 characters. 6. Set optional cluster parameters: to configure external or internal tracking hosts, click in the Property Window of each device on General Options > Cluster configuration for Stealth Mode and enable the option Enable ICMP checks. Then you are able to select tracking hosts in the menu General Options > Cluster configuration for Stealth Mode > Internal tracking hosts or General Options > Cluster configuration for Stealth Mode
17. [Figure 44: Multi Stealth Mode (mGuardStealthWithManagementIP Properties window: Type Innominate mGuard, Version 3.0; interfaces Internal > Subnet 3, Management).] Automatic / Static Stealth Modes: when using Static Mode, make sure that the Default Gateway for the attached network is specified (see Chapter 3.2). Additionally, the MAC address of the client has to be specified in the input field that appears in the menu General options > Stealth mode configuration when enabling the Static Mode. 7 Generic PEP Actions: the Generic PEP Actions can be activated by opening the context menu (right click on a device) and selecting PEP action. The available PEP actions for the Innominate mGuard are described in the following chapters. 7.1 Device Update. Specifying the update parameters: before initiating an update, the parameters have to be set. Please refer to Chapter 6 on how to set the update parameters. Initiating an update: to initiate an update, the Security Configuration Manager logs in to the device using SSH. Therefore you have to specify the admin login and password for each device. Open the properties window by double clicking on a device, select Upload Configuration > Authentication and enter the l
18. need or use the PKI information (CA server, CRL Distribution Server etc.). For detailed information on how to configure the PKI in ISCM please refer to the Solsoft document "Working with VPNs". ISCM will not create certificates; the certificates have to be exported by the CA and placed in a user defined directory on the ISCM server. Since the Innominate mGuard does not support a PKI (CRL, CA online enrollment, CA root certificates), the devices have to be manually enrolled at the CA to subsequently export the certificates. Please refer to the manual of the respective CA on how to enroll devices and export certificates. Examples for using a CA can be found in the document "Interoperability Guide: Setting up a VPN connection between mGuard and Cisco VPN 3000 Series Concentrator" on the Innominate web site. For the Innominate mGuard two files are required: 1. The certificate with the public key of the mGuard, signed and exported by the CA as PEM export (<deviceName>.crt). 2. The private key as PEM export without password protection, containing the corresponding private key (<deviceName>.pem). The private key can also be imported in the device during rollout; in this case please disable the import in ISCM (see below). All exported certificates (also the PEM certificates of the non Innominate devices) have to be placed in a user defined directory on the ISCM server. Important: the names of the certificate files for the respective device have to b
19. of the device. In this mode also only one client can be connected to the trusted interface. A device using Stealth Mode with management interface must have at least 3 interfaces:
    - One interface without IP address (exception: VPNs, see Chapter 5.1) and the parameter Security Zone set to "Untrusted Stealth". Please deactivate the option Upload target for this interface.
    - One interface without IP address and the parameter Security Zone set to "Trusted Stealth". There must be a network with the IP address of the client (netmask /32) connected to this interface. Please deactivate the option Upload target for this interface.
    - One interface with the management IP address and the parameter Security Zone set to "Management". There must not be a network connected to this interface. Please activate the option Upload target for this interface, i.e. this IP address is used to upload the configuration to the device.
    [Screenshot: The Properties Window; Solsoft Security Designer workspace with mGuard branch office 3, Subnet 3 192.168.3.0/24, mGuardStealthWithManagementIP, Client 192.168.3.1/32, and the mGuardStealthWithManagementIP Properties window (Identification, General Options, Application Servers, Policy Learning Mode, VPN Options, ...; interface options Is Loopback Interface, Generate ICMP Error Message).]
20. [Figure 61: Routing problem when mixing VPN and non VPN traffic (screenshot of the Solsoft Security Designer workspace with the example project).] VPN and Stealth Mode. Appendix: Restrictions / Known problems. If the ISCM server is part of the VPN (see Figure 62), it is not possible to configure a remote mGuard in the following cases: the remote mGuard is operated in Router Mode and the mGuard Release is older than 2.2; the remote mGuard is operated in Stealth Mode and the mGuard Release is older than 3.1. [Screenshot: Solsoft Security Designer workspace with External network, Remote Network, mGuardStealth and the Solsoft Client and Server.]
21. [Figure 7: Connection option of the interfaces (mGuard branch office 2 Properties window; menu tree with Certificate Authority, NTP Server, Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones, Icons, Comments, Interfaces; interface internal 192.168.2.0/24: Connection > Connected To Internet; IP Addresses: Use Dynamic Addresses, Dynamic Addresses From, Resolve IP Address Using).] or by right clicking on a device to open its popup menu and then selecting Auto Connect. The Auto Connect feature can only be used in cases where the assignment of the interface to the network is unambiguous. To specify the Default Gateway of a network, double click on a network in the workspace and then click on Gateway in the menu on the left side of the window. In the right window select the Default Gateway and click on OK. After connecting the objects your workspace should look similar to Figure 3. 3.3 Create classes to represent objects with special functionality in your topology: if you need to represent objects with a special functionality (e.g. an ftp server or a web server etc.), click on the symbol to create a new class. In the example project there is an ftp server in Subnet3. Please create a new class and configure it with an address from the address range o
22. Chapter 6), the directory for the configuration data and a device specific serial number can be entered. Initiate the export: the rollout function will generate a configuration file in the specified directory for each of the selected devices. The directory must be created in advance by the administrator. The name of the export files will be <serial number>.atv. If no serial number is specified, the name of the mGuard will be used for the filename. To use the rollout function, the parameter Upload configuration > Connection Options > Upload method in the mGuard properties menu has to be set to Localhost; otherwise the rollout function is not visible in the context menu. To initiate an export of the configuration data, right click on any Innominate mGuard in your workspace. Select PEP Actions > Create Rollout DB in the popup menu to open the following window (after the project has been successfully compiled). [Figure 46: PEP Action window ("Select & Order PEPs For Generic Action": choose and order the PEPs for Generic Action; listed PEPs mGuard branch office 1, 2 and 3; option "Generic Action for All PEPs").] Initiating an update: select individual devices or select Generic Action for all PEPs to export data for all of the devices in the project. Then press Generi
23. "Disable NAT in tunnel" and "Disable NAT for" to configure the use of NAT in the VPN. For the mGuard all NAT has to be disabled for VPN flows, because NAT in a tunnel is not supported by the mGuard. VPN Tunnel Scope: the property Tunnel Scope may only take the value "Trust Zone" or "by IP Address". To access the property Tunnel Scope, double click on an existing tunnel and select Primary Tunnel > Tunnel Options in the Tunnel Properties window. [Figure 29: Tunnel Properties window (Tunnel Options: Name, Tunnel Scope, Options, Ignore Zone; Primary Tunnel: Cisco Pix Headquarters, mGuard branch office 1; Pre Shared Key, valid IPSec Proposals).] When using "by IP Address" as the value for Tunnel Scope, the tunnel permissions must not originate from two different objects in a single network, as shown in the following figure. [Screenshot: Solsoft Security Designer workspace with Subnet 3 192.168.3.0/24, mGuard branch office 3, Server 1, Subnet 2 192.168.2.0/24, Subnet 4 192.168.4.0/24 and mGuard branch office 2.]
24. [Figure 53: Adding a VLAN interface (Interfaces: External 192.168.2.1/24, ExternalVLAN1, ExternalVLAN2, Internal 192.168.1.1/24, InternalVLAN1; margin heading: VLAN interface untrusted).] 8.4 Learning mode (Activate learning mode / Analyse the log / Import the rules): in environments with unknown network traffic it is nearly impossible to use a firewall, since any traffic that is required for the proper operation but not known to the administrator will be blocked by the firewall. In these environments the Learning mode can be used to analyse the network traffic and to import rules in ISCM based on the analysis result. To use Learning Mode you have to set up a Syslog server. Please note that you must have a valid ISCM license for import to use learning mode. To enable Learning Mode for an mGuard, open the Properties window of the device by double clicking on the device and select Policy Learning Mode in the menu tree on the left. Set Enable Policy Learning mode to Yes. If Learning Mode is activated, the rule "permit all" with activated log will be appended to the ruleset when compiling the project. The log for any explicit permission will be set to No, i.e. any unknown traffic will be logged and all known traffic will not be logged. No traffic will be blocked by a device with activated Learning Mode. The log can
25. [Figure 9: Trust Zone (screenshot of the Solsoft Security Designer workspace with Cisco Pix, Headquarters Network, mGuard branch office 1 to 3 with Subnets 1 to 3, Router, Subnet 4 192.168.4.0/24 and Server 1).] Add a tunnel. 5. To add a tunnel between the Cisco Pix and the mGuard, click on the symbol in the Security Designer tool bar, left click on one of the devices and then draw, with the mouse button pressed down, a line between the Cisco Pix and the mGuard. The tunnel will be initialized with a PSK and will be shown on the workspace. [Screenshot: Solsoft Security Designer workspace (VPN view) with VPNs, Classes and Networks in the browser, Headquarters Network, Internet, mGuard branch office 3, Subnet 3 192.168.3.0/24 and Server 1.]
be drawn to that class. Please note that this can only be accomplished with HTTPS and SNMP permissions. Since the configuration is uploaded to the devices with SSH, an SSH permission cannot end on the internal interface of a tunnel gateway, since this interface is only available when the tunnel is up. Please note that in the example in Figure 51 a port forwarding rule for SSH would have to be defined for mGuard branch office 1 to make mGuard 1.1 accessible from Headquarters Network.

8.3 Configure VLANs

Physical interfaces / Virtual VLAN interfaces

The mGuard supports the tagging of VLAN packets and the definition of virtual VLAN interfaces. Please refer to the mGuard manual for detailed information on mGuard VLAN support. VLAN support is available for mGuard Release 3.0 and higher only.

A VLAN tag can be attached to the physical interfaces (trusted/untrusted interface) of the mGuard. To configure a VLAN tag, please open the Properties window of the device by double clicking on the device. Open the interface properties for the respective interface and enable the option Has VLAN tag. Then enter a value between 0 and 255 for the VLAN tag (see Figure 52). This option is available for the trusted and untrusted interface in Router Mode and for the management interface in Stealth Mode.

[Figure 52 screenshot, first part: Untitled_PEP1 Properties window with the menu tree Identification, General Options, Application Servers, Policy and the interface option Is Loopback Interface: Yes/No]
be used as input for the concentrator tool, which will convert the contents of the log to an import file (.xci) for ISCM. Please refer to the application note "Learning Mode" for more detailed information on Learning Mode and the concentrator tool.

To import the rules, right click on any mGuard on your workspace and select Import > Device configuration. Select Solsoft Import File (.xci) and browse for the xci file (use the browse icon). Set Try to Map Unmapped Objects to Yes (see below).

[Figure 54 screenshot: Import Device Configuration dialog; Import Source: Solsoft Import File (.xci); Options: path of the .xci file, Try to Map Unmapped Objects: Yes, UNP ALL For Src Port Range Automatic Mapping: Yes]
Figure 54: Selecting the xci file for rule import

Click on the button Next. ISCM will now import the xci file and show the rules to be imported in a window. For all network addresses that can be matched to objects on the workspace, ISCM will replace the address with the appropriate object. The same is true for services/protocols that can be matched to existing services.

[screenshot: Import Device Configuration dialog for mGuard branch office 3 showing the rules to be imported]
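As an added illustration of the step between "analyse the log" and "import the rules" (this is not the Innominate concentrator tool and does not write the .xci format), the following Python script aggregates the flows that the appended "permit all" logging rule would record into candidate permissions, collapses source hosts into their /24 network and flags rarely seen flows for review before import. The log line layout, the host name mguard1 and the addresses are constructed for this example.

```python
"""Concentrator-style aggregation of Learning Mode logs (added example).

Not the Innominate concentrator tool and not the .xci import format; it only
shows how logged unknown flows can be condensed into candidate rules. The log
line layout, host name and addresses below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of what the appended "permit all" rule with logging
# would record: every line is a flow that no explicit permission matched.
SAMPLE_LOG = """\
Oct 12 10:01:03 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.10 DST=192.168.3.100 PROTO=TCP DPT=21
Oct 12 10:01:09 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.11 DST=192.168.3.100 PROTO=TCP DPT=21
Oct 12 10:02:41 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.12 DST=192.168.3.100 PROTO=TCP DPT=21
Oct 12 10:03:00 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.10 DST=192.168.3.5 PROTO=UDP DPT=123
Oct 12 10:03:05 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.11 DST=192.168.3.5 PROTO=UDP DPT=123
Oct 12 10:07:15 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.77 DST=10.9.9.9 PROTO=TCP DPT=6667
Oct 12 10:08:44 mguard1 fw: ACCEPT IN=eth1 SRC=192.168.1.10 DST=192.168.3.100 PROTO=TCP DPT=21
Oct 12 10:09:00 mguard1 fw: some unrelated message without flow fields
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Return (src, dst, proto, dport) tuples; lines without flow fields are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], m["proto"].lower(), int(m["dport"])))
    return flows


def concentrate(flows, min_hits=2, src_prefix=24):
    """Collapse logged flows into candidate permissions.

    Flows with the same (proto, dst, dport) become one candidate. When several
    source hosts fall into the same /src_prefix network, the candidate uses
    that network as source, otherwise the individual hosts. Candidates seen
    fewer than min_hits times are kept but marked for review: Learning Mode
    blocks nothing, so a single unexpected flow would otherwise turn into a
    permanent rule on import.
    """
    groups = defaultdict(Counter)
    for src, dst, proto, dport in flows:
        groups[(proto, dst, dport)][src] += 1
    rules = []
    for (proto, dst, dport), srcs in sorted(groups.items()):
        nets = {ipaddress.ip_network(f"{s}/{src_prefix}", strict=False) for s in srcs}
        src = str(nets.pop()) if len(srcs) > 1 and len(nets) == 1 else ",".join(sorted(srcs))
        hits = sum(srcs.values())
        rules.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                      "hits": hits, "review": hits < min_hits})
    return rules


if __name__ == "__main__":
    for r in concentrate(parse_log(SAMPLE_LOG)):
        flag = "  REVIEW" if r["review"] else ""
        print(f"permit {r['proto']} {r['src']} -> {r['dst']}:{r['dport']}  ({r['hits']} hits){flag}")
```

Candidates marked REVIEW are the ones to inspect by hand before the next import and deploy cycle, since deactivating Learning Mode later removes the "permit all" rule but not any rule that was imported in the meantime.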
To configure the tunnel to use certificates for authentication, open the Tunnel Property Window by double clicking on the tunnel, click on Primary Tunnel > Tunnel Policy > Select, select IPSec/RSA Sig Default and close both windows by clicking on OK.

[Figure 38 screenshot: Tunnel Properties window and Element Chooser listing the tunnel policies IPSec/PSK High Security, IPSec/RSA Sig & PSK Default, IPSec/RSA Sig Authentication Only, IPSec/RSA Sig Default, IPSec/RSA Sig High Performance and IPSec/RSA Sig High Security]
Figure 38: Select a tunnel with certificate authentication

Now you are ready to compile. When compiling, ISCM will create the configuration for the use of certificates.

6 The Properties Window

Update options

Please double click on an mGuard in your workspace to open the Properties window. Use this window to configure the parameters of a device.

[screenshot: mGuard branch office 1 Properties window; Type: Innominate mGuard; menu tree Identification, General Options, Application Servers, Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones, Icons, Comments, Interfaces]
information on how to use VPN with Stealth mode, and to Chapter 3.7 for the definition of firewall rules. Chapter 6.1 contains a detailed description of the different Stealth modes.

Check the box Activate log for port forwarding to enable the logging of port forwarding rules. A log cannot be activated for a single rule.

Click on the entry General Options > Administration services to access the options for remote access (HTTPS, SNMP). The configuration for SSH remote access can be found in the menu Upload configuration > Connection Options > SSH flow to be used. By default the Innominate mGuard will use the standard ports for remote access via HTTPS, SNMP and SSH. For certain configurations it might be necessary to use ports other than the standard ports, e.g. when enabling SSH access to a client computer protected by an mGuard in Stealth mode without management interface. In this case please create a service with the desired port (see Chapter 4.3 for information on how to create services) and select this service by clicking on the appropriate button: Service for HTTPS remote access, Service for SNMP remote access or SSH flow to be used.

To enable remote access for the desired protocol, check the appropriate box. SNMP remote access is a licensed feature, i.e. if no license is installed on the device (e.g. mGuard professional), then an upload of the policy fails if SNMP access is enabled in ISCM. The roll out options are only
password for each device to enable the Security Configuration Manager to log in to the devices. Open the properties window by double clicking on a device, select Upload Configuration > Authentication and enter the login and the password for admin (this is mandatory). For mGuard version 2.0 and 2.1 you have to specify the root login.

To be able to deploy the policy, set the project status to Approved for deployment: Select File > Save in the Security Designer menu, enter a comment in the dialog box (this is mandatory) and then click on OK. Open the Project Manager by selecting File > Projects. If it is not already selected, select your project with a left click. The versions of your project are shown in the lower window of the Project Manager. A new version is created each time the project is saved. Right click on the latest version and select Set version status. Set the version status to Approved for deployment. Close the Project Manager.

The deployment icon will now be accessible in the Security Designer. Click on this symbol to deploy your policy.

Please note that the icon will be deactivated as soon as a class on the workspace is selected. To activate the icon again, deselect the class by clicking on an empty place on your workspace.

Before uploading for the very first time, the configuration of the mGuard is saved by default in a file on the server. To disable this feature, uncheck the box in the menu Upload Configuration > Advanced C
policies, the procedures specific to the Innominate mGuard security appliances. For detailed information about the usage of the Security Configuration Manager please refer to the documents listed below.

Related documentation

Overview

The Innominate Security Configuration Manager enables the convenient network wide configuration of security settings for mid sized and large networks in which Innominate mGuard security appliances are integrated. The tool offers state of the art management of security policies via a graphical interface based on Solsoft technology. Using the Innominate Security Configuration Manager, VPN connections between Innominate mGuard appliances and VPN gateways from other major manufacturers (e.g. Cisco, Netscreen etc.) can be configured and managed. With a click of your mouse you can generate the desired firewall rules, VPN configurations, NAT settings etc. and upload the generated rule set to the devices in the network, deploying your desired security policies in an instant.

Supported devices

ISCM 3.0 supports all Innominate mGuards Release 2.0 and higher.

Supported features

The current version of the Innominate Security Configuration Manager supports the following features of the mGuard:
- Router mode, Stealth mode, PPPoE mode
- Stealth modes automatic, static and multi
- VPN tunnel and transport mode
- Support of X.509 certificates
- VLAN configuration
- Firewall rules with connection tracking for f
this, select the tab Advanced and set Contains IP data in payload to Yes. This information is needed by the Security Configuration Manager when performing checks on your projects.

When creating a new service, one default protocol is already created for the service. Now configure this protocol; set the parameters to the following values:
- IP protocol: TCP
- Src port: UNP 1024-65535
- Dst port: 21
- Direction: [arrow icon] (flows with an arrow pointing to the left are back flows)
- Master: leave Master unchecked, since there is only one flow in the service. Services with more than one flow need a master flow indicating the initiating flow.

After creating the new service you can specify the port forwarding rule. The internal ftp server in our example accepts ftp requests on port number 21, i.e. you can also use the new service ftp incoming to specify the flow from the mGuard which is applying the port forwarding rule to the internal ftp server. If the internal server accepts ftp requests on another port, you must create another service (e.g. ftp outgoing) with the corresponding port number.

When creating a new service, one default protocol is already created for the service. In case you need to add additional protocols to the service, click on the add icon.

The parameters of the port forwarding rule for ftp are:

Traffic to be translated
- ID: assigned by the NAT Editor
- Src: Any. ISCM currently does not support this parameter; the value must b
to be compiled and the configuration has to be uploaded to the device. The sequence logging, analysing, importing and deploying can be repeated until no more rules are logged. When the learning phase is completed, Learning mode can be deactivated for the device. Then the default rule "permit all" will be removed from the ruleset and the device operates in normal firewall mode.

8.5 Router redundancy

For high availability, two mGuards can be configured as redundant devices. During operation the firewall state tables will be synchronized between the two redundant mGuards. As soon as the master device fails, the backup device will continue operation. Redundancy is supported for the firewall only, not for VPNs. Please refer to the mGuard manual for further information on router redundancy.

Router redundancy is supported for mGuard Release 3.0 and higher only. You must have a valid license for cluster support to configure redundant devices in Router Mode with ISCM; the license is not required if you configure redundant devices in Stealth Mode. Router redundancy is supported in Router Mode and in Stealth Mode (Static Stealth mode and Multi Stealth Mode only). The way to configure redundancy with ISCM differs completely between Stealth Mode and Router Mode. Therefore please refer to the corresponding chapters.

8.5.1 Configure redundant devices operated in Router Mode

We will now replace Router1 in our ex
mGuard operated without management IP

the virtual network and the virtual interface described in the previous sections are not needed. The trust zone for the transport mode VPN contains only the mGuards (see Figure 34) if the mGuard is operated in Stealth mode without management IP. That means that all permissions are also drawn between the two mGuards. In the following example one mGuard in Subnet 1 and another one in Subnet 2, both operated in Stealth mode without management IP, are connected via a transport mode VPN. Please note that in the scenario in Figure 34 the definition of port forwarding rules is necessary to enable the SAP permission, since mGuard branch office 1 and Cisco Headquarters are NAT devices.

[Figure 34 screenshot: workspace with the sap permission (tcp UNP > sap) drawn between the mGuards; Cisco Pix, Headquarters Network, mGuard branch office 1 (Subnet 1, 192.168.1.0/24), mGuard branch office 2 (Subnet 2, 192.168.2.0/24), mGuard branch office 3 (Subnet 3, 192.168.3.0/24) and Internet]
Figure 34: Firewall rules within transport mode VPN (Stealth mode without management IP)

mGuard operated with management IP

In contrast to the previous section, the permissions are drawn between the two
9 corresponds to the lowest priority. In certain configurations it is necessary that a flow which is usually routed through a tunnel has to be routed outside of the tunnel. In this case open the Permission Property window by double clicking on the permission. Select Zone & VPNs in the menu on the left. Enable the option Ignore all VPNs for the permission.

Use the metaclass

To allow http traffic from all remote networks to Internet, use the metaclass All remote networks (see Chapter 3.4). Draw a permission from All remote networks to Internet. Also allow internal traffic (e.g. ftp) between the remote networks and Headquarters Network by drawing the permission between All remote networks and Headquarters network. Your workspace should look similar to the following figure (the Security Designer displays only the relevant objects unless you select View > Show all objects from the menu).

[screenshot: Security Designer workspace with the Policy tab active; the Browser pane lists the services ftp, ftp passive, ftp incoming, fw authenticated, http proxy target, mosaic and tftp; the ftp permission runs between All remote networks and Headquarters Network]
[Figure 40 screenshot: Properties window with the menu tree Identification, General Options, Application Servers (Logging Servers, DNS, Use Dynamic Addresses, Certificate Registration Authority, NTP Server), Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones, Icons, Comments, Interfaces; the options Dynamic Addresses From and Resolve IP Address Using; interfaces external (Internet) and internal (192.168.2.0/24)]
Figure 40: Dynamic addresses

If the interface with the dynamic address is an upload interface, then the ISCM server has to know the address when uploading. Therefore you can set the parameter Resolve IP address using to Prompt for IP address if you would like to enter the IP address manually when uploading, or set it to PEP FQDN if you have FQDN enabled (see below). PEP FQDN will only be available if FQDN is enabled.

The parameter Dynamic addresses from specifies the address range of the dynamic addresses (e.g. user defined pool, Any, Network). If the device is connected to the Internet, only the value Any is allowed.

FQDN / ICMP Handling / Enable log for default rules / Enable VPN DynDNS monitoring

To configure the FQDN of the device, set FQDN mode in the menu Application Servers > DNS to Yes and enter the FQDN.

[screenshot: mGuard branch office 1 Properties window, Application Servers > DNS with FQDN mode set to Yes and an FQDN entered]
Innominate Security Configuration Manager
Quick Installation Guide
Working with Innominate mGuard
ISCM Release 3.x.x
Document Rev. 1.7

[cover screenshot: Solsoft Security Designer workspace with the example project: Headquarters, mGuard, Router, Subnet 1 (192.168.1.0/24), Subnet 2 (192.168.2.0/24), Headquarters Network (192.168.3.0/24, server 192.168.3.100), Solsoft Client and Solsoft Server]

Innominate Security Technologies AG
Albert-Einstein-Straße 14
12489 Berlin
Germany
Tel. +49 (0)30 6392 3300
info@innominate.com
http://www.innominate.com

Innominate Security Technologies AG, October 2005. Innominate and mGuard are registered trade
[Figure 52 screenshot: Properties window; menu tree Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones; interface options Generate ICMP Error Message: Device Default, Allow Forwarding: Device Default, Upload Target: Yes/No, Use as Tunnel Peer: Automatic, Security zone: Untrusted, Has VLAN tag: Yes, VLAN tag 100; interfaces External 192.168.2.1/24, ExternalVLAN1 (192.168.4.x), ExternalVLAN2 (192.168.10.x), Internal 192.168.1.1/24, InternalVLAN1 (192.168.3.x)]
Figure 52: Attaching a VLAN tag to a physical interface

It is possible to add virtual VLAN interfaces either on the trusted or the untrusted side of the device. Please refer to Chapter 3.2 on how to add an interface. Choose either VLAN interface trusted or VLAN interface untrusted as Security Zone, depending on which side of the device you would like to add the interface. Then enter the VLAN tag in the field that appears in the interface options (see Figure 53). It is only possible to add VLAN interfaces in Router Mode.

[Figure 53 screenshot, first part: Untitled PEP1 Properties window with the menu tree Identification, General Options, Application Servers, Policy Learning Mode, VPN Options, Upload Configuration, Modifier Zones and the interface options Is Loopback Interface: Yes/No, Generate ICMP Error Message: Device Default, Allow Forwarding: Device Default, Upload Target: Yes/No, Use as Tunnel Peer: Automatic]
Mode

9 Appendix: Interface settings overview

[Table; the cell contents are not recoverable from the extraction]
Columns: Network mode / Scenario; Trusted interface (Security Zone trusted); Untrusted interface (Security Zone untrusted); Management interface (Security Zone Management); Virtual VPN interface (Security Zone Virtual VPN)
Rows:
- Router
- PPPoE
- Automatic/static Stealth without management IP
- Automatic/static Stealth without management IP and VPN tunnel mode
- Automatic/static Stealth without management IP and VPN transport mode
- Automatic/static Stealth with management IP
- Multi Stealth with management IP
- Automatic/static Stealth with management IP and VPN tunnel mode
- Automatic/static Stealth with management IP and VPN transport mode

Each cell contains the mandatory settings for the interface in the scenario. For all cells with green colour the corresponding interface is mandatory.

10 Appendix: Restrictions / Known problems

10.1 VPN

Miscellaneous

Non contiguous address ranges in a VPN: There is no support for two networks with non-contiguous address ranges on one side of the VPN, even if the Tunnel Scope is set to Trust Zone. Therefore it is not possible in the setup of Figure 11 to add Subnet 4 to the trust zone, since the address ranges of Subnet 2 and Subnet 4 are not contiguous.

Permissions with the Ignore VPN option are not allowed inside a VPN.

Deny P
al addresses, the compilation will stop with an error message. If dynamic addresses are used, the Security Configuration Manager will use extern as the value for the address, no matter what you specified in the port forwarding rule.
- Service: ftp incoming. In our example the incoming port has the same value as the outgoing port. If the internal server accepts requests on another port, you must create a new service with the corresponding port if it is not already in the service list. Please keep in mind: The current version only supports services with single flows.
- Application Point: mGuard branch office 3. This is the device applying the port forwarding rule.

After the port forwarding rule is completed it will be displayed in the NAT Editor and in the workspace.

[Figure 25 screenshot: All NAT Definitions editor with one rule; Traffic to be Translated: ID 1, Src Any, Dst the ftp server in Subnet 3, Service ftp incoming; Translation Parameters: Method Src same, Method Dst Static, Dst Before NAT the external address of the device, Service ftp incoming, Application Point mGuard branch office 3; status No Error]
Figure 25: Completed port forwarding rule in the editor

[screenshot: Security Designer workspace with the NAT tab active; Browser pane listing NAT, Classes, All mGuards and all networks]
alue is 100.

7. Set optional cluster parameters: To configure external or internal tracking hosts, click in the cluster Property Window on Cluster Options and enable the option Enable ICMP checks. Then you are able to select tracking hosts in the menu Cluster Options > Internal tracking hosts or Cluster Options > External tracking hosts (see Figure 58). Add your tracking hosts to the list. If the desired tracking hosts do not yet exist on the workspace, you can add several tracking hosts by creating a class (see Chapter 3.3) with the IPs of the tracking hosts and connecting this class to the appropriate network. Then the class is available to be added to the tracking host list. Finally you have to add a ping permission from the cluster to the tracking hosts to enable the generation of the proper configuration. The ping permission will cause some warnings during compilation which you can ignore.

8. The cluster is ready to be used. If a permission is created, it will be automatically added to the configuration of both devices. NAT is also supported in this mode (use the cluster as NAT device). The NAT configuration will be added to both of the redundant devices.

8.5.2 Configure redundant devices operated in Stealth Mode

Redundancy is supported either in Multi Stealth Mode or in Static Stealth Mode with management IP. Let's assume we would like to protect some workstations in Subnet 1 of our example pro
ample project (Chapter 3) with two redundant mGuards in Router Mode. Please follow these steps:

1. First place both devices parallel to each other between Subnet 2 and Subnet 4 (first delete Router 1). Set the version of the devices to 3.0. Add and configure the interfaces and connect the mGuards to the networks (see Figure 56). Refer to Chapter 3.2 for detailed information about the configuration of devices and interfaces.

[Figure 56 screenshot: workspace with the two redundant mGuards placed in parallel between Subnet 2 (192.168.2.0/24) and Subnet 4 (192.168.4.0/24); also Subnet 3 (192.168.3.0/24), NTP server 1, Solsoft Client, Solsoft Server, the mGuard branch offices, the Cisco Pix and Headquarters Network; the Browser pane lists mGuard2 backup]
Figure 56: Router redundancy

2. Add a cluster parallel to the devices with the cluster icon (please make sure that the Topology tab is active). The
[Figure 10 screenshot, continued: mGuard branch office 2 (Subnet 2, 192.168.2.0/24), Router (Subnet 4, 192.168.4.0/24) and mGuard branch office 1 (Subnet 1, 192.168.1.0/24)]
Figure 10: Tunnel added and initialized

Configuration of the tunnel

6. To check or change the tunnel configuration, double click on the tunnel to open the Tunnel Properties window. To generate VPN rules during compilation you must define the permissions (see Chapter 3.7) between the networks of the VPN.

Use the metaclass / tunnel groups

For creating a VPN between all mGuards and the headquarters network, use the tunnel group feature.

7. Please note that you must have a valid ISCM license for the tunnel group feature. For the tunnel group, use the metaclass All mGuards created in Chapter 3.4. First delete the tunnel created in step 7, insert all objects into the trust zone except for Internet, Router and Subnet 4, and draw the tunnel between the Cisco Pix and All mGuards. Afterwards your workspace will look similar to the following illustration.

[screenshot: Security Designer workspace with the tunnel between the Cisco Pix and the metaclass All mGuards; Browser pane listing VPNs and Classes (All mGuards, all networks, all PEPs); Internet and mGuard branch office 3 (Subnet 3)]
c Action to initiate the export process. A window will open for each device showing the progress and the results of the export.

7.3 Check Device connectivity

Initiate the connectivity check

This PEP action tests whether the device is reachable via SSH. To initiate a check, the Security Configuration Manager logs in to the device using SSH. Therefore you have to specify the admin login and password for each device: Open the properties window by double clicking on a device, select Upload Configuration > Authentication and enter the login and the password for admin (this is mandatory).

To initiate the connectivity check, right click on any Innominate mGuard in your workspace. Select PEP Actions > Check device connectivity in the popup menu to open the following window (after the project has been successfully compiled).

[Figure 47 screenshot: Select & Order PEPs For Generic Action dialog listing the PEPs mGuard branch office 2, mGuard branch office 3 and mGuard branch office 1, with the option Generic Action for All PEPs]
Figure 47: PEP Action window

Initiating an update

Select individual devices, or select Generic Action for all PEPs to check the connectivity of all of the devices in the project. Then press Generic Action to initiate the check. A window will open for each device showing the results of
[Figure 24 screenshot: Service Editor, service ftp with the flows ftp (21) from UNP 1024-65535 and ftp data (20) back to UNP 1024-65535; service list including entrust admin, entrust keymgmt, ftp passive, ftp incoming and fw1; option Show Used Only]
Figure 24: Service Editor (service ftp)

Create a new service / Parameters for port forwarding rules

The service ftp contains two flows:
- The initiating request (master flow) with the following parameters: tcp, source port numbers 1024-65535, destination port 21.
- The data flowing back in response to the request with the following parameters (not shown in the figure above): tcp, source port numbers 1024-65535, destination port 20.

In the current version of the Security Configuration Manager the port forwarding rules only support services with a single flow. The mGuard supports connection tracking for certain protocols. Please refer to Chapter 6 for more information on this feature.

To create a port forwarding rule for ftp you must therefore first create a service which only contains single flows. Begin by selecting Tools > Service Editor to open the Service Editor. In the Service Editor click on the new-service symbol to create a new service. Choose IP Service from the menu. Name the service, e.g. ftp incoming. Some protocols like ftp contain IP data in the payload (e.g. address information). To make the Security Configuration Manager aware of
cluster is a virtual device that represents the two redundant mGuards.

3. Add two interfaces to the cluster. Add the virtual external IP addresses to one interface and the virtual internal IP address to the other interface (see Figure 57). The external interfaces of both redundant devices and the cluster have to be connected to the same network. The same is true for the internal interfaces. Set the Security Zone for the internal (trusted) interfaces to Trusted.

4. Then add the two mGuards to the cluster: Open the properties window of the cluster by double clicking on the cluster. Select Cluster Options > Cluster Members. Click on the add icon (see Figure 57) and select the redundant devices as cluster members. The first device in the list will be the master and the second device in the list will be the backup device.

[Figure 57 screenshot: Cluster Properties window, Cluster Options > Cluster Members listing 1 mGuard1 (master) and 2 mGuard2 (backup); menu tree Identification, General Options, Cluster Options, Modifier Zones, Icons, Comments, Interfaces]
d like to masquerade the traffic leaving Subnet 1.
- Src After NAT: empty. Since masquerading implies that the source address is translated to the address of the external interface of the device applying this rule, this field is empty.
- Method Dst: same. As described in the previous chapter, the mGuard does not support the translation of destination addresses and source addresses in one rule. Any value other than same will cause either an error message in the NAT Editor or a compiler error when you compile your policy.
- Dst Before NAT: empty.
- Service: any (see the comments on the parameter Service under Traffic to be translated).
- Application Point: mGuard branch office 1. The device applying the NAT rule is mGuard branch office 1 in the example project.

When finished, the completed NAT rule will be displayed in the NAT Editor and the workspace.

[Figure 21 screenshot: All NAT Definitions editor with one rule; Traffic to be Translated: ID 1, Src Subnet 1, Dst Any, Service any; Translation Parameters: Method Src Masq, Method Dst same, Service any, Application Point mGuard branch office 1; status No Error]
Figure 21: Completed NAT rule in NAT Editor

[screenshot: Security Designer workspace with the NAT tab active, showing the masquerading rule]
2 Configure the Security Designer (ISCM enterprise only)

Starting the Security Designer

The Security Designer is the graphical user interface used to design your security policies and to start the compilation and deployment process. After installation the Security Designer has to be configured to use the server.

1. To start the Security Designer, select Start > All Programs > Solsoft > SecurityDesigner7.1 > Solsoft Security Designer in the Windows Start Menu. Remark: Depending on the current version of ISCM or your specific settings, the path above may differ.

2. Click on the server symbol to configure the server parameters:
- Server: The name or IP address of the computer running the server.
- Port: Please insert the port number of the server (the standard port number is 14001).
Click on OK. The Innominate Security Configuration Manager has now been successfully installed.

2.8 Configure the devices

Please follow the steps described in the device manual for starting up and configuring the device (IP addresses of the interfaces etc.).

Enable SSH access

The configuration file containing the firewall rules and the NAT and VPN configuration is copied from the Security Configuration Manager to the mGuards using SSH. Therefore SSH traffic has to be permitted first on the mGuard if ISCM is using the external (untrusted) interface to upload the configuration. Select Access > SSH in the
e any, or a warning will be shown during compilation. To create a representation of the value any, create a class, name it Any and set the address of the class to the full address range (refer to Chapter 3.3 on how to create classes).
- Dst: Server 1. The traffic is terminated by the ftp Server in Subnet 3 (this parameter corresponds to the mGuard parameter outgoing address).
- Service: ftp incoming. Select the new service you just created with the Service Editor (this parameter corresponds to the mGuard parameter incoming port). Please keep in mind: The current version only supports services with one single protocol.

Translation Parameters
- Method Src: same. No translation of the source address is desired. Any value other than same will result in an error message from the NAT Editor or an error message during compilation.
- Src After NAT: empty. Source addresses are not translated.
- Method Dst: Static. The only translation method for destination addresses supported by the Innominate mGuard is Unistatic. Any other value will result in an error message from the NAT Editor.
- Dst Before NAT: address of the external interface of mGuard branch office 3. This value must be one of the public (external) addresses of the device applying the rule, in this case mGuard branch office 3. This parameter corresponds to the mGuard parameter incoming address. If the address specified in the rule does not match one of the extern
• identical to the name of the device on the ISCM workspace. Otherwise ISCM is not able to find the corresponding certificates.

44 of 77 VPN

Enroll the non-Innominate devices: In case you are using a CA and devices that support enrollment via SCEP, please refer to the manual of the devices and the CA respectively, or to the Solsoft document "Working with VPNs". Solsoft supports the use of certificates for the following non-Innominate devices:
• FW-1
• Cisco VPNSM
• Netfilter
• Cisco PIX
• Cisco VPN 3000

Add a CA server to your project: First add a CA server to your project. How to configure servers is explained in Chapter 8.1. There are 3 CA server types available:
• SCEP
• Offline
• TFTP

If you use Innominate mGuard together with other non-Innominate devices, then choose the CA required for the non-Innominate devices. If you have only Innominate mGuards in your project, then use an Offline CA server. In this case you have to create an additional CRL Distribution point in your project and assign this CRL Distribution point to your CA server (please refer to the Solsoft document "Working with VPNs"). The parameters required to configure these objects (relative path, IP addresses etc.) will not be used by the mGuard, since they do not support PKI. The Solsoft server requires the definition of a PKI for the use of certificates.

Assign the CA server to the devices: Please note that the Solsoft server will create
• remote network of the VPN. For an overview on the required interface settings for the different scenarios please refer to Chapter 9.

[Figure 31: Virtual VPN network for Stealth configuration (Security Designer screenshot; the class mGuardStealth 172.16.1.1/32 is connected to Headquarters Network, Subnet 3 192.168.3.0/24, Subnet 4 192.168.4.0/24, Subnet 2 192.168.2.0/24 and Subnet 1 192.168.1.0/24)]

Then the VPN tunnel can be created as described in Chapter 3.6.

40 of 77 VPN
[Figure 30: VPN configuration with an error]

39 of 77 VPN

For this type of configuration the property Tunnel Scope must be set to Trust Zone, or the flows must originate from the network in Figure 30 (Subnet1). In order to set up working VPNs you must define permissions between the networks that are part of the VPN.
• Implicit ESP and IKE permissions are not generated by the Security Configuration Manager; mGuard natively allows them for VPNs.

5.1 Configuring VPNs in Stealth mode

For a general description of the Stealth mode and the Stealth options refer to Chapter 6.1. VPNs are not supported in Multi Stealth Mode.

5.1.1 Configure Tunnel mode VPNs

To use an mGuard in Stealth mode as VPN gateway, first a local network has to be simulated that does not overlap the existing networks on the workspace (see the mGuard manual for more details). To create this virtual local network, create a network as described in Chapter 3.2. Then add an additional network interface without IP address to the device and set the value of the parameter Security Zone of this network interface (see Chapter 6) to "Virtual VPN interface". Assign an IP address with a 255.255.255.255 (/32) netmask to the virtual VPN network and connect the virtual VPN network to the virtual network interface. Do not assign an address to the virtual VPN interface. The IP address used for the virtual network must not be used in th
7.2 Rollout support 57
7.3 Check Device connectivity 58
8 Advanced configuration 60
8.1 Configure application servers (NTP, DNS and Syslog) 60
8.2 Define remote access rules through a tunnel 62
8.3 … 63
8.4 Learning Mode 64
8.5 Router redundancy 67
8.5.1 Configure redundant devices operated in Router Mode 67
8.5.2 Configure redundant devices operated in Stealth Mode 70
9 Appendix: Interface Settings Overview 72

3 from 77

10 Appendix: Restrictions / Known problems 73
10.1 VPNs 73
10.2 NAT 75
10.3 Network Modes 76

4 from 77

Introduction

1 Introduction

Thank you for choosing Innominate Security Configuration Manager 3.x.x. Please read this document for information on
• the installation process
• an overview of how to implement your security
ect the devices for which the log should be activated (see Figure 12).

20 of 77 Example project

[Figure 12: Activate the log for permissions (Properties window of the permission "http, All remote networks > Internet"; Log checked, Logging Level entered, devices mGuard branch office 1, 2, 3 and Cisco Pix Headquarters selected)]

Set deny rules: To switch from a permit rule to a deny rule, open the permission's Property Window by double clicking on the permission. Select Global Properties in the menu tree on the left and set the parameter Action to Deny. Deny permissions are not allowed inside a tunnel.

[Figure 13: Permissions Property Window (Global Properties: Actions, Block Path, Zones & VPNs, PEP Default, Comments; Policy Default, Enabled, Temporary Permission)]

Set the order of the permissions: To influence the order in which the permissions are generated, set the priority for a permission. Open the permission's Property Window by double clicking on the permission (see Figure 13), check Priority and enter a priority value. 9999 is the highest priority and 999
[Figure 22: Completed NAT rule in workspace (Security Designer screenshot; NAT tab, Classes: All mGuards, All networks, All PEPs, All remote networks, Any, Solsoft Client, Solsoft Server, branch office 3, Server 1)]

4.3 Create port forwarding rules

The class symbol in Subnet3 of our example project represents an ftp server. Since the server has a private IP address, you must create a port forwarding rule to make the server accessible from the Internet.

mGuard Parameters: The mGuard needs the following parameters for a port forwarding rule:
• Protocol: tcp, icmp, udp
• Incoming address: the IP address to which requests are sent by the outside world. This address must be one of the addresses of the external interface of the mGuard.
• Incoming port number: the port the requests are sent to by the outside world (not used for icmp)
• Outgoing address: the internal address of the server receiving the request
• Outgoin
ermissions are not allowed inside a VPN.

VPN peers with dynamic addresses: For VPN configurations to several peers with dynamic addresses an error will occur (different PSK but the same IP address) if the tunnel group option (Chapter 3.6) is not used. In this case please use certificates (Chapter 5.2) for VPN configurations with multiple peers with dynamic addresses. An FQDN has to be specified for the VPN gateways with dynamic addresses.

All mGuard releases up to 2.1.x route packets based on the destination address only. Therefore mGuard branchoffice 2 tries to route packets coming from Subnet4 through the tunnel in Figure 61, although Subnet4 does not belong to the VPN. Because Subnet4 does not belong to the VPN, the sap permissions will be generated by ISCM outside of the tunnel (not inside the tunnel), and therefore the traffic coming from Subnet4 is blocked by mGuard branchoffice 2. Therefore this configuration will result in an error message of the compiler. This behaviour is fixed in mGuard release 2.2.

[Figure 61: Security Designer screenshot (Policy tab, service sap; Internet, mGuard branch office 3, Subnet 3 192.168.3.0/24)]
espective owners.

Innominate Document Number 581709 162

Contents

1 Introduction 5
2 Installation 6
2.1 … 6
2.2 Installation of the Innominate Security Configuration Manager 6
2.3 Install or update the Innominate technology package 7
2.4 Migrate from previous versions of the Security Configuration Manager (ISCM enterprise only) 8
2.5 Start or stop the policy server (ISCM enterprise only) 9
2.6 Set the administrator password (ISCM enterprise only) 9
2.7 Configure the Security Designer (ISCM enterprise only) 11
2.8 Configure the devices 11
3 Example project 12
3.1 Create a new project 13
3.2 Draw the topology of your network 13
3.3 Create classes to represent objects with special functionality in your topology 17
3.4 Create metaclasses 17
3.5 Design your NAT rules
ess of your Security Manager Server and Client. Select View > Show all Objects in the main menu to show the representation of the server and client on your workspace. In the example project the client and the server are part of Headquarters Network. Please double click on the client and the server and add proper addresses to include them in Headquarters Network.

14 of 77 Example project

Configure the interfaces: Add an address to the interface in the window on the right side by clicking on the + symbol. The address must be contained in the address range of the network to be connected. Please specify also the network mask of the attached network in the interface address, e.g. 192.168.1.1/24. For the mGuards set the interface property Security Zone of the internal interface to Trusted.

[Figure 5: Interface properties for mGuard (Properties window of mGuard branch office 2; Interfaces: external > Internet, internal 192.168.2.0/24; interface options Interface Type, Is Loopback Interface, Generate ICMP Error Message, Allow Forwarding, Upload Target, Use as Tunnel Peer, Security Zone: No / Device Default / Device Default / Trusted)]

For the Cisco PIX the property Security Level must be set to inside for the
f Subnet3 and connect it to Subnet3 (see figure below).

[Figure 8: Classes as representation of objects with a special functionality (Security Designer screenshot; Classes: All mGuards, All remote networks, Any, Solsoft Client, Solsoft Server, Server 1; Server 1 attached to Subnet 3 192.168.3.0/24)]

3.4 Create metaclasses

Group objects: In networks with lots of devices it could be a very time consuming task to define the policies for each of the devices individually. To group devices which are treated the same in certain cases, use metaclasses. Metaclasses simplify the design of firewall rules and VPNs, since the rule can be applied to the whole group (class) and does not have to be applied to each device ind
figure a remote access through a tunnel, e.g. when accessing mGuards behind a NAT device. In this case the permission has to end on the internal interface of the tunnel gateway. See the following figure for how this can be configured.

[Figure 51: Remote access through tunnel (Security Designer screenshot, Policy tab, service https; permission from UNP to the class "Internal interface of mGuard1.1" in Subnet 5 192.168.5.0/24 behind mGuard1.1; Subnet 3 192.168.3.0/24, Subnet 2 192.168.2.0/24, Subnet 1 192.168.1.0/24, Subnet 4 192.168.4.0/24, Headquarters Network, Cisco Pix Headquarters)]

62 of 77 Advanced configuration

HTTPS and SNMP only: For the representation of the internal interface of mGuard 1.1 a class with the address of the internal interface has to be created. The HTTPS permission has to
[Figure 49: NTP server (Security Designer screenshot; Classes: 192.168.1.100_Copy, All mGuards, NTP server, All remote networks; Subnet 3 192.168.3.0/24, Subnet 2 192.168.2.0/24, Subnet 1 192.168.1.0/24, Subnet 4 192.168.4.0/24, Headquarters Network, Solsoft Client, Solsoft Server, Cisco Pix)]

Now we have to configure the device to use the NTP server. Open the Property window of one of the Innominate mGuards by double clicking on the device and open the menu Application Servers > NTP Server > NTP Server List.

[Screenshot: Properties window of mGuard branch office 3, Application Servers > NTP Server > NTP Server List; Interfaces: interface1 > Internet, interface2 192.168.3.1]
g port: the internal port on which the server accepts requests (not used for icmp).

31 of 77 NAT

Services: The Security Configuration Manager uses services as a high level abstraction for protocols and ports. If the Policy tab is selected, a list of the available services is shown in the left window.

[Figure 23: List of services (left window) (Security Designer screenshot, Policy tab; services such as interphone, ip, twoway, ipip, ipsec nat-t, ipso cluster; "Show Used Only" filter)]

A service contains the specification of a protocol, the flows of the data, and the source and destination ports.

Service Editor: To view the definition of a service, please open the Service Editor: select Tools > Service Editor. To view the definition of a service, double click on its name in the left window. The figure below shows the definition of the service ftp.

[Screenshot: Service Editor (Properties, Advanced IP Service)]
he NAT Editor.
• Src: Server 1. Source of the traffic to be translated, Server 1 in our example. It is also possible to create a 1:1 NAT rule for the whole Subnet3. In this case all traffic coming from Subnet3 will be natted.
• Dst: Any. Since the Innominate mGuard does not support destination addresses for 1:1 NAT rules, this parameter must be set to any. To create a representation of the value any, create a class, name it Any and set the address of the class to the full address range (please refer to Chapter 3.3 on how to create classes). Any other value than any will cause a compiler warning.

35 of 77 NAT

• Service: any. The mGuard does not support service translations in 1:1 NAT rules. Therefore the service parameter must be set to any, or there will be a compilation error.

Translation Parameters:
• Method Src: Static <->. We would like to create a 1:1 NAT rule (static bidirectional NAT) for Server 1.
• Src After NAT: the public address for Server 1. It is important that the netmask of this address is identical to the netmask specified as Src in "Traffic to be translated". In our example Server 1 has a single IP address. In case you configure a rule for Subnet3, then the netmask of Subnet3 and the netmask of the address for Src After NAT have to match.
• Method Dst: same. As described in the previous chapter, the mGuard does not support the translation of destination addresses and source addresses in one rule. Any value
hoose the interval in which the mGuard should check for a new configuration.
• Server: Enter the URL of the configuration server.
• Login for remote update / Password for remote update: Please enter the appropriate authentication information. The default value is anonymous for both parameters.
• Load server certificate from Policy Server: You can store the certificate of the HTTPS configuration server in a directory on the Policy Server. If you enable this option it will be imported in the configuration.
• Location of certificate: Please specify the location (full filename) where you stored the certificate of the configuration server.

Hostname: ISCM offers you to use the name of the device in the workspace as hostname for the device; this is the default setting. Optionally you can specify a custom hostname, or you can use the hostname in the FQDN (only available if FQDN is enabled, see below, section FQDN). In this case ISCM extracts the hostname from the FQDN, e.g. mGuard1 from the FQDN mGuard1.innominate.com. Only the characters A-Z, a-z, 0-9 or are allowed in the hostname.

Network mode: ISCM supports the configuration of the 3 different network modes for the Innominate mGuard. In the PEP menu this parameter can be configured via General Options > Network mode. Please consult the device user manual for a detailed description of these modes. For an overview on the required interface settings for the different scenarios please refer
implicit permissions (e.g. an HTTP permission to the CRL distribution point) that will be included in the mGuard firewall rules.

After creating the CA server you have to configure your devices to use the CA server. To do this, open the Property Window of the device by double clicking on the device. Select the Application Servers > Certificate Registration Authority Servers entry and click on the icon ("Add a sub item") in the upper menu of the Property Window, select the CA server and leave the dialog box with OK.

45 of 77 VPN

Configure your devices:

[Figure 36: Assign a CA server to a device (Properties window of mGuard Headquarters, Application Servers > Certificate Registration Authority Servers; Interfaces: Inside 192.168.0.1/32 > Headquarters, Outside 212.1.2.3/32 > Internet)]

Depending on the device type it might be necessary to configure the device; please refer to the documentation of the device or the Solsoft documentation. To configure the Innominate mGuard, open the Property Window (if it is not already open) and select VPN Options > Certificate options.

[Screenshot: Properties window of mGuard Headquarters, Certificate options ("Directory to look for certificates")]
ividually.

To create a metaclass All mGuards in the example project, select all of the mGuards by clicking on each mGuard while pressing <Ctrl> and <Alt>. Right click on one of the selected devices to open the popup menu, choose Create MetaClass from selection and then place the class on the workspace with a left click. Name the class All mGuards. Additionally create a metaclass All remote subnets with the class members Subnet1, Subnet2 and Subnet3. The metaclasses will be used later in the example.

3.5 Design your NAT rules

Please see Chapter 4 for information on how to create NAT rules.

17 of 77 Example project

3.6 Design your VPNs (Tunnel / Transport mode)

In the following example the VPN tunnel mode is explained. Please refer to Chapter 5 to learn more about the VPN transport mode and about restrictions on the VPN management with ISCM. First select the VPN tab to design your VPNs. If no objects are displayed, select View > Show all objects from the menu.

The trust zone: To configure VPNs you must define a trust zone for all objects (networks, objects and devices) using the VPN. By definition, all communication between two objects within a trust zone takes place via a path which remains inside this zone, i.e. traffic between two objects in the trust zone will never leave the zone.

Create a trust zone / Add objects to the trust zone: In the example project we will define a VPN between Headquarters Ne
ject with two redundant mGuards in Multi Stealth Mode. Follow these steps:

1. First create a copy of Subnet 1 (Edit > Copy, Edit > Paste, or <Ctrl>-C, <Ctrl>-V).
2. Then create a class (see Chapter 3.3) that contains the IP addresses of the workstations. Connect the class to the copy of Subnet 1.
3. Create two mGuards, e.g. mGuardPrimary and mGuardBackup. Set the version of the devices to 3.0. Configure the mGuard and the interfaces in Multi Stealth Mode: one untrusted stealth interface without IP connected to Subnet 1, one trusted stealth interface without IP connected to the copy of Subnet 1, and one management interface with IP, e.g. 192.168.1.111 and 192.168.1.112.

[Screenshot: mGuard Properties (Type: Innominate mGuard, Version 3.0); Interfaces: External > Subnet 1 192.168.1.0/24, Internal > Subnet 1 192.168.1.0/24 Copy1 (Workstations), Management 192.168.1.111/24]
ll the Solsoft Firewall Manager (sfm-1.0.1-windows.exe)
• The Innominate technology package (sps-ddk-7.1-Innominate-mGuard-3.x.x-windows.jar)
• Valid license file (license.dat)

Download: Please contact the Innominate Sales Department (sales@innominate.com) to obtain information on how to download the software packages and the license file.

2.2 Installation of the Innominate Security Configuration Manager

This section describes the installation of the Innominate Security Configuration Manager.

Migration from previous versions: In case you have previous versions of the Security Configuration Manager installed, do not uninstall these versions prior to the new installation. First install the new version, then migrate your projects from the old version to the new version (see Chapter 2.4), and after the migration you might uninstall any old version.

Installation process: ISCM is installed in 2 steps:
1. Installation of the Solsoft Policy Server (ISCM enterprise edition) or the Solsoft Firewall Manager (ISCM professional edition). Depending on your license you can install either the Standard version or the Enterprise version of the Solsoft Policy Server. The Enterprise version additionally contains the Web Services SDK, and you are able to choose a different Java Virtual Machine. Please refer to the corresponding manuals to get installation instructions.
2. Installation of the Innominate technology package (Chapter 2.3).

For the next steps
<ISCMRoot> is used as a placeholder for the installation directory of the Security Configuration Server, e.g. C:\Program Files\Solsoft\PolicyServer7.1.

6 of 77 Installation

Installation of the license: Please install your license file which you received from Innominate.
1. Copy the file license.dat to the directory <ISCMRoot>\FlexLM.

Please note that if the server is installed on the Windows OS it will not start in case the server is not connected to a network. If Windows does not detect an active network connection, it does not return a MAC address to the FlexLM manager. Therefore ISCM can not be started. To circumvent this, please follow these steps: Edit the registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters. Add the following entry: Name: DisableDHCPMediaSense, Type: REG_DWORD, Value:

2.3 Install or update the Innominate technology package

To install or update the Innominate specific components please follow the steps below:
1. Make certain the Policy Server is not running (see Chapter 2.4 for more information on how to stop the server).
2. Copy the technology package file to a directory of your choice, e.g. C:\temp.
3. Open a Windows command window (All Programs > Accessories > Command Prompt) and change to the directory <ISCMRoot>\bin by using the cd command.
4. Run the device packaging tool: DevicePackaging.exe upgrade C:\temp\
menu of the Web user interface and enable SSH remote access. For more detailed information on SSH remote access please consult the user manual. In case you are using devices from other vendors in your network, please refer to the respective user manual to set up your devices appropriately.

11 of 77 Example project

3 Example project

Example project: This chapter presents an example project which is used throughout the remaining chapters. The example project is shown in the figure below.

[Figure 3: Example project (Security Designer screenshot; mGuard branch office 3 with Subnet 3 192.168.3.0/24 and Server 1, mGuard branch office 2 with Subnet 2 192.168.2.0/24 and a Router to Subnet 4 192.168.4.0/24, mGuard branch office 1 with Subnet 1 192.168.1.0/24, Cisco Pix Headquarters with Headquarters Network)]

The example project consists of a headquarters network connected to 3 branch office networks via the Internet. The branch offices are secured using Innominate mGuard security appliances. The headquarters network is connected t
17
3.6 Design your VPNs 18
3.7 Implement your firewall rules (permissions) 20
3.8 Options for large scale networks 25
3.9 Use the audit function to verify your policy 26
3.10 Compile the policy 26
… 28
4.1 … 28
4.2 Create masquerading rules 30
4.3 Create port forwarding rules 31
4.4 Create 1:1 NAT rules 35
5 VPN 38
5.1 Configuring VPNs in Stealth mode 40
5.1.1 Configure Tunnel mode VPNs 40
5.1.2 Configure Transport mode VPNs 43
5.2 Using certificates for authentication 44
6 The Properties Window 48
6.1 Stealth mode configuration 53
7 Generic PEP actions 57
7.1 Device Updates
names of Innominate Security Technologies AG. The mGuard technology is protected by Patent No. 10138865, which was granted by the German Patent Office. Additional patents are pending.

This document may not be copied or transferred in whole or in part without prior written approval. Innominate AG reserves the right to modify this document at any time without notice. Innominate provides no warranty for the contents of this document. This disclaimer shall also apply to any implicit warranty of marketability or suitability for a specific purpose. Furthermore, Innominate assumes no liability for errors in this manual or for accidental or consequential damages in connection with the delivery, performance or utilization of this document. This manual may not be photocopied, duplicated or translated into another language, in whole or in part, without the prior written approval of Innominate Security Technologies AG.

The Solsoft product described in this document is protected by French patent number FR97 13254 and may be protected by other US patents, foreign patents or pending applications. Solsoft, Solsoft NP and Network Policy Engine are trademarks of Solsoft. Cisco, Cisco Systems, PIX are trademarks of Cisco Systems. SSH, SSH Secure Shell are trademarks of SSH Communications Security. Windows, Windows NT and Windows Server are trademarks of Microsoft Corporation. All other products mentioned in this manual are trademarks of the r
[Figure 39: mGuard properties window]

Only the options relevant for the current setting will be shown, e.g. General Options > Stealth mode configuration will only be shown if Stealth mode is enabled. Also, only the features available for the device version (see Figure 39) will be accessible in the Properties Window. Double click on General Options to access the parameters specific to the Innominate mGuard.

Update options: The update parameters (General Options > Update options) are available for mGuard version > 2.1.
• Name of package set: Use this input field to specify the name of your update package, i.e. update 2.0.0.240 2.
• Update Protocol: Choose either http or https.
• Location of package set: Use this input field to specify the address of your update server. Please refer to Chapter 7.1 on how to initiate an update, or to the mGuard user manual for detailed information on the update feature.
• Login for remote update / Password for remote update: These parameters are only supported by mGuard Release > 3.0. Please enter the appropriate authentication information. The default value is anonymous for both parameters.

48 of 77 The Properties Window

Configuration pull options: These settings (General Options > Configuration pull options) are available for mGuard Release > 3.0.
• Pull interval: C
[Figure 43: Stealth Mode with management interface (Properties window; Interfaces: External > Subnet 3 192.168.3.0/24, Internal > Client 192.168.3.1/32, Management 192.168.3.100)]

55 of 77 The Properties Window

Multi Stealth Mode: The configuration is exactly the same as described for the Stealth Mode with management interface in the previous section, except that the network representing the client does not have to be a single IP address but is identical to the network on the external (untrusted) side (see Figure 44), since Multi Stealth mode allows connecting several clients to the trusted interface. VPNs are not supported in Multi Stealth Mode.

[Figure 44: Security Designer screenshot and Properties window of mGuardStealthWithManagementIP; Subnet 3 192.168.3.0/24 on both the external and the internal side; Classes: All mGuards, All remote networks, Any, Solsoft Client, Solsoft Server, Networks]
o Static Stealth Mode requires a reboot of the device. This has to be done manually on the device (web interface or reset button).
o the Internet using a Cisco PIX. All networks use the private address range 192.168.0.0.

The following chapters provide an overview on how to
- create a project
- draw the topology
- set up NAT rules
- set up VPNs
- set up the permissions (firewall rules)
- compile your project and finally
- deploy your policy

General procedure for implementing security policies

When implementing security policies with the Security Configuration Manager you should perform the following steps:
1. Create a new project
2. Draw the topology of your network
3. Create classes to represent objects with special functionality in your topology
4. Create metaclasses
5. Design your NAT rules
6. Design your VPNs
7. Implement your permissions (firewall rules)
8. Optional: Structure your project into folders
9. Use the audit function to verify your policy
10. Compile the policy
11. Deploy the rules

For a more detailed description on how to perform the following steps please refer to the Solsoft User Guide.

To perform the following steps you must first install the Security Configuration Manager including the license file as described in Chapter 2.

3.1 Create a new project

To start the Security Designer (ISCM enterprise edition), select Start > All Programs > Solsoft > SecurityDesigner7.1 > Solsoft Security Designer from the Windows Start menu. To start the Firewall Manager (ISCM profe
ogin and the password for admin (this is mandatory).

To initiate an update of the device, right-click on any Innominate mGuard in your workspace. Select PEP actions > Device Update in the popup menu to open the following window (after the project has been successfully compiled).

[Figure 45: PEP Action window ("Select & Order PEPs For Generic Action"), listing mGuard branch office 1, 2 and 3]

Initiating an update

Select the devices to be updated, or select Generic Action for all PEPs to update all of the Innominate mGuards in the project. Then press Generic Action to initiate the update process. A window will open for each device showing the update progress and the results of the update.

Note: The update feature will not work with mGuard Version 2.0. Up to mGuard Release 2.1.6 an update with reboot can only be initiated by root. Beginning with Release 2.2, also admin can initiate the reboot.

7.2 Roll Out support

Specifying the parameters

To support large rollout scenarios, ISCM supports a rollout function. It enables the administrator to export the configuration data of some or all Innominate mGuards of a project to a user-defined directory on the ISCM host. In the properties menu of the mGuard, in General options > Rollout options (see
[Figure 41: Configure the FQDN]

Please refer to the Solsoft User Guide for detailed information on the other parameters in the properties window not explained in this section.

This feature allows to accept or drop ICMP messages to the device. This feature will be available beginning with mGuard version 2.1 (Eagle Hirschmann 2.0) in the node General Options > Security Profile > Common Security Parameters. There are 3 options:
- Drop all: All ICMP messages to the mGuard will be dropped. In case you created permissions for ICMP messages to the device, there will be a warning message during compilation.
- Only Ping Allowed: Ping messages (ICMP message type 8) will be allowed. In case you created permissions for ICMP messages to the device other than Ping, there will be a warning message during compilation.
- Allow all: All ICMP messages to the device are allowed.

You are able to activate/deactivate the log for the default rules in the menu Interfaces > Options in the Property window menu.

In case you are using dynamic addresses for a VPN gateway and you have specified a FQDN, you can enable the VPN DynDNS monitoring in the menu VPN options > DynDNS Monitoring.

ACA support

The P
on of how to configure the correct masquerading rules for the example network. Information on how to create a port forwarding rule to access a ftp server in Subnet3 of our example project can be found in Chapter 4.3.

Note: Please keep in mind that no NAT rules are generated, even if they are defined, as long as no permissions (firewall rules) have been defined.

4.2 Create masquerading rules

In our example project private addresses are used for the subnets, i.e. the mGuards and the Cisco have to use NAT to connect to the Internet. To create a masquerading rule for Subnet1 of our example project, please specify the following parameters in the NAT Editor:

Parameters for Traffic to be translated (masquerading)
- ID: is automatically assigned by the NAT Editor.
- Src: Subnet1. Source of the traffic to be translated (subnet1 in our example).
- Dst: Any. Since the mGuard does not support destination addresses in masquerading, this parameter must be set to any. To create a representation of the value any, create a class, name it Any and set the address of the class to the full address range (please refer to Chapter 3.3 on how to create classes). Any other value than any will cause a compiler warning.
- Service: any. The mGuard does not support service translations in masquerading rules. Therefore the service parameter must be set to any, or there will be a compilation error.

Translation Parameters
- Method Src: Masq. We woul
onfiguration > Save Original Configuration at first upload. You can save the current configuration of the mGuard any time as original configuration by opening the context menu with a right-click on the device and by selecting Get Original Configuration.

To rollback to the original configuration, open the context menu by right-clicking on a device and select Rollback > To original configuration. This option is only available after an original configuration was saved.

To rollback to the previous configuration, open the context menu by right-clicking on a device and select Rollback > To previous configuration.

4 NAT

Supported NAT methods

The Innominate mGuard supports the following network address translation methods:
- Masquerading
- Port forwarding
- 1:1 NAT

Please refer to the device manual for a detailed description of these features. The Security Configuration Manager provides a convenient graphical user interface for handling the administration of NAT rules for your network.

Attention: In Stealth mode the NAT feature can not be used.

Enable NAT view: Before designing your NAT rules, please make certain that NAT view is enabled in the Security Designer. Select the NAT tab in the workspace.

4.1 Overview

To create NAT rules you have two options: You can either use the NAT Editor or draw the NAT rule directly in your network map. The following overview describes the usage of the NAT Editor. To
open the NAT Editor, please choose Tools > NAT Editor in the Security Designer main menu. The following window will open:

[Figure 19: NAT Editor ("All NAT Definitions"), with the columns Traffic to be Translated (ID, Src, Dst, Service) and Translation Parameters (Method Src, Src After NAT, Method Dst, Dst Before NAT, Service, Application Point)]

Create new NAT rules

To create a new NAT rule, click on the symbol, select the service (protocol/port) to be translated and the source and destination of your NAT rule.

Attention: The source and destination objects must already be part of your network map.

After specifying those parameters, the NAT rule will be displayed in the NAT Editor.

[Figure 20: NAT Editor, incomplete NAT rule (error "No application point")]

The NAT Editor will still show an error, since the parameters have not yet been completed. Information on how to complete the NAT rule can be found in Chapter 4.2 and Chapter 4.3.

Parameters of a NAT rule
No permission > no NAT rules

A NAT rule contains the following information:
Traffic to be translated
or password (ISCM enterprise only)

In case you did not set the administrator password during the installation, we recommend to set the password immediately after the installation using the web interface.

1. To open the web interface, open a browser of your choice. Enter the URL http://localhost.
2. Login to the interface.
3. Select the tab User Management.
4. Click on the user admin.
5. Click on the button Change password on the bottom of the page. Enter the password and click on the button Change password.

[Figure 2: Web interface for the server configuration (Solsoft Security Reporter, User Management > users > change password)]

6. Click on the link Logout at the top of the pag
ote network to the mGuard are applied as remote access rules to the mGuard. Therefore it is not possible to access the client using these protocols in the standard configuration. See Chapter 6 on how to change the remote access rules for the mGuard in case you would like to access the client via SSH, HTTPS or SNMP.

Allow remote configuration via HTTPS

The rules for SSH access are generated without explicitly specifying a permission for SSH; an implicit rule for SSH access is predefined in the Security Configuration Manager. To allow remote HTTPS configuration, you must add a permission for HTTPS from the originating network to the mGuard (not to the network connected to the internal interface of the mGuard), as shown in the next illustration.

[Screenshot (Solsoft Security Designer): permission for remote configuration via HTTPS in the example project topology (mGuard branch office 1 to 3, Subnet 1 to 4, Cisco Pix Headquarters)]
other than same will cause either an error message in the NAT Editor or a compiler error when you compile your policy.
- Dst Before NAT: empty
- Service: any (see comments to the parameter Service in Traffic to be translated)
- Application Point: mGuard branch office3. The device applying the NAT rule is mGuard branch office3 in the example project.

After the 1:1 NAT rule is completed, it will be displayed in the NAT Editor and in the workspace.

[Figure 27: Completed 1:1 NAT rule in the editor (Src Subnet 3, Dst Any, Service any, Method Src Static, Method Dst Same, Application Point mGuard branch office 3, No Error)]

[Screenshot (Solsoft Security Designer): the completed 1:1 NAT rule (Static) shown in the workspace of the example project]
[Figure 57: Cluster properties]

5. Set the cluster parameters. Open the Property window of the cluster by double-clicking on the cluster. Select Cluster options and enter a password in the Authentication password field. Please note that the maximum length for the password is 8 characters. Select the interface options of the cluster interface and enter a valid Virtual Router ID for each interface (see Figure 58).

[Figure 58: Cluster interface parameters (Cluster1 Properties: Cluster Options, Cluster Members mGuardPrimary and mGuardBackup, Interfaces extern 10.1.0.1/24 and intern 192.168.0.1/24)]

6. Set the cluster parameters for the devices. If a device is a cluster member, the parameter Router Redundancy Priority appears in the menu General Options. Open the Property Windows of each of the redundant mGuards. Select General Options and set Router Redundancy Priority to the desired value. The default v
refer to Chapter 9.

The following Stealth Modes are available for the Innominate mGuard (please refer to the user manual for a more detailed description):
- Automatic Stealth Mode, with or without management IP (only one client can be connected to the internal/trusted interface)
- Static Stealth Mode, with or without management IP (only one client can be connected to the internal/trusted interface)
- Multi Stealth Mode (more than one client can be connected to the trusted interface)

The Multi Client Mode and the modes with management IP are only available for mGuard Releases > 3.0.

When using the Stealth Mode without management IP, the device is completely transparent to the environment. The device does not have its own IP address and uses the IP address of the client. Therefore only one client can be connected to the device. Two modes can be used: Automatic or Static mode. In Automatic mode the mGuard configures itself automatically without any user action. In Static Mode the user has to specify some additional parameters (see below).

To configure a device using Stealth Mode without management IP in ISCM, create and configure only one interface that has the IP address of the client. The parameter Security Zone (see previous chapter) of the interface has to be set to Untrusted Stealth. All permissions start/end on the device and will be treated as permissions to the client, except for the remote access permissions SNMP, HTTPS and SSH.
ISCM supports the automatic configuration of an Automatic Configuration Adapter (ACA). This option is only available for the mGuard Industrial. In the menu Upload configuration > Advanced configuration > ACA options you are able to set Load configuration to ACA. If this option is enabled, ISCM will first upload the configuration to the device and then write the configuration to an ACA that has to be connected to the mGuard. If no ACA is connected or the device is not an mGuard Industrial, the upload will terminate with an error.

To write the configuration to an ACA, the root password has to be specified. If you enable Use the default root password, the default password will be used; if you disable this option, you can specify a custom root password that has to match the current root password of the device. Otherwise the write process terminates with an error. The ACA support requires root permissions, i.e. in Upload configuration > Authentication you have to enter the root login parameters.

6.1 Stealth mode configuration

Stealth Mode without management IP

When enabling the network mode Stealth in General Options > Network mode, the additional menu General options > Stealth mode configuration will appear. This menu allows you to select one of the 3 Stealth Modes and set the parameters for the manual Stealth configuration. For an overview on the required interface settings for the different scenarios please
[Figure 37: Configure the certificate options (Certificate options: certificate path, Import machine certificates)]

Please enter the full path of the directory where you placed the certificates and private keys (crt and pem files).

Note: Please do not forget the trailing slash in the path in case you do not use the default path.

If you wish ISCM to import the machine certificates into the devices, then enable the option Import machine certificates. By default this option is disabled and the machine certificates have to be imported manually or during roll out.

Add and configure the tunnel

After configuring the devices, define your tunnels (see Chapter 3.6).

[Screenshot (Solsoft Security Designer, project "PKI test"): VPN tab with VPNs, Classes, CRL Distribution, Offline CA, Solsoft Server and Solsoft Client]
se rule are useless but can not be suppressed.

The mGuard supports the definition of a source address/port in the port forwarding rule beginning with Release 2.3. This is not supported by ISCM. The source address/port for port forwarding rules in ISCM has to be Any.

To activate the port forwarding rule, a permission has to be created that matches the port forwarding rule. This permission will also be part of the mGuard configuration, although it is not required by the mGuard (the mGuard already created an implicit firewall rule for the port forwarding rule).

10.3 Network Modes

Stealth Mode

It is not possible to manage an mGuard operated in Stealth Mode without management IP if ISCM is connected to the internal (trusted) interface of the mGuard, since the mGuard can be accessed only with the interface address.

Switching between modes

A reconfiguration with ISCM between router mode and Stealth Mode with management interface, and between Stealth Mode with and without management IP, is only possible if the IP address of the upload target (the interface used to upload the configuration with SSH) does not change. The upload target in Stealth Mode with management interface is the management interface, i.e. the IP address of the management interface should be the same as the IP address of the upload target of the modes that should be switched to or from. A switch from or t
see Chapter 2.5). Open the client as an administrator and check whether the Solsoft Policy Server projects and the configuration are as expected. Verify that the changes introduced by the migration process are correct.

When all the previous steps have been successfully finished, you can start to remove all the components of the previous Innominate Policy Server version.

2.5 Start or stop the policy server (ISCM enterprise only)

The Solsoft Server will start automatically during the start-up of MS Windows. After installation you can either reboot, stop or start the server manually by following the steps below.

1. To start the Solsoft Policy Server Launcher, select Start > All Programs > Solsoft > PolicyServer7.1 > Solsoft Policy Server Launcher in the Windows Start menu.
   Remark: Depending on the current version of ISCM or your specific settings, the path above may differ.
2. Choose the action (e.g. Start the Server, Restart the Server or Stop the Server) from the drop-down list.

[Figure 1: Policy Server Launcher (Solsoft Policy Server 7.1 Server Launcher; actions: Start the Server, Stop the Server, Force the Server to Stop, Restart the Server, Force the Server to Restart, Set the License, Set the Server Configuration, Show the Server Status)]

3. Press Go.

2.6 Set the administrat
[Figure 55: Select the rules to be imported (import list with rules such as snmp, smtp and pop3 between Subnet 2 192.168.2.0/24, Subnet 3 192.168.3.0/24 and Headquarters Network)]

If the rule contains addresses and services that can not be matched to an existing object, the user has to decide whether a new class or service should be created, or whether another object on the workspace or an existing service should be used. E.g. the rule 5 in the import list contains an unmapped service tcp UNP 5230 and an unmapped address range 10 3 0 1 1 16. To map the service, click on the value tcp UNP 5230 and choose the action: either choose an existing service from the list or create a new service. Proceed likewise with unmapped address ranges. If you choose Create, then a Class with this address range is created. In rule 1 the unmapped source address is ANY. Map this either to Internet or to a Class Any.

To exclude a rule from the import, select the rule and click on the icon. As soon as a rule is completed (all addresses and services are matched or created), it can be imported in the project with the Import button. Also multiple rules can be selected for import.

After importing all desired rules into the project, the policy has to be deployed, i.e. the project has
source path target path project name list

Without any option the command takes as single parameter the old server installation path to migrate all projects, e.g.
ServerVersionUpdate.exe C:\Program Files\Solsoft\Old Version

The tool will prompt you to acknowledge the transfer. Depending on the amount of data, the transfer can take a while. The tool will transfer all the data but will maintain the new administrator password that was set up during the new installation.

Attention: The migration tool will erase all data in the new installation and replace the data by those imported from the old installation.

When the script is finished, a complete migration log file can be found in the <ISCMRoot>\log directory. The file name is xxxxx_migration.log. Check this file for potential error messages. In general, warning messages can be ignored. In case an error message was produced, please contact the Innominate support and report the message.

Note: The log file will only be generated if you do not specify the path or list options.

Use the command line interface to reset the license allocation:
ServerVersionUpdate resetLicense <ISCMRoot>
e.g. ServerVersionUpdate resetLicense C:\ProgramFiles\Solsoft\PolicyServer7.1

The next server startup may take more time than usual, since the server will re-allocate the license for all migrated projects. Once this is done, the new server can be restarted again.

Start the server
ss of the interface Untrusted Stealth is contained in the network connected to the interface Trusted Stealth. This warning can be ignored. For an overview on the required interface settings for the different scenarios please refer to Chapter 9.

Firewall rules within the VPN have to be drawn between the two networks belonging to the VPN. For non-VPN firewall rules in Stealth mode see Chapter 3.7. Please note that in the scenario in Figure 33 the definition of port forwarding rules is necessary to enable the SAP permission, since mGuard branch office 1 and Cisco Headquarters are NAT devices.

[Figure 33: Firewall rules within tunnel mode VPN in Stealth mode (Solsoft Security Designer, example project topology with mGuard branch office 1 to 3 and Subnet 1 to 4)]

5.1.2 Configure Transport mode VPNs

mGuard operated

Since a transport mode VPN is a host-to-host connection, the
ssional edition), select Start > All Programs > Solsoft > FirewallManager1.0 > Solsoft Firewall Manager from the Windows Start menu.

Click on the symbol in the project manager to create a new project. Name the project (e.g. Example project) and click on OK to open the project with an empty workspace.

3.2 Draw the topology of your network

Create the objects
Create networks
Create managed devices
Create a representation of the Internet

- Select the Topology tab and place the objects of your network on the workspace as shown in Figure 4.
- To create a network on your workspace, click on the symbol and click on an empty place in the workspace.
- To create a device, click on the symbol, select the device type (e.g. Innominate mGuard) and click on an empty place in the workspace.
- To create a representation of the Internet, click on the symbol and click on an empty place in the workspace.

Create unmanaged devices
- To create a device which is not managed by the Security Configuration Manager (e.g. a router), click on the Nexus symbol and click on an empty place in the workspace.

[Screenshot (Solsoft Security Designer): Topology tab with the Browser showing Classes and All mGuards]
t <device package name.jar>

When running the tool, substitute <device package name.jar> in the command above with the real name of the package file, e.g. sps-ddk-7.1-Innominate-mGuard-3.0.0-windows.jar.

It is also possible to rollback to a previous version of the technology package in case there are problems with the new version. For detailed information on how to use the device packaging tool, please refer to Chapter "Managing Devices" of the Solsoft Administration Guide.

2.4 Migrate from previous versions of the Security Configuration Manager (ISCM enterprise only)

Procedure

To migrate your data from old installations, use the command line tool ServerVersionUpdate.exe that is located in the <ISCMRoot>\bin directory of the new server. This tool copies and adapts all the previous server data to the new server. The old server data will not be deleted. Before migrating, please make sure you have enough disk space to replicate the Solsoft Policy Server database.

1. Make certain the Policy Server is not running (see Chapter 2.4 for more information on how to stop the server).
2. Open a Windows command window (All Programs > Accessories > Command Prompt) and change to the directory <ISCMRoot>\bin using the cd command.
3. The syntax of the command is:
   ServerVersionUpdate help list path
t networks connected to the trusted interface if the mGuard is operated in Stealth IP mode with management IP. The networks have to be part of the Trust Zone (see Figure 35).

Important: For this scenario the corresponding client IP has to be assigned to the untrusted interface of the VPN gateways.

[Figure 35: Firewall rules within transport mode VPN, Stealth mode with management IP (mGuard properties with interfaces interface1 Subnet 1 192.168.1.0/24, Internal 192.168.1.10/32, Management 192.168.1.111/24)]

5.2 Using certificates for authentication

Create and store the certificates

To use certificates for authentication, a PKI has to be defined on your workspace. This is required by the Solsoft server, although the Innominate mGuard will not
the check.

8 Advanced configuration

8.1 Configure application servers (NTP, DNS and Syslog)

The steps below show you how to configure a NTP server as an example. To configure a DNS, Syslog or CA server, please follow the steps likewise. Please refer to the Innominate mGuard manual for a detailed description of the mGuard's DNS, Syslog and NTP capabilities.

First create the NTP server: Create a class with the icon as described in Chapter 3.3 and name the class, e.g. NTP Server 1. Configure a single IP address for the class (open the Class Property window by double-clicking on the class and add an address). Click on the Add Server icon, add the address of the NTP server and select Time Server > NTP Time Server from the menu. Name the server, e.g. NTP1. The Class property window should look as shown in the following figure.

[Figure 48: Class property window (NTP server 1 Properties: Servers, NTP protocol version, MD5 Authentication Key, MD5 Authentication Key ID)]

Note: The settings for the NTP server (MD5 authentication etc.) are ignored by the Innominate mGuard.

Close the Class Property window by clicking on OK. The NTP server will now show up on your workspace as shown in the following figure.
to Chapter 9.

Note: When switching between the network modes or mGuard versions, all interfaces will be reset to their default configuration (Security Zone Untrusted) and therefore have to be reconfigured again.

There are special configuration options for each of the modes.

Router mode

Security Zone: For the proper generation of firewall rules and VPN rules, the parameter Security Zone must be initialized for each of the mGuard interfaces. Set Security Zone for the internal interface to Trusted and for the external interface to Untrusted. Double-click on an interface (if existing) in the properties window and select Options to access the parameter Security Zone.

PPPoE mode

PPPoE configuration: Please enter your user name and your password in General options > PPPoE configuration to enable the PPPoE access.

Security Zone: For the proper generation of firewall rules and VPN rules, the parameter Security Zone must be initialized for each of the mGuard interfaces. Set Security Zone for the internal interface to Trusted and for the external interface to Untrusted. Double-click on an interface (if existing) in the properties window and select Options to access the parameter Security Zone.

Stealth mode

Log for port forwarding
Configure remote access
Roll out options
Connection Tracking

The handling of VPN and firewall rules is different in Stealth mode. Please refer to Chapter 5.1 for
tp, irc and pptp)
- NAT: Masquerading, Port forwarding and 1:1 NAT
- Router redundancy (cluster)
- Server configuration: Syslog, NTP and DNS
- Roll out support

Related documentation

Detailed information on the Security Configuration Manager and the Innominate mGuard can be found in the following documents:
- Solsoft Release Notes
- Solsoft Getting Started Guide (ISCM enterprise only)
- Solsoft Policy Server User Guide (ISCM enterprise only)
- Solsoft Policy Server Reference Manual (ISCM enterprise only)
- Solsoft Policy Server Working with VPNs (ISCM enterprise only)
- Solsoft Policy Server Administration Guide (ISCM enterprise only)
- Solsoft Firewall Manager User Guide (ISCM professional only)
- Solsoft Firewall Manager Quick Start Guide (ISCM professional only)
- Innominate mGuard manual
- Application notes: Roll out support and Learning mode

Version Info

ISCM 3.x.x is based on
- Solsoft Policy Server 7.x and Solsoft Firewall Manager 1.x respectively
- Innominate technology package 3.x.x

2 Installation

2.1 Requirements

Hardware
- A minimum of 512 MB RAM
- 4 GB free hard disk space
- Monitor displaying 32K colors at 1024 x 768 resolution minimum

Software
- Windows 2000 SP 2 or higher, Windows XP
- For the ISCM enterprise version you need to install the Solsoft Policy Server (sps-7.1-suite-windows.exe or sps-7.1-clients-windows.exe). For the ISCM professional version you need to insta
100. ts of the folder, select the folder and click on the icon. To see the folder in the context again, click on the icon. To delete the folder, select the folder and click on the icon.

3.9 Use the audit function to verify your policy. The Security Configuration Manager offers an audit function to allow you to review and verify your completed setup for a device. Verify that the output of the policy audit is what you expect. To access the audit, right-click on the device and select Policy Audit in the popup menu. For more information on how to interpret the output of the audit, refer to the Solsoft User Manual.

3.10 Compile the policy. Once you have completed your project and verified the results, you can compile it. The compilation generates the device-specific upload files. After successful compilation you can view the generated files by right-clicking on a device and selecting Show > Generated PEP configuration from the popup menu. To start the compilation process, click on the icon.

3.11 Deploy the rules (Rollback; Deployment parameters; Save the original configuration; Rollback to original configuration; Rollback to previous configuration). After successfully compiling your project and setting the parameters for deployment, you can deploy your policy. The Security Configuration Manager copies the configuration file to the mGuard using SSH. Therefore you have to specify the admin login and
101. twork and Subnet1. First, let us put all of the objects that are supposed to be part of the VPN in a trust zone.
1. To open the Zone Editor, select Tools > Zone Editor in the main menu of the Security Designer.
2. Click on the symbol to create a new zone. With the Zone Editor you can change the colour of the zone or the type of the zone (there are also limited path zones). Please leave the configuration unchanged and click on OK.
3. Now select the objects that are going to be part of the zone. Hold the Ctrl and Alt keys while clicking on each object. In our example the objects Headquarters Network, Cisco Pix Headquarters, mGuard branch office 1 and Subnet1 must be selected.
4. To add the objects to the zone, right-click on one of the selected objects and choose Zones > Zone 1 in the popup menu.
After adding the objects to the zone, the workspace will look like this:
[Screenshot: Solsoft Security Designer workspace (Topology view) with the Browser showing the Classes and Networks Headquarters, Internet and Subnet 1 to Subnet 4, and the Element Information panel]
102. visible when the parameter Upload method (Upload Configuration > Connection options) is set to localhost. See Chapter 7.2 for more information on the Roll out.

Directory to export rollout DB: Use this input field to specify the directory for the configuration data export, e.g. C:\temp\MSCM roll out. Make certain that the directory exists before initiating the roll out.

Serial number: Use this field to specify a serial number. The serial number should contain only characters that are allowed in Windows filenames.

Click on the entry General Options > Conntrack Options to access the connection tracking options for firewall rules and NAT. If, e.g., an outgoing ftp connection is set up to download data, the server will call back the calling system to establish an additional connection for the transfer of data. In this case Connection Tracking for ftp must be set to Yes so that the mGuard will accept this additional connection without an explicit firewall rule. The same is true for the protocols irc and pptp. Please check the appropriate box to enable connection tracking for ftp, irc or pptp. Since more than one service could be affected by the connection tracking (e.g. active ftp, passive ftp), please specify the services that are involved.

Dynamic Addresses: To use dynamic interface addresses, set the Use Dynamic Address option in the interface properties to Yes.
[Screenshot: mGuard branch office 2 Properties window]
