Innominate mGuard User Manual
Contents
1. The appropriate connection counterpart is configured in the main building.

Typical Application Scenarios, main building tunnel configuration: Connection type: Tunnel (Network <-> Network). Local network: 0.0.0.0/0. Remote network address: 192.168.2.0/24. The default route of an mGuard is usually directed over the WAN port, but in this case the Internet is accessible via the LAN port. Main building default gateway: IP of default gateway 192.168.1.253.

Solving network conflicts (figure: overlapping 10.0.0.0/16 networks). In the illustration above, the networks on the right-hand side should be accessible from the network or the computer on the left-hand side. However, due to historical or technical reasons, the computer networks on the right-hand side overlap. The conflict can be solved by rewriting these networks using the mGuard 1:1 NAT feature. 1:1 NAT can be used in normal routing and in IPsec VPN tunnels.

Control Elements and Displays (section 3). 3.1: Supply voltage 1 (power supply 1, P1), Modem, State, LAN. Rescue button: located in the opening; can be pressed with a straightened paper clip. See "The Rescue Button: Restarting, the Recovery Procedure and Flashing Firmware" on page 226. mGuard industrial RS: Supply voltage 2, see chapter on Startup.
2. P1, P2, Modem, Fault (power supply 2, P2), State, Error, LAN, WAN, Serial, Service (I/O, CMD/ACK, TIP/RING): terminal block for the signal contact, push button and optional ISDN or telephone connection; see chapter on Startup.

LED, state and meaning:
P1, green: Power supply 1 is active.
P2, green: Power supply 2 is active.
Modem, green: Connection established over modem.
Fault, red: The signal contact is open due to an error (see "Installing the mGuard industrial RS" on page 23 under "Signal contact"). The signal contact is interrupted during a reboot.
State, green flashing: Heartbeat. The device is correctly connected and functioning.
Error, red flashing: System error. Reboot the system: press the Rescue button briefly (1.5 seconds), OR disconnect the device from its power supply briefly and then reconnect it. If the error continues to occur, start the Recovery procedure (see "Performing a recovery" on page 226) or contact the support department.
State and Error, flashing alternately green/red: Boot process after connecting the device to the power supply. The LED switches to heartbeat mode after a few seconds.
LAN, green / WAN, green: Ethernet status. Shows the status of the LAN and WAN ports. As soon as the device is connected to the relevant network, the LEDs are illuminated continuously to indicate the presence
3. Keying tries (0 means unlimited tries); Rekey; Dead Peer Detection: Action: Hold (default), Delay.

ISAKMP SA (Key Exchange). Encryption Algorithm: Decide together with the administrator of the remote peer which encryption technique should be used. 3DES-168 is the most commonly used algorithm and is therefore the default setting. The following generally applies: the greater the number of bits used by an encryption algorithm (specified by the appended number), the more secure it is. The relatively new AES-256 protocol is therefore considered the most secure, but is not yet widely used. The longer the key, the longer the time required by the encryption process. However, this is of no consequence for the mGuard, as it uses a hardware-based encryption technique. This aspect may be of significance for the remote peer. The algorithm designated as Null contains no encryption. Hash Algorithm: Leave this setting as "All algorithms". It then does not matter whether the remote peer uses MD5 or SHA-1.

IPsec SA (Data Exchange). In contrast to ISAKMP SA (Key Exchange, see above), this setting determines the data exchange method. This may or may not be different from the Key Exchange method. Encryption Algorithm: see above. Hash Algorithm: see above. Perfect Forward Secrecy (PFS): This method is used to increase the security of the data transfer. In IPs
4. Configuration: Management Menu > Web Settings > Access (the user-certificate settings are only displayed during login with an X.509 user certificate). HTTPS Web Access: Allowed Networks (firewall rule list with From IP, Interface, Action, Comment and Log; e.g. 0.0.0.0/0, External, Accept). User authentication: User authentication method: Login with X.509 client certificate or password; CA certificate; X.509 subject; access level (e.g. admin).

These rules allow HTTPS remote access to be enabled. Important: make sure to set secure passwords before enabling remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In Router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: HTTPS access from the internal side is enabled by default and can be restricted by firewall rules.

When web access by HTTPS protocol is enabled, the mGuard can be configured from a remote system using its web-based administrator interface. This means a browser running on the remote system is used to configure the local mGuard. This option is disabled by default. IMPORTANT: If you enable remote access, ensure secure root and administrator passwords are defined. To enable HTTPS remote access, proceed as follows: HTT
5. IKE Fragmentation: Yes. IPsec MTU (default is 16260). Allowed packet forwarding between VPN connections: Yes/No. No (standard): VPN connections exist separately. Yes: Hub and Spoke feature activated. A control center diverts VPN connections to several branches, which can also communicate with each other. mGuard remote peers can also exchange data between each other during the establishment of a star VPN connection topology. In this case we recommend that the local mGuard consults CA certificates for the authentication of remote peers (see "Authentication" on page 190). The Yes setting is only needed for mGuards communicating between two different VPN remote peers. The local network of the communicating mGuard must be configured so that the remote networks containing the VPN remote peers are included. This is necessary for the correct communication between two VPN remote peers. The opposite setup (local and remote network interchanged) must also be established for the VPN remote peers. The Yes setting is not supported in the Stealth network mode.

Start and stop the entered VPN connection over the CMD contact: Off / VPN connection name. The mGuard industrial RS has connections where an external push button and a signal LED can be connected (see also "Installing the mGuard industrial RS" on page 23 under "Service contacts"). A defined VPN connection can be established and released using the push button. The VPN conn
6. If the mGuard is switched off and then back on, a time from this two-hour time period is displayed, not 1st January 2000.

NTP Server. NTP (Network Time Protocol): The mGuard can obtain the current date and time from an NTP server (time server). In order to do this, the address of at least one NTP server must be entered. This feature must also be activated. Enable NTP time synchronization: Yes/No. Once NTP is enabled, the mGuard obtains the date and time from a time server and displays this as its current system time. Synchronization may take a few seconds. NTP State: Displays the current NTP state. Shows whether or not the NTP daemon installed in the mGuard has synchronized with the configured NTP server to a suitable level. If the system clock of the mGuard has never been synchronized before activation of NTP time synchronization, then synchronization can take up to 15 minutes. The NTP daemon still changes the mGuard system clock to the current time as soon as it has successfully contacted an NTP server. The system time of the mGuard is then synchronized. Fine adjustment of the time is usually only made in the second range. NTP Server: Enter one or more time servers from which the mGuard should obtain the current time. If you enter several time servers, the mGuard will automatically connect with all of them to determine the current time. If you enter a hostname (e.g. pool.ntp.org) instead of an IP address, a DNS serv
7. In a certificate, the classification of a certificate to its owner is confirmed by a CA (Certificate Authority). This occurs through the confirmation of certain owner characteristics. Furthermore, the certificate owner must possess the private key that matches the public key in the certificate (see "X.509 certificate").

Example:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=XY, ST=Austria, L=Graz, O=TrustMe Ltd, OU=Certificate Authority, CN=CA/Email=ca@trustme.dom
            Validity
                Not Before: Oct 29 17:39:10 2000 GMT
            Subject: CN=anywhere.com/E=doctrans.de, C=DE, ST=Hamburg, L=Hamburg, O=Innominate, OU=Security
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00 c4 40 4c 6e 14 1b 61 36 84 24 b2 61 c0 b5 d7 e4 7a a5 4b 94 ef d9 5e 43 7f c1 64 80 fd 9f 50 41 6b 70 73 80 48 90 f3 58 bf f0 4c b9 90 32 81 59 18 16 3f 19 f4 5f 1 1 68 36 85 6 1c a9 af fa a9 a8 7b 44 85 79 b5 f1 20 d3 25 7d 1c de 68 15 0c b6 bc 59 46 0a d8 99 4e 07 50 0a 5d 83 61 d4 db c9 7d c3 2e eb 0a 8f 62 8f 7e 00 e1 37 67 3f 36 d5 04 38 44 44 77 e9 10 b4 95 15 f9 34 9f 18 43
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name: email:xyz@anywhere.com
                Netscape Comment: mod_ssl generated test server certificate
                Netscape Cert Type: SSL Server
        Signature Algorithm: md5WithRSAEncryption
            12 ed f7 b3 5e a0 93 3f a0 1d 60
8. Specifies in seconds how long the mGuard waits for an answer from the RADIUS server (standard: 3 seconds). RADIUS retries: Specifies how often requests to the RADIUS server are retried after a RADIUS timeout has occurred (standard: 3). Server: Name of the RADIUS server, or IP address. Port: The port number used by the RADIUS server. Secret: RADIUS server password.

Authentication > Firewall Users. Status: "The User Firewall is not enabled". If the user firewall is activated, its status is displayed here.

Configuration: Authentication Menu, 6.5.3 Authentication > Certificates. Definitions: Certificate; Self-signed certificates; Certificate (machine certificate); Remote certificate.

Authentication is a fundamental element of secure communication. The X.509 authentication procedure ensures that the correct partners communicate with each other. Certificates are used in this process. An incorrect communication partner is one who falsely identifies themselves as someone they are not (see glossary under "X.509 certificate"). A certificate is used as proof of authentication for its owner. The relevant authorizing party in this case is the CA (Certificate Authority). The digital signature on the certificate is made by the CA. By providing this signature, the CA confirms that the authorized certificate owner possesses a private key that corresponds to the public key in the c
9. See below under "Serial Port" on page 27. The device forwards the grounding from the DIN rail through to the left contact (grounding connection) on the lower terminal block. Do not open the housing. The shielding ground of the connectable twisted-pair lines is electrically connected to the front faceplate. Safety notice: This is a Class A device which may cause radio interference in residential areas. In this case the operator may be requested to take appropriate preventative measures. Remove or disconnect the connections: To remove the mGuard industrial RS from the DIN rail, insert a screwdriver horizontally under the housing into the locking slide, pull it downwards without tipping the screwdriver, and lift the mGuard industrial RS upwards.

Startup: Connections. Supply voltage: Connection of the supply voltage is made using a terminal block with a screw mechanism. This is found on the top of the device. (Figure: supply voltage terminals P1/P2, 24V/0V; LEDs P1, P2, Modem, Fault, State, Error, LAN, WAN.) Warning: The mGuard is intended for safety extra-low voltage (SELV) operation. Therefore power supply and signal contact connectors may only be connected with PELV or SELV circuits with voltage restrictions in accordance with IEC/EN 60950. Operating voltage: NEC class 2 power source, 12 V DC or 24 V DC 25 33
10. 1:1 NAT (rule list). Please note: These rules won't apply to the Stealth mode.

Network Address Translation / IP Masquerading; 1:1 NAT. Lists the rules set for NAT (Network Address Translation). For outgoing data packets, the device can rewrite the sender's IP address from its internal network to its own external address. This technique is called NAT (Network Address Translation). This method is used whenever the internal address cannot or should not be routed externally, e.g. when a private address such as 192.168.x.x or the internal network structure should remain hidden. This method is also known as IP Masquerading. If the mGuard is operated in PPPoE mode, NAT must be activated in order to gain access to the Internet. If NAT is not activated, then only VPN connections can be used. If more than one IP address for the WAN port is used, the first IP address of the list is always used for IP Masquerading. These rules do not apply to Stealth mode. Factory default: NAT is not active. You have the following options: From IP: 0.0.0.0/0 means all addresses, i.e. all internal IP addresses are subject to the NAT procedure. To enter an address, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224). Comment: Can be filled with relevant comments. 1:1 NAT: Lists the rules set for 1:1 NAT (Network Address Translation). The mGuard mirrors addresses from the internal network to the
11. Network / Gateway. Network: Enter the network using CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224). Gateway: The gateway where this network can be accessed. The routes defined here are valid as necessary routes for data packets created by the mGuard. This definition takes priority over other settings. See also "Network Example" on page 225.

Configuration: Network Menu > Stealth > Static Stealth Configuration. Client IP address: The IP address of the client connected to the LAN port. Client MAC address: The physical address of the network adaptor in the local computer to which the mGuard is connected. The MAC address can be determined as follows: at the DOS level (Start > Programs > Accessories > Command Prompt), enter the following command: ipconfig /all. The entry of a MAC address is not necessary; the mGuard can obtain the MAC address automatically from the client. The MAC address 0:0:0:0:0:0 must be entered in order to do this. Please note that the mGuard can only forward the network packet through to the client after the MAC address has been determined. If no Stealth management IP address or client MAC address is configured in static Stealth mode, then DAD ARP requests are sent to the internal interface (see RFC 2131, section 4.4.1).

Configuration: Network Menu > Network Mode Router: General, Network Status, Factory default for Ext
12. AT: The mGuard sends this character string to the modem in order to establish the readiness of the modem for accepting commands. If the modem is connected to a private branch exchange where no constant dial tone is present, then AT should be replaced by ATX3. The modem is then instructed not to wait for a constant dial tone when a connection is opened. OK: Specifies that the mGuard expects the OK character string from the modem as an answer to AT. With many modem types it is possible to save modem settings in the modem itself. However, this option should not be used. Desired or necessary initialization settings should be set externally instead, i.e. through the mGuard. In case of a modem breakdown, the modem can then be replaced quickly without changing the modem settings. Modem reset string: Specifies the reset sequence for the modem (standard: ATH). If necessary, consult the modem manual for the reset sequence (modem reset command).

Configuration: Network Menu. Additionally, for mGuard industrial RS with built-in modem (analog): External Modem: Hardware handshake (RTS/CTS), Baudrate, Modem init string, Modem reset string. Built-in Modem (analog): Country; Speaker control (built-in speaker): "Speaker is on during call establishment but off when receiving carrier". The mGuard industrial RS can additionall
13. Shortname: During the machine certificate import process, the CN attribute from the certificate's Subject field is suggested as the short name, providing the Shortname field is empty at this point. This name can be adopted, or another name can be chosen. Name entry, whether the suggested one or another, is mandatory. The names must be unique and must not be used more than once. Use of the short name: During the configuration of SSH (Menu Management > System Settings > Shell Access), HTTPS (Menu Management > Web Settings > Access) and VPN connections (Menu IPsec VPN > Connections), the certificates imported in the mGuard are given as a selection list. The certificates are displayed under the short name entered for each individual certificate. For this reason the entry of a name is necessary. Creating a certificate copy: You can make a copy of the imported machine certificate, e.g. for the remote peer, so that this mGuard can authenticate itself. This copy does not contain the private key and can be made public at any time. To do this, proceed as follows: Click on the "Current Certificate File" button on the machine certificate, next to the "Download certificate" row title. Make the desired entries in the dialog that opens.

Configuration: Authentication Menu. CA Certificates: CA certificates are those from a Certificate Authority (CA). CA certificates are used to check whether the certificates shown by re
14. Aside from the CA certificate whose signature can be seen in the displayed certificate of the VPN partner to be checked, the CA certificate of the superordinate CA, up to the root certificate, must also be used. If this trust chain is checked meticulously in order to accept the authenticity of a remote peer, then the level of security increases.

In a client/server environment, a server is a program or computer which accepts and answers queries from client programs or computers. In data communication, the computer which establishes a connection to a server (or host) is also called a client. In other words, the client is the calling computer and the server (or host) is the computer called.

In the IP protocol, data is sent in the form of data packets. These are known as IP datagrams. An IP datagram has the following structure: IP Header | TCP/UDP/ESP etc. Header | Data (Payload). The IP header contains: the IP address of the sender (source IP address); the IP address of the recipient (destination IP address); the protocol number of the protocol on the superordinate protocol layer (according to the OSI layer model); the IP header checksum, used to check the integrity of the received header. The TCP/UDP header contains the following information: the sender's port (source port); the recipient's port (destination port); a checksum covering the TCP header and information from the IP header (e.g. source and de
15. (Screenshot: Machine Certificates list showing two imported sample certificates with Subject, Issuer, Validity, MD5 and SHA1 fingerprints, Shortname, and the Upload controls Filename / Browse / Import PKCS#12 Password.)

Machine Certificates: Shows the currently imported X.509 certificates that the mGuard uses to authenticate itself to remote peers, e.g. other VPN gateways. To import a new certificate, please proceed as follows. Importing a new machine certificate. Requirement: The PKCS#12 file (format .p12 or .pfx) is saved on the connected computer. Proceed as follows: 1. Click on Browse to select the file. 2. Enter the password that is used for protection of the PKCS#12 file's private key in the Password field. 3. Click on Import. After the import, the installed certificate can be seen under Certificate. Configuration: Authentication Menu.
16. DHCP > Internal DHCP. Mode: DHCP mode: Disabled / Server / Relay. Set this option to Server if the mGuard should function as an independent DHCP server. The selection settings are then displayed on the screen (see "DHCP mode > Server" on page 128). Set the option to Relay if the mGuard should forward DHCP queries to another DHCP server. The selection settings are then displayed on the screen (see "DHCP mode > Relay" on page 130). The Relay DHCP mode is not supported in Stealth mode. If Stealth mode is in operation on the mGuard and Relay DHCP mode is selected, then this setting is ignored. However, DHCP client queries and the respective answers are forwarded due to the nature of Stealth mode. If this option is set to Disabled, the mGuard does not answer any DHCP queries.

Configuration: Network Menu, DHCP mode > Server. Network > DHCP > Internal DHCP: Mode: DHCP mode: DHCP Server. DHCP Server Options: Enable dynamic IP address pool; DHCP lease time; DHCP range start; DHCP range end; Local netmask; Broadcast address; Default gateway; DNS server; WINS server. Static Mapping: Client MAC Address; Client IP Address. If the DHCP mode is set to Server, the following selection settings are displayed. DHCP Server Options: Enable dynamic IP address pool: Yes/No. Select Yes if you wish to use the IP address pool defined by DHCP range sta
17. Internal: Setting of Egress Queue rules on the LAN interface. (Screenshot: QoS > Egress Rules, tabs Internal / External / VPN via External, each with a Default Queue and a rule list of Current TOS/DSCP, New TOS/DSCP and Queue name; e.g. TOS Minimize-Delay, Unchanged, Urgent; TOS Maximize-Reliability, Unchanged, Important; TOS Minimize-Cost, Unchanged, Low Priority.) External: Setting of Egress Queue rules on the WAN interface. VPN via External: Setting of Egress Queue rules on the WAN interface for VPN connections.

The three tab options offer the same allocation possibilities: the Internal tab for the LAN interface; the External tab for the WAN interface; the VPN via External tab for the WAN interface during VPN connections. In all cases the settings relate to the data that is sent externally to the network from the respective mGuard interface. Default (Default Queue): Names of the Egress Queues (user-defined). The names of queues are displayed as listed or defined under E
18. Status; LAN link status; WAN link status; Temperature; Device type: Device name, e.g. blade or blade XL; ID: bus controller ID; ID of this slot on the bladeBase's control bus; Serial number: The serial number of the mGuard; Flash ID: Flash ID of the mGuard's flash chip; Software version: Software version installed on the mGuard; MAC addresses: All MAC addresses used by the mGuard; Status: Status of the mGuard; LAN link status: Status of the LAN port; WAN link status: Status of the WAN port.

Configuration: Blade Control Menu (control unit only). Blade Control > Blade 01 (Blade in slot 01). Configuration: No configuration file. Configuration backup Blade 01 > Controller: Automatic / Manual; Backup; Restore. Upload configuration from client: Upload from client. Download configuration to client: Download to client. Configuration backup Blade __ > Controller: Automatic: The new configuration is stored automatically on the controller shortly after a configuration change on the mGuard. Manual: The configuration can be stored on the controller using the Backup button and can be restored on the mGuard using the Restore button. Reconfiguration if Blade __ is replaced: After replacing an mGuard in this slot, the configuration stored on the controller will be automatically transferred to the new mGuard. Delete configuration backup of Blade __: Deletes the
19. Subject entry in machine certificate; one of the Subject Alternative Names listed in the certificate. When the certificate contains Subject Alternative Names, these are entered under "Valid entries are". These can be IP addresses, hostnames with preset signs, or e-mail addresses.

Authentication method: Pre-Shared Secret Key (PSK). (Screenshot: IPsec VPN > Connections > London > Authentication: Authentication method: Pre-Shared Secret Key (PSK); VPN Identifier Remote.) This method is mainly used by older IPsec implementations. In this case both sides of the VPN authenticate themselves with the same PSK. To make the agreed key available to the mGuard, proceed as follows: Enter the agreed character string in the "Pre-Shared Secret Key (PSK)" entry field. To achieve security comparable to that of 3DES, the string should consist of about 30 randomly selected characters and should include upper and lower case characters and digits.

Configuration: IPsec VPN Menu (not for blade controller). The Pre-Shared Secret Key cannot be used with dynamic ("any") IP addresses. Only fixed IP addresses or hostnames at both ends are supported. However, changing IP addresses (DynDNS) can be hidden behind the hostnames. Pre-Shared Secret Key cannot be used when one or both of the communication partners is located behind a NAT gateway. VPN Identifier: VPN gateways use the VPN Identifi
20. If the mGuard is running in Stealth mode, the option "User defined" must be selected under Hostname mode. Provider defined (e.g. via DHCP): If the selected network mode permits external setting of the hostname (e.g. via DHCP), the mGuard is assigned the name received from the provider.

Configuration: Management Menu. Hostname: If the option "User defined" is selected under Hostname mode, enter the name that should be assigned to the mGuard here. Otherwise (i.e. if the option "Provider defined (e.g. via DHCP)" is selected under Hostname mode), the entry in this field will be ignored. Domain search path: This option makes it easier for the user to specify a domain name. If the user enters the domain name in an abbreviated form, the mGuard completes the entry by appending the domain suffix that is defined here under the Domain search path. SNMP Information: System name: A freely selectable name for the mGuard, used for administration purposes, e.g. "Hermes", "Pluto" (under SNMP: sysName). Location: Freely selectable description of the installation location, e.g. "hall IV, corridor 3, broom cupboard" (under SNMP: sysLocation). Contact: The name of the contact person responsible for this mGuard, including telephone number (under SNMP: sysContact). HiDiscovery: HiDiscovery is a protocol which supports the initial startup of new network devices and is available in Stealth mode on the local interface (LAN) of the m
21. ...decompress it, a corresponding error message is sent to the user's client software and an entry is written in the anti-virus log. In this case you have the following options: You can try to download/upload the file again later. You can temporarily deactivate the virus filter for the corresponding server. You can activate the automatic pass-through mode.

Configuration: Web Security Menu (not for blade controller). Action for infected files: Notify with FTP error: An error message is sent to the FTP client if the virus filter detects a virus in the data transferred from an FTP server to the FTP client. The handling of this error message depends on the respective FTP client. Action for files exceeding maximum message size: Let data pass unscanned: When this option is selected, the virus filter is switched to pass-through mode, which allows files that exceed the file size to pass through unscanned. In this case the data is not checked for viruses. Block data: When this option is selected, the system terminates the download and sends an error message to the client software. List of FTP Servers: Enter the servers where the data should be scanned for viruses. By activating and deactivating the anti-virus function for each entry or server, you can set an exception for subsequent rules. It is also possible to enter trusted servers (see the example below). Example: Global activation of anti-virus protecti
22. (Except mGuard delta and blade controller.) When Stealth network mode and Static stealth configuration are set: General: Network Status: External IP address, Network Mode, Status (Active), Default route, Used DNS servers. Network Mode: Network Mode: Stealth; Stealth configuration: static. Stealth Management IP Address: Here you can specify an additional IP address to administrate the mGuard. If you have set Stealth configuration to "multiple clients", remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature. Note: using a management VLAN is not supported in Stealth autodetect mode. IP address; Netmask; Default gateway; Use Management VLAN; Management VLAN ID. Static routes: The following settings are applied to traffic generated by the mGuard. Networks to be routed over alternative gateways: Network; Gateway. Stealth > Static Stealth Configuration: Client's IP address.

Stealth configuration: autodetect / static / multiple clients. autodetect (default): The mGuard analyzes the network traffic and independently configures its network interface accordingly. It functions transparently. static: If the mGuard cannot analyze the network traffic (e.g. because the connected local computer only receives data), then the Stealth configuration must be set to static. In this case f
23. L2TP over IPsec > L2TP Server Settings > Status: Allows VPN connections using the IPsec/L2TP mGuard protocol. In doing so, the L2TP protocol is driven using an IPsec transport connection in order to establish a tunnel connection with a Point-to-Point Protocol (PPP). Clients are automatically assigned IP addresses through PPP. In order to use IPsec/L2TP, the L2TP server must be activated and one or more IPsec connections with the following characteristics must be defined: Type: Transport; Protocol: UDP; Local port: any; Remote port: any; PFS: No. See also: Further settings can be made by clicking "More" (on page 188) and "IKE Options" (on page 198).

(Screenshot: IPsec VPN > L2TP over IPsec > L2TP Server Settings: Local IP for L2TP connections 10.106.106.1; Remote IP range start; Remote IP range end. Please note: These rules won't apply to the Stealth mode.)

Start L2TP Server for IPsec/L2TP: Yes/No. If you want to enable IPsec/L2TP connections, set this option to Yes. It is then possible to establish incoming L2TP connections over IPsec, which dynamically assign IP addresses to the clients within the VPN. Local IP for L2TP connections: If set as shown in the screenshot above, the mGuard will inform the remote peer that its address is 10.106.106.1. Remote IP range start/end: If set as shown in the screenshot above, the mGuard w
24. ...successively. If these are also not accessible, the master mGuard deactivates itself. Hosts to check via ICMP in the external network; Hosts to check via ICMP in the internal network: Enter the respective IP address here. The hosts must answer ICMP echo requests.

Configuration: Redundancy Menu, 6.11.2 Ring Network Coupling. Redundancy > Ring Network Coupling: Ring Network Coupling Settings: Enable Ring Network Coupling (Dual Homing); Redundancy Port: Internal. Settings: Enable Ring Network Coupling (Dual Homing): Yes/No. When activated, the status of one Ethernet port is transferred in Stealth mode to the other port. This means that interruptions in the network can be traced more easily. Redundancy Port: Internal/External. Internal: The WAN port is activated/deactivated accordingly when the connection on the LAN port is connected/disconnected. External: The LAN port is activated/deactivated accordingly when the connection on the WAN port is connected/disconnected.

Configuration: Logging Menu, 6.12 Logging Menu. Logging is the recording of event messages, e.g. concerning settings that have been made, firewall rules taking effect, errors, etc. Log entries are recorded in different categories and can be displayed according to these categories (see "Logging > Browse local logs" on page 217). 6.12.1 Logging > Settings: Remote Logging. Setting
25. ... the Recovery Procedure and Flashing Firmware

7.3.1 Installing DHCP and TFTP servers in Windows or Linux

In Windows: Install the program from the CD-ROM. To do this, proceed as follows:
1. Disconnect the Windows computer from all networks.
2. Copy the software into any empty folder on the Windows computer. Start the TFTPD32.EXE program.
3. The set host IP is 192.168.10.1. This must also be the network card address. Click on the Browse button to switch to the folder where the mGuard image files have been saved (install.p7s, jffs2.img.p7s). If a major release upgrade of the firmware is carried out due to the flash procedure, the license file purchased for the update must also be stored here under the name licence.lic. Please ensure that this is the correct license for the device (see Management > Update on page 77).

Note: The image files are also found on the CD-ROM included in the package.

[Screenshot: TFTPD32 window. Current Directory, Browse; Server interface 192.168.10.1; Show Dir; tabs Tftp Server / DHCP server. Log output:]
Rcvd DHCP Discover Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.694]
DHCP: proposed address 192.168.10.200 [26/11 09:41:19.694]
Rcvd DHCP Rqst Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.704]
Previously allocated address acked [26/11 09:41:19.714]
Connection received from 192.168.10.200 on port 1024 [26/11 09:41:19.774]
Read request for file <install.p7s>. Mode octet [26/11 09:41
26. 6.2 Management Menu

6.2.1 Management > System Settings

Host

Note: For security reasons, we recommend that you change the default Root and Administrator passwords during the first configuration (see Authentication > Local Users on page 132). You will be informed of this as long as the passwords are left unchanged.

[Screenshot: Management > System Settings > Host. System: Power supply 1/2, Uptime, Temperature (°C). System DNS Hostname: Hostname mode "User defined (from field below)", Hostname "machine01", Domain search path "beispiel.kunde.hh.com". SNMP Information: System Name, Location, Contact. HiDiscovery: Local HiDiscovery Support "Enabled", HiDiscovery Frame Forwarding.]

System (only mGuard industrial RS, EAGLE mGuard)
Power supply 1/2: State of both power supplies.
Uptime: Current system running time since the last reboot.
Temperature (°C): An SNMP trap is sent if the temperature exceeds or falls below the defined temperature range.

System DNS Hostname
Hostname mode: You can assign a name to the mGuard using the Hostname mode and Hostname fields. For example, this is then displayed when logging in via SSH (see Management > System Settings, Shell Access on page 62). Assigning names simplifies the administration of several mGuards.
User defined (from field below) (default): The name entered in the Hostname field is assigned to the mGuard.
27. ... 5.3 Authentication > Certificates on page 136), except the remote certificate (see above).

Note: If the use of block lists (CRL checking) is activated under the Authentication > Certificates, Certificate settings menu, then each certificate signed by a CA that a VPN remote peer shows is checked for blocks. Locally configured remote certificates imported here are excepted.

Remote CA Certificate

- When the VPN remote peer authenticates itself with a self-signed machine certificate: In this case, select Remote certificate below (not CA certificate). The certificate is then installed under Remote Certificate. It is not possible to refer to a remote certificate loaded in the Authentication > Certificates menu.
- When the VPN remote peer authenticates itself with a machine certificate signed by a CA: It is possible to authenticate the machine certificate shown by the remote peer as follows: (A) using a CA certificate, (B) using the relevant remote certificate.

A: Using a CA certificate. Only the CA certificate from the CA that signed the certificate shown by the VPN remote peer should be referred to here (selection from list). The further CA certificates that build the chain to the root CA certificate, together with the certificate shown by the remote peer, must be installed in the mGuard under Authentication > Certificates. The selection list gives
28. (Contents, continued)
6.9.5 IPsec VPN > L2TP over IPsec ... 202
6.10 QoS Menu ... 204
6.10.1 Ingress Filter ... 204
Internal / External ... 204
6.10.2 Egress Queues ... 207
Internal / External / VPN via External ... 207
6.10.3 Egress Rules ... 208
Internal / External / VPN via External ... 209
6.11 Redundancy Menu ... 212
6.11.1 Firewall Redundancy ... 212
Redundancy ... 213
ICMP Checks ... 214
6.11.2 Ring Network Coupling ... 215
Ring Network Coupling ... 215
6.12 Logging Menu ... 216
6.12.1 Logging > Settings ... 216
Remote Logging ... 216
6.12.2 Logging > Browse local logs ... 217
Log Entry categories ... 217
6.13 Support Menu ... 221
6.13.1 Support > Tools ... 221
Ping Check ... 221
Traceroute ... 221
DNS Lookup ... 221
IKE Ping ... 222
6.13.2 Support > Advanced ... 223
Hardware ... 223
Snapshots ...
29. CA certificate

Requirement: The file (file name extension .cer, .pem or .crt) is saved on the connected computer. Proceed as follows:
1. Click on Browse to select the file.
2. Click on Import.
After the import, the installed certificate can be seen under Certificate.

Shortname: During the CA certificate import process, the CN attribute from the certificate's Subject field is suggested as the short name, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen. Name entry, whether the suggested one or another, is mandatory. The names must be unique and must not be used more than once.

Use of the short name: During the configuration of SSH (menu Management > System Settings, Shell Access), HTTPS (menu Management > Web Settings, Access) and VPN connections (menu IPsec VPN > Connections, Authentication), the imported certificates in the mGuard are given as a selection list. The certificates are displayed under the short name entered for each individual certificate. For this reason, the entry of a name is necessary.

Creating a certificate copy: You can make a copy of the imported CA certificate. To do this, proceed as follows: Click on the Current Certificate File button on the CA certificate, next to the Download certificate row title. Make the desired entries in the dialog that opens.

Remote certificates

A remot
30. ... DynDNS at regular intervals for whether any changes have occurred. If so, the VPN connection will be set up to the new IP address.
Refresh Interval (sec): Standard 300 seconds.

6.9.2 IPsec VPN > Connections

Connections

Requirements for a VPN connection: The main requirement for a VPN connection is that the IP addresses of the VPN partners are known and accessible.
- In order for an IPsec connection to be set up successfully, the VPN remote peer must support IPsec with the following configuration: authentication via Pre-Shared Key (PSK) or X.509 certificate; ESP; Diffie-Hellman groups 2 and 5; DES, 3DES or AES encryption; MD5 or SHA-1 hash algorithms; Tunnel or Transport mode; Quick Mode; Main Mode; SA lifetime 1 second to 24 hours. If the remote peer system is running Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must be installed.
- If the remote peer is behind a NAT router, the peer must support NAT-T. Alternatively, the NAT router must support the IPsec protocol (IPsec VPN Passthrough). For technical reasons, only IPsec Tunnel connections are supported in both cases.

Lists the VPN connections that have been defined. Each entry listed here can identify an individual VPN connection or a group of VPN connection channels. You have the possibility of defining several tunnels under t
31. (Contents, continued)
mGuard industrial RS ... 10
mGuard smart ... 10
mGuard PCI ... 10
mGuard blade ... 10
EAGLE mGuard ... 11
mGuard delta ... 11
2 Typical Application Scenarios ... 12
Stealth Mode ... 12
VPN gateway ... 13
WLAN over VPN ... 13
Solving network conflicts ... 14
3 Control Elements and Displays ... 15
3.1 mGuard industrial RS ... 15
3.5 EAGLE mGuard ... 19
3.6 mGuard delta ... 20
General notes regarding usage ... 21
Startup steps ... 21
Included in the package ... 22
4.1 Installing the mGuard industrial RS ... 23
Assembly ... 23
Disassembly ... 23
4.2 Connecting the mGuard smart ... 28
4.3 Installing the mGuard blade ...
32. (Contents, continued)
EAGLE mGuard ... 43
5.2 Local configuration at startup ... 44
5.2.1 mGuard industrial RS, mGuard smart, mGuard blade and EAGLE mGuard ... 44
With a configured network interface ... 44
With a non-configured network interface ... 44
5.2.3 mGuard PCI ... 47
Installing the PCI card ... 47
Installing the driver ... 47
Configuring the network interface ... 47
5.3 Setting up a local configuration connection ... 49
Web-based administrator interface ... 49
After a successful connection setup ... 50
Requirement ... 52
Remote configuration ... 52
6 Configuration ... 53
6.1 Operation ... 53
6.2 Management Menu ... 56
6.2.1 Manag
33. ... Sent when a user logs in to a user firewall.

enterprise oid | genericTrap | specific trap | additional | Explanation
mGuardTrapUserFirewall | enterpriseSpecific | mGuardTrapUserFirewallLogout (2) | mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallLogoutReason | Sent when a user logs out of a user firewall
mGuardTrapUserFirewall | enterpriseSpecific | mGuardTrapUserFirewallAuthError (3) | mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod | Sent during an authentication error

Status change of IPsec connections: Yes/No

enterprise oid | genericTrap | specific trap | additional | Explanation
mGuardTrapVPN | enterpriseSpecific | mGuardTrapVPNIKEServerStatus (1) | mGuardTResVPNStatus | Sent during starting and stopping of IPsec IKE servers
mGuardTrapVPN | enterpriseSpecific | mGuardTrapVPNIPsecConnStatus (2) | mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPeer, mGuardTResVPNStatus, mGuardTResVPNType, mGuardTResVPNLocal, mGuardTResVPNRemote | Sent when the state of an IPsec connection changes

Status change of L2TP connections: Yes/No

enterprise oid | genericTrap | specific trap | additional | Explanation
mGuardTrapVPN | enterpriseSpecific | mGuardTrapVPNL2TPConnStatus (3) | mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPeer, mGuardTResVPNStatus, mGuardTResVPNLocal, mGuardTResVPNRemot
34. TCP/UDP/ICMP consistency checks: Yes/No. When this option is set to Yes, the mGuard performs various checks for wrong checksums, packet sizes, etc. and drops packets failing the check. The factory default for this option is Yes.

Router Modes (Router, PPTP, PPPoE)
ICMP from extern to the mGuard: With this option you can control which ICMP messages from the external network are accepted by the mGuard. You have the following options:
Drop: All ICMP messages directed to the mGuard are dropped.
Allow ping requests: Only ping messages sent to the mGuard (ICMP type 8) are accepted.
Allow all ICMPs: All ICMP messages to the mGuard are accepted.

AntiVirus Scanning
Connections scanned for viruses are subject to firewall rules: Yes/No. In the Web Security > HTTP, Web Security > FTP, E-mail Security > POP3 and E-mail Security > SMTP menus, a list of server connections can be created under the Virus Protection tab. Files that enter the mGuard via these connections (in the case of SMTP, outgoing files) are scanned for viruses. If firewall packet filters are set (Network Security > Packet Filters and/or Network Security > User Firewall) which relate to and prevent these connections, then these are only taken into consideration if the "Connections scanned for viruses are subject to firewall rules" switch is set to Yes. If No is set (default), s
35. ... a connected modem as soon as possible after a reboot or activation of the Modem network mode. This remains in place constantly, regardless of whether data is transferred or not. If the telephone connection is then interrupted, the mGuard attempts to restore it immediately. A constant connection is then made, like a dedicated line. By doing this, the mGuard is constantly available externally, i.e. for incoming data packets.
For both Yes and No: The telephone connection is always made by the mGuard.

Idle timeout: Yes/No. Only considered when Dial on demand is set to Yes. When Yes (default) is set, the mGuard terminates the telephone connection as soon as no data transfer takes place over the defined idle period. The mGuard gives the connected modem the relevant command for terminating the telephone connection. When No is set, the mGuard gives the connected modem no command for terminating the telephone connection.

Idle time (seconds): Standard 300. If no data traffic is made after the time specified here, the mGuard can terminate the telephone connection (see above under Idle timeout).

Local IP: IP address of the mGuard serial port that now acts as a WAN interface. Adopt the preset value (0.0.0.0) if this IP address is assigned dynamically by the ISP. Otherwise enter it here, i.e. assignment of a fixed IP address.

Remote IP: IP address of the remote peer. This is the IP address of the ISP used for access when conne
36. ... added to the beginning of the telephone number.

Volume (built-in speaker) / Speaker use: These settings define which sounds are emitted by the mGuard speaker and at which volume.

For mGuard industrial RS with built-in ISDN terminal adaptor

[Screenshot: External Modem: Hardware handshake (RTS/CTS), Baudrate, Modem init string, Modem reset string. Additionally for Built-in Modem (ISDN), mGuard industrial RS: 1st MSN, 2nd MSN, ISDN protocol, Layer 2 protocol (PPP / ML-PPP), EuroISDN (NET3).]

The mGuard industrial RS can also have an optional built-in modem (ISDN), also known as an ISDN terminal adaptor. If this modem is used, it must be configured. The built-in modem can be used as follows:
- For configuration connections over the PPP dial-in option (for configuration purposes, see Serial Port, PPP dial-in options tab), OR
- For data traffic in Built-in Modem network mode. In this network mode, data traffic is made over the built-in modem and not over the mGuard WAN port.

External Modem: As for mGuard industrial RS without a built-in modem, mGuard blade, EAGLE mGuard and mGuard delta. Configuration as above for External Modem (see External Modem on page 120).

Built-in Modem (ISDN): These settings apply to the Built-in Modem network mode. In this network mode, data traffic is made over the built-in modem (installed ISDN terminal adapt
37. ... address must be known in order to establish a VPN connection, so that they can connect to each other. This condition is not met if both participants are assigned IP addresses dynamically by their respective Internet Service Providers. In this case a DynDNS service such as DynDNS.org or DNS4BIZ.com can be of assistance. The currently valid IP address is registered under a fixed name with a DynDNS service. If you have registered with one of the DynDNS services supported by the mGuard, you can enter the corresponding information in this text field.

Register this mGuard at a DynDNS Service: Yes/No. Select Yes if you have registered with a DynDNS provider and the mGuard should utilize this service. The mGuard reports its current IP address to the DynDNS service, i.e. the one assigned for Internet access by the Internet Service Provider.

Refresh Interval (sec): Standard 420 seconds. The mGuard informs the DynDNS service of its new IP address whenever the IP address of its Internet access is changed. For additional reliability, the device will also report its IP address at the interval set here. This setting has no effect for some DynDNS providers like DynDNS.org, as too many updates can cause the account to be closed.

DynDNS Provider: The providers in this list support the same protocol as the mGuard. Select the name of the provider where you are registered, e.g. DynDNS.org, TinyDynDNS, DNS4BIZ.

DynDNS Server: Name of the server of the DynDNS
38. ... address of your client as follows:
Windows 95/98/ME: Start winipcfg in a DOS box.
Windows NT/2000/XP: Start ipconfig /all in a prompt. The MAC address is shown as "Physical Address".
Linux: Call /sbin/ifconfig or ip link show in a shell.

You have the following options:
Client MAC address: The MAC address of the client (without spaces or hyphens).
Client IP address: The static IP of the client to be assigned to the MAC address.

Static assignments take priority over the dynamic IP address pool. Static assignments and dynamic IP pool addresses must not overlap. Do not assign one IP address to several static MAC addresses, otherwise several MAC addresses are assigned to this IP address. Only use one DHCP server per subnetwork.

DHCP mode > Relay

[Screenshot: Network > DHCP > Internal DHCP. DHCP mode: DHCP Relay. DHCP Relay Options: DHCP Servers to relay to (IP 192.168.89.45); Append Relay Agent Information (Option 82): No.]

If the DHCP mode is set to Relay, the following selection settings are displayed.

Note: The Relay DHCP mode is not supported in Stealth mode. If Stealth mode is in operation on the mGuard and Relay DHCP mode is selected, then this setting is ignored. However, DHCP client queries and the respective answers are forwarded due to the nature of Stealth mode.

DHCP Relay Options
DHCP servers to relay to: A list of one or more DHCP servers where DHCP r
39. ... addresses for the mGuard, e.g. when configuring the firewall, it may be necessary to use CIDR notation to specify the address space. The following table shows the IP netmask on the left and the corresponding CIDR notation on the right.

IP netmask | Binary | CIDR
255.255.255.255 | 11111111 11111111 11111111 11111111 | 32
255.255.255.254 | 11111111 11111111 11111111 11111110 | 31
255.255.255.252 | 11111111 11111111 11111111 11111100 | 30
255.255.255.248 | 11111111 11111111 11111111 11111000 | 29
255.255.255.240 | 11111111 11111111 11111111 11110000 | 28
255.255.255.224 | 11111111 11111111 11111111 11100000 | 27
255.255.255.192 | 11111111 11111111 11111111 11000000 | 26
255.255.255.128 | 11111111 11111111 11111111 10000000 | 25
255.255.255.0 | 11111111 11111111 11111111 00000000 | 24
255.255.254.0 | 11111111 11111111 11111110 00000000 | 23
255.255.252.0 | 11111111 11111111 11111100 00000000 | 22
255.255.248.0 | 11111111 11111111 11111000 00000000 | 21
255.255.240.0 | 11111111 11111111 11110000 00000000 | 20
255.255.224.0 | 11111111 11111111 11100000 00000000 | 19
255.255.192.0 | 11111111 11111111 11000000 00000000 | 18
255.255.128.0 | 11111111 11111111 10000000 00000000 | 17
255.255.0.0 | 11111111 11111111 00000000 00000000 | 16
255.254.0.0 | 11111111 11111110 00000000 00000000 | 15
255.252.0.0 | 11111111 11111100 00000000 00000000 | 14
255.248.0.0 | 11111111 11111000 00000000 00000000 | 13
255.240.0.0 | 11111111 11110000 00000000 00000000 | 12
255.224.0.0 | 11111111 11100000 00000000 00000000 | 11
255.192.0.0 | 11111111 11000000 00000000 0
40. ... adopt in order to authenticate the remote peer (browser of the remote user). To do this, select one of the remote certificates from the selection list. The selection list gives a selection of remote certificates that are loaded in the mGuard under the Authentication > Certificates menu.

Authorized for access as: root / admin / netadmin / audit / user. Defines which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication > Local Users on page 132. The netadmin and audit authorization levels relate to access rights with the Innominate Device Manager.

6.2.3 Management > Licensing

Overview

[Screenshot: Management > Licensing > Overview. mGuard Flash ID 000b000a40ffc77b. AntiVirus License: Antivirus license installed. Feature License: License with priority 1148898187:]
licence_id 0
licence_date 2006-05-29T10:23:07
flash_id 000b000a40ffc77b
serial_number 16529003
hardware_revision 00000dee
licence_order 264
product_code 51033
vpn_channels 1
l2tp_server 1
snmp 1
remote_syslog 1
mau_management ...

Note: From mGuard version 5.0 onwards, licenses also remain installed after the firmware is flashed. Licenses are still deleted when devices with older firmware versions are flashed to version 5.0.0 or higher. Before flashing, the license for use of the new update must be obtained so th
41. ... [signature bytes of the example certificate]

The Subject Distinguished Name (or Subject) clearly identifies the certificate owner. The entry is comprised of several components. These are known as attributes (see example certificate above). The following table contains a list of possible attributes. The sequence of attributes in an X.509 certificate can vary.

Abbreviation | Name | Explanation
CN | Common Name | Identifies the person or object that the certificate belongs to. Example: CN=server1
E | E-mail address | Shows the e-mail address of the certificate owner
OU | Organizational Unit | Shows the department within an organization or company. Example: OU=Development
O | Organization | Shows the organization or company. Example: O=Innominate
L | Locality | Shows the place (locality). Example: L=Hamburg
ST | State | Shows the federal state (county). Example: ST=Bavaria
C | Country | Two-letter code that identifies the country (Germany = DE). Example: C=DE

A filter can be set for the s
42. ... in each case. Factory default: 500. These two settings define upper limits for allowed incoming and outgoing ARP requests per second. These are set to a level that can never be reached during normal operation. However, they can be reached easily when attacks occur, thus giving additional protection. If special requirements are present in your operating surroundings, then these values can be increased.

6.6.4 Network Security > User Firewall

User Firewall Templates

The user firewall is used exclusively by firewall users, i.e. users that are registered as firewall users (see Authentication > Firewall Users on page 134). Each firewall user can be assigned a set of firewall rules, also called a template.

Note: The anti-virus function (see Web Security > HTTP on page 167, Web Security > FTP on page 170, E-mail Security > POP3 on page 173, E-mail Security > SMTP on page 176) has priority over the firewall rules defined here and can partially override them. This behavior can be overridden in the Network Security > Packet Filters, Advanced menu by setting the option "Connections scanned for viruses are subject to firewall rules" (see Advanced, AntiVirus Scanning on page 155).

All defined user firewall templates are listed here. A template can consist of several firewall rules. A template can be
43. ... external network. Example: The mGuard is connected to network 192.168.0.0/24 using the LAN port and to network 10.0.0.0/24 using the WAN port. By using 1:1 NAT, the LAN computer with the IP 192.168.0.8 can be reached under the IP 10.0.0.8 in the external network.

[Figure: 192.168.0.8 in network 192.168.0.0/24 (LAN) is mapped to 10.0.0.8 in network 10.0.0.0/24 (WAN).]

Factory default: 1:1 NAT is not active.

You have the following options:
Local network: The network address on the LAN port.
External network: The network address on the WAN port.
Netmask: The netmask as a value between 1 and 32 for the local and external network address (see also CIDR (Classless Inter-Domain Routing) on page 224).
Comment: Can be filled with relevant comments.

Port Forwarding

[Screenshot: Network Security > NAT > Port Forwarding rule list. Example row: Protocol TCP, From IP 0.0.0.0/0, Incoming on IP extern, Redirect to IP 192.168.66.1, Log No. "These rules let you forward traffic targeted to the mGuard to another machine without modifying the source address. The column 'Incoming on IP' accepts the special value 'extern' as the mGuard's first external IP. Please note: These rules won't apply to the Stealth mode."]

Lists the rules set for port forwarding (DNAT, Destination NAT). Port forwarding performs the following: the headers of incoming data packets from the external network which are addressed to the mGuard's external IP address (or one of its external I
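The netmask table and the 1:1 NAT example above, as an added Python example (not code from the manual or from Innominate): it converts netmasks to CIDR prefixes, rejecting non-contiguous masks, and rewrites single addresses under a 1:1 NAT rule such as 192.168.0.0/24 to 10.0.0.0/24; the network values are constructed for the demonstration.

```python
"""Netmask/CIDR conversion and 1:1 NAT rewriting for the mGuard examples.

Added example, not code from the mGuard manual or from Innominate. It
reproduces the manual's netmask-to-CIDR table programmatically and applies
the 1:1 NAT example (LAN 192.168.0.0/24 mapped to 10.0.0.0/24, netmask /24)
to individual addresses. The network values used below are constructed
for the demonstration.
"""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def netmask_to_prefix(netmask: str) -> int:
    """Return the CIDR prefix length (0..32) for a dotted IPv4 netmask.

    Only contiguous masks are valid: a run of 1 bits followed only by 0 bits.
    A mask such as 255.0.255.0 would silently break NAT/firewall matching,
    so it is rejected instead of being "approximately" converted.
    """
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if value != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return ones


def prefix_to_netmask(prefix: int) -> str:
    """Inverse of netmask_to_prefix: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def netmask_table() -> List[Tuple[str, str, int]]:
    """(netmask, binary, cidr) rows from /32 down to /0, like the manual's table."""
    rows = []
    for prefix in range(32, -1, -1):
        mask = prefix_to_netmask(prefix)
        binary = " ".join(f"{int(octet):08b}" for octet in mask.split("."))
        rows.append((mask, binary, prefix))
    return rows


def nat_1to1(addr: str, local_net: str, external_net: str,
             netmask_bits: int, direction: str) -> str:
    """Rewrite one address under a 1:1 NAT rule.

    direction "out": a LAN address is rewritten to its counterpart in the
    external network (how the WAN side sees the host).
    direction "in":  an external address is mapped back to the LAN host.
    Only the network part changes; the host bits are kept. An address outside
    the rule's network is returned unchanged because the rule does not apply.
    """
    local = ipaddress.IPv4Network(f"{local_net}/{netmask_bits}", strict=False)
    external = ipaddress.IPv4Network(f"{external_net}/{netmask_bits}", strict=False)
    if direction == "out":
        src, dst = local, external
    elif direction == "in":
        src, dst = external, local
    else:
        raise ValueError("direction must be 'in' or 'out'")
    ip = ipaddress.IPv4Address(addr)
    if ip not in src:
        return addr
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.IPv4Address(int(dst.network_address) + host_bits))


if __name__ == "__main__":
    for mask, binary, cidr in netmask_table():
        print(f"{mask:<16} {binary}  /{cidr}")
    # The manual's example: LAN host 192.168.0.8 is reachable as 10.0.0.8.
    print(nat_1to1("192.168.0.8", "192.168.0.0", "10.0.0.0", 24, "out"))
```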
44. ... for the connection.

[Screenshot: IPsec VPN > Connections, General. A descriptive name for the connection; Enabled: Yes; Address of the remote site's VPN gateway (either an IP address, a hostname, or %any for any IP, multiple clients or clients behind a NAT gateway); Connection startup; Transport and Tunnel Settings (Transport: only in Stealth mode).]

Options

A descriptive name for the VPN connection: You can name or rename the connection as desired. If several connection channels are defined below under Transport and Tunnel Settings, then this name applies to the whole set of VPN connection channels summarized under this name. Similarities between VPN connection channels:
- Same authentication procedure as defined under the Authentication tab (see Authentication on page 190)
- Same firewall settings
- Same IKE option settings

Enabled: Yes/No. Defines whether the VPN connection channels should be completely active (Yes) or not (No).

Address of the remote site's VPN gateway: An IP address, hostname or %any for several remote peers or remote peers behind a NAT router. [Figure: Internet, VPN gateway of the remote peer.] The address of the gateway to the private network where the remote communication partner can be found. If the mGuard should actively initiate and set up the connection to the remote peer, or if the device is in Stealth mode, enter the IP address or the hostname of the remote peer here.
45. ... for the firewall:
- All incoming connections are rejected (except VPN).
- Data packets of all outgoing connections are passed through.

Firewall rules have an effect on the firewall that is constantly active, with the exception of VPN connections. Individual firewall rules are defined for VPN connections (see IPsec VPN > Connections, Firewall on page 196).

User firewall: If a user logs in with defined firewall rules, then these take priority. After this, the constantly active firewall rules then come into effect (see Network Security > User Firewall on page 163).

Note: The anti-virus function (see Web Security > HTTP on page 167, Web Security > FTP on page 170, E-mail Security > POP3 on page 173, E-mail Security > SMTP on page 176) has priority over the firewall rules defined here and can partially override them. This behavior can be overridden in the Network Security > Packet Filters, Advanced menu by setting the option "Connections scanned for viruses are subject to firewall rules" (see Advanced, AntiVirus Scanning on page 155).

Note: If multiple firewall rules are set, they will be searched in the order in which they are listed (top down) until a suitable rule is found. This rule is then applied. If there are other suitable rules further down the list, then these are ignored.

Incoming Rules

Network Security > Packet Filter > Incomi
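The top-down, first-match evaluation and the user-firewall precedence described above, as an added Python example (not mGuard code): it evaluates simplified packet-filter rules in list order, consults a logged-in user's template before the constantly active rules, and flags rules that an earlier, broader rule makes unreachable; all rule and packet values are constructed.

```python
"""First-match evaluation of mGuard-style packet-filter rules.

Added example, not mGuard code. It models what the manual states for
Network Security > Packet Filters: rules are searched top-down, the first
suitable rule is applied and later matches are ignored; a logged-in firewall
user's template is consulted before the constantly active rules; incoming
traffic that matches nothing is rejected. Rule columns are simplified
(protocol, source network, destination network, destination port, action)
and all rule and packet values below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str           # "TCP", "UDP", "ICMP" or "all"
    from_net: str           # source network in CIDR notation, e.g. "0.0.0.0/0"
    to_net: str             # destination network in CIDR notation
    to_port: Optional[int]  # destination port, None = any
    action: str             # "Accept", "Drop" or "Reject"
    comment: str = ""

    def matches(self, protocol: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.from_net):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.to_net):
            return False
        return self.to_port is None or self.to_port == dport


def first_match(rules: List[Rule], protocol: str, src: str, dst: str,
                dport: Optional[int], default: Optional[str]) -> Tuple[Optional[str], Optional[int]]:
    """Top-down search: return (action, rule index) of the first matching rule,
    or (default, None) when no rule applies."""
    for index, rule in enumerate(rules):
        if rule.matches(protocol, src, dst, dport):
            return rule.action, index
    return default, None


def decide_incoming(user_rules: List[Rule], general_rules: List[Rule], protocol: str,
                    src: str, dst: str, dport: Optional[int]) -> Tuple[str, str, Optional[int]]:
    """User-firewall template first, then the constantly active incoming rules.

    Returns (action, "user" or "general", index). The incoming default is
    Reject, as the manual gives for the factory setting.
    """
    action, index = first_match(user_rules, protocol, src, dst, dport, default=None)
    if action is not None:
        return action, "user", index
    action, index = first_match(general_rules, protocol, src, dst, dport, default="Reject")
    return action, "general", index


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire: an earlier rule already matches a
    superset of their traffic, so the top-down search stops there first."""
    shadowed = []
    for index, later in enumerate(rules):
        later_from = ipaddress.ip_network(later.from_net)
        later_to = ipaddress.ip_network(later.to_net)
        for earlier in rules[:index]:
            covers = (
                earlier.protocol in ("all", later.protocol)
                and later_from.subnet_of(ipaddress.ip_network(earlier.from_net))
                and later_to.subnet_of(ipaddress.ip_network(earlier.to_net))
                and earlier.to_port in (None, later.to_port)
            )
            if covers:
                shadowed.append(index)
                break
    return shadowed


# Constructed rule set: rule 2 is unreachable because rule 1 drops all of 10/8 first.
INCOMING_RULES = [
    Rule("TCP", "0.0.0.0/0", "192.168.1.0/24", 443, "Accept", "HTTPS to internal web server"),
    Rule("all", "10.0.0.0/8", "192.168.1.0/24", None, "Drop", "drop everything from 10/8"),
    Rule("TCP", "10.1.2.0/24", "192.168.1.0/24", 22, "Accept", "SSH from admin net (shadowed)"),
]

# Constructed user-firewall template for a logged-in firewall user.
ADMIN_TEMPLATE = [
    Rule("TCP", "10.1.2.0/24", "192.168.1.0/24", 22, "Accept", "admin SSH"),
]


if __name__ == "__main__":
    print("shadowed rule indices:", shadowed_rules(INCOMING_RULES))
    print(decide_incoming([], INCOMING_RULES, "TCP", "10.1.2.5", "192.168.1.10", 22))
    print(decide_incoming(ADMIN_TEMPLATE, INCOMING_RULES, "TCP", "10.1.2.5", "192.168.1.10", 22))
```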
46. ... it in person. Once successfully authenticated, the CA adds its digital signature to the issuer's public key. This results in a certificate. An X.509 v3 certificate is thus comprised of a public key, information about the key owner (given as Distinguished Name (DN), authorized usage, etc.) and the signature of the CA.

Subject certificate: The signature is created as follows. The CA creates an individual bit sequence, known as the HASH value, from the bit sequence of the public key, owner information and other data. This sequence may be up to 160 bits long. The CA then encrypts this with its own private key and then adds it to the certificate. The encryption with the CA's private key proves the authenticity of the certificate, i.e. the encrypted HASH string is the CA's digital signature. If the certificate data is altered, then this HASH value will no longer be correct and the certificate is then worthless. The HASH value is also known as the fingerprint. Since it is encrypted with the CA's private key, anyone who has the corresponding public key can decrypt the bit sequence and thus verify the authenticity of the fingerprint or signature.

The usage of a certification authority means it is not necessary for key owners to know each other. They must only know the certification authority used in the process. The additional key information further simplifies administration of the key. X.509 certificates can be used for e-mail encryption with S/M
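The hash-then-sign procedure described above, as an added Python example (not the manual's or Innominate's code): the CA hashes the subject data into a 160-bit fingerprint, transforms it with its private key, and a holder of the public key recovers and compares it, so that any altered attribute invalidates the certificate; the RSA key is a fixed toy key built from two Mersenne primes without padding, and the subject and public key bytes are constructed.

```python
"""Hash-then-sign, as the manual describes it for X.509 certificates.

Added example, not Innominate's code. The CA hashes the "to be signed" data
(subject DN plus the owner's public key) into a 160-bit SHA-1 fingerprint,
transforms that fingerprint with its private key to form the signature, and
anyone holding the CA's public key can undo the transformation and compare.
The RSA key is a deliberately tiny textbook key built from two fixed Mersenne
primes and used without padding, so the arithmetic stays readable; it shows
the mechanism the manual describes and is not a usable signature scheme.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict

# Fixed toy primes 2^61-1 and 2^107-1: the 168-bit modulus is just large
# enough to hold a 160-bit SHA-1 digest interpreted as an integer.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 107) - 1
TOY_E = 65537


@dataclass(frozen=True)
class CAKey:
    n: int   # modulus, public
    e: int   # public exponent
    d: int   # private exponent, known only to the CA


def make_ca_key() -> CAKey:
    """Derive the toy CA key pair from the fixed primes."""
    phi = (TOY_P - 1) * (TOY_Q - 1)
    return CAKey(n=TOY_P * TOY_Q, e=TOY_E, d=pow(TOY_E, -1, phi))


def to_be_signed(subject: Dict[str, str], public_key_hex: str) -> bytes:
    """Serialize the certificate body: DN attributes (CN, O, L, C, ...) and the
    owner's public key. Real certificates use DER; a fixed text form suffices
    here because only its byte-exact integrity matters."""
    dn = ",".join(f"{attr}={value}" for attr, value in subject.items())
    return f"{dn}|{public_key_hex}".encode()


def fingerprint(body: bytes) -> bytes:
    """The 'HASH value' / fingerprint: SHA-1 over the body (160 bits)."""
    return hashlib.sha1(body).digest()


def ca_sign(key: CAKey, body: bytes) -> int:
    """The CA applies its private exponent to the fingerprint: the signature."""
    h = int.from_bytes(fingerprint(body), "big")
    return pow(h, key.d, key.n)


def verify(key: CAKey, body: bytes, signature: int) -> bool:
    """Anyone with (n, e) recovers the fingerprint from the signature and
    compares it with a freshly computed hash of the body. Any altered byte in
    the body, or a forged signature, makes the comparison fail."""
    recovered = pow(signature, key.e, key.n)
    return recovered == int.from_bytes(fingerprint(body), "big")


# Constructed example subject, using the attributes listed in the manual.
EXAMPLE_SUBJECT = {"CN": "server1", "O": "Innominate", "L": "Hamburg", "C": "DE"}
EXAMPLE_PUBKEY_HEX = "00" * 32  # constructed placeholder for the owner's public key bytes


if __name__ == "__main__":
    ca = make_ca_key()
    body = to_be_signed(EXAMPLE_SUBJECT, EXAMPLE_PUBKEY_HEX)
    sig = ca_sign(ca, body)
    print("fingerprint:", fingerprint(body).hex())
    print("valid:", verify(ca, body, sig))
    tampered = to_be_signed({**EXAMPLE_SUBJECT, "CN": "server2"}, EXAMPLE_PUBKEY_HEX)
    print("tampered valid:", verify(ca, tampered, sig))
```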
47. ... level. At the same time, a slower data transfer by FTP or e-mail does not threaten the overall success of the transfer (file or e-mail transfer).

6.10.1 Ingress Filter

An Ingress Filter prevents the processing of certain data packets by filtering and dropping them before they enter the processing mechanism. The mGuard can use an Ingress Filter to avoid processing data packets that are not needed in the network. This results in quicker processing of the remaining, required data packets. Using suitable filter rules, administrative access to the mGuard can be ensured with high probability. Packet processing on the mGuard is generally defined by the handling of individual data packets, so that the processing performance depends on the number of packets and not on bandwidth.

Filtering is only made according to characteristics that are present in each data packet: the sender's IP address in the header, Ethernet protocol, IP protocol, TOS/DSCP value and/or the VLAN ID (if VLAN has been configured). As the list of filter rules must be applied to each individual data packet, it should be kept as short as possible. Otherwise the time spent on filtering could be longer than the time saved by setting the filter itself. Please note that not all filter criteria can be combined. For example, it does not make sense to enter an additional IP protocol in the same rule record as the ARP Ethernet protocol. This also applies to the entry of a sender or recipient
48. ... license until further notice.

Local Update
Filename: To install the packages, proceed as follows:
1. Click on the Browse button. Select the file and open it so that the file name or path is displayed in the Filename field. The file name should have the following format: update-a.b.c-d.e.f.default.tar.gz
2. Click on the Install Packages button.

Online Update: To perform an online update, please proceed as follows:
1. Ensure that at least one valid entry exists under Update Server. You should have received the necessary details from your licensing authority.
2. Enter the package set name, e.g. update-4.0.x-4.1.0.
3. Click on the Install Package Set button.

Automatic Update: This is a variation of the online update where the mGuard independently determines the required package set name.
Install the latest patch release (x.y.Z): Patch releases resolve errors in previous versions and have a version number which only changes in the third digit position, e.g. 4.0.1 is a patch release for version 4.0.0.
Install the latest minor release (x.Y.z) for the current installed major version / Install the next major release (X.y.z): Minor and major releases supplement the mGuard with new features or contain modifications in mGuard behavior. Their version number changes in the first and second digit position, e.g. 4.1.0 is a major or minor release for versions 3.1.0 or 4.0.1.

Update Servers
H
must be set to Yes.

VLAN ID: A VLAN ID between 1 and 4095. An explanation of the term VLAN can be found on page 239.

If you want to delete entries from the list, please note that the first entry cannot be deleted.

Additional External Routes

In addition to the default route over the default (standard) gateway (see below), you can define additional external routes.

Network / Gateway: See also Network Example on page 225.

IP of default gateway: The IP address of a device in the local network (connected to the LAN port) or in the external network (connected to the WAN port) can be specified here. If the mGuard establishes the transition to the Internet, this IP address is designated by the Internet Service Provider (ISP). If the mGuard is utilized within the LAN, the IP address of the default gateway is designated by the network administrator.

Note: If the local network is not known to the external router (e.g. in case of configuration by DHCP), enter the address of your local network under Network Security > NAT, in other words 0.0.0.0/0 (see Network Security > NAT on page 158).

Internal Networks: Configuration of the internal network is described under Network Mode > Router, PPPoE, PPTP or Modem / Built-in Modem on page 116.

Network Mode > PPPoE

When the PPPoE network mode is selected
network. After Built-in Modem is selected, the text fields used for the definition of modem connection parameters are displayed.

Modem (only mGuard industrial RS without a built-in modem, mGuard blade, EAGLE mGuard, mGuard delta)

If the Modem network mode is selected, the WAN interface of the mGuard is deactivated and data transfer to and from the WAN is made over the serial port of the mGuard (external access). An external modem that establishes the connection to the telephone network is connected to the serial port. Internet connection is then made over the telephone network using the external modem.

Note: The device reboots automatically when the network mode is changed to or from Stealth mode.

Note: If the address of the mGuard is changed (e.g. by changing the network mode from Stealth to Router), the device is only accessible under the new address. When the change is made over the LAN port, a message is displayed with the new address before the change becomes active. When the configuration is changed over the WAN port, you will not receive feedback from the mGuard.

Note: If you set the mode to Router, PPPoE or PPTP and then change the internal IP address and/or the local netmask, ensure the correct values are entered. Otherwise the mGuard may no longer be accessible.

Network Mode > Network Interfaces

Stealth (factory default)
notation (see CIDR (Classless Inter-Domain Routing) on page 224). 0.0.0.0/0 means all addresses.

Interface: Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port).

Action: Possible settings:
- Accept
- Reject
- Drop

Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop. Drop means that data packets may not pass through; data packets are discarded and the sender is not informed of their whereabouts. In Stealth mode, Reject is not supported as an action.

Comment: Freely selectable comment for this rule.

Log: For each individual firewall rule, you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).

Trap

Screenshot of Management > SNMP > Trap; the visible settings are:
Basic traps: SNMP authentication: Yes; Link Up/Down: Yes; Coldstart: Yes; Admin access (SSH, HTTPS, new DHCP client): Yes
Anti-Virus traps: Successful update of AV pattern; AV update or scanning problem; Found virus or skipped scanning
Redundancy traps: Status change
Userfirewall traps: Userfirewall traps
VPN traps: IPsec connection status changes; L2TP connection status changes
Trap desti
of a network connection over LAN or WAN. The LEDs are extinguished briefly when data packets are transferred.

3.2 mGuard smart

Rescue button: Located in the opening. Can be pressed with a straightened paper clip.

LEDs (LED 1, LED 2, LED 3): color, state, meaning:
- LED 2, red/green flashing: Boot process. After connecting the device to the power supply. The LED switches to heartbeat mode after a few seconds.
- LED 2, green flashing: Heartbeat. The device is correctly connected and functioning.
- LED 2, red flashing: System error. Reboot the system: press the Rescue button briefly (1.5 seconds) OR disconnect the device from its power supply briefly and then reconnect it. If the error continues to occur, start the Recovery procedure (see Performing a recovery on page 226) or contact the support department.
- LED 1 and 3, green, on or flashing: Ethernet status. LED 1 shows the status of the LAN port, LED 3 shows the status of the WAN port. As soon as the device is connected, the LEDs are illuminated continuously to indicate the presence of a network connection. The LEDs are extinguished briefly when data packets are transferred.
- LED 1, 2, 3, various LED illumination codes: Recovery mode. After pressing the Rescue button. See The Rescue Button (Restarting, the Recovery Procedure and Flashing Firmware) on page 226.

Control
procedure (see Performing a recovery on page 226) or contact the support department.
- WAN green / LAN green, on or flashing: Ethernet status. Shows the status of the LAN and WAN interface. As soon as the device is connected, the LEDs are illuminated continuously to indicate the presence of a network connection. The LEDs are extinguished briefly when data packets are transferred.
- WAN green, WAN red, LAN green, various LED illumination codes: Recovery mode. After pressing the Rescue button. See The Rescue Button (Restarting, the Recovery Procedure and Flashing Firmware) on page 226.

3.5 EAGLE mGuard

Front elements: Power supply 1 (P1), STATUS, Power supply 2 (P2), FAULT, Link Status/Data 1 (LAN), Link Status/Data 2 (WAN), Serial V.24, Rescue button, Ethernet LAN, USB, Ethernet WAN, Serial V.24, grounding connection.

LEDs: state, meaning:
- P1, P2, green: Power supply 1 or 2 is active.
- STATUS, green flashing: The mGuard is booting.
- STATUS, green: The mGuard is ready.
- STATUS, yellow: The mGuard is ready and is Redundancy Master.
- STATUS, yellow/green flashing: The mGuard is ready and is Redundancy Slave.
- FAULT, red: The signal contact is open after an error. See Installing the EAGLE mGuard on page 31 under Signal contact.
- LS/DA 1, 2 and V.24: green: Link detected; yellow flashing: Data transfer.

3.6 mGuard delta
provider selected above.

DynDNS Login / DynDNS Password: Enter the user name and password assigned by the DynDNS provider here.

DynDNS Hostname: The name selected for this mGuard at the DynDNS service, providing you use a DynDNS service and have entered the corresponding data above. Your computer connected to the mGuard is then accessible under this hostname.

6.4.3 Network > DHCP

The Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign the appropriate network configuration to the clients connected to the mGuard. Under Internal DHCP you can configure the settings for the internal interface (LAN port), and under External DHCP the settings for the external interface (WAN port). The DHCP server is also operational in Stealth mode.

Note: IP configuration for Windows clients. When you start the mGuard DHCP server, you can configure the connected clients so that they obtain IP addresses automatically. If you are using Windows XP, click on Start, Control Panel, Network Connections. Right-click on the LAN adapter icon, then click on Properties in the pop-up menu. In the LAN connection properties (local network), on the General tab, select Internet Protocol (TCP/IP) under This connection uses the following items and then click on the Properties button. Make the appropriate entries or settings in the Internet Protocol (TCP/IP) Properties text field.

Internal / External Network DHCP
safety extra-low voltage (SELV/PELV), decoupled redundant entries, max. 5 A. Buffer time: min. 10 ms at 24 V DC.

Redundant power supply: Redundant power supplies are supported. Both inputs are decoupled. There is no load distribution. With a redundant supply, only the power supply unit with the higher output voltage supplies the mGuard industrial RS. The supply voltage is electrically isolated from the housing.

Note: In case of a non-redundant voltage supply, the mGuard industrial RS indicates the failure of the supply voltage over the signal contact (see below). You can prevent this message by connecting the supply voltage to both inputs.

Network connection

Safety notice: Only connect LAN installations to the network connections. Some communication connection points also use RJ45 sockets or connectors; do not connect these here.

LAN Port: Connect the local computer or network to the mGuard LAN port using a UTP ethernet cable (CAT 5). If the computer is already connected to a network, then patch the mGuard between the existing network connections. Please note that initial configuration can only be made over the LAN interface. The mGuard industrial RS firewall rejects all IP traffic from the WAN to the LAN interface.

WAN Port: Socket for connection to an external network, e.g. WAN, Internet. Connections to the remote device or network are established over this network. Use a UTP cable (CAT 5).

Note: Addition
system or network where remote access is permitted in this field. You have the following options:
- IP address: 0.0.0.0/0 means all addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).

Interface (External OR Internal): Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port). Factory default: all connections for the external interface are dropped; all connections for the internal interface are accepted.

Action: Possible settings:
- Accept
- Reject
- Drop

Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop. Drop means that data packets may not pass through; data packets are discarded and the sender is not informed of their whereabouts. In Stealth mode, Reject is not supported as an action.

Comment: Freely selectable comment for this rule.

Log: For each individual firewall rule, you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).

X.509 Authentication

Enable X.509 certificates for SSH access: Yes / No. If No is selected, then only normal authentication procedures (user name and password, or priv
the connected local client computers. In other words, the address entered for the standard gateway must be the IP address of the mGuard LAN port. If the mGuard is operated in PPPoE mode, NAT must be activated in order to gain access to the Internet (see Network Security > NAT on page 158). If NAT is not activated, then only VPN connections may be used.

PPTP

Similar to the PPPoE mode. In Austria, for example, PPTP is used instead of the PPPoE protocol for DSL connections. PPTP is the protocol that was originally used by Microsoft for VPN connections. If the mGuard is operated in PPTP mode, it must be set as the standard gateway in the connected local client computers. In other words, the IP address of the mGuard LAN port must be entered as standard gateway. If the mGuard is operated in PPTP mode, NAT should be activated in order to gain access to the Internet from the local network (see Network Security > NAT on page 158). If NAT is not activated, then only VPN connections can be used.

Built-in Modem (only used for mGuard industrial RS with built-in modem or ISDN terminal adaptor)

If the Built-in Modem network mode is selected, the WAN interface of the mGuard is deactivated and data transfer to and from the WAN is made over the modem or ISDN terminal adaptor installed in the mGuard. This must be connected to the telephone network (landline). Internet connection is then made over the telephone
the mGuard does not appear as an individual device with an address for data traffic to and from the computer.

Note: It is not possible to use PPPoE or PPTP in Stealth mode.

Router mode in Power-over-PCI mode

Figure: network card (192.168.1.2) connected to the mGuard PCI (192.168.1.1); the mGuard's external IP faces the WAN.

If the mGuard is in Router mode (or PPPoE or PPTP mode), then the mGuard and the network card connected to its LAN socket (either in the same or in different computers) function as an individual network. This means the following for the IP configuration of the network interface on the computer operating system: this network interface must be assigned an IP address that is different to the IP address of the mGuard (according to the factory default, 192.168.1.1). A third IP is used for the mGuard interface to the WAN. Connection to an external network (e.g. Internet) is made using this IP.

4.6.2 Hardware installation

1. Rescue button
2. Jumper for activating/deactivating the driver mode
3. LAN port. Deactivated in driver mode. In Power-over-PCI mode, the network card is connected to the same or another protected computer or network.
4. WAN port. Connections to the remote network (e.g. Internet) are established over this interface. Incoming connections are blocked here according to the firewall default settings. Use a UTP cable (CAT 5).

Warning: Before handling the mGuard PC
the patch panel.

mGuard bladeBase: Provide the two front power supplies and the control unit with the handling plates P1, P2 and Ctrl (from left to right).
- Connect both power supplies on the back of the mGuard bladeBase with 100 V or 220-240 V.
- Switch both power supplies on.
- The LEDs on the front of the power supplies should now light up green.

Note: It is very important to ensure sufficient air circulation for the bladePack. When stacking several bladePacks, one or more rack-mount fan trays must be installed to discharge the accumulated warm air.

Installing the mGuard blade:
- Loosen the upper and lower screw of the faceplate or mGuard blade to be replaced.
- Remove the faceplate or pull out the old mGuard blade.
- Insert the new mGuard blade and circuit board into the plastic guides and push until it is completely installed in the mGuard bladeBase.
- Secure the mGuard blade by tightening the screws lightly.
- Replace the empty handling plate with the suitable number from the mGuard bladeBase accessories, or replace it with the plate of the old mGuard blade. To do this, pull or push in a sideways motion.

The mGuard bladeBase does not need to be switched off during installation or deinstallation of an mGuard blade.

Control unit (CTRL slot): The CTRL slot can be found directly next to both power supplies. An mGuard blade operated here works as a controller for all other mGuard blades. During the first installa
the scan engine. If monitoring is activated for at least one protocol, the status is displayed as up.

Last AntiVirus Update: Displays the version number and creation date of the virus signature.

AntiVirus Update Status: Displays if antivirus updates are activated, if the database update is being processed, and if updates are blocked due to expiry of the antivirus license.

Update

Package Versions: Lists the individual software modules of the mGuard. Can be used for support purposes.

Screenshot of Management > Update; the visible fields are:
Local Update: Filename (Browse), Install Packages. The filename of the package set has the extension tar.gz. The format of the filename you have to enter is update-a.b.c-d.e.f.tar.gz
Online Update: Package set name, Install Package Set
Automatic Update:
- Install the latest patch release (x.y.Z): Install latest patches
- Install the latest minor release (x.Y.z) for the currently installed major version: Install latest minor release. Note: It might be possible that there is no direct update from the currently installed version to the latest published minor release available. Therefore, after updating the system to a new minor release, press this button again until you receive the message that there is no newer update available.
- Install the next major release (X.y.z): Install next major version. Note: It might be possible that there is no direct upd
the subject in the certificate is then no longer needed.

Limitation to certain subjects (individuals) or to subjects that have certain attributes: In the certificate, the certificate owner is entered in the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an Object Identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a relevant value. Example: CN=John Smith, O=Smith and Co, C=UK

If certain subject attributes have very specific values for the acceptance of the user by the mGuard, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the wildcard *. Example: CN=*, O=*, C=UK (with or without empty spaces between attributes). In this example, the attribute C=UK must be entered in the certificate under Subject. Only then does the mGuard accept the certificate owner (subject) as a communication partner. The other attributes in the certificates to be filtered can have freely selectable values.

If a subject filter is set, the number (but not the sequence) of the entered attributes must correspond to those of the certificates where the filter is to be used. Pay attention to capitalization.

Several filters can be set. Pay attention to the sequence.

With HTTPS, the browser of the accessing user does not specify with which user or administrat
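The subject-filter rules above (same number of attributes, sequence irrelevant, case-sensitive comparison, wildcard for free values, first matching filter decides) as a small matcher. This is an added example for illustration, not mGuard firmware code; it assumes subjects in the textual CN=..., O=..., C=... form shown in the manual and treats * as the wildcard character.

```python
"""Subject filter matching for X.509 client certificates, following the rules
in the mGuard manual: equal number of attributes, order irrelevant,
case-sensitive comparison, '*' accepts any value for an attribute.

Added example, not mGuard code. Subjects use the textual
'CN=John Smith, O=Smith and Co, C=UK' form shown in the manual.
"""
from typing import Dict, List, Optional

WILDCARD = "*"  # assumption: the wildcard character stripped from the scanned page


def parse_subject(text: str) -> Dict[str, str]:
    """Split 'CN=John Smith,O=Smith and Co, C=UK' into {'CN': 'John Smith', ...}.

    Spaces around the separating commas are ignored, as the manual allows.
    Attribute names stay case-sensitive, so 'cn=' is not 'CN='.
    Simplification: a literal comma inside a value (RFC 4514 escaping) is
    not handled; such a subject would be split into too many attributes.
    """
    attrs: Dict[str, str] = {}
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed attribute: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip(), value.strip()
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = value
    return attrs


def subject_matches(filter_text: str, subject_text: str) -> bool:
    """True when the certificate subject is accepted by one filter string."""
    flt = parse_subject(filter_text)
    subj = parse_subject(subject_text)
    # The number of attributes must agree; their sequence may differ.
    if len(flt) != len(subj):
        return False
    for name, wanted in flt.items():
        if name not in subj:
            return False
        # Exact, case-sensitive comparison unless the filter holds the wildcard.
        if wanted != WILDCARD and subj[name] != wanted:
            return False
    return True


def first_matching_filter(filters: List[str], subject_text: str) -> Optional[int]:
    """Several filters may be set; the first one that matches decides.
    Returns its index, or None when no filter accepts the subject."""
    for idx, flt in enumerate(filters):
        if subject_matches(flt, subject_text):
            return idx
    return None


if __name__ == "__main__":
    # Constructed sample: the manual's example filter against two subjects.
    print(subject_matches("CN=*, O=*, C=UK", "CN=John Smith, O=Smith and Co, C=UK"))
    print(subject_matches("CN=*, O=*, C=UK", "CN=John Smith, O=Smith and Co, C=uk"))
```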
to change the network interface of the local computer accordingly.

5.2.2 mGuard delta

After initial delivery, resetting to the factory defaults or flashing the mGuard, the mGuard delta is found on the LAN interfaces 4 to 7 under the address 192.168.1.1 within the network 192.168.1.0/24. You may need to adjust the configuration of your computer to access the necessary interface.

If you are using Windows XP: Click on Start, Control Panel, Network Connections. Right-click on the icon of the LAN adapter so that the pop-up menu appears. Click on Properties. In the Properties of LAN connections (local network), on the General tab, select Internet Protocol (TCP/IP) under This connection uses the following items. Then click on Properties so that the following window is displayed.

Screenshot: Internet Protocol (TCP/IP) Properties, General tab. "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.1.2, Subnet mask 255.255.255.0, Default gateway 192.168.1.1. Use the following DNS server addresses: Preferred DNS server, Alternate DNS server.

First select Use the following IP address and then enter the following addresses, for example: IP address 192.16
user enters during login (user name, password).

Comment: Optional explanatory text.

Timeout (standard: 28800): Indicates the time in seconds at which point the firewall rules are deactivated. If the user session lasts longer than the timeout time defined here, the user has to log in again.

Timeout type (static / dynamic): With a static timeout, users are logged out automatically as soon as the specified timeout expires. With a dynamic timeout, users are logged out automatically after all connections are closed by the user or have expired on the mGuard, and the timeout has elapsed. An mGuard connection expires when no data is sent for the connection over the following periods:

Protocol: Connection expiration period after non-usage
- TCP: 5 days. This value is configurable (see Timeout for established TCP connections on page 156). 120 additional seconds are added after connection closure. This also applies to connections closed by the user.
- UDP: 30 seconds after data traffic in one direction; 180 seconds after data traffic in both directions.
- ICMP: 30 seconds.
- Other: 10 minutes.

Template users (Network Security > User Firewall > remote service > Users)

Users: Enter the user names here. The names must correspond to those that have been defined in User Authentication > Firewall Users (for more information, see A
virus filter:
- The anti-virus license has been installed. Instructions on how to request and install a license can be found under the section Management > Licensing on page 75.
- Access to an update server with the current versions of the virus signatures (see section Management > Update on page 77).

Screenshot of Email Security > SMTP Virus Protection; the visible fields are: Enable content scanning for SMTP (Outgoing): yes; SMTP maximum filesize for scanning in bytes; Action for mails exceeding maximum message size: Let message pass unscanned; Servers table with columns server, server port, comment, Enable scan, first row 0.0.0.0/0, 25, Scan.

The SMTP protocol is used by the e-mail client or Mail Transfer Agent (MTA) for sending e-mails.
- The virus filter can only check unencrypted data for viruses. Therefore, encryption options such as TLS should not be activated.

If a virus or error is detected, a corresponding error code is sent to the e-mail client software and an entry is written in the anti-virus log. The intended recipient will receive neither the infected mail nor notification of it.

Enable content scanning for SMTP (Outgoing eMail): Yes / No. By selecting Yes, sent files are scanned for viruses by the mGuard if they are transferred via SMTP connections contained in the list of SMTP servers defined below.

SMTP maximum filesize for scanning in bytes (factory default: 5 MB): Specify the maximum siz
will then receive an appropriate notification.

6.13.2 Support > Advanced

Hardware: This page lists the hardware properties of the mGuard: CPU, CPU Family, CPU Stepping, CPU Clock Speed, System Uptime, User Space Memory, MAC 1, MAC 2, Product Name, OEM Name, OEM Serial Number, Serial Number, Flash ID, Hardware Version.

Snapshot: This will create a snapshot of the mGuard for support purposes. This function is used for support purposes. It creates a compressed file in tar.gz format containing all current configuration settings and log entries that could be relevant to error diagnosis.

Note: This file does not contain any private information such as the private machine certificate or passwords. However, any Pre-Shared Keys of VPN connections are contained in snapshots.

To create a snapshot, please proceed as follows:
1. Click on Download.
2. Save the file under the name snapshot.tar.gz. Provide the file for support purposes if required.

6.14 CIDR (Classless Inter-Domain Routing)

IP netmasks and CIDR are notations that combine several IP addresses into one address space. In this case, an address space with sequential addresses is treated as a network. To define a range of IP
Netmask | Binary | CIDR
(row continued) ...0000000 | 10
255.128.0.0 | 11111111 10000000 00000000 00000000 | 9
255.0.0.0 | 11111111 00000000 00000000 00000000 | 8
254.0.0.0 | 11111110 00000000 00000000 00000000 | 7
252.0.0.0 | 11111100 00000000 00000000 00000000 | 6
248.0.0.0 | 11111000 00000000 00000000 00000000 | 5
240.0.0.0 | 11110000 00000000 00000000 00000000 | 4
224.0.0.0 | 11100000 00000000 00000000 00000000 | 3
192.0.0.0 | 11000000 00000000 00000000 00000000 | 2
128.0.0.0 | 10000000 00000000 00000000 00000000 | 1
0.0.0.0 | 00000000 00000000 00000000 00000000 | 0

Example: 192.168.1.0 / 255.255.255.0 corresponds to CIDR 192.168.1.0/24

6.15 Network Example

The following sketch illustrates how IP addresses can be distributed in a local network with subnetworks, which network addresses result, and how the details regarding additional internal routes may look.

Sketch (recovered labels):
Internet. External address, e.g. 123.456.789.21, assigned by the ISP. mGuard in Router network mode; internal mGuard address 192.168.11.1.
Switch. Network A: network address 192.168.11.0/24, netmask 255.255.255.0.
Router: external IP 192.168.11.2, internal IP 192.168.15.254, netmask 255.255.255.0.
Network B: network address 192.168.15.0/24, netmask 255.255.255.0.
Router: external IP 192.168.15.1, internal IP 192.168.27.254, netmask 255.255.255.0.
Network C: network address 192.168.27.0/24, netmask 255.255.255.0.

Additional
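Netmask-to-CIDR conversion as in the table above, the 0.0.0.0/0 "all addresses" rule check used throughout the firewall pages, and a longest-prefix lookup over the Network Example's subnetworks, as an added example (not mGuard code). The route table is constructed from the sketch's addresses on the assumption that the mGuard reaches Network B and Network C via the first router's external IP 192.168.11.2.

```python
"""Netmask/CIDR helpers mirroring the manual's conversion table and Network Example.

Added example, not mGuard code. Standard library only (ipaddress).
"""
import ipaddress
from typing import Dict, Optional

# Constructed from the Network Example sketch: the mGuard (192.168.11.1) reaches
# Network B and Network C through the first router's external IP 192.168.11.2.
# Assumption for illustration; the manual's own route list is cut off on the page.
ADDITIONAL_INTERNAL_ROUTES: Dict[str, str] = {
    "192.168.15.0/24": "192.168.11.2",  # Network B
    "192.168.27.0/24": "192.168.11.2",  # Network C (router A forwards to router B)
}


def netmask_to_prefix(mask: str) -> int:
    """Dotted netmask -> CIDR prefix length (255.128.0.0 -> 9).

    Only masks that are a run of ones followed by zeros have a CIDR form;
    anything else (e.g. 255.0.255.0) is rejected instead of silently guessed.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted netmask: {mask!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    ones = f"{value:032b}".rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous netmask: {mask!r}")
    return len(ones)


def is_cidr_netmask(mask: str) -> bool:
    """True when the mask can be written as a /prefix."""
    try:
        netmask_to_prefix(mask)
        return True
    except ValueError:
        return False


def prefix_to_netmask(prefix: int) -> str:
    """CIDR prefix length -> dotted netmask (9 -> 255.128.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_netmask(prefix: int) -> str:
    """Binary column of the manual's table, e.g. '11111111 10000000 00000000 00000000'."""
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def to_cidr(network: str, mask: str) -> str:
    """'192.168.1.0' + '255.255.255.0' -> '192.168.1.0/24'.

    strict=True makes ipaddress reject a network address with host bits set
    (192.168.1.5/24), a common typo in firewall and route entries.
    """
    return str(ipaddress.ip_network(f"{network}/{netmask_to_prefix(mask)}", strict=True))


def rule_covers(rule_cidr: str, address: str) -> bool:
    """Does a firewall rule's From/To IP (CIDR) cover this address? 0.0.0.0/0 means all."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule_cidr, strict=False)


def next_hop(address: str, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match over additional internal routes. None means no route
    applies (the address is on the directly connected LAN or takes the default route)."""
    addr = ipaddress.ip_address(address)
    best_len = -1
    gateway: Optional[str] = None
    for cidr, gw in routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len, gateway = net.prefixlen, gw
    return gateway


if __name__ == "__main__":
    for p in range(10, -1, -1):  # the rows of the manual's table
        print(f"{prefix_to_netmask(p):15} {binary_netmask(p)} /{p}")
    print(to_cidr("192.168.1.0", "255.255.255.0"))
    print(next_hop("192.168.27.10", ADDITIONAL_INTERNAL_ROUTES))
```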
19.774 <install.p7s>: sent 4 blks, 2048 bytes in 1 s. 0 blk resent
26/11 09:41:20.786 Connection received from 192.168.10.200 on port 1024
26/11 09:43:17.053 Read request for file <jffs2.img.p7s>. Mode octet
26/11 09:43:17.053 <jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent
26/11 09:43:28.008 Current Action: <jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent

4. Click on the Tftp Server or DHCP Server tab and then click on the Settings button. Set the parameters as shown below.

Screenshot of the Tftpd32 Settings dialog; the visible settings are: Base Directory: current directory; Server interface: 192.168.10.1, Use Tftpd32 only on this interface; Global Settings: TFTP Server and DHCP Server enabled; DHCP server: IP pool starting address 192.168.10.200, Mask 255.255.255.0, Default router 0.0.0.0, WINS/DNS Server 0.0.0.0; TFTP configuration: Timeout 3 seconds, Tftp port 69.
RADIUS Servers 135
[illegible entry] 135
6.5.3 Authentication > Certificates 136
Creation of certificates 137
Authentication procedure 138
Certificate Settings 140
Machine Certificates 142
CA Certificates 144
Remote Certificates 145
[illegible entry] 147
6.6 Network Security Menu (not for blade controller) 148
6.6.1 Network Security > Packet Filter 148
Incoming Rules 148
Outgoing Rules 150
Sets of Rules 151
Set of Rules 152
MAC Filtering 154
Advanced 155
6.6.2 Network Security > NAT 158
Masquerading 158
Port Forwarding 159
6.6.3 Network Security > DoS Protection 161
Flood Protection 161
6.6.4 Network Security > User Firewall 163
User Firewall Templates 163
User Firewall
Screenshot of the log view; the visible entries are:
4500 Informational Exchange is for an unknow
34862 Webinterface: Failed login for root from 10.1.66.1
96631 Webinterface: Accepted login for root from 10.1.66.1
dynip: register: DynDNS.org: trying
292 dynip: register: no update needed at this time: success
Checkboxes: Common, IPsec VPN. Buttons: Reload logs, Jump to firewall rule.

The corresponding checkboxes for filtering entries according to category are displayed below the log entries, depending on which mGuard functions were active. To display one or more categories, enable the checkboxes for the desired categories and click the Reload logs button.

Common: Log entries which are not assigned to other categories.

Network Security: Logged events are shown here when the logging of firewall events was selected during the definition of firewall rules (Log: Yes).

Log ID and number for tracing errors: Log entries that refer to the firewall rules listed below have a log ID and number. Using this log ID and number, it is possible to trace the firewall rule that the corresponding log entry refers to and that led to the event in question.

Firewall rules and their log ID:
- Packet filters (Network Security > Packet Filters > Incoming Rules / Outgoing Rules menu): Log ID fw-incoming or fw-outgoing
- Firewall rules for VPN connections (IPsec VPN > Connections > Firewall Incoming/Outgoing menu): Log ID vpn-fw-in or vpn-fw-out
- Firewall rules for web access through m
8.1.2, Subnet mask 255.255.255.0, Default gateway 192.168.1.1.

Depending on the configuration of the mGuard, it may then be necessary to change the network interface of the local computer accordingly.

5.2.3 mGuard PCI

Installing the PCI card: If the PCI card has not yet been installed in your computer, please first follow the steps as described in Hardware installation on page 37.

Installing the driver: If you have configured the mGuard to run in Driver mode, ensure that the drivers are installed as described under Driver installation on page 38.

Configuring the network interface / Default gateway: If you operate the mGuard
- in Driver mode and the LAN interface (i.e. the network interface of the computer) has not yet been configured, OR
- in Power-over-PCI mode and the network interface of the computer connected to the mGuard LAN interface has not yet been configured,
then this network interface must be configured before you can configure the mGuard.

If you are using Windows XP: Click on Start, Control Panel, Network Connections. Right-click on the icon of the LAN adapter so that the pop-up menu appears. Click on Properties. In the Properties of LAN connections (local network), on the General tab, select Internet Protocol (TCP/IP) under This connection uses the following items. Then click on Properties so that the following window is displayed: Interne
DES: Symmetrical encryption (see Symmetrical encryption), set in 1977 by the American National Bureau of Standards (the predecessor of the National Institute of Standards and Technology, NIST) as the standard for American governmental institutions. As this was the very first standardized encryption algorithm, it quickly won acceptance in industrial circles both inside and outside America. DES uses a 56-bit key length, which is no longer considered secure, as the available processing power has greatly increased since 1977. 3DES is a variant of DES. It uses keys that are three times as long, i.e. 168 bits long. This is still considered to be secure and is also included in the IPsec standard.

AES: The AES (Advanced Encryption Standard) was developed by NIST (National Institute of Standards and Technology) in cooperation with the industry. This symmetrical encryption standard (see Symmetrical encryption) was developed to replace the earlier DES standard. AES specifies three different key lengths: 128, 192 and 256 bits. In 1997, NIST started the AES initiative and announced its conditions for the algorithm. From the many proposed encryption algorithms, NIST selected a total of five algorithms for closer examination: the MARS, RC6, Rijndael, Serpent and Twofish algorithms. In October 2000, the Rijndael algorithm was adopted as the encryption algorithm.

Used to check the reliability of a CA certificate and the CA (Certificate Authority) that issued it (see X.509 certificate). A CA
Application Scenarios: VPN gateway; WLAN over VPN

IP addresses within a DMZ can be public or private. In the latter case, the mGuard connected to the Internet forwards the connections, using port forwarding, to the private addresses within the DMZ.

VPN gateway

Encrypted access to the company network should be provided to employees at home or whilst travelling. The mGuard thereby takes on the role of the VPN gateway. On external computers, IPsec-capable VPN client software must be installed (the operating system must support this function, e.g. Windows 2000/XP), or an mGuard must be installed.

WLAN over VPN

Figure: main building (192.168.1.0/24) and auxiliary building (192.168.2.0/24), each behind an mGuard, connected over the WLAN network 172.16.1.x; the main building provides the Internet connection.

Two company buildings should be connected to each other over an IPsec-protected WLAN connection. The auxiliary building should also be able to use the Internet connection of the main building. In this example, the mGuards were switched to Router mode and a separate network with addresses of 172.16.1.x was created for the WLAN. As Internet access should also be available via the VPN from the auxiliary building, a default route over VPN is configured here.

Auxiliary building tunnel configuration:
Connection type: Tunnel (Network <-> Network)
Local network address: 192.168.2.0/24
Remote network address: 0.0.0.0/0
73. EMC anti-interference level:
- Discharge of static electricity: contact discharge EN 61000-4-2; air discharge EN 61000-4-2
- Electromagnetic fields: EN 61000-4-3
- Fast transients: EN 61000-4-4
- Symmetrical surge voltage: EN 61000-4-5
- Asymmetrical surge voltage: EN 61000-4-5
- Cable-based RF faults: EN 61000-4-6
All entries are determined using test levels that are required for programmable logic controllers (PLCs) used in industrial zone B surroundings according to EN 61131-2:2003.

EMC emitted immunity: EN 55022:2006 Class A; CFR 47 FCC Part 15 (2005-4) Class A

Resistance: Vibration test, sinusoidal, according to EN 61131-2:2003 and DIN EN 60068-2-6:1996; test parameters according to point 4.2.1 "Vibrations" and 6.2.1 "Vibration test under normal operating conditions" of EN 61131-2:2003. Shock test according to EN 61131-2:2003 and DIN EN 60068-2-27:1996; test parameters according to point 4.2.2 "Shocks" and 6.2.1 "Shocks type test under normal operating conditions" of EN 61131-2:2003.

Certifications: CE, FCC

EAGLE mGuard:
- Network size: length of a 10BASE-T/100BASE-TX twisted pair segment approx. 100 m
- Operating voltage: NEC class 2 power source, 12 V DC or 24 V DC (25/33 %), safety extra-low voltage (SELV/PELV), decoupled redundant entries, max. 5 A
- Buffer time: min. 10 ms at 24 V DC
- Potential difference between input voltage and housing; potential difference to input voltag
74. Control Elements and Displays

3.3 mGuard PCI
LEDs: LAN green, LAN red, WAN green, WAN red.
- WAN red, LAN red: Flashing. Boot process, after starting or restarting the computer.
- WAN red: Flashing. System error. Reboot the system: press the Rescue button briefly (1.5 seconds) OR reboot the computer. If the error continues to occur, start the Recovery procedure (see "Performing a recovery" on page 226) or contact the support department.
- WAN green, LAN green: On or flashing. Ethernet status. Shows the status of the LAN and WAN interface. As soon as the device is connected, the LEDs are illuminated continuously to indicate the presence of a network connection. The LEDs are extinguished briefly when data packets are transferred.
- WAN green, WAN red, LAN green: Various LED illumination codes. Recovery mode, after pressing the Rescue button. See "The Rescue Button: Restarting, the Recovery Procedure and Flashing Firmware" on page 226.

3.4 mGuard blade
LEDs: Serial, WAN red, WAN green, LAN red, LAN green; Rescue button.
- WAN red, LAN red: Flashing. Boot process, after starting or restarting the computer.
- WAN red: Flashing. System error. Reboot the system: press the Rescue button briefly (1.5 seconds). If the error continues to occur, start the Recovery
75. Guard. Local HiDiscovery Support (Enabled / Read only / Disabled): Enabled: the HiDiscovery protocol is activated. Read only: the HiDiscovery protocol is activated, but the mGuard cannot be configured using it. Disabled: the HiDiscovery protocol is deactivated.
HiDiscovery Frame Forwarding (Yes/No): If this option is set to Yes, then HiDiscovery frames are forwarded from the internal LAN port externally over the WAN port.

Configuration, Management Menu: Signal contact (only mGuard industrial RS, EAGLE mGuard)
[Screenshot: Management > System Settings > Signal Contact. Mode: Operation supervision; Operation supervision: Contact; Redundant power supply: Supervise; Link supervision: Ignore; Manual settings: Contact]

Signal contact: The signal contact is a relay which is used by the mGuard to signal error conditions. See also "Signal contact" on page 26 and page 31. The signal contact can be controlled automatically by the mGuard using Operation supervision (default) or Manual settings. See also "Installing the mGuard industrial RS" on page 23 and "Installing the EAGLE mGuard" on page 31.

Operation supervision. Contact: Displays the state of the signal contact, either Open (Error) or Closed (OK). Redundant power supply: If set to Ignore, the power supply does not influence the signal contact. If set to Supervise, the signal contact is opened if one of the two power supplies fails or a permanent
76. Guard via HTTPS (Management > Web Settings > Access menu). Log ID: fw-https-access

Configuration, Logging Menu
- Firewall rules for web access through the mGuard via SNMP (Management > SNMP > Query menu). Log ID: fw-snmp-access
- Firewall rules for SSH remote access to the mGuard (Management > System Settings > Shell Access menu). Log ID: fw-ssh-access
- Firewall rules for the user firewall (Network Security > User Firewall > Firewall Rules menu). Log ID: ufw
- Rules for NAT/port forwarding (Network Security > NAT > Port Forwarding menu). Log ID: fw-port-forwarding
- Firewall rules for the serial port (Network > Interfaces > Serial Port). Incoming Rules, Log ID: fw-serial-incoming; Outgoing Rules, Log ID: fw-serial-outgoing

Searching for firewall rules on the basis of a network security log: If the Network Security checkbox is enabled, so that the relevant log entries are displayed, the "Jump to firewall rule" search field is displayed under the "Reload Logs" button. Proceed as follows if you want to trace the firewall rule, referenced by a log entry in the Network Security category, that resulted in the relevant event:
1. Mark the section that contains the log ID and number in the relevant log entry, for example "fw-https-access-1-1ec2c133-dca1-1231-bfa5-000cbe01010a" in a log line ending with "Accepted".
2. Copy this section into the "Jump to firewall rule" field via the cli
77. ...touch the bare metal case of your PC to discharge the build-up of static electricity.

Configure the mGuard for Driver mode or Power-over-PCI mode (see "Selection of Driver mode or Power-over-PCI mode" on page 34). To enable the required mode, set the jumper (2) to the following positions: [Figure: jumper positions for Driver mode and Power-over-PCI mode]

1. Turn off the power to the computer and any other connected peripheral devices.
2. Follow the precautions for the discharge of static electricity.
3. Unplug the power cable.
4. Open the computer cover (please consult your computer manual).
5. Select a free PCI slot (3.3 V or 5 V) for the mGuard PCI.
6. Remove the relevant slot plate by loosening the holding screw and pulling it out. Keep this screw safe for securing the mGuard PCI card after installation.
7. Carefully align the connection plug board of the mGuard PCI card with the selected PCI slot on the motherboard, then push the card down evenly.
8. Tighten the card slot plate.
9. Close the computer cover.
10. Reconnect the power cable and turn on the computer.

Startup, 4.6.3 Driver installation (Windows XP): Please first complete the steps described under "Hardware installation" on page 37. Installation of the driver is only necessary when the mGuard PCI operates in Driver mode (see "Driver mode" on page 34). To install the driver, switch on the computer, log in as an administrator and wai
78. ...IME or IPsec.

Protocol: Devices that communicate with each other must follow the same rules. To do this, they must "speak the same language". Rules and standards of this kind are called protocols or communication protocols. Some of the more frequently used protocols are IP, TCP, PPP, HTTP and SMTP.

Service provider: Service providers are companies or institutions that enable users to access the Internet or online services.

Spoofing, Anti-spoofing: In Internet terminology, spoofing means supplying a false address. Using this false Internet address, a user can create the illusion of being an authorized user. Anti-spoofing is the term for mechanisms that detect or prevent spoofing.

Glossary (continued): Symmetrical encryption; TCP/IP (Transmission Control Protocol/Internet Protocol); VLAN; VPN (Virtual Private Network).

Symmetrical encryption: In symmetrical encryption, the same key is used to encrypt and decrypt data. Two examples of symmetrical encryption algorithms are DES and AES. They are fast, but also difficult to administrate as the number of users increases.

TCP/IP: These are network protocols used to connect two computers over the Internet. IP is the base protocol. UDP is based on IP and sends individual packets. The packets may arrive at the recipient in a different order from the one in which they were sent, or they may even be lost. TCP is used for connection security and ensures, for example, that data packets are passed on to the application in the correct order. UDP and TCP add port numbers between 1 and 65535 to the I
79. IP address. Local IP: The IP address where the mGuard can be accessed by the PPTP server. Modem IP: The address of the PPTP server at the Internet Service Provider. Internal Networks: Configuration of the internal network is described in the next section.

Configuration, Network Menu > Network Mode: Modem / Built-in Modem (only mGuard industrial RS, mGuard blade, EAGLE mGuard, mGuard delta)

The Modem network mode is available for the mGuard industrial RS, mGuard blade, EAGLE mGuard and mGuard delta. The Built-in Modem network mode is additionally available for the mGuard industrial RS if this has a built-in modem or ISDN terminal adaptor (optional). In all of the devices mentioned above, data traffic is transferred over the internal serial port, and not over the mGuard WAN port, when the Modem or Built-in Modem network mode is activated. From there it is either (A) transferred over the external serial port, where an external modem must be connected, OR (B) transferred over the built-in modem or ISDN terminal adaptor (mGuard industrial RS, when equipped). In both cases the connection to the ISP and Internet is established over the telephone network using a modem or ISDN terminal adaptor. Communication can be made by TCP/IP over this telephone connection as if the mGuard were connected to the Internet over an ethernet cable. Settings for the Modem or Built-in Modem network mode are
80. IP address under the hexadecimal IPX ethernet protocol.

[Screenshot: QoS > Ingress Filters, Internal tab: Enable Ingress QoS, Measurement Unit, Filters] Internal: Setting of Ingress Filters on the LAN interface.
[Screenshot: QoS > Ingress Filters, External tab: Enable Ingress QoS, Measurement Unit, Filters] External: Setting of Ingress Filters on the WAN interface.

Configuration, QoS Menu
Enabling: Enable Ingress QoS (Yes/No). No (standard): the feature is disabled; if filter rules are defined, then they are ignored. Yes: the feature is enabled; data packets will only be transferred to the mGuard for further processing when they conform to the following filter rules. Filters can be set for the LAN port (Internal tab) and the WAN port (External tab).
Units (kbit/s, packets/s): Defines in which format the values below under Guaranteed and Upper Limit are defined.
Filter. Use VLAN (Yes/No): If VLAN is configured, then the VLAN ID can be entered to allow the affected data packets to pass through. The option must be set to Yes. VLAN ID: Defines that the VLAN data packets that have this ID may pass through. The Use VLAN option must be set to Yes. Ethernet Protocol: Defines that only data packets from the given ethernet protocol may pass. Possi
81. [Screenshot: Import Certificate. Current Certificate File: Subject CN=Schlau Heiner, L=B, OU=Service, O=Sample Supplier, C=UK; Issuer CN=Web SubCA 01, O=Sample Web Securities Inc, C=UK; valid from Jun 20 11:27:13 2007 GMT to Jun 20 11:27:13 2010 GMT; MD5 and SHA1 fingerprints; Upload: Filename, Browse, Import Certificate. Second entry: Subject CN=Findig Petra, L=B, OU=Service, O=Sample Supplier, C=UK]

Configuration, Authentication Menu

Trusted remote Certificates: Shows the currently imported remote certificates. To import a new certificate, please proceed as follows.

Importing a new certificate. Requirement: The file (file name extension .cer, .pem or .crt) is saved on the connected computer. Proceed as follows:
1. Click on Browse to select the file.
2. Click on Import.
After the import, the installed certificate can be seen under Certificate.

Shortname: During the remote certificate import process, the CN attribute from the certificate subject field is suggested as the short name, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen. Name entry, whether the suggested one or another, is mandatory. The names must be unique and must not be used more than once. Use of the short name: During the co
82. Innominate mGuard User Manual, Software Release 5.1.0
Innominate Security Technologies AG, Albert-Einstein-Str. 14, D-12489 Berlin, Tel. +49 (0)800 366 4666, info@innominate.com, www.innominate.com
Innominate Security Technologies AG, October 2007

Innominate and mGuard are registered trade names of Innominate Security Technologies AG. mGuard technology is protected by patent numbers 10138865 and 10305413, which were granted by the German Patent Office. Additional patents are pending. This document may not be copied or transferred in whole or in part without prior written approval. Innominate AG reserves the right to modify this document at any time without prior notice. Furthermore, Innominate assumes no liability for errors in this manual or for accidental or consequential damages in connection with the delivery, performance or utilization of this document. This manual may not be photocopied, duplicated or translated into another language in whole or in part without the prior written approval of Innominate Security Technologies AG. Innominate document number UG205102907 007

Contents (table of contents, recoverable entries): Firewall features 8; Anti-virus features 8; VPN 9; Additional features 9; Support 9
83. Internal error in the scan engine. Exceptional Virus Scanner Failure: A problem has occurred during communication with the scan engine. Possible causes:
- Failed signature update due to wrong update server entries (see Management > Update menu)
- Invalid virus filter license
- Damaged or faulty update of the virus signature file
Update running: There is currently no anti-virus filter signature installed and the download of the virus signatures has been started. You can follow the progress of the download in the anti-virus update log (Logging > Browse local logs > Anti-virus update).

DHCP Server/Relay: Messages from services defined under Network > DHCP.
Anti-Virus Update: The update log contains notifications regarding the start and progress of the virus signature file update process.
SNMP/LLDP: Messages from services defined under Management > SNMP.
IPsec VPN: Lists all VPN events. The format corresponds to the standard Linux format. It offers special evaluation programs that present information from the logged data in a more readable format.

Configuration, Support Menu
6.13 Support Menu
6.13.1 Support > Tools
[Screenshot: Support > Tools: Ping Check, DNS Lookup. Ping Check: Hostname/IP Address]
Ping Check. Goal: To check if the remote peer is accessible over a network. Procedure: Enter the IP address or remote peer hostname in the Hostname/IP Address field. Clic
84. LAN port. Use VLAN: If this IP address should be contained within a VLAN, then this option must be set to Yes. VLAN ID: A VLAN ID between 1 and 4095. An explanation of the term VLAN can be found in the glossary on page 239. If you want to delete entries from the list, please note that the first entry cannot be deleted.

Additional Internal Routes: Additional routes can be defined if further subnetworks are connected to the local network. Network: Enter the network using CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224). Gateway: The gateway where this network can be accessed. See also "Network Example" on page 225.

Configuration, Network Menu: Ethernet > Network Interfaces
[Screenshot: ARP Timeout; MTU Settings: MTU of the internal interface, MTU of the internal interface for VLAN, MTU of the external interface, MTU of the external interface for VLAN, MTU of the Management Interface, MTU of the Management Interface for VLAN]

ARP Timeout: Lifetime of entries in the ARP table, in seconds.
MTU Settings. MTU of the <name> interface: The Maximum Transfer Unit (MTU) defines the maximum IP packet length allowed for the respective interface. For VLAN interfaces: As VLAN packets contain 4 bytes more than those without VLAN, certain drivers may have problems in processing larger packets. Such probl
85. [Screenshot: Total Bandwidth: Upper Limit (unlimited, kbit/s). Queues table with columns Name, Guaranteed, Upper Limit, Priority, Comment; preset rows with priorities High, Medium, Medium and Low, among them "Important" and "Low Priority"] VPN via External: Setting of Egress Queues for packets that were transferred over the VPN connection and run over the WAN interface.

The three tab options offer the same setting possibilities: the Internal tab for the LAN interface, the External tab for the WAN interface, and the VPN via External tab for the WAN interface during VPN connections.

Configuration, QoS Menu
In all cases the settings relate to the data that is sent externally to the network from the respective mGuard interface.
Enabling: Enable Egress QoS (Yes/No). No (standard): the feature is disabled. Yes: the feature is enabled. This is recommended when the interface is connected to a network with a small bandwidth. This allows the bandwidth allocation to be influenced in favor of especially important data.
Total Bandwidth: Maximum bandwidth rate (kbit/s, packets/s). Maximum available bandwidth, measured in kbit/s or packets/s. For an optimal prioritization process, the total bandwidth entered here should be slightly lower than the actual amount. This prevents an overrun in the transferring device buffer, which would create adverse effects.
Queues. Name: You can apply the preset name for th
86. ...Old Password field, then the new password in the two corresponding fields directly underneath.

Administrator Password. Account: admin (the user name "admin" is fixed). Default setting: mGuard.
Disable VPN until the user is authenticated via HTTP (Yes/No): The factory default for this option is No. If Yes is selected, VPN connections and various other services can only be used after a user has logged into the mGuard via HTTP. As long as authentication is required, all HTTP traffic is redirected to the mGuard. Changes to this option become active after the next reboot.
User Password: There is no factory default for the user password. To set one, enter the desired password twice, once in each of the two entry fields.

Configuration, Authentication Menu
6.5.2 Authentication > Firewall Users
Users: To eliminate private surfing on the Internet, every outgoing connection is blocked by the outgoing filter rules listed under Network Security > Packet Filters. VPN is not affected by this. Under Network Security > User Firewall, certain users can be assigned different firewall definitions, e.g. outgoing connections are permitted. This user firewall rule comes into effect as soon as the respective firewall user has logged in (see Network Security > User Firewall on page 163).
[Screenshot: Authentication > Firewall Users > Users: Enable user firewall (No); Enable gro
87. ...P server over the LAN port in order to obtain an IP address. Status display: mGuard industrial RS: the State LED flashes; smart: the middle LED (heartbeat) flashes; blade/PCI: the red LAN LED flashes; EAGLE: the 1, 2 and V.24 LEDs light up orange; delta: the status LED flashes.

The install.p7s file is loaded from the TFTP server. This contains the electronically authenticated control procedure for the installation process. Only files signed by Innominate are accepted. The control procedure now deletes the current flash memory contents and prepares for a new software installation. Status display: mGuard industrial RS: the Modem, State and LAN LEDs form a light sequence; smart: the three green LEDs form a light sequence; blade/PCI: the green and red LAN LEDs form a light sequence; EAGLE: the 1, 2 and V.24 LEDs form a light sequence; delta: the status LED flashes at a faster rate.

The jffs2.img.p7s file is downloaded from the TFTP server and written onto the flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate will be accepted. This process takes around 3 to 5 minutes. Status display: mGuard industrial RS: the State LED lights up continuously; smart: the middle LED (heartbeat) lights up continuously; blade/PCI: the green LEDs and the red LAN LED flash continuously.

The Rescue Button: Restarting, the Recovery Procedure and Flashing Fi
88. ...P addresses. These distinguish the various services offered by the protocols. A number of additional protocols are based on UDP and TCP, e.g. HTTP (HyperText Transfer Protocol), HTTPS (Secure HyperText Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol Version 3) and DNS (Domain Name Service). ICMP is based on IP and contains control messages. SMTP is an e-mail protocol based on TCP. IKE is an IPsec protocol based on UDP. ESP is an IPsec protocol based on IP. On a Windows PC, the WINSOCK.DLL or WSOCK32.DLL handles the development of both protocols. → Datagram

VLAN: A VLAN (Virtual Local Area Network) divides a physical network into several independent logical networks. Devices of different VLANs can only access devices within their own VLAN. Assignment to a VLAN is no longer defined by the network topology alone, but also by the configured VLAN ID. VLAN settings can also be used as optional settings for each IP. A VLAN is identified by its VLAN ID (1-4094). All devices with the same VLAN ID belong to the same VLAN and can therefore communicate with each other. The ethernet packet for a VLAN based on IEEE 802.1Q is extended by 4 bytes, with 12 bits available for recording the VLAN ID. The VLAN IDs 0 and 4095 are reserved and cannot be used for VLAN identification.

VPN: A Virtual Private Network (VPN) connects several separate private networks (partial networks) together via a public network
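The 802.1Q tag layout in the VLAN entry above (4 extra bytes, a 12-bit ID, 0 and 4095 reserved) and the "Use VLAN" / "VLAN ID" / "Ethernet Protocol" ingress filter options can be exercised with this added Python example; it is not code from the manual or from Innominate, and the frames, MAC addresses and function names are constructed for illustration.

```python
"""Added example, not code from the mGuard manual: parse the IEEE 802.1Q
tag described in the VLAN glossary entry and apply an ingress filter in
the style of the manual's "Use VLAN" / "VLAN ID" / "Ethernet Protocol"
options. All frames below are constructed sample data."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
VLAN_TAG_LEN = 4           # a tagged frame is 4 bytes longer (see MTU note)
RESERVED_VIDS = (0, 4095)  # cannot identify a VLAN per the glossary


def vid_is_usable(vid):
    """Usable VLAN IDs are 1..4094; 0 and 4095 are reserved."""
    return 1 <= vid <= 4094


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Construct a sample Ethernet frame, inserting an 802.1Q tag
    (TPID + 16-bit TCI) between the MAC addresses and the EtherType
    when vlan_id is given. dst/src are 6-byte MAC addresses."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(raw):
    """Return the header fields of an Ethernet frame. vlan_id is None for
    an untagged frame; for a tagged frame it is the 12-bit VID and
    ethertype is the inner EtherType that follows the tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset = 14
    vlan_id = pcp = None
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13            # 3-bit priority code point
        vlan_id = tci & 0x0FFF     # low 12 bits hold the VLAN ID
        offset = 18
    return {
        "dst": dst, "src": src, "pcp": pcp, "vlan_id": vlan_id,
        "ethertype": ethertype, "payload": raw[offset:],
        "header_len": offset,
    }


def ingress_allows(raw, use_vlan=False, vlan_id=None, ethernet_protocol=None):
    """Ingress filter modelled on the QoS Ingress Filters options: with
    use_vlan=True only frames tagged with exactly vlan_id pass (untagged
    frames are dropped); ethernet_protocol, if given, must match the
    frame's EtherType. Returns True when the frame may pass."""
    frame = parse_frame(raw)
    if use_vlan:
        if vlan_id is None or not vid_is_usable(vlan_id):
            raise ValueError("Use VLAN = Yes requires a VLAN ID in 1..4094")
        if frame["vlan_id"] != vlan_id:
            return False
    if ethernet_protocol is not None and frame["ethertype"] != ethernet_protocol:
        return False
    return True


# Constructed sample frames (MAC addresses and payloads are made up).
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
IPV4_PAYLOAD = b"\x45\x00" + b"\x00" * 44    # minimal IPv4-looking stub
UNTAGGED_IPV4 = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_PAYLOAD)
TAGGED_VLAN100 = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_PAYLOAD,
                             vlan_id=100, pcp=5)
TAGGED_VLAN4095 = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_PAYLOAD,
                              vlan_id=4095)   # reserved VID, never a member
UNTAGGED_ARP = build_frame(MAC_B, MAC_A, ETHERTYPE_ARP, b"\x00" * 28)


if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED_IPV4), ("vlan100", TAGGED_VLAN100)]:
        info = parse_frame(frame)
        print(name, "vlan_id=%s pcp=%s ethertype=0x%04x length=%d"
              % (info["vlan_id"], info["pcp"], info["ethertype"], len(frame)))
    print("VLAN 100 frame on a filter for VLAN 100:",
          ingress_allows(TAGGED_VLAN100, use_vlan=True, vlan_id=100))
```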
89. ...P addresses and to one of the ports on the mGuard are rewritten in order to forward them to a specific port on a specific computer. In other words, both the IP address and the port number in the header of the incoming data packets are changed. This method is also known as Destination NAT. The rules set here have priority over the settings made in the Network Security > Packet Filter > Incoming Rules menu.

Configuration, Network Security Menu (not for blade controller)

Port Forwarding: You have the following options.
Protocol (TCP/UDP): Enter the protocol which the rule should relate to.
From IP: The source address where forwarding is made. 0.0.0.0/0 means all addresses. To enter an address, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224).
From Port: The source port where forwarding is made. "any" describes any selected port. Either the port number or the corresponding service name can be entered here, e.g. pop3 for port 110 or http for port 80.
Incoming on IP: Enter the external IP address or one of the external IP addresses of the mGuard here. OR: it cannot be specified if the destination IP address of the mGuard is assigned dynamically; in this case use the following variable: extern. When using more than one static IP address for the WAN port, the variable extern always corresponds to the first IP address of the address list.
Inc
90. ...PS Web Access. Enable HTTPS remote access (Yes/No): If you want to enable HTTPS remote access, set this option to Yes. Ensure that the firewall rules on this page permit access to the mGuard from a remote peer (under Allowed Networks). Additionally, the authentication rules under User authentication must be set if necessary.
Remote HTTPS TCP Port (standard: 443): You can also specify a different port. The remote peer that makes remote access must enter the port number defined here during entry of the address, after the IP address. Example: If this mGuard is accessible over the Internet under the address 123.124.125.21 and the port number 443 has been set for remote access, then you do not need to enter this port number after the address in the web browser on the remote peer. If another port number is used, then this is given behind the IP address as follows: https://123.124.125.21:442

Configuration, Management Menu
NOTE: The mGuard authenticates itself to the remote peer (in this case the browser of the user making remote access) using a self-signed machine certificate. This is a certificate produced once by Innominate for each mGuard. This means that each mGuard is delivered with an individual self-signed machine certificate.

Allowed Networks
[Screenshot: firewall rule table with columns Log ID (fw-ex...), From IP (0.0.0.0/0), Interface (external), Action (Accept), Log (No)]
Lists the firewall rules that have been set. T
91. ...TCP protocol participant. It is then possible to differentiate two UDP or TCP connections between two systems and use them at the same time. Fixed port numbers can be reserved for special purposes. For example, HTTP connections are usually assigned to TCP port 80 and POP3 connections to port 110.

Proxy: A proxy is an intermediary service. A web proxy (e.g. Squid) is often used for a large network. For example, if 100 employees access a certain website at the same time over a web proxy, then the proxy only loads the relevant web pages once from the server and then distributes them as needed amongst the employees. Remote web traffic is reduced, which saves money.

PPPoE: PPPoE is an acronym of Point-to-Point Protocol over Ethernet. This protocol is based on the PPP and ethernet standards. PPPoE defines how to connect users via ethernet with the Internet via a jointly used broadband medium such as DSL, wireless LAN or a cable modem.

PPTP: PPTP is an acronym of Point-to-Point Tunneling Protocol. This protocol was developed by companies such as Microsoft and U.S. Robotics in order to securely transfer data between VPN nodes (→ VPN) via a public network.

Router: A router is a device that is connected to different IP networks and communicates between them. To do this, a router has an interface for each network connected to it. A router must find the correct path to the target for incoming data and must define the appropriate interface for forwarding it. It takes data from a loca
92. The device is delivered in a ready-to-operate condition. The following procedure is required for the assembly process:
- Detach the terminal block from the EAGLE mGuard and connect the supply voltage and signal contact lines.
- Attach the EAGLE mGuard onto a 35 mm DIN rail according to DIN EN 50 022.

Startup (margin headings: Startup, Network connection, Disassembly)
- Attach the upper snap-on guide of the EAGLE mGuard to the DIN rail and press it down until it locks into position.

Network connection:
- Connect the device to the local network or the local computer which is to be protected (LAN).
- Connect the socket for connection to the external network (WAN), for example to the Internet. Connections to the remote device or network are established over this network.

The front faceplate of the EAGLE mGuard housing is grounded via the grounding connection. Do not open the housing. The shielding ground of the connectable twisted pair lines is electrically connected to the front faceplate.

Start the EAGLE mGuard by connecting the supply voltage via the 6-pin terminal block. Lock the terminal block with the locking screw at the side. If your computer is already attached to a network, then patch the EAGLE mGuard into the existing network connection. Please note that initial configuration can only be made over the LAN interface. The EAGLE mGuard firewall rejects all IP traffic from the WAN to t
93. UL 1604, CSA 22.2 No. 213 (pending). Complies with Germanischer Lloyd standards.

Technical Data. CE: This device complies with the regulations of the European Council directive 89/336/EEC on the harmonization of legal regulations of member states on electromagnetic compatibility, amended by Directives 91/263/EEC, 92/31/EEC and 93/68/EEC.

Notes on CE identification: The EU declaration of conformity is kept available for the responsible authorities in accordance with the above-mentioned EU directives at Innominate Security Technologies AG, Albert-Einstein-Str. 14, D-12489 Berlin, Telephone +49 (0)30 6392 3300. The product can be used in the residential sphere (residential sphere, business and trade sphere, and small companies) and in the industrial sphere.
- Interference-proof: EN 61000-6-2:2001
- Emitted immunity: EN 55022:1998 + A1:2000 + A2:2003, Class A

FCC Note: This equipment has been tested and complies with the limits for a Class A digital device according to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in w
94. ...a selection of all CA certificates that are loaded in the mGuard under the Authentication > Certificates menu. Further possibility: All known CAs. With this setting all VPN remote peers are accepted, providing that they log on with a certificate signed by a recognized Certificate Authority (CA). The CA is recognized when the relevant CA certificate and all other CA certificates are stored in the mGuard. These then build the chain to the root certificate, together with the certificates shown.

Authentication of a VPN remote peer using CA certificates is only possible when "any" is entered under "Address of the remote site's VPN gateway". See 6.9.3 "Defining VPN connection / VPN connection channels", General, on page 184.

Using the relevant remote certificate: Select the following entry from the list: "Remote certificate (below), not CA certificate". The certificate is then installed under Remote Certificate.

Configuration, IPsec VPN Menu (not for blade controller)
It is not possible to refer to a remote certificate loaded in the Authentication > Certificates menu.

Remote Certificate: Must be configured if the VPN remote peer is authenticated using a remote certificate. To import a certificate, please proceed as follows. Requirement: The certificate file (file format .pem, .cer or .crt) is saved on the connected computer. Proceed as follows:
1. Click on Browse to select the file.
2. Cli
95. ...ade controller. If the remote peer VPN gateway does not have a fixed and known IP address, you can use the DynDNS Service (see glossary) to simulate a fixed and known address. If the mGuard should be ready to accept a connection that was actively initiated and set up by a remote peer with any IP address, enter "any". This setting should also be selected for VPN star configurations when the mGuard is connected to the control center. The mGuard can then be called by a remote peer that has been dynamically assigned its IP address by the ISP, i.e. it has a changeable IP address. In this scenario you may only enter an IP address when the remote peer has a fixed and known IP address.
- "any" can only be used along with the authentication procedure using X.509 certificates.
- "any" must be set when the remote peer is authenticated using local CA certificates.
- "any" must be selected when the remote peer is located behind a NAT gateway. Otherwise the renegotiation of new connection keys will fail after the connection is established.

Connection startup (Initiate / Initiate during data traffic / Wait). Initiate: The local mGuard sets up the connection to the remote peer. In "Address of the remote site's VPN gateway" (see above) the fixed remote peer IP address or domain name must be entered. Initiate during data traffic: The connection is initiated automatically when the mGuard sees that the connection should be us
96. ...al / Explanation (table columns: enterprise-oid, generic-trap, specific-trap, additional, Explanation)
- enterprise-oid: mGuardTrapIndustrial; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapIndustrialTemperature (1); additional: mGuardSystemTemperature, mGuardTrapIndustrialTempHiLimit, mGuardTrapIndustrialLowLimit; Explanation: Displays the temperature when defined limits are exceeded.

Configuration, Management Menu
- enterprise-oid: mGuardTrapIndustrial; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapAutoConfigAdapterState (4); additional: mGuardTrapAutoConfigAdapterChange; Explanation: Sent following access to the ACA.

Blade controller traps (blade only). Blade status change (blade switch outage): Activate traps (Yes/No).
- enterprise-oid: mGuardTrapBladeCTRL; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapBladeCtrlPowerStatus (2); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlPowerStatus; Explanation: Sent when the power supply status of the blade pack changes.
- enterprise-oid: mGuardTrapBladeCTRL; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapBladeCtrlRunStatus (3); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlRunStatus; Explanation: Sent when the blade run status changes.

Blade reconfiguration (backup/restore): Activate traps (Yes/No).

Anti-Virus traps
97. al driver installation is not necessary.
- For security reasons we recommend that you change the default Root and Administrator passwords during the first configuration.
- Both network interfaces of the mGuard industrial RS are configured for connection to a computer.
Connection options on lower terminal block: The mGuard industrial RS is available in three different versions. These can be distinguished through the connection options on the bottom part of the terminal bar.
[Figure: front faceplates of the three mGuard industrial RS versions (LEDs P1, P2, Modem, Fault, State, Error, LAN, WAN; lower terminal block with Service, CMD/ACK and analog line or ISDN terminals): with ISDN terminal adaptor, with analog modem, WITHOUT modem/ISDN]
mGuard industrial RS WITHOUT modem/ISDN terminal adaptor: lower area on front faceplate with terminal block. Function: grounding; signal contact (interrupted if errors occur); signal LED (20 mA); service contacts CMD/ACK for establishing a predefined VPN connection.
Startup: mGuard industrial RS with modem: lower area on front
98. an protect several server systems individually and independently of one another. An additional serial port enables remote configuration using a telephone dial-up connection or a terminal.
EAGLE mGuard: The EAGLE mGuard was developed in cooperation with the Industrial Security Alliance partner Hirschmann Automation and Control GmbH. The device is designed for assembly on DIN rails according to DIN EN 50 022 and is therefore especially suited for use in industrial environments. Additional application options are provided by the optional configuration connection and the option for establishing a telephone dial-up connection via the V.24 interface.
mGuard delta: This model is a compact LAN switch (Ethernet/Fast Ethernet) designed for connecting up to 4 LAN segments. This device is especially suited for logically segmented network environments where locally connected computers/networks share mGuard functions. An additional serial port enables configuration using a telephone dial-up connection or a terminal. The mGuard delta has a robust metal housing, making it suitable as a desktop device or for use in wiring storage rooms.
2 Typical Application Scenarios
Stealth mode, Network router, DMZ: Some of the more common application scenarios are detailed below.
Firewall, anti-virus, VPN: In Stealth mode (factory default) the mGuard can be i
99. an set an exception for subsequent rules. It is also possible to enter trusted servers (see the example below).
Example: Global activation of anti-virus protection for SMTP
Server | Server port | Comment | Enable Scan
0.0.0.0/0 | | | Scan
Scan a subnet and exclude a trusted SMTP server:
Server | Server port | Comment | Enable Scan
192.168.2.5 | 25 | server with own AV engine | No Scan
192.168.2.0/24 | 25 | attackable server | Scan
Scan for a single SMTP server in a subnet:
Server | Server port | Comment | Enable Scan
192.168.2.5 | | weak SMTP server | Scan
192.168.2.0/24 | | servers with own AV engine | No Scan
- The rule record is processed top down, meaning the order of the rules is decisive for the results.
- The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number results in the refusal of further connection attempts.
- Scanning for viruses may allow outgoing connections that are usually blocked by the firewall rules defined under Network Security > Packet Filter and Network Security > User Firewall. Please see "Connections scanned for viruses are subject to firewall rules (Yes/No)" on page 155 to adjust this behavior.
Configuration: E-mail Security Menu (not for blade controller)
You have the following options: Server: 0.0.0.0/0 means all addr
100. an use the X.509 authentication procedure. Further details must be specified here. The use of option 1 or 2 depends on the web browser of the remote user. Option 2 is used when the mGuard web browser provides a certificate.
Login with X.509 client certificate only: The system of the remote user (or the system browser) must authenticate (verify) itself according to X.509, so that the mGuard can use the X.509 authentication procedure. Further details must be specified here.
Before selecting the "Login with X.509 client certificate only" option you must first select and test the "Login with X.509 client certificate or password" option. "Login with X.509 client certificate only" can only be used when this setting is fully functional. Otherwise you could be locked out of the system permanently. This precautionary measure comes into force especially when settings are changed under User authentication.
If the following User authentication methods are defined: "Login with X.509 client certificate only" OR "Login with X.509 client certificate or password", then the process is defined with which the mGuard of the remote user is authenticated according to X.509. The table below shows which certificates must be provided for the mGuard to authenticate the user access over HTTPS when the user (or their browser) displays one of the following certificate types on connection:
- A certific
101. and select the desired value. The database has a size of several MB. Only files updated on the server are loaded.
Update Servers for AVP: Enter at least one AVP update server name here. You can select the server from which the updated signature files should be downloaded. A default server is already entered. If needed, you can enter your own servers.
- The list of servers is processed top down until an available server is found. The sequence of the entries thus defines their priorities.
Proxy Settings: HTTP Proxy Server: When using a HTTP proxy server, enter here the IP address and the port number used. Enter the user name and password under Login and Password.
6.2.5 Configuration Profiles
Management > Configuration Profiles
[Screen: Management > Configuration Profiles: profile list (Factory Default, At Home, office); Save Current Configuration to Profile; Upload Configuration to Profile; Save the current configuration on ACA]
You can save the configuration settings of the mGuard as a configuration profile under any name in the mGuard. It is possible to create and save multiple configuration profiles. You may then switch between different profiles, for example if the mGuard is used in different operating environments. Furthermore, you can also save configuration profiles as files on the configuration system. Alternately
102. ask 255.255.255.0, Default gateway 192.168.1.1 (assign an address like 1.1.1.2 to the configuration system). On the DOS level (Start > Programs > Accessories > Command Prompt) enter the following command:
arp -s <IP of the default gateway> aa-aa-aa-aa-aa-aa
Example: You have determined or set the address of the default gateway as 192.168.1.1. The command should then be:
arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa
To proceed with the configuration, establish the necessary configuration connection (see "Setting up a local configuration connection" on page 49). After setting the configuration, restore the original setting for the default gateway address. To do this either restart the configuration computer or enter the following command on the DOS level:
arp -d
- Depending on the configuration of the mGuard it may then be necessary to change the network interface of the local computer accordingly.
5.3 Setting up a local configuration connection
Web-based administrator interface: The mGuard is configured using the web browser running on the configuration system (e.g. Firefox, MS Internet Explorer or Safari). The web browser must support SSL (i.e. https). Depending on the model the mGuard is delivered either in Stealth or Router mode and is therefore available under one of the following addresses: Factory default Stealth mode: https://1.1.1.1. Factory
103. assigned to several users.
Making a new template definition: Click on the Edit button on the right side of the template table under the "unnamed" entry. If the "unnamed" entry cannot be seen, then open a further line in the rule record table.
Editing a rule record: Click on the Edit button to the right of the entry.
Enabled (Yes/No): Activates/deactivates the relevant template.
Name: Name of the template. The name is defined during creation of the template. The Set of Rules page is displayed after clicking on the Edit button.
Network Security > User Firewall > Edit Template, General Options: After clicking on the Edit button the following page appears:
[Screen: Network Security > User Firewall > remote service; tabs General, Template users, Options; fields: A descriptive name for the template: remote service; Enabled; Comment; Timeout: 28800]
A descriptive name for the template: You can name or rename the user firewall template as desired.
Enabled (Yes/No): When Yes is selected the user firewall template becomes active as soon as firewall users log onto the mGuard. These users are listed on the Template User tab (see below) and have been assigned firewall rules. It does not matter from which computer and under which IP address the user logs in. The assignment of user firewall rules is based on the authentication data that the
104. assume that the certificates have been correctly installed in the mGuard (see 6.5.3 Authentication > Certificates on page 136).
- If the use of block lists (CRL checking) is activated under the Authentication > Certificate, Certificate settings menu point, then each CA-signed certificate that an SSH client shows is checked for blocks.
CA certificate: The configuration is only necessary when the SSH client displays a certificate signed by a CA. All CA certificates needed by the mGuard to build the chain to the respective root CA certificate with the certificates displayed by the SSH client must be configured. The selection list shows the CA certificates that are loaded in the mGuard under the Authentication > Certificate menu.
X.509 Subject: Allows setting of a filter relating to the contents of the Subject field in the certificate displayed by the SSH client. It is then possible to limit or release access by SSH clients which the mGuard would accept in principle based on the certification check: limitation to certain subjects (i.e. individuals) or to subjects that have certain attributes, or release for all subjects. See also glossary under Subject, certificate. The X.509 subject field must not be left empty.
Release for all subjects (individuals): With a * in the X.509 subject field you can define that all subject entries are allow
105. ata packets in real time, whilst other packets (e.g. FTP downloads) are set to wait in critical cases. The main function of Egress QoS is the optimal utilization of the available bandwidth on a connection. In certain cases a limitation of the packet rate can be useful, e.g. to protect a slow computer from overloading in the protected network. In mGuard the Egress Queues feature can be implemented for the LAN interface (internal) and WAN interface (external).
[Screen: QoS > Egress Queues > Internal: Enable Egress QoS: No; Total Bandwidth Rate / Bandwidth Rate Limit: unlimited kbit/s; Queues (with Upper Limit and Comment columns): urgent 10 unlimited High; important 10 unlimited Medium; default 10 unlimited Medium; low priority 10 unlimited Low]
Internal: Setting of Egress Queues on the LAN interface.
[Screen: QoS > Egress Queues > External: the same settings as for Internal]
External: Setting of Egress Queues on the WAN interface.
QoS > Egress Queues > VPN via External: Enable Egress QoS: No; Total Bandwidth Rate / Bandwidth Rate
106. ate and public keys are allowed, not the X.509 authentication procedure. If Yes is selected, then the X.509 authentication procedure can be used in addition to the normal procedures (as seen under No). When Yes is selected the following points must be defined: (a) how the local mGuard authenticates itself to the SSH client according to X.509; (b) how the local mGuard authenticates the remote SSH client according to X.509.
[Screen: X.509 Authentication: SSH server certificate: mguard.customer.co.uk; CA certificate: SSH RootCA 01, SSH SubCA 01; X.509 Subject entries, e.g. All users, Meyer Ralf]
These rules allow you to enable SSH remote access. Important: make sure to set secure passwords before enabling remote access. Note: In Stealth mode incoming traffic on the given port is no longer forwarded to the client.
(a) How the local mGuard authenticates itself to the SSH client. SSH server certificate: Specifies how the mGuard identifies itself to the SSH client. Select one of the machine certificates from the list or the "None" entry (see below). None: When None is selected, then the SSH daemon of the mGuard does not authenticate itself to the SSH client via the X.509 certificate. Instead it uses a server key and is thus compatible with older versions of the mGuard. If one of the machine certificates is selected, then this is also offered to the SSH client. The client can then decide whether to use the normal a
107. ate from the currently installed version to the next major release available. Therefore execute the minor release update first and repeat this step until you receive the message that there is no newer minor release available. Then install the next major release.
Update Servers: https://update.innominate.com
There are two possibilities for conducting a firmware update: You have the current package set file on your computer (the file name ends with .tar.gz) and you conduct a local update, OR you download the package set file via the Internet from the update server and then install the packages.
- Depending on the size of the update this may take several minutes.
- A message is displayed if a reboot is necessary after the update is completed.
- Do not disconnect the power supply to the mGuard during the update procedure. The device could be damaged and may be left inoperable. This will require the device to be reactivated by the manufacturer.
- From mGuard version 5.0.0 onwards a license must be purchased for the affected device before the installation of a major release update (e.g. from version 4.x.y to 5.x.y or from version 5.x.y to 6.x.y). The license must be installed on the device before a firmware update is made (see 6.2.3 Management > Licensing, Install on page 75). Minor release upgrades (i.e. same main version, e.g. within version 5.x.y) can be installed without a
108. ate signed by a CA
- A self-signed certificate
For further information on the following table see chapter 6.5.3 Authentication > Certificates on page 136.
X.509 authentication for HTTPS:
The remote peer shows | Certificate specific to the individual, signed by CA | Certificate specific to the individual, self-signed
The mGuard authenticates the remote peer using | All CA certificates that build the chain to the root CA certificate together with the certificates displayed by the remote peer; ADDITIONALLY remote certificates if used as filter | Remote certificate
The remote peer can additionally provide sub-CA certificates. In this case the mGuard can form the set union for building the chain from the provided CA certificates and the self-configured CA certificates. The corresponding root certificate of the mGuard must always be available.
According to this table the certificates must then be provided that the mGuard uses to authenticate a remote user (or their browser) accessing over HTTPS. The following instructions assume that the certificates have been correctly installed in the mGuard (see 6.5.3 Authentication > Certificates on page 136).
- If the use of block lists (CRL checking) is activated under the Authentication > Certificate, Certificate settings menu, then each CA-signed certificate that a remote user shows is checked for blocks.
Configuration Mana
109. ble entries: ARP, IPV4, Any. Other entries must be given in hexadecimal form (up to 4 figures). The entry here is the ID of the affected protocol that can be found in the ethernet header. This can be found in the publication of the affected standard.
IP Protocol (All / TCP / UDP / ICMP / ESP): Defines that only data packets from the selected IP protocol may pass. When All is selected no filtering is made according to the IP protocol.
From IP: Defines that only data packets from the given IP address may pass. 0.0.0.0/0 stands for all addresses. This means that no filtering is made according to the IP address of the sender. To enter an address use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
To IP: Defines that only data packets that should be forwarded to the given IP address may pass through. Entries correspond to From IP as detailed above. 0.0.0.0/0 stands for all addresses. This means that no filtering is made according to the IP address of the sender.
Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type Of Service, DSCP for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP telephone writes outgoing data packets differently into this field than a FTP program that loads the data packages to a server. When a value is selected here, then only data packets with this value in the TOS or DSCP fiel
110. c trap | specific trap | additional | Explanation
Sent when someone tries to open a HTTPS session using an incorrect password. The trap contains the IP address of the last unsuccessful login request attempt.
mGuard | enterpriseSpecific | mGuardShellLoginTrap (2) | mGuardShellLastAccessIP | Sent when someone opens the shell using SSH or the serial port. The trap contains the IP address of the login request. If this request is made over the serial port, then the value is 0.0.0.0.
mGuard | enterpriseSpecific | 23 | mGuardHTTPSLastAccessMAC | Sent when a DHCP request from an unknown client is received.
Hardware related traps (mGuard industrial RS and mGuard EAGLE only): Chassis (power supply, relay). Activate traps: Yes / No
enterprise oid | generic trap | specific trap | additional | Explanation
mGuardTrapSenderIndustrial | enterpriseSpecific | mGuardTrapIndustrialPowerStatus (2) | mGuardTrapIndustrialPowerStatus | Sent when the system registers a power outage.
mGuardTrapSenderIndustrial | enterpriseSpecific | mGuardTrapSignalRelais (3) | mGuardTResSignalRelaisState, mGuardTEsSignlalRelaisReason, mGuardTResSignalRelaisReasonIdx | Sent after the signaling contact is changed and displays the current status (0 = Off, 1 = On).
Agent (ACA, temperature): Activate traps: Yes / No
enterprise oid | generic trap | specific trap | addition
111. canned: When this option is selected the virus filter is switched to pass-through mode, which allows files that exceed the file size to pass through unscanned. In this case the data is not checked for viruses.
Block message: When this option is selected an error code is returned to the e-mail client and the e-mail is blocked.
List of POP3 servers: Enter the servers where the data should be scanned for viruses. By activating and deactivating the anti-virus function for each entry or server you can set an exception for subsequent rules. It is also possible to enter trusted servers (see the example below).
Example: Global activation of anti-virus protection for POP3
Server | Server Port | Comment | Enable Scan
0.0.0.0/0 | 110 | all outgoing connections | Scan
Scan a subnet and exclude a trusted POP3 server:
Server | Server Port | Comment | Enable Scan
192.168.2.5 | 110 | unprotected POP3 | No Scan
192.168.2.0/24 | 110 | protected POP3 | Scan
Scan a single untrusted POP3 server in a subnet:
Server | Server Port | Comment | Enable Scan
192.168.2.5 | 110 | protected POP3 | Scan
192.168.2.0/24 | 110 | unprotected POP3 | No Scan
- The rule record is processed top down, meaning the order of the rules is decisive for the results.
- The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number results in the refusal of further connection atte
112. cations. For example, it is used to download files (e.g. software updates) or to initialize multimedia streams.
- When virus protection is activated the transferred file is only forwarded after it has been loaded completely and scanned. Consequently user software may react slower when downloading larger files or whenever download speeds are slow.
- To check HTTP anti-virus protection you can download the safe Eicar test virus, which is available for test purposes at http://www.eicar.org/anti_virus_test_file.htm.
Enable content scanning for HTTP (Yes/No): By selecting Yes, received files are scanned for viruses by mGuard if they are transferred via HTTP connections contained in the List of HTTP servers defined below.
HTTP maximum filesize for scanning in bytes (factory default 5 MB): Specify the maximum size of the files to be checked here. Larger files are not scanned. Depending on the "When size limit is exceeded" setting, an error message is sent to the browser if a file exceeds the size limit, or the system automatically switches to pass-through mode. If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message is sent to the user's client software (browser or download manager) and an entry is written in the anti-virus log. In this case you have the following options:
- You ca
113. ccessful the error LED lights up red.
- mGuard delta: If successful the status LED lights up green. If unsuccessful the status LED stays off.
Once again press the Rescue button slowly 6 times.
4. If successful the device reboots after two seconds and switches to Stealth mode (or Router mode for mGuard delta and blade controller). It can then be accessed again under the following address: https://1.1.1.1 (mGuard delta and blade controller: https://192.168.1.1).
7.3 Flashing the firmware
Objective: To reload all mGuard software onto the device.
- All configured settings are deleted. The mGuard is restored to the factory default settings. From mGuard version 5.0.0 onwards the licenses installed in the mGuard remain in place after flashing the firmware. They therefore do not need to be installed again.
- Only firmware from version 5.1.0 onwards can be installed on the mGuard industrial RS.
Possible reasons for flashing the firmware: The administrator and root password have been lost.
Action: Proceed as follows. Do not disconnect the power supply to the mGuard during the flashing procedure. The device could be damaged and may be left inoperable. This will require the device to be reactivated by the manufacturer.
Requirements:
- The mGuard software has been copied from the mGuard CD-ROM or obtained from Innominate Support and saved on the configuration computer.
- If your current software version is higher than
114. (illegible) 29
Installing the mGuard bladeBase 29
Installing the mGuard blade 29
Control unit (CTRL) 29
mGuard blade connection 30
4.4 Installing the EAGLE mGuard 31
Terminal block 31
Assembly 31
(illegible) 32
Network connection 32
Disassembly 32
4.5 Connecting the mGuard delta 33
4.6 Installing the mGuard PCI 34
4.6.1 Selection of Driver mode or Power over PCI mode 34
Driver mode 34
Power over PCI mode 35
4.6.2 Hardware installation 37
4.6.3 (illegible) 38
Windows XP 38
Windows 2000 39
(illegible) 42
5 Preparing the configuration 43
5.1 Connection requirements 43
mGuard industrial RS 43
(illegible) 43
mGuard PCI 43
mGuard blade
115. ceived Vendor ID payload draft ietf 3
pluto[2820]: packet from 77.245.32.76:4500: received Vendor ID payload draft ietf 3
pluto[2820]: packet from 77.245.32.76:4500: received Vendor ID payload Dead Peer Di
pluto[2820]: "v000_001" #249: responding to Main Mode
pluto[2820]: "v000_001" #249: transition from state STATE_MAIN_R0 to state STATE_MA
pluto[2820]: "v000_001" #249: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[2820]: "v000_001" #249: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ik
pluto[2820]: "v000_001" #249: transition from state STATE_MAIN_R1 to state STATE_MA
pluto[2820]: "v000_001" #249: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[2820]: "v000_001" #249: Main mode peer ID is ID_DER_ASN1_DN: 'CN=mGuard, C=del
pluto[2820]: "v000_001" #249: issuer cacert not found
pluto[2820]: "v000_001" #249: X.509 certificate rejected
pluto[2820]: "v000_001" #249: I am sending my cert
pluto[2820]: "v000_001" #249: transition from state STATE_MAIN_R2 to state STATE_MA
pluto[2820]: "v000_001" #249: STATE_MAIN_R3: sent MR3, ISAKMP SA established auth
pluto[2820]: "v000_001" #249: Dead Peer Detection (RFC 3706) enabled
pluto[2820]: packet from 77.245.32.76:4500: Informational Exchange is for an unknow
dynip register: DynDNS.org: trying
dynip register: no update needed at this time: success
dynip register: DynDNS.org: trying
dynip register: no update needed at this time: success
pluto[2820]: packet from 77.245.32.76
116. certificate can be consulted in order to check that a certificate signature has this CA. This check only makes sense if there is little doubt that the CA certificate originates from an authentic source (i.e. is also authentic). If doubt occurs, then the CA certificate itself can be checked. If, as is usually the case, this applies to a sub-CA certificate (i.e. a CA certificate issued by a sub-certificate authority), then the CA certificate of the superordinate CA can be used to check the CA certificate of the subordinate instance. If a superordinate CA certificate also has a superordinate CA certificate, then its CA certificate can be used to check the CA certificate of the subordinate instance. This chain of trust continues down to the root instance (root CA). The CA file of the root CA is necessarily self-signed. This instance is the highest available and is ultimately the basis of trust. No one else can certify that this instance is actually the instance in question. A root CA is therefore a state or state-controlled organization. The mGuard can use its imported CA certificate to check the validity of displayed certificates from remote peers. For example, with VPN connections the authentication of remote peers can only be made using the CA certificate. In this case all CA certificates must be installed in mGuard in order to build a chain with the certificate displayed by the remote peer
117. ch works correctly in all cases. Special dial characters can be used in the dial sequence. See the following table for more details.
HAYES special dial characters:
W: Instructs the modem to make a pause in dialing until the dial tone can be heard. Used when the modem is connected to a private branch exchange: an external line must be obtained first for outgoing calls by dialing a certain number (e.g. 0) before the desired telephone number can be dialed. Example: ATD0W765432
T: Change to tone dialing. Set the special dial character T before the dialed number if the faster tone dialing procedure should be used (only with tone-compatible telephone connections). Example: ATDT765432
Authentication (PAP / CHAP / None): PAP = Password Authentication Protocol, CHAP = Challenge Handshake Authentication Protocol. These are procedures used for the secure transfer of authentication data over Point-to-Point Protocol. If the ISP requires the user to login using user name and password, then PAP or CHAP is used as the authentication procedure. The user name, password and any other entries needed for the user to access the Internet are given to the user by the ISP. The relevant fields are displayed depending if PAP, CHAP or None is selected. Enter the relevant data in these fields.
If authentication is made via PAP:
[Screen: Authentication: PAP; User name; Password; PAP se
118. changes for each online session. Even if the computer is online 24 hours a day without interruption (e.g. flat rate), the IP address will change during the session. If a local computer should be accessible via the Internet, it must have an address that is known to the remote peer. This is the only way to establish a connection to the local computer. If the address of the local computer changes constantly, then this is not possible. The exception to this is when the operator of the local computer has an account with a Dynamic DNS provider (DNS = Domain Name Server). In this case the operator can set a host name with this provider under which the system should be accessible, e.g. www.example.com. The Dynamic DNS provider also provides a small program that must be installed and run on the affected computer. At each new Internet session this tool informs the Dynamic DNS provider which IP address the local computer has currently been assigned. The Domain Name Server registers the current assignment of host name to IP address and also informs the other Domain Name Servers over the Internet. If a remote system now wishes to establish a connection to a local system that is registered with the DynDNS provider, then the remote system can use the host name of the local system as its address. This will establish a connection to the responsible DNS (Domain Name Server) in order to look up the IP address that is currently registered for this host name. The correspo
119. ci driver.
- Enter the following commands:
cd /usr/src/pci-driver
make LINUXDIR=/usr/src/linux
install -m0644 mguard.o /lib/modules/2.4.25/kernel/drivers/net
depmod -a
- The driver can then be loaded using the following command:
modprobe mguard
5 Preparing the configuration
5.1 Connection requirements
mGuard industrial RS: The mGuard industrial RS must be connected to at least one active power supply.
- For local configuration: The computer used for configuration must be connected to the LAN socket of the mGuard.
- For remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must work.
mGuard smart: The mGuard must be connected to a power supply, i.e. connected to an active system or power supply via USB cable.
- For local configuration: The computer used for configuration must either be connected to the LAN port of the mGuard or connected to the mGuard via the local network.
- For remote configuration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must work.
mGuard PCI:
- For local configuration: The computer used for configuration must fulfill the following requirements. mGuard in Driver mode: The mGuard PCI driver must be installed on the computer. mGuard in Power over PCI mode: Th
120. ck on Upload. The certificate contents are then displayed.
VPN Identifier: The following explanation applies when authentication of the VPN remote peer is made using CA certificates. VPN gateways use the VPN Identifier to recognize which configurations belong to the same VPN connection. If the mGuard consults CA certificates to authenticate a VPN remote peer, then it is possible to use the VPN Identifier as a filter. To do this, make the appropriate entries in the Remote peer text field.
Remote peer: Defines what must be entered as a subject in the VPN remote peer machine certificate for the mGuard to accept this VPN remote peer as a communication partner. It is then possible to limit or release access by VPN remote peers that would accept the mGuard in principle based on the certification check: limitation to certain subjects (i.e. machines) or to subjects that have certain attributes, or release for all subjects. See also glossary under Subject, certificate. (Subject was previously known as Distinguished Name.)
Release for all subjects: If the Remote peer field is left empty, then any subject entries are allowed in the machine certificate displayed by the VPN remote peer. Identification or definition of the subject in the certificate is then no longer needed.
Limitation to certain subjects: In the certificate the certificate owner is entered in the Subject field. The entry is comprised of several attr
121. configuration stored on the controller for this slot.
Upload configuration from client: Uploads and saves a configuration profile for this slot onto the controller.
Download configuration to client: Downloads the configuration profile stored on the controller for this slot onto the configuration PC.

Configuration: Network Menu

6.4 Network Menu

6.4.1 Network > Interfaces

General
[Screenshot: Network > Interfaces page. Network Status: External IP address, Network Mode, Status, Active Default route, Used DNS servers. Network Mode: Router. External Networks: Obtain external configuration via DHCP; External IPs (IP, Netmask, Use VLAN, VLAN ID; untrusted port); Additional External Routes; IP of default gateway 192.168.3.254. Internal Networks: Internal IPs (IP 192.168.1.10, Netmask 255.255.255.0, Use VLAN: No); Additional Internal Routes.]

Network Status
External IP address (WAN port address): Display only. The addresses through which the mGuard can be accessed by devices from the external network. They form the interface to other parts of the LAN or to the Internet. If the transition to the Internet takes place here, the IP addresses are usually designated by the Internet Service Provider (ISP). If the mGuard is assigned an IP address dynamically, you can look up the currently valid IP address here. In Stealth mode, the mGuard adopts the address of the connected local computer as its ex
122. connections via this VPN connection. However, the extended firewall settings defined above (see Network Security Menu (not for blade controller), Network Security > Packet Filter > Advanced on page 155) apply independently for each individual VPN connection.

Note: If multiple firewall rules are set, they will be searched in the order in which they are listed (top down) until a suitable rule is found. This rule is then applied. If there are other suitable rules further down the list, then these are ignored.

Note: In Stealth mode, the actual IP address used by the client should be used in the firewall rules, or it should be left at 0.0.0.0/0. Only one client can be addressed through the tunnel.

You have the following options:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
From/To IP: 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
Incoming: From IP: the IP address in the VPN tunnel. To IP: the 1-to-1 NAT address or actual address.
Outgoing: From IP: the 1-to-1 NAT address or actual address. To IP: the IP address in the VPN tunnel.

[196 of 243]
Configuration: IPsec VPN Menu (not for blade controller)
From/To Port: Only evaluated for the TCP and UDP protocols. any describes any selected port. startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port nu
123. cting to the Internet. As PPP is used for the connection, the IP address is not normally specified. This means you can use the predefined value 0.0.0.0.
Netmask: The netmask here belongs to both the Local and the Remote IP address. Normally all three values (Local IP, Remote IP and Netmask) are set, or all remain set to 0.0.0.0.

Configuration: Network Menu
Make further modem connection settings on the Modem tab (see Modem on page 120).
Internal Networks: Configuration of the internal network is described under Network Mode > Router, PPPoE, PPTP or Modem / Built-in Modem > Internal Networks on page 116.
[115 of 243]

Configuration: Network Menu
Network Mode > Router, PPPoE, PPTP or Modem / Built-in Modem > Internal Networks
[116 of 243]
Internal IPs (trusted port): The internal IP is the IP address where the mGuard can be accessed by devices on the locally connected network. The factory defaults for Router, PPPoE, PPTP and Modem mode are as follows: IP address 192.168.1.1, Local netmask 255.255.255.0. You can also specify other addresses where the mGuard can be accessed by devices on the locally connected network. For example, this can be useful if the locally connected network is divided into subnetworks. Multiple devices on different subnetworks can then access the mGuard under different addresses.
IP: IP address where the mGuard is accessible over the LAN port.
Netmask: The netmask of the network connected to the
124. d for access as: All users, root, admin, netadmin, audit. Filter which defines that the SSH client has to have a certain administration level (authentication) in order to gain access.
Explanation: During connection, the SSH client shows its certificate and also the system user for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted when the entries match those defined here. Access for all listed system users is possible when All users is set. The netadmin and audit settings relate to access rights with the Innominate Device Manager.
[67 of 243]

Configuration: Management Menu

6.2.2 Management > Web Settings

General
[68 of 243]
[Screenshot: Management > Web Settings > General: Language: automatic; Session Timeout (seconds): 1800.]

Language: If automatic is selected from the list of languages, the device uses the language setting of the system browser.
Session Timeout (seconds): Specifies the time interval of inactivity in seconds after which the user will be logged out automatically. Possible values: 15 to 86400 (24 hours).
Scope of the Apply button: Defines whether the Apply button must be pressed after configuration changes are made for each individual page (Per Page). Otherwise the Apply button can be pressed for changes on several pages (Cross page) so that the settings are adopted by the mGuard and then come into effect.
125. d may pass through. When All is selected, no filtering is made according to the TOS/DSCP value.
[205 of 243]

Configuration: QoS Menu
Guaranteed: The entered number defines how many data packets or kbit/s can pass through at all times, according to the set units (see above). This applies to the data flow that conforms to the rule record criteria listed on the left, i.e. that may pass through. The mGuard may drop the excess data packets during capacity bottlenecks if this data flow delivers more data packets per second.
Upper Limit (kbit/s): The entered number defines the maximum number of data packets or kbit/s that can pass through, according to the set units (see above). This applies to the data flow that conforms to the rule record criteria listed on the left, i.e. that may pass through. The mGuard will drop the excess data packets if this data flow delivers more data packets per second.
Comment: Optional text comment.
[206 of 243]

Configuration: QoS Menu

6.10.2 Egress Queues

Internal / External / VPN via External
The services are allocated according to defined priorities. During connection bottlenecks, the outgoing data packets are put into egress queues (i.e. queues for waiting packets) and are then processed according to their priority. Ideally, the allocation of priority levels and bandwidths should result in a sufficient bandwidth level being available for the complete transfer of d
126. d will not connect to the service provider when the ISP does not give the correct name.
Secret (Password for client authentication): Password entered during ISP login to access the Internet.
CHAP server authentication: Yes / No. Yes: the following entry field appears. Password for server authentication: the password that the mGuard queries from the server. The mGuard only allows the connection when the server provides the agreed password.
Subsequent fields: See under If None is selected as authentication on page 113.

If None is selected as authentication: In this case all fields that relate to PAP or CHAP are hidden. Only the fields that define further settings remain.
[Screenshot: Idle time (seconds): 300; Local IP: 0.0.0.0; Remote IP: 0.0.0.0; Netmask: 0.0.0.0.]
[113 of 243]

Configuration: Network Menu
[114 of 243]
Dial on demand: Yes / No. Yes (standard): This setting is useful for telephone connections where costs are calculated according to connection length. The mGuard only commands the modem to establish a telephone connection when network packets are to be transferred. It also instructs the modem to terminate the telephone connection as soon as no more network packets are to be transferred for a specific time (see values in Idle timeout). By doing this, the mGuard is not constantly available externally, i.e. for incoming data packets. When No is selected, the mGuard establishes a telephone connection using
127. d with a new header and sent to the remote peer VPN gateway (the tunnel end). The transferred datagrams are then decrypted and the original datagrams are restored. These are then forwarded to the destination system.
Transport (Host <-> Host): In this type of connection the device only encrypts the data of the IP packets. The IP header information remains unencrypted. When a change to Transport is made, the following fields (apart from the protocol) are hidden, as these parameters are omitted.

Local / Remote for connection type Tunnel (Network <-> Network)
Define the network areas for both tunnel ends under Local and Remote.
[Figure: IPsec tunnel between the local VPN gateway and the remote VPN gateway, with the local network on one side and the remote network on the other.]
Local: Enter the network or computer address where the local mGuard is connected.
Remote: Enter the network or computer address found behind the remote VPN gateway.
[186 of 243]

Configuration: IPsec VPN Menu (not for blade controller)
Default route over the VPN: The address 0.0.0.0/0 provides a default route over the VPN. In this case all data traffic for which no other tunnel or route exists is forwarded through this VPN tunnel.
Note: A default route over the VPN should only be given for one tunnel.
Note: A default route over the VPN cannot be used in Stealth mode.
Options following installation of a VPN tunnel group license: When any is entered under Address of the remote site's VPN gatewa
128. data pass unscanned
[Screenshot: List of FTP Servers table with the columns Server, Server port, Comment, Enable scan; one entry: 0.0.0.0/0, port 21, comment "to any", Scan.]
Note: Both global content scanning for FTP must be enabled and firewall rules defining the IP address range to be scanned must be set.
The FTP protocol is used for uploading and downloading files.
- When virus protection is activated, the transferred file is only forwarded after it has been loaded completely and scanned. Consequently, user software may react more slowly when downloading larger files or whenever download speeds are slow.
- To check FTP anti-virus protection, you can download the harmless Eicar test virus, which is available for test purposes at http://www.eicar.org/anti_virus_test_file.htm
- The mGuard can only be used to protect the FTP client.

Options
Enable content scanning for FTP: Yes / No. By selecting Yes, received files are scanned for viruses by the mGuard if they are transferred via FTP connections contained in the List of FTP servers defined below.
FTP maximum filesize for scanning in bytes: Factory default 5 MB. Specify the maximum size of the files to be checked here. Larger files are not scanned. Depending on the When size limit is exceeded setting, an error message is sent to the client if a file exceeds the size limit, or the system automatically switches to pass-through mode. If the mGuard does not have enough memory to save a file completely or to
129. ddresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
[165 of 243]

Configuration: Network Security Menu (not for blade controller)
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).
[166 of 243]

Configuration: Web Security Menu (not for blade controller)

6.7 Web Security Menu (not for blade controller)

6.7.1 Web Security > HTTP

Virus Protection Options
Requirements: The following requirements must be fulfilled in order to use the virus filter:
- The anti-virus license has been installed. Instructions on how to request and install a license can be found under the section Management > Licensing on page 75.
- Access to an update server with the current versions of the virus signatures (see section Management > Update on page 77).
[Screenshot: Virus Protection Options: HTTP maximum filesize for scanning: 2 MB; Action for infected web content: Notify with browser error; Action for web content exceeding maximum content size: Let data pass unscanned. List of HTTP Servers with the columns Server, Server port, Comment, Enable scan; one entry: 0.0.0.0/0, port 80, Scan.]
The HTTP protocol is not only used by web browsers to retrieve data from websites, it is also used in many other appli
130. default settings (apart from mGuard delta and blade controller). Router mode: https://192.168.1.1 (factory default for mGuard delta and blade controller).
Proceed as follows:
1. Start the web browser (e.g. Firefox, MS Internet Explorer or Safari; the web browser must support SSL, i.e. https).
2. Ensure that the browser does not automatically dial a connection at startup, as this could make it more difficult to establish a connection to the mGuard. In MS Internet Explorer, make this setting as follows: In the Extras menu, select Internet Options and click on the Connections tab. Ensure that Never dial a connection is selected under Dial-up and Virtual Private Network settings.
3. Enter the complete address of the mGuard in the address field of the browser (mGuard IP address):
   In Stealth mode (factory default except for mGuard delta and blade controller), this is always https://1.1.1.1.
   When not in Stealth mode, i.e. in Router (factory default for mGuard delta and blade controller), PPPoE or PPTP mode, this is always https://192.168.1.1.
Result: You reach the mGuard administrator website. The security notice shown on the next page is displayed.

Note (if you have forgotten the configured address): If the address of the mGuard in Router, PPPoE or PPTP mode has been changed and the current address is unknown, you must use the Recovery key to set the mGuard to Stealth mode (or Router mode for mGuard delta and b
131. e: Sent when the state of an L2TP connection changes.

Configuration: Management Menu
Trap destinations: Traps can be sent to one or more targets.
Destination IP: IP address to which the trap should be sent.
Destination Name: Optional name for the destination. Has no influence on the generated traps.
Destination Community: Name of the SNMP community allocated to the trap.

LLDP
[Screenshot: Management > SNMP > LLDP: LLDP Mode: Enabled; Internal / LAN interface and External / WAN interface tables with the columns Chassis ID, IP address, Port description.]
LLDP (Link Layer Discovery Protocol, IEEE 802.1AB-D13) supports the automatic detection of ethernet network topology using suitable request methods. LLDP-capable devices periodically send ethernet multicasts (layer 2). Tables of the systems connected to the network are created from their answers, which can then be requested using SNMP.
LLDP Mode: The LLDP service (agent) can be enabled or disabled here.
Internal / LAN interface and External / WAN interface:
Chassis ID: A unique ID of the found system, typically one of its MAC addresses.
IP address: The IP address of the found system, via which SNMP administration can be made.
Port description: A textual description of the network interface where the system was found.
System name: Hostname of the found system.
[91 of 243]

Configuration: Management Menu

6.2.7 Management > Central Management
Configurati
132. e: 24 V DC; 32 V DC
Potential difference to input voltage ground: 32 V DC
Power consumption: Max. 7.2 W at 24 V DC (24.6 Btu (IT)/h)
Current overload protection at input: Non-changeable fuse
Dimensions (W x H x D): 46 mm x 131 mm x 111 mm
Weight: 340 g
Ambient temperature: Ambient air 0 °C to 55 °C
[241 of 243]

Technical Data
Storage temperature: Ambient air 40 °C to 80 °C
Relative humidity: 10 to 95 %, non-condensing
Atmospheric pressure: Suitable for operation up to 2000 m (795 hPa)
Pollution degree: 2
EMC anti-interference level:
- Discharge of static electricity: Contact discharge EN 61000-4-2, Test level 3; Air discharge EN 61000-4-2, Test level 3
- Electromagnetic fields: EN 61000-4-3, Test level 3
- Fast transients: EN 61000-4-4, Test level 3
- Symmetrical surge voltage: EN 61000-4-5, Test level 2
- Asymmetrical surge voltage: EN 61000-4-5, Test level 3
- Cable-based RF faults: EN 61000-4-6, Test level 3
- EN 55022 Class A; FCC 47 CFR Part 15 Class A
[242 of 243]

Resistance:
- Vibration: Germanischer Lloyd Rules for Classification and Construction VI-7-3 Part 1, Ed. 2003; IEC 60068-2-6 Test FC, test level according to IEC 61131-2 E2 CDV; Germanischer Lloyd Guidelines for the Performance of Type Tests, Part 1
- Shock: IEC 60068-2-27 Test EA, test level according to IEC 61131-2 E2 CDV
Certifications: Complies with cUL 508, CSA 22.2 No. 142
c
133. e name or path is displayed in the text field.
3. Click on the Upload button.
Result: The configuration profile is loaded onto the mGuard. The name assigned in step 1 is displayed in the list of the profiles stored on the mGuard.

be stored on an external auto-configuration adaptor (ACA). Connect the ACA to the V.24 (ACA11) or USB (ACA21) port of the EAGLE mGuard.

Configuration: Management Menu
Storing a profile on the ACA:
1. When the EAGLE mGuard from which the profile is exported has a root password other than "root", then you must enter it under The root password to save on ACA.
2. Click on the Save button.
Result: The LED STATUS and the V.24 LED (for ACA11) flash until the store procedure is finished.
Restoring a profile from the ACA: Plug the ACA into the EAGLE mGuard V.24 port. Start the EAGLE mGuard whilst the ACA is plugged in. The mGuard password must be either "root" or correspond to the password designated when storing the profile. The LED STATUS and the V.24 LED (for ACA11) flash until the load procedure is finished.
Result: The configuration profile loaded from the ACA is loaded into the EAGLE mGuard and started. It does not appear in the list of configuration profiles stored on the EAGLE mGuard.
Note: The configuration on the ACA also includes the root, admin and user passwords. These are also used when restoring a configuration from the ACA.
[83 of 243]
Configuration: Ma
134. e the administrator can log on to the mGuard via the PPP protocol. In this case the configuration connection is not made over the Serial Port socket on the front side. Instead, it is made over the terminal block on the bottom, where the built-in modem or ISDN terminal adaptor makes contact with the telephone network. Modem settings are made on the Modem tab. Built-in Modem can only be selected when the modem is free, i.e. not occupied by normal data traffic through a previous selection of Built-in Modem under Network Mode (see Network > Interfaces on page 99).
Local IP: IP of the mGuard that can be accessed by a PPP connection.
Remote IP: IP address of the PPP connection remote peer.
PPP Login name: Login name that the PPP remote peer has to enter to gain access to the mGuard using PPP. (mGuard, mGuard delta)
PPP Password: Password that the PPP remote peer has to enter to gain access to the mGuard using PPP.
[119 of 243]

Configuration: Network Menu
Incoming Rules (PPP): Firewall rules for the PPP connection to the LAN interface. You have the following options:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
From/To IP: 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
From/To Port: Only evaluated for the TCP and UDP protocols. any describes any selected port. startport:endport (e.g. 110:120) defines a rang
135. e 116.

Configuration: Network Menu > Network Mode PPTP
[Screenshot: Network > Interfaces > General with Network Mode PPTP. Network Status: External IP address; Network Mode: router / static / up; Status: Active Default route; Used DNS servers: DNS Root Servers. Network Mode: PPTP; PPTP Login; PPTP Password; Local IP Mode: Static (from field below); Local IP 10.0.0.140; Netmask; Use VLAN; VLAN ID; Modem IP 10.0.0.138. Internal Networks: Internal IPs (trusted port); Additional Internal Routes.]
PPTP: For access to the Internet, the Internet Service Provider (ISP) gives the user a login name and password. These are required for the connection to the Internet.
PPTP Login: The user name (login) that is required by your Internet Service Provider when you set up a connection to the Internet.
PPTP Password: The password that is required by your ISP when you set up a connection to the Internet.
Local IP Mode: Static / Via DHCP. Via DHCP: If the address data for access to the PPTP server is supplied by the Internet Service Provider via DHCP, select Via DHCP. You then do not need to make an entry in the Local IP field.
Modem IP: The address of the PPTP server at the Internet Service Provider.
Static (from field below): If the address required for PPTP server access is not supplied by the Internet Service Provider via DHCP, then the IP address of the remote PPTP server must be entered as the local
136. e 223
6.14 CIDR (Classless Inter-Domain Routing) ... 224
6.15 Network Examples ... 225
7 The Rescue Button: Restarting, the Recovery Procedure and Flashing Firmware ... 226
7.1 Performing a restart ... 226
7.2 [entry illegible] ... 226
[entry illegible] ... 227
Requirements for flashing the firmware (DHCP and TFTP server) ... 229
7.3.1 Installing DHCP and TFTP servers in Windows or Linux ... 230
[entry illegible] ... 230
[entry illegible] ... 231
8 Glossary ... 232
Asymmetrical encryption ... 232
[entry illegible] ... 232
[entry illegible] ... 232
CA certificate ... 232
Client/Server ... 233
[entry illegible] ... 233
Default route ... 233
DynDNS provider ... 234
[entry illegible] ... 234
[entry illegible] ... 235
Subject, certificate ... 236
NAT (Network Address Translation) ... 237
Port number ... 237
Proxy ... 237
PPPoE ... 237
PPP ... 237
[entry illegible] ... 237
[entry illegible] ... 238
[entry illegible] ... 238
Protocol, communication pro
137. e Egress Queues, or select another one. The name does not define the data priority.
Guaranteed: Bandwidth that should be available for the relevant queue. Use the same units as defined above under Maximum bandwidth rate (kbit/s OR packets/s), but do not enter the units of measurement explicitly. The total of all guaranteed bandwidths must be smaller than or equal to the total bandwidth.
Upper Limit (kbit/s): Maximum permitted bandwidth available for the relevant queue. Use the same units as defined above under Maximum bandwidth rate (kbit/s OR packets/s), but do not enter the units of measurement explicitly. This value must be the same as or larger than the guaranteed bandwidth.
Priority: Low / Medium / High. Defines with which priority the affected queue should be processed, providing the total available bandwidth is not exhausted.
Comment: Optional text comment.

6.10.3 Egress Rules
This page defines which data is assigned to the defined Egress Queues (see above). The data is then transferred with the priority assigned to the respective queue.
[208 of 243]

Configuration: QoS Menu
Internal / External / VPN via External
[Screenshot: QoS > Egress Rules > Internal: Default queue and a rule table; example rows with From/To IP 0.0.0.0/0 and TOS Minimize-Delay (Unchanged) assigned to Urgent, TOS Maximize-Reliability, and TOS Minimize-Cost (Unchanged) assigned to Low Priority.]
138. e: Successful update of AV pattern.
Activate traps: Yes / No
enterprise-oid | generic-trap | specific-trap | additional | Explanation
mGuardTrapBladeCtrlCfg | enterpriseSpecific | mGuardTrapBladeCtrlCfgBackup (1) | mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgBackup | Sent when a blade controller configuration backup is released.
mGuardTrapBladeCtrlCfg | enterpriseSpecific | mGuardTrapBladeCtrlCfgRestored (2) | mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgRestored | Sent when a blade controller configuration restoration is released.
mGuardTrapAv | enterpriseSpecific | mGuardTrapAvUpdateDone (1) | mGuardTResAvUpdateDone | Sent after a successful AV update.

Configuration: Management Menu
AV update or scanning problem
Activate traps: Yes / No
enterprise-oid | generic-trap | specific-trap | additional | Explanation
mGuardTrapAv | enterpriseSpecific | mGuardTrapAvUpdateError (2) | mGuardTResAvUpdateError | Sent when an error occurs during the AV update.
mGuardTrapAv | enterpriseSpecific | mGuardTrapAvFailed (5) | mGuardTResAvFailed | Sent during a general AV error.

Found virus or skipped scanning
Activate traps: Yes / No
enterprise-oid | generic-trap | specific-trap | additional | Explanation

Redundancy traps
Stat
139. e a serial port that can be accessed externally. For these models, mGuard configuration can also be made over this serial port. The following possibilities are available:
A. Connect the serial port of the mGuard to the serial port of a PC. Establish the connection to the mGuard from the PC using a terminal program and carry out the configuration using the command line of the mGuard.
B. Connect a modem to the serial port of the mGuard. This modem is connected to the telephone network (landline or GSM network). (For the mGuard industrial RS with built-in modem or ISDN terminal, the connection to the telephone network is made over the terminal block on the bottom of the device.) This enables a remote PC that is also connected to the telephone network to establish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard via a modem or ISDN adaptor. In the following documentation this procedure is also referred to as the PPP dial-in option for configuration purposes. In order to access the mGuard web configuration user interface using the PC web browser via TCP/IP, you must set up a dial-up network connection to the mGuard (for Windows PCs).

Serial ports
Baudrate: Only valid for configurations where a terminal or a PC with a terminal program is connected to the serial port, as described above under A. Not valid when an external modem is connected (settings are made on the Modem tab). You can define the transfer speed of the serial port over the sel
140. e certificate is a copy of the certificate that is used by a remote peer to authenticate itself to the mGuard. Remote certificates are files received securely from the operators of possible remote peers (file name extension .cer, .pem or .crt). Load these files onto the mGuard so that bilateral authentication can take place. The remote certificates of several possible remote peers can be installed.
Note: The remote certificate for authentication of a VPN connection (or of VPN connection channels) is installed in the IPsec VPN > Connections menu. For more details see Authentication > Certificates on page 136.

Example of imported remote certificates
[Screenshot: Authentication > Certificates > Remote Certificates, Trusted remote Certificates:
Certificate 1: Subject CN=Meyer Ralf, L=B, OU=Service, O=Sample Supplier, C=UK; Issuer CN=Web SubCA 01, O=Sample Web Securities Inc, C=UK; From Jun 20 11:27:08 2007 GMT to Jun 20 11:27:08 2010 GMT; MD5 1D:EF:40:76:D1:52:F8:07:18:0B:6D:F7:85:93:37:6D; SHA1 C8:DC:97:2E:B7:1D:6A:94:EE:FE:6D:6B:71:58:F1:35:52:D3:BE:E1; Shortname: Meyer Ralf; Filename (Browse, Import).
Certificate 2: Subject CN=Wirth Nicola, L=B, OU=Service, O=Sample Supplier, C=UK; Issuer CN=Web SubCA 01, O=Sample Web Securities Inc, C=UK; From Jun 20 11:27:11 2007 GMT to Jun 20 11:27:11 2010 GMT; MD5 09:98:7B:71:58:F5:F6:CF:EA:28:BF:95:6C:8E:A3:7F; SHA1 E3:C3:0F:2E:EC:3D:94:9C:A9:E5:BD:7B:E0:B9:F9:36:E6:D3:0C:9A; Upload; Filename (Browse).]
141. e computer must be connected to the mGuard LAN port or connected to the mGuard over the local network.
- For remote configuration: the mGuard must be configured to permit remote configuration.
- The mGuard must be connected, i.e. the required connections must work.

mGuard blade
- The mGuard blade must be installed inside the mGuard bladeBase and at least one of the bladeBase power supplies must be on.
- For local configuration: the computer used for configuration must either be connected to the LAN socket of the mGuard or connected to the mGuard via the local network.
- For remote configuration: the mGuard must be configured to permit remote configuration.
- The mGuard must be connected, i.e. the required connections must work.

EAGLE mGuard
The EAGLE mGuard must be connected to at least one active power supply.
- For local configuration: the computer used for configuration must either be connected to the LAN socket of the mGuard or connected to the mGuard via the local network.
- For remote configuration: the mGuard must be configured to permit remote configuration.
- The mGuard must be connected, i.e. the required connections must work.

mGuard delta
The mGuard must be connected to its power supply.
- For local configuration: the computer used for configuration must either be connected to the mGuard LAN switch (ethernet socket 4 to 7) or connected to the mGuard via the local network.
- For remote confi
142. e.g. the Internet, to form a single joint network. A cryptographic protocol is used to ensure confidentiality and authenticity. A VPN thus offers an economical alternative to using dedicated lines to build a nationwide corporate network.
[239 of 243]

9 Technical Data

General
CPU: Intel IXP 42x with 266 MHz or 533 MHz
Memory: 16 MB Flash, 64 MB SDRAM (mGuard delta: 128 MB)
LAN and WAN interfaces: Ethernet IEEE 802, 10/100 Mbps, RJ45
Serial: RS-232
Power supply: smart: via USB interface (5 V, 500 mA) or external power supply (110-230 V); delta: 5 V DC, 3 A
Operating system: Innominate Embedded Linux
Operation supervision: Watchdog and LEDs
Relative humidity: blade, smart, PCI: max. 90 %, non-condensing; delta: 5-95 %, non-condensing
Ambient temperature: smart, blade, delta: 0-40 °C; PCI: 0-70 °C
Network size: Length of a 10BASE-T/100BASE-TX twisted-pair segment approx. 100 m

mGuard industrial RS
Operating voltage: 9 to 36 V DC
Potential difference between input voltage and housing: 36 V DC
Power consumption: Maximum 4 W at 24 V DC
Current overload protection at input: Non-changeable fuse
Dimensions (W x H x D): 45 mm x 100 mm x 111 mm
Weight: 250 g
Ambient temperature: Ambient air 0 °C to 55 °C
Relative humidity: 10 to 95 %, non-condensing
Pollution degree: 2
[240 of 243]
Technical Data
143. e in the mGuard under Authentication > Certificates is not sufficient. In addition, the relevant applications (VPN, SSH, HTTPS) must reference which mGuard certificate imported from the pool is to be used.
Note: The remote certificate for authentication of a VPN connection (or of VPN connection channels) is installed in the IPsec VPN > Connections menu.

Certificate settings
[Screenshot: Authentication > Certificates > Remote Certificates > Certificate settings: Check the validity period of certificates and CRLs: No; CRL download interval: Never.]
Certificate settings: The settings made here relate to all certificates and certificate chains checked by the mGuard. Excepted are the self-signed certificates of remote peers (VPN) among the remote certificates.
[140 of 243]

Configuration: Authentication Menu
Check the validity period of certificates and CRLs: No / Wait for system time synchronization.
No: The validity periods entered in certificates and CRLs are ignored by the mGuard.
Wait for system time synchronization: The validity periods entered in certificates and CRLs are only considered by the mGuard once the current date and time are known, either through the installed clock (for mGuard industrial RS and mGuard delta) or by synchronizing the system time (see Time and Date on page 59). Up until that point, all certificates are considered invalid.
Enable CRL checking: Yes / No. Yes: When CRL check
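The two certificate-acceptance decisions the manual describes, the Remote peer subject filter ("Release for all subjects" when the field is empty, otherwise limitation to subjects that carry certain attributes) and the validity-period check that treats every certificate as invalid until the system time is known, as one added worked example. This is example code written for this edit, not the mGuard's own implementation. Assumptions are labelled in the code: the filter is matched by requiring every attribute named in it to appear in the peer subject with the same value, the sample certificate's subject, issuer and validity dates are taken from the screenshot values on the page, and its serial number is a placeholder because the page shows none.

```python
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split 'CN=Meyer Ralf, L=B, OU=Service, O=Sample Supplier, C=UK' into
    (attribute, value) pairs; attribute names are compared case-insensitively."""
    pairs = []
    for component in subject.split(","):
        if "=" not in component:
            raise ValueError(f"malformed subject component: {component!r}")
        name, value = component.split("=", 1)
        pairs.append((name.strip().upper(), value.strip()))
    return pairs


def subject_allowed(peer_subject: str, remote_peer_filter: str) -> bool:
    """Empty filter: release for all subjects.  Otherwise (assumed matching
    model) every attribute listed in the filter must be present in the peer's
    subject with exactly that value; attributes not listed are unconstrained."""
    if not remote_peer_filter.strip():
        return True
    present = set(parse_subject(peer_subject))
    return all(required in present for required in parse_subject(remote_peer_filter))


def validity_ok(not_before: datetime, not_after: datetime, now: datetime,
                check_validity: str, time_synced: bool) -> bool:
    """check_validity 'no': the validity period is ignored.
    'wait': the period is only considered once the system time is known;
    before that every certificate is treated as invalid (fail closed)."""
    if check_validity == "no":
        return True
    if check_validity == "wait":
        if not time_synced:
            return False
        return not_before <= now <= not_after
    raise ValueError(f"unknown setting: {check_validity!r}")


def accept_peer(cert: Dict[str, object], remote_peer_filter: str, now: datetime,
                check_validity: str = "wait", time_synced: bool = True,
                crl_check: bool = True,
                revoked_serials: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Run the subject filter, the validity check and (assumed) a CRL lookup
    by serial number; returns (accepted, reason)."""
    if not subject_allowed(cert["subject"], remote_peer_filter):
        return False, "subject does not match the Remote peer filter"
    if not validity_ok(cert["not_before"], cert["not_after"], now,
                       check_validity, time_synced):
        return False, "validity period not satisfied or system time unknown"
    if crl_check and cert["serial"] in revoked_serials:
        return False, "certificate listed in CRL"
    return True, "accepted"


# Constructed peer certificate: subject, issuer and validity period are the
# sample values from the manual's screenshot; the serial number is a placeholder.
PEER_CERT = {
    "subject": "CN=Meyer Ralf, L=B, OU=Service, O=Sample Supplier, C=UK",
    "issuer": "CN=Web SubCA 01, O=Sample Web Securities Inc, C=UK",
    "not_before": datetime(2007, 6, 20, 11, 27, 8, tzinfo=timezone.utc),
    "not_after": datetime(2010, 6, 20, 11, 27, 8, tzinfo=timezone.utc),
    "serial": "SERIAL-PLACEHOLDER-1",
}

# Constructed evaluation times: one inside the validity period, one after it.
NOW_2008 = datetime(2008, 1, 1, tzinfo=timezone.utc)
NOW_2011 = datetime(2011, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(accept_peer(PEER_CERT, "O=Sample Supplier, C=UK", NOW_2008))
    print(accept_peer(PEER_CERT, "O=Sample Supplier, C=UK", NOW_2008, time_synced=False))
    print(accept_peer(PEER_CERT, "O=Other Corp", NOW_2008))
```

The order of the checks matters for what an operator sees in the log: a peer whose subject is not released is refused before any clock or CRL state is consulted, and with "Wait for system time synchronization" a device that has not yet obtained the time refuses every peer, which is the intended fail-closed behaviour rather than a fault.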
144. e of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that the data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. Drop means that the data packets may not pass through; they are discarded and the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, factory default).
Log entries for unknown connection attempts: Yes / No. When set to Yes, all attempts to establish a connection that are not covered by the rules defined above are logged.
Outgoing Rules (Port / Modem): Only mGuard industrial RS, mGuard blade, EAGLE mGuard and mGuard delta. Firewall rules for the PPP connection from the LAN interface. The parameters correspond to those of the Incoming Rules (PPP), see above.

For mGuard industrial RS, mGuard blade, EAGLE mGuard and mGuard delta:
[Screenshot: Network > Interfaces > External Modem: Hardware handshake (RTS/CTS): off; Baudrate: 57600; Modem init string: AT / OK; Modem reset string: ATH.]
External Modem
[120 of 243]
Note: The settings here only come into force when an external modem is connect
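An added worked example of the firewall rule semantics the manual describes for the VPN and PPP rule tables: protocol (All / TCP / UDP / ICMP), From/To IP in CIDR notation with 0.0.0.0/0 meaning all addresses, From/To Port as any, a single port, a service name (110 for pop3, pop3 for 110) or startport:endport, the actions Accept / Reject / Drop, per-rule logging, and first-match evaluation top down so that a later matching rule is ignored. This is example code written for this edit, not the mGuard's own packet filter. Assumptions are labelled in the code: the service-name table is a small constructed stand-in for /etc/services, the rule set is constructed, and the action taken for a packet no rule covers is a parameter, since the page only states that such attempts are logged when "Log entries for unknown connection attempts" is Yes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service-name table standing in for /etc/services; the page's own
# example pair is 110 <-> pop3.
SERVICES = {"pop3": 110, "smtp": 25, "http": 80, "https": 443, "ssh": 22}


def parse_port_token(token: str) -> int:
    """One port given as a number ('110') or a service name ('pop3')."""
    token = token.strip().lower()
    if token.isdigit():
        port = int(token)
    elif token in SERVICES:
        port = SERVICES[token]
    else:
        raise ValueError(f"unknown port or service name: {token!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'any', a single port/service, or 'startport:endport' -> inclusive (low, high)."""
    spec = spec.strip().lower()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        low, high = (parse_port_token(t) for t in spec.split(":", 1))
        if low > high:
            raise ValueError(f"inverted port range: {spec!r}")
        return (low, high)
    port = parse_port_token(spec)
    return (port, port)


@dataclass
class Rule:
    protocol: str            # "All", "TCP", "UDP" or "ICMP"
    from_ip: str             # CIDR; 0.0.0.0/0 means all addresses
    to_ip: str
    from_port: str = "any"   # only evaluated for TCP and UDP
    to_port: str = "any"
    action: str = "Accept"   # Accept, Reject or Drop
    log: bool = False        # factory default: No
    comment: str = ""


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto = pkt.protocol.upper()
    if rule.protocol.upper() != "ALL" and rule.protocol.upper() != proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip, strict=False):
        return False
    if proto in ("TCP", "UDP"):
        # Port fields are ignored for ICMP and other IP protocols.
        low, high = parse_port_spec(rule.from_port)
        if pkt.sport is None or not low <= pkt.sport <= high:
            return False
        low, high = parse_port_spec(rule.to_port)
        if pkt.dport is None or not low <= pkt.dport <= high:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, log_unknown: bool = False,
             default_action: str = "Drop") -> Tuple[str, Optional[str]]:
    """Walk the list top down and apply the first matching rule.
    Returns (action, log line or None).  default_action (assumption) applies
    to packets that no rule covers."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            line = None
            if rule.log:
                line = f"rule {index} ({rule.comment}): {rule.action} {pkt.protocol} {pkt.src}->{pkt.dst}"
            return rule.action, line
    line = None
    if log_unknown:
        line = f"unknown connection attempt: {pkt.protocol} {pkt.src}->{pkt.dst}"
    return default_action, line


# Constructed rule set: the second rule also matches POP3 traffic from 10/8 but
# is never reached for it, which is the shadowing the page's note describes.
RULES = [
    Rule("TCP", "0.0.0.0/0", "192.168.1.0/24", "any", "pop3", "Accept", True, "mail to LAN"),
    Rule("TCP", "10.0.0.0/8", "192.168.1.10/32", "any", "110:120", "Drop", True, "shadowed for 110"),
    Rule("ICMP", "192.168.1.0/24", "0.0.0.0/0", action="Reject", comment="ping from LAN"),
]

if __name__ == "__main__":
    print(evaluate(RULES, Packet("TCP", "10.1.2.3", "192.168.1.10", 40000, 110), log_unknown=True))
    print(evaluate(RULES, Packet("UDP", "10.1.2.3", "192.168.1.10", 5000, 53), log_unknown=True))
```

The shadowing case is the one worth checking in a real rule table: the Drop rule for 110:120 from 10.0.0.0/8 never sees port 110 because the broader Accept rule above it matches first, so the order of the rows, not only their contents, determines what reaches the LAN.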
145. e of the files to be checked here. Larger files are not scanned. Depending on the "When size limit is exceeded" setting, either an error message is sent to the SMTP client and the e-mail is not sent, or the system automatically switches to pass-through mode. If the mGuard does not have enough memory to save a file completely or to decompress it, a corresponding error message is sent to the user's e-mail client software and an entry is written in the anti-virus log. In this case you have the following options: you can try to send the file again later; you can temporarily deactivate the virus filter for the corresponding server; you can activate the automatic pass-through mode. Please note that, depending on the coding scheme used, the size of the attachment may be larger than the original file.
Action for mails exceeding maximum message size:
Let message pass unscanned: when this option is selected, the virus filter switches to pass-through mode, which allows files that exceed the size limit to pass through unscanned. In this case the data is not checked for viruses at all, so a sender who deliberately pads an attachment beyond the limit bypasses the filter.
Block message: when this option is selected, an error code is returned to the e-mail client and the e-mail is blocked.
List of SMTP Servers: enter the servers where the data should be scanned for viruses. By activating and deactivating the anti-virus function for each entry or server you c
146. e required license data is available for the flash. This applies to major release upgrades, for example from version 4.x.x to version 5.x.x to version 6.x.x etc. See Flashing the firmware on page 227.
AntiVirus License
AntiVirus license installed: displays whether an anti-virus license is installed.
Expiry date: shows the expiry date of the installed anti-virus license.
Feature License: displays which functions are included with the installed mGuard license, e.g. the number of possible VPN tunnels, whether remote logging is supported, etc.
Install (Management > Licensing > Install)
[Screenshot: Automatic License Installation (Voucher Serial Number, Voucher Key, Online License Request); Reload Licenses (Online License Reload); Manual License Installation (Order License: Edit License Request Form; Filename: Browse, Install license file)]
Afterwards you can expand your installed mGuard license with further functions. A voucher serial number and key can be found in the voucher included with the mGuard. The voucher can also be purchased separately. With this you can perform the following functions:
1. Request the required feature license file.
2. Install the license file.
Automatic License Installation
Voucher Serial Number / Voucher Key: enter the serial number printed on the voucher and the corresponding voucher key, then click on Online License Request. Result: the mGuard now establishes a connection via
147. e signal contact, push button and optional ISDN or telephone connection.
The mGuard bladePack also contains: 19" mGuard bladeBase; an mGuard blade as controller; two power supplies; two power cables; 12 place holders; 12 handle plates (M1 to M12); screws for installing the bladeBase.
The mGuard delta also contains: a 5 V DC power supply; two UTP ethernet cables.
4 Startup
4.1 Installing the mGuard industrial RS
Assembly / Disassembly: The device is delivered in a ready-to-operate condition. The following procedure is required for the assembly and connection process:
1. Pull the terminal block from under the mGuard industrial RS and connect the contact lines and other connections according to their use (see below under Connection options on lower terminal block on page 25). When the device is assembled, set the wired terminal block back on the DIN rail.
2. Attach the mGuard industrial RS onto a 35 mm DIN rail according to DIN EN 50 022. Attach the upper snap-on guide of the mGuard industrial RS to the DIN rail and press it down until it locks into position.
3. Connect the supply voltage on the upper side of the terminal block (see below under Supply voltage on page 24).
4. Make the necessary network connections on the LAN or WAN port (see below under Network connection on page 24).
5. If necessary, connect the serial port of the relevant device
148. ec the key used for the data exchange is changed at certain intervals. With PFS, a new random number is negotiated with the remote peer instead of deriving it from a previously agreed random number. Only set this to Yes if the remote peer supports PFS. Set Perfect Forward Secrecy (PFS) to No if the remote peer is an IPsec/L2TP client. Without PFS, an attacker who later obtains the ISAKMP (phase 1) key material can derive the IPsec session keys that were derived from it; with PFS each rekey starts from fresh key material, so enable it wherever the peer supports it.
Lifetimes: The keys of an IPsec connection are renewed at certain intervals to increase the cost of an attack on the IPsec connection.
ISAKMP SA Lifetime (seconds): the lifetime of the ISAKMP SA keys in seconds. Factory default: 3600 seconds (1 hour). The permitted maximum is 86400 seconds (24 hours).
IPsec SA Lifetime (seconds): the lifetime of the IPsec SA keys in seconds. Factory default: 28800 seconds (8 hours). The permitted maximum is 86400 seconds (24 hours).
Rekeymargin (seconds): minimum time interval before the old key expires during which a new key should be created. Factory default: 540 seconds (9 minutes).
Rekeyfuzz (percent): maximum percentage by which Rekeymargin is randomly increased. This spreads out key exchanges on machines with many VPN connections. Factory default: 100.
Keying tries (0 means unlimited tries): number of attempts to negotiate new keys with the remote peer. The value 0 results in unlimited attempts for connections initiated by the mGuard; otherwise it results in 5.
Rekey: Yes / No. When s
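To see how the four lifetime parameters interact, here is an added Python example (not code from the manual or the mGuard) that computes the window in which a rekey starts and checks the settings for the one combination that can never work: a margin, after its random increase, that is at least as long as the lifetime itself. The rekey timing rule it implements is the Openswan/Pluto interpretation of rekeymargin and rekeyfuzz (start renegotiation when margin + random(0..fuzz%) of margin seconds are left); that this is exactly what the mGuard firmware does is an assumption of the example.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

MAX_LIFETIME = 86400  # permitted maximum for both SA lifetimes (24 hours)


@dataclass(frozen=True)
class RekeySettings:
    """Factory defaults from the manual."""
    isakmp_sa_lifetime: int = 3600
    ipsec_sa_lifetime: int = 28800
    rekeymargin: int = 540
    rekeyfuzz: int = 100


def max_margin(margin: int, fuzz: int) -> int:
    """Largest margin after the random increase of up to 'fuzz' percent."""
    return margin + margin * fuzz // 100


def rekey_window(lifetime: int, margin: int, fuzz: int) -> Tuple[int, int]:
    """Earliest and latest second after SA setup at which rekeying starts.

    Assumption (Openswan/Pluto semantics): the effective margin is
    rekeymargin plus a random share of rekeymargin between 0 and rekeyfuzz
    percent, and renegotiation starts when that many seconds are left
    before the old key expires.
    """
    return lifetime - max_margin(margin, fuzz), lifetime - margin


def sample_rekey_times(lifetime: int, margin: int, fuzz: int, seed: int, n: int) -> List[int]:
    """Draw n randomized rekey start times (seeded so the result is repeatable)."""
    rng = random.Random(seed)
    return [lifetime - margin - rng.randint(0, margin * fuzz // 100) for _ in range(n)]


def validate(s: RekeySettings) -> List[str]:
    """Return the configuration problems an operator should check before saving."""
    errors = []
    if s.rekeymargin < 0 or s.rekeyfuzz < 0:
        errors.append("rekeymargin and rekeyfuzz must not be negative")
        return errors
    worst = max_margin(s.rekeymargin, s.rekeyfuzz)
    for name, life in (("ISAKMP SA", s.isakmp_sa_lifetime), ("IPsec SA", s.ipsec_sa_lifetime)):
        if not 1 <= life <= MAX_LIFETIME:
            errors.append(f"{name} lifetime {life}s is outside 1..{MAX_LIFETIME}")
        elif worst >= life:
            # Otherwise the rekey would be due before (or at) SA setup.
            errors.append(f"{name} lifetime {life}s is not longer than the worst-case margin {worst}s")
    return errors


if __name__ == "__main__":
    s = RekeySettings()
    print("problems:", validate(s) or "none")
    print("IPsec SA rekey window :", rekey_window(s.ipsec_sa_lifetime, s.rekeymargin, s.rekeyfuzz))
    print("ISAKMP SA rekey window:", rekey_window(s.isakmp_sa_lifetime, s.rekeymargin, s.rekeyfuzz))
    print("sample rekey starts   :", sample_rekey_times(s.ipsec_sa_lifetime, s.rekeymargin, s.rekeyfuzz, 7, 5))
```

With the factory defaults the IPsec SA rekey starts somewhere between 27720 s and 28260 s after setup, i.e. between 9 and 18 minutes before the 8-hour lifetime ends; shortening the ISAKMP lifetime to 600 s without also lowering Rekeymargin is flagged, because the worst-case margin (1080 s) exceeds the lifetime.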
149. ec encryption is activated during communication. In this case the entries made under IPsec SA and Tunnel Settings were also correct. In the event of problems, we recommend that you examine the VPN logs of the remote peer where the connection was set up. Detailed error messages are not returned to the initiating system for security reasons.
If the display shows "ISAKMP SA established, IPsec State: WAITING", this indicates the following: the authentication was successful but the other parameters are incorrect. Do the connection types (Tunnel, Transport) match? If Tunnel has been selected, do the network address ranges match on both sides?
If the display shows "IPsec State: IPsec SA established", this indicates that the VPN connection has been successfully set up and can be used. If this is not possible, there is a problem with the remote peer (VPN gateway). In this case disable and enable the connection again to re-establish it.
6.10 QoS Menu
QoS (Quality of Service) defines the quality of individual transfer channels in IP networks. This relates to the allocation of certain resources to certain services or communication types so that they work correctly. For example, the necessary bandwidth must be provided for the transfer of audio or video data in real time in order to reach a satisfactory communication
150. ecomes available again. Values between 1 and 254 are possible.
Authentication passphrase: this password protects against wrong configuration among different virtual routers. The password must be the same on both mGuards. It is transmitted in clear text and must therefore not be identical to any other security-relevant password; anyone on the same segment can read it, so it guards against misconfiguration, not against an attacker who can inject packets there.
Stealth mode: Virtual Router ID / Router mode: External Virtual Router ID: an ID between 1 and 255 which must be the same on both mGuards and identifies the virtual router.
Stealth mode: Management IP of the 2nd device / Router mode: External IP of the 2nd device: the management IP of the second mGuard in Stealth mode, or the external IP of the second mGuard in Router mode.
Router mode: The following values must be set if the mGuards are operated in Router mode.
Internal Virtual Router ID: an ID between 1 and 255 which must be the same on both mGuards. This ID identifies the virtual router on the LAN port.
Internal IP of the 2nd device: the internal IP (LAN port) of the second mGuard.
External virtual IP: virtual IP address through which the data traffic runs through the mGuard, for example used by NAT as the external IP. Can be freely defined provided it is actually contained in the externally configured network and the IP address is not otherwise in use there.
Internal virtual IP: virtual IP address through which the data traffic runs through the mGuard. F
151. ection in question is defined here. If VPN connections are defined and listed under the IPsec VPN > Connections menu (see IPsec VPN > Connections on page 182), then these are displayed in the selection list. If a connection should be established and released manually by pressing the button, select it here.
Starting and stopping a connection using a push button only makes sense if the connection is disabled in its configuration (Active: No) or when Connection startup is set to Wait. Otherwise the connection is established by the mGuard on its own. When Off is selected, this function is disabled: if a push button is connected to the mGuard ports, pressing it has no effect.
IP fragmentation
IKE fragmentation: Yes / No. UDP packets can be oversized if an IPsec connection is made between the participants including the exchange of certificates. Some routers are not capable of forwarding large UDP packets if they are fragmented during transfer (e.g. by DSL, into 1500-byte segments); some defective devices forward the first fragment only, leading to a connection failure. If two mGuards communicate with each other, the dispatch of small UDP packets should be agreed upon first. This prevents packets from being fragmented during transport, which may lead to incorrect transfer by certain routers. If y
152. ection list.
Hardware handshake (RTS/CTS): Off / On. Only valid for configurations where a terminal or PC with a terminal program is connected to the serial port, as described above under A. Not valid when an external modem is connected; those settings are made on the Modem tab. When set to On, flow control through RTS and CTS signals is used.
PPP dial-in options (only mGuard industrial RS, mGuard blade, EAGLE mGuard)
For mGuard industrial RS without built-in modem or ISDN TA, mGuard blade, delta and EAGLE mGuard: Modem/PPP: Off / On. When set to Off, the serial port can be used with a terminal client. When set to On, the PPP dial-in option for configuration purposes is available, i.e. the administrator can log on to the mGuard via the PPP protocol. An external modem is then connected to the serial port; modem settings are made on the Modem tab.
For mGuard industrial RS with built-in modem or ISDN TA: Modem/PPP: Off / Built-in Modem / External Modem. When set to Off, the serial port can be used with a terminal client. When set to External Modem, the PPP dial-in option for configuration purposes is available, i.e. the administrator can log on to the mGuard via the PPP protocol; an external modem is then connected to the serial port and modem settings are made on the Modem tab. When set to Built-in Modem, the PPP dial-in option for configuration purposes is available, i
153. ed to the mGuard serial port. This can be used as follows: for configuration connections over the PPP dial-in option (see Serial Port > PPP dial-in options tab), or for data traffic in Modem network mode, where the data traffic then runs over the serial port and the connected modem and not over the WAN port. (Only mGuard industrial RS, mGuard blade, EAGLE mGuard, mGuard delta.)
Hardware handshake (RTS/CTS): Off / On. When set to On, flow control through RTS and CTS signals is used during the PPP connection.
Baudrate (default 57600): transfer speed for communication between mGuard and modem over the serial cable connection. This should be set to the highest level supported by the modem; if the value is set lower than the maximum possible for the modem, the telephone connection will not work optimally.
Modem init string: the initialization sequence that is sent by the mGuard to the connected modem. Default: "" AT OK. If necessary, consult the modem manual for the initialization sequence. The initialization sequence consists of the commands that must be transferred to the modem to allow it to establish a connection. The preset initialization sequence has the following meaning: "" (two simple quotation marks placed directly after one another): the empty character string inside the quotation marks means that the mGuard does not give any more initialization commands to the connected modem
154. ed can be selected in all operating modes of the mGuard (Stealth, Router etc.).
Wait: the local mGuard is ready to accept connections which a remote peer actively initiates and sets up to the local mGuard. When "any" is entered under Address of the remote site's VPN gateway, Wait must be selected.
Transport and Tunnel Settings
[Screenshot, Stealth mode: one connection channel with Enabled Yes, Type Tunnel, local network 192.168.1.1/32, remote network 192.168.254.1/32; click the button at the end of the row when further tunnel or transport paths should be specified.]
[Screenshot, Router mode: one connection channel with Enabled Yes, Type Transport.]
VPN connection channels: Several transport paths or tunnels can be specified here for a star configuration. For each individual VPN connection channel: after the More button is clicked, another partially overlapping page is displayed where connection parameters can be defined for the relevant transport path or tunnel.
Enabled: Yes / No. Defines whether the connection should be active (Yes) or not (No).
Comment: freely selectable comment. Can be left empty.
Type: The following can be selected: Tunnel (Network <> Network), Transport (Host <> Host).
Tunnel (Network <> Network): This connection type is suitable in all cases and is also the most secure. In this mode the IP datagrams are completely encrypte
155. ed for host addressing can now be used for subnet addressing. With this configuration the company network could support 256 subnetworks with 256 host addresses each (of which the network and broadcast addresses cannot be assigned to hosts, leaving 254 usable).
IP Security (IPsec): IPsec is a standard that uses cryptographic techniques to verify the authenticity of the sender and to ensure the confidentiality and integrity of the data in IP datagrams (see Datagram). The components of IPsec are the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA) and the Internet Key Exchange (IKE). At the start of the session, systems that wish to communicate must determine which technique should be used and the implications of this choice for the session, e.g. Transport Mode or Tunnel Mode. In Transport Mode an IPsec header is inserted between the IP header and the TCP or UDP header of each IP datagram. Since the IP header remains unchanged, this mode is only suitable for host-to-host connections. In Tunnel Mode an IPsec header and a new IP header are added in front of the entire IP datagram; the original datagram is encrypted in its entirety and carried as the payload of the new datagram. Tunnel Mode is used in VPN applications: the devices at the tunnel ends ensure that the datagrams are encrypted before they pass through the tunnel, so the actual datagrams are completely protected whilst being transferred over a public network.
Subject certificate
156. ed in the certificate displayed by the SSH client. Identification or definition of the subject in the certificate is then no longer needed.
Limitation to certain subjects (individuals) or to subjects that have certain attributes: In the certificate, the certificate owner is entered in the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an Object Identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a relevant value. Example: CN=John Smith, O=Smith and Co, C=UK.
If certain subject attributes must have very specific values for the SSH client to be accepted by the mGuard, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the wildcard *. Example: CN=*, O=*, C=UK (with or without spaces between attributes). In this example the attribute C=UK must be present in the certificate under Subject; only then does the mGuard accept the certificate owner (subject) as a communication partner. The other attributes in the certificates to be filtered can have any values. If a subject filter is set, the number, but not the sequence, of the entered attributes must correspond to those of the certificates where the filter is to be used. Pay attention to capitalization. Several filters can be set; their order is irrelevant.
Authorized for access as: All users, root, admin, netadmin, aud
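The matching rules in the paragraph above (wildcard per attribute, attribute count must agree, order does not, comparison is case-sensitive, any one of several filters suffices) are the whole access-control decision, so it is worth seeing them in executable form. The following Python is an added example, not the mGuard's implementation; the function names are this example's own, and the escaping of a comma inside a value as "\," is an assumption, since the page does not say how such values are written.

```python
import re
from typing import List, Tuple

Attr = Tuple[str, str]


def parse_subject(text: str) -> List[Attr]:
    """Split 'CN=John Smith, O=Smith and Co, C=UK' into (attribute, value) pairs.

    Spaces around the commas are optional. A comma that is part of a value
    must be escaped as '\\,' (this escaping rule is an assumption of the
    example, not something the manual documents).
    """
    pairs = []
    for part in re.split(r"(?<!\\),", text):
        part = part.strip().replace("\\,", ",")
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def subject_matches(filter_text: str, subject: str) -> bool:
    """Apply one subject filter as the manual describes it:

    - '*' matches any value of that attribute
    - the number of attributes must correspond, their order does not
    - attribute names and values are compared case-sensitively
    """
    wanted = parse_subject(filter_text)
    present = parse_subject(subject)
    if len(wanted) != len(present):
        return False
    remaining = list(present)
    for attr, value in wanted:
        for i, (have_attr, have_value) in enumerate(remaining):
            if have_attr == attr and (value == "*" or have_value == value):
                del remaining[i]   # each certificate attribute may satisfy one filter attribute
                break
        else:
            return False
    return True


def accepted(filters: List[str], subject: str) -> bool:
    """Several filters may be set; the subject passes if any one of them matches."""
    return any(subject_matches(f, subject) for f in filters)


if __name__ == "__main__":
    # Constructed certificate subject and filters.
    cert = "CN=John Smith, O=Smith and Co, C=UK"
    for flt in ("CN=*, O=*, C=UK", "C=UK,O=*,CN=*", "CN=*, O=*, C=uk", "CN=*, C=UK"):
        print(f"{flt!r:26} -> {subject_matches(flt, cert)}")
    print("any of two filters      ->", accepted(["C=DE", "CN=*, O=*, C=UK"], cert))
```

The two negative cases are the ones that catch operators out in practice: "C=uk" fails because comparison is case-sensitive, and "CN=*, C=UK" fails on the subject above even though C=UK is present, because the certificate carries three attributes and the filter names only two.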
157. edundancy activated (see Network Security Menu (not for blade controller)): incoming/outgoing firewall rules; NAT/IP masquerading (i.e. outgoing network traffic is rewritten to the external virtual IP); 1:1 NAT; port forwarding (the external virtual IP must be configured as the Incoming on IP); MAC filtering.
Redundancy (Redundancy > General; tabs: Redundancy General, Firewall Redundancy)
[Screenshot fields: Redundancy State; Enable Redundancy; Redundancy Start State; Priority; Authentication passphrase; Stealth Mode: Virtual Router ID / Router Mode: External Virtual Router ID; Stealth Mode: Management IP of the 2nd device (0.0.0.0) / Router Mode: External IP of the 2nd device; Router Mode: Internal Virtual Router ID; Internal IP of the 2nd device; External virtual IP 10.0.0.100]
Redundancy State: shows the current state.
Enable Redundancy: Yes / No. Enables or disables the redundancy feature.
Redundancy Start State: state of the mGuard during activation of redundancy (Master or Backup).
Priority: defines which mGuard operates as the master. If priorities are set differently, the mGuard with the higher priority operates as the master as long as it does not fail. If both mGuards have the same priority and the backup becomes the master in case of a failure, it continues to work as the master even when the other mGuard b
158. ee different device versions: with built-in modem, with built-in ISDN terminal adaptor, or without either. It can then be used as a firewall/VPN router over ethernet or serial dial-up network connections. RS means that this device is especially suited for secure Remote Services (remote diagnosis, remote configuration, telephone services). The device is designed for assembly on DIN rails according to DIN EN 50 022 and is therefore especially suited for use in industrial environments. VPN tunnels can be initiated by the machine using the software or hardware switch. Redundant power supply: 9 to 36 V DC.
Smallest device model. It can be plugged easily between the computer or local network (on the LAN port of the mGuard) and an available router (on the WAN port of the mGuard) without having to change existing system configurations or driver installations. Designed for instant use in the office or when travelling.
This card can be plugged into a PCI slot and provides the connected computer with all mGuard functions in Driver mode. It can also be used as a normal network card. An existing network card or another local computer/local network can be connected in Power-over-PCI mode.
The mGuard bladePack includes the mGuard bladeBase. This can be easily installed into standard 3U 19-inch racks and can accommodate up to 12 mGuard blades. This version is thus ideally suited for use in an industrial environment where it c
159. elected time, related to the configured time zone.
Server: IP or hostname of the server that provides the configuration profiles.
Directory: the directory (folder) on the server where the configuration is located.
Filename: the name of the file in the directory defined above. If no filename is defined here, the serial number of the mGuard is used, with the ending .atv.
Number of times a configuration profile is ignored after it was rolled back (default 10): After a new configuration is retrieved, it can occur that the mGuard is no longer accessible once the configuration is put into force. A new remote configuration for correction purposes is then no longer possible. In order to rule this out, the mGuard makes the following checks: after the retrieved configuration is enforced, the mGuard tries to connect again to the configuration server based on the new configuration and attempts to download the newly enforced configuration once again. If this is successful, the new configuration remains. If unsuccessful, for whatever reason, the mGuard assumes that the newly enforced configuration profile is defective. It memorizes the MD5 sum of the profile for identification purposes and then performs a rollback. Rollback means that the last working configuration is restored. This assumes that the new, non-functioning configuration contains a rollback instruction; when the new configuration profile
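The rollback procedure above is a small state machine (enforce, re-verify over the new configuration, roll back on failure, remember the profile's MD5 sum, skip that profile for the next N pulls) and is easiest to reason about as code. The following Python is an added example, not the mGuard's firmware: the class and method names are this example's own, "verify" stands in for the device re-downloading the profile over the new configuration, and the rollback instruction the page mentions is modelled as a boolean because its real syntax is not shown here.

```python
import hashlib
from typing import Callable, Dict, Optional


class ConfigPuller:
    """Models the rollback check the manual describes for pulled profiles.

    'verify' stands for the device's own test: after enforcing a new
    profile it must be able to reconnect to the configuration server and
    download that same profile again. Only success keeps the new profile.
    """

    def __init__(self, ignore_count: int = 10) -> None:
        self.ignore_count = ignore_count          # manual default: 10
        self.running: Optional[bytes] = None      # last working configuration
        self.ignored: Dict[str, int] = {}         # profile digest -> pulls still to skip

    @staticmethod
    def digest(profile: bytes) -> str:
        # MD5 only serves to recognise a profile again, as on the mGuard;
        # it is not an integrity or authenticity check of the download.
        return hashlib.md5(profile).hexdigest()

    def pull(self, profile: bytes, verify: Callable[[bytes], bool],
             has_rollback_instruction: bool = True) -> str:
        """Process one retrieved profile and report what happened.

        has_rollback_instruction models the manual's condition that the
        new profile must itself contain a rollback instruction (assumed
        here to be a simple flag; the real syntax is not shown on the page).
        """
        key = self.digest(profile)
        if self.ignored.get(key, 0) > 0:
            self.ignored[key] -= 1            # known-bad profile: skip it this time
            return "ignored"
        previous = self.running
        self.running = profile                # enforce the new configuration
        if verify(profile):
            return "applied"                  # re-download over the new config worked
        if not has_rollback_instruction:
            return "enforced_unverified"      # nothing can restore the old config
        self.running = previous               # rollback to the last working config
        self.ignored[key] = self.ignore_count # and ignore this profile for a while
        return "rolled_back"


if __name__ == "__main__":
    # Constructed profiles: GOOD keeps the server reachable, BAD does not.
    good = b"# profile A\n"
    bad = b"# profile B, breaks the WAN route\n"
    server_reachable = lambda cfg: cfg == good
    p = ConfigPuller(ignore_count=2)
    for cfg in (good, bad, bad, bad, bad):
        print(p.pull(cfg, server_reachable), "running:", p.running.strip().decode())
```

With the ignore count set to 2 the run prints applied, rolled_back, ignored, ignored, rolled_back: the defective profile is retried only after it has been skipped the configured number of times, and the working configuration stays in force throughout. The last branch shows the failure mode the manual warns about: without a rollback instruction the broken profile stays enforced and the device may no longer be reachable for correction.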
160. ely selectable comment for this rule. The MAC filter does not support logging.
Advanced (Network Security > Packet Filter > Advanced; further tabs: Incoming Rules, Outgoing Rules, Sets of Rules, MAC Filtering)
[Screenshot fields: Consistency checks: Maximum size of ping packets (ICMP Echo Request); Enable TCP/UDP/ICMP consistency checks: Yes. Router modes (Router, PPTP, PPPoE): ICMP from extern to the mGuard (please note: enabling SNMP access automatically accepts incoming ICMP packets). AntiVirus Scanning: Connections scanned for viruses are subject to: No firewall rules. Stealth Mode: Allow forwarding of GVRP frames / STP frames / DHCP frames. Connection Tracking: Maximum table size; Allow TCP connections upon SYN only (after reboot, connections need to be re-established); Timeout for established TCP connections; FTP, IRC, PPTP, H.323.]
The following settings influence the basic behavior of the firewall.
Consistency checks
Maximum size of ping packets (ICMP Echo Request): relates to the size of the complete packet including the header. Normally the packet size is 64 bytes, although it can be larger. If oversized packets should be blocked to prevent bottlenecks, a maximum value can be entered. This should be more than 64 bytes so that normal ICMP echo requests are not blocked.
Enable
161. em, in this example the mGuard PCI. In Power-over-PCI mode the LAN port is the LAN socket of the mGuard PCI. As in the other modes, the firewall, anti-virus and VPN security functions are available.
If the mGuard is operated in Router mode, it must be set as the standard gateway on the connected local client computers. In other words, the IP address of the mGuard LAN port must be entered as the address of the standard gateway.
[Margin notes: Only used for mGuard industrial RS with built-in modem or ISDN terminal adaptor. Only mGuard industrial RS without a built-in modem, mGuard blade, EAGLE mGuard, mGuard delta.]
NAT should be activated if the mGuard is operated in Router mode and establishes the connection to the Internet. Only then can the computers in the connected local network access the Internet over the mGuard (see Network Security > NAT on page 158). If NAT is not activated, then only VPN connections can be used.
PPPoE: PPPoE mode corresponds to Router mode with DHCP, with one difference: the PPPoE protocol, which is used by many DSL modems for DSL Internet access (e.g. in Germany), is used for connecting to the external network (Internet or WAN). The external IP address that the mGuard uses for access from a remote peer is assigned by the Internet Service Provider. If the mGuard is operated in PPPoE mode, it must be set as the standard gateway in
162. ement > System Settings 56
Host 56
Signal contact (only mGuard industrial RS, EAGLE mGuard) 58
Time and Date 59
Shell Access 62
6.2.2 Management > Web Settings 68
General 68
Access 69
6.2.3 Management > Licensing 75
Overview 75
Install 75
6.2.4 Management > Update 77
Overview 77
Update 78
Anti-Virus Pattern 80
6.2.5 Management > Configuration Profiles 81
Configuration Profiles 81
Profiles on the ACA (EAGLE mGuard only) 82
6.2.6 Management > SNMP 84
Query 84
Trap 86
LLDP 91
6.2.7 Management > Central Management 92
Configuration Pull 92
6.2.8 Management > Restart 95
Restart 95
6.3 Blade Control Menu (control unit only) 96
6.3.1 Blade Control > Overview 96
6.3.2 Blade Control > Blade 01 to 12 97
Blade in slot 97
Configuration 98
6.4 Network Menu 99
6.4.1 Network > Interfaces
163. ems can be solved by reducing the MTU to 1496.
Serial ports (Network > Interfaces > Serial Port)
The settings made here under Serial Port are not connected to those which can be made for the Modem network mode. For more details see 6.4.1 Network > Interfaces > Network Mode Modem / Built-in Modem on page 110.
[Screenshot: Serial Port: Baudrate 57600; Hardware handshake (RTS/CTS) off. Please note: on some platforms the serial port is not accessible. The settings above become effective only for administrative shell login via a console connected to the serial port; such logins are impossible if dial-in or dial-out is configured via an external modem. PPP dial-in options: Modem/PPP; Local IP 192.168.4.1; Remote IP 192.168.4.2; PPP Login name; PPP Password. Incoming Rules (PPP), Log ID fw-serial-incoming-...: default rule Protocol All, From IP 0.0.0.0/0, To IP 0.0.0.0/0, Action Accept, Log No; Log entries for unknown connection attempts: Yes. Outgoing Rules (PPP): same default rule; Log entries for unknown connection attempts.]
Some mGuard models (mGuard industrial RS, mGuard blade, EAGLE mGuard or mGuard delta) also hav
164. ent > Update on page 77. Restart the inetd process to activate the modified configuration. If you use a different process (e.g. xinetd), please consult the appropriate documentation.
8 Glossary
Asymmetrical encryption: In asymmetrical encryption, data is encrypted with one key and decrypted with a second key. Both keys are suitable for encryption and decryption. One of the keys is kept secret by its owner (private key), whilst the other is made available to the public (public key), i.e. to possible communication partners. A message encrypted with the public key can only be decrypted and read by the owner of the associated private key. A message encrypted with the private key can be decrypted by any recipient who holds the associated public key. Encryption using the private key shows that the message actually originated from the owner of the associated public key; therefore the expression digital signature is also often used. However, asymmetrical encryption techniques such as RSA are both slow and susceptible to certain types of attack, meaning they are often combined with some form of symmetrical encryption (see Symmetrical encryption). On the other hand, concepts are available which avoid the additional administration of symmetrical keys.
DES / 3DES / AES (the glossary also lists CA certificate here): This symmetrical encryption algorithm was developed by IBM and checked by the NS
165. eparing the configuration.
5.4 Remote configuration
Requirement: The mGuard must be configured to permit remote configuration. Remote configuration is disabled by default. To enable remote configuration, see the section Management > Web Settings > Access on page 69.
To configure the mGuard from a remote computer, first establish a connection to the local mGuard. Proceed as follows:
1. Start the web browser on the remote computer (e.g. Firefox, MS Internet Explorer or Safari; the web browser must support SSL, i.e. https).
2. Under address, enter the IP address where the mGuard is available externally over the Internet or WAN, together with the port number if required. Example: if this mGuard is accessible over the Internet at the address https://123.456.789.21 and the port number 443 has been set for remote access, then you need to enter the following address in the web browser on the remote peer: https://123.456.789.21. If another port number is used, it is given after the IP address, e.g. https://123.456.789.21:442.
To configure the device, make the required changes on the individual pages of the mGuard website. See Configuration on page 53.
6 Configuration
6.1 Operation
Screen Layout: 1. Click on the page with the desired setting possibilities in the left-hand menu, e.g. Management > Licensing. The page is then disp
166. equests are forwarded.
Append Relay Agent Information (Option 82): Yes / No. During forwarding, additional information according to RFC 3046 can be added for the DHCP server.
6.4.4 Network > Proxy Settings
HTTP(S) Proxy Settings (Network > Proxy Settings)
[Screenshot: Use Proxy for HTTP and HTTPS; HTTP(S) Proxy Server: proxy.example.com; Port; Proxy Authentication: Login, Password]
A proxy server can be entered for the following mGuard administration connections: CRL download; firmware update; regular configuration profile retrieval from a central peer; restoring licenses.
Use Proxy for HTTP and HTTPS: Yes / No. When Yes is selected, connections using HTTP or HTTPS are transferred over a proxy server whose address and port are defined in the corresponding two fields.
HTTP(S) Proxy Server: hostname or IP address of the proxy server.
Port: port number to be used, e.g. 3128.
Proxy Authentication: Login: user name for proxy server registration. Password: password for proxy server registration.
6.5 Authentication Menu
6.5.1 Authentication > Local Users
The term local users refers to users who have the right, depending on their authorization level, to configure the mGuard (Root and Administrator authorization levels) or to use it (User access permission).
Passwords (Authen
167. er must also be specified (see Network > DNS on page 125).
Shell Access (Management > System Settings > Shell Access)
Displayed when "Enable X.509 certificates for SSH access" is set to Yes.
[Screenshot fields: Session Timeout (seconds); Enable SSH remote access; Port for incoming SSH connections (remote administration only); Allowed Networks, e.g. 10.1.0.0/16 from External, Accept, Log No; X.509 Authentication: SSH server certificate; CA certificates (e.g. SSH RootCA 01, SSH SubCA 01), authorized for access as All users; Client certificate, authorized for access as All users. These rules allow SSH remote access to be enabled. Important: make sure to set secure passwords before enabling remote access. Note: in Stealth mode, incoming traffic on the given port is no longer forwarded to the client.]
Shell Access: When SSH remote access is enabled, the mGuard can be configured from a remote system using the command line interface. This option is disabled by default. IMPORTANT: If you enable remote access, ensure that secure root and administrator passwords are defined. To enable SSH remote access, make the following settings:
Session Timeout (seconds): specifies after how long (in seconds) the session is automatically ended when no action
168. er to recognize which configurations belong to the same VPN connection. The following entries are valid for PSK: empty (the IP address is used as default); an IP address; a hostname with a prefixed @ symbol (e.g. @vpn1138.example.com); an e-mail address (e.g. piepiorra@example.com).
Firewall (IPsec VPN > Connections > New York > Firewall)
[Screenshot: Incoming (Log ID fw-vpn-v000_000-in-...): default rule from 0.0.0.0/0 to 0.0.0.0/0, Accept, Log No; Log entries for unknown connection attempts: No. Outgoing (Log ID fw-vpn-v000_000-out-...): same default rule; Log entries for unknown connection attempts: No. Incoming = untrusted port, Outgoing = trusted port.]
While the settings made in the Network Security menu only affect non-VPN connections (see Network Security Menu (not for blade controller) on page 148), the settings here only affect the VPN connection defined on these pages. This means that if multiple VPN connections are defined, you can restrict outgoing or incoming access individually for each connection. You can log any attempts made to bypass these restrictions.
Note: The VPN firewall factory defaults are set to allow all
169. ere you can define from which servers the mGuard retrieves its updates. The list of servers is processed top-down until an available server is found; the sequence of the entries thus defines their priorities. You have the following options. Protocol: The update can be made using either HTTP or HTTPS. Server: Hostname of the server that provides the update files. Login: Login data for the server. Password: Password for the login. AntiVirus Pattern Schedule (only displayed when a virus filter is installed and licensed). (Screenshot: Management > Update > Schedule, with Update Schedule, Update Servers for AVP (protocol and update location/hostname) and Proxy Settings (HTTP Proxy Server).) The virus signature files (also known as anti-virus pattern or virus identification pattern) can be updated from a selected update server at intervals defined by the user. The update is performed without interrupting the operation of the anti-virus filter. The mGuard is delivered without any virus signatures installed. Therefore, after the anti-virus protection has been activated with the corresponding license, you should also set the update schedule. The course of the updates can be examined in the anti-virus update log. Update Schedule: Enter here if and in which intervals an automatic update of the virus identification pattern should take place. To do this, open the selection list
170. ernal IP address. (Screenshot: Network > Interfaces, General tab, showing the status fields External IP address, Network Mode, Status, Default route and Used DNS servers, followed by the External Networks fields that are shown when the Router network mode is selected: Obtain external configuration via DHCP, External IPs (untrusted port) with IP and Netmask, IP of default gateway, and Internal Networks with Internal IPs (trusted port).) External Networks. Network Mode: Router. Obtain external configuration via DHCP: Yes/No. If the mGuard obtains configuration data via DHCP (Dynamic Host Configuration Protocol) from the DHCP server, enter Yes here. In this case all other entries made under External Networks have no effect; the related fields on the page are then hidden. If the mGuard does not obtain configuration data via DHCP (Dynamic Host Configuration Protocol) from the DHCP server, enter No and make the following additional entries. External IPs (untrusted port): The addresses on the WAN port side where devices can access the mGuard. If the transition to the Internet takes place here, the external IP of the mGuard is designated by the Internet Service Provider (ISP). Only the first external IP address entered here is used for the handling of VPN connections. IP / Netmask: IP address and netmask of the WAN port. Use VLAN: Yes/No. If this IP address should be contained within a VLAN, then this option
171. ertificate. The name of the certificate provider is shown as Issuer on the certificate, whilst the name of the certificate owner is shown as Subject. A self-signed certificate is one that is signed by the certificate owner and not by a CA. In self-signed certificates the name of the certificate owner is shown as both Issuer and Subject. Self-signed certificates are used when communication partners want to use the X.509 authentication procedure without having an official certificate. This type of authentication should only be used between partners that know and trust each other well. Otherwise, from a security point of view, such certificates are as worthless as a self-made passport without the official stamp. Certificates are shown to all communication partners (users or machines) during the connection process, providing the X.509 authentication method is used. In terms of mGuard, this could relate to the following applications:
- Authentication of communication partners during establishment of VPN connections (see IPsec VPN > Connections, Authentication on page 190)
- mGuard management using SSH (shell access; see Management > System Settings, Shell Access on page 62)
- mGuard management using HTTPS (see Management > Web Settings, Access on page 69)
A machine certificate is one that a machine uses in order to authenticate (verify) itself to others. The mGuard authenticates itself to othe
172. esses. This means that files to all SMTP servers are scanned. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224). Since a connection attempt is first handled by the mGuard, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server has been established but no data has been sent. The entry of exact server addresses in the list prevents this behavior. Server Port: Enter the number of the port for the SMTP protocol in this field. The default setting for the SMTP port is 25. Comment: Freely selectable comment for this rule. Scan: "Scan": the virus filter is activated for the server specified in this rule. "No Scan": the virus filter is deactivated for the server specified in this rule. 6.9 IPsec VPN Menu (not for blade controller). 6.9.1 IPsec VPN > Global Options. Options (only for mGuard industrial RS). (Screenshot: IPsec VPN > Global Options, with the tabs Options and DynDNS Monitoring; Options contains Allow packet forwarding between VPN connections and Start and stop the specified VPN connection with the CMD contact and signal the status of the connection with the ACK contact, set to off.) IP Fragmentation: Some routers fail to forward large UDP packets, which may break the IPsec protocol. The following options allow you to reduce the size of the UDP packets generated by IPsec to traverse such routers
173. estart the computer where the mGuard PCI card is installed. 7.2 Performing a recovery. Objective: To reset the network configurations to the factory defaults, as it is no longer possible to access the mGuard. All mGuard versions except the mGuard delta and blade controller: Stealth mode with the IP address 1.1.1.1. The mGuard delta and mGuard blade controller: Router mode with the IP address 192.168.1.1. Furthermore, MAU management for ethernet connections is switched on and HTTPS is approved for use on the local ethernet connection (LAN). The passwords, the configured settings for VPN connections and the firewall are all retained. Possible reasons for starting the Recovery procedure: The mGuard is in Router or PPPoE mode; the mGuard device address has been changed from the default setting; the current IP address of the device is unknown. Action: 1. Press the Rescue button slowly 6 times. 2. The mGuard responds after about two seconds:
- mGuard industrial RS: if successful, the state LED lights up green; if unsuccessful, the error LED lights up red.
- smart: if successful, the middle LED lights up green; if unsuccessful, the middle LED lights up red.
- blade, PCI: if successful, the LAN LED lights up red; if unsuccessful, the WAN LED lights up red.
- EAGLE: if successful, the status LED lights up yellow; if unsu
174. esult: The corresponding configuration profile is activated. If the restore process involves a switch between Stealth mode and another network mode, then the mGuard is restarted. Saving the configuration profile as a file to the configuration computer: 1. Click the Download button located to the right of the relevant configuration profile. 2. Specify the file name and folder in which the configuration profile is to be saved as a file in the displayed text field. The file name is freely selectable. Deleting a configuration profile: Click the Delete button located to the right of the relevant configuration profile. The Factory Default profile cannot be deleted. Saving the current configuration as a configuration profile on the mGuard: 1. Enter the desired profile name in the Name for new profile field behind Save Current Configuration to Profile. 2. Click on the Save button. Result: The configuration profile is saved in the mGuard and the profile name is displayed in the list of profiles saved in the mGuard. Uploading a configuration profile that has been saved to the configuration computer (file): Requirement: You have saved a configuration profile on the configuration computer as a file according to the procedure described above. 1. Enter the desired profile name in the Name for new profile field behind Upload Configuration to Profile. 2. Click on the Browse button. Select the file and open it so that the fil
175. (Table of contents fragment; entries whose titles could not be recovered have been omitted.)
    General ......................................................... 99
    Network Mode Stealth ........................................... 103
    Network Mode Router ............................................ 106
    Network Mode PPPoE ............................................. 108
    Network Mode PPTP .............................................. 109
    Network Mode Modem / Built-in Modem ............................ 110
    Network Mode > Router, PPPoE, PPTP or Modem / Built-in Modem ... 116
    Modem .......................................................... 120
  6.4.2 Network > DNS .............................................. 125
    DNS ............................................................ 125
    DynDNS ......................................................... 126
  6.4.3 Network > DHCP ............................................. 127
    Internal / External DHCP ....................................... 127
  6.4.4 Network > Proxy Settings ................................... 131
    HTTPS Proxy Settings ........................................... 131
  Authentication Menu .............................................. 132
  6.5.1 Authentication > Local Users ............................... 132
    Passwords ...................................................... 132
  6.5.2 Authentication > Firewall Users ............................ 134
    Firewall Users ................................................. 1
176. et to Yes, the mGuard will try to negotiate a new key when the old one expires. Dead Peer Detection: When the remote peer supports the Dead Peer Detection (DPD) protocol, both partners can detect whether the IPsec connection is still valid or must be restored. Without DPD, the connection must either be restarted manually or it must wait until the SA lifetime expires. Action: Hold / Restart / Delete. The switch determines the action that is carried out when DPD recognizes a disruption in the IPsec connection. If Hold (default) is set, an attempt is made to rebuild the IPsec connection if it has been declared dead, but only when the locally connected network tries to send data to the receiver. If Restart is set, the connection is rebuilt immediately. This setting only makes sense when a fixed IP address or hostname is configured as the address of the remote peer (VPN gateway), i.e. not "any". If Delete is set, the connection is deactivated until IPsec is restarted. Delay: The time in seconds after which DPD Keep Alive queries are sent. These queries test whether the remote peer is still available. Factory default: 30 seconds. Timeout: The time in seconds after which the remote peer is declared dead if Keep Alive queries are not answered. Factory default: 120 seconds. 6.9.4 IPsec VPN
177. etting, the rules that have been set for the anti-virus function have priority. Firewall packet filters that contradict them are overridden. VPN connections are not affected, as the anti-virus function is not available for VPN connections. Stealth Mode. Allow forwarding of GVRP frames: Yes/No. The GARP VLAN Registration Protocol (GVRP) is used by GVRP-capable switches to exchange configuration information. When this switch is set to Yes, GVRP frames are allowed to traverse the mGuard in Stealth mode. Allow forwarding of STP frames: Yes/No. The Spanning Tree Protocol (STP, 802.1d) is used by bridges and switches to detect and consider loops in the network topology. When this switch is set to Yes, STP frames are allowed to traverse the mGuard in Stealth mode. Allow forwarding of DHCP frames: Yes/No. When set to Yes, the client is allowed to retrieve an IP address using DHCP, independently from the firewall rules for outgoing data. The default setting of this switch is Yes. Connection Tracking. Maximum table size: This entry defines the upper limit. This is set to a level that can never be reached during normal operation. However, it is reached easily when attacks occur, thus giving additional protection. If special requirements are present in your operating surroundings, then you can increase this value. Allow TCP connections upon SYN only: Yes/No. SYN is a special data packet in TCP/IP connections that marks the beginning of a co
178. faceplate with CMD/ACK and TIP/RING terminal block. Function: signal contact (as above), grounding (as above), service contacts (as above), telephone line (analog connection). mGuard industrial RS with ISDN terminal adaptor: lower area on the front faceplate with CMD/ACK and TX/RX, RX/TX terminal block (ISDN line). Function: signal contact (as above), grounding (as above), service contacts (as above), ISDN. Function grounding: Can be used by the operator. This connection is electrically connected to the rear side of the mGuard industrial RS. Grounding of the mGuard industrial RS is made during assembly on a DIN rail with a metal clamp. The DIN rail is connected to the rear side of the mGuard. The DIN rail must be electrically grounded. Signal contact: The signal contact is used to monitor the functions of the mGuard industrial RS and thereby allows remote diagnosis. The following is reported through interruption of the contact, using potential-free signal contacts (relay contact, closed current circuit): the failure of at least one of the two supply voltages; a power supply shortfall for the mGuard industrial RS (supply voltage 1 and/or 2 smaller than 9 V); the faulty link status of at least one port. The link state report on the mGuard industrial RS can be masked on a port-by-port basis using the management software. No connection monitoring is offered in the factory default conditio
179. filter (see 6.2.1 Management > System Settings, Shell Access on page 62). Remote Certificate.
Authentication for HTTPS:
  The remote peer shows a certificate (specific to the individual) signed by a CA: the mGuard authenticates the remote peer using all CA certificates that build the chain to the root CA certificate, together with the certificates displayed by the remote peer, and ADDITIONALLY the remote certificates, if used as a filter (see 6.2.2 Management > Web Settings, Access on page 69).
  The remote peer shows a self-signed certificate (specific to the individual): the mGuard authenticates the remote peer using the Remote Certificate.
The remote peer can additionally provide sub-CA certificates. In this case the mGuard can form the set union for building the chain from the provided CA certificates and the self-configured CA certificates. The corresponding root CA certificate of the mGuard must always be available.
Authentication for VPN:
  The remote peer shows a machine certificate signed by a CA: the mGuard authenticates the remote peer using the Remote Certificate, OR all CA certificates that build the chain to the root CA certificate, together with the certificates displayed by the remote peer.
  The remote peer shows a self-signed machine certificate: the mGuard authenticates the remote peer using the Remote Certificate.
Important: Installation of the certificat
180. 
             First byte   Bytes for the network address   Bytes for the host address
  Class A    1 - 126      1                               3
  Class B    128 - 191    2                               2
  Class C    192 - 223    3                               1
There is thus a maximum worldwide total of 126 Class A networks. Each of these networks can have a maximum of 256 x 256 x 256 hosts (3 bytes of address space). There can be 64 x 256 Class B networks, and each of these networks can have up to 65,536 hosts (2 bytes of address space, 256 x 256). There can be 32 x 256 x 256 Class C networks, and each of these networks can have up to 256 hosts (1 byte of address space). Subnet mask: Normally a company network with access to the Internet is only officially assigned a single IP address, e.g. 123.456.789.21. Based on the first byte of this sample address one can see that this company network is a Class B network. This means that the last 2 bytes are free to be used for host addresses. This produces an address space for up to 65,536 possible hosts (256 x 256). Such a huge network is not practical; there is a need to build subnetworks here. The subnet mask can be used for this. Like an IP address, this mask is 4 bytes long. The bytes that represent the network address are each assigned the value 255. This can mainly be used to borrow a portion of the host address that can then be used to address the subnetworks. In this example, by using the subnet mask 255.255.255.0 in a Class B network (2 bytes for the network address, 2 bytes for the host address), the third byte, which was actually intend
181. (Screenshot: Network > Interfaces when the Network Mode is PPPoE, with the General network status (External IP address, Network Mode, Status, Active, Default route, Used DNS servers), the PPPoE settings (PPPoE Login, PPPoE Password, Automatic Re-connect, Re-connect daily at), Internal Networks with Internal IPs (IP, Netmask, Use VLAN, VLAN ID; trusted port) and Additional Internal Routes.) For access to the Internet, the Internet Service Provider (ISP) gives the user a login name and password. These are required for connection to the Internet. PPPoE Login: The user name (login) that is required by your Internet Service Provider (ISP) when you set up a connection to the Internet. PPPoE Password: The password that is required by your ISP when you set up a connection to the Internet. Automatic Re-connect: Yes/No. Enter the time in the Re-connect daily at field next to Yes. This feature is used to schedule Internet disconnection and reconnection as required by many ISPs, so that they do not interrupt normal business operations. When this function is activated, it only comes into action when synchronization with a time server has been made (see Management > System Settings, Time and Date on page 59). Re-connect daily at: Time when Automatic Re-connect (see above) takes place. Internal Networks: Configuration of the internal network is described under Network Mode > Router, PPPoE, PPTP or Modem / Built-in Modem on pag
182. g are dropped by the mGuard. Sets of Rules: Lists all defined firewall rule records. Making a new rule record definition: Click on the Edit button on the right side of the rule record table under the unnamed entry. If the unnamed entry cannot be seen, then open a further line in the rule record table. Editing a rule record: Click on the Edit button to the right of the entry. If a firewall rule record is comprised of multiple firewall rules, they are searched in the order in which they are listed (top-down) until a suitable rule is found. This rule is then applied. If there are other suitable rules further down the list, then these are ignored. Set of Rules, General. Enabled: Yes/No. Activates/deactivates the relevant rule record. Name: Name of the rule record. The name is defined during creation of the rule record. The Set of Rules page is displayed after clicking on the Edit button. (Screenshot: Network Security > Packet Filter, Set of Rules "Office Protocols", Enabled: Yes, with firewall rules that accept TCP traffic from 0.0.0.0/0 to 10.1.66.7 on port smtp and to 10.1.66.8 on port pop3.) A descriptive name for the set: Freely selectab
183. gement Menu. CA certificate: The configuration is only necessary when a user with HTTPS access displays a certificate signed by a CA. All CA certificates needed by the mGuard to build the chain to the respective root CA certificate must be configured with the certificates displayed by the users. If the browser of the remote user also provides CA certificates that contribute to building of the chain, then it is not necessary for the CA certificate to be installed and referenced at this point. However, the corresponding root CA certificate must be installed in the mGuard and made available (referenced) at all times. The selection list shows the CA certificates that are loaded in the mGuard under the Authentication > Certificate menu. X.509 Subject: Allows setting of a filter relating to the contents of the Subject field in the certificate displayed by the user. It is then possible to limit or release access by users who would be accepted by the mGuard in principle based on the certification check: limitation to certain subjects (i.e. individuals) or to subjects that have certain attributes, or release for all subjects. See also the glossary under Subject (certificate). The X.509 subject field must not be left empty. Release for all subjects (individuals): With a * in the X.509 subject field you can define that all subject entries are allowed in the certificate displayed by the HTTPS client. Identification or definition of
184. gnal LED flashes, then the VPN connection is being established or disabled. Analog line (with built-in modem): The TIP and RING contacts are used for connection to a telephone landline (analog connection). The following descriptions are used in Germany for the contact details on the front plate: TIP = a, RING = b. ISDN line (with built-in ISDN terminal adaptor): The TX, RX, TX and RX contacts are used for connection to the ISDN and display the mGuard industrial RS as an ISDN participant. The following descriptions are used in Germany for the contact details on the front plate: TX = 1a, RX = 2a, TX = 1b, RX = 2b. Serial Port. Safety notice: Do not connect the serial port (RJ12 socket) directly to a communication connection point. The serial port can be used as follows: a) For configuration of the mGuard over the serial port. There are two possibilities here. A PC is connected directly to the serial port of the mGuard; the PC user can then carry out the configuration over the mGuard command line using a terminal program. The second option is an external modem connected to the mGuard serial port that is then connected to the telephone network (landline or GSM network). The user of a remote PC, also connected to the telephone network using a modem, can establish a PPP dial connection (PPP: Point-to-Point Protocol) to the mGuard and can then configure it using their web browser. b) For development of data transfers over the serial p
185. gress Queues on the Internal, External and VPN via External tabs. The following names are defined as standard: Default, Urgent, Important, Low Priority. Traffic that is not allocated to an Egress Queue under Rules remains in the Default Queue. You can specify which Egress Queue is used as the Default Queue in this selection list. Rules: The allocation of certain data traffic to an Egress Queue is made using its source and destination, given as IP address and port respectively. Example: You have defined a queue with guaranteed bandwidth and priority for transferred audio data under QoS > Egress Queues (see Egress Queues on page 207) under the name Urgent. You specify here the rules for how the audio data is defined and that this data belongs in the Urgent queue. Protocol: All / TCP / UDP / ICMP / ESP. Protocols relating to the allocation. From IP: IP address of the network or device where the data originates from. 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224). Allocate the traffic from this source to a queue towards the back of this row by entering the Queue name. From Port: Port used at the source where the data originates from (only evaluated for TCP and UDP protocols). "any" describes any selected port; startport:endport (e.g. 110:120) defines a range of ports. You can specify individual p
186. (Table of contents fragment; entries whose titles could not be recovered have been omitted.)
    > Edit Template ................................................ 164
    General ........................................................ 164
    Template Users ................................................. 165
    Firewall rules ................................................. 165
  Web Security Menu (not for blade controller) ..................... 167
  6.7.1 Web Security > HTTP ........................................ 167
    Virus Protection ............................................... 167
  6.7.2 Web Security > FTP ......................................... 170
    Virus Protection ............................................... 170
  E-mail Security Menu (not for blade controller) .................. 173
  6.8.1 E-mail Security > POP3 ..................................... 173
    Virus Protection ............................................... 173
  6.8.2 E-mail Security > SMTP ..................................... 176
    Virus Protection ............................................... 176
  IPsec VPN Menu (not for blade controller) ........................ 179
  6.9.1 IPsec VPN > Global Options ................................. 179
    Options ........................................................ 179
    DynDNS Monitoring .............................................. 181
  6.9.2 IPsec VPN > Connections .................................... 182
    Connections .................................................... 182
  6.9.3 Defining VPN connection / VPN connection channels .......... 184
    General ........................................................ 188
    Authentication ................................................. 190
    Firewall ....................................................... 196
    IKE Options .................................................... 198
  6.9.4 IPsec VPN > L2TP over IPsec ................................ 201
187. guration: The mGuard must be configured to permit remote configuration. The mGuard must be connected, i.e. the required connections must work. 5.2 Local configuration. At startup: The mGuard is configured using the web browser running on the configuration system (e.g. Firefox from version 1.5, MS Internet Explorer from version 5.0 or Safari). The web browser must support SSL (i.e. https). According to the factory defaults, the mGuard is accessible under the following address. Factory default, Stealth mode: https://1.1.1.1 (factory default settings apart from mGuard delta and blade controller). Router mode: https://192.168.1.1 (factory default for mGuard delta and blade controller). 5.2.1 mGuard industrial RS, mGuard smart, mGuard blade and EAGLE mGuard (with a configured network interface / with a non-configured network interface). With a configured network interface: In order to access the mGuard via the address https://1.1.1.1, it must be connected to a configured network interface. This is the case if it is inserted into an existing network connection; see the illustrations in the following sections:
- Installing the mGuard industrial RS on page 23
- Connecting the mGuard smart on page 28
- Installing the mGuard blade on page 29
- Installing the EAGLE mGuard on page 31
In this case the web browser can establish a connection to the mGuard configuration in
188. hange to Transport is made, the following fields (apart from the protocol) are hidden, as these parameters are omitted. Local: As above. Remote: As above. Virtual IP for the client: As above (previous page). 1-to-1 NAT (only in Router mode): With 1-to-1 NAT it is still possible to enter the used network addresses (local and/or remote) for specifying the tunnel beginning and end independently of the tunnel parameters agreed with the remote peer. (Figure: a local network and a remote network connected through an IPsec tunnel over the Internet, with the internal network address for 1-to-1 NAT on the local side and the network address for remote 1-to-1 NAT on the remote side.) Enable 1-to-1 NAT of the local network to an internal network: Yes/No. Rewrites the local network specified under Local to an existing local network. The default setting is No. Internal network address for 1-to-1 NAT (only when Yes is selected above): The actual network address of the system in the local network. The netmask is taken from the Local field. Enable 1-to-1 NAT of the remote network to a different network: Rewrites the remote network agreed by the VPN remote peer under Remote as if the computers connected there with these addresses were in the local network. The default setting is No. Network address for remote 1-to-1 NAT (only when Yes is selected above): The remote network address actually addressed by t
189. has been detected. The error message includes the name of the virus, the sender of the e-mail, the date sent, the name of the infected file or the name of the compressed archive file, and the infected portion of this archive. An example of a virus message:
    mGuard detected a virus. The mail could not be delivered.
    found Virus: E-mail-Worm.Win32.NetSky.q
    From: sick@example.com
    Date: Fri, 13 Aug 2004 11:33:53 +0200
    about_you.zip document.txt.exe 000012a7 00000077 00000000
    Message Details:
    From: sick@example.com
    Subject: Private document
    Date: Fri, 13 Aug 2004 11:33:53 +0200
Exceeded maximum filesize: The maximum filesize set for this protocol was exceeded. To transfer the file anyway, you can deactivate the virus filter, either globally or for the corresponding server, over the course of the download. Alternatively, you can set the Action for exceeding the maximum message size parameter to Let the message data pass unscanned under the Web Security or E-mail Security menu. In both cases the transferred files are not scanned for viruses. Temporary Virus Scanner Failure: A temporary error occurred while trying to scan a file. Repeating the transfer later or updating the virus signature file may solve this problem. Possible causes: the scan engine cannot process the file; the mGuard does not have enough available memory to decompress the file;
190. he LAN interface. Additional driver installation is not necessary. For security reasons, we recommend that you change the default Root and Administrator passwords during the first configuration. Both network interfaces of the EAGLE mGuard are configured for connection to a computer. Please note the following when connecting to a hub: When Automatic Negotiation is deactivated, the Auto MDIX function is also deactivated. This means that the EAGLE mGuard port must be either connected to the uplink port of the hub or be connected using a cross-link cable. To remove the EAGLE mGuard from the DIN rail, insert a screwdriver horizontally under the housing into the locking slide, pull it without tipping the screwdriver downwards, and lift the EAGLE mGuard upwards. 4.5 Connecting the mGuard delta. (Figure: the mGuard delta with sockets 1 to 7: DC 5 V / 3 A power supply, serial console, Ethernet LAN, Ethernet WAN, reserved.) Connect the power supply (5 V DC, 3 A) to the corresponding mGuard power socket. Connect the local computer or network to one of the ethernet LAN sockets (4 to 7) using a UTP CAT5 ethernet cable. 4.6 Installing the mGuard PCI. 4.6.1 Selection of Driver mode or Power-over-PCI mode: There are two operating modes, Driver mode or Power-over-PCI mode. The mGuard is switched to the desired mode via a jumper. Drive
191. he mGuard under the Authentication > Certificate menu (see Authentication > Certificates on page 136 in this manual). If None is displayed, then a certificate must be installed first. The None entry must not be left in place, as this results in no X.509 authentication. b) How the local mGuard authenticates the remote peer: The following definition relates to how the mGuard verifies the authentication of the VPN remote peer. The table below shows which certificates must be provided for the mGuard to authenticate the VPN remote peer if the peer displays one of the following certificate types on connection: a machine certificate signed by a CA, or a self-signed machine certificate. For further information on the following table, see chapter 6.5.3 Authentication > Certificates on page 136.
Authentication for VPN:
  The remote peer shows a machine certificate signed by a CA: the mGuard authenticates the remote peer using the Remote Certificate, OR all CA certificates that build the chain to the root CA certificate, together with the certificates displayed by the remote peer.
  The remote peer shows a self-signed machine certificate: the mGuard authenticates the remote peer using the Remote Certificate.
According to this table, certificates must be provided that the mGuard has to use for authentication of the respective VPN remote peer. The following instructions assume that the certificates have been correctly installed in the mGuard. See 6
192. he systems in the local network. The netmask is taken from the Remote field. If the remote network or the remote network for 1-to-1 NAT is within one of the networks directly connected to the mGuard LAN port, then the mGuard will additionally answer ARP requests for IP addresses within the remote network. This allows access to a remote VPN using local IP addresses without changing the routing of locally connected clients. Protocol: All / TCP / UDP / ICMP. Select whether the VPN is restricted to a certain protocol or it is valid for all data traffic. For TCP or UDP: "all" for all ports, a number between 1 and 65535, or "any" to accept any proposal. Local Port: "all" (standard) specifies that all ports can be used. If a specific port should be used, then enter the port number. "any" specifies that port selection is made by the client. Remote Port: "all" (standard) specifies that all ports can be used. If a specific port should be used, then enter the port number. Tunnel settings IPsec / L2TP: If clients should connect to the mGuard by IPsec/L2TP, then activate the L2TP server and make the following entries in the fields specified below. Type: Transport. Protocol: UDP. Local Port: any. Remote Port: any. Authentication: Authentica
he transport or tunnel settings of the respective entry. You also have the possibility of defining, activating and deactivating new VPN connections, changing (editing) the VPN or connection group settings, and deleting connections.

[screenshot: IPsec VPN > Connections table]

Making a new definition of a VPN connection / VPN connection channels: click on the Edit button in the connection table under the "(unnamed)" entry. If the "(unnamed)" entry cannot be seen, then open a further line in the table.
Editing a VPN connection / VPN connection channels: click on the Edit button to the right of the entry.

URL for starting, stopping and status query of a VPN connection: the following URL can be used to start and stop VPN connections and query the connection status independently of their Enabled setting:

  https://server/nph-vpn.cgi?name=verbindung&cmd=up|down|status

Example:

  wget "https://admin:mGuard@192.168.1.1/nph-vpn.cgi?name=Athen&cmd=up"

A command like this relates to all connection channels that are summarized under the respective name (in this example "Athen"). This is the name entered under "A descriptive name for the connection" on the General tab. If ambiguity occurs, then the URL call only affects the first entry in the connections list. Access to individual VPN connection cha
hese apply for incoming data packets of an HTTPS remote access attempt. You have the following options:
From IP: enter the address of the system or network where remote access is permitted in this field. IP address 0.0.0.0/0 means all addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
Interface: External or Internal. Specifies whether the rule applies to the external interface (WAN port) or the internal interface (LAN port). Factory default: all connections for the external interface are dropped; all connections for the internal interface are accepted.
Action: possible settings are
- Accept: data packets may pass through.
- Reject: the data packets are rejected. The sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop (see below).
- Drop: data packets may not pass through. Data packets are discarded and the sender is not informed of their whereabouts.
In Stealth mode, Reject is not supported as an action.
Comment: freely selectable comment for this rule.
Log: for each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).

User authentication: defines how the local mGuard authe
hich case the user will be required to correct the interference at their own expense.
ibutes. These attributes are either expressed as an Object Identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a relevant value. Example: CN=VPN end point 01, O=Smith and Co, C=UK

If certain subject attributes have very specific values for the acceptance of the VPN remote peer by the mGuard, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the wildcard "*". Example: CN=*, O=Smith and Co, C=UK (with or without spaces between attributes). In this example, the attributes C=UK and O=Smith and Co must be entered in the certificate under subject. Only then does the mGuard accept the certificate owner (subject) as a communication partner. The other attributes in the certificates to be filtered can have freely selectable values.

Note: if a subject filter is set, the number and sequence of the entered attributes must correspond to those of the certificates where the filter is used. Pay attention to capitalization.

Local (standard: empty): you can specify the name that the mGuard uses to identify itself to the remote peer using the VPN Identifier. This must match the entries in the mGuard machine certificate. Valid entries are: Empty, i.e. no entry (standard): the subject entry of the machine certificate (earlier known as Distinguished Name) is then used
icates:
- Public Key Infrastructure (PKI) with Certification Authority (CA), optional Certificate Revocation List (CRL) and filter options according to subject, or
- Remote certificate (e.g. self-signed certificates)
Recognition of changing remote peer IP addresses using DynDNS; NAT Traversal (NAT-T); Dead Peer Detection (DPD): recognition of IPsec connection breaks; IPsec/L2TP server: connections from IPsec/L2TP clients; IPsec firewall and 1:1 NAT; default route over VPN; forwarding of data between VPNs (hub and spoke); up to 250 VPN tunnels; VPN throughput of max. 35 MBit/s (266 MHz mGuard) and 70 MBit/s (533 MHz mGuard).
MAU management; Remote Logging; Router/Firewall redundancy; LLDP; administration using SNMP v1-v3 and Innominate Device Manager (IDM); Quality of Service (QoS); PKI support for HTTPS/SSH remote access.

Please contact your local dealer if problems occur with the mGuard. Additional information on the device and relevant changes, plus release notes and software updates, can be found on our website: http://www.innominate.com

Introduction
1.1 Device versions: mGuard industrial RS, mGuard smart, mGuard PCI, mGuard blade. mGuard is available in the following device versions, which all have largely identical functions. All devices can be utilized regardless of the processor technology and operating system used by the connected computers. The mGuard industrial RS is available in thr
ication to take place, both partners must thus give each other a copy of their certificate. A installs the copy of the certificate from B as its remote certificate; B then installs the copy of the certificate from A as its remote certificate.

Never give the PKCS#12 file (file name extension .p12) as a copy to the remote peer in order to use X.509 authentication at a later time. The PKCS#12 file contains a private key that must be kept secret and must not be given to a third party. See Creation of certificates on page 137.

To create a copy of a machine certificate imported in the mGuard, proceed as follows: click the "Current certificate file" button on the Machine Certificates tab next to the row title "Download certificate". See Machine Certificates on page 142.

The certificate shown by a remote peer can also be checked by the mGuard in a different way, i.e. not by consulting the locally installed remote certificate on the mGuard. To check the authentication of remote peers using X.509, the method of consulting CA certificates can be used instead or as a supplement. CA certificates provide a way of checking whether the certificate shown by the remote peer is really signed by the CA entered within. A CA certificate is available from the related CA (file name extension .cer, .pem or .crt). It is often available to download from the website of the CA itself. The mGuard can then check if the certificate shown by the remote
ificate file is saved on the connected computer:
1. Click on Browse to select the file.
2. Click on Import.
Download Test: by clicking on Test Download you can test if the parameters are correct without actually saving the modified parameters or activating the profile. The result of the test is displayed in the right column. Ensure that the profile on the server does not contain unwanted variables beginning with GAI_PULL_, as these overwrite the set configuration.

6.2.8 Management > Restart
Restart: note, please give the mGuard approximately 40 seconds to reboot. Restarts the mGuard. Has the same effect as a power outage: the mGuard is turned off and on again. A restart (reboot) is necessary in case of errors. This may also be necessary after a software update.

6.3 Blade Control Menu (control unit only)
This menu is only available on the blade control unit.
6.3.1 Blade Control > Overview
[screenshot: Blade Control > Overview table listing installed blades with serial number, firmware version, profile and status (Present/Unknown/Down)]
ill assign the remote peer an IP address between 10.106.106.2 and 10.106.106.254. Shows L2TP status information when this connection type has been selected.

6.9.5 IPsec VPN > IPsec Status
[screenshot: IPsec VPN > IPsec Status table with Edit and Restart buttons per connection]
Shows the status of IPsec connections. The names of the VPN connections are listed on the left. On the right you will find the current status of each connection.
Update: click on Update to update the displayed data.
Restart: click on Restart to terminate the connection and restart it again.
Edit: click on Edit to make changes to the configuration of the connection.
Connection / ISAKMP Status / IPsec Status:
GATEWAY: shows the IP addresses of the communicating VPN gateways.
TRAFFIC: identifies the systems or networks which communicate via the VPN gateways.
ID: identifies the subject of an X.509 certificate.
ISAKMP State: ISAKMP (Internet Security Association and Key Management Protocol) state is given as "established" if both VPN gateways involved have established a channel for key exchange. In this case they have contacted each other and all settings made on the configuration page up to and including ISAKMP SA were correct.
IPsec State: IPsec State is given as "established" if IPs
in Routing on page 224.

Note: since a connection attempt is first handled by the mGuard, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server has been established, but no data has been sent. The entry of exact server addresses in the list prevents this behavior.
Server Port: enter the number of the port for the FTP protocol in this field. The default setting for the FTP port is 21.
Scan: "Scan" means the virus filter is activated for the server specified in this rule. "No Scan" means the virus filter is deactivated for the server specified in this rule.

6.8 E-mail Security Menu (not for blade controller)
6.8.1 E-mail Security > POP3 Virus Protection > Options
Requirements: the following requirements must be fulfilled in order to use the virus filter:
- The anti-virus license has been installed. Instructions on how to request and install a license can be found under the section Management > Licensing on page 75.
- Access to an update server with the current versions of the virus signatures (see section Management > Update on page 77).
[screenshot: E-mail Security > POP3 Virus Protection > Options with the fields "Enable content scanning for POP3", "POP3 maximum filesize for scanning", "Action for infected mails" and "Action for mails exceeding maximum"]
in sortable tables.

Adding rows (non-sortable tables):
1. Click on the arrow where you want to insert a new row.
2. Result: the new row is appended to the existing table. You can now enter or specify values in the row.

Further operating instructions: the following buttons are located at the top of every page.
Logout: for logging out after configuration access to the mGuard. If the user does not conduct a logout procedure, the logout is made automatically when activities have stopped and the defined time limit has expired. Renewed access is only granted after the login process has been repeated.
Reset (optional button): resets data to the original values. If you have entered values on a configuration page and these have not yet been applied with the Apply button, you can restore the original values on the page by clicking the Reset button. This button can only be seen at the top of the page if the validity range of the Apply button is set to "Include all pages" (see Management > Web Settings on page 68).
Apply (optional button): has similar functions to the Apply button but is valid for all pages. This button can only be seen at the top of the page if the validity range of the Apply button is set to "Include all pages" (see Management > Web Settings on page 68).
incoming ARP requests or ARP replies per second (in each case).
TCP: maximum number of new outgoing TCP connections (SYN) per second; factory default 75. Maximum number of new incoming TCP connections (SYN) per second; factory default 25. These two settings define upper limits for allowed incoming and outgoing TCP connections per second. These are set to a level that can never be reached during normal operation; however, they can be reached easily when attacks occur, thus giving additional protection. If special requirements are present in your operating surroundings, then these values can be increased.
ICMP: maximum number of outgoing ping frames (ICMP Echo Request) per second; factory default 5. Maximum number of incoming ping frames (ICMP Echo Request) per second; factory default 3. These two settings define upper limits for allowed incoming and outgoing ping frames per second. These are set to a level that can never be reached during normal operation; however, they can be reached easily when attacks occur, thus giving additional protection. If special requirements are present in your operating surroundings, then these values can be increased.
Stealth Mode: maximum number of outgoing ARP requests or ARP replies per second (in each case); factory default 500. Maximum number of incoming ARP requests or ARP replies per second (in
independent from those under the Serial Port tab, as these are different applications with different configurations.
Explanation: alternatively, the serial port with external access can be used as follows.
A) For development of data transfers over the serial port or built-in modem instead of the mGuard WAN interface. This is the case when the Modem or Built-in Modem network mode is selected. This case is described above. For this procedure only the settings of the Modem or Built-in Modem network mode are relevant; settings of the Serial Port tab are not considered.
B) For configuration of the mGuard over the serial port. There are two possibilities here:
- A PC is connected directly to the serial port of the mGuard. The PC user can then carry out the configuration over the mGuard command line using a terminal program.
- A modem is connected to the serial port of the mGuard. This is connected to the telephone network (landline or GSM network). The user of a remote PC, also connected to the telephone network using a modem, can establish a PPP dial connection (PPP: Point-to-Point Protocol) to the mGuard and can then configure it using their web browser. In the following documentation this procedure is also defined as a PPP dial-in option for configuration purposes.
For this procedure only the settings on the Serial Port tab are relevant. Settings of the Modem or Built-in Modem network mode are not considered, as they play no role in the network
industrial RS / EAGLE mGuard:
- To avoid overheating, do not expose to direct sunlight or other heat sources. Do not bend connection cables. Only use the network connector for connection to a network.
Action: check the package contents and read the Release Notes. To start the device, perform the following steps in the listed order:
- Included in the package, on page 22
- Connect the device: Installing the mGuard industrial RS on page 23; Connecting the mGuard smart on page 28; Installing the mGuard blade on page 29; Installing the EAGLE mGuard on page 31; Connecting the mGuard delta on page 33; Installing the mGuard PCI on page 34
- Configure the device as required: proceed through the various options given in the mGuard configuration menus. Please consult the relevant sections of this manual for more information regarding the required options and settings for your operating environment. Local configuration: At startup, on page 44

Startup: Included in the package
Before setting up the device, check that the package is complete:
- The device (mGuard industrial RS, mGuard blade, delta, PCI, smart, or EAGLE mGuard)
- System documentation on CD or downloaded from website (see Quick Installation Guide)
- Quick Installation Guide
The mGuard industrial RS also contains: terminal block for the power supply; terminal block for th
ing is enabled, the mGuard consults the CRL (Certificate Revocation List) and checks whether the mGuard certificates are blocked or not. CRLs are issued by the CA and contain the serial numbers of blocked certificates (e.g. certificates that have been manipulated or stolen). Enter the origin of the CRL under the CRL tab (see CRL on page 147).

Note: when CRL checking is enabled, a CRL must be configured for each issuer of certificates in the mGuard. Absent CRLs lead to certificates being declared invalid.
Note: CRLs are verified by the mGuard using a relevant CA certificate. Therefore all CA certificates belonging to a CRL, i.e. all sub-CA certificates and the root certificate, must be installed on the mGuard. If the validity of a CRL cannot be proven, then it is ignored by the mGuard.
Note: if the use of CRLs is activated together with the consideration of validity periods, lists are ignored if their validity period has expired or has not yet started.

CRL download interval: if "Enable CRL checking" is set to Yes (see above), then select here the time period after which the CRLs should be downloaded and applied. Enter the origin of the CRL under the CRL tab (see CRL on page 147). If CRL checking is activated but the CRL download is set to Never, then the CRL must be manually loaded on the mGuard so that CRL checking can be made.

Machine Certificates: the mGuard authenticates it
internal routes.

Network A:
  Computer:   A1            A2            A3            A4            A5
  IP address: 192.168.11.3  192.168.11.4  192.168.11.5  192.168.11.6  192.168.11.7
  Netmask:    255.255.255.0 (all)
Network B (additional internal route: Network 192.168.15.0/24, Gateway 192.168.11.2):
  Computer:   B1            B2            B3            B4
  IP address: 192.168.15.2  192.168.15.3  192.168.15.4  192.168.15.5
  Netmask:    255.255.255.0 (all)
Network C (additional internal route: Network 192.168.27.0/24, Gateway 199.168.14.2 as printed on the page):
  Computer:   C1            C2            C3            C4
  IP address: 192.168.27.1  192.168.27.2  192.168.27.3  192.168.27.4
  Netmask:    255.255.255.0 (all)

7 The Rescue Button: Restarting, the Recovery Procedure and Flashing Firmware
The Rescue button is used to perform the following procedures.
7.1 Performing a restart
Objective: to restart the device with the configured settings.
Action: press the Rescue button for approx. 1.5 seconds:
- mGuard industrial RS: until the error LED lights up
- smart: until the middle LED lights up red
- blade / PCI: until both red LEDs light up
- EAGLE: until the status LED and the link LEDs are extinguished
- delta: until the status LED stops blinking
OR
- briefly disconnect the power supply (mGuard PCI: R
ion authorization it logs in. This access right allocation takes place here by setting filters under "Authorized for access". This has the following result: if there are several filters that let through a user, then the first filter comes into effect. The user receives the access rights as defined by this filter. This can vary from the access rights allocated to the user in a subsequent filter. If remote certificates are configured as filters in the "X.509 Certificate" table column, then these filters have priority over filter settings here.
Authorized for access as: root / admin / netadmin / audit / user. Defines which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication > Local Users on page 132. The netadmin and audit authorization levels relate to access rights with the Innominate Device Manager.
X.509 Certificate: configuration is required in the following cases: remote users each show a self-signed certificate; remote users each show a certificate signed by a CA and filtering should take place. Access is only granted to the user whose certificate copy is installed in the mGuard as the remote certificate and is provided in the mGuard table as "X.509 Certificate". If used, this filter has priority over the Subject filter in the table above. The entry in this field defines which remote certificate the mGuard should
[screenshot: Windows TFTP server options dialog (Translate Unix file names, Beep for long transfer, Default, Help, Cancel buttons)]

In Linux: all current Linux distributions include DHCP and TFTP servers. Install the corresponding packages as described in the instructions for the respective distributions. Configure the DHCP server by making the following settings in the file /etc/dhcpd.conf:

  subnet 192.168.134.0 netmask 255.255.255.0 {
    range 192.168.134.100 192.168.134.119;
    option routers 192.168.134.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.134.255;
  }

This sample configuration makes 20 IP addresses (.100 to .119) available. It is assumed that the DHCP server has the address 192.168.134.1 (settings for ISC DHCP 2.0). The required TFTP server is configured in the following file: /etc/inetd.conf. In this file, insert the appropriate line or set the necessary parameter for the TFTP service. The directory for the data is /tftpboot:

  tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot

The mGuard image files must be saved in the /tftpboot directory: install.p7s and jffs2.img.p7s. If a major release upgrade of the firmware is carried out by means of the flash procedure, the license file purchased for the update must also be stored here under the name licence.lic. Please ensure that this is the correct license for the device (see Managem
is defective according to the check procedure detailed above. When the mGuard attempts to retrieve a new configuration profile cyclically, after the time defined in Pull Schedule and Time Schedule, it will only accept the profile under the following selection criterion: the provided configuration profile must differ from the configuration profile identified as defective that led to the rollback. To do this, the mGuard checks the old MD5 sum (i.e. of the defective configuration) against the MD5 sum of the suggested new configuration profile. If this selection criterion is fulfilled, i.e. a new configuration profile is offered, then the mGuard retrieves this configuration profile, enforces it and checks it according to the procedure detailed above. It also disables it if the rollback check is negative. If the selection criterion is not fulfilled, i.e. the same configuration profile is offered, then the cyclical request remains in force for the period defined in "Number of times". If the defined number of times expires without a change of the configuration profile on the server, then the mGuard enforces the unchanged new configuration profile once more, despite it being defective. This occurs to rule out external factors (e.g. a network outage) as the cause of the check failure. The mGuard then once again attempts to connect to the configuration server based on the new configuration and then downloads the newly enforced configurati
is inserted as a function in this position, i.e. the rules of this rule record. Do not create any circular references; otherwise network packets that land in a permanent circuit through indirect self-referencing are dropped by the mGuard.
Note: in Stealth mode, Reject has the same effect as Drop.
Comment: freely selectable comment for this rule.
Log: for each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).
Note: rule records are only used when they are referred to on the Incoming or Outgoing Rules tab. Referring to a rule record leads to the use of a list of rules. The requirement for this is that all row criteria are fulfilled in the row in which the rule record is referred to.

MAC Filtering
Network Security > Packet Filter > MAC Filtering
Incoming: Source MAC (xx:xx:xx:xx:xx:xx), Destination MAC (xx:xx:xx:xx:xx:xx), Ethernet Protocol (any), Action (Accept).
Ethernet Protocol may be "any", IPv4, ARP, Length or a hexadecimal value.
Please note: these rules only apply to Stealth mode.
Please note: management access to 1.1.1.1 requires ARP resolution of the default gateway. Restricting ARP traffic to the default gateway may lead to management access problems.
Outgoing: Source MAC, Des
is not possible to use PPPoE or PPTP in Stealth mode.

Startup: Router mode in Driver mode
[figure: operating system 192.168.1.2 <-> 192.168.1.1 mGuard PCI, external IP]
If the mGuard is in Router mode or PPPoE or PPTP mode, then it builds its own network together with the operating system on the computer where the mGuard is installed. This means the following for the IP configuration of the operating system network interface: it must be assigned an IP address that is different to the IP address of the mGuard (192.168.1.1 according to the factory default). This is represented in the figure above by two black spheres. A third IP is used for the mGuard interface to the WAN; connection to an external network (e.g. Internet) is made using this IP.

Power-over-PCI mode: Stealth mode in Power-over-PCI mode
[figure: network card -> 192.168.1.1 mGuard PCI, external IP]
No driver software is installed in Power-over-PCI mode, as the mGuard PCI network card function is switched off.

A network card is connected to the LAN port of the mGuard PCI that is already installed and can be found on the same or another computer. See Hardware installation on page 37. In Stealth mode, the IP address configured for the network interface of the operating system (LAN port) is also used by the mGuard for its WAN port. By doing this
is taken, i.e. automatic logout. The setting 0 (factory default) means that no automatic session end is made. The given value is also valid for shell access over the serial port.
Enable SSH remote access: Yes / No. If you want to enable SSH remote access, then set this option to Yes. Ensure that the firewall rules on this page permit access to the mGuard from a remote peer under "Permitted networks".
Port for incoming SSH connections (remote administration only): standard 22. You can also specify a different port. The remote peer that makes remote access may have to enter the port number defined here during the login procedure.
Example: if this mGuard is accessible over the Internet under the address 123.124.125.21 and the port number 22 has been set for remote access, you may not need to enter this port number in the address field on the SSH client (e.g. PuTTY or OpenSSH) of the remote peer. If a different port number has been set, e.g. 22222, this must be specified, e.g.

  ssh -p 22222 123.124.125.21

Allowed Networks
[screenshot: Allowed Networks table (Log ID fw-ssh-access) with the columns From IP, Interface, Action, Comment, Log; example row 10.1.0.0/16, External, Accept, No]
Lists the firewall rules that have been set. These apply for incoming data packets of an SSH remote access attempt. You can also specify further rules.
From IP: enter the address of the
it. Additional filter which defines that the SSH client has to have a certain administration level authentication in order to gain access.
Explanation: during connection, the SSH client shows its certificate and also the system user for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted when the entries match those defined here. Access for all listed system users is possible when "All users" is set. The netadmin and audit settings relate to access rights with the Innominate Device Manager.
Client certificate: configuration is required in the following cases: SSH clients each show a self-signed certificate; SSH clients each show a certificate signed by a CA and filtering should take place. Access is only granted to the user whose certificate copy is installed in the mGuard as the remote certificate and is provided in the mGuard table as "Client certificate". This filter is not subordinate to the Subject filter; it resides on the same level and is combined with the Subject filter by a logical OR. The entry in this field defines which remote certificate the mGuard should adopt in order to authenticate the remote peer (SSH client). To do this, select one of the remote certificates from the selection list. The selection list gives a selection of remote certificates that are loaded in the mGuard under the Authentication > Certificates menu.
Authorize
k is only synchronized when the system time of the mGuard is synchronized. If the clock has been synchronized, then its status is only returned to "not synchronized" after the firmware is flashed.
Local system time: here you can set the mGuard time if no NTP server has been specified (see below) or the NTP server is not available. The date and time are specified in the format yyyy.mm.dd-hh:mm:ss (yyyy: year, mm: month, dd: day, hh: hour, mm: minute, ss: second).
Timezone in POSIX.1 notation: if the "Current system time" above should display a current local time that is different to Greenwich Mean Time, then you must enter the number of hours that your local time is in front of or behind Greenwich Mean Time.
Example: in Germany the time is one hour ahead of GMT; therefore enter CET-1. In New York the time is five hours behind Greenwich Mean Time; therefore enter CET+5. The only important thing is the signed offset value (-1, +2, +5 and so on), as only this is evaluated, not the preceding letters. They can be substituted with CET or any other designation such as UTC. If you wish to display Central European Time (e.g. for Germany) and have it automatically switch to/from daylight saving time, enter CET-1CEST,M3.5.0,M10.5.0/3.
Timestamp in filesystem (2 h granularity): Yes / No. If this option is set to Yes, the mGuard will save the current system time every two hours. Result:
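The POSIX.1 timezone notation described above inverts the sign most people expect: CET-1 means one hour ahead of UTC, and the optional DST part "CEST,M3.5.0,M10.5.0/3" names the rule (month 3, week 5 = last, weekday 0 = Sunday, at 02:00 standard time; back on the last Sunday of October at 03:00 DST). The following parser is an added example, not code from the manual or from Innominate; the sample strings are the ones the manual gives, the function and variable names are my own, and the evaluator assumes a northern-hemisphere rule (DST start before DST end within the year) and a one-hour DST shift, which is what the CET/CEST example uses.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts NAME[+|-]H[DSTNAME,Mm.w.d[/h],Mm.w.d[/h]] as used on the mGuard time page.
SPEC_RE = re.compile(r"^([A-Za-z]+)([+-]?\d+)(?:([A-Za-z]+),([^,]+),([^,]+))?$")
RULE_RE = re.compile(r"^M(\d+)\.(\d)\.(\d)(?:/(\d+))?$")


def parse_rule(text):
    """Mm.w.d[/h] -> (month, week, weekday, hour); hour defaults to 02:00 as in POSIX."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"bad transition rule: {text}")
    month, week, weekday, hour = m.groups()
    return int(month), int(week), int(weekday), int(hour) if hour else 2


def parse_posix_tz(spec):
    """Return (std_name, utc_offset_hours, dst) where dst is None or
    (dst_name, start_rule, end_rule).  Note the POSIX sign inversion:
    the number counts hours *west* of UTC, so CET-1 is UTC+1."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad POSIX TZ string: {spec}")
    name, offset, dst_name, start, end = m.groups()
    utc_offset = -int(offset)
    dst = (dst_name, parse_rule(start), parse_rule(end)) if dst_name else None
    return name, utc_offset, dst


def rule_datetime(year, rule):
    """Resolve an Mm.w.d/h rule to a naive local datetime in the given year."""
    month, week, weekday, hour = rule
    first = datetime(year, month, 1)
    first_posix_wd = (first.weekday() + 1) % 7        # Python Monday=0 -> POSIX Sunday=0
    day = first + timedelta(days=(weekday - first_posix_wd) % 7 + 7 * (week - 1))
    if week == 5 and day.month != month:               # week 5 means "the last one"
        day -= timedelta(days=7)
    return day + timedelta(hours=hour)


def to_local(spec, utc_dt):
    """Convert an aware UTC datetime to (naive local datetime, zone abbreviation)."""
    name, offset, dst = parse_posix_tz(spec)
    base = utc_dt.astimezone(timezone.utc).replace(tzinfo=None)
    std_local = base + timedelta(hours=offset)
    if dst is None:
        return std_local, name
    dst_name, start_rule, end_rule = dst
    # Start is stated in standard local time, end in DST local time; compare in UTC.
    start_utc = rule_datetime(base.year, start_rule) - timedelta(hours=offset)
    end_utc = rule_datetime(base.year, end_rule) - timedelta(hours=offset + 1)
    if start_utc <= base < end_utc:
        return std_local + timedelta(hours=1), dst_name
    return std_local, name


if __name__ == "__main__":
    noon_utc_summer = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample
    for spec in ("CET-1", "CET+5", "CET-1CEST,M3.5.0,M10.5.0/3"):
        print(spec, "->", to_local(spec, noon_utc_summer))
```

Running it shows why the manual says only the number matters: "CET+5" yields the New York offset (07:00 for 12:00 UTC) despite the "CET" label, and the full string with the M-rules yields 14:00 CEST in July but 13:00 CET in January.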
k on the Ping button. You will then receive an appropriate notification.

Traceroute (Support Tools > Traceroute; fields: Hostname/IP Address, "Do not resolve IP addresses to hostnames")
Goal: to establish which intermediary peers or routers are found on the connection path to a remote peer computer.
Procedure: enter the remote peer IP address or hostname, for which the route is to be calculated, in the Hostname/IP Address field. If the points on the route are to be given as IP addresses and not hostnames (if applicable), activate the "Do not resolve IP addresses to hostnames" checkbox. Click on the Trace button. You will then receive an appropriate notification.

DNS Lookup (Support Tools > DNS Lookup; field: Hostname)
Goal: to establish which hostname belongs to a certain IP address, OR which IP address belongs to a certain hostname.
Procedure: enter the IP address or hostname in the Hostname field. Click on the Lookup button. You will then receive the answer determined by the mGuard according to the DNS configuration.

IKE Ping (Support Tools > IKE Ping; field: Hostname/IP Address)
Goal: to determine if the VPN gateway software is able to establish a VPN connection, or if a firewall prevents this.
Procedure: enter the name or IP address of the VPN gateway in the Hostname/IP Address field. Click on the Ping button. You
l

Glossary: Trap, X.509 certificate, Protocol (communication protocol), Service provider, Spoofing (anti-spoofing)

routing table that shows which networks are available over which router connections or intermediary stations. Aside from other protocols, SNMP (Simple Network Management Protocol) can also be used, especially in large networks. This UDP-based protocol is used for the central administration of network devices. For example, the configuration of a device can be requested using the GET order and changed using the SET order. To do this, the requested network device must be SNMP compatible. An SNMP compatible device can also send SNMP messages, e.g. when unexpected events occur. Messages of this kind are known as SNMP traps.

X.509 certificate: a type of seal that certifies the authenticity of a public key (see Asymmetrical encryption) and the associated data. It is possible to use certification to enable the user of the public key used to encrypt the data to ensure that the received public key is from its actual issuer, and thus from the instance that should later receive the data. A Certification Authority (CA) certifies the authenticity of the public key and the associated link between the identity of the issuer and their key. The certification authority will verify authenticity in accordance with its rules. For example, this may require the issuer of the public key to appear before
218. lade controller. This results in the resetting of the mGuard IP address to the factory defaults (see "Performing a recovery" on page 226).
49 from 243
Preparing the configuration
If the administrator website is not displayed after a successful connection setup, i.e. if the web browser repeatedly reports that the page cannot be displayed, try the following:
- Check whether the default gateway has been initialized on the connected configuration system. See "Local configuration: At startup" on page 44.
- Disable any active firewalls.
- Ensure that the browser does not use a proxy server. In MS Internet Explorer version 6.0, make this setting as follows: In the Extras menu, select Internet Options and click on the Connections tab. Under LAN Settings, click on Settings and check that "Use a proxy server for your LAN" under Proxy server is not activated in the Local Area Network (LAN) Settings.
- If any other LAN connection is active on the system, deactivate it until configuration has been completed. Under the Windows menu Start > Settings > Control Panel > Network Connections (or Network and Dial-up Connections), right-click on the associated icon and select Disable in the pop-up menu.
After a connection has been successfully set up, the following security notice is displayed:
(Screenshot: MS Internet Explorer "Security Alert" dialog: "Information you exchange with this site cannot be viewed or changed b")
Explanation: As administrative tasks
219. layed in the main window as one or more pages on which you can define the settings. If the page is organized into several pages, you can scroll through them using the tabs at the top.
2. Make the desired settings on the relevant page or tab. See also the section on "Working with sortable tables" on page 53.
3. Click on the Apply button to save the settings on the device.
After the settings have been saved by the system, you will see a confirmation message. This indicates that the new settings have taken effect. They also remain valid after a restart (reset).
- You can return to a previously accessed page by pressing the Back button, if available.
Entry of inadmissible values
After inadmissible values are entered (for example an inadmissible number in an IP address) and Apply is clicked, the relevant tab title is displayed in red. This helps in tracking down the error.
Working with sortable tables
Many settings are saved as data records. Accordingly, the adjustable parameters and their values are presented as table rows. If several data records have been set (e.g. firewall rules), these will be queried or processed based on the entry sequence from top to bottom. Therefore, pay attention to the order of the entries if necessary. The sequence can be changed by moving table rows upwards or downwards. With tables you can carry out the following actions:
Insert rows: sets up a new data record with settings (e.g. the fire
220. le name. It must clearly define the rule record in question. A rule record can be referred to in the incoming and outgoing rule lists using this name. To do this, the relevant rule record name is selected in the Action column.
Enabled: Yes/No. Activates/deactivates the relevant rule record.
Firewall rules
152 from 243
Protocol: TCP/UDP/ICMP/ESP/All
From/To IP: 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224).
From/To Port: Only evaluated for the TCP and UDP protocols. "any" describes any selected port. startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop (see below). Drop means that data packets may not pass through; the data packets are discarded and the sender is not informed of their whereabouts.
Configuration: Network Security Menu (not for blade controller)
Name of rule records (if defined): Aside from Accept, Reject and Drop, the selection list also gives the names of previously defined rule records. If a name is selected (referenced), then this
221. letely or to decompress it, a corresponding error message is sent to the user's e-mail client software and an entry is written in the anti-virus log. In this case you have the following options:
- You can try to download the e-mail again later.
- You can temporarily deactivate the virus filter for the corresponding server.
- You can activate the automatic pass-through mode.
173 from 243
Configuration: E-mail Security Menu (not for blade controller)
174 from 243
Please note that, depending on the coding scheme used, the size of the attachment may be larger than the original file.
Action for infected mails:
Notify recipient by e-mail: The recipient is informed by e-mail if the virus filter detects a virus.
Notify e-mail client by error message: The recipient is informed by an error message sent to the e-mail client if the virus filter detects a virus.
If the parameter "Delete received messages from server" has been set in the e-mail client software and the Action for infected mails has been set to "Notify recipient by e-mail", the infected e-mail is deleted on the server, as the e-mail client assumes that the e-mail has been successfully transferred. If you do not wish to have the infected mail deleted (e.g. if you wish to download the infected e-mail another way), only use the option "Notify e-mail client by error message".
Action for mails exceeding maximum message size:
Let message pass uns
222. llowed following an active connection attempt. IRC must be set to Yes (standard) for the additional connections to be passed through by the firewall.
PPTP: Yes/No. Must be set to Yes if VPN connections are established using PPTP from local computers to external computers without mGuard assistance. The factory default for this option is No.
H.323: Yes/No. Standard: No. Protocol used for communication meetings between two or more participants. Used for audio-visual transfers. This protocol is older than SIP.
SIP: Yes/No. Standard: No. The SIP (Session Initiation Protocol) is used for communication meetings between two or more participants. Often used for IP telephony. By selecting Yes, it is possible for the mGuard to monitor the SIP and add the necessary firewall rules dynamically if further communication channels are to be established in the same session. When NAT is also activated, one or more locally connected computers can communicate with external computers by SIP through the mGuard.
157 from 243
Configuration: Network Security Menu (not for blade controller)
6.6.2 Network Security > NAT
Masquerading
158 from 243
(Screenshot: Network Security > NAT > Network Address Translation / IP Masquerading rule table, sample entry 0.0.0.0/0.)
These rules let you specify which IP addresses (normally addresses within the private address space) are to be rewritten to the mGuard's IP address. Please note: These rules won't apply to the Stealth mode.
223. malfunction occurs within the mGuard (internal voltage of 3.3 V DC, power supply < 9.6 V, etc.).
Link supervision: Supervision of the ethernet interface link state. Possible settings are: Ignore; Supervise internal only (trusted); Supervise external only (untrusted); Supervise both.
Manual settings
58 from 243
Contact: If the signal contact is set to "Manual setting" (as above), this option sets the contact to Closed or Open.
Alarm
Configuration: Management Menu
Time and Date
(Screenshot: Management > System Settings > Time and Date, with the fields Current system time (UTC), Current system time (local), System time state, Hardware clock state, Local system time (sample value 2007-08-06 16:10:20), Timezone in POSIX.1 notation, Time stamp in filesystem (2h granularity), NTP Server: Enable NTP time synchronization (Yes), NTP State, NTP server (sample value pool.ntp.org).)
Time and Date
Current system time (UTC): Displays the current system time in Universal Time Coordinates (UTC). If NTP time synchronization is not yet activated (see below) and "Time stamp in filesystem" is deactivated, the clock will start at January 1st 2000.
Current system time (local): Display. If you want the (sometimes different) current local time to be displayed, you must make the corresponding entry under "Timezone in POSIX.1 notation" (see below).
Local system time: Display. Displays whether the system time and run time of the mGuard have ever ac
224. mask: The netmask for the IP address above.
Default gateway: The default gateway (standard gateway) of the network where the mGuard is located.
Use Management VLAN: Yes/No. If this IP address should be contained within a VLAN, then this option must be set to Yes. This option is only valid when the option "Stealth configuration" is set to "multiple clients".
Management VLAN ID: A VLAN ID between 1 and 4095.
VLAN is not supported for the management IP address during automatic stealth configuration. An explanation of the term VLAN can be found in the glossary on page 239.
Static routes
Stealth configuration: static
In Stealth mode, the mGuard adopts the default gateway of the client connected to the LAN port. Alternative routes can be defined for data packages sent to the WAN that are created by the mGuard itself. Among others, the following data traffic belongs here:
- The download of certificate revocation lists (CRL)
- The download of a new configuration or virus definition file
- Communication with an NTP server for time synchronization
- Dispatch and receipt of encrypted data packages from VPN connections
If this option is used, make the relevant entries afterwards. If it is not used, the affected data packages are transmitted over the default gateway defined by the client.
Static routes: The following settings are applied to traffic generated by the mGuard.
Networks to be routed over alternative gateways
225. mber or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop. Drop means that data packets may not pass through; the data packets are discarded and the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No; factory default).
Log entries for unknown connection attempts: When set to Yes, all attempts to establish a connection that are not covered by the rules defined above are logged.
197 from 243
Configuration: IPsec VPN Menu (not for blade controller)
IKE Options
198 from 243
(Screenshot: IPsec VPN > Connections > "New York" > IKE Options. ISAKMP SA (Key Exchange): Encryption Algorithm, Hash Algorithm (All algorithms). IPsec SA (Data Exchange): Encryption Algorithm (3DES / All algorithms), Hash Algorithm. Perfect Forward Secrecy (PFS): "The remote site must have the same entry. Activation is recommended due to security reasons." Lifetimes: ISAKMP SA Lifetime (seconds), IPsec SA Lifetime (seconds), Rekeymargin (seconds), Rekeyfuzz (percent).)
226. message pass unscanned
(Screenshot: POP3 virus protection settings with the "message size" option and the list of POP3 servers; columns Server, Server Port, Comment, Scan; sample entry 0.0.0.0/0, port 110, Scan.)
The POP3 protocol is used by the e-mail client for incoming e-mails.
- The virus filter can only check unencrypted data for viruses. Therefore, encryption options such as STLS or SSL should not be activated. However, encrypted authentication using AUTH can be used, since the e-mail itself is not encrypted.
Enable content scanning for POP3 incoming eMail: Yes/No. By selecting Yes, received files are scanned for viruses by the mGuard if they are transferred via POP3 connections contained in the "List of POP3 servers" defined below.
Tip: When using a POP3 connection, most e-mail clients pick up all e-mails during a single connection. In this case, the new settings will first take effect after the last e-mail has been collected from the server during the current connection. If settings are changed whilst an e-mail transfer is in progress, the transfer must be cancelled so the new setting can take effect.
POP3 maximum filesize for scanning (in bytes): Factory default: 5 MB. Specify the maximum size of the files to be checked here. Larger files are not scanned. Depending on the "When size limit is exceeded" setting, an error message is sent to the e-mail client and the e-mail is not received, or the system automatically switches to pass-through mode. If the mGuard does not have enough memory to save a file comp
227. mode settings of the mGuard.
Configuration: Network Menu
When the Modem network mode is selected:
(Screenshot: Network > Interfaces > General. Network Status: External IP address, Network Mode, Status (Active), Default route, Used DNS servers. Network Mode: Modem; Phone number to call (sample value 0N0806432168); Authentication: User name, Password, PAP server authentication; Dial on demand (Yes); Idle timeout (Idle time, seconds); Local IP, Remote IP, Netmask; Use VLAN, VLAN ID; Internal Networks: Internal IPs, IP (trusted port), Netmask.)
Firstly, under Network Mode, select whether the modem or telephone connection to the Internet is made using an external Modem or a Built-in Modem (only available for the mGuard industrial RS with built-in modem or ISDN terminal adaptor). Then enter the required connection parameters for the telephone connection. Make further modem connection settings on the Modem tab (see "Modem" on page 120).
Modem OR Built-in Modem
Phone number to call: Telephone number of the ISP. The connection to the Internet is established after the telephone connection is made.
Command syntax: Together with the previously set modem command for dialing (ATD), the following dial sequence, as an example, is created for the connected modem: ATD765432. A compatible pulse dialing procedure is used as standard, whi
228. mote peers are authentic. The check is made as follows: The issuing authority (CA) is entered as Issuer in the certificate shown by the remote peer. These details can be checked for authenticity against the same Issuer using the local CA certificate. For more details, see "Authentication > Certificates" on page 136.
Example of imported CA certificates:
(Screenshot: Authentication > Certificates > Trusted CA Certificates, showing the imported sample certificates:
- Subject CN=VPN RootCA 01, O=Sample Supplier, C=UK; Issuer CN=VPN RootCA 01, O=Sample Supplier, C=UK; valid from Jun 20 11:23:18 2007 GMT to Jun 20 11:23:18 2022 GMT; Fingerprint MD5 BC B8 AC 3F A1 39 2F AD 68 56 2C 7E DE A0 14 FF, SHA1 54 06 9E BD C2 38 88 E2 1A 38 B2 48 E7 0A C5 B9 36 FF 90 04; Shortname VPN RootCA 01.
- Subject CN=VPN SubCA 01, O=Sample Supplier, C=UK; Issuer CN=VPN RootCA 01, O=Sample Supplier, C=UK; valid from Jun 20 11:23:20 2007 GMT to Jun 20 11:23:20 2017 GMT; Fingerprint MD5 21 0A 5C 9D DB BA 7B 4E E7 C8 BC 64 7D E9 9D F0, SHA1 42 45 DA 1C 9F 2E 48 85 AC 9F 8D CA A0 52 B2 92 72 DE 4E B8.
- Subject CN=Web RootCA 01, O=Sample Web Securities Inc, C=UK; Issuer CN=Web RootCA 01, O=Sample Web Securities Inc, C=UK.
Each entry has the controls Upload (Filename, Browse, Import Certificate), Current Certificate File and Subject.)
Trusted CA Certificates: Shows the currently imported CA certificates. To import a new certificate, please proceed as follows:
Importing a new
229. mpts.
Scanning for viruses may allow outgoing connections that are usually blocked by the firewall rules defined under Network Security > Packet Filter and Network Security > User Firewall. Please see "Connections scanned for viruses are subject to firewall rules: Yes/No" on page 155 to adjust this behavior.
You have the following options:
Server: 0.0.0.0/0 means all addresses. This means that files from all POP3 servers are scanned. To enter an address, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224).
Since a connection attempt is first handled by the mGuard, if a nonexistent server is requested (e.g. a bad IP address), the user software will act as though the connection to the server has been established but no data has been sent. Entering exact server addresses in the list prevents this behavior.
Server Port: Enter the number of the port for the POP3 protocol in this field. The default setting for the POP3 port is 110.
Comment: Freely selectable comment for this rule.
Scan:
Scan: The virus filter is activated for the server specified in this rule.
No Scan: The virus filter is deactivated for the server specified in this rule.
175 from 243
Configuration: E-mail Security Menu (not for blade controller)
6.8.2 E-mail Security > SMTP
Virus Protection
176 from 243
Options
Requirements: The following requirements must be fulfilled in order to use the
230. n Self-test error
The signal contact is interrupted during a reboot until the mGuard is fully operative. This also applies when the signal contact is set manually to Closed in the software configuration.
Service contacts
A push button and a signal LED (20 mA) can be connected over the service contacts (see diagram above for wiring). The push button is used for establishing and disabling a previously defined VPN connection, whilst the
26 from 243
Startup
signal LED displays the status of the VPN connection. See "IPsec VPN > Global" on page 179 under Options.
Push button operation: To establish a VPN connection, press and hold the push button for a few seconds until the signal LED flashes. Only release the push button at this point. The flashing LED signals that the mGuard has received the command for establishing a VPN connection and has started the connection process. The LED lights up continuously as soon as the VPN connection is established. To disable the VPN connection, press and hold the push button for a few seconds until the signal LED flashes or goes out. Only release the push button at this point. The VPN connection is disabled when the signal LED no longer lights up.
Signal LED: If the signal LED is OFF, then the defined VPN connection is disabled. Cause: VPN connection not established, or failed due to errors. If the signal LED is ON, then the VPN connection is established. If the si
231. n try to download the file again later.
- You can temporarily deactivate the virus filter for the corresponding server.
- You can activate the automatic pass-through mode.
Action for infected files:
Notify with browser error: An error message is sent to the HTTP client if the virus filter detects a virus in the data transferred from an HTTP server to the HTTP client. The handling of this error message depends on the respective HTTP client. A web browser will display the error message as an HTML page. If a downloaded file within an HTML page (e.g. a graphic file) is infected, then this file is not displayed in the browser. If a download manager is used to download a file via HTTP, the error message is displayed by the download manager.
Action for files exceeding maximum message size:
Let data pass unscanned: When this option is selected, the virus filter is switched to pass-through mode, which allows files that exceed the file size limit to pass through unscanned. In this case the data is not checked for viruses.
Block data: When this option is selected, the system terminates the download and sends an error message to the client software.
List of HTTP Servers: Enter the servers whose data should be scanned for viruses. By activating and deactivating the anti-virus function for each entry or server, you can set an exception for subsequent rules. It is also possible to enter trusted servers (see the example below).
Exam
232. nagement Menu
6.2.6 Management > SNMP
Query Settings
84 from 243
(Screenshot: Management > SNMP > Query Settings. Enable SNMPv1/v2 access: No. Port for incoming SNMP connections (external interface only). SNMPv1/v2 Community: Read-Write Community, Read-Only Community. Allowed Networks: rule table with columns From IP, Interface, Action, Comment, Log; sample row 0.0.0.0/0, External, Accept, No.)
These rules allow to enable SNMP access. Important: Make sure to set secure passwords for SNMPv3 before enabling remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: Enabling SNMP access automatically accepts incoming ICMP packets. Note: SNMP access from the internal side is allowed by default and can be restricted by firewall rules.
SNMP (Simple Network Management Protocol) is mainly used in more complex networks to monitor the status and operation of devices. SNMP is available in several releases: SNMPv1, SNMPv2 and SNMPv3. The older versions SNMPv1 and SNMPv2 do not use encryption and are not considered to be secure. We therefore do not recommend using SNMPv1/SNMPv2. SNMPv3 is considerably better from a security perspective, but not all management consoles support it.
It can take more than one sec
233. nations
(Screenshot: trap destinations table with columns Destination IP, Destination Name, Destination Community.)
Platform-specific configurations are only effective on the platform in question. Similarly, AV traps are only sent when a licensed anti-virus system is active. SNMP traps are only sent if SNMP access is enabled.
In certain cases the mGuard can send SNMP traps (> Glossary). Traps correspond to SNMPv1. The following list details the trap information for each setting. The exact description can be found in the MIB belonging to the mGuard.
SNMP authentication
Activate traps: Yes/No
enterprise-oid: mGuardInfo
generic-trap: authenticationFailure
specific-trap: 0
Explanation: Sent if an unauthorized station tries to access the mGuard SNMP agents.
Link Up/Down
Activate traps: Yes/No
enterprise-oid: mGuardInfo
generic-trap: linkUp, linkDown
specific-trap: 0
Explanation: Sent when the connection to a port is interrupted (linkDown) or restored (linkUp).
Coldstart
Activate traps: Yes/No
enterprise-oid: mGuardInfo
generic-trap: coldStart
specific-trap: 0
Explanation: Sent after a cold or warm start.
Admin access (SSH, HTTPS, new DHCP client)
Activate traps: Yes/No
enterprise-oid: mGuardb
generic-trap: enterpriseSpecific
specific-trap: mGuardHTTPSLoginTrap (1)
additional: mGuardHTTPSLastAccessIP
Configuration: Management Menu
Explanation; enterprise-oid; generic-trap; specific-trap; additional; Explanation; enterprise-oid; generi
234. nciple procedures for X.509 authentication:
- The authentication of a remote peer is carried out on the basis of its certificate (> remote certificate). In this case the consulted remote certificate must be given for each individual connection, e.g. for VPN connections.
AND/OR
- The mGuard consults the provided CA certificate to check whether the certificate shown by the remote peer is authentic. In this case all CA certificates must be available in the mGuard in order to build a chain from the certificate displayed by the remote peer up to the root certificate. "Available" means that the corresponding CA certificates must be installed in the mGuard (see "CA Certificates" on page 144) and must additionally be made available during the configuration of the corresponding applications (SSH, HTTPS, VPN).
Whether both procedures are used alternatively or in combination varies with the application (VPN, SSH and HTTPS). Consult the following tables for more details.
Configuration: Authentication Menu
SSH
Authentication for SSH
The remote peer shows the following: a certificate specific to the individual, signed by a CA; or a certificate specific to the individual, self-signed.
The mGuard authenticates the remote peer using: all CA certificates that build the chain to the root CA certificate, together with the certificates displayed by the remote peer; or ADDITIONALLY remote certificates, if used as
235. nding IP address is sent back from the DNS to the remote system, which can then use this as the destination address. This now leads directly to the desired local computer. In principle, all Internet addresses are based on this procedure: first a connection to a DNS is established in order to determine the IP address assigned to the host name. Once this has been accomplished, the established IP address is used to set up a connection to the desired remote peer, which could be any site on the Internet.
Every host or router on the Internet/intranet has a unique IP address (IP = Internet Protocol). An IP address is 32 bits (4 bytes) long and is written as four numbers, each from 0 to 255, which are separated by a dot. An IP address consists of 2 parts: the network address and the host address.
Network Address | Host Address
All network hosts have the same network address but different host addresses. The two parts of the address differ in length depending on the size of the respective network (networks are categorized as Class A, B or C).
(Figure: layout of the network address and host address over the 1st to 4th byte of an IP address for Class A, Class B and Class C.)
Glossary
IPsec
The first byte of the IP address determines whether the IP address of a network device belongs to Class A, B or C. The following has been specified (table header: Value of the 1st byte; No. of the bytes; No. of bytes):
236. nfiguration of SSH (menu Management > System settings, Shell access) and HTTPS (menu Management > Web settings, Access), the certificates imported into the mGuard are offered as a selection list. The certificates are displayed under the short name entered for each individual certificate. For this reason, the entry of a name is necessary.
Creating a certificate copy: You can make a copy of an imported remote certificate. To do this, proceed as follows: Click on the "Current Certificate File" button of the remote certificate, next to the "Download certificate" row title. Make the desired entries in the dialog that opens.
Configuration: Authentication Menu
CRL
(Screenshot: Authentication > Certificates > Remote Certificates > CRL, with an Issuer column, an upload field (Browse) and the Import CRL button.)
CRL (Certificate Revocation List): The CRL is a list containing the serial numbers of blocked (revoked) certificates. This page is used for the configuration of the sites from which the mGuard should download CRLs in order to use them.
Certificates are only checked when Yes is set under "Enable CRL checking". See "Certificate settings" on page 140.
A CRL with the same issuer name must be present for each issuer name entered in the checked certificate. If a CRL is absent and CRL checking is enabled, then the certificate is declared invalid.
Issuer: Only displays information that the mGuard reads directly from the CRL. Shows the iss
237. ng ID fw incoming N JeBb1245 3440 1149 9786
(Screenshot: Network Security > Packet Filter > Incoming Rules table with columns Protocol, From IP, From Port, To IP, To Port, Action, Comment, Log; sample row with From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept. Log entries for unknown connection attempts: No.)
These rules specify which traffic from the outside is allowed to pass to the inside. Please note: Port settings are only meaningful for TCP and UDP.
Incoming: Lists the firewall rules that have been set. These rules apply to incoming data connections that were initiated externally. If no rule has been set, all incoming connections (except VPN) are dropped (factory default).
Configuration: Network Security Menu (not for blade controller)
You have the following options:
Protocol: TCP/UDP/ICMP/All
From/To IP: 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see "CIDR (Classless Inter-Domain Routing)" on page 224).
From/To Port: Only evaluated for the TCP and UDP protocols. "any" describes any selected port. startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected. In Stealth mode, Reject has the same effect as Drop (see below). Drop means that data packets may
238. nly has a clock when the "State of installed clock" option is visible. The display shows whether the clock is synchronized. A synchronized installed clock ensures that the mGuard has a synchronized system time even after rebooting.
b) The administrator has defined the current time for the mGuard run time by entering the relevant values under "Local system time".
c) The administrator has set "Timestamp in file system" to Yes and has transmitted the current system time to the mGuard either by NTP (see below under "NTP server") or under "Local system time". The system time of the mGuard is then synchronized using the time stamp after rebooting, even if it has no installed clock, and is set exactly again afterwards using NTP.
d) The administrator has activated NTP time synchronization under "NTP Server", has entered the address of at least one NTP server, and the mGuard has opened connections with at least one of the defined NTP servers. If the network is working correctly, then this occurs seconds after rebooting. The display in the "NTP state" field may only change to "synchronized" much later. See also the explanation below under "NTP state".
State of installed clock (for mGuard industrial RS and mGuard delta): The state of the installed clock is only visible when the mGuard possesses a clock that also runs when the system is turned off or has no power supply. The display shows whether the clock has been synchronized with the current time. The installed cloc
239. nnection attempt.
No (standard): The mGuard also allows connections whose beginning it has not seen. This means that the mGuard can carry out a reboot during an established connection without the connection being stopped.
Yes: The mGuard must have registered the SYN packet of an existing connection. Otherwise the connection is stopped. This means that the connection is broken if the mGuard carries out a reboot during the establishment of a connection. Attacks on and hijacks of existing connections are thus prevented.
Timeout for established TCP connections: If a TCP connection is not used for this time period, then the connection data is deleted. A connection assigned by NAT (not 1:1 NAT) must then be newly established. The factory default is 432000 seconds (5 days).
156 from 243
Configuration: Network Security Menu (not for blade controller)
FTP: Yes/No. If an outgoing connection is established to call up data using the FTP protocol, then there are two variations of data transfer. With active FTP, the called server establishes an additional counter-connection to the caller in order to transfer data over this connection. With passive FTP, the client establishes this additional connection to the server for data transfer. FTP must be set to Yes (default) so that the additional connections pass through the firewall.
IRC: Yes/No. Similar to FTP. For IRC (chat over the Internet) to work properly, incoming connections must be a
240. nnels is not possible. If individual channels are deactivated (Active: No), then these are not started. In this way, starting and stopping have no effect on the settings of the individual channels (i.e. the list under "Transport and Tunnel Settings"). Starting and stopping a connection using a URL only makes sense if the configuration of the connection is deactivated (Active: No) or when "Connection startup" is set to "Wait". Otherwise the connection to the mGuard is established independently.
If the status of a VPN connection is queried using the URL detailed above, then the following answers can be expected:
Answer | Meaning
unknown | A VPN connection with this name does not exist.
void | The connection is inactive due to an error, e.g. the external network is down or the hostname of the remote peer could not be resolved into an IP address (DNS).
ready | The connection is ready to establish channels or to allow incoming queries regarding channel set-up.
active | At least one channel is set up for the connection.
183 from 243
Configuration: IPsec VPN Menu (not for blade controller)
6.9.3 Defining VPN connection / VPN connection channels
The following page appears after clicking the Edit button, according to the mGuard network mode (for Stealth and Router modes, see "Network > Interfaces" on page 99).
General
(Screenshot: IPsec VPN > Connections > "London", with the tabs General, Authentication, Firewall and Options.)
A descriptive name
241. not pass through; the data packets are discarded and the sender is not informed of their whereabouts.
Name of rule records (if defined): When a rule record name is entered, the firewall rules saved under this name come into effect (see the "Sets of Rules" tab).
In Stealth mode, Reject has the same effect as Drop.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No; factory default).
Log entries for unknown connection attempts: Yes/No. When set to Yes, all attempts to establish a connection that are not covered by the rules defined above are logged. Factory default: No.
149 from 243
Configuration: Network Security Menu (not for blade controller)
Outgoing Rules
150 from 243
(Screenshot: Network Security > Packet Filter > Outgoing Rules, Log ID fw outgoing N0 3eBb1246 3440 1149 9786, table with columns Protocol, From IP, From Port, To IP, To Port, Action, Comment, Log; the default rule has From IP 0.0.0.0/0, To IP 0.0.0.0/0 and Action Accept.)
These rules specify which traffic from the inside is allowed to pass to the outside. Please note: Port settings are only meaningful for TCP and UDP.
Outgoing: Lists the firewall rules that have been set. These rules apply to outgoing data connections that were initiated internally in order to communicate with a remote peer. Factory default: A
nstalled between an individual computer and the rest of the network. The settings for firewall, anti-virus and VPN can be made using a web browser under the URL https://1.1.1.1. No configuration changes are required on the computer itself.

[Figure: Intranet, DSL modem, Internet or router, Firewall, HQ]

The mGuard can provide an Internet connection for a group of computers whilst protecting the company network using the firewall. One of the following network modes may be used here:
• Router, if Internet access is established via a DSL router or dedicated line
• PPPoE, if Internet access is established via a DSL modem using the PPPoE protocol (e.g. in Germany)
• PPTP, if Internet access is established via a DSL modem using the PPTP protocol (e.g. in Austria)
• Modem, if Internet access is established via a serially connected modem compatible with the Hayes or AT instruction set

The mGuard must be set as the default gateway on computers placed in the Intranet.

[Figure: Intranet, Internet, Server, Firewall, Firewall, HQ]

A DMZ (Demilitarized Zone) is a protected network that sits between two other networks. For example, a company website may be inside a DMZ, granting FTP write access to computers in the intranet and HTTP read-only access to both networks, i.e. also over the Internet. Typical
nticates the remote peer.

[Screenshot: User authentication. User authentication method: Login with X.509 client certificate or password. CA certificate: Web RootCA 01, Web SubCA 01. X.509 Subject, authorized for access as: admin. X.509 Certificate: Meyer Ralf, authorized for access as: admin.]

These rules allow HTTPS remote access to be enabled. Important: Make sure to set secure passwords before enabling remote access.

Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client.

Note: In Router mode with NAT or port forwarding, the port set here has priority over port forwarding.

Note: HTTPS access from the internal side is enabled by default and can be restricted by firewall rules.

User authentication method

Login with password: Specifies that the remote mGuard user must use a password for authentication. The password is specified under the Authentication > Local Users menu; for more details see Authentication > Local Users on page 132 in this manual. Depending on which user ID is used (user or administrator password), the user has the right to operate and configure the mGuard.

Login with X.509 client certificate or password: Specifies the following: 1. User authentication is made with a password (see above), OR 2. The system of the remote user (or the system browser) is verified according to X.509, so that the mGuard c
[Screenshot: blade overview table; one row shows a blade with WAN/LAN link state Down, its serial number, software version 4.2.0-pre05 beta and Unknown in the remaining columns.]

B: Automatic configuration backup is enabled/disabled.

Rack ID: The ID of the rack where the mGuard is mounted. This value can be configured for all blades on the control unit.

Power supply P1/P2: State of the power supplies P1 and P2:
• OK
• Absent
• Defect
• Fatal error

Blade: Number of the slot where the mGuard is installed.

Device: Device name, e.g. blade or blade XL.

Status: Online: The device in the slot is working correctly. Present: Device is present but not yet ready (e.g. in start-up phase). Absent: No device found in the slot.

WAN: Status of the WAN port.

LAN: Status of the LAN port.

Serial number: The serial number of the mGuard.

Version: The software version of the mGuard.

[Page 96 of 243] Configuration: Blade Control Menu (control unit only)

B (Backup): Automatic configuration backup on the controller is activated/deactivated for this slot.

R (Restore): Automatic configuration restoration after replacing the mGuard is activated/deactivated for this slot.

6.3.2 Blade Control > Blade 01 to 12

These pages show the status information of each installed mGuard and allow the configuration backup and restoration of the respective mGuard.

[Screenshot: Blade Control > Blade 01 > Blade in slot 01 > Overview: Device type, ID bus controller ID, Serial number, Flash ID, Software version, MAC addresses]
oming on Port: The original destination port set in the incoming data packets. Either the port number or the corresponding service name can be entered here, e.g. pop3 for port 110 or http for port 80.

Redirect to IP: The internal IP address to which the data packets should be forwarded. The original destination address is overwritten with this address.

Redirect to Port: The port to which the data packets should be forwarded. The original destination port will be overwritten with this port. Either the port number or the corresponding service name can be entered here, e.g. pop3 for port 110 or http for port 80.

Comment: Freely selectable comment for this rule.

Log: For each individual port forwarding rule you can specify whether the use of the rule
• should be logged (set Log to Yes), or
• should not be logged (set Log to No; factory default).

Configuration: Network Security Menu (not for blade controller)

6.6.3 Network Security > DoS Protection > Flood Protection

[Screenshot: Network Security > DoS Protection > Flood Protection]

TCP: Maximum number of new outgoing TCP connections (SYN) per second. Maximum number of new incoming TCP connections (SYN) per second.

ICMP: Maximum number of outgoing ping frames (ICMP Echo Request) per second. Maximum number of incoming ping frames (ICMP Echo Request) per second.

Stealth Mode: Maximum number of outgoing ARP requests or ARP replies per second (in each case). Maximum number of
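What a per-second SYN limit does to a burst, as an added example that is not mGuard code: the page only states that the setting caps new TCP connections (SYN) per second, not how the mGuard counts them, so a token bucket is assumed here (refilled at the configured rate, holding at most one second's worth). The source address and arrival times are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// SynLimiter models "Maximum number of new incoming TCP connections (SYN)
// per second". Assumed algorithm: a token bucket that refills at
// maxPerSecond tokens per second and holds at most maxPerSecond tokens,
// so a burst of at most one second's worth passes and the rest is dropped.
type SynLimiter struct {
	rate   float64   // tokens added per second
	burst  float64   // bucket capacity
	tokens float64   // current fill
	last   time.Time // time of the last refill
}

func NewSynLimiter(maxPerSecond int, now time.Time) *SynLimiter {
	r := float64(maxPerSecond)
	return &SynLimiter{rate: r, burst: r, tokens: r, last: now}
}

// Allow reports whether a SYN arriving at time now may pass.
func (l *SynLimiter) Allow(now time.Time) bool {
	elapsed := now.Sub(l.last).Seconds()
	if elapsed > 0 {
		l.tokens += elapsed * l.rate
		if l.tokens > l.burst {
			l.tokens = l.burst
		}
		l.last = now
	}
	if l.tokens >= 1 {
		l.tokens--
		return true
	}
	return false
}

// Syn is one constructed SYN arrival: source address and arrival time.
type Syn struct {
	Src string
	At  time.Time
}

// Filter runs the arrivals through a limiter and returns how many were
// accepted and how many dropped.
func Filter(limit int, syns []Syn) (accepted, dropped int) {
	if len(syns) == 0 {
		return 0, 0
	}
	l := NewSynLimiter(limit, syns[0].At)
	for _, s := range syns {
		if l.Allow(s.At) {
			accepted++
		} else {
			dropped++
		}
	}
	return accepted, dropped
}

// Flood builds n SYNs from one source spaced gap apart, starting at t0.
func Flood(src string, n int, t0 time.Time, gap time.Duration) []Syn {
	syns := make([]Syn, n)
	for i := range syns {
		syns[i] = Syn{Src: src, At: t0.Add(time.Duration(i) * gap)}
	}
	return syns
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// 250 SYNs in one burst against a limit of 100 per second.
	a, d := Filter(100, Flood("203.0.113.7", 250, t0, 0))
	fmt.Printf("burst:  accepted=%d dropped=%d\n", a, d)
	// 250 SYNs spread over 5 s (50/s) stay below the limit.
	a, d = Filter(100, Flood("203.0.113.7", 250, t0, 20*time.Millisecond))
	fmt.Printf("steady: accepted=%d dropped=%d\n", a, d)
}
```

The limit counts connection attempts, not sources: legitimate clients arriving during a flood share the same bucket as the attacker, which is why the page's values should be set from measured peak rates rather than as low as possible.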
omputer or network. In this case it is simply inserted. The mGuard will analyze the network traffic passing through it and configure its network connection accordingly. It will then operate transparently, i.e. without client reconfiguration. As in the other modes, the firewall, anti-virus and VPN security functions are available. Externally delivered DHCP data is passed through to the connected client.

If the mGuard provides services such as VPN, DNS, NTP etc., then a firewall installed on the client must be configured to allow ICMP Echo Requests (ping).

In Stealth mode the mGuard uses 1.1.1.1 as its internal IP address. This is accessible when the configured default gateway of the client is also accessible. Note that 1.1.1.1 is a publicly routable Internet address; while the mGuard claims it in Stealth mode, a client behind the mGuard cannot reach a real Internet host at that address.

Router (factory default for mGuard delta and blade controller): If the mGuard is in Router mode, it serves as a gateway between different networks and has both an external interface (WAN port) and an internal interface (LAN port) with at least one IP address.

WAN Port: The mGuard is connected to the Internet or other external parts of the LAN over the WAN port.
• mGuard smart: The WAN port is given by the ethernet socket.

LAN Port: The mGuard is connected to a local network or an individual computer over the LAN port.
• mGuard smart: The LAN port is given by the ethernet connector.
• mGuard PCI: In Driver mode the LAN port is represented by the network interface of the operating system that has the network card (operating syst
on Pull: Management > Central Management

[Page 92 of 243] Configuration

[Screenshot: Configuration Pull. Pull Schedule: Never. Directory. Filename (when empty, 2T900054.atv will be used). Download timeout (seconds): 120. Number of times a configuration profile is ignored after it was rolled back. Server Certificate (the server's certificate is needed here if and only if it is self-signed; otherwise the root certificate of the CA which issued the server's certificate must be installed). Browse, Download Test, Test Download.]

The mGuard can retrieve new configuration profiles from an HTTPS server in configurable time intervals, provided the server makes them available as files for the mGuard (file format .atv). When a new mGuard configuration differs from the current configuration, it will be downloaded and activated automatically.

Configuration Pull > Pull Schedule: Enter here whether, and if so when and at which intervals, the mGuard should attempt to download and apply a new configuration from the server. To do this, open the selection list and select the desired value. A new text field opens when Time Schedule is selected. Enter here whether the new configuration should be downloaded daily or repeatedly on a certain weekday, and at which time. The time-controlled download of a new configuration can only be made after synchronization of the system time (see Management > System Settings > Time and Date on page 59). Time control sets the s
on for FTP

Global activation of anti-virus protection for FTP:
Server 0.0.0.0/0, Port 21, Comment "FTP out to any", Scan

Scan a subnet and exclude a trusted FTP server, e.g.:
Server 192.168.2.5, Comment "unprotected FTP", No Scan
Server 192.168.2.0/24, Comment "protected FTP", Scan

Scan a single untrusted FTP server in a subnet:
Server 192.168.2.5, Comment "protected FTP", Scan
Server (the surrounding subnet), Comment "unprotected FTP", No Scan

Note: To activate virus protection for FTP data traffic over a proxy, insert a new row in the server list and change the default port 21 to the proxy port.

Note: The rule record is processed top-down, meaning the order of the rules is decisive for the results.

Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number results in the refusal of further connection attempts.

[Page 171 of 243] Configuration: Web Security Menu (not for blade controller)

[Page 172 of 243]

Note: Scanning for viruses may allow outgoing connections that are usually blocked by the firewall rules defined under Network Security > Packet Filter and Network Security > User Firewall. Please see "Connections scanned for viruses are subject to firewall rules (Yes/No)" on page 155 to adjust this behavior.

You have the following options:

Server: 0.0.0.0/0 means all addresses. This means files from all FTP servers are scanned. To enter an address, use CIDR notation (see CIDR (Classless Inter-Doma
on profile. If this is unsuccessful, then another rollback is made. The selection criteria are enforced for further load cycles for the period defined in Number of times. If the value 0 is defined in the Number of times field, then the selection criteria will never come into effect: the offered configuration profile is then only ignored if it is unchanged, i.e. identical to the current configuration. As a result, the second of the following goals can then no longer be reached.

This mechanism has the following goals:
1. After enforcing the new configuration, the mGuard must still be configurable from a remote location.
2. When cycles are close together (e.g. Schedule: 15 minutes), the mGuard must be prevented from testing a possibly defective configuration profile over and over in such a short space of time. This can lead to blocking of external administrative access, as the mGuard is busy dealing with its own processes.
3. External factors (e.g. network outage) must be ruled out as a reason for the mGuard's consideration of a defective configuration.

An application note is provided by Innominate. This contains a description of how a rollback can be started using a configuration profile.

[Page 93 of 243] Configuration: Management Menu

Download timeout (seconds; standard: 120): Defines after how long a timeout occurs during the download of a configuration file, i.e. when no data is transferred. The download is canceled if this time is exceeded. If and when a new download attem
ond to process SNMP get or walk requests. However, the standard timeout value of many SNMP management applications is set to one second. In case you experience timeout problems, please set the timeout of your management application to a value between 3 and 5 seconds.

Enable SNMPv3 access (Yes/No): If you wish to allow monitoring of the mGuard via SNMPv3, set this option to Yes. Access via SNMPv3 requires authentication with a login and password. The factory defaults for the login parameters are: Login: admin, Password: SnmpAdmin (please pay attention to capitalization). MD5 is supported for the authentication process; DES is supported for encryption. The login parameters for SNMPv3 can only be changed using SNMPv3. Change these defaults before enabling SNMPv3 access: a default login published in a manual gives every reader of it access. MD5 and DES are the weakest authentication and privacy options defined for SNMPv3, so restrict access with the Allowed Networks rules below rather than relying on them alone.

Enable SNMPv1/v2 access (Yes/No): If you wish to allow monitoring of the mGuard via SNMPv1/v2, set this option to Yes. You must also enter your login data under SNMPv1/v2 Community.

Port for incoming SNMP connections (external interface only; standard: 161)

Configuration: Management Menu

SNMPv1/v2 Community: Read-Write Community, Read-Only Community: Enter the required login data in these fields.

Allowed Networks: Lists the firewall rules that have been set. These apply for incoming data packets of an SNMP access.

From IP: Enter the address of the system or network from which remote access is permitted in this field. You have the following options:
• An IP address
• To enter an address range, use CIDR
or and not over the mGuard WAN port.

First MSN: For outgoing calls, the mGuard transmits the entered MSN (Multiple Subscriber Number) to the called remote peer. The mGuard can also receive incoming calls over this MSN, provided dial-in is enabled (see General tab). Max. 25 letters/numbers; the following special characters can be used: colon.

Second MSN: If the mGuard can also receive incoming calls under another number, then enter the second MSN here.

ISDN protocol: The EuroISDN (also known as NET3) ISDN protocol is used in Germany and many other European countries. Otherwise the ISDN protocol is specified according to the country. If necessary, this must be requested from the relevant telephone company.

Layer 2 protocol: This is the layer 2 protocol over which the local mGuard ISDN terminal adaptor communicates with the ISDN remote peer. This is generally the ISDN modem of the ISP used to create an Internet connection. This must be requested from the ISP. HDLC is often used.

[Page 123 of 243] Configuration: Network Menu

Hardware: Network > Interfaces > Hardware

[Screenshot: MAU Configuration. Columns: Port, Media Type, Link State, Automatic Configuration, Manual Configuration, Current Mode, Port On.
External: 10/100 BASE-T RJ45, up, yes, 100 Mbit/s FDX, 100 Mbit/s FDX, yes.
Internal: 10/100 BASE-T RJ45, up, yes, 100 Mbit/s FDX, 100 Mbit/s FDX, yes.]

Configuration and status display of the ethernet ports.

MAU Configuration > Port: Name of the ethe
or example, these must be set as the default gateway for clients on the LAN port of the mGuard connected to the network. Can be freely defined, provided it is actually used in the internally configured network and does not overlap with another IP address.

Redundancy > Firewall Redundancy > ICMP Checks

[Screenshot: ICMP Checks. Enable ICMP checks. Hosts to check via ICMP in the external network. Hosts to check via ICMP in the internal network: 192.168.1.30.]

ICMP checks provide an additional way of monitoring the network connections between mGuards working as a virtual router. If one of the two direct ethernet connections that exist between the LAN ports of the two mGuards (left of both mGuards in the drawing on page 212) and between the WAN ports (right of both mGuards in the drawing) fails, the backup becomes the master. However, the Virtual Router Redundancy Protocol (VRRP) used by the mGuard cannot inform the master of this while it is still operating. In such cases the two masters would then be in conflict over the existing network connection. With ICMP checks (ICMP ping), the master can check the connection to the backup and deactivate itself if needed.

Enable ICMP Checks (Yes/No): When Yes is selected, the connection to the backup is monitored using the ICMP protocol. If the backup mGuard is not accessible, the master attempts to access the hosts entered under Hosts to check via ICMP in the external/internal network
or Diffserv. RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP.

[Page 210 of 243] Configuration: QoS Menu

RFC 2474: Definition of the Differentiated Services Field (DS Field). RFC 1349: Type of Service in the Internet Protocol Suite.

Queue Name: Name of the egress queue to which the traffic is assigned.

Comment: Optional text comment.

[Page 211 of 243] Configuration: Redundancy Menu

6.11 Redundancy Menu

6.11.1 Firewall Redundancy

Using redundancy, it is possible to combine two mGuards into a single virtual router. In the event of an error, the second mGuard (backup) takes over the function of the first mGuard (master). Additionally, the state of the stateful firewall is synchronized between both mGuards, so that current connections are not interrupted during a changeover.

Note: Requirement: Both mGuards must be configured accordingly. The firewall configuration should be identical to avoid problems after a switch-over. Redundancy is supported in the following network modes: Router mode (static), Stealth mode with Management IP, and Stealth mode (several clients).

Note: Neither mGuard may be used as a VPN gateway when redundancy is activated.

Note: Devices connected to the mGuard LAN port must be configured to use the mGuard's internal virtual IP address (see below) as the standard gateway.

The following features are supported by the virtual router configuration r
ort instead of the mGuard WAN interface. In this case a modem must be connected to the serial port.

Note: Data traffic can pass over the analog line or ISDN line instead of the WAN interface for the mGuard industrial RS with built-in modem or terminal adaptor.

[Page 27 of 243] Startup

4.2 Connecting the mGuard smart

LAN Port: Ethernet connector for direct connection to the protected system or network (local system or network).

USB connector: For connection to a USB interface. Only used as a power supply.

WAN Port: Socket for connection to an external network, e.g. WAN/Internet. Connections to the remote device or network are established over this network. Use a UTP cable (CAT 5).

If your computer is already attached to a network, then insert the mGuard between the existing network interface of the computer (network card) and the network.

[Figure: Before: computer connected directly to the network. After: computer, mGuard, network.]

Note: Additional driver installation is not necessary.

Note: For security reasons we recommend that you change the default Root and Administrator passwords during the first configuration.

[Page 28 of 243] Startup

4.3 Installing the mGuard blade

[Figure: mGuard bladeBase, mGuard blade, power supply switches P1 & P2, handling plate, screws, mGuard blade 1 to 12, power supply connections P1 & P2]

Installing the mGuard bladeBase:
• Install the mGuard bladeBase into the rack, e.g. close to
orts by giving either their port number or the corresponding service name, e.g. 110 for pop3 or pop3 for 110.

To IP: IP address of the network or device to which the data is sent. Entries correspond to From IP as detailed above.

To Port: Port at the destination to which the data is sent. Entries correspond to From Port as detailed above.

Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type Of Service, DSCP for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP telephone writes a different value into this field of its outgoing data packets than an FTP program that uploads data to a server. When you select a value here, only the data packets that have this TOS or DSCP value in the corresponding field are chosen. These are then given a different value according to the entry in the New TOS/DSCP field.

New TOS/DSCP: If you want to change the TOS/DSCP values of the data packets that are selected using the defined rules, then enter here what should be written into the TOS or DSCP field. You can also use the existing TOS field as the only selection criterion. This is the case when the source and destination IP addresses and ports are left unrestricted and the TOS field has a specific value.

Further details concerning Current TOS/DSCP and New TOS/DSCP can be found in the following RFC documentation: RFC 3260: New Terminology and Clarifications f
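What a "Current TOS/DSCP to New TOS/DSCP" rule has to do to a packet, as an added example that is not mGuard code: the page names the field and the RFCs but not the mGuard's implementation, so this follows the RFC 2474/RFC 3168 layout of the second IPv4 header byte (DSCP in the upper six bits, ECN in the lower two), rewrites only the DSCP bits and recomputes the header checksum that covers them. The packet bytes are constructed here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DSCP code points used in the example: EF (46) is what a VoIP phone
// typically marks its media with, CS0 (0) is best effort.
const (
	DSCPEF  = 46
	DSCPCS0 = 0
)

// ipv4Checksum computes the RFC 791 one's-complement header checksum
// over hdr with the checksum field (bytes 10-11) treated as zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		if i == 10 {
			continue
		}
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// DSCP returns the DSCP value of an IPv4 packet (upper six bits of byte 1).
func DSCP(pkt []byte) (uint8, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return 0, errors.New("not an IPv4 packet")
	}
	return pkt[1] >> 2, nil
}

// RewriteDSCP applies one rule: only packets whose DSCP equals current
// are changed; the returned bool reports whether the packet matched.
// The ECN bits and every other field are kept, and the header checksum
// is recomputed so the packet stays valid on the wire.
func RewriteDSCP(pkt []byte, current, next uint8) (bool, error) {
	cur, err := DSCP(pkt)
	if err != nil {
		return false, err
	}
	if cur != current {
		return false, nil
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return false, errors.New("bad IHL")
	}
	pkt[1] = (next&0x3f)<<2 | pkt[1]&0x03 // new DSCP, ECN untouched
	binary.BigEndian.PutUint16(pkt[10:], ipv4Checksum(pkt[:ihl]))
	return true, nil
}

// ChecksumOK verifies the header checksum of an IPv4 packet.
func ChecksumOK(pkt []byte) bool {
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return false
	}
	return binary.BigEndian.Uint16(pkt[10:]) == ipv4Checksum(pkt[:ihl])
}

// SamplePacket builds a constructed IPv4/UDP header (no payload) from
// 192.168.1.10 to 192.168.2.20 with the given DSCP and ECN = 01.
func SamplePacket(dscp uint8) []byte {
	pkt := make([]byte, 28)
	pkt[0] = 0x45           // version 4, IHL 5 (20 bytes)
	pkt[1] = dscp<<2 | 0x01 // DSCP in the upper six bits, ECN below
	binary.BigEndian.PutUint16(pkt[2:], 28)
	pkt[8] = 64 // TTL
	pkt[9] = 17 // protocol UDP
	copy(pkt[12:], []byte{192, 168, 1, 10})
	copy(pkt[16:], []byte{192, 168, 2, 20})
	binary.BigEndian.PutUint16(pkt[10:], ipv4Checksum(pkt[:20]))
	return pkt
}

func main() {
	pkt := SamplePacket(DSCPCS0)
	matched, err := RewriteDSCP(pkt, DSCPCS0, DSCPEF)
	d, _ := DSCP(pkt)
	fmt.Println("matched:", matched, "err:", err, "dscp now:", d, "checksum ok:", ChecksumOK(pkt))
}
```

Note the two things a naive rewrite gets wrong: overwriting the whole byte clears the ECN bits, which breaks congestion signalling for the flow, and leaving the checksum alone makes every rewritten packet get dropped by the next router.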
ou want to use this option, then set it to Yes.

Note: If Yes is selected, then the setting only comes into effect when the remote peer is an mGuard with installed firmware above version 5.1.0. In all other cases the setting has no effect (and also no negative effects).

MTU for IPsec (factory default: 16260): The methods for avoiding oversized IKE data packets (incorrect transfer) can also be applied to IPsec data packets. In order to remain below the upper limit set by DSL (1500 bytes), we recommend setting a value of 1414 bytes. This also leaves enough space for the additional headers. If you want to use this option, then set the value to 1414.

Note: If 1414 is selected, then the setting only comes into effect when the remote peer is an mGuard with installed firmware above version 5.1.0. In all other cases the setting has no effect (and also no negative effects).

[Page 180 of 243] Configuration: IPsec VPN Menu (not for blade controller)

DynDNS Monitoring: IPsec VPN > Global > DynDNS Monitoring

[Screenshot: DynDNS Monitoring. Watch hostnames of remote VPN Gateways. Refresh Interval (sec).]

See below for an explanation of DynDNS Services (DynDNS Registration).

DynDNS Monitoring > Watch hostnames of remote VPN Gateways (Yes/No): If the mGuard has been given the address of the remote VPN gateway as a hostname (see Defining VPN connection / VPN connection channels on page 184) and this hostname is registered with a DynDNS Service, then the mGuard can check the
pboard. 3. Click on the Lookup button. Result: The configuration page containing the firewall rule that the log entry refers to is displayed.

In addition to error messages, the following messages are output on the blade controller. The areas enclosed by < and > are replaced by the respective data in the log entries.

[Page 218 of 243] Configuration: Logging Menu

General messages:
blade daemon <version> starting
Blade <bladenr> online
Blade <bladenr> is mute
Blade <bladenr> not running
Reading timestamp from blade <bladenr>

When activating a configuration profile on a blade:
Push configuration to blade <bladenr>
reconfiguration of blade <bladenr> returned <returncode>
blade <bladenr>: <text>

When retrieving a configuration profile from a blade:
Pull configuration from blade <bladenr>
Pull configuration from blade <bladenr> returned <returncode>

Anti-virus: The anti-virus log contains the following messages from the virus filter:
• Any detected viruses together with the relevant details (virus name, file name, plus, in the case of an e-mail, sender, date and subject)
• Warnings sent when pass-through mode is activated automatically due to excessive size and an unscanned file
• Startup and shutdown of the virus filter programs
• Error messages from the anti-virus filter

Error Messages / Virus Detection: A virus
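Turning the blade controller message list above into something a monitoring station can act on, as an added example that is not mGuard code: only the message texts come from the page; the line prefix (a timestamp and process name before the message), the meaning of a non-zero return code as failure, and the sample lines are assumptions made here, and the lines are constructed rather than captured from a device.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one classified blade controller log line.
type Event struct {
	Blade      int    // 0 when the message carries no blade number
	Kind       string // see the pattern table below
	ReturnCode int    // only for push_result and pull_result
	Text       string // version, free text, or the raw message
}

// The message texts from the manual, anchored so that the "returned"
// variants cannot be mistaken for the plain "Pull configuration" line.
var patterns = []struct {
	re   *regexp.Regexp
	kind string
}{
	{regexp.MustCompile(`^blade daemon (\S+) starting$`), "daemon_start"},
	{regexp.MustCompile(`^Blade (\d+) online$`), "online"},
	{regexp.MustCompile(`^Blade (\d+) is mute$`), "mute"},
	{regexp.MustCompile(`^Blade (\d+) not running$`), "not_running"},
	{regexp.MustCompile(`^Reading timestamp from blade (\d+)$`), "timestamp"},
	{regexp.MustCompile(`^Push configuration to blade (\d+)$`), "push"},
	{regexp.MustCompile(`^reconfiguration of blade (\d+) returned (-?\d+)$`), "push_result"},
	{regexp.MustCompile(`^Pull configuration from blade (\d+) returned (-?\d+)$`), "pull_result"},
	{regexp.MustCompile(`^Pull configuration from blade (\d+)$`), "pull"},
	{regexp.MustCompile(`^blade (\d+): (.*)$`), "text"},
}

// ParseLine strips the assumed "<timestamp> <process>: " prefix (everything
// up to the first ": ") and classifies the remaining message.
func ParseLine(line string) Event {
	msg := line
	if i := strings.Index(line, ": "); i >= 0 {
		msg = line[i+2:]
	}
	for _, p := range patterns {
		m := p.re.FindStringSubmatch(msg)
		if m == nil {
			continue
		}
		ev := Event{Kind: p.kind, Text: msg}
		switch p.kind {
		case "daemon_start":
			ev.Text = m[1] // the daemon version
		case "push_result", "pull_result":
			ev.Blade, _ = strconv.Atoi(m[1])
			ev.ReturnCode, _ = strconv.Atoi(m[2])
		case "text":
			ev.Blade, _ = strconv.Atoi(m[1])
			ev.Text = m[2]
		default:
			ev.Blade, _ = strconv.Atoi(m[1])
		}
		return ev
	}
	return Event{Kind: "unknown", Text: msg}
}

// Problems returns, per blade, the events an operator would act on: a
// blade reported mute or not running, or a push/pull whose return code
// is non-zero (assumed here to mean failure, as with process exit codes).
func Problems(lines []string) map[int][]Event {
	out := map[int][]Event{}
	for _, l := range lines {
		ev := ParseLine(l)
		failed := (ev.Kind == "push_result" || ev.Kind == "pull_result") && ev.ReturnCode != 0
		if ev.Kind == "mute" || ev.Kind == "not_running" || failed {
			out[ev.Blade] = append(out[ev.Blade], ev)
		}
	}
	return out
}

// SampleLog is constructed input in the assumed "<timestamp> <process>: <msg>" form.
var SampleLog = []string{
	"Jan  1 00:00:01 bladectrl: blade daemon 5.1.0 starting",
	"Jan  1 00:00:02 bladectrl: Blade 1 online",
	"Jan  1 00:00:02 bladectrl: Blade 2 online",
	"Jan  1 00:00:05 bladectrl: Blade 3 not running",
	"Jan  1 00:01:00 bladectrl: Push configuration to blade 1",
	"Jan  1 00:01:07 bladectrl: reconfiguration of blade 1 returned 0",
	"Jan  1 00:01:10 bladectrl: Push configuration to blade 2",
	"Jan  1 00:01:20 bladectrl: reconfiguration of blade 2 returned 1",
	"Jan  1 00:01:21 bladectrl: blade 2: configuration rejected",
	"Jan  1 00:02:00 bladectrl: Pull configuration from blade 1",
	"Jan  1 00:02:03 bladectrl: Pull configuration from blade 1 returned 0",
	"Jan  1 00:05:00 bladectrl: Blade 2 is mute",
}

func main() {
	for blade, evs := range Problems(SampleLog) {
		for _, ev := range evs {
			fmt.Printf("blade %d: %s (rc=%d) %q\n", blade, ev.Kind, ev.ReturnCode, ev.Text)
		}
	}
}
```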
pdate

Note: From mGuard version 5.0.0 onwards, a license must be purchased for the affected device before the installation of a major release update (e.g. from version 4.x.y to 5.x.y, or from version 5.x.y to 6.x.y). The license must be installed on the device before a firmware update is made (see 6.2.3 Management > Licensing > Install on page 75). Minor release upgrades (i.e. same main version, e.g. within version 5.x.y) can be installed without a license until further notice.

Note: From firmware version 5.0 onwards, licenses also remain installed after firmware is flashed.

[Screenshot: Management > Update > Overview. AntiVirus Pattern. System Information: Version, Base, Updates. AntiVirus Information: AntiVirus Engine Status, Last AntiVirus Update, AntiVirus Update Status. Package Versions (Package, Version, Flavour): bcron 1.0.3 default; bootloader 1.3.3 default; bridge-utils 1.2.0 default; busybox 1.2.4 default; bzip2 0.1.0 default; chat 2.5.7 default; clamav 1.1.10 default.]

Here you can check that the virus filter has been successfully unblocked. For information regarding the expiry date of your anti-virus license, see Management > Licensing on page 75.

System Information: Version: The current software version of the mGuard. Base: The software version that was originally used to flash this mGuard. Updates: List of updates that have been installed on the base.

AntiVirus Information: AntiVirus Engine Status: Displays the state of
peer is authentic using CA certificates. In this case all CA certificates must be available in the mGuard in order to build a chain with the certificate presented by the remote peer. Aside from the CA certificate whose signature can be seen in the presented certificate of the remote peer to be checked, the CA certificate of the superordinate CA, up to the root certificate, must be used. See glossary under CA certificate.

Authentication using CA certificates allows the number of possible remote peers to be expanded without any increase in management effort, as the installation of a remote certificate for each possible remote peer is not compulsory.

For certificate creation, a private key and the corresponding public key are needed. Programs are available with which any user can create these keys. A certificate with the relevant public key can also be created, resulting in a self-signed certificate. Further documentation on self-creation can be downloaded from www.innominate.de. This can be found in the download area as an application note under the title "How to obtain X.509 certificates". A certificate signed by a CA must be requested from the CA.

[Page 137 of 243] Configuration: Authentication Menu

Authentication procedure

[Page 138 of 243]

In order for the private key to be imported to the mGuard with the related certificate, these components must be packed into a PKCS#12 file (file name extension .p12). The mGuard can use two pri
ple: Global activation of anti-virus protection for HTTP:
Server 0.0.0.0/0, Port 80, Comment "HTTP out to any", Scan

Scan a subnet and exclude a trusted HTTP server, e.g.:
Server 192.168.2.5, Port 80, Comment "unprotected HTTP", No Scan
Server 192.168.2.0/24, Port 80, Comment "protected HTTP", Scan

Scan a single untrusted HTTP server in a subnet:
Server 192.168.2.5, Port 80, Comment "protected HTTP", Scan
Server 192.168.2.0/24, Port 80, Comment "unprotected HTTP", No Scan

Note: To activate virus protection for HTTP (or FTP over HTTP) data traffic over a proxy, insert a new row in the list and change the default port 80 to the proxy port set in your web browser. Common proxy port numbers are 3128 and 8080.

Configuration: Web Security Menu (not for blade controller)

Note: The rule record is processed top-down, meaning the order of the rules is decisive for the results.

Note: The virus filter can only handle a limited number of simultaneous connections to mail, HTTP and FTP servers. Exceeding this number results in the refusal of further connection attempts.

Note: Scanning for viruses may allow outgoing connections that are usually blocked by the firewall rules defined under Network Security > Packet Filter and Network Security > User Firewall. Please see "Connections scanned for viruses are subject to firewall rules (Yes/No)" on page 155 to adjust this behavior.

You have the following options:

Server: 0.0.0.0/0 means all addresses. This means that files from all HTTP se
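The top-down, first-match evaluation that the FTP and HTTP scan lists (and the packet filter rule sets) rely on, as an added example that is not mGuard code: the two example lists from the page are reproduced as data and the evaluator then shows why swapping the two rows of the "exclude a trusted server" list silently changes the result. The matcher itself is assumed here; the mGuard's own implementation is not documented on this page.

```go
package main

import (
	"fmt"
	"net"
)

// Rule mirrors the columns of the anti-virus server list.
type Rule struct {
	Server  string // IP or CIDR; 0.0.0.0/0 = all addresses
	Port    int    // 0 = any port
	Comment string
	Scan    bool // true = Scan, false = No Scan
}

// Decision is the outcome for one destination.
type Decision struct {
	Scan    bool
	Comment string // comment of the matching rule, "" if none matched
}

// parseServer accepts "a.b.c.d" or "a.b.c.d/n" and returns the network.
func parseServer(s string) (*net.IPNet, error) {
	if _, n, err := net.ParseCIDR(s); err == nil {
		return n, nil
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return nil, fmt.Errorf("bad server %q", s)
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(32, 32)}, nil
}

// Evaluate returns the decision of the first rule that matches the
// destination address and port. With no matching rule it returns
// Scan=false, as for a list without a global 0.0.0.0/0 row.
func Evaluate(rules []Rule, dst string, port int) (Decision, error) {
	ip := net.ParseIP(dst)
	if ip == nil {
		return Decision{}, fmt.Errorf("bad destination %q", dst)
	}
	for _, r := range rules {
		n, err := parseServer(r.Server)
		if err != nil {
			return Decision{}, err
		}
		if n.Contains(ip) && (r.Port == 0 || r.Port == port) {
			return Decision{Scan: r.Scan, Comment: r.Comment}, nil
		}
	}
	return Decision{}, nil
}

// The two example lists from the page, as constructed data.
var excludeTrusted = []Rule{
	{"192.168.2.5", 80, "unprotected HTTP", false},
	{"192.168.2.0/24", 80, "protected HTTP", true},
}

var singleUntrusted = []Rule{
	{"192.168.2.5", 80, "protected HTTP", true},
	{"192.168.2.0/24", 80, "unprotected HTTP", false},
}

// The same two rows as excludeTrusted in the opposite order: the /24
// now matches first, so the host-specific row can never be reached.
var excludeTrustedReversed = []Rule{excludeTrusted[1], excludeTrusted[0]}

func main() {
	for _, rs := range [][]Rule{excludeTrusted, singleUntrusted, excludeTrustedReversed} {
		d1, _ := Evaluate(rs, "192.168.2.5", 80)
		d2, _ := Evaluate(rs, "192.168.2.77", 80)
		fmt.Printf("192.168.2.5 -> %+v   192.168.2.77 -> %+v\n", d1, d2)
	}
}
```

The shadowing shown by the reversed list is the usual way an "exclude" row stops working after a list is edited; when reviewing a rule set, check that every host-specific row sits above the subnet row that would otherwise cover it.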
pt is made can be seen in the Schedule setting (see above).

Login: The login user name on the HTTPS server.

Password: The password on the HTTPS server.

Server Certificate: The certificate that the mGuard uses to check the authenticity of the certificate presented by the configuration server. It is used to prevent unauthorized configurations from being installed on the mGuard. The following may be entered here: a self-signed certificate of the configuration server, i.e. the remote certificate of the self-signed configuration server (machine certificate), OR the root certificate of the CA that created the server certificate. The latter applies when the configuration server certificate is signed by a CA instead of being self-signed.

If the configuration profiles also contain the private VPN key for VPN connections, or VPN connections with PSK, then the following conditions must be fulfilled:
• The password should consist of at least 30 random upper and lower case letters and numbers (prevention of unauthorized access).
• The HTTPS server should only grant access to this individual mGuard using the login and password. Otherwise anyone holding one device's credentials can fetch the profiles, and with them the keys, of other mGuards.
• The IP address or the hostname specified under Server must be the same as the certificate's Common Name (CN).
• Self-signed certificates should not use the key usage extension.

To install a certificate, please proceed as follows: Requirement: The cert
query a domain name server (DNS) for the IP address belonging to the host name. If the mGuard is not in Stealth mode, locally connected clients can be configured to use the mGuard for resolving hostnames to IP addresses.

Servers to query: Possible settings:
• DNS Root Servers
• Provider defined (e.g. via PPPoE or DHCP)
• User defined servers listed below

DNS Root Servers: Queries are sent to the root servers in the Internet whose IP addresses are stored in the mGuard. These addresses rarely change.

Provider defined (e.g. via PPPoE or DHCP): The domain name server of the Internet Service Provider that provides access to the Internet is used. Only select this setting if the mGuard is operated in PPPoE, PPTP or Modem mode, or in Router mode with DHCP.

User defined servers listed below: If this setting is selected, the mGuard will connect to the domain name servers shown in the list of User defined name servers.

User defined name servers: You can enter the IP addresses of domain name servers in this list. If one of these should be used by the mGuard, select the option User defined servers listed below under Servers to query.

[Page 125 of 243] Configuration: Network Menu

DynDNS

[Page 126 of 243]

[Screenshot: Network > DynDNS. Register this mGuard at a DynDNS Service. Status. Refresh Interval (sec). DynDNS Provider. DynDNS Server. DynDNS Login. DynDNS Password. DynDNS Hostname: host.example.com.]

At least one partner IP
r mode: The mGuard PCI can be used like a normal network card. The network card then also provides the mGuard functions. In this case the driver provided must be installed.

Power-over-PCI mode: If the mGuard network card function is not needed or should not be used, then the mGuard PCI can be connected behind an existing network card of the same or another computer. It then essentially acts as a stand-alone mGuard device. In reality, the mGuard PCI is only plugged into the PCI slot of the computer to receive a power supply and housing. This operating mode is known as Power-over-PCI mode. No drivers are installed.

Decide which mode the mGuard PCI should use before installation on your computer. In Driver mode, an mGuard PCI interface driver needs to be installed afterwards on the computer (available for Windows XP/2000 and Linux). No further network cards are required for the computer in Driver mode.

Stealth mode in Driver mode (factory default)

[Page 34 of 243]

The LAN ethernet socket is deactivated in Driver mode. The mGuard LAN interface is occupied internally by the host computer. [Figure: LAN, WAN.] The mGuard in Stealth mode acts as a normal network card. The IP address configured for the network interface of the operating system (LAN port) is also used by the mGuard for its WAN port. By doing this, the mGuard does not appear as an individual device with its own address for data traffic to and from the computer.

Note: It
rmware:
• EAGLE: The 1, 2 and V.24 LEDs are out; the P1, P2 and status LEDs light up green continuously.
• delta: The status LED lights up continuously.

The new software is unpacked and configured. This takes approximately 20 minutes. As soon as the procedure has been completed:
• mGuard industrial RS: The modem, state and LAN LEDs flash green simultaneously.
• smart: All three LEDs light up green continuously and at the same time.
• blade, PCI: The mGuard restarts.
• EAGLE: The 1, 2 and V.24 LEDs light up green continuously and at the same time.
• delta: The status LED flashes once per second.

3. Restart the mGuard (not necessary for blade and PCI). To do this, press the Rescue button briefly, OR disconnect the power supply and then connect it again (for smart: the USB cable, which is used as a power supply only).

Result: The mGuard is restored to its factory settings. You can now configure it once again (see Setting up a local configuration connection on page 49).

Requirements for flashing the firmware: To flash firmware, a DHCP and TFTP server must be installed on the locally connected system or network computer. DHCP: Dynamic Host Configuration Protocol. TFTP: Trivial File Transfer Protocol. Install the DHCP and TFTP server if necessary (see below).

Note: The installation of a second DHCP server in a network can affect the configuration of the entire network. Since neither DHCP nor TFTP authenticates the server, run both on an isolated segment with only the mGuard attached, so that no other host can answer the mGuard's requests and no other host picks up the temporary DHCP server.

[Page 229 of 243] The Rescue Button: Restarting
rnet port that the row refers to.

Media Type: Media type of the ethernet port.

Link State: Up: Connection is made. Down: Connection is not made.

Automatic Configuration (Yes/No): Yes: Tries to determine the required operating mode independently. No: Uses the operating mode specified in the Manual Configuration column.

Note: When connecting the mGuard industrial RS or EAGLE mGuard to a hub, please note the following: When Automatic Configuration is deactivated, the Auto MDI-X function is also deactivated. This means that the mGuard industrial RS or EAGLE mGuard port must either be connected to the uplink port of the hub or be connected using a crossover cable.

Manual Configuration: The desired operating mode when Automatic Configuration is set to No.

Current Mode: Current network connection mode.

Port On (Yes/No; only mGuard industrial RS, EAGLE mGuard and mGuard smart): Enables/disables the ethernet port.

[Page 124 of 243] Configuration: Network Menu

6.4.2 Network > DNS

DNS Server: Network > DNS > DNS Server

[Screenshot: DNS. Servers to query: User defined servers listed below. User defined name servers: 10.1.0.253.]

Note: In Stealth Mode only User defined and DNS Root Servers are supported. Other settings will be ignored.

When the mGuard has to initiate a connection on its own to a remote peer (e.g. a VPN gateway or an NTP server) and that peer is defined in host name form (i.e. as in www.example.com), then the mGuard has to
266. rs using the machine certificate that was previously imported to the mGuard (the mGuard is a machine, after all).
A certificate specific to an individual (or user certificate), displaying a person, is one used by operators to authenticate themselves to remote peers, e.g. for an operator attempting remote access to the mGuard using HTTPS and a web browser. When acquired by a web browser, a certificate specific to an individual can be saved on a chip card and then inserted into the card reader of the owner's computer.
A certificate is thus used by its owner (person or machine) as a form of ID in order to verify that they really are the individual they identify themselves as. As there are two communication partners, the process takes place alternately: partner A shows their certificate to their remote peer, partner B. Partner B then shows their certificate to their remote peer, partner A.
CA certificates, creation of certificates: in order for A to accept the certificate shown by B, thus allowing communication, there is the following option. A has earlier received a copy of the certificate from B (e.g. by data carrier or e-mail) with which B will verify itself. A can then verify the certificate shown later by B by comparing it to this certificate. When related to the mGuard interface, the certificate copy given here by B to A is an example of a Remote certificate.
For bilateral authent
267. rt and DHCP range end. Select No if you wish to use IP addresses statically assigned using the MAC address (see below).
DHCP lease time: time in seconds for which the network configuration assigned to the client is valid. The client should renew its configuration shortly before this time expires. Otherwise it may be assigned to other computers.
With enabled dynamic IP address pool: when the DHCP server and the dynamic IP address pool have been activated, you can enter the network parameters to be used by the client.
DHCP range start / DHCP range end: the start and end of the address range from which the mGuard's DHCP server should assign IP addresses to locally connected clients.
Local netmask: defines the netmask of the client. The factory setting is 255.255.255.0.
Broadcast address: defines the broadcast address of the client.
Default gateway: defines which IP address should be used by the client as the default gateway. Usually this is the internal IP address of the mGuard.
DNS server: address of the server used by clients to resolve hostnames into IP addresses over the Domain Name Service (DNS). If the DNS service of the mGuard is used, enter the internal IP address of the mGuard here.
WINS server: address of the server used by clients to resolve hostnames into addresses over the Windows Internet Naming Service (WINS).
Static Mapping according to MAC address: find out the MAC
268. rule is set that allows all outgoing connections. If no rule is set, then all outgoing connections are forbidden (except VPN).
Note: the anti-virus function (see Web Security > HTTP on page 167, Web Security > FTP on page 170, E-mail Security > POP3 on page 173, E-mail Security > SMTP on page 176) has priority over the firewall rules defined here and can partially override them. This behavior can be overridden in the Network Security > Packet Filters > Advanced menu by setting the option "Connections scanned for viruses are subject to firewall rules" (see Advanced AntiVirus Scanning on page 155).
You have the following options:
Protocol: TCP, UDP, ICMP, All.
From IP / To IP: 0.0.0.0/0 means all IP addresses. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
From Port / To Port: only evaluated for the TCP and UDP protocols. "any" describes any selected port; "startport:endport" (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that data packets may pass through. Reject means that the data packets are rejected; the sender is informed that the data packets have been rejected (in Stealth mode Reject has the same effect as Drop, see below). Drop means that data packets may not pass through. Data packe
269. rver authentication: No; Dial on demand: Yes; Idle timeout: Yes; Idle time (seconds): 300; Local IP; Remote IP: 0.0.0.0; Netmask. (Screen: PPP settings with PAP authentication.)
Username: user name entered during ISP login to access the Internet.
Password: password entered during ISP login to access the Internet.
PAP server authentication: Yes / No. Yes: the following two fields appear. Server user name, Server password: user name and password that the mGuard queries from the server. The mGuard only allows the connection when the server provides the agreed user name and password combination.
Subsequent fields: see under "If None is selected as authentication" on page 113.
If authentication is made via CHAP (screen: Authentication: CHAP; Local name; Remote name; Secret for client authentication; CHAP server authentication; Dial on demand; Idle timeout: Yes; Idle time (seconds); Local IP: 0.0.0.0; Remote IP: 0.0.0.0; Netmask):
Local name: a name used by the mGuard at the ISP. The service provider may have several customers; this name allows the ISP to identify who is dialing. After the mGuard has provided this name, the ISP also checks the "Password for client authentication" (see below). The connection can only be made successfully when the name is known to the ISP and the password matches.
Remote peer name: a name given by the ISP to the mGuard for identification purposes. The mGuar
270. rvers are scanned. To enter an address, use CIDR notation (see CIDR (Classless Inter-Domain Routing) on page 224).
Note: since a connection attempt is first handled by the mGuard, if a nonexistent server is requested (e.g. a bad IP address) the user software will act as though the connection to the server has been established but no data has been sent. The entry of exact server addresses in the list prevents this behavior.
Server Port: enter the number of the port for the HTTP protocol in this field. The default setting for the HTTP port is 80.
Comment: freely selectable comment for this rule.
Scan: "Scan" = the virus filter is activated for the server specified in this rule. "No Scan" = the virus filter is deactivated for the server specified in this rule.
6.7.2 Web Security > FTP (not for blade controller)
Requirements: the following requirements must be fulfilled in order to use the virus filter:
- The anti-virus license has been installed. Instructions on how to request and install a license can be found under the section Management > Licensing on page 75.
- Access to an update server with the current versions of the virus signatures (see section Management > Update on page 77).
Virus Protection (screen: Web Security > FTP > Virus Protection, Options): Action for infected web content: Notify with browser error. Action for web content exceeding maximum: Let
271. s Logging Settings (screen: Remote Logging Settings with the fields "Activate remote UDP logging", "Log Server IP address" and "Log Server port (normally 514)": 514).
All log entries are recorded by default in the mGuard's temporary memory (RAM). Once the memory for log entries has been filled, the oldest log entries are overwritten. Furthermore, all log entries are deleted when the mGuard is switched off. To prevent this, the log entries can be transferred to an external system. This is particularly useful if you wish to have centralized administration of the logs.
Activate remote UDP logging: Yes / No. If all log entries should be sent to an external log server (specified below), set this option to Yes.
Log Server IP address: enter the IP address of the log server where the log entries should be sent via UDP. This entry must be an IP address, not a hostname. This function does not support hostnames, as it would otherwise not be possible to log the loss of a DNS server.
Log Server port (normally 514): enter the port of the log server where the log entries should be sent via UDP. Standard: 514.
6.12.2 Logging > Browse local logs
Log entry categories (screen: Logging > Browse local logs, category "Common"):
dynip register: DynDNS.org trying
dynip register: no update needed at this time, success
pluto[2820]: packet from 77.245.32.76:4500: received Vendor ID payload [draft-ietf-
pluto[2820]: packet from 77.245.32.76:4500: re
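The remote-logging section above says the device ships every log entry as a UDP datagram to port 514 of a log server, and the local log browser groups entries by category (dynip, pluto, ...). The following is an added example written for this page, not code from the manual or from the mGuard software: a collector-side parser for such datagrams in the BSD syslog shape (an assumption about the wire format, since the manual only names UDP and port 514), plus a grouping function that mimics the category view. The SAMPLE datagrams are constructed after the log lines quoted on the page; the timestamp and host fields are invented.

```python
"""Added example (not mGuard code): parse UDP syslog datagrams from a device
like the one described above and bucket them by tag, as the local log browser
does.  Wire format assumed: BSD syslog, '<PRI>Mmm dd hh:mm:ss host tag[pid]: msg'."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PRI = facility * 8 + severity; anything above 191 is not a valid PRI.
_PRI = re.compile(rb"^<(\d{1,3})>")
# Optional timestamp+host, then "tag[pid]: message" (pid optional, tag may contain spaces).
_BODY = re.compile(
    r"^(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?"
    r"([^:\[]+?)(?:\[(\d+)\])?: ?(.*)$", re.S)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class LogEntry:
    facility: Optional[int]
    severity: Optional[str]
    tag: str
    pid: Optional[int]
    message: str


def parse_datagram(data: bytes) -> LogEntry:
    """Decode one UDP payload.  Malformed input never raises: it becomes an
    entry with an empty tag, so a bad datagram cannot stall the collector."""
    facility = severity = None
    m = _PRI.match(data)
    if m and int(m.group(1)) <= 191:
        facility, sev = divmod(int(m.group(1)), 8)
        severity = SEVERITY[sev]
        data = data[m.end():]
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _BODY.match(text)
    if not m:
        return LogEntry(facility, severity, "", None, text)
    tag, pid, msg = m.groups()
    return LogEntry(facility, severity, tag.strip(), int(pid) if pid else None, msg)


def group_by_tag(datagrams: List[bytes]) -> Dict[str, List[str]]:
    """Mimic the 'Browse local logs' view: messages bucketed by their tag."""
    groups: Dict[str, List[str]] = {}
    for raw in datagrams:
        entry = parse_datagram(raw)
        groups.setdefault(entry.tag, []).append(entry.message)
    return groups


# Constructed sample datagrams (modelled on the page's log excerpt); the peer
# address 77.245.32.76 is the one shown in the manual's own screenshot.
SAMPLE = [
    b"<38>Jan  1 00:00:01 mguard dynip register: DynDNS.org trying",
    b"<38>Jan  1 00:00:02 mguard dynip register: no update needed at this time, success",
    b"<30>Jan  1 00:00:03 mguard pluto[2820]: packet from 77.245.32.76:4500: received Vendor ID payload",
    b"garbage without header",
]

if __name__ == "__main__":
    for tag, msgs in group_by_tag(SAMPLE).items():
        print(tag or "(untagged)", msgs)
```

Because the manual insists the log-server field takes an IP address rather than a hostname (so that the loss of DNS is itself still loggable), a collector like this one should bind on a fixed address too; the parser tolerates missing PRI or timestamp fields so that entries from firmware that emits a shorter header still land in a bucket.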
272. s on the CD delivered with the device; the Innominate website (www.innominate.com).
Network features:
- Stealth (Auto, Static, Multi), Router (Static, DHCP Client), PPPoE (for DSL), PPTP (for DSL) and Modem modes
- VLAN
- DHCP Server/Relay on external and internal network interfaces
- DNS cache on the internal network interface
- Administration using HTTPS and SSH
- Optional rewrite of DSCP/TOS values (Quality of Service values)
Firewall features:
- Stateful Packet Inspection
- Anti-spoofing
- IP filter
- L2 filter (only in Stealth mode)
- NAT with FTP, IRC and PPTP support (only in Router mode)
- 1:1 NAT (only in Router mode)
- Port forwarding (only in Router mode)
- Individual firewall rules for different users (user firewall)
- Individual rule records as action target of firewall rules (apart from user or VPN firewall)
- Firewall throughput: max. 99 MBit/s
Anti-virus features:
- ClamAV virus protection
- Supported protocols: HTTP, FTP, POP3 and SMTP (sending)
- The virus filter can decompress the following formats: ZIP, RAR, GZIP, BZIP2, TAR, MS OLE2, MS Cabinet files (CAB), MS CHM (compressed HTML), MS SZDD, UPX, FSG, Petite
VPN features:
- Protocol: IPsec (Tunnel and Transport mode)
- IPsec encryption in hardware with DES (56 bit), 3DES (168 bit), AES (128, 192, 256 bit)
- Packet authentication: MD5, SHA-1
- Internet Key Exchange (IKE) with Main and Quick mode
- Authentication using: Pre-Shared Key (PSK); X.509v3 certif
Additional features
Support
273. s software may impair or destabilize the correct operation of your system either immediately or in the future. Microsoft strongly recommends that you stop this installation now and contact the hardware vendor for software that has passed Windows Logo testing. [Continue Anyway] [STOP Installation]
3. Click on "Continue Anyway".
4. Click on "Finish". (Found New Hardware Wizard: Completing the Found New Hardware Wizard. The wizard has finished installing the software for: Innominate mGuardPCI. Click Finish to close the wizard.)
Windows 2000
- Please first complete the steps described under "Hardware installation" on page 37.
Note: installation of the driver is only necessary when the mGuard PCI operates in driver mode (see "Driver mode" on page 34).
Switch on the computer, log in and wait for the following window to appear.
1. Click on "Next". (Found New Hardware Wizard: Welcome to the Found New Hardware Wizard. This wizard helps you install a device driver for a hardware device. To continue, click Next. [Cancel])
(Found New Hardware Wizard: Install Hardware Device Drivers. A device driver is a software program that enables a hardware device to work with an operating system.)
2. After inserting the mGuard CD, choose "Search for a suitable driver for my device" and click on "Next". (Found New Hardware Wizard: Locate Driver Files. Where do
274. self to the remote peer using a machine certificate in the local mGuard. The machine certificate is the "passport" of an mGuard, with which it can authenticate itself to the respective remote peer. For more details see Authentication > Certificates on page 136.
By importing a PKCS#12 file, the mGuard obtains a private key and the corresponding machine certificate. Several PKCS#12 files can be loaded into the mGuard. The mGuard can then show the remote peer a self-signed certificate or a certificate signed by the CA for different connections.
Note: in order to use the installed machine certificate, it must be referenced additionally during the configuration of applications (SSH, VPN) so that it can be used for the respective connection or remote access type.
Example of imported machine certificates (screen: Authentication > Certificates, with the tabs Certificate settings, Machine Certificates, CA Certificates, Remote Certificates):
Machine Certificates: certificate "terminal service", O=Sample Supplier, C=UK; issued by "vpn subca 01", O=Sample Supplier, C=UK; valid from Jun 20 12:04:59 2007 GMT to Jun 20 12:04:59 2010 GMT; MD5: 12:27:5A:38:98:9D:4B:4F:5E:2A:42:11:83:64:2C:FC; SHA1: 9E:5E:1B:A3:78:F4:6E:C4:81:25:4E:A5:33:64:25:97:3C:3F:C6:55; Shortname: terminal service London.
Upload: Filename [Browse]; Import PKCS#12; Password (certificate); Current Certificate File: mavard m customer co uk, O=Sample Customer
275. stination IP addresses. If a computer is connected to a network, the operating system creates a routing table internally. It lists the IP addresses that the operating system has identified based on the connected computers and the routes available at that moment. The routing table thus contains the possible routes (destinations) for sending IP packets.
If IP packets are to be sent, the computer's operating system compares the IP addresses stated in the IP packets with the entries in the routing table in order to determine the correct route. If a router is connected to the computer and its internal IP address (i.e. the IP address of the router's LAN port) has been relayed to the operating system as the standard gateway in the network card's TCP/IP configuration, then this IP address is used as the destination if all other IP addresses in the routing table are not suitable. In this case the IP address of the router specifies the default route, because all IP packets "by default" (standard) whose IP address has no counterpart in the routing table (i.e. cannot find a route) are directed to this gateway.
Glossary
DynDNS provider: also known as Dynamic DNS provider.
IP address: every computer connected to the Internet has an IP address (IP = Internet Protocol). If the computer accesses the Internet via a dial-up modem, ISDN or ADSL, its ISP will assign it a dynamic IP address. In other words, the address
276. t for the following window to appear. (Found New Hardware Wizard: This wizard helps you install software for: Ethernet Controller. If your hardware came with an installation CD or floppy disk, insert it now. What do you want the wizard to do? Install the software automatically (Recommended) / Install from a list or specific location (Advanced). Click Next to continue. [< Back] [Next >] [Cancel])
1. After inserting the mGuard CD, choose the "Install from a list or specific location (Advanced)" option and click on "Next".
(Found New Hardware Wizard: Please choose your search and installation options. Search for the best driver in these locations: use the check boxes below to limit or expand the default search, which includes local paths and removable media. The best driver found will be installed. Search removable media (floppy, CD-ROM) / Include this location in the search. Don't search, I will choose the driver to install: choose this option to select the device driver from a list. Windows does not guarantee that the driver you choose will be the best match for your hardware. [< Back] [Next >] [Cancel])
2. Click on "Next".
(Hardware Installation: The software you are installing for this hardware, Innominate mGuardPCI, has not passed Windows Logo testing to verify its compatibility with Windows XP. (Tell me why this testing is important.) Continuing your installation of thi
277. t Protocol (TCP/IP) Properties, General tab: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.1.2; Subnet mask 255.255.255.0; Default gateway 192.168.1.1. Use the following DNS server addresses: Preferred DNS server; Alternate DNS server.
After you have configured the network interface, you can access the mGuard configuration interface using a web browser under the URL https://1.1.1.1. If this is not possible, then the default gateway of the computer may not be available. In this case you must simulate the process as follows.
Initializing the default gateway
1. Determine the currently valid default gateway address. If you are using Windows XP, follow the steps described above under "Configuring the network interface" on page 47 to open the Internet Protocol (TCP/IP) Properties text field. If no IP address has been entered as the default gateway in this dialog box (e.g. because the "Obtain an IP address automatically" function has been activated), then enter the IP address manually. To do so, first select "Use the following IP" and then enter the following addresses (example): IP address 192.168.1.2 (Note: Do not under any circumstances ...); Sub netm
278. te 6 (LEDs on the mGuard: Power, Status, LAN, SWITCH; Power, Status, Reserved, Ethernet WAN, Ethernet LAN)
LEDs: State / Meaning
- Power: On = the power supply is active.
- Status: On = the mGuard is booting. Heartbeat (flash, flash, pause) = the mGuard is ready.
- 1, 2: reserved.
- 3 (WAN): On = link detected; flashing = data transfer.
- 4-7 (LAN): On = link detected; flashing = data transfer.
4 Startup
Safety instructions
- The Innominate mGuard is intended for safety extra-low voltage (SELV) operation. Only connect the mGuard network ports to LAN installations. Some communication connection points also use RJ45 sockets. The mGuard must not be operated on communication connection points.
- Warning: before handling the mGuard PCI, touch the bare metal case of your PC to discharge the build-up of static electricity.
- Warning: this is a Class A device which may cause radio interference in residential areas. In this case the operator may be requested to take appropriate preventative measures.
General notes regarding usage
- and liquids.
- mGuard PCI: your PC must have a free PCI slot (3.3 V or 5 V).
- Use a soft cloth to clean the device housing. Do not use abrasive solvents.
- Ambient environmental conditions: 0 to 40 °C (smart, blade, delta); 70 °C (PCI); 55 °C (mGuard industrial RS, EAGLE mGuard).
- Max. 90 % non-condensing humidity.
Startup steps, Step 1: mGuard
279. terface after entering the address as https://1.1.1.1 (see "Setting up a local configuration connection" on page 49). Continue from this point.
If the computer's network interface has not been configured: if the configuration system was not previously connected to a network (e.g. because the computer is new), then the network interface is not usually configured. This means that the computer does not yet know that network traffic is handled by this interface. In this case you must initialize the default gateway by assigning it a dummy value. To do this, proceed as follows.
Initializing the default gateway
1. Determine the currently valid default gateway address. If you are using Windows XP: click on Start > Control Panel > Network Connections. Right-click on the icon of the LAN adapter so that the pop-up menu appears. Click on Properties. In the "Properties of LAN connections (local network)", on the General tab, select "Internet Protocol (TCP/IP)" under "This connection uses the following items". Then click on Properties so that the following window is displayed. (The IP address of the default gateway can be searched for or set here.)
(Internet Protocol (TCP/IP) Properties, General tab: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automa
280. ternal IP
Network Mode Status: displays the status of the selected network mode.
Active Defaultroute: the IP address that the mGuard uses to try to reach unknown networks is displayed here. "none" is shown here if the mGuard is in Stealth mode, or if the IP address that is specified as the standard gateway in the configuration of the connected computer is incorrect.
Network Mode: Stealth / Router / PPPoE / PPTP / Modem / Built-in Modem. The mGuard has to be set to the network mode that corresponds to its local computer or network connection. See "Typical Application Scenarios" on page 12. Depending on which network mode the mGuard is set to, the page will change together with its configuration parameters.
Modem or Built-in Modem network mode: only available for the following mGuard types: mGuard industrial RS, mGuard blade, EAGLE mGuard, mGuard delta. These all have a serial port with external access and/or have a built-in modem.
Stealth (factory default, except mGuard delta and blade controller): Stealth mode is used when a single computer or local network is connected to the mGuard. Important: if the mGuard is in the Stealth network mode, the connected client (single computer or network) does not have to reconfigure its interface to the mGuard interface. In Stealth mode the mGuard can be integrated easily into an existing network connection of the respective c
281. th IEC/EN 60950.
Operating voltage: NEC class 2 power source, 12 V DC or 24 V DC (25/33), safety extra-low voltage (SELV/PELV), decoupled redundant inputs, max. 5 A. Buffer time: min. 10 ms at 24 V DC.
Redundant power supply: redundant power supplies are supported. Both inputs are decoupled. There is no load distribution. With a redundant supply, only the power supply unit with the higher output voltage supplies the EAGLE mGuard. The supply voltage is electrically isolated from the housing.
Signal contact: the signal contact is used to monitor the functions of the EAGLE mGuard and thereby allows remote diagnosis. The following is reported through interruption of the contact, using potential-free signal contacts (relay contact, closed-current circuit):
- The failure of at least one of the two supply voltages (a permanent fault on the EAGLE mGuard: internal 3.3 V DC voltage, supply voltage 1 or 2 < 9.6 V).
- The faulty link status of at least one port. The link state report on the EAGLE mGuard can be masked on a port-by-port basis using the management software. No connection monitoring is offered in the supplied condition.
- Self-test error.
Note: in case of a non-redundant voltage supply, the EAGLE mGuard indicates the failure of the supply voltage. You can prevent this message by connecting the supply voltage to both inputs.
Grounding connection: the EAGLE mGuard is grounded with a separate screw connection.
Assembly
282. the Internet and installs the respective license on the mGuard if the voucher is valid.
Reload Licenses: use this function if the license installed in the mGuard has been lost (e.g. by flashing the firmware). Click on the "Online License Reload" button. The licenses that had been previously issued for the mGuard are then retrieved from the Internet and installed.
Manual License Installation
Order License: after clicking the "Edit License Request Form" button, an online form is provided which can be used to order the desired license. In the request form enter the following information: Voucher Serial Number (the serial number printed on the voucher); Voucher Key (the voucher key on the voucher); Flash ID (filled out automatically); E-mail Address (your e-mail address for delivery of the license file). After the form is completed, the license file will be sent to the e-mail address indicated. You can then install the license file.
Filename (installing the license): once the license has been purchased, the license file is sent as an e-mail attachment. In order to apply the license, first save the license file as a separate file on your computer and continue as follows:
1. Click on the "Browse" button next to the Filename field. Select the file and open it so that the file name or path is displayed in the Filename field.
2. Click on the "Install license file" button.
6.2.4 Overview (Management > U
283. the factory default of the device, then you must obtain the relevant license for using this update. This applies to major release upgrades, for example from version 4.x.x to version 5.x.x, to version 6.x.x etc.
The DHCP and TFTP servers can both be accessed under the same IP address; see "Requirements for flashing the firmware (DHCP and TFTP server)" on page 229.
mGuard PCI: when the mGuard is operated in Power-over-PCI mode, the DHCP/TFTP server must be connected to the mGuard's LAN socket. When the mGuard is operated in PCI Driver mode, the DHCP/TFTP server must be operated on the computer or operating system provided by the interface to the mGuard.
Keep the Rescue button pressed until the Recovery status is entered, as follows: the mGuard is restarted after approx. 1.5 seconds. After another 1.5 seconds the mGuard enters the Recovery status mode:
- mGuard industrial RS: the State, LAN and WAN LEDs light up green.
- smart: all LEDs light up green.
- blade, PCI: the green and red LAN LEDs light up.
- EAGLE: the 1, 2 and V.24 LEDs light up.
- delta: the Status LED fades slowly.
Release the Rescue button not later than one second after the Recovery status is reached. The mGuard restarts if the Rescue button is not released quickly enough.
The mGuard will now start the Recovery system. It searches for a DHC
284. these configuration files can then be read back onto the mGuard and activated. You can restore the mGuard to the factory default at any time.
Configuration profiles on the mGuard EAGLE can also be stored on an automatic configuration adaptor (ACA) that can be connected to the V.24/USB port of the mGuard (see "Profiles on the ACA (EAGLE mGuard only)" on page 82).
Note: passwords are not saved in the configuration profiles.
Configuration Profiles: the top of the Configuration Profiles page has a list of configuration profiles that are stored on the mGuard, for example the "Factory Default" configuration profile. If any configuration profiles have been saved by the user (see below), they will be listed here.
Active configuration profile: the configuration profile currently in effect has an "Active" symbol at the front of the entry.
You can perform the following with configuration profiles that are stored on the mGuard:
- Activate them
- Save them to a file on the connected configuration computer
- Delete them
- Display them
Displaying the configuration profile: click the name of the configuration profile in the list.
Profiles on the ACA (EAGLE mGuard only): configuration profiles can also
Applying the factory defaults or a configuration profile stored by the user: click the "Restore" button located to the right of the name of the relevant configuration profile. R
285. tically / Use the following IP address: IP address 192.168.1.2; Subnet mask 255.255.255.0; Default gateway 192. Use the following DNS server addresses: Preferred DNS server; Alternate DNS server.
If no IP address has been entered as the default gateway in this text field (e.g. because the "Obtain an IP address automatically" function has been activated), then enter the IP address manually. To do so, first select "Use the following IP" and then enter the following addresses (example): IP address 192.168.1.2; Sub netmask 255.255.255.0; Default gateway 192.168.1.1.
Note: Do not under any circumstances assign an address like 1.1.1.2 to the configuration system.
On the DOS level (Start > Programs > Accessories > Command Prompt), enter the following command:
arp -s <IP of the default gateway> aa-aa-aa-aa-aa-aa
Example: you have determined or set the address of the default gateway as 192.168.1.1. The command should then be:
arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa
To proceed with the configuration, establish the necessary configuration connection (see "Setting up a local configuration connection" on page 49). After setting the configuration, restore the original setting for the default gateway address. To do this, either restart the configuration computer or enter the following command on the DOS level:
arp -d
Note: depending on the configuration of the mGuard, it may then be necessary
286. tication > Local Users (screen: Passwords; root: Root Password, Account root; admin: Administrator Password, Account admin; user: "Disable VPN until the user is authentified via H", User Password).
To log in at a specific authorization level, the user must enter the corresponding password assigned to the level.
Authorization level:
- root: grants full rights to all parameters of the mGuard. Note: this is the only authorization level that allows you to set up an SSH connection to the device, with which you can alter the entire system settings irreparably. Then only a flashing of the firmware can restore settings to the factory defaults (see "Flashing the firmware" on page 227). Default root password: root.
- administrator: grants all rights required for the configuration options accessed via the web-based administrator interface. Default user name: admin. Default password: mGuard. The user name admin cannot be changed.
- user: if a user password has been defined and activated, the user must enter this password to enable an mGuard VPN connection when they first attempt to access any HTTP URL. This must be made after every restart of the mGuard. To use this option, enter the desired user password once in each of the corresponding entry fields.
root (Root Password, Account root): default setting: root. To change the root password, enter the current password in the
287. tination MAC / Ethernet Protocol (screen: Source MAC xx:xx:xx:xx:xx:xx; Destination MAC xx:xx:xx:xx:xx:xx; Ethernet Protocol any; Action Accept). Ethernet Protocol may be any, IPv4, ARP, Length, or a hexadecimal value.
Please note: these rules only apply to the Stealth mode.
Along with the packet filter (OSI layer 3/4) that filters ICMP messages and TCP/UDP connections, the mGuard can additionally be set with a MAC filter (OSI layer 2) when operating in Stealth mode. A MAC filter (layer 2) filters according to MAC addresses and Ethernet protocols. In contrast to the packet filter, the MAC filter is stateless. This means additional rules must be created in the opposite direction where necessary. When no rules are defined, all ARP and IP packets are allowed.
Note: when defining MAC filter rules, pay attention to the screen display. Rules defined here have priority over packet filter rules.
Source MAC: definition of the source MAC address. xx:xx:xx:xx:xx:xx stands for all MAC addresses.
Destination MAC: definition of the destination MAC address. xx:xx:xx:xx:xx:xx stands for all MAC addresses. ff:ff:ff:ff:ff:ff is the broadcast MAC address, where all ARP requests are sent.
Ethernet Protocol: "any" stands for all Ethernet protocols. Additional protocols can be specified by name or hexadecimal value, for example IPv4 or 0800, ARP or 0806.
Action: Accept means that data packets may pass through. Drop means that data packets may not pass through (dropped).
Comment: fre
288. tion (screen: Authentication; Authentication method; Local X.509 Certificate; Remote CA Certificate; Remote Certificate; VPN Identifier: Remote, Local; selected values "VPN terminal service London" and "vpn subca 01"; [Browse]).
The following two possibilities are available: X.509 Certificate (standard) and Pre-Shared Key. Depending on the chosen option, the page has different setting possibilities.
Authentication method X.509 Certificate: this method is supported by most modern IPsec implementations. Each VPN participant possesses a secret private key plus a public key in the form of an X.509 certificate. This contains further information on the owner and Certificate Authority (CA). The following aspects must be defined: a) how the local mGuard authenticates itself to the remote peer; b) how the local mGuard authenticates the remote peer.
(Screen: Authentication; Authentication method; Local X.509 Certificate "VPN terminal service London"; Remote CA Certificate "VPN SubCA 01"; Remote Certificate.)
a) How the local mGuard authenticates the remote peer
Local X.509 Certificate: defines which machine certificate the mGuard uses as authentication to the VPN remote peer. Select one of the machine certificates from the selection list. The selection list gives a selection of machine certificates that are loaded in t
289. tion of an mGuard blade into the CTRL slot, the blade is reconfigured as a control unit, as follows:
- The user interface is reconfigured for operation as a control unit.
- It switches into router mode with the local IP address 192.168.1.1.
- The firewall, anti-virus and VPN services are reset and deactivated.
mGuard blade connection (diagram: Before / After, showing the computer in the patch panel, the patch panel, the switch and the mGuard blade). If your computer is already attached to a network, then patch the mGuard blade between the existing network connection. Please note that initial configuration can only be made from the local computer over the LAN interface. The mGuard firewall rejects all IP traffic from the WAN to the LAN interface.
Note: additional driver installation is not necessary.
Note: for security reasons, we recommend that you change the default Root and Administrator passwords during the first configuration.
4.4 Installing the EAGLE mGuard
Terminal block: the power supply and signal contact are connected via a 6-pin terminal block with screw mechanism (signal contact; +24 V (P1); 0 V; 0 V; +24 V (P2)).
Warning: the mGuard is intended for safety extra-low voltage (SELV) operation. Therefore power supply and signal contact connectors may only be connected with PELV or SELV circuits with voltage restrictions in accordance wi
tocol  238
[illegible entry]  238
Spoofing, anti-spoofing  238
Symmetrical encryption  239
TCP/IP (Transmission Control Protocol / Internet Protocol)  239
VLAN  239
VPN (Virtual Private Network)  239
[illegible entry]  240
General  240
mGuard industrial RS  240
EAGLE mGuard  241

7 from 243

Introduction

1 Introduction

8 from 243

The mGuard protects IP data connections. In doing this, the device incorporates the following functions:
[Figure: network card (mGuard PCI), switch (mGuard delta), VPN router.]

Network features: VPN (Virtual Private Network) for the secure transfer of data via public networks; hardware-based DES, 3DES and AES encryption; IPsec protocol.
Firewall features: Configurable firewall for protection against unauthorized access. The dynamic packet filter inspects data packets using the source and destination addresses and blocks undesired traffic.
Anti-virus features: Anti-virus protection with support for the HTTP, FTP, SMTP and POP3 protocols.

The device can be easily configured using a web browser. For further information, consult the product data sheet.
ts are discarded and the sender is not informed of their whereabouts.
Name of rule records (if defined): When a rule record name is entered, the firewall rules saved under this name come into effect (see the Sets of Rules tab).

Configuration: Network Security Menu (not for blade controller)

In Stealth mode, Reject has the same effect as Drop.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule
- should be logged (set Log to Yes), or
- should not be logged (set Log to No, factory default).
Log entries for unknown connection attempts: Yes / No. When set to Yes, all attempts to establish a connection that are not covered by the rules defined above are logged. Factory default: No.

Sets of Rules
[Screenshot: Network Security > Packet Filter > Sets of Rules, with the example rule records Office, Production and Consultants, each enabled.]
Rule records are defined and stored for structuring incoming and outgoing rules. These rule records can then be referred to when setting incoming and outgoing rules. This allows the rules contained within to be used as modules. It is also possible to refer to another defined rule record during rule record definition, i.e. inserting this as a module in the current rule record. Do not create any circular references. Otherwise network packages that land in a permanent circuit through indirect self-referencin
tually been synchronized with a valid time. If the system time of the mGuard has not been synchronized, then the mGuard does not perform any time-controlled activities. These are as follows:
- Time-controlled pick-up of configuration from a configuration server. This is the case when the Time Control setting is selected under the Management > Central Management (Get configuration) menu for the Schedule setting (see 6.2.5 Management > Configuration Profiles, Configuration Pull, on page 92).
- Interruption of the connection at a certain time using the PPPoE network mode. This is the case when PPPoE is set under the Network > Interfaces (General) menu under Network mode (see 6.4.1 Network > Interfaces > Network Mode, PPPoE, on page 108).
- Acceptance of certificates when they are checked: certificates are classified as invalid as a precaution as long as the system time has not been synchronized. This is the case when the Wait for system time synchronization setting is selected under the Authentication > Certificate (Certificate settings) menu for the Check the validity period of certificates and CRLs option (see 6.5.3 Authentication > Certificates, Certificate settings, on page 140).

Configuration: Management Menu

The system time can be synchronized by various events:
a) The mGuard possesses an installed clock which is synchronized with the current time at least once. The mGuard o
ubject (i.e. certificate owner) during VPN connections and remote service access to the mGuard by SSH or HTTPS. After this, only certificates from remote peers are accepted that have certain attributes in the subject line.

During Network Address Translation (NAT), also known as IP Masquerading, an entire network is hidden behind a single device known as a NAT router. If you communicate externally via a NAT router, the internal computers in the local network and their IP addresses remain hidden. The remote communication partner will only see the NAT router with its own IP address.

In order to allow internal computers to communicate directly with external systems over the Internet, the NAT router must modify the IP datagrams that are passed to and from the internal computers and the remote peers. If an IP datagram is sent from the internal network to a remote peer, the NAT router modifies the UDP and TCP headers of the datagram: it replaces the source IP address and port with its own IP address and an unused port. A table is stored in which the original values are listed together with the corresponding new ones. When a reply datagram is received, the NAT router will recognize that it is intended for an internal computer using the destination port of the datagram. Using the table, the NAT router will replace the destination IP address and port and then forward the datagram on via the internal network. A port number is assigned to each UDP and
uer of the affected CRL.
Last Update: Only displays information that the mGuard reads directly from the CRL. Time and date of creation for the CRL currently present on the mGuard.
Next Update: Only displays information that the mGuard reads directly from the CRL. Estimated time and date when the CA will next issue a new CRL. These entries are not influenced by the CRL download interval.
URL: Enter the CA URL where CRL downloads are obtained from if the CRL is downloaded on a regular basis, as defined in the CRL download interval under the Certificate settings tab (see Certificate settings on page 140).
Upload: If the CRL is present in file form, then it can be loaded onto the mGuard manually. To do this, click on the Browse button, then select the file and click on Import.

147 from 243

Configuration: Network Security Menu (not for blade controller)

6.6 Network Security Menu (not for blade controller)

6.6.1 Network Security > Packet Filter
The mGuard comes with an integrated Stateful Packet Inspection Firewall. The connection data for each active connection is collected in a database (connection tracking). Therefore it is only necessary to define rules for one direction: only data from the opposite direction of the same connection is allowed through, and none other. A side effect is that existing connections are not cancelled during reconfiguration, even if a corresponding new connection can no longer be set up.

Factory defaults
up authentication: No
[Screenshot: firewall user "gustav" with authentication method RADIUS.]
Lists the firewall users by their user names. Also defines the authentication methods.
Enable user firewall: Yes / No. Under the Network Security > User Firewall menu, firewall rules can be defined and assigned to specific firewall users. By selecting Yes, the firewall rules for the listed users are activated as soon as the corresponding user logs in.
Enable group authentication: Yes / No. If enabled, the mGuard forwards login requests for unknown users to the RADIUS server. If successful, the reply from the RADIUS server will contain a group name. The mGuard then enables the user firewall templates containing this group name as the template user. The RADIUS server must be configured to deliver this group name in the Access-Accept package as a Filter-ID "<groupname>" attribute.
Username: Required name of the user during login.
Authentication Method: RADIUS / Local.
- Local: When Local (DB) is selected, the password must be entered in the User Password column next to the Username.
- RADIUS: When RADIUS is selected, the user password can be stored on the RADIUS server.
User Password: Only active when Local is selected as authentication method.

Configuration: Authentication Menu

RADIUS Servers
[Screenshot: Authentication > Firewall Users > RADIUS Servers, with the fields RADIUS timeout, RADIUS retries, RADIUS Servers and Status.]
RADIUS timeout
urther text fields are provided for the static stealth configuration.
multiple clients: As with autodetect, but it is possible to connect more than one computer to the mGuard LAN port (secure port), meaning that several IP addresses can be used here. For technical reasons, the mGuard VPN functionality cannot be used with this mode.

Stealth Management IP Address
[Screenshot: Stealth Management IP Address. "Here you can specify an additional IP address to administrate the mGuard. If you have set Stealth configuration to multiple clients, remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature. Note: using a management VLAN is not supported in Stealth autodetect mode." Netmask 255.255.0.0, Default gateway 10.1.0.254, Use Management VLAN: No, Management VLAN ID.]
An additional IP address can be specified here to administrate the mGuard. Remote access via HTTPS, SNMP and SSH is only possible using this address if Stealth configuration is set to the option multiple clients, the client does not answer ARP requests, or no client is available.
In the Static stealth configuration, the Stealth management IP address is always accessible, even when the network card of the client PC is not activated.

103 from 243

Configuration: Network Menu

IP address: The additional IP address for contact and administration of the mGuard. The IP address 0.0.0.0 disables the management IP address.
Net
us change

Table columns: enterprise oid | genericTrap | specific trap | additional | Explanation

Userfirewall traps: Yes / No

mGuardTrapAv | enterpriseSpecific | mGuardTrapAvVirusDetected (3) | mGuardTResAvVirusDetected | Sent when a virus is found by the AV function
mGuardTrapAv | enterpriseSpecific | mGuardTrapAvFileNotScanned (4) | mGuardTResAvFileNotScanned | Sent when a file has not been scanned for viruses

Activate traps: Yes / No

mGuardTrapRouterRedundancy | enterpriseSpecific | mGuardTrapRouterRedStatusChange (TRAP TYPE 1) | mGuardTResRedundancyState, mGuardTResRedundancyReason | Sent after a change in the current HA cluster status
mGuardTrapRouterRedundancy | enterpriseSpecific | mGuardTrapRouterRedBackupDown (TRAP TYPE 2) | mGuardTResRedundancyBackupDown | Sent when the master device cannot reach the backup device (only sent when ICMP checks are activated)
mGuardTrapUserFirewall | enterpriseSpecific | mGuardTrapUserFirewallLogin (1) | mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod | [explanation not contained in this fragment]

89 from 243

Configuration: Management Menu

90 from 243

VPN traps
uthentication > Firewall Users on page 134.

Firewall rules
[Screenshot: Network Security > User Firewall > Template users > Firewall rules; Source IP %authorized_ip; Log ID; one rule with protocol any, from 0.0.0.0/0, to port http, Log no.]
Please note: If the template is configured with dynamic timeout, the logout timer will be reset to its initial value if TCP, UDP or any other network traffic except ICMP is passing the device due to a matching user firewall rule. For a more precise description of this feature, please see the user manual.

Firewall rules
Source IP: The IP address from which the user connected to the mGuard. %authorized_ip is a placeholder for this address.
If multiple firewall rules are defined and activated for a user, they will be searched in the order in which they are listed (top down) until a suitable rule is found. This rule is then applied. If there are other suitable rules further down the list, then these are ignored.
You have the following options:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
From Port / To Port: Only evaluated for the TCP and UDP protocols. any describes any selected port. startport:endport (e.g. 110:120) defines a range of ports. You can specify individual ports by giving either their port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
To IP: 0.0.0.0/0 means all IP a
uthentication procedure, or the procedure according to X.509. The selection list gives a selection of the machine certificates that are loaded in the mGuard under the Authentication > Certificate menu (see Authentication > Certificates on page 136 in this manual).

b) How the local mGuard authenticates the remote SSH client
The following definition relates to how the mGuard verifies the authentication of the remote SSH client. The table below shows which certificates must be provided for the mGuard to authenticate the SSH client if the SSH client displays one of the following certificate types on connection:
- A certificate signed by a CA
- A self-signed certificate

Configuration: Management Menu

For further information on the following table, see chapter 6.5.3 Authentication > Certificates on page 136.

Authentication for SSH
The remote peer shows: a certificate specific to the individual, signed by a CA | a certificate specific to the individual, self-signed
The mGuard authenticates the remote peer using: all CA certificates that build the chain to the root CA certificate, together with the certificates displayed by the remote peer; ADDITIONALLY, remote certificates if used as a filter | the Remote Certificate

According to this table, the certificates must be provided that the mGuard uses for authentication of the respective SSH client. The following instructions
wall rules for a specific connection.
Move rows: sorts them to another location.
Delete rows: deletes the entire data record.

53 from 243

Configuration: Operation

Inserting rows
[Screenshot: table with row-insert arrows.]
1. Click on the arrow where you want to insert a new row.
2. Result: The new row is inserted. You can now enter or specify values in the row.

Moving rows
[Screenshot: table with row-move controls.]
1. Select the row(s) you want to move.
2. Click on the arrow where you want to move the selected rows to.
3. Result: The rows are moved.

Deleting rows
[Screenshot: table with the delete symbol.]
1. Select the rows you want to delete.
2. Click on the symbol to delete the rows.
3. Result: The rows are deleted.

Working with non-sortable tables
Tables are non-sortable when the sequence of the data records contained within does not play any technical role. It is then not possible to insert or move rows. With such tables you can carry out the following actions:
- Delete rows (as above under sortable tables).
- Append rows to the end of the table in order to create a new data record and settings (e.g. user firewall templates).
The symbols for appending and inserting a new table row are therefore different: [symbol] for inserting rows
y and a network address area is defined, then the only requirement for the establishment of a connection by a remote peer is that the relevant address(es) of the computer(s) is/are found in the area entered in this dialog.
To do this, the VPN tunnel group license must be installed, unless the device was delivered accordingly. The system must be rebooted in order to use this installed license.

Virtual IP (only in Stealth mode)
[Figure: virtual local network with the client's virtual IP, the IPsec tunnel, the client's actual IP, the internet, the remote VPN gateway and the remote network.]
In Stealth mode, the VPN local network is simulated by the mGuard. Within this virtual network, the client is known and accessible under the virtual IP address entered here.

187 from 243

Configuration: IPsec VPN Menu (not for blade controller)

Further settings can be made by clicking More.

Connection type: Tunnel
[Screenshot: IPsec VPN > Connections > Tunnel Settings. General Options: Enabled, Comment, Type (Tunnel); Local 192.168.1.1/32, Remote 192.168.254.1/32. 1-to-1 NAT: Enable 1-to-1 NAT of the local network to an internal network; Enable 1-to-1 NAT of the remote network to a different network. Protocol.]

General Options
Enabled: Yes / No. As above.
Comment: Freely selectable comments. Can be left empty.
Type: Tunnel / Transport. As above. When a c
y have an optional built-in modem. If used, this must be configured. The built-in modem can be used as follows:
- For configuration connections over the PPP dial-in option (for configuration purposes), see the Serial Port, PPP dial-in options tab, OR
- For data traffic in Built-in Modem network mode. In this network mode, data traffic is made over the built-in modem and not over the mGuard WAN port.

External Modem
As for mGuard industrial RS without a built-in modem, mGuard blade, EAGLE mGuard and mGuard delta. Configuration as above for External Modem (see above under External Modem on page 120).

Built-in Modem (analog)

122 from 243

Country: The country where the mGuard and built-in modem is operated must be entered here. This ensures that the built-in modem works according to the valid remote access guidelines in the respective country and that it recognizes and uses dial tones correctly.
Extension / outside line: Yes / No. When No is selected, the mGuard waits for the dial tone when the telephone network is accessed and the mGuard calls the remote peer. When Yes is selected, the mGuard does not wait for a dial tone. Instead, it begins dialing the remote peer immediately. This procedure is necessary when the installed mGuard modem is connected to a private extension that does not emit a dial tone when it is picked up. When a specific number must be dialed to access an external line (e.g. 0), then this should be
y others. However, there is a problem with the site's security certificate.
[Browser security alert: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate has expired or is not yet valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?"]
[Margin note: ... can only be performed when secure encrypted access to the device has been established. A self-signed certificate is returned.]
Acknowledge the associated security notice by clicking on Yes.
Result: The login window is displayed.
[Login window: mguard login. Username: admin. Password. Access Type: Administration / User Firewall.]
Choose the access type (Administration or User Firewall) and enter your username and password for this access type. For the user firewall, see Network Security > User Firewall on page 163.

50 from 243

Preparing the configuration
The factory defaults for administration purposes are:
Login: admin
Password: mGuard
Pay attention to capitalization.
To configure the device, make the required changes on the individual pages of the mGuard website. See Configuration on page 53.
For security reasons, we recommend that you change the default Root and Administrator passwords during the first configuration (see Authentication > Local Users on page 132).

51 from 243

Pr
you want Windows to search for driver files? [Options: Floppy disk drives, CD-ROM drives.]
3. Choose CD-ROM drives and click on Next.
[Found New Hardware Wizard, Driver Files Search Results: The wizard has finished searching for driver files for your hardware device.]
4. Click on Next.

40 from 243

Startup

[Digital Signature Not Found dialog: The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested. The software you are about to install (Innominate mGuardPCI) does not contain a Microsoft digital signature. Therefore there is no guarantee that this software works correctly with Windows. If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available. Do you want to continue the installation? Yes / No / More Info]
5. Click on Yes.
[Found New Hardware Wizard: Completing the Found New Hardware Wizard. Innominate mGuardPCI. Windows has finished installing the software for this device. To close this wizard, click Finish.]
6. Click on Finish.

41 from 243

Startup

Linux
The Linux driver is available as a source archive and must be compiled before usage.
- Build and install the Linux kernel 2.4.25 in the /usr/src/linux directory.
- Unpack the driver from the CD to /usr/src/p