
Nettion Security Software Guide


Contents

(partial, as far as the scan is legible)

4.3 Domains ... 38
4.3.1 Support of Domains Cadastre ... 39
4.4.1 Support of Expressions Cadastre ... 40
4.5.1 Support of Schedules Cadastre ... 40
4.5.2 Determining Intervals ... 41
4.6 Services ... 41
4.6.1 Predefined ... 41
4.6.2 Personalized ... 41
5.1.1 NIS Server ... 43
5.1.2 Windows ... 44
5.4 Access Profiles ... 47
6 Proxy ... 49
6.1.1 Intranet > Nettion ... 49
6.1.2 Nettion > Internet ... 49
6.2.1 Proxy with Authentication ... 50
6.2.2 Transparent Proxy ... 50
6.2.3 General Settings ... 50
6.2.4 Error Messages ... 51
6.4.1 Screen 1: Rule Definition ... 53
6.4.2 Screen 2: Schedule ... 54
6.4.3 Screen 3: Apply for ... 56
Besides its convenience, an always-on (24-hour) internet connection often leads employees to spend working time on personal browsing, causing a significant drop in individual productivity and, consequently, in the company's. The internet link frequently becomes slow, which pushes the company to buy a faster one. What many do not know is that it is possible to control the traffic on the existing link, in most cases without the extra cost of a larger link.

With this in mind, NIS (Nettion Information Security) offers, through Nettion, a complete solution for your organization's 24-hour internet connection: it lets you implement an administrative security policy, optimize the use of your link and keep detailed control over the information that passes through it, all through an interactive management and monitoring tool.

Nettion® benefits:

- Nettion can do load balancing and redundancy of your internet links: through simple and intuitive rules you establish which link each service should use by default and which one it should fail over to, all automatically.
- The proxy module of Nettion makes page access faster without necessarily investing in larger links. This is possible because Nettion stores the visited pages in
Nettion Security Software User's Guide. Nettion Copyright 2002-2008 by Nettion Information Security. This material can be freely reproduced as long as the copyright notices and its original content are kept. Send criticism and suggestions to suporte@nettion.com.br. Revised and updated by Deyvson Matos on July 23, 2008. Translated to English by Marcos Correia (solsticio2for@hotmail.com). This User's Guide is based on the Nettion 4.0 Series. To download the User's Guide for the Nettion 3.0 Series, access http://www.nettion.com.br/comunication/geral/Manual_Nettion3.pdf

Contents (front part, as far as the scan is legible):

3.1 Administrators ... 17
3.2.1 Interface connection ... 20
3.2.2 Sub Interfaces ... 21
3.4 Routing ... 27
4.1 Objects support ... 35
4.1.1 Objects Inclusion ... 36
4.1.5 Object Search ... 37
4.2 Hosts and Networks
4.2.1 Support of Hosts and Networks Cadastre
11.1 Settings

11.1.1 Global Settings

To configure the Nettion DHCP server, access DHCP > Settings. On the screen that is displayed, fill in the fields according to the description below.

Figure 11.1: Global Settings of DHCP Server

- Domain: the domain the DHCP server will answer for. Example: fictitious.com
- Primary DNS: primary name server. Example: 128.0.0.1
- Secondary DNS: secondary name server. Example: 128.0.0.2
- Default Gateway: the exit machine of the network. Example: 128.0.0.1
- Mask: network mask of the network the DHCP server's IP belongs to. Example: Class B (default, /16)

11.1.2 Interface

Still on the global configuration screen, select the interfaces that will answer DHCP requests on your network, as in illustration 11.2.

Figure 11.2: Selection of DHCP operation interface

11.2 Hosts

This section allows the administrator to associate IP addresses with MAC addresses, so that certain machines always receive a static IP. It is especially useful when we want to do specifi
Figure 15.28: Advanced Settings of DNS Domain

15.6.3 Master Domain Items

To access this mode, select the domain to which you want to add items and click the Items button at the lower right of the screen. Click the Add button in the following window. On the screen that is displayed, fill in:

- Type field: defines the type of item. There are 6 types of items:
  SOA (Start of Authority): marks the beginning of the zone data and defines parameters that affect the entire zone.
  NS: identifies the name servers of a domain.
  MX (Mail eXchange): list of e-mail servers for SMTP delivery.
  A: direct resolution of a name to an IP.
  CNAME: defines an alias for a hostname.
  PTR: maps an address to a hostname.
  TXT: allows the creation of SPF and DKIM (DomainKeys) records and the supply of additional information. Examples:
    SPF: example.net. IN TXT "v=spf1 a mx ip4:192.0.2.32/27 -all"
    DKIM: mail._domainkey.example.net. IN TXT "g=*; k=rsa; t=y; p=MF...XYZ"
    INFO: example.net. IN TXT "in case of problem call 85 3878 1900"
- Description field: description for item management.
- Priority field: defines the MX server's priority.
- IP/Host field: defines the resolution hosts for the PTR, A and CNAME types.
- Resolve in field: used to determine the resolution of the name or type.
- Status field: defines the item's status.
Figure 8.5: Objects Selection for Rule Application

Advanced Settings

If you are creating a packet redirection rule, or want to apply other settings to the rule before clicking Finish, click the Advanced button.

Figure 8.6: Rule's Advanced Settings (fields: Optimize this traffic; Redirect this traffic to host/port, e.g. PC Manager 192.168.0.50, port 80; Log this traffic; Mask this traffic when necessary (dynamic); State: Established and/or Related on return of connection)

In this section you will be able to:

- Optimize this traffic: this option allows the traffic handled by this rule to be optimized. The optimization is done by setting a special packet header, TOS (Type of Service), which specifies one of the following: Minimize cost, Maximize reliability, Maximize throughput, Minimize delay.
- Redirect this traffic to another host: use this option when you are creating a packet redirection rule, for instanc
Figure 3.19: Creating Rule, Step 2

- Step 3: In this step you select the services and/or hosts whose traffic will be routed through a specific link.
  In Source Filters > Hosts, select into the left box the host(s) or network(s) from which the connections start. To specify any source, leave the left box empty.
  In Source Filters > Services, select into the left box the source service(s). To specify any service, leave the left box empty.
  In Destination Filters > Hosts, select into the left box the destination host(s) or network(s) of the connection. To specify any destination, leave the left box empty.
  In Destination Filters > Services, select into the left box the destination service(s). To specify any service, leave the left box empty.
  Notice that through these options you have full flexibility in specifying the traffic you want to control, by a certain source and/or to a certain destination.

Figure: Source Filters / Destination Filters selection screen (objects shown: localhost, Google Range, MSoft Range1)
Figure 3.16: Listing of Routes

Advanced

Advanced routing only makes sense in an environment with more than one internet link. It gives you the power to choose a complete set of traffic characteristics that will be directed specifically through one of the registered gateways. Each rule can contain a priority list of gateways through which that traffic should be directed; the first one with active status is always used, as in the illustration.

Figure 3.17: Rules list of Advanced Routing

Creating these rules is very simple. First, it helps to already have in mind what you need to do; if necessary, draw the traffic flow beforehand. Then, using the Advanced Routing Wizard, create the rules as you wish. Creating a rule takes four steps, shown below:

- Step 1: Enter a description, the position the rule will occupy in the list and its status (active or inactive), as in the following illustration.

Figure 3.18: Creating Rule, Step 1

- Step 2: Select the schedule during which the rule will be valid. The available schedules are defined in Objects > Schedules, as in the following illustration.
The administrator can define a schedule by selecting one or more cells of the table composed of days and hours. The selection is made with the mouse as follows: click on the initial cell with the left mouse button, keep it pressed while moving the cursor on the screen, and select the wanted interval. Once the wanted area is selected, click the Mark button. A single schedule object can have several schedule regions selected. If you want to adjust the division of hours, after selecting the wanted area a line is displayed together with fields for fine adjustment and the Mark and Unmark buttons. The user can change the contents of the fields as needed and click Mark or Unmark accordingly. To confirm the interval definitions, click the Save Settings button.

4.6 Services

In this section the administrator can register services for later use in Nettion's settings. There is also an option to check the predefined services: Nettion already has a series of registered services, the best known on the Internet, which are the predefined service objects.

4.6.1 Predefined

In this option the administrator can consult the list of services predefined by Nettion. After selecting a service, click the Items button to view the ports that service uses.

4.6.2 Personalized

If the wanted service is not registered in Nettion,
The picture shows a graph per partition that presents: 1. in red, the used disk space; 2. in yellow, the free space; each with its respective percentage.

Figure 14.9: Pruning Frequency Configuration (fields: Frequency, e.g. Weekly; Prune information older than; Prune logs from: Audit, Backup, Blitz, Firewall, Gateways, Messages, NIDS, PPTP, Proxy, Quarantine)

To configure automatic pruning, fill in the minimum interval of logs that will be kept and the modules whose logs you want to delete. After that, click the Start Pruning button; the pruning process will be started. The choice of frequency depends on the number of accesses the company makes and on the disk space used.

14.5.2 Manual

The administrator can at any time run a pruning independent of the configured automatic pruning; it is enough to inform the minimum interval of logs to keep and the modules whose logs should be deleted, then click the Start Pruning button to begin the pruning process.

Figure 14.10: Form of Manual Pruning Configuration

14.6 Update

Being a solution based on soft
's information. There are two types of resolution: direct, when we want to find the IP of a name, and reverse, when we have an IP and want to know its name. This second form has a different organization and it guarantees that a certain IP belongs to a known network. For instance, an e-mail (SMTP) server receives a connection from a source host identified as 192.168.5.4. For this IP to be allowed to send e-mail, it has to have a reverse record configured. This is done to prevent possible fraud. The reverse domains are under the path in-addr.arpa. This path is not open to public access; therefore it is reliable. In the example above, the reverse of the IP would be 4.5.168.192.in-addr.arpa.

After installation, you access this plugin through the menu DNS > Domains.

Figure 15.25: DNS Demonstrative Scheme (DNS Server, WEB Server, nettion.com.br)

15.6.2 Master Domains

This mode allows you to create and manage your Master domains. Two fields appear only at domain creation: NS and SOA, items required by any DNS zone. The SOA (Start Of Authority) is the initial server for queries; it is the one that determines the other domain names. The NS is the domain's authority; it can be used to resolve the domain names, but it is usually used when the SOA is overloaded. To configure a domain, access the menu DNS > Domains and click the Add button. On the first screen of the add wizard, configure:

- Name: domain name
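The two sender checks this chapter describes, as an added example that is not part of the guide or of Nettion: building the in-addr.arpa name for the 192.168.5.4 example above, and evaluating the SPF TXT record shown in section 15.6.3 against a connecting IP. The `a`/`mx` networks passed in are constructed, since those mechanisms would need DNS lookups.

```python
"""Reverse-name construction and offline SPF evaluation (added example)."""
import ipaddress

# Qualifier prefixes of SPF mechanisms and the result they produce on a match.
SPF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The SPF record from the guide's TXT example (section 15.6.3).
EXAMPLE_SPF = "v=spf1 a mx ip4:192.0.2.32/27 -all"


def reverse_name(ip):
    """192.168.5.4 -> '4.5.168.192.in-addr.arpa'; IPv6 gives the ip6.arpa form.
    This is the name whose PTR record the mail server looks up."""
    return ipaddress.ip_address(ip).reverse_pointer


def evaluate_spf(record, sender_ip, resolved=None):
    """Evaluate a v=spf1 record against the sending IP, left to right.

    Mechanisms that need no DNS lookup (ip4, ip6, all) are evaluated directly.
    For 'a' and 'mx' the caller passes `resolved`, a constructed map of
    mechanism name -> networks already resolved for the domain, because a real
    evaluator would query the A/MX records here.  Mechanisms this toy does not
    know (include, exists, ...) are skipped rather than guessed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    resolved = resolved or {}
    for term in terms[1:]:
        qualifier = "+"                       # implicit qualifier is '+'
        if term[0] in SPF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network (and vice versa).
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = any(ip in ipaddress.ip_network(net)
                          for net in resolved.get(name, ()))
        else:
            continue
        if matched:
            return SPF_QUALIFIER[qualifier]
    return "neutral"                          # no mechanism matched


if __name__ == "__main__":
    print(reverse_name("192.168.5.4"))
    for sender in ("192.0.2.40", "198.51.100.7"):
        print(sender, evaluate_spf(EXAMPLE_SPF, sender))
```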
select the file exported by the server, enter the file's security password and click Import. Nettion will then import all the configuration needed for the connection. Click the Finish button, as in the illustration.

Figure 15.17: Import OpenVPN Configuration File

Firewall

As mentioned earlier, each OpenVPN tunnel works on a different port, according to the setting chosen when the server tunnel was created. For the connection to be established, allow in your Firewall the connection between the servers on the ports used. Supposing the server is configured for port 1184/UDP, create a service object with this port and create a Firewall rule as shown in table 15.5.

Table 15.5: Access to OpenVPN server
  Rule: Liberating OpenVPN server
  Source: OpenVPN Client

In this case we are only allowing the OpenVPN Client object to connect to the server. If it is not possible to identify the connection's source, leave the source as Any. Besides the rule allowing the interconnection between Nettions, it is also necessary to allow the traffic between the VPN networks according to your needs. See the summary of the necessary rule in table 15.6.
Figure 14.5: Manual Backup (used/free disk space; backup module selection: Settings, E-mails, Logs from Audit, Backup, Firewall, Gateways, Messages, NIDS, PPTP, Proxy, Quarantine; optional file name; Start Backup button)

14.3.3 Reports / History

The backup history is displayed with the following information: date, time, file and status. The status can show a green or a red light: the first signals that the backup was successfully completed and the second that the file could not be written successfully. If a problem occurs with the backup, Nettion automatically sends an e-mail to the Administrator defined in the product's settings.

Figure 14.6: Backup History (columns: Date, Time, File, Status)

14.4 Restore

Restoring a backup is quite simple. First select the backup file and click the Upload button. It is possible to select the file through the Search butto
Table 15.6: Liberating Traffic Inside the VPN
  Rule: Liberating Traffic on VPN
  Source: Local Net
  Destination: Remote Net

Launching the OpenVPN Service

Now that server and client are properly configured, launch the OpenVPN service on each Nettion (server and client) in the menu System > Services. Finally, launch the tunnel: on the connection listing screen, click the Start button corresponding to the created connection to bring up the tunnel between the Nettions (see topic 15.5.2). The connection status indicator should then be green, and the network stations can already communicate with each other. If not, check whether you skipped any step above.

15.5.3 Nettion - Users

This OpenVPN mode allows secure connection of external users to your organization. Through the established tunnel, users can access network resources such as shared file systems and printers, according to the adopted security policy, as if they were locally connected to the network. As mentioned before, one thing that distinguishes this plugin is its ability to operate even in internet environments with network masking (NAT), such as the networks of hotels, cyber cafes or airports. Other important characteristics are its ease of configuration, both on the server and on clients, and its flexibility in user authentication, which works together with Nettion's centralized authentication.

15.5.4 Settings

To configure the OpenVPN server, access the menu VPN > OpenVPN > Nettion
NTLM authentication scheme, making the proxy's authentication transparent to the user. To use this authentication scheme it is necessary to set some fields referring to the Windows domain. Another important characteristic of this scheme is that the synchronization of users between Nettion and the domain controller is compulsory.

Enabling NTLM authentication

To enable the NTLM service, the administrator should enable the option "Synchronize Users and Groups of Nettion with Users and Groups of Windows domain" and add the login and password of a user with administrator level. If the Windows server is of the AD (Active Directory) type, activate the option "The Windows server has the Active Directory service enabled". Then it is enough to save the information so that Nettion connects to the Domain Controller, synchronizing the users and authenticating through NTLM.

Important observations:

1. Users have to be logged on to the Windows domain to authenticate and browse the Internet.
2. An additional firewall rule should be created to grant access from Nettion to the Domain Controller, using the predefined services such as smb, win2000 and winnt.
3. For authentication to work, proxy rules must exist. For more information see chapter 6, Proxy.
4. After each change to user information in the Domain Controller, it is necessary to synchronize the users
be delivered to one or more recipients.

Figure 12.1: E-mail Authentication (options: Enable purge of mailbox messages on server; Trash; Sent mails)

12.1.2 Relay

It is important not to allow the e-mail server to be used improperly to send useless, unpleasant and almost always undesirable messages (spam), which is usually done by some user who is not part of your network. Nettion allows the administrator to define which networks or hosts may send e-mail through your server. Technically this permission is called relay. To open the relay for somebody means to allow a certain host or network to send e-mails through your server. A well-administered system will certainly only allow access to those entitled to it; therefore it is necessary to keep the relay closed against intruders.

Figure 12.2: E-mail Server Relay (example entries: Intranet, Internal Network Company, 192.168.110.0/255.255.255.0; Filial, Internal Network Filial, 10.10.0.0/255.255.0.0)

Here we have the list of hosts/networks cleared to use the server to send messages. Registering a liberation is very simple: it uses the previously registered objects and a form as follows. In the left box are the hosts/networks that have permission and in the right box all the objects registered in Nettion. Using the buttons between the two boxes, of intuitive charact
create an expressions group called "Liberate MSN logon" and in it add the following terms, as regular expression type:

- nexus.passport.com:443
- login.live.com:443
- loginnet.passport.com:443
- omega.contacts.msn.com:443
- storage.msn.com:443
- Install_Messenger.exe

4. Create another rule in Proxy liberating this expressions group. You can Allow it for any user, since the control will be done in Blitz itself. Create this rule in position 2, after the Block MSN rule. For any doubt on Proxy rules, see Chapter 6, Proxy.

It is also necessary to create firewall rules that block any attempt to reach MSN through possible network masking. For that, create in the firewall a rule blocking access from the whole intranet, or at least from the IPs of users who should access through Blitz, to the Microsoft networks 65.52.0.0/14 and 207.46.0.0/16 on ports 1863/TCP, 80/TCP and 443/TCP. This rule should be in the upper positions, ensuring that it stays above any network masking rule, except for the masking of users who by chance do not access MSN through Blitz, as shown in table 15.2.

Table 15.2: Blocking access to MSN through Masking
  Rule: Intranet > Microsoft
  Destination: Range MS1, Range MS2
  Services: msn, http, https

Note 1: Before creating the rule, create Hosts and Nets objects containing the Microsoft ranges mentioned, for example RangeMS1 and RangeMS2. For more information on how to create Hosts and Nets objects, see Chapter 4.
the administrator can create personalized services. To do so, add a new service group by clicking Inclusion. On the following screen, enter a name and description for your new service. To add items to a service, select the wanted service and click Items. Each service can contain one or more protocol/port combinations. For each service item the fields below should be configured:

- Protocol: TCP, UDP, ICMP, GRE, ESP or AH.
- Port: it can be a number, a range or a special P2P service.
- Description: adds a description for the item.
- Also add this service for the UDP protocol: mark this option if you want to insert this same port for the UDP protocol (this option is only available when inserting a TCP service).

Chapter 5 User Groups

5.1 Authentication

Nettion has three alternatives for user authentication. The first is to use a user database registered in Nettion itself. The second is to authenticate against a user base already existing on a UNIX/Linux machine, through NIS (Network Information System). The third is through a user database registered on a Windows server. This option also supports authentication through NTLM, which does not request login and password in the browser of Windows stations that are part of a Windows domain; this scheme uses the login information of the Windows domain to authen
will have access. But it is possible to specify which users will have access: for that, select the option "Allow only selected users".

- In Users/Groups, specify which groups and/or users will have access permission. As said previously, users will be authenticated at connection time against the base indicated in Nettion's Centralized Authentication System.

Note 1: To give a user OpenVPN access, the user has to be created before the OpenVPN rule is created. See how to create a user in Chapter 5 of this manual.
Note 2: It is recommended to select ONLY the users who must have VPN access, to avoid users with malicious intentions.
Note 3: We recommend the use of strong passwords, that is, passwords containing upper and lower case letters, numbers and special characters.

See the following illustration.

Figure 15.19: Selection of Users for Access Through OpenVPN

Step 3: In Advanced, indicate:

- Port: Nettion already suggests the connection port.
- Protocol: the default protocol is UDP.
- LZO Compress: use compression to optimize traffic inside the tunnel.
- Type of Server: use the Tunnel option for point-to-point (default) or Ethernet for a connection similar to a common network.
- Accept Connects: by default the connection between clients is allowed (YES).

See the following illustration.
Figure 6.8: Users Graph (period selection and Access statistics: last, average, maximum in bytes)

6.6.1 Selecting a Period

To select a specific period for graph visualization, click the magnifying glass at the upper right of the graph. On the next screen you have two options for selecting the period. The first is the selection box at the base of the graph, which allows selecting periods from 30 minutes to 1 year. The second is using the mouse: click with the left button on a position of the graph and drag to select an area. After that, the graph is reloaded with the selected period.

6.6.2 Visualizing Accesses Starting from the Graph

It is also possible to view the user's accesses starting from a selected graph area. For that, after selecting a period, click the icon at the upper right of the graph.

6.6.3 Realtime Monitoring

Once the wanted user is selected, click the Monitor button to follow the graph being formed as the user makes accesses. To stop monitoring, click the Stop button.

6.7 Configuring Net Stations

For network stations to use Nettion's proxy in non-transparent mode, the proxy settings of their browsers must point to Nettion's IP and port. This setting can vary with the browser used. We list the necessary setting be
Figure 10.7: Report of Detected PortScans (sample entries: "portscan status from 139.40.96.30: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH"; "PORTSCAN DETECTED to port 9003 from 139.67.252.153 (STEALTH)")

10.1.9 Blocked IPs

Displays a list of IPs blocked through the NIDS web interface. IPs contained in this list will have no access to Nettion in any direction, through any interface. Through this list it is also possible to remove blocked IPs. Note: IPs will only be blocked if the Firewall is active. The list of blocked IPs is ordered by inclusion date (Illustration 10.8).

Figure 10.8: Report of Blocked IPs (columns: IP address, Reason, Time & Date, Remove; example reasons: spp_stream4 possible EVASIVE RST detection, spp_stream4 STEALTH ACTIVITY (Vecna scan) detection, Portscan, BAD-TRAFFIC udp port 0 traffic; total of blocked IPs: 5)

Chapter 11 DHCP

The Nettion DHCP server can be configured to distribute IP addresses to the stations of one or more networks linked to the product, allowing each one of them to be treated differently.
firewall available for the Linux operating system, through IPTables and kernel 2.6, and in addition offers a quite simple interface for adding and maintaining rules, preventing the administrator from getting lost in a short time among so many rules created.

8.1 Settings

In Firewall > Settings the administrator defines the default access policy used by Nettion's firewall. The default policy establishes the action taken on any access that has not been allowed by the administrator through rules. Ideally the default policy is configured as Deny everything. Attention, however: before making this setting, some basic rules should be created, such as those that allow access to Nettion itself. The default access policy can be:

- Drop All: blocks any access not allowed in the rules.
- Accept All: blocks only what was defined in the rules.

Initially the policy is set to Accept All, so that the user has access to Nettion and can register the rules needed for their accesses. Only after doing that should you change the default policy to Drop All.

Figure 8.1: Firewall Default Policy Setting

8.2 Rules

Each packet that passes through Nettion is analyzed by the packet filter, which opens it and extracts information such as the source IP, pa
Table 9.3: Liberating IPsec
  Rule: Liberation
  Source: Localhost

Besides this rule, it is necessary to create a rule that allows traffic between the networks connected by IPsec. A summary of the rule to be created follows in the table, considering that:

- Local net: Host/Net object previously configured with the IP of your local network.
- Remote net: Host/Net object previously configured with the IP of the remote network.
- Any Service: considering that any service will be available between the networks. Choose specific services if necessary.

Note: To allow connections to be initiated from both sides (local net and remote net), unmark the option "Established State and/or Related on Connection's Return" in the rule's advanced settings.

Table 9.4: Liberating Traffic Inside the VPN
  Rule: Liberating traffic inside of VPN
  Source: Local Net
  Destination: Remote Net

9.2.1 Settings

Authentication Keys and Cryptography

There are 2 possible types of key.

TIP: if you are using 2 Nettions to establish the VPN, open a browser window through a secure connection to each of the sides. This way it is easier to configure your VPN.

PSK Key: The authentication system under PSK key consists of a single key shared between the 2 VPN sides, which provides the system's encryption, decryption and authentication.

Advantages:

- Using the IPsec protocol, specifically designed for the safe traffic of information over the TCP/IP protocol, Nettion VPN IPsec becomes one
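An added example, not Nettion code, modelling the rule concepts from the Firewall chapter (section 8.1's default policy and the "allow access to Nettion first" warning) and from the VPN tables above (the Established/Related return option, the OpenVPN 1184/UDP rule and the MSN blocking ranges). It is a simplified first-match filter: the object addresses marked constructed are assumptions, and a packet's port is taken to be the service port of its connection.

```python
"""Toy first-match packet filter with default policy and return-traffic option."""
import ipaddress
from dataclasses import dataclass

ANY = ()  # empty filter = "Any", as in the rule wizard's empty left box


@dataclass
class Rule:
    name: str
    action: str               # "accept" or "drop"
    src: tuple                # host/network objects (CIDR strings); ANY = any
    dst: tuple
    services: tuple           # (proto, port) items of the service object; ANY = any
    established_only: bool = True   # "Established and/or Related on return" marked:
                                    # reverse-direction packets only for replies
    position: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    port: int                 # service port of the connection (simplification)
    state: str = "new"        # "new", "established" or "related"


def _in(ip, objs):
    return not objs or any(ipaddress.ip_address(ip) in ipaddress.ip_network(o, strict=False)
                           for o in objs)


def matches(rule, pkt):
    if rule.services and (pkt.proto, pkt.port) not in rule.services:
        return False
    if _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst):
        return True           # connection opened from the rule's source side
    if _in(pkt.src, rule.dst) and _in(pkt.dst, rule.src):
        # reverse direction: replies only, unless the option was unmarked
        return pkt.state in ("established", "related") or not rule.established_only
    return False


def decide(rules, policy, pkt):
    """Return (action, rule name); the default policy decides when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.position):
        if matches(rule, pkt):
            return rule.action, rule.name
    return ("drop" if policy == "Drop all" else "accept"), "default policy"


# Objects.  Constructed: intranet, Nettion's own address, the remote OpenVPN peer.
INTRANET = ("192.168.0.0/24",)
NETTION = ("192.168.0.1/32",)
OPENVPN_CLIENT = ("203.0.113.10/32",)
MS_RANGES = ("65.52.0.0/14", "207.46.0.0/16")     # RangeMS1/RangeMS2 from the guide
VPN_LOCAL, VPN_REMOTE = INTRANET, ("10.10.0.0/16",)  # 10.10.0.0/255.255.0.0 on the page

RULES = [
    Rule("Admin access to Nettion", "accept", INTRANET, NETTION, (("tcp", 443),), position=1),
    Rule("Block MSN through masking", "drop", INTRANET, MS_RANGES,
         (("tcp", 1863), ("tcp", 80), ("tcp", 443)), position=2),
    Rule("Liberating OpenVPN server", "accept", OPENVPN_CLIENT, NETTION,
         (("udp", 1184),), position=3),
    # Table 9.4 / 15.6 with the Established/Related option unmarked, so either
    # side of the VPN may open connections.
    Rule("Liberating traffic inside VPN", "accept", VPN_LOCAL, VPN_REMOTE, ANY,
         established_only=False, position=4),
]


def safe_to_switch_to_drop_all(rules, admin_host, nettion_host):
    """The guide's warning: before choosing Drop all, a rule must already allow the
    administrator's own HTTPS access to Nettion, or the interface locks itself out."""
    probe = Packet(admin_host, nettion_host, "tcp", 443)
    return decide(rules, "Drop all", probe)[0] == "accept"


if __name__ == "__main__":
    print(decide(RULES, "Drop all", Packet("192.168.0.50", "65.52.1.1", "tcp", 1863)))
    print(safe_to_switch_to_drop_all(RULES, "192.168.0.50", "192.168.0.1"))
    print(safe_to_switch_to_drop_all(RULES[1:], "192.168.0.50", "192.168.0.1"))
```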
Save Settings button. Remember that the more modules you select, the more disk space will be needed, mainly when selecting the e-mail modules and some types of system logs. The following illustration shows the Nettion backup module selection screen.

Figure 14.2: Modules for backup (Settings, E-mails, Logs from Audit, Backup, Blitz, Firewall, Gateways, Messages, NIDS, PPTP, Proxy, Quarantine)

Storage

Besides the Nettion backup file, it is also important to create a copy of this file on another machine of your network, because the backup can then easily be stored on digital media, creating backup packs. For that, click the Storage option and fill in the fields as described below.

Figure 14.3: Windows Shared Network

- Host: name of the machine on the network where the file copies will be made. Example: backup
- IP: corresponding IP of the backup machine. Example: 128.0.0.21
- Shared Folder: name of the shared folder on the machine. Example: bkpnettion
- User: login of a user with permission to write in these directories. Example: Backup
- Password: password for the shared access. Example: password

Note: the password appears under mas
25. Status.

[Figure 15.29: Add Items in the DNS Domain]

15.6.4 Slave Domains

This modality allows you to create and manage Slave domains. For that, access the menu DNS > Domains and click the Add button. In the first screen of the add wizard configure:
- Name: name of the domain that you will create.
- Description: description of the domain which you will manage.
- Type: the domain type that you will create. In this case, Slave.
- Status: Active.

[Figure 15.30: Add a Slave Domain in DNS]

In the second wizard screen, select the Master servers with which it should synchronize. At least one server must be selected, as displayed in the illustration below.

[Figure 15.31: Masters DNS Selection]

15.6.5 Slave Domain Items

The items of a Slave domain will be all the items imported from the Master domain.

15.6.6 Reverse Domains

Reverse domains are a special type. Their syntax is in-addr.arpa, which appears next to the NAME field. There is a button called GENERATE THE REVERSE in the creation wizard that will make the work easier. When clicked, it will request the IP ma
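As an added illustration of what the GENERATE THE REVERSE button derives (this is example code, not Nettion's own), the following Python builds the in-addr.arpa zone name from a network and prefix length, plus the PTR item names for hosts inside it; it assumes octet-aligned masks (/8, /16, /24) and treats sub-octet delegations as out of scope.

```python
import ipaddress


def reverse_zone(network: str) -> str:
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 network.

    Example: "192.168.13.0/24" -> "13.168.192.in-addr.arpa"
    Assumption (not stated by the manual): only /8, /16 and /24 networks
    map to a single whole reverse zone, so other prefixes are rejected.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]          # network part of the address
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_items(network: str, hosts: dict) -> dict:
    """Build the PTR record names for a mapping of host IP -> hostname.

    Returns {"<reversed host octets>.<zone>": "<fqdn>."}; hostnames are made
    fully qualified (trailing dot) because PTR targets are absolute names.
    Hosts outside the network are rejected instead of silently mis-filed.
    """
    net = ipaddress.ip_network(network, strict=True)
    zone = reverse_zone(network)
    items = {}
    for ip, name in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {network}")
        host_octets = str(addr).split(".")[net.prefixlen // 8:]  # host part only
        label = ".".join(reversed(host_octets))
        items[f"{label}.{zone}"] = name if name.endswith(".") else name + "."
    return items


if __name__ == "__main__":
    # Constructed sample input: the manual's example subnet and a host on it.
    print(reverse_zone("192.168.13.0/24"))
    print(ptr_items("192.168.13.0/24", {"192.168.13.30": "nettion.yourcompany.com"}))
```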
26. again in Nettion. In some situations Nettion can lose communication with the domain controller, for instance in case of a temporary shutdown of the Domain Controller. In these cases Nettion should be reconnected to make authentications again.

IMPORTANT: When synchronizing the data with the domain controller, all the groups and users previously registered will be deleted. It is of extreme importance to make a settings backup before accomplishing this procedure.

Synchronization and reconnection: There are two additional options in the NTLM settings:
- Synchronize Users and Groups: this option synchronizes the Nettion users again with the domain controller's users. It should be used whenever alterations are made to the users and groups of the domain controller.
- Reconnect to the Domain: this option reconnects Nettion to the domain controller in case the communication between them is lost. Example: server shutdown.

5.2 Groups

Nettion allows the administrator to create groups of users and to use them in the creation of Proxy rules. This makes it possible for the users of a group to be subjected to specific rules controlling their Internet access.

[Figure 5.2: Groups Management (listing: administrative, commercial, customers, support, financial, marketing, nettion)]
27. allows the Administrator to define which modules of the tool can be visualized in the users' access menu for a certain profile. Handling is very simple, as displayed in the illustration ahead.

[Figure 5.6: Selection of the Modules]

After a profile is created, the administrator should link it to the users to which it applies. This link is made directly in the user's registration. Users that are not linked to a specific profile are automatically assigned a standard profile with limited access.

Chapter 6: Proxy

The Proxy service has two basic functions. The first is Cache, which makes it possible to increase speed when accessing pages on the internet without necessarily investing in larger links, because it optimizes navigation by keeping a local cache of the web objects accessed by users. Objects already accessed and still valid are locally available to users who need that same object, avoiding use of the link for each access to the same site or file, for instance. Besides this, the Proxy also acts as an application-level firewall. This way, it is possible for the administrator to make users' accesses co
28. authorized people to configure the system. Remember to change that password in case it becomes known to unauthorized personnel.

Note: In Chapter 5 you will find information on how to create users and system access profiles. This way you will be able to create a user and define the Nettion modules which can be accessed.

3.1.1 Administrator Password

To change the password, fill out the current password field, the new password and its confirmation, and click the Save Settings button.

[Figure 3.1: Change Password]

For the E-mail setting, fill out the Administrator's E-mail and SMTP Server fields and click the Save Settings button. This e-mail will be used by Nettion to send notifications to the administrator, for instance notification of a problem in the backup system.

[Figure 3.2: E-mail Setting]

3.1.2 Date/Time

To configure the system's date and time you have two options: configure it manually (Local Clock) or synchronize with an NTP (Network Time Protocol) server.

[Figure 3.3: Manual Date and Hour Setting (Local Clock / NTP Server, Time Zone, Time zone of hardclock, Date dd/mm/yyyy, Time hh:mm)]

- Time Zone: select your time zone.
- T
29. change the gateway's state to down when it stops answering within the stipulated time. To not indicate a time limit, select the option Limitless.

Redefine settings on gateway state change: mark this option if you want Nettion to redefine the gateway settings at each state change, as for instance the participation settings of the gateways in the default route.

Notice that the traffic can be divided according to a specified percentage participation in the default route, allowing priorities to be defined regarding the use of one of the links. It is also possible for a gateway not to participate in the default route (0). In this case the link will be used in two ways: for accesses originated externally to services available in your network (example: VPN, E-mail, Web Portal) and for traffic foreseen in advanced routing rules, as will be shown ahead in the topic.

Monitoring: By default the links are monitored by the system, which automatically reconfigures the environment according to availability. Each change in the state of your links is registered, allowing audit. For that, select a gateway and click the Items button. The state report of the gateways will be exhibited as in illustration 3.12 below.

[Figure 3.12: Gateway state report (Interface filter, From/To date, Search; columns: Date/Time, gateway IP, interface)]
30. classified in any rule. The device's total bandwidth is defined in the network interface setting, in the menu Settings > Net > Interfaces.

We will use the presented scenario of E-mail delivery so that the concept is clearer. Imagine that in that environment we have a band of 1 Mbit to the internet and our need is to restrict the bandwidth of e-mail download, preventing this traffic from disturbing other services. Once the network interface is defined (see section 7.3.1), the next step is to create the class, following the steps below:
1. Click the menu Bandwidth Control > Settings.
2. Click the Configure button of the interface defined in the section.
3. The next screen will show a Classes listing. Click the Inclusion button.
4. Fill out the fields:
   - Name: name of the class. Example: Class 1
   - Description: description of the class. Example: Class 1
   - Min Vel: insert the reserved bandwidth for this class. For our example it will be 1 Mbit.
   - Max Vel: insert the maximum bandwidth allowed for the class. For our example it will be 1 Mbit.
5. Click the Save Settings button.

To give an idea of your current setting, Nettion offers a graphic that shows the Interface and its Classes and Objects divisions. To visualize it:
1. Click the menu Bandwidth Control > Settings.
2. Click the Visualize Graphic button of the wanted interface.

Observing the image, the orange circle represents the network Interface and the blue circles represent the classes. Positioning the mouse on a circ
31. configure it in each station's browser.

6.2.2 Transparent Proxy

Transparent use of the proxy works only with cache, with no possibility of restrictions on users. In the Transparent Proxy case, it is necessary that an additional Firewall rule be created. It will be responsible for redirecting traffic on port 80 to the Proxy port, 3128 (object squid, by default).

Rule: Transparent Proxy; Source: Intranet; Action: Redirect to localhost 3128. Table 6.3: Transparent Proxy Redirection

6.2.3 General Settings

To access the proxy general settings screen, access Proxy > Settings > General Settings. A description of the settings screen fields follows:
- Port: port on which the Proxy service will work. Example: 3128 (default)
- Cache Size: size of the cache in MB. Example: 1000
- Main Memory Size: amount of RAM memory in MB that will be used to store frequently accessed objects. Example: 100. This setting can be calculated as 10% of the machine's RAM in case Nettion is also used as Firewall, VPN, E-mail etc. In case Nettion is used only for Proxy purposes, larger values such as 60% to 70% of the available RAM can be used. The storage of objects in RAM accelerates navigation due to the larger access speed compared to the hard disk.
- Maximum object size in disk: size in MB up to which an object is stored in cache. Example: 64
- Default policy: standard policy to be used. Example: deny any access. The ideal pattern is to
32. deny access and that you create rules releasing what is necessary.
- Error messages: determines in which language the error messages will appear to users.
- Basic Authentication Processes: determines how many processes Nettion should keep open to authenticate users. It varies according to the number of people that will access the Internet simultaneously.
- NTLM Authentication Processes: determines how many NTLM authentication processes Nettion should keep open to accomplish user authentication. This number varies with the number of proxy users using NTLM authentication. The default is 20 processes; however, in some networks with many users and many simultaneous authentications it can be necessary to increase this number.
- Company for the error messages: allows specifying the company's name which will be exhibited in proxy error messages.

Illustration 6.1 displays an example of the Proxy Settings.

[Figure 6.1: Proxy Settings (Cache size 1034 MB, Main Memory Size, Maximum object size in disk, Default policy, Transparent proxy, Error messages, Basic Authentication Processes, NTLM Authentication Processes, Company for the error messages)]

6.2.4 Error Messages

In Nettion all Proxy error messages can be edited, allowing setting flexibility. To edit Proxy messages, access Proxy > Settings > Error Messages. Illustration 6.2 exhibits the Prox
33. - OpenVPN Plugin

9.1 VPN PPTP

The PPTP protocol allows establishing a connection from a host on the internet to the local network controlled by Nettion. Its cryptography is medium or lower depending on the client used. Windows operating systems of version 2000 or later establish 128-bit (medium cryptography) connections. Windows 98 clients establish 40-bit cryptography connections. A common use case is when a user wants to access the company's network controlled by Nettion from a dialed (DialUP) or ADSL connection.

Attention: For VPN PPTP use it is necessary that the administrator add firewall rules to allow the access. Make use of the predefined pptp object. A summary of the necessary rule follows in the table.

Rule: VPN PPTP Liberation. Table 9.1: Liberating VPN PPTP

9.1.1 Settings

To configure the VPN PPTP server, access VPN > PPTP > Settings. The settings screen will be exhibited as in illustration 9.1 below.

[Figure 9.1: Settings of VPN PPTP (Running Interface: All; Server IP: eth0 192.168.13.30; Range IP client: 192.168.13.42-43)]

- Running Interface: indicates the network interface on which the server will answer PPTP requests. It will usually be the network interface connected to the Internet with a public IP, or All for any interface. Example: eth0 200.200.200.200
- Server IP: IP that will be the PPTP clien
34. in the quarantine screen, as displayed in illustration 12.24.

12.7.5 Top Mail

The access graphics of the E-mail module can be visualized. With that, the administrator follows which user sends more e-mails and which generates more traffic in the e-mail server. See illustration 12.26 that follows.

[Figure 12.26: Top Mail Graphic (User x Traffic in MegaBytes)]

Chapter 13: Tools

All the tools possess the same interface, but each service is applied according to its defined functions, as described below.

13.1 Reverse

This option exists to identify which domain an IP refers to, or which IP refers to a specific domain. In case the administrator fills out the IP/HOST field with an IP, the result will be its equivalent domain.
- Example 1: IP/HOST: 200.200.200.1. Return: 200.200.200.1 > www.test.com
- Example 2: IP/HOST: www.test.com. Return: www.test.com > 200.200.200.1

[Figure: Reverse tool screen (IP/HOST: www.grupofortes.com.br 200
35. local network interconnection, such as a head office and other stores, and of users physically separated from the local network, using the Internet as the communication medium and guaranteeing the safety of the data.
- The Integrated Authentication System of Nettion facilitates local network control with synchronization and integration of users and groups with Linux NIS or Windows, not requiring re-registration or additional maintenance work. It also allows integrated NTLMv2 authentication, avoiding retyping the password whenever an internet session begins.
- The E-mail service makes possible full autonomy for the administration of mail accounts with multiple domains, allowing audit of messages, an AntiSPAM system with training by the local network users, and an integrated Antivirus system. The accounts administration and the users' authentication are integrated with the Nettion authentication system, facilitating the administration of e-mail accounts.
- The Automated Backup and Restore Systems make possible a fast recovery of all services and information in case of hardware failure.
- Updating through the Internet: constant updating provides more safety, with security bug fixes and the inclusion of new resources to the tool.

These and other Nettion tools are available in an easy and simple way, not requiring advanced technical knowledge to operate them. With this document you will learn how to do the settings of Nettion to ada
36. of the Domains Group, select the wanted group and click the Items button. In the following screen you will find the listing of items of the domain. Click the Inclusion button and fill out the information on the item:
- Domain: type the domain, beginning with a dot to identify the whole domain (example: .hotmail.com), or without the dot to identify a specific host that the domain uses (example: login.hotmail.com).
- Description: description concerning the item. Example: Blocked domains

4.4 Expressions

In this section the administrator can register expression groups (words or regular expressions) to be used in the proxy setting. As happens with domains, each group can contain one or more items, making it possible to use the whole group in a single proxy rule.

4.4.1 Support of Expressions Cadastre

The maintenance of the expressions and items cadastre follows the previously established pattern. For expressions the following fields should be filled out:
- Name: name that you want to give to the group. Example: Forbidden Expressions
- Description: description concerning the group. Example: Expressions that should be blocked

To add items to an Expressions Group, select the wanted group and click the Items button. In the following screen you will find the items listing of the expressions group. Click the Inclusion button and fill out the information on the item:
- Type: type of item to be created, Word or Regula
37. of information about the device, such as model, manufacturer and chipset.
- In the following screen, fill out the information of your network device:
  - Driver: detected automatically by default.
  - IP address: indicate the IP address that will be attributed to the device, or click the DHCP option for Nettion to use an IP supplied by your network's DHCP server.
  - Net Mask: indicate the mask of your actual network.
  - Speed: indicate the speed of the device. This information will be used in the Bandwidth Control service.
  - Description: a description of the network interface, such as Intranet Interface.
  - Obtain DNS server: to obtain the DNS setting automatically. That is possible in cases where DHCP is activated.
  - Answer DNS requests on this interface: this option makes Nettion announce its DNS service on this interface.
  - Activate on boot: indicate Yes to activate the interface automatically at Nettion boot.

[Figure 3.6: Add/Edit of Ethernet Interface (Interface Eth0, MAC Address, Driver, IP Address / DHCP, Internal Interface, Get DNS from Server, Respond DNS requests on this Interface, Active on boot)]

3.2.2 Sub-Interfaces

Nettion also supports the inclusion of network sub-interfaces. They are always associated with a physical Interface and basically have two purposes:
1. Additional IPs on an Interface: it allows an interf
38. of messages

[Figure 12.9: Add/Edit of Domains (fields: Unlimited, Administrator Password (postmaster), Password Retype, Redirect invalid e-mail, Use Nettion authentication, Import user's group, Start synchronization)]

12.3 Users

In this section the administrator can search and edit users, besides creating them.

12.3.1 Searching Users

To visualize the existing users (e-mail accounts) in the system, access E-mail > Users.

[Figure 12.10: Users Management (columns: e-mail address, name, quota, messages)]

In the screen that will be exhibited, all users of all existing domains in the e-mail server will be shown, in alphabetical order. However, the exhibition order can be altered; for that it is enough to click the corresponding header of the wanted order. To facilitate the search, the Users search located above the users screen can be used.

12.3.2 Editing Users

When making the search, you can edit an account by clicking Edi
39. of the safest choices for information traffic.
- The PSK system is simpler to configure than the double-key RSA one. However, the cryptography level and safety is lower.
- Total compatibility with other VPN PSK systems, such as Symantec Raptor.

Disadvantages:
- Does not support NAT.
- Less safe than the RSA system.

Precautions:
- Do not use humanly comprehensible keys.
- Do not give your key to the other VPN side by e-mail, instant messages or other public means of communication. Use SSH, HTTPS or another safe way of message transfer. In case you use a diskette or CD-ROM for key transport, destroy it.
- Do not reveal your key to anyone.
- Generate safe keys with more than 128 bits.

RSA Key: The authentication system under RSA keys consists of two keys, a public one and a private one, which provide the system's encryption, decryption and authentication. This setting requires the generation of the secret key, which Nettion can supply. The secret key possesses a high cryptography level (example: 2048 bits or 4096 bits, configurable by the administrator) that guarantees a high level of safety in transactions.

Advantages:
- Using the IPSec protocol, specifically designed for safe information traffic over the TCP/IP protocol, VPN IPSec becomes one of the safest choices for information traffic.
- The RSA system is extremely safe.
- Trusted system: it has many years with a solid test base of safety and usability.

Disadvantages:
- Do
40. in other words, the accounts from which we want to obtain e-mails. To add these accounts, click the Add button as shown in illustration 15.33.

[Figure 15.33: Created Source Account List]

In the screen that will be exhibited, report:
- Source Server: the name/IP of the source account's POP/POP3 server. Example: pop3.yourprovider.co
- User: the account's access user.
- Password: the password used for login.
- Confirmation: retype the password for login.

The above information should be typed correctly so that GetMail access to the account can be successfully accomplished. Such information should be obtained directly from the users of each registered source account. See illustration 15.34.

[Figure 15.34: Source Account Creation (Source Server, User, Password, Confirmation)]

15.7.4 Rules

The rule creation process in GetMail is quite simple. Basically it consists of specifying one or more source accounts and a destination account, which can be a local account in Nettion itself or a remote account on another server. For that, follow these steps:

Step 1: To create a GetMail rule, access Getmail > Rules. In the screen that will be exhib
41. 's license and version.

[Figure 14.16: Nettion's License Data (Nettion Security Software Version 4.02; Copyright 2000-2008 Nettion Information Security; Copy licensed to NAME OF YOUR COMPANY; Expiration date 18/03/2009)]

14.9 Audit

Daily, several operations are accomplished in Nettion Security Software, such as changes to objects, firewall and proxy rules, among others. To visualize and follow all the actions accomplished in Nettion you can use the audit service. It informs the date of the alteration, the module and sub-module that was altered, which action was accomplished, the user and the IP. Access the Audit menu through System > Audit, according to illustration 14.17 below.

[Figure 14.17: Audit listing (From/To date filter dd/mm/yyyy, Module, SubModule; columns: date/time, module, sub-module, action, user, IP)
42. 's wanted objects on the right (the list of Host and Net objects previously registered), transferring them to the left box. The transfer can be made by clicking twice on the wanted object or using the controls between the boxes. To specify that the packets' origin does not matter (in other words, any origin Host/Network), leave the left selection box empty. To specify that it is Nettion, use the special object called localhost.

TIP: In case you are using the Mozilla Firefox browser, it is possible to obtain more information about objects during rule creation. For that, it is enough to position the mouse on the wanted object, as shown in the illustration.

[Figure 8.4: Objects Information (Source Filters / Destination Filters: Hosts, Services)]

In Destination Filters > Hosts you will select the destination hosts or networks of the connection, in other words those that will receive the connection. To specify that the packets' destination does not matter, leave the left selection box empty. To specify that it is Nettion, use the special object called localhost.

In Destination Filters > Services you will select which service(s) will be accessed at the connection's destination. By default Nettion offers a list of previously defined services with the principal services, but you can create your own in the menu Objects > Services > Personalized. See the illustration ahead.
43. that you will create.
- Description: description of the domain which you will manage.
- Type: the domain type that you will create. In this case, Master.
- Status: Active.
- SOA: Start of domain authority. Only in the creation of a master.
- NS: NS of the master domain.

As displayed in the following illustration.

[Figure 15.26: DNS Domain Settings (Name: yourcompany.com; Description: Principal Domain of Your Company; Type: Master; Status: Active; SOA; NS)]

In the second wizard screen, select the slave servers that will be notified by the master, remembering that the whole list of Items of NS type will also be notified.

[Figure 15.27: DNS Slaves Selection]

In the third wizard screen (Advanced button, which is optional) configure:
- TTL: time of validity of the cache information in other servers.
- Expire in: total time of updating attempts.
- Refresh in: time requested for the updating.
- Retry in: time of retries in case of updating failures.
- Postmaster: the domain administrator's e-mail.

See the illustration.

[Figure: Advanced DNS settings (Refresh in, ...)]
44. where the object is. In case the object is a host, remember to use mask 255.255.255.255 (/32).
- Description: explanatory text on the object. Example: Company's Web Server

[Figure 4.7: Adding a Host/Network Object (Object, IP Address, Mask: Host 255.255.255.255 /32, Description)]

4.3 Domains

In the domains cadastre, the administrator should create the list of domain groups that will be used in Nettion's settings. Each group can contain one or more domains.

[Figure 4.8: Domain Objects Listing (Educational: Educational Domain List; Prohibited: Prohibited Domain List; Governmental: Governmental Domain List; Pornographic: Pornographic Domain List; Relationships: Relationships Domain List; Without Authentication: List of Domains Without Authentication; Blitz: List of Domains to Blitz Authentication)]

See an example of domain objects listing in illustration 4.8 on page 39.

4.3.1 Support of Domains Cadastre

The support of the domains cadastre and of its items follows the previously established default. For domains the following fields should be filled out (see illustration on page 39):
- Name: name that you want to give to the group. Example: Government
- Description: description concerning the group. Example: Government domains

[Figure 4.9: Setting Form of Domains Group (Name, Description)]

To add items
45. [Figure 14.17, continued: Audit of Interventions Accomplished in Nettion (Page 1 of 4; 1 to 50 of 189 records)]

Clue: Configure user accounts so that the system administrator has his own user account for product administration. This way, the standard nettion user will be used exclusively by the support team.

14.10 On/Off

In case there is need, the administrator can restart or even turn off Nettion by selecting one of the buttons of this topic.

[Figure 14.18: Restart or Shut Down of Nettion (Shutdown, Reboot)]

Chapter 15: NettionPlugs

15.1 What's NettionPlugs

NettionPlugs are additional functionalities (plugins) that NIS (Nettion Information Security) developed thinking about each customer's specific needs. Each NettionPlug has a different application. This way you decide which plugin is most adequate for your business. Each plugin can be installed for evaluation for 15 days. After this period, contact your Nettion reseller to acquire it. The acquisition of NettionPlugs is very easy. If your company already has Nettion, it is enough to access the Systems menu, select the Plugins option and install the wanted functionalities. You still have fifteen days tota
46. [Figure 12.19: Historical of trainings accomplished (rows per date: Spam / Nospam, trained and new counts, status; Previous 1-10 of 14 Next)]

- number of spams and no-spams trained
- amount of new spams and antispams
- training status, whether successful or unsuccessful

12.6.3 Whitelist

There is also a possibility to define a list of users, called reliable, that can send messages that exceed the sensibility limit and even so are not classified as spam. This is the system whitelist.

[Figure 12.20: Antispam Whitelist (commercial@yourpartner.com: Commercial Department of your Partner; marketing@yourpartner.com: Marketing Department of your Partner; @yourcustomer.com: Domain of your Customer)]

To add an e-mail to the Whitelist, click the Add button. In the screen that will be exhibited, type the complete e-mail address (without errors) and a description that defines what this e-mail refers to. At the end, click the Save Settings button, as displayed in illustration 12.21.

[Figure 12.21: E-mail Inclusion in Antispam Whitelist (help text: To enter a domain mail, start with @)]

12.7 Reports

12.7.1 Queue

All messages that were sent by Nettion e-mail users go through a queue to be processed and definitively transmitte
47. (Contents, continued; only the legible entries survive)
12.7.5 Top Mail 111
13 Tools 113
13.1 Reverse 113
13.4 Route 114
15 NettionPlugs 127
15.1 What's NettionPlugs 127
15.2 Installing a NettionPlug 127
15.3.2 Client Software Stations 129
15.4.4 Firewall 133
48. 138. Also read about NettionPlugs in Chapter 15 on page 127.

Chapter 10: NIDS

The Network Intrusion Detection System of Nettion works by investigating whether someone is trying to apply one of the more than 1,600 types of invasion attempts classified in Nettion through your connection. Once an attempt is detected, Nettion will send an e-mail to the administrator giving notice of the event, and it will register the fact in the NIDS log.

10.1 Settings

Defines the information referring to the detection system, which can be:
- Interface used to monitor traffic
- IPs and networks that are monitored for attacks
- Signature filters, etc.

The signature update is made through Nettion's updating system. Verify new software versions in the System module.

10.1.1 Interfaces Selection

The administrator can select which interface to monitor regarding invasion detection attempts. In case you want to monitor all of them, it will not be necessary to click each one individually. It is enough to click the All option, as displayed in the illustration below.

[Figure 10.1: Selection of NIDS Interfaces (Eth0, Eth1, Eth2, All)]

10.1.2 Objects

An objects list is presented in Nettion for the administrator to classify which are reliable and which will be monitored. When selecting an object to be monitored, the whole traffic regarding the cho
Figure 12.23: Messages Auditing (search by date, dd/mm/yyyy; columns Source, Destination, Date; Page 1 of 558, 27,894 records; buttons Back, Edit, Items, Del)

12.7.4 Quarantine

The quarantine works in a similar way to auditing, keeping every e-mail that is contaminated with a virus. The administrator may also view a copy of each quarantined message, and manage the quarantine by deleting or releasing captured e-mails. To do so, in the report shown in illustration 12.24, select the e-mail you want to delete or release and click the Edit button. The retained e-mail will be displayed.

Figure 12.24 (first part): Quarantine listing (search by date, dd/mm/yyyy; columns Source, Destination, Date, Subject and classification score, e.g. "Super duper copies of brand watches" SPAM 4.0/4.0)
Figure 9.3: Report of Accomplished Connections (columns Date, Speed 115200, Interface ppp0 to ppp3, IP Address, Status Normal, User, Disconnection Date; Previous, 1-40 of 431, Next)

Connections

The administrator can follow up the accesses made through PPTP, which simplifies network administration. The administrator can also disconnect a connected user manually by clicking the Stop button, as shown in illustration 9.4 below.

Figure 9.4: Listing of Active Connections (columns User, Date, Time, Speed 115200, Interface, IP Address; buttons Back, Items)

9.2 VPN IPSec

IPSec is one of the safest protocols available for establishing VPNs over public communication networks, because it uses strong, publicly reviewed cryptographic algorithms with security levels configured by the administrator.

Attention: to use VPN IPSec, the administrator must add firewall rules that allow its traffic. In practice this means allowing IKE on UDP port 500, NAT traversal on UDP port 4500 and the ESP protocol (IP protocol 50) between the two gateways. A summary of the rule to be created follows in table 9.3, page 78.

Rule: IPSec
Figure 13.1: Names Resolution (IP/HOST field; Execute Diagnostic button)

13.2 Whois

Whois gives you the registration report of a given IP or domain from FAPESP. This report can also be printed.

13.3 Ping

Ping is used to check whether a certain machine is up and reachable. This process, like the others in this section, is quite simple: fill in the IP/HOST field with the IP to be tested.

13.4 Route Trace

To find out the path to a certain machine (IP), fill in the IP/HOST field and wait for the report of the route travelled to reach it.

13.5 DNS Diagnosis

In this section the administrator can run a DNS diagnosis that shows information about the SMTP servers, the list of names and IPs, the list of authoritative nameservers and the host authority. The query can be made using the host's IP address or its name.

Figure 13.2: DNS Diagnosis (example for yourcompany.com: list of SMTP servers with MX mail.yourcompany.com, IP 200.200.200.1, reverse name mail.yourcompany.com; host yourcompany.com, IP 200.200.200.1, reverse name reverse.yourcompany.com; list of names and IPs; authoritative nameserver ns1.yourcompany.com, IP 200.200.200.2; host authority with master nameserver ns1.yourcompany.com and responsible hostmaster@yourcompany.com; Back, Items)

Chapter 14 System

14.1 Services

Through this option it i
Figure 3.12: Gateways Monitoring (columns Date, Gateway 200.200.200.1, Interface eth1; Page 1 of 1, 5 records; buttons Back, Items)

It is however possible to edit the monitoring options of each gateway's state according to your needs. To do so, select the desired gateway and click the Edit button. The gateway's editing options are displayed, as the illustration below shows.

Figure 3.13: Gateways Edition (fields Interface eth2 200.200.200.2; Gateway 200.200.200.1; Dynamically obtained; Participation in the default route 100; Timeout (s) 2, or Unlimited; Redefine settings on the change of the gateway's state; Save settings; Back, Items)

Every minute Nettion monitors the gateways' connectivity by trying to ping reference servers on the Internet. Timeout configures how long to wait for a reply: a short value makes the check more sensitive to the gateway's state, at the cost of declaring a congested but working link down more often. The system is reconfigured according to the availability of each gateway, switching to the redundant gateway when one becomes inactive. Interfaces are automatically re-established if they are detached.

Modify the setting options according to the section Gateways Edition of this chapter.

3.2.4 DNS

In this section you configure the machine's name and the DNS servers that will be consulted by N
5.2.1 Support for Groups Cadastre

There are two ways of working with user groups, depending on the authentication type chosen.

Case 1: remote base authentication by NIS or Windows without user synchronization, or local base.

The group cadastre maintenance follows the pattern established previously. For user groups the following fields should be filled in (see the illustration below):

Figure 5.3: Inclusion/Edit of Groups (fields Name, Description; Save settings; Back, Items)

- Name: the name you want to give to the group. Example: Financial.
- Description: what this group refers to. Example: Financial Section.

Case 2: authentication with user synchronization by NIS or Windows.

In this case the administrator should edit the groups on the Windows or NIS domain controller and synchronize the user bases again in the Authentication option of Users and Groups. See item 5.3.

5.3 Users

There are two ways of working with users, depending on the authentication type chosen.

Case 1: authentication by NIS or Windows without NTLM synchronization.

Nettion allows you to register, regardless of the kind of authentication, the users that need differentiated treatment on Internet access; the administrator can assign each user to one or more groups to simplify the maintenance of the proxy rules for them.

Case 2: Windows authentication with NTLM.

In thi
Figure 12.24 (continued): further quarantine rows, e.g. "Smashing style accessories" SPAM 4.0/4.0 and "Perfect clones of famous watches" SPAM 4.0/4.0; buttons Back, Edit, Items, Del. Caption: Quarantine of Messages with Virus

Below, the text of the retained e-mail, as shown in illustration 12.25. On this screen you can read the retained e-mail and decide whether to delete it or release it for delivery to its address, through the Delete and Liberate buttons.

Figure 12.25: Liberate/Delete of a Retained E-mail in Quarantine (headers Subject, From, To, Priority, Date, Message-ID, MIME-Version; the example is a "replica" advertisement carrying an attachment Enough.zip of type application/octet-stream; buttons Items, Del, Allow)

Click the Delete button to remove the message from the quarantine definitively, or the Liberate button to remove it from the quarantine and deliver it to its address. A released message is delivered exactly as it was received, attachment included, so release only messages you have verified.

Note: to remove a message from the quarantine it is not necessary to edit it, because the Delete button is also available on the listing screen.
Figure 9.5: IPSEC Server Settings (the server's RSA public key, shown base64-encoded; Save settings; Back, Items)

9.2.2 Connections

In this module the administrator registers and controls VPN IPSec connections. A list of the connections already registered is presented. Each listed connection has a status indicator, green (active) or red (inactive) according to the connection state, and a Start or Stop button to be pressed to begin or stop the connection according to its state. For each connection are listed its name, network A and its gateway, network B and its gateway, the connection status and the action (Start or Stop button).

Attention: before starting your connection, make sure the VPN IPSec service in the menu System > Services is marked as Auto, so that Nettion starts the service at boot.

Figure 9.6: Listing of IPSEC connections (example row: Company Filial, 192.168.0.1/24 via 200.200.200.1, 200.250.130.1, 172.16.0.0/16; buttons Back, Add, Edit, Items, Del)

The list of registered connections can be ordered by any of the displayed columns: to alternate the display and ordering of the table items, click on the specific column. The scroll bar can be used to navigate among the items.

Maintenance of the connections cadastre

The connections maintenan
IP, we will see the Default Route item marked, and on the Nettion with a static IP we will see the Any item marked.

4. Nettion also makes it possible for both ends, Nettion A and Nettion B, to have dynamic IPs (ADSL, for instance). For that, the settings must use a host name rather than the host IP. As the IP is dynamic, use Nettion's dynamic DNS service and associate a DNS name with each Nettion. Once configured, Nettion keeps the connection active even if the IPs change. See illustration 9.7 below.

Figure 9.7: Add/Edit of IPSEC Connection (example USA-Brazil: Connection Name; Gateway A as IP/Hostname, Any or Default Route, e.g. 200.200.200.1; Network A 192.168.0.1/24 and 10.0.0.0/24; Next Hop A 200.200.200.254; Gateway A ID, e.g. host@yourcompany.com; Gateway A key as public key (RSA) or shared key (PSK), with "Import my public key"; Gateway B IP/Hostname, Any or Default Route; Network B 192.168.0.0/16; Gateway B ID, e.g. host@domain.com; Gateway B key; "Use an alternative DNS server" with two no-ip.com name servers; Connection Manual or Auto; Connection Status Active or Inactive; Save settings; Back, Items, Del)

9.3 OpenVPN NettionPlug

OpenVPN's documentation is in the item of Chapter 15 about NettionPlugs, on page
Objects.

Note 2: also create a service object with port 1863/TCP called msn. For more information on how to create service objects see Chapter 4, Objects.

Note 3: the HTTP and HTTPS services should also be added to the blocking rule. See the rule summary in table 15.2.

15.4.3 Audit

All chats made through Blitz are audited. To follow the chats, click the menu Blitz > Audit; all chats are displayed by date. To view the content of one, select it and click the Items button, as shown in illustration 15.3.

Figure 15.3: Chats Audit of Blitz (example: user john.simpson, date in April 2008, conversation between john.simpson@yourcompany.com and mathew.thompson@yourcompany.com, shown as timestamped lines; buttons Back, Items)

15.4.4 Firewall

Now it is necessary to allow Nettion itself to make connections originating from the Blitz service. For that, create a rule releasing traffic originating on Nettion w
Rules

Configuring the firewall requires a detailed analysis of the environment so that all necessary traffic is covered by rules. Some basic rules, useful in most environments, follow.

8.3.1 Access to Nettion

You must create a rule that allows you to reach the Nettion administration interface. This rule can be released only for a fixed IP on the network (the administrator's machine) or for the whole local network, with Nettion as the destination. Prefer the fixed-IP form: exposing the administration interface to every host on the local network widens the attack surface needlessly. A summary of the rule to be created follows in table 8.1 (page 72).

Rule: Nettion Administration
Source: Administrator host
Destination: localhost
Services: http, https, ssh
Action: Accept

Table 8.1: Liberation of Nettion Access

Note: as mentioned previously, the special object localhost refers to Nettion itself.

8.3.2 Access Nettion > Internet

In most cases Nettion is used as the network's proxy, which requires Nettion to reach some services on the Internet, such as DNS, HTTP and HTTPS. See the rule summary in table 8.2 below.

Rule: Nettion > Internet
Source: localhost
Destination: any
Services: dns, http, https
Action: Accept

Table 8.2: Nettion > Internet Access

8.3.3 Local Network Names Resolution

Most of the time Nettion is responsible for Internet name resolution for the machines of the local network. For that, follow the rule summary in table 8.3.

Rule: DNS for Internet
Destination:

Table 8.3: Liberation of DNS for Internal Net

OBS: We remind that
ace to answer for other IP addresses besides the main one; 2. ADSL connections: allows an ADSL connection to be assigned to an interface. This option is only available on a DHCP interface, as you will see further on.

Additional IPs

To add an additional address to an interface, follow the steps below (see the illustration on page 22):

- On the listing screen, select the interface that will receive the additional IP and click the Items button.
- On the next screen a list of the device's sub-interfaces is presented. Click the Inclusion button.
- On the next screen select the Sub-interface type and click Next.
- Now enter the IP Address, Netmask and Description, and whether the sub-interface will answer DNS requests.
- To finish, click the Add Interface button.

Figure 3.7: Sub-Interface Inclusion (fields eth0:0; IP Address; Netmask; Sub-interface Description; "Respond DNS requests on this Interface"; Save settings; Back, Items)

After the inclusion the sub-interface is listed as shown in illustration 3.8, page 22. Note that the name of the sub-interface is the name of the main device followed by the sub-interface number (eth0:0, for instance). If needed, include other sub-interfaces following the same steps.

Figure 3.8: Sub-Interface listing (example row: 192.168.0.30, 255.255.255.0, Service 01, Sub-Interface; Page 1 of 1, 1 record; Bac
ade system for e-mail attachments by size and extension; a report system; queue control, which lets the administrator follow whether a message has not yet been delivered and why, and even delete it; system logs; the quarantine, which lets you follow the e-mails that were blocked for containing viruses; and several other functions that are decisive in monitoring your e-mail server.

For receiving e-mail, users can use the following kinds of accounts: POP3, POP3S, IMAP or IMAPS, or even the webmail made available by Nettion.

12.1.1 Authentication

This option does not refer to the authentication method, which was defined previously in the chapter on Users and Groups, but to the maximum number of simultaneous authentications allowed. That depends on the number of system users: the larger the number of users, the larger the number of simultaneous authentications. Twenty (20) is a good starting value. The administrator can raise it on noticing that users need several authentication attempts in their e-mail client to complete an operation, or reduce it so that server memory is not used needlessly.

E-mail settings screen: fields Simultaneous authentications allowed; Max attachment size allowed (MB); SMTP port; Block hosts without reverse DNS (note that this also rejects legitimate senders whose providers have not published a PTR record); Notices for Failures and Warnings; bounce template with Sender "Mail Delivery System" (postmaster), Subject "Undelivered Mail Returned to Sender" and a body beginning "I'm sorry to have to inform you that your message could not
and fill in the following field with one or more accounts to which new messages should be forwarded. Remember to separate them with semicolons.

Figure 12.12: Add/Edit E-mail Users (quota fields with Unlimited checkboxes; Save settings)

12.4 Aliases

In this section the administrator can define aliases, a kind of nickname: another name by which one or more accounts are known.

12.4.1 Creating an Alias

In the Aliases section click Add and the following screen appears. In this example an alias george.thompson@default.com was created. This address is an alias for the e-mail george@default.com; therefore, sending a message to george.thompson@default.com is the same as sending a message to george@default.com.

Figure 12.13: Add an E-mail Alias (fields Alias; Domain, e.g. yourcompany.com; Users defined for the alias, chosen from a list of accounts such as john.simpson@yourcompany.com, alex.connor@yourcompany.com and sophia.watson@yourcompany.com; Save settings; Back, Items)

- Alias: the alias name. In this example, george.thompson.
- Domain: select from the list the domain for which you are creating the alias. In this example, default.com.
- Users defined for alias: define the use
Figure 3.20: Creating Rule, Step 3 (Range / Not Range selectors for source and destination; Services: all services or chosen services; Back, Items)

- Step 4: The gateways can be selected in a priority list, where the one at the top is used first. The following gateways are used in the established order as the gateways above them fail. Turning on the option "In case all the selected gateways fail, route via the default route" makes Nettion use its standard gateway if all the selected exits fail. See the illustration below.

Figure 3.21: Creating Rule, Step 4 (Apply to: Route by Gateways. "Nettion will use the chosen gateways for this route individually, according to the priority order defined in the left column. The next gateway in that column is used if the gateway currently in use fails." Gateways: eth0 200.200.201.4, eth1 189.200.201; checkbox "In case all the selected gateways fail, then route by Default Gateway"; Back, Items)

3.2 NETWORK

- Advanced Settings: By default Nettion masquerades (NAT) the connections made by hosts with private IPs destined for the Internet, those coming from your internal network for instance. This section allows you to disable that function, for the case where you want to tell Nettion explicitly not to masquerade traffic coming from a DMZ with public IPs, for instance, or it allows the IP
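The gateway monitoring described in section 3.2 (a ping to reference servers every minute with a configurable timeout) and the priority-ordered gateway list of Step 4 above, as an added example that is not Nettion's code. The probe is injectable so the selection logic runs offline; the hysteresis (a gateway is marked down only after several consecutive failed rounds) is an addition the page does not describe, included because a short timeout on a congested link would otherwise flap the route. Interface names, addresses and the use of iputils ping with -I are assumptions.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str                          # interface, e.g. "eth0"
    address: str                       # gateway IP, e.g. "200.200.201.4"
    timeout_s: Optional[float] = 2.0   # None = "Unlimited" in the edit form


def ping_once(target: str, iface: str, timeout_s: Optional[float]) -> bool:
    """One ICMP echo sent out of a given interface (Linux iputils ping; assumed present)."""
    args = ["ping", "-c", "1", "-I", iface]
    if timeout_s is not None:
        args += ["-W", str(max(1, int(timeout_s)))]
    try:
        done = subprocess.run(args + [target], capture_output=True, timeout=(timeout_s or 30) + 5)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


class GatewayMonitor:
    """Per-gateway up/down state. A gateway is up if any reference server answers
    within its timeout; it is marked down only after `down_after` consecutive
    failed rounds, so a single lost ping does not rewrite the routing table."""

    def __init__(self, gateways: List[Gateway], reference_servers: List[str],
                 probe: Callable[[str, str, Optional[float]], bool] = ping_once, down_after: int = 3):
        self.gateways, self.servers, self.probe, self.down_after = gateways, reference_servers, probe, down_after
        self.failures = {gw.name: 0 for gw in gateways}
        self.up = {gw.name: True for gw in gateways}

    def check(self) -> Dict[str, bool]:
        """Run one monitoring round (Nettion does this every minute) and return the state."""
        for gw in self.gateways:
            ok = any(self.probe(srv, gw.name, gw.timeout_s) for srv in self.servers)
            self.failures[gw.name] = 0 if ok else self.failures[gw.name] + 1
            self.up[gw.name] = self.failures[gw.name] < self.down_after
        return dict(self.up)


def choose_gateway(priority: List[str], state: Dict[str, bool],
                   fallback_default: bool, default_gw: str = "default") -> Optional[str]:
    """Step 4 semantics: first healthy gateway in priority order; if none is up,
    the default route when the option is ticked, otherwise no route (None)."""
    for name in priority:
        if state.get(name):
            return name
    return default_gw if fallback_default else None


if __name__ == "__main__":
    gws = [Gateway("eth0", "200.200.201.4"), Gateway("eth1", "189.200.201.1")]
    mon = GatewayMonitor(gws, ["198.51.100.1"])       # constructed reference server
    print(choose_gateway(["eth0", "eth1"], mon.check(), fallback_default=True))
```

Pinging a reference server from the Nettion box without binding the probe to the gateway's interface would test the current default route rather than each link, which is why the probe carries the interface name.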
attachment and not in the e-mail body. Example: you received an e-mail marked as POSSIBLE SPAM, verified that it really is spam and want to send it to Nettion so that it learns this e-mail as spam. Then right-click the e-mail (in the case of Outlook Express) and select the option "Forward as attachment"; after that, continue with the normal e-mail sending procedure.

Note 2: check in your e-mail client how to forward an e-mail as an attachment.

12.6.2 Learning

In this section the administrator configures the training schedule of Nettion's antispam system and obtains information about such trainings.

Scheduling

Here the administrator schedules the antispam system training, defining the period in which it is executed. The available options are:

- Daily: daily training; the administrator defines the time of the training.
- Weekly: weekly training; the administrator defines the day of the week on which the training runs, besides the time.
- Monthly: monthly training; the administrator defines the day of the month on which the training runs, besides the time.

Figure 12.18: Learning Schedule (fields Period; Day, "Not applicable" for daily training; Time; Save settings; Back, Items)

History

In this section the administrator obtains a report of the trainings performed by the antispam system, with information such as:

Date | E-mail | Total | New | Status
09/04/2008 | Nospam | 100 | 90 |
09/04/2008 | Spam | 10 | 8 |
aunching the ChatServer Service

To start the service, click the menu System > Services, then click the Start button for the Chat Server service. To keep the service always active at Nettion boot, tick the Auto box and click "Apply changes to selected items".

15.3.5 More Information

You can also consult the step-by-step tutorial available on Nettion's site for more information on how to configure the plugin server and clients.

15.4 Blitz

Blitz is the NettionPlug responsible for administering and controlling MSN use in companies. It was developed for organizations that need to use IM for business contacts. Besides controlling MSN permission levels per user or user group, Blitz makes it possible to administer the contact list. This way, if your company needs IM to communicate with external contacts, with this NettionPlug you ensure that communication is established only for appropriate purposes.

Blitz is entirely a web plugin integrated with Nettion; in other words, no new hardware acquisition is needed to install it. Easily acquired, the application has an intuitive interface with simple administration through a wizard. The functionality was developed by NIS to increase your business's productivity as well as to reduce bandwidth consumption and phone bills.

15.4.1 How It works

Blitz works as a kind of SOCKS5 proxy server whose function is to control the MSN access of your network, making the wh
btaining, we would apply a rule on the eth0 interface (the interface delivering the data), restricting traffic originating from port 110 destined for the internal network or for some specific machine. We will see more on rule creation later.

7.2 Dynamic Band Redistribution

The second concept, no less important, is dynamic band redistribution. It allows the band allocated to a certain service or host/network to be consumed by another when idle. To be clear, imagine a situation where you allocated part of your band (300 Kbit/s) to a certain host of your network, but you want that band, when idle, to be distributed to the other machines of the network. For that we use the concepts of minimum speed and maximum speed: the minimum speed is what is reserved, in other words it is not shared, and the maximum speed is the band that can be used when idle band exists. This whole control is made through Classes, which represent band reservations, and their Rules. In the next section you will learn how classes and rules are configured.

7.3 Settings

To configure Nettion Bandwidth Control, access the menu Bandwidth Control > Settings. The screen displayed lists all the existing network interfaces of the system, as the illustration below shows. Nettion's Bandwidth Control is oriented by your network devices: each device has its own control according to the classes and the rules applied to those classes.

The e
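The minimum/maximum model of section 7.2 is exactly the rate/ceil model of Linux HTB queueing, so here is an added example (not Nettion's code; whether Nettion uses tc/HTB underneath is an assumption) that validates a set of classes for one interface, including the check that the reserved minimums fit the link, and renders them as tc commands, plus a rule that steers traffic into a class by destination host or by source port, as in the POP3 (port 110) case above. Interface names, speeds and the class ids are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BandClass:
    name: str
    min_kbit: int   # reserved band: never shared with other classes (HTB "rate")
    max_kbit: int   # band the class may reach while idle band exists (HTB "ceil")


def validate(link_kbit: int, classes: List[BandClass]) -> List[str]:
    """Problems that would make the reservations unsatisfiable, as messages."""
    problems = []
    reserved = sum(c.min_kbit for c in classes)
    if reserved > link_kbit:
        problems.append(f"reserved {reserved} kbit exceeds link {link_kbit} kbit")
    for c in classes:
        if not (c.min_kbit <= c.max_kbit <= link_kbit):
            problems.append(f"class {c.name}: max must lie between min and the link speed")
    return problems


def class_ids(classes: List[BandClass]) -> Dict[str, int]:
    """Minor class numbers 1:10, 1:11, ... in listing order (assumed numbering)."""
    return {c.name: 10 + i for i, c in enumerate(classes)}


def htb_commands(dev: str, link_kbit: int, classes: List[BandClass], default_class: str) -> List[str]:
    problems = validate(link_kbit, classes)
    if problems:
        raise ValueError("; ".join(problems))
    ids = class_ids(classes)
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default {ids[default_class]}",
        # parent class = the whole link; children borrow idle band from it up to their ceil
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit ceil {link_kbit}kbit",
    ]
    for c in classes:
        cmds.append(f"tc class add dev {dev} parent 1:1 classid 1:{ids[c.name]} "
                    f"htb rate {c.min_kbit}kbit ceil {c.max_kbit}kbit")
    return cmds


def filter_command(dev: str, classes: List[BandClass], class_name: str,
                   dst_ip: Optional[str] = None, sport: Optional[int] = None) -> str:
    """A rule mapping traffic to a class by destination host and/or source port."""
    match: List[str] = []
    if dst_ip:
        match += ["match", "ip", "dst", f"{dst_ip}/32"]
    if sport:
        match += ["match", "ip", "sport", str(sport), "0xffff"]
    if not match:
        raise ValueError("a rule needs at least one match")
    return (f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 "
            f"{' '.join(match)} flowid 1:{class_ids(classes)[class_name]}")


if __name__ == "__main__":
    # Constructed example: a 2048 kbit/s link, 300 kbit/s reserved for one host.
    classes = [BandClass("john", 300, 2048), BandClass("rest", 1000, 2048)]
    for cmd in htb_commands("eth0", 2048, classes, "rest"):
        print(cmd)
    print(filter_command("eth0", classes, "john", dst_ip="10.0.0.34"))
    print(filter_command("eth0", classes, "john", sport=110))
```

The parent class carries the full link speed and each child class carries its minimum as rate and its maximum as ceil; HTB then lends a child's unused reservation to its siblings, which is the dynamic redistribution the section describes. The sum of the children's rates must not exceed the parent's, which is what validate() enforces.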
c rules for some network IPs. The list of registered hosts can be ordered by the Host or the IP Address column: the system alternates the display and ordering of the table items when the user clicks on the specific column. The scroll bar can be used to navigate between the table items.

11.2.1 Support for Hosts Cadastre

The hosts cadastre maintenance follows the previously established default. For hosts the following fields should be filled in:

Figure 11.3: Inclusion of New Host (fields Host Name; MAC Address; IP Address, e.g. 10.0.0.34; Network; Save settings; Back, Items)

- Host Name: description of the host. Example: Machine of John.
- MAC Address: the physical address of the network adapter (MAC address). Example: 00:E0:7D:00:E3:23.
- IP Address: the IP address to be supplied.
- Network: the network the host belongs to. Example: 128.0.0.0.

Note that a reservation by MAC address fixes which IP a host receives; it is not an access control, since a MAC address is trivially changed by whoever controls the machine.

11.3 Networks

The DHCP server assigns IPs inside the specified networks to the interface to which they are addressed. The list of registered networks can be ordered by the Network or the Mask column; for that the administrator clicks on the specific column, which makes the system alternate the display and ordering of the table items. The administrator can use the scroll bar to navigate between the table items.

11.3.1 Support for Networks Cadastre

The networks cadastre maintenance follows previ
cal base is already updated.
- Unsuccessful: when Nettion cannot connect to the remote bases.

Figure 12.16: Update History (columns Date, File, New signatures, Status; e.g. 10/04/2008 main.cvd 2062; 09/04/2008 main.cvd 1891; 08/04/2008 main.cvd 337; 07/04/2008 main.cvd 388; 06/04/2008 main.cvd 443; 05/04/2008 main.cvd 1393; 04/04/2008 main.cvd 631; 03/04/2008 main.cvd 521; 02/04/2008 main.cvd 359; 01/04/2008 main.cvd 1395; Previous, 1-10 of 43, Next; Back, Items)

12.6 Antispam

Nettion's antispam is a feature that controls undesirable messages. Even though Nettion's e-mail server relay is closed, in some places there are administrators who do not take due care to close their relays. Spammers, those who send hundreds or even thousands of unrequested messages, take advantage of that weakness. Good administrators should worry about the bad work done by others and ensure that their users are less affected by the problem. An antispam is software that relies on characteristics of e-mails classified as spam, such as keywords and HTML formatting.

12.6.1 Settings

For each spam characteristic found in an e-mail, the e-mail receives a score that depends on what was found. When this score reaches a certain limit, the sensitivity configured in the settings, the e-mail is altered: the title of a message identified as spam is prefixed with the expression POSSIBLE SPAM. The message will usually be give
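The scoring described in 12.6.1 and the learning described in 12.6.2 (including why the text insists on forwarding samples as attachments), as one added example that is not Nettion's code: each characteristic adds to a score, a message that reaches the sensitivity gets the POSSIBLE SPAM prefix, and learning adjusts per-token weights from messages carried as message/rfc822 attachments. The training messages, the 4.0 sensitivity (taken from the quarantine listing) and the characteristics chosen are assumptions; Nettion's real scoring rules are not on this page.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

TOKEN = re.compile(r"[a-z]{3,}")


class Antispam:
    """Score-and-threshold filter with a learned token table."""

    def __init__(self, sensitivity: float = 4.0):
        self.sensitivity = sensitivity
        self.spam = defaultdict(int)   # token -> times seen in mail learned as spam
        self.ham = defaultdict(int)    # token -> times seen in mail learned as not spam

    @staticmethod
    def _text(msg: EmailMessage) -> str:
        body = msg.get_body(preferencelist=("plain", "html"))
        return msg.get("Subject", "") + " " + (body.get_content() if body is not None else "")

    @classmethod
    def _tokens(cls, msg: EmailMessage) -> set:
        return set(TOKEN.findall(cls._text(msg).lower()))

    def learn(self, msg: EmailMessage, is_spam: bool) -> None:
        table = self.spam if is_spam else self.ham
        for t in self._tokens(msg):
            table[t] += 1

    def learn_from_forward(self, forwarded: EmailMessage, is_spam: bool) -> int:
        """Learn only from message/rfc822 attachments: a sample forwarded inline would
        teach the filter the forwarder's own headers and text instead of the spam."""
        learned = 0
        for part in forwarded.iter_attachments():
            if part.get_content_type() == "message/rfc822":
                self.learn(part.get_payload(0), is_spam)
                learned += 1
        return learned

    def score(self, msg: EmailMessage) -> float:
        s = 0.0
        for t in self._tokens(msg):
            sp, hm = self.spam.get(t, 0), self.ham.get(t, 0)
            if sp + hm:
                s += 2.0 * (sp / (sp + hm) - 0.5)   # +1 for a pure-spam token, -1 for pure ham
        body = msg.get_body(preferencelist=("plain", "html"))
        if body is not None and body.get_content_type() == "text/html":
            s += 1.0                                  # HTML-formatted characteristic
        subj = msg.get("Subject", "")
        if subj and sum(c.isupper() for c in subj) > len(subj) / 2:
            s += 1.0                                  # shouting subject characteristic
        return s

    def classify(self, msg: EmailMessage) -> float:
        """Tag the subject when the score reaches the sensitivity; return the score."""
        s = self.score(msg)
        if s >= self.sensitivity:
            subj = msg.get("Subject", "")
            del msg["Subject"]
            msg["Subject"] = "POSSIBLE SPAM " + subj
        return s


def make_mail(subject: str, body: str, html: bool = False) -> EmailMessage:
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body, subtype="html" if html else "plain")
    return m


def trained_filter() -> Antispam:
    """Constructed training set in the style of the quarantine listing above (not real traffic)."""
    f = Antispam(sensitivity=4.0)
    for subj, body in [("Replica watches", "Cheap replica watches, famous brands"),
                       ("Smashing style accessories", "Perfect clones of famous watches")]:
        f.learn(make_mail(subj, body), True)
    for subj, body in [("Budget meeting", "Please review the attached budget report before the meeting"),
                       ("Sales report", "Sales report for April attached, great numbers")]:
        f.learn(make_mail(subj, body), False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    m = make_mail("Perfect clones of brand watches", "Gorgeous replica watches, cheap!")
    print(f.classify(m), m["Subject"])
```

Keyword tables like this one are easy to evade with misspellings and image-only mail, which is why the training must be kept current through the scheduled learning and why the score, not a single characteristic, decides.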
ce cadastre proceeds like the previously established pattern. For new connections the following fields should be filled in. To make this easier to understand, we identify as A and B the two sides that will close the VPN.

- Name: a name with which you want to identify the connection. Example: Store 1.
- GATEWAY A: the IP address of the machine that will serve as gateway, in other words the machine that connects to the other network. Example: 200.253.5.10. Usually Nettion itself. The administrator has 3 options for this item: IP/Hostname, Any, Default Route.
  - IP/Hostname: when Nettion has a valid, fixed exit IP. Example for Brazil: TELEMAR link IP, EMBRATEL link IP.
  - Any: when on side A of the VPN this same position is registered as Default Route, on side B Any will be registered. Example: a connection between a Nettion with a static IP accepting a connection from a Nettion with a dynamic IP.
  - Default Route: when the administrator sets up a VPN using a dynamic IP link it is impossible to determine which Nettion's IP, and consequently its gateway, will be. In this case mark the Default Route option. Example: VPN setup using ADSL or cable.
- Network A: the network that is part of the connection and therefore will be accessible by the other side (Network B). Example: 128.0.0.0/16.
- Next Hop A: the standard exit of the Nettion that acts as Gateway A. Example: 200.253.5.9 (Nettion's gateway). In case you are registering data of a VPN that us
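The side A / side B fields above and the combinations the text allows (IP/Hostname with Any on the static end, Default Route with the peer's IP or host name on the dynamic end, host names on both ends for the dynamic-DNS case of item 4), as an added example that is not Nettion's code: it checks a connection definition and renders it as an ipsec.conf "conn" stanza in strongSwan/Openswan syntax. That Nettion is backed by such a daemon, the identifiers and the addresses are assumptions; the pre-shared key or RSA key itself lives in ipsec.secrets and is not part of the stanza.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Side:
    mode: str                    # "ip" (IP/Hostname), "any" (Any) or "default" (Default Route)
    address: Optional[str]       # IP or host name when mode == "ip"; a host name covers the dynamic-DNS case
    network: str                 # Network A / Network B, e.g. "128.0.0.0/16"
    ident: Optional[str] = None  # Gateway ID, e.g. "@store1.yourcompany.com"


def check_connection(a: Side, b: Side, auto: bool) -> List[str]:
    """Combinations that cannot work, returned as messages (empty list = ok).
    Side A is this Nettion, side B the peer, as in the form above."""
    problems = []
    if a.mode == "any":
        problems.append("gateway A is this Nettion: use IP/Hostname or Default Route, not Any")
    if a.mode == "default" and b.mode != "ip":
        problems.append("a Default Route side must know the peer's IP/Hostname to connect to")
    if a.mode == "default" and not a.ident:
        problems.append("a dynamic-IP side needs a Gateway ID so the peer can recognise it")
    if b.mode == "any" and auto:
        problems.append("with gateway B = Any this side can only wait for the peer: use Manual (auto=add)")
    if b.mode == "default":
        problems.append("Default Route describes the local side only; register Any for a dynamic peer")
    return problems


def _side(s: Side, prefix: str) -> List[str]:
    value = {"ip": s.address, "any": "%any", "default": "%defaultroute"}[s.mode]
    lines = [f"{prefix}={value}", f"{prefix}subnet={s.network}"]
    if s.ident:
        lines.append(f"{prefix}id={s.ident}")
    return lines


def build_conn(name: str, a: Side, b: Side, auth: str, auto: bool) -> str:
    """Render the connection; auth is "psk" (shared key) or "rsa" (public key)."""
    problems = check_connection(a, b, auto)
    if problems:
        raise ValueError("; ".join(problems))
    body = _side(a, "left") + _side(b, "right")
    body.append("authby=" + {"psk": "secret", "rsa": "rsasig"}[auth])
    body.append("auto=" + ("start" if auto else "add"))   # Auto = start at boot, Manual = load only
    return "\n".join([f"conn {name}"] + ["    " + line for line in body])


if __name__ == "__main__":
    # Static head office accepting a dynamic-IP store (constructed addresses).
    hq = Side("ip", "200.253.5.10", "128.0.0.0/16", "@hq.yourcompany.com")
    store = Side("any", None, "10.0.0.0/24", "@store1.yourcompany.com")
    print(build_conn("store1", hq, store, "psk", auto=False))
```

On the store's Nettion the same connection is written the other way round: Gateway A as Default Route with its own ID, Gateway B as the head office's IP/Hostname, and Auto so that the dynamic end initiates.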
ch contacts the users can communicate. In Source Filters select the user(s) and in Destination Filters select the contact(s) allowed for those user(s). See illustration 15.10.

Figure 15.10: Users Selection and Passports of the Rule (Source filters: groups such as commercial, administration, Customers, Call Center and Financial, and users such as john.simpson, david.smith, mary.stuart and newton.phillipe; Destination filters: contact groups and contacts such as contact1@hotmail.com to contact5@hotmail.com and contact@msn.com; Back)

Step 5: On the last screen of the wizard you define whether the rule's user(s) may chat and/or transfer files with the selected contact(s). To create the rule click the Finish button. See illustration 15.11.

Figure 15.11: Definition of Activities Allowed through Blitz (Traffic type: "Select the traffic types that will be handled by this rule": Chat, File transfer; Back, Items)

15.4.8 Beginning the Blitz Service

To start the service, click the menu System > Services, then click the Start button for the Blitz service. To keep the service always active at Nettion boot, tick the Auto box and click "Apply changes to selected items".

15.4.9 Configuring the Stations

Now it is necessary to do the stations' sett
ck the "Apply changes to selected items" button if you changed the checkbox in the Auto column.

14.2 Plugins

For more detailed information on NettionPlugs see Chapter 15.

14.3 Backup

Nettion is a system that provides many services, some of them quite critical. Such services require a great amount of information and settings, and the damage caused by losing it can be, depending on the case, incalculable. Reinstalling and reconfiguring everything in an emergency would be a very harmful process. With this in mind, a system backup was created that makes possible the immediate restoration of all the information and configurations existing in Nettion and its return to normal operation.

The process consists of creating a compressed file containing the system data, with the capability of sending a backup copy to a machine on your network through a Windows network share. The administrator can configure the backup file content, which can contain Nettion logs and e-mails besides the configurations. The backup is automatic according to the periodicity previously configured by the administrator; it is also possible to make a manual backup. Since the file contains the complete configuration, restrict access to the share that receives it to the accounts that need it, and test a restore periodically rather than discovering problems in an emergency.

14.3.1 Settings: Modules

To access the Nettion Backup service, go to the menu System > Backup > Settings > Modules. On the screen displayed you can select the modules to be included in the backup file. To finish, click
ckage's destination ports, etc., checking whether this information matches some rule registered in the firewall. If so, the firewall takes the action the rule specifies: block, accept or audit. If there is no specific rule in the firewall that treats the packet, the default policy defined in Nettion's firewall is used, which can be Accept All or Drop All. Drop All is the safer default: with Accept All, any traffic you forgot to write a Deny rule for passes.

8.2.1 Including a New Rule

For the user to add rules to the Nettion firewall, the objects that will be used must be registered previously. It is recommended to plan a sketch of the rules to be registered. Nettion already provides the great majority of the services you will need when configuring the firewall, but you also have the option of adding new ones if necessary. To include a rule, click the Inclusion button in the menu Firewall > Rules and fill in the requested fields.

Basic rule definitions:

- Description: a description of the rule, for instance "Access VNC to Machine01".
- Action: the action the firewall takes on the packets treated by this rule, which can be:
  - Allow: releases the traffic.
  - Deny: blocks the traffic.
  - Log: generates records of the connections treated by the rule. It is especially useful when you want to discover the ports used by a certain service. All the audited traffic can be seen in the Firewall Report.
- Pos: position in the rules list. The rules are processed in sequential order, and that order is impor
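The rule processing just described (first match in position order, Allow/Deny/Log actions, Accept All or Drop All default policy), run over the three basic rules of section 8.3, as an added example that is not Nettion's code. The address and service objects stand in for the objects of Chapter 4 and are constructed; that a Log rule records the packet and lets later rules decide is an assumption, since the page does not say whether Log terminates evaluation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Service objects (protocol, port) and address objects; constructed stand-ins for Chapter 4's objects.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22),
            "dns": ("udp", 53), "vnc": ("tcp", 5900)}
OBJECTS = {
    "localhost": ["192.168.0.1/32", "127.0.0.1/32"],   # the special object: Nettion itself
    "administrator": ["192.168.0.50/32"],
    "local_net": ["192.168.0.0/24"],
    "any": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    pos: int
    description: str
    source: str
    destination: str
    services: List[str]
    action: str   # "Allow", "Deny" or "Log"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_in(obj: str, addr: str) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in OBJECTS[obj])


def _svc_in(names: List[str], pkt: Packet) -> bool:
    return any(SERVICES[n] == (pkt.proto, pkt.dport) for n in names)


def evaluate(rules: List[Rule], pkt: Packet, default_policy: str = "Drop All",
             log: Optional[list] = None) -> str:
    """Return "Allow" or "Deny" for the packet; Log rules append to `log` and continue."""
    for r in sorted(rules, key=lambda r: r.pos):            # Pos decides the order
        if _addr_in(r.source, pkt.src) and _addr_in(r.destination, pkt.dst) and _svc_in(r.services, pkt):
            if r.action == "Log":
                if log is not None:
                    log.append((r.description, pkt.src, pkt.dst, pkt.proto, pkt.dport))
                continue                                    # assumption: audit, then keep evaluating
            return r.action
    return "Allow" if default_policy == "Accept All" else "Deny"


# The basic rules of tables 8.1 to 8.3.
BASIC_RULES = [
    Rule(1, "Nettion Administration", "administrator", "localhost", ["http", "https", "ssh"], "Allow"),
    Rule(2, "Nettion > Internet", "localhost", "any", ["dns", "http", "https"], "Allow"),
    Rule(3, "DNS for Internet", "local_net", "localhost", ["dns"], "Allow"),
]


if __name__ == "__main__":
    for pkt in (Packet("192.168.0.50", "192.168.0.1", "tcp", 22),
                Packet("192.168.0.77", "192.168.0.1", "tcp", 22)):
        print(pkt, evaluate(BASIC_RULES, pkt), evaluate(BASIC_RULES, pkt, "Accept All"))
```

The second packet in the usage shows the point about the default policy: an ordinary workstation reaching the SSH port of the administration interface is denied under Drop All but passes under Accept All, because no rule mentions it.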
consumption graph you can obtain a consumption history of both main memory and swap memory within a time period; real-time monitoring is also possible by clicking the Start button.

Figure 14.14: Memory Consumption Graph (Memory Utilization from 26/06/2008 15:26:23 to 26/06/2008 15:56:23; Main: last 1.90 GB, average 1.89 GB, maximum 1.90 GB; Swap: last 0.00 bytes, average 0.00 bytes, maximum 0.00 bytes; Total: last 1.90 GB, average 1.83 GB, maximum 1.90 GB; Start; Back, Items)

14.7.3 Disks

In the disk consumption graph you can obtain a report of all data read and written within a time period; to see it in real time, click the Start button.

Figure 14.15: Disk Consumption Graph (SDA disk I/O from 26/06/2008 15:24:22 to 26/06/2008 15:54:22; Write: last 175.44 KB/s, average 130.77 KB/s, maximum 316.36 KB/s; Read: last 0.00 bytes/s, average 4.55 bytes/s, maximum 491.52 bytes/s; Start; Back, Items)

14.8 About

In this section the administrator has access to data about Nettion
(…)d to your addresses. While they wait for processing, these messages are kept in a queue that the administrator can inspect, as in the illustration. Filters can be applied to the queue search in order to obtain the origin and destination of the e-mail, the number of delivery attempts, the size, and the time the e-mail entered the queue.

Figure 12.22: E-mail Log Registers (queue listing with columns Source, Destination, Attempts, Size and Date; search filters by source, destination, attempts, size larger than a given number of KBytes, and date range)

12.7.2 Logs

After a queued message is processed, a record of what happened to it is kept. In this screen the message status is shown: whether it was delivered successfully or whether there was a problem in the delivery.

12.7.3 Auditing

Auditing lists all messages that passed through the server. The auditing option allows the administrator to view a copy of each processed message.
(…)dicate Belong to group and select a domains object to apply the rule to the domains of that group, or indicate Not belonging to the group and select a domains object to apply the rule to the domains that are not part of the selected group.
- Filter: use the same logic applied to domains, this time with Expressions objects.
- Position: position of the rule in the table. Determines the priority of rule interpretation.
- Status: rule status; indicates whether the rule is Active or Inactive. Options: Active or Inactive.

Important: if you select a domain filter and an expression filter in the same rule, Nettion applies the rule only if the accessed URL satisfies both the domain filter and the expression filter of the selected groups (logical AND).

The criterion for positioning the rules varies according to the security policy implemented. We suggest, however, some concepts that can be observed:

Figure 6.5: Rule Definition (fields Action, Domain, Filter, Position and Status)

1. Permission rules that do not require authentication should be in the first positions. Example: allow the domains without authentication during the commercial schedule for any user.
2. Permission rules that require authentication of selected users should be positioned below the rules that do not requ
(…)e date and time at which the last alert was generated. Example: 21/12/2002 14:27:13.

10.1.8 Last Signatures

Here the administrator views, page by page, the last signature alerts, with the following fields:

- Signature: the signature the alert refers to. Example: WEB-PHP content-disposition.
- Source IP: IP that originated the alert. Example: 10.0.3.30.
- SP: source port of the machine from which the access attempt started. Example: 6040.
- Destination IP: IP the connection is destined to. Example: 10.0.3.12.
- DP: destination port the access was addressed to. Example: 80.
- Protocol: type of protocol used for the access. Example: TCP.

Table of last signature alerts (columns Signature, Source IP, SP, Destination IP, DP, Protocol, Time & Date); the sample rows show repeated "spp_stream4: possible EVASIVE RST detection" alerts.
(…)e redirecting VNC connections that arrive at Nettion to a specific host of your network. Important observation: if your intention is to redirect services that arrive at Nettion to another host without altering the destination ports, leave the Port field empty; otherwise, indicate the number of a different port.
- Log this traffic: allows the traffic treated by this rule to be logged. Nettion then generates log records of the connections, which can be accessed through Firewall Reports.
- When necessary, mask this traffic (dynamic): with this option Nettion applies NAT (Network Address Translation) to packets treated by this rule when necessary. That happens, for instance, when a host of the local network with a private IP needs to access a service directly on the Internet.
- State established and/or Related in return of connection: this option enables treatment of the connection state (stateful firewall). When marked, only the source hosts of the rule are allowed to initiate connections towards the destination hosts. When both sides (Source and Destination) need to originate connections, as between two networks of a VPN, unmark this option.

TIP: during rule inclusion it is important to evaluate whether the new rule fits an already existing one. If so, it is enough to edit the existing rule and add the desired objects. This keeps the firewall more organized and makes maintenance easier.

8.3 Firewall Basic
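The two rule-list properties this section relies on, sequential position and the tip about folding a new rule into an existing one, can be checked mechanically. The following is an added example written for this guide, not Nettion code: rule objects, CIDR strings and port ranges are assumed representations, and treating Log rules as non-terminal (they audit but do not stop evaluation) is an assumption, not documented behaviour.

```python
"""Firewall rule-list hygiene checks for ordered rules (added example, not Nettion code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class FwRule:
    position: int
    description: str
    action: str                        # "Allow", "Deny" or "Log"
    sources: FrozenSet[str]            # host/net objects in CIDR form (IPv4 only here)
    destinations: FrozenSet[str]
    service: Tuple[str, int, int]      # (protocol, first port, last port); (x, 0, 0) = any port


def nets_covered(outer, inner):
    """Every network object of `inner` lies inside some network object of `outer`."""
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)


def service_covered(outer, inner):
    proto_o, lo_o, hi_o = outer
    proto_i, lo_i, hi_i = inner
    proto_ok = proto_o == "any" or proto_o == proto_i
    any_port = (lo_o, hi_o) == (0, 0)
    return proto_ok and (any_port or lo_o <= lo_i <= hi_i <= hi_o)


def covers(outer, inner):
    """`outer` matches every packet that `inner` would match."""
    return (nets_covered(outer.sources, inner.sources)
            and nets_covered(outer.destinations, inner.destinations)
            and service_covered(outer.service, inner.service))


def find_mergeable(rules, new):
    """The manual's tip: if an existing rule has the same action, destinations and service,
    add the new source objects to it instead of creating another rule."""
    for rule in sorted(rules, key=lambda r: r.position):
        if (rule.action, rule.destinations, rule.service) == (new.action, new.destinations, new.service):
            return rule
    return None


def shadowed_rules(rules):
    """Rules that can never match because an earlier Allow/Deny rule already covers all their
    traffic. Assumption: Log rules only audit and do not stop processing, so they cannot shadow."""
    ordered = sorted(rules, key=lambda r: r.position)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action in ("Allow", "Deny") and covers(earlier, later):
                found.append((later.description, earlier.description))
                break
    return found


# Constructed rule set; object names follow the manual's examples (PC_01, Machine01).
ANY = frozenset({"0.0.0.0/0"})
LAN = frozenset({"192.168.254.0/24"})
PC_01 = frozenset({"192.168.254.10/32"})
MACHINE01 = frozenset({"10.0.0.10/32"})
RULES = [
    FwRule(1, "Access VNC to Machine01", "Allow", LAN, MACHINE01, ("tcp", 5900, 5900)),
    FwRule(2, "Allow LAN web access", "Allow", LAN, ANY, ("tcp", 80, 80)),
    FwRule(3, "Deny PC_01 web access", "Deny", PC_01, ANY, ("tcp", 80, 80)),   # never reached
    FwRule(4, "Audit LAN SMTP", "Log", LAN, ANY, ("tcp", 25, 25)),
]
NEW_RULE = FwRule(5, "Access VNC to Machine01 from DMZ", "Allow",
                  frozenset({"172.16.20.0/24"}), MACHINE01, ("tcp", 5900, 5900))
```

Running `shadowed_rules(RULES)` reports rule 3 as hidden behind rule 2, and `find_mergeable(RULES, NEW_RULE)` returns rule 1, whose source objects would simply be extended.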
(…)e of the shown columns; the administrator only needs to click on the specific column for the system to switch the display and ordering of the list items. Use the scroll bar to navigate among the registered objects. The administrator can then add, alter or remove an object by clicking the respective buttons.

4.1.1 Objects Inclusion

To add new objects the administrator should click the Inclusion button (see the illustration on page 36).

Figure 4.1: Add button

When the Add button is clicked, the inclusion screen is displayed, where you should fill out the fields of the object to be created. To confirm the inclusion, click the Save Settings button.

4.1.2 Objects Edition

To access the edition module, the administrator should double-click the object to be edited, or select it and click the Edit button (see illustration 4.2 on page 30).

Figure 4.2: Edit button

In the edition screen the administrator can alter the registration data of the selected object and confirm the alterations with a click on the Save Settings button.

4.1.3 Support Object Items

The objects Domains, Expressions, Schedules and Services are formed by groups of objects; in other words, each object contains its items. To access the items, select the wanted object and click the Items button (see illustration on page 37). The list will be displayed
(…)ed. Click the Inclusion button.
- In the following screen select ADSL (wan) and click Next.
- In the following screen fill out the ADSL provider's information:
  User: access login.
  Password: access password.
  Extra parameters: only if necessary and supplied by the provider.
  Speed: indicate the speed of the link.
  Obtain DNS from Server: mark it for Nettion to receive the provider's DNS information.
  Active on boot: indicating Yes, the connection will be activated automatically at boot.

Figure 3.10: Setting of ADSL connection (fields User, Password, Extra Parameters, Rate, Get DNS from Server, Active on boot)

After inclusion, your ADSL interface will be listed as in the illustration on page 24, with its IP and connection status information. If the Status is not OK (red), check the connection settings again.

Figure 3.11: Listing of the ADSL Connection (interface, IP, status)

3.2.3 Gateways

For Nettion to have Internet access it must have at least one Gateway, in other words at least one exit towards the Internet. Therefore this is an important setting in the deployment of your Net
Contents (continued)

10.1.5 E-mail alert 87
10.1.9 Blocked … 89
11.1.2 Interface 92
11.3 Networks 93
12 E-mail 95
12.1.3 Webmail 97
12.1.5 Extensions 98
12.5 Antivirus 103
12.5.2 Scheduling 104
12.6.2 Learning 106
… Whitelist
(…) signatures referring to the item. Example: WEB-IIS. Therefore, if you want to mark all of them, it is not necessary to select them one by one. This configuration directly influences performance, so it should be done with great care.

10.1.5 E-mail alert

Specify the time interval if you want to receive alert notifications by e-mail. To disable this option, set the sending frequency to None and save the settings. The alerts are sent to the Nettion administrator.

Figure 10.5: Alert through E-mail Settings (Frequency field and Save settings button)

10.1.6 Reports

Displays alert reports and intrusion attempts with details on the captured packets: source and destination IPs, protocol, ports, etc.

10.1.7 Alerts

The administrator can view the last detected signatures and also the portscans performed. List of general information regarding the NIDS configuration:

- Active signatures: the amount of active rules and the total of existing rules. Example: 721 of 1601.
- Detected signatures: the amount of active signatures detected by the NIDS in your connection. Example: 101.
- Detected PortScans: number of portscans detected by the NIDS. Example: 247.
- Last Alert Dat
(…)elow, in agreement with the illustration below.

Figure 3.23: Inclusion of Dynamic DNS services (fields Service and IP)

The listing in the illustration shows the example of a Dynamic DNS service configured in Nettion.

Figure 3.24: List of Dynamic DNS services (service, host, IP, last update, status and action)

3.2.7 Graphics Interfaces

This section holds the graphs of bandwidth use by each Nettion interface. Besides the on-line monitoring resource, you also have the option of consulting the whole report of each graph. See the example in the following illustration.

Figure 3.25: Bandwidth Use Graph by Network Interface (received and sent bytes/s for interface eth0, with last, average and maximum values over the period)

Chapter 4 Objects

With the intention of simplifying the configuration of services, Nettion works with the concept of objects: groups of information mapped into objects that w
(…)en click the Start button of the Bandwidth Control Service.

To activate the service automatically when Nettion starts, mark the Auto option of the service and click the "Apply changes to selected items" button, as in the illustration below.

Figure 7.6: Activation of Bandwidth Control Service (services list with Auto checkbox and Start/Stop/Restart actions for Blitz MSN Control, Chat Server, Bandwidth Control, GetMail Server, E-Mail POP3/IMAP, E-Mail SMTP, NIDS, OpenVPN, Name Server, DHCP Server, Firewall Server, Proxy Cache Server, VPN IPsec and VPN PPTP)

Chapter 8 Firewall

A firewall is a security resource that controls what is or is not allowed to pass through Nettion, for instance between your network and the Internet. It works as a filter, preventing access to improper services and reducing the exposure of your network on the Internet.

The simple fact of having a firewall in the local network does not mean it is being useful. For that, it must be well configured and aligned with the security policy needs of your organization. Nettion uses advanced technologies of
(…)er that tries to send e-mail to an invalid user.
- Message informing that the quota limit is about to be reached.
- Message returned to the sender when his e-mail exceeded the quota limit.

Figure 12.5: Messages Setting of the E-mail Server (the three messages listed: "Warning: User does not exists", "Alert: Quota 90% used", "Warning: Limit quota exceeds")

12.1.5 Extensions

Initially, the antivirus should keep away files that are easily infected and that can carry viruses to e-mail clients. Some classic extensions can carry viruses; in general terms, self-executing files such as .exe and .com are the most frequently infected. Due to the larger virus incidence and larger infection probability in files with certain extensions, Nettion blocks the delivery or exit of e-mails containing attachments with such extensions.

Figure 12.6: List of Blocked Extensions (columns Extension and Description; entries include COMMAND.COM, batch file, JavaScript, Visual Basic Class Module and JP Software fast batch file)

The Add or Edit screen is simple and intuitive: it is only necessary to register the extension and a small description, as shown in the following illustration.

Figure 12.7: Add/Edit of Blocked Extensions (fields Extension and Description)

12.2 Domains

In this section the admin
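An extension block of the kind described above has two details a gateway must get right: where the attachment filename actually comes from (the Content-Disposition filename, or the Content-Type name when that is absent), and how the final extension is judged (case, double extensions such as "Invoice.PDF.EXE"). The following is an added example, not Nettion code; the blocked set is constructed from the extension families the manual names, and the sample message is constructed.

```python
"""Attachment extension filter for an SMTP gateway (added example, not Nettion code)."""
import email
from email import policy

# Constructed blocked list, following the families the manual names: self-executing files
# (.exe, .com), batch files (.bat, JP Software's .btm), JavaScript (.js), VB class modules (.cls).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "btm", "js", "cls"}


def blocked_extension(filename):
    """Return the blocked extension of `filename`, or None.
    Compares case-insensitively, ignores trailing dots/spaces and judges by the *last*
    extension, so 'Invoice.PDF.EXE' is treated as an .exe file."""
    base = filename.strip().rstrip(". ").lower()
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def attachment_names(raw_message):
    """Filenames of all non-multipart parts, taken from Content-Disposition (filename=)
    with fallback to Content-Type (name=), which is what get_filename() does."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if not p.is_multipart() and p.get_filename()]


def blocked_attachments(raw_message):
    """(filename, extension) for every attachment the policy would block."""
    hits = []
    for name in attachment_names(raw_message):
        ext = blocked_extension(name)
        if ext:
            hits.append((name, ext))
    return hits


# Constructed sample message with three attachments: a clean PDF, a double-extension
# executable, and a JavaScript file named only through the Content-Type name parameter.
SAMPLE_MESSAGE = b"""From: anna@yourcompany.com
To: john@yourcompany.com
Subject: reports
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reports attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.EXE"

TVqQAA==
--b1
Content-Type: text/javascript; name="tracker.JS"

dmFyIHg9MTs=
--b1--
"""
```

`blocked_attachments(SAMPLE_MESSAGE)` flags the executable and the script but lets the PDF through; a message with any hit is the one the gateway would refuse to deliver.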
(…)er for the ones that are not. In that example the accounts will be, respectively, spam@default.com and nospam@default.com. Remember that those accounts should be created in the chosen domain like any other user account.

The Nettion antispam learning system is described below. The antispam works as usual, marking as POSSIBLE SPAM the e-mails it considers spam. If users receive spam that was not marked by the antispam, they can forward that message as an attachment to the e-mail selected to receive spam, in this case spam@padrao.com.br. It works the same way for messages that are not spam but were classified as spam: users have the option of forwarding them to the e-mail selected to receive the messages that are not spam, in our example nospam@padrao.com.br. Periodically, according to the administrator's schedule, the antispam checks the two accounts and learns the messages of the spam account as spam and the messages of the no-spam account as non-spam. This continuous training improves the effectiveness of the antispam and allows it to reach better rates when classifying future e-mails.

If you want the antispam system to run the training on the spam and no-spam mailboxes now, click the Learn button. It is common for the administrator to schedule the antispam training in the next section, Learning.

Note: remember that when forwarding e-mails to the spam@default.com and nospam@default.com accounts, the forwarding must be made with the wanted e-mail as
(…)erating Traffic: Internal Net / VPN Net.

9.1.2 Support of clients cadastre for VPN PPTP

The registration of PPTP clients follows the pattern previously established. For PPTP clients the following fields should be filled out:

Figure 9.2: Adding/Editing PPTP Users (fields User, Password, Confirmation, IP, Allow Multiple Logons)

- User: user's login. Example: John.
- Password: authentication password. Example: passwordpptp.
- Confirmation: confirmation of the password. Example: passwordpptp.
- IP: IP the client will receive when establishing the VPN connection with Nettion. If this field is filled out with an asterisk, the client will receive one of the existing IPs inside the range made available by the server. If an IP is specified, this client will always receive this IP when connecting. For greater security we suggest a static IP. Example 1: *; Example 2: 128.0.0.11.

Active connections

Nettion allows the administrator to know which connections are active at the moment of consultation. This information is available in the subsequent reports.

Reports

In this section the administrator can view reports on the PPTP connections performed.

Report listing (filters From Date, To Date, Host, Interval; columns User, Start Date, Start Time, Stop Date, Stop Time, Rate, Device, IP, End Type)
(…)eristics, you can add or exclude those that will be allowed to send messages through this server. At the end of all alterations it is enough to click Save Settings to finish.

Figure 12.3: Relays Administration (allowed hosts/nets list, e.g. Intranet, DMZ, External Interface, Internal Interface, localhost, Mail Server)

12.1.3 Webmail

Nettion offers a Webmail system with the option of sending and receiving e-mails through the Web; for this, only identification with the combination of complete e-mail address and user's password is necessary. Nettion Webmail can be accessed through your IP followed by /webmail, for example http://200.200.200.200/webmail.

Some characteristics are configurable to personalize the Nettion webmail, such as the webmail's default language, the icon that appears on the login screen (which needs to contain an absolute address, as in the default example), and the names of the folders that will keep trash messages, sent messages and draft e-mails.

Figure 12.4: Webmail Settings (fields Company logo, Company name, Company URL, Default e-mail domain, Default language, Draft messages folder, IMAP Host, IMAP Port, Sent messages folder)

12.1.4 Messages

In this section the administrator can edit the three following messages:

- Message returned to the send
(…)es a dynamic IP, this option will be disabled because it would be impossible to determine Nettion's gateway statically.
- Gateway A key: communication key of Gateway A. Example: the RSA public key string of Gateway A (long key omitted here).
- Gateway B: IP address of the machine that will serve as gateway, in other words the interconnection with the other network. Example: 200.195.152.2.
- Network B: network that will be part of the connection and that, therefore, will be accessible by the other side (Net A). Example: 192.168.1.0/24.
- Next Hop B: default exit of Nettion that acts like Gateway B. Example: 200.195.152.1. See item Next Hop A.
- Gateway B key: communication key of Gateway B. Example: the RSA public key string of Gateway B (long key omitted here).
- Connection: whether the connection will be activated manually or automatically. Configure this option as Auto fo
(…)es not support NAT.

Precautions

- Do not send your key to the other side of the VPN by e-mail, instant messages or other public means of communication. Use SSH, HTTPS or another safe way of transferring it. If you use a diskette or CD-ROM to transport the key, destroy it afterwards.
- Do not reveal your key to anyone.

General Settings

To configure the VPN IPSec server, access VPN > IPSEC > Settings. The settings screen is displayed as in illustration 9.5.

- Running Interface: interface through which the server will connect. Usually it is the network interface connected to the Internet with a public IP. Use the option Default Route if your Internet link has a dynamic (variable) public IP.
- Type: key type used for encryption, 3des-md5-96 or 3des-sha1-96. Example: 3des-md5-96.
- Re-create Secret Key (RSA only): marking the field YES recreates the encryption key shown in the Public Key field. The Size field is then enabled, in which the administrator can specify the key size in bits (512, 1024, 2048, etc.).
- Public Key (RSA only): key generated by Nettion for this server.

Figure 9.5: VPN IPSec Settings (Running Interface 10.10.10.10 (eth1), Encryption Type 3des-sha1-96, Re-create secret key Yes, Size 2048 bits, Public Key)
(…)est authentication. Example: allow any domain in any schedule for users of the Management group.
3. Permission rules that require authentication for valid users should be positioned below the rules referring to selected users. Example: allow any domain without forbidden words in any schedule for valid users.
4. The rule regarding the default policy selected in the proxy settings is implicit and is written after the last rule registered by the user. Thus the default policy is only interpreted by the proxy when the requested access does not fit any of the previous rules.

6.4.2 Screen 2: Schedule

Determines the schedule for the action. Defines the schedule in which the rule will act, based on a previously registered schedule. Options: Any, Inside the schedule, or Outside the schedule. The Any pattern is used when the administrator does not specify a schedule relation during rule elaboration. To specify a schedule relation, the administrator should select an option other than Any, so that the list of registered schedules is displayed, from which the wanted schedule is selected; it is shown in yellow, in other words the schedule in which the rule will act. See the schedule selection screen in the illustration ahead.

Figure 6.6: Schedule Selection for Rule Application

6.4.3 Screen 3: Apply for

To conclude, determine for whom the ru
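The evaluation order the proxy chapter describes (position 1 first, domain and expression filters combined with a logical AND, schedule relations Any/Inside/Outside, users or groups the rule applies to, and the implicit default policy after the last rule) can be reproduced in a small simulator. The following is an added example written for this guide, not Nettion code: the domain groups, expression groups, schedule, user names and the `Rule` fields are constructed assumptions standing in for the manual's objects.

```python
"""Ordered proxy-rule evaluation as the manual describes it (added example, not Nettion code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample objects standing in for the manual's Domains, Expressions and Schedules.
DOMAIN_GROUPS = {
    "NoAuthentication": {"bank.example", "gov.example"},
    "Downloads": {"downloads.example"},
}
EXPRESSION_GROUPS = {                      # regular expressions matched against the whole URL
    "Downloads": [r"\.exe$", r"\.zip$", r"/download/"],
    "Forbidden": [r"(?i)casino", r"(?i)torrent"],
}
SCHEDULES = {                              # weekday (0 = Monday) -> [(start_hour, end_hour)]
    "Commercial": {day: [(8, 18)] for day in range(5)},
}


@dataclass
class Rule:
    position: int
    action: str                                    # "Allow" or "Deny"
    description: str
    domains: Optional[Tuple[str, bool]] = None     # (group, belongs-to-group); None = Any
    expressions: Optional[Tuple[str, bool]] = None # same convention for expression groups
    schedule: Tuple[Optional[str], str] = (None, "any")  # (schedule, "any"|"inside"|"outside")
    users: Optional[frozenset] = None              # None = any user (no authentication needed)


def host_in_group(host, group):
    return any(host == d or host.endswith("." + d) for d in DOMAIN_GROUPS[group])


def url_matches_group(url, group):
    return any(re.search(p, url) for p in EXPRESSION_GROUPS[group])


def in_schedule(name, when):
    return any(s <= when.hour < e for s, e in SCHEDULES[name].get(when.weekday(), []))


def rule_matches(rule, url, user, when):
    host = urlsplit(url).hostname or ""
    if rule.users is not None and user not in rule.users:
        return False
    # Domain and expression filters are combined with a logical AND, as the manual states.
    if rule.domains is not None:
        group, belongs = rule.domains
        if host_in_group(host, group) != belongs:
            return False
    if rule.expressions is not None:
        group, belongs = rule.expressions
        if url_matches_group(url, group) != belongs:
            return False
    sched, relation = rule.schedule
    if relation == "inside" and not in_schedule(sched, when):
        return False
    if relation == "outside" and in_schedule(sched, when):
        return False
    return True


def evaluate(rules, url, user, when, default_policy="Deny"):
    """First matching rule by position wins; the default policy is the implicit last rule."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule_matches(rule, url, user, when):
            return rule.action, rule.description
    return default_policy, "default policy"


# Rules in the order the manual recommends: unauthenticated permissions first, then
# selected users, then valid users; the default policy closes the list implicitly.
RULES = [
    Rule(1, "Allow", "Allow domains NoAuthentication in commercial schedule for any user",
         domains=("NoAuthentication", True), schedule=("Commercial", "inside")),
    Rule(2, "Allow", "Allow any domain in any schedule for Management",
         users=frozenset({"alice"})),
    Rule(3, "Deny", "Deny Downloads domains with download expressions",
         domains=("Downloads", True), expressions=("Downloads", True)),
    Rule(4, "Allow", "Allow any domain without forbidden words for valid users",
         expressions=("Forbidden", False), users=frozenset({"alice", "bob"})),
]


def demo():
    office_hours = datetime(2008, 6, 26, 10, 0)   # a Thursday, inside "Commercial"
    night = datetime(2008, 6, 26, 22, 0)          # outside "Commercial"
    return {
        "anon_bank_day": evaluate(RULES, "http://www.bank.example/", "anonymous", office_hours),
        "anon_bank_night": evaluate(RULES, "http://www.bank.example/", "anonymous", night),
        "mgmt_download": evaluate(RULES, "http://downloads.example/download/a.exe", "alice", night),
        "bob_download": evaluate(RULES, "http://downloads.example/download/a.exe", "bob", night),
        "bob_zip_elsewhere": evaluate(RULES, "http://files.example/a.zip", "bob", night),
        "bob_casino": evaluate(RULES, "http://fun.example/casino", "bob", night),
    }
```

The `bob_zip_elsewhere` case shows the AND: the download expression alone does not trigger rule 3 because the host is not in the Downloads group, so the request falls through to rule 4; `mgmt_download` shows why position matters, since the Management rule above rule 3 lets that user download.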
(…)ettion for resolution of Internet names. The machine's name should be the complete machine name (machine.domain). If you do not have a domain, localdomain can be used. At least one DNS server should be configured for the correct operation of the product. That setting can be automatic if you have an active Ethernet interface configured through DHCP or an ADSL connection; in this case select the item Obtain DNS from server in the respective connection setting. Nettion can itself be the DNS server, provided it has direct Internet access on port 53 (TCP and UDP). To use it as server, indicate the IP 127.0.0.1.

Figure 3.14: Machine's Name and DNS Setting (Host nettion, Domain yourcompany.com; Primary DNS 127.0.0.1, Secondary 200.200.200.200)

3.2.5 Routing

In this section it is possible to add rules that control the destination of the network traffic.

Basic

Basic routing, or routing by destination, is the functionality that makes a network host reachable through a gateway host that is itself reachable.

Figure 3.15: Basic Route Inclusion (fields Network/Host, Mask, Interface)

Example: the following route makes the traffic to the network 192.168.254.0/24 pass through the host 10.0.0.254 via the eth0 interface (see illustration 3.16).

Figure 3.16: Listing of basic routes (columns Network/Host, Mask, Gateway, Interface)
Contents (continued)

6.5.4 Blocked Accesses
6.6.1 Selecting a Period
6.6.2 Visualizing Accesses Starting from the Graph
6.6.3 Realtime Monitoring
6.7 Configuring Net Stations
7 Bandwidth Control
7.1 Reprioritizing packages
7.2 Dynamic Band Redistribution
7.3 Settings
7.3.1 Network Interface Definition
7.3.2 Classes
7.3.3 Rules
7.4 Activating Bandwidth Control Service
8 Firewall
8.1 Settings
8.2.1 Including a New Rule
8.3 Firewall Basic Rules
8.3.1 Access to Nettion
8.3.2 Access Nettion > Internet
9 VPN
9.1 VPN PPTP
9.1.1 Settings
9.1.2 Support of clients cadastre for VPN PPTP
9.2 VPN IPSec
9.2.1 Settings
9.2.2 Connections
9.3 OpenVPN
10 NIDS 85
(…)ey still count on antivirus and antispam protection to filter the downloaded messages, when the company's e-mail server is Nettion itself (local accounts). In that way you reduce the risk of virus infection and guarantee greater productivity of your collaborators.

15.7.1 Advantages

The GetMail NettionPlug provides the following advantages:

- Speed and security in e-mail access.
- Virus and spam control when accessing messages from external providers.
- Better resource management.
- Compatibility with the messaging solution used in your company, suitable for any network environment.
- Retrieval of messages from several mail servers, independent of the provider.
- Creation of access permissions, determining which external accounts can be accessed.

15.7.2 Settings

To configure GetMail, access the menu GetMail > Settings. In the screen that is displayed, fill in:

- Verification interval: time interval, in seconds, between checks for new e-mails.
- Destination Server: SMTP server used for sending the messages, usually Nettion itself.

Then click the Save Settings button, as in illustration 15.32 below.

Figure 15.32: GetMail Basic Settings (Verification Interval 300 seconds; Destination Server (SMTP))

15.7.3 Source Accounts

To begin creating GetMail rules, first we need to register the source accounts in
(…) (contacts listing)

Figure 15.6: Passport Contacts (columns login and name, e.g. newton smith / Newton Smith)

On the next login Blitz only maintains these contacts, adding or deleting as necessary.

15.4.7 Rules

The Blitz rule creation wizard is very similar to those of other Nettion services like Firewall and Proxy. To create rules in Blitz, click the menu Blitz > Rules and follow these steps:

Step 1: In the rules list screen, click the Add button, as shown in illustration 15.7.

Figure 15.7: List/Add Rules of Blitz (showing the rule "Blitz Default Rule" at position 1)

Step 2: In the first screen of the wizard, define a description for the rule, an action and a position (which defines the rule priority order), and finally select the rule status, as shown in the illustration that follows.

Figure 15.8: Rule Description of Blitz (fields Description, Action, Position, Status)

Step 3: In the following screen, select the schedule in which the rule will be applied, according to the schedule objects previously defined. See the illustration below.

Figure 15.9: Selection of Schedule for Rule in Blitz (Time: Any; weekly grid of hours 0 to 24)

Step 4: In this screen you had defined with whi
(…) (Server IP 201.57.91.146)

Figure 15.23: Export Settings for OpenVPN Client (Server IP 201.57.91.146)

Once installed, it is time to do the proper settings. To make this task easier, the Nettion VPN server offers the export of a file that makes all the client settings (see the illustration above). To export this file, enter again the OpenVPN Nettion users settings and click the download option. If this option is not yet available, it is because the server configuration has not been made yet.

Now, on the Windows station with the OpenVPN client installed, right-click the OpenVPN Client icon and choose the option New Connection Nettion. In the following window, select the file exported by Nettion. With that, the settings are concluded.

Note: after installation, notice that a new icon appears on the left side of the Windows clock, in the Start menu bar. See the following illustration, which shows how to import the configuration file.

Figure 15.24: Setting File Import in OpenVPN Client (menu: Proxy Settings, New Connection Nettion, About, Quit)

Now it is time to connect: for that, right-click the OpenVPN Client icon again and choose the Connect option. At this time a screen requesting your username and password for Nettion authentication appears. Remember that this authentication is made according to the centralized authentication configured in your Nettion. After the connection is acce
(…)ibility to build those that should be applied in access control. For the rules formation, previously registered information is used; see Chapter 4 Objects and Chapter 5 Users and Groups. The administrator should elaborate the access administration rules.

Figure 6.4: Listing of Proxy rules (example rule list, in order: Allow domains NoAuthentication; Allow domains Governmental; Allow domains MSN; Allow any domain with MSN; Deny any domain with Downloads; Deny domains Pornographics; Deny any domain with Pornography; Allow domains Prohibited; Allow any domain)

6.4 Composition of Proxy Rules

The creation and edition of proxy rules is made through a wizard that guides you in the composition of access filters. Each rule allows the application of filters by domain, regular expressions, schedule and IP, which are applied to users and/or user groups. The rules are analyzed one by one according to their position, beginning with rule number 1, thus establishing a priority order. This way it is important that the most specific rules are above the most generic ones.

6.4.1 Screen 1: Rule Definition

- Action: action of the rule, Allow or Deny.
- Domains: indicate Any if you do not want to restrict by domain in this rule, or in
(…)ides the control, it has the flexibility of allocating bandwidth dynamically, which allows allocated but unused bandwidth to be consumed by another service automatically. To make the Bandwidth Control concept clear, it is necessary to understand the concepts of packet reprioritization and Dynamic Bandwidth Redistribution.

7.1 Reprioritizing packages

Reprioritization acts on packet delivery, reducing the packet delivery speed or releasing more bandwidth according to the established rules. For instance, imagine that you are receiving your e-mails from a provider external to your organization. See the illustration ahead.

Figure 7.1: Bandwidth control scenario (E-Mail Server, Internet, Nettion, Internal Network; reprioritized packet delivery)

Line 1 (green) of the image indicates the direction of your request to the provider, on port 110 (POP3 account), and line 2 (blue) indicates the data packets (your e-mails) leaving the e-mail server towards your machine. Arriving at Nettion, which mediates the connection, they enter through the network interface eth1 and leave towards your machine (line 3, yellow) through the interface eth0. At delivery time, Nettion reprioritizes the packets, restricting or releasing more bandwidth for the connection. What if, in this scenario, we wanted for instance to restrict the bandwidth for e-mails o
...ient. Now that the server is created, it is time to configure the Nettion client(s). To make this task easier, the Nettion VPN server offers a file export that carries the entire client configuration. To export the file, access Nettion OpenVPN Server, in the connections listing, and double-click the server connection you just created. In the following screen, in Export settings to Nettion clients, define a safety password for the file and click the Export button. Then save the file so it can be used in the Nettion client configuration. See the following image.

Figure 15.16: Export of Nettion OpenVPN Client Settings (fields: Name, Proto, LZO compress; Export Settings: define and confirm a password, the same password must be used to import the settings in the client connection; a separate export of settings for Windows clients).

Now access the Nettion OpenVPN Client and follow these steps:
- Access the menu VPN > OpenVPN > Nettion-Nettion > Connections.
- In the following connections listing screen, click the Add button.
- In the first page of the Wizard, define the following fields: Type: select the Client type now. Name: indicate a name for the connection. In Import Settings...
...ill be used by the several services available in the software. The objects are classified according to the type of information they store, which makes their maintenance easier. Ideally the administrator evaluates the network environment beforehand, identifying which objects should be created, saving time when configuring the services. Below we list some of the available Nettion services and the respective objects they use:
- Advanced Routing: hosts and networks, services and schedules
- Proxy: domains, expressions, schedules, hosts and networks
- Bandwidth Control: hosts and networks
- Firewall: hosts and networks, services and schedules
- NIDS: hosts and networks
- OpenVPN: hosts and networks
- DHCP: hosts and networks

Observe this example. To reference a company workstation IP, an administrator created a host-type object named PC_01, assigning it a certain IP, 192.168.254.10, with netmask 255.255.255.255. Afterwards he used the object PC_01 in Proxy rules, Bandwidth Control, Firewall and NIDS. If for some reason you have to change the IP of PC_01, it is enough to change the object's IP; all Nettion settings that use this object are automatically updated to the new IP.

4.1 Objects support

After selecting the object class (type) in the main menu, a list containing the registered objects, if any exist, is shown to the administrator. The display can be ordered by any on...
...ime zone of hardclock: choose whether to use your time zone (Local time) or Greenwich time (GMT). Date: adjust the date in the format day/month/year (DD/MM/YYYY).
- Time: adjust the time in the format hour:minute (HH:MM).

b) NTP Server

Figure 3.4: NTP Server Settings (fields: Clock: Local / NTP Server; Time Zone, e.g. Africa/Nairobi; Time zone of hardclock: Local time / Greenwich time; NTP Server; Date 16/06/2008 (dd/mm/yyyy); Time 10:20 (hh:mm); Save settings).

- Time Zone: select your time zone.
- Time zone of hardclock: choose whether to use your time zone (Local time) or Greenwich Time (GMT).
- NTP Servers: the addresses of the NTP servers with which you wish to synchronize date and time. Remember to add at least one server if you want to use this function.

Firewall: it is necessary to create a Firewall rule to allow Nettion to communicate with the configured NTP servers. An example of the necessary rule is in the table on page 19.

Rule: Nettion > NTP Servers
Table 3.1: Releasing Nettion for NTP servers

All the details of how to configure the Firewall and its rules are in the Firewall chapter, page 20.

3.2 Network

3.2.1 Interface connection

In this section you can configure the other interfaces and network connections of your equipment; the first one was already configured during installation.

Ethernet Interfaces (LAN): as previously mentioned, Nett...
...ings, pointing MSN to the Nettion Blitz IP. Depending on the MSN version the location of this configuration may change; in general, however, you should indicate the socks and http server in your MSN. Normally the path is Tools > Options > Connection. Point the socks service and the http proxy to Nettion's IP. It is also necessary to provide the user's authentication information (user and password).

Note: remember that the Proxy Server configuration information comes from Internet Explorer, so you cannot enter it here manually. You must enter it in the Internet Explorer configuration, and it will then appear in the MSN configuration. Thus you must specify only the username and password for the HTTP Proxy.

See illustration 15.12 ahead.

Figure 15.12: Settings of MSN Connection through Blitz (Browser Connection Settings: SOCKS server and port; Username john.simpson; Password; the message "Define the HTTP Proxy Server and port using Internet Explorer"; HTTP Proxy username john.simpson and password).

15.4.10 More Information

You can also access the Step by Step tutorial available on Nettion's site, www.nettion.com.br, for more information on how to configure the plugin server and clients.

15.5 OpenVPN

OpenVPN is one more form of VPN offered by Nettion. Through...
...ion already configured the first Ethernet interface of the equipment (eth0) during the software installation. To add other network interfaces, access the menu option Settings > Network > Interfaces/Connections. In the following screen you will have access to the listing of interfaces already registered in your Nettion, as in the example of illustration 3.5 (page 20).

Figure 3.5: Listing of Interfaces and Connections (example: eth0, 192.168.0.1, Internal Net (LAN), 100Mbit; eth1, 200.200.200.1, External Net (WAN), 1Gbit; a third interface, 200.200.200.32, DMZ Area, 100Mbit; buttons Back, Add, Edit, Items, Del).

To add a new Ethernet interface follow these steps (you can also see the illustration on page 21):
- Click the Add button located below the listing.
- In the following screen select the Ethernet interface type, click Next and wait.
- At this point Nettion tries to detect your installed network devices and their respective drivers. Each detected interface is shown in the following screen. Select one of them and click Next.

Important: if the device driver has not been automatically identified, the device is listed with a mark next to it. In these cases it is probable that Nettion does not have the appropriate driver to support it. Please contact the manufacturer at suporte@nettion.com.br and send the largest number...
...istrator will control e-mail domains. It is possible to create and remove domains, as well as to add or remove users from such domains.

Figure 12.8: Listing of E-mail Domains (example: domain01.com.za, 10.00 MBytes, Unlimited, Local; domain02.com, 10.00 MBytes, Unlimited, Nettion; buttons Back, Add, Edit, Items, Del).

Observe: for your e-mail domain to work correctly on the Internet, the DNS of the domain must be properly configured, stating that Nettion is responsible for the e-mails.

12.2.1 Including a Domain

If you want to add a domain, click the Add button and fill out the fields according to the descriptions below:
- Domain: name of the domain to be added. Example: nettion.com.br
- Quota: maximum disk space that each account can occupy.
- Max number of messages: message quota, the number of messages per account.
- Administrator password (postmaster): password of the domain administrator.

If you want to redirect invalid messages (sent to nonexistent addressees) to another e-mail account, mark the checkbox Redirect invalid e-mail and type an e-mail account in the field below. The standard procedure is to send a message to the sender informing that the destination account does not exist.

If you want to use Nettion authentication, mark this checkbox and choose the groups from which to import users. It is possible to import the users of all groups or of some specific group. See the illustration that follows (Quota: unlimited; Max number...
...ited report.
- Description: short description of the rule.
- Protocol: select the protocol to be used, POP or IMAP.
- Status: active, to make the rule take effect immediately.

See illustration 15.35.

Figure 15.35: GetMail Rule Creation (fields: Description, Protocol (POP3), Status; buttons Back, Items).

Step 2: In the following screen, specify in Source Accounts the accounts from which you want to obtain the e-mails. Remember that they must have been created previously. In Destination Accounts specify whether the destination account is Local or Remote. For Local, select the local e-mail account to which the e-mails will be directed. For Remote, type the e-mail address of the account on the remote server. Also select below one of the three options:
- Get seen emails too: specifies that GetMail should also bring e-mails that have already been read.
- Keep messages in server: specifies whether copies of the messages being obtained are left on the source server.
- Use safe connection (TLS): mark this option if the source server demands secure authentication.

See illustration 15.36.

Figure 15.36: S... (Source/Destination Accounts Selection: example source accounts at gmail, destination account john.simpson@yourcompany.com; options Get seen emails too, Keep messages in server, Use safe connection (TLS); buttons Back, Items).
...ith destination port 1863 TCP, as summarized in the rule in table 15.3.

Rule: Blitz > Internet
Table 15.3: Releasing the Blitz service

Note: before creating the rule, verify whether some existing rule already covers this release; otherwise create a service object with port 1863 TCP called msn before creating the suggested rule. For more information on how to create service objects see Chapter 4, Objects.

Besides this rule it is necessary to release local network access to the Blitz service, which by default works on TCP port 1080. See the summary rule in table 15.4.

Rule: Intranet > Blitz
Table 15.4: Releasing Access to Blitz

Note: before creating the rule, verify whether some existing rule already covers this release; otherwise create a service object with port 1080 TCP called blitz before creating the suggested rule. For more information on how to create service objects see Chapter 4, Objects.

15.4.5 Settings

As with the Nettion Proxy and Firewall, Blitz also has a default access policy. It defines what is done when a user is not covered by any access rule (rules are covered further ahead). The default policy is configured through the menu Blitz > Settings. In this menu it is also possible to define whether users are informed that their chats are being audited and recorded. For that, mark the option Apply notification in the beginning of...
...k. At the end click the Save Settings button, as illustration 14.3 displays.

Schedule

The illustration ahead shows the screen where you define the interval at which backups are performed, specifying:
- Frequency: interval of backup execution: daily, weekly or monthly. Example: weekly.
- Day: day of the week or of the month on which the backup is performed. If the chosen interval is weekly, the week days (Sunday, Monday, Tuesday, ... Saturday) are shown in this option. If it is monthly, the days of the month (1, 2, 3, ... 31) are presented. If the chosen interval is daily, this option is disabled. Example: Monday.
- Schedule: time at which the safety copy is made. Example: 01:00 A.M.

Figure 14.4: Configuring the interval at which the backup will be made (fields: Frequency: Weekly; Day: Sunday; Time range; Save settings; buttons Back, Items).

To finish, click Save Settings.

14.3.2 Manual

Imagine a case in which, after adding configurations to the product, the administrator wants to make a backup copy immediately instead of waiting for the copy to be made by the schedule. Select the modules and begin the backup by clicking the Start Backup button. If Nettion is synchronized with a Windows Domain, indicate a valid user and password for the domain, and make sure this user has write privileges on the selected network share. 14.3...
Figure 3.8: Sub-Interfaces Listing of a Network Device (buttons Back, Add, Edit, Items, Del).

ADSL Connections (WAN)

To add an ADSL connection, the main physical interface should be configured to receive its IP through DHCP and should have the setting Active on boot as No, as shown in the illustration on the page.

Figure 3.9: Interface Setting for ADSL Connection (fields: Interface eth1; MAC Address; IP Address: DHCP; Description: ADSL Interface; Get DNS from Server; Respond DNS requests on this Interface; Active on boot: Yes / No; Save settings; buttons Back, Items).

Important: these connections depend on a properly installed and configured ADSL modem. ADSL modems can be configured in bridge mode, where Nettion manages the ADSL connection and holds the IP given by the provider (recommended), or in router mode, where the modem is responsible for this management. The settings that follow are for bridge mode. If the modem is in router mode, configure the Ethernet interface to communicate with the modem and configure Nettion's Gateway pointing to the modem's IP.

The procedure is similar to the inclusion of additional IPs (see the illustration on page 24):
- In the listing screen, select the interface that will receive the ADSL connection and click the Items button.
- In the following screen a listing of the device's sub-interfaces will be present...
...le should be applied.
- Host/Network: host or network definition that will be treated by this rule, based on a previously registered host/network. Options: Any, Equal to or Different from. The Any pattern is used when the administrator does not specify a relationship with a host/network during rule elaboration. To specify a relation with a host/network, the administrator should select an option different from Any, so that the list of registered hosts/networks appears, from which the administrator chooses the wanted host/network.
- Groups/Users: the users that will be treated by this rule, considering the groups and users previously registered or synchronized with an external base. Options: Any: the rule is applied to any user, authenticated or not. Valid users: the rule is applied only to valid users, in other words authenticated users; if the user has not yet been authenticated, the Proxy will request authentication. Only selected: the rule is applied to the authenticated users selected in the Groups and Users boxes. Choosing this option enables the selection boxes; select in the left box the wanted Groups and/or Users.

Observation: to optimize the load time of users and groups, Nettion loads only the first 100 entries of each selection box. At the end of the list there is an option called "more"; double-click it to open the next 100 entries. If you prefer, you can also use the search field that i...
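The three passages above on ordered proxy rules (Composition of Proxy Rules), on host/network objects referenced by name (the PC_01 example in the Objects chapter) and on the Host/Network and Groups/Users rule fields describe one evaluation model: rules are tried top-down, the first match decides, and object names are resolved when the rule runs. The following Python is an added example that is not part of the Nettion guide or product; it models that behaviour so the ordering pitfall ("specific above generic") can be checked mechanically. The object names, the group membership, the users and the rule list are constructed for illustration, modelled on the rule listing in figure 6.4.

```python
"""Added example (not from the Nettion guide): ordered, first-match proxy
rules with by-name host/network objects and group-based user selection.
Object names, groups, users and the rule list are constructed samples."""
import ipaddress
from dataclasses import dataclass

# Registered host/network objects, referenced by name as in the guide's PC_01
# example: a rule stores the object name, never the address itself.
OBJECTS = {
    "PC_01": "192.168.254.10/32",     # constructed, mirrors the guide's example
    "Intranet": "192.168.0.0/24",     # constructed
}

# Constructed group membership (the product synchronises this from its base).
GROUPS = {"Development": {"sophia", "john.simpson"}}


@dataclass(frozen=True)
class Rule:
    action: str                        # "Allow" or "Deny"
    domain: str = "Any"                # "Any", an exact domain, or "*word*" for "any domain with"
    host: str = "Any"                  # "Any", "Equal to:<object>" or "Different from:<object>"
    users: str = "Any"                 # "Any", "Valid users" or "Only selected"
    selected: frozenset = frozenset()  # users/groups used when users == "Only selected"


def domain_matches(pattern, domain):
    """Domain filter: Any, substring ("*downloads*") or domain/subdomain match."""
    if pattern == "Any":
        return True
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern.strip("*").lower() in domain.lower()
    d, p = domain.lower(), pattern.lower()
    return d == p or d.endswith("." + p)


def host_matches(spec, client_ip):
    """Resolve the object name at evaluation time, so editing OBJECTS[name]
    changes the outcome of every rule that references it."""
    if spec == "Any":
        return True
    relation, name = spec.split(":", 1)
    inside = ipaddress.ip_address(client_ip) in ipaddress.ip_network(OBJECTS[name])
    return inside if relation == "Equal to" else not inside


def users_match(rule, user):
    """user is None when the client has not authenticated; a real proxy would
    challenge for credentials here, the model simply treats it as no match."""
    if rule.users == "Any":
        return True
    if user is None:
        return False
    if rule.users == "Valid users":
        return True
    groups = {g for g, members in GROUPS.items() if user in members}
    return user in rule.selected or bool(groups & rule.selected)


def evaluate(rules, domain, client_ip, user=None, default="Deny"):
    """Return (action, rule_index) of the first matching rule, or
    (default, None) when nothing matches: list position is priority."""
    for i, r in enumerate(rules):
        if domain_matches(r.domain, domain) and host_matches(r.host, client_ip) \
                and users_match(r, user):
            return r.action, i
    return default, None


def unreachable_rules(rules):
    """Indices of rules that can never match because a catch-all rule
    (domain Any, host Any, users Any) sits above them."""
    for i, r in enumerate(rules):
        if r.domain == "Any" and r.host == "Any" and r.users == "Any":
            return list(range(i + 1, len(rules)))
    return []


def relocate_host(name, new_cidr):
    """Change a registered object's address; every rule naming it follows."""
    OBJECTS[name] = str(ipaddress.ip_network(new_cidr))


# Constructed rule list in the spirit of figure 6.4: specific rules first,
# the generic "valid users may browse" rule last.
RULES = [
    Rule("Allow", domain="gov.br"),                                   # governmental sites, no auth needed
    Rule("Allow", domain="*downloads*", users="Only selected",
         selected=frozenset({"Development"})),                        # exception for one group
    Rule("Deny", domain="*downloads*"),                               # everyone else
    Rule("Deny", domain="*pornography*"),
    Rule("Allow", host="Equal to:PC_01"),                             # PC_01 browses without auth
    Rule("Allow", users="Valid users"),                               # anyone authenticated
]
```

`unreachable_rules` is the check the guide's ordering advice implies: placing `Rule("Allow")` (any domain, any host, any user) at the top makes every later rule dead, including the Deny rules, and `evaluate` then reports the catch-all as the deciding rule.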
...les you will have more information about your bandwidth settings, as shown in the illustration below.

Figure 7.3: Interface Eth0 Graphic (Class list: Default Class, Class1; Description; buttons Back, Items).

Once the Class is created, the next step is to create rules, as we will see in the next section.

7.3.3 Rules

The rules, which are always linked to a class, identify the traffic to which the control is applied. In a rule we indicate the origin from where the data start, the destination where the data arrive, and the minimum and maximum bandwidths. The minimum bandwidth (reserve) and maximum bandwidth concepts are equivalent to those seen in Classes. Following our example, suppose that the limit to be established for traffic coming from the Internet (any origin) on port 110, with internal network machines as destination, is 100Kbits. Follow these steps to create the rule:
- Click the menu Bandwidth Control > Settings.
- Click the Configure button of the Eth0 interface.
- Select the Class 1 class and click the Items button.
- In the following rules listing screen, click the Inclusion button.
- Insert the rule information (see the illustration on page 65): Name: rule name. Example: POP3. Note: spaces are not allowed in the rule name. Description: insert a description. Example: POP3 Band. Object of Origin: insert the object from where the data start; in this case select the Any object, meaning any origin host. Object of Destiny: inse...
...lly free to test the efficiency of the applications.

15.2 Installing a NettionPlug

To install NettionPlugs in your Nettion, access the menu System > Plugins, according to the illustration below, and follow the steps.

Figure 15.1: NettionPlugs Installation (listing with Install/Uninstall buttons for: Chat Server; Blitz MSN Control; OpenVPN; GetMail; DNS Server; buttons Back, Items).

- In the listing that is shown, Nettion displays all NettionPlugs made available by NIS.
- Click the Install button of the wanted plugin. Observe that if your version is older than the one the plugin requires, this option is disabled; in this case it will be necessary to update your Nettion first.
- After installation the status turns green if your company has already acquired the plugin license, or orange in the case of an installation for evaluation.

Once installed, the plugin works totally integrated with Nettion and is available in the menu like the other functionalities.

15.3 Chat Server

Chat Server is a NettionPlug developed by NIS to be the instant messenger (IM) of your company. The program uses Jabber as its base, known as the best IM system for Linux. Created according to NIS quality standards, Chat Server has a dedicated server to se...
...low for the more popular and widely used browsers.
- Firefox (version 2.0): with the browser open, click the menu Tools > Options. In the following screen click the Advanced option. Now click the Network tab and then the Settings button. In the following screen select the Manual Proxy Configuration option and fill out the HTTP information with Nettion's access IP and the Proxy port (by default port 3128). On this same screen, in the No Proxy for option, also indicate Nettion's IP, which avoids accesses to Nettion itself being made through the Proxy. Then click OK and the browser is configured.
- Internet Explorer (version 7.0): with the browser open, click the menu Tools > Internet Options. Click the Connections tab and then the LAN Settings button. In the following screen select the option Use a Proxy Server and indicate Nettion's IP and access port (Nettion's default port is 3128). In Advanced Options, type Nettion's IP in Exceptions to avoid access to Nettion itself being made through the proxy. Click OK and the browser is configured.

Chapter 7: Bandwidth Control

Nettion's bandwidth administration aims to optimize link usage through reprioritization of data packets. With it, it is possible to allocate a larger amount of the link's bandwidth to the more important services or machines of your network. Bes...
...ministration Interface, the administrator logs in by informing user name and password, as shown in illustration 2.3.
- User: the user's name. Example: nettion
- Password: the user's password. Example: nettion

Note: the original password of the nettion user is nettion. For safety reasons it is important that you change it soon after the first logon.

It is possible to choose between the Portuguese and English languages, and to access the Nettion interface using an HTTPS connection. If you want to use HTTPS, mark the Secure Connection box.

Figure 2.3: Login form (fields: Language; Secure Connection; Nettion Security Software).

It is time to begin your software settings. It is important that you begin with the Product's Basic Settings (see chapter 3). In that chapter you will learn how to change the administrator's password, configure the other network interfaces of the equipment and go online with Nettion.

Chapter 3: Settings

3.1 Basic

On first access to Nettion, the administrator should open Basic Settings and update the data regarding the default password and the sending of system e-mails, as well as the system's Date/Time, which is recorded in the software reports. For your safety, the administrator should change the Nettion user's password to a personal password, which should be known only by...
...mpany: YOUR COMPANY NAME INC; Product: Unregistered Version.

Figure 2.1: First Registration Form

- CNPJ/CPF: CNPJ in the case of a legal entity, or CPF for a natural person.
- Social denomination: social denomination of the natural person or legal entity. Example: Fortes Computer Science Inc.
- Product: product type. Example: Nettion Professional, according to the license acquired.

Having filled out the fields of the first registration form, the administrator should click the Next button. The second registration form appears, as shown in the illustration.

Figure 2.2: Second Registration Form (fields: API 01.001.001.0001-01; Company: YOUR COMPANY NAME INC; Operational Code; Answer Code; button Get on line).

- Operational code: code used to generate the answer code.
- Answer Code: code that releases the registration of the product.

In this second form you should supply the Answer Code. The administrator obtains the answer code after requesting the release of your software version from our commercial department, by clicking the Get On-line button. A window opens with the code; the administrator should copy the code shown into the Answer Code field of the form and finally click Register. Register Success. We will now discover how to configure the product in order to use all the resources the software offers.

2.3 Login

To access Nettion's ad...
...n that opens a navigation window in the folder, or click the Select File button, which presents a list of the safety copies available for restoration.

Figure 14.7: Restore (Used 1050 MB, Free 6522 MB; Upload; Select File; buttons Back, Items).

The administrator should select the wanted backup file and click the Select button.

Observation: the backup file should be of the same version as the installed Nettion.

After selecting the file by one of the means mentioned, choose among the modules contained in the backup which ones will be restored, and then click Select modules. Do not forget that the selected module(s) will be uncompressed and saved on the machine, overwriting the current data of the corresponding module.

ATTENTION: this is a very simple process, but extremely critical, because when recovering a backup, depending on the case, we are overwriting the current system settings.

14.5 Pruning

The several services that run in Nettion constantly record their activity in logs. The size of the log files varies depending on the number of users, the access permissions and the number of active services. In order to free disk space, the oldest logs should be gradually deleted. This process is called Pruning.

14.5.1 Settings

Disk Status by Partition

Figure 14.8: Disk Status by Partition (Used, Free 1106 MB).
...n to the client. It is not automatically deleted, because a message can have key words and formats that identify it as an undesired message (spam) when it really is not. Thus each user must define filters in their e-mail reader to separate the legitimate messages from the undesired ones. The sensitivity number indicates the score limit a message can reach before it is given spam status. The SMALLER the number, the more easily a message is classified as spam.

Figure 12.17: Antispam Settings (fields: Identify messages as spam if score greater or equal than; Mark the subject of messages identified as spam with: POSSIBLE SPAM; Block spam in quarantine; Block spams if score greater or equal than; Learn user classified messages: Spam e-mail, No spam e-mail, Start learn; Save settings. On-screen note: the lower the value, the more e-mails are trapped by the antispam.)

HTML (Hypertext Markup Language): a language used to create web pages and e-mails with richer formatting, such as bold, font colors and images.

The new version of the Nettion antispam adds support for users to train it with messages in spam and no-spam mode. Mark the Learn user classified messages option if you want to activate this resource. If you decide to use it, you should configure two e-mail accounts, one for messages classified as spam and oth...
...nd and receive internal messages. With that you prevent the addition of external users and improve productivity in your company. The NettionPlug also allows communication with other networks of the same company. Besides saving phone bills, you still guarantee the safety of the messages sent and received, since the application is not subject to virus infection and other common Internet threats.

15.3.1 Settings

Chat Server configuration is quite simple, since your users and your authentication are totally integrated with Nettion. With that, your organization's Chat integration becomes even simpler and faster. To configure it, access the menu Chat Server > Settings of your Nettion. In the following screen fill out the data as shown in the illustration.

Figure 15.2: Chat Server Settings (fields: Domain; E-mail of administrator, e.g. admin@yourcompany.com; Interface of working: All; Save settings).

- Domain: your company's Internet domain. This domain is part of the user's identification in Chat Server.
- E-mail of administrator: the administrator's e-mail in Chat Server.
- Interface of working: indicate the Nettion network interface that will receive connections. Note that if you select only your local interface, only machines of your local network can connect to the Chat Server. Likewise, if you select only your remote interface (the interface connected to the Internet), only machines on the Internet will have access to the Chat Server. Selec...
...ntrol through related rules: schedules, domains, words or regular expressions, user groups, or related host and network objects.

6.1 Necessary Firewall Rules

As with any other service, the Proxy needs releases in the Firewall to work properly. The necessary rules are:

6.1.1 Intranet > Nettion

It is necessary to create a rule that allows the users of the internal network (and of other networks that also need it) to access Nettion on the services squid (port 3128) and DNS (port 53). See the table for a summary of the Firewall rule (page 49).

Rule: Intranet > Nettion (Destination services: squid, dns)
Table 6.1: Firewall Release Intranet > Nettion

6.1.2 Nettion > Internet

It is also necessary to allow Nettion access to the Internet to look up sites. For that, Nettion should access the default Web services (http, https and tomcat) and also the DNS service (name resolution). See a summary of the necessary rule in the table on page 49.

Rule: Nettion > Internet (Source: localhost; Destination: Any; Services: http, https, tomcat, dns; Action: Accept)
Table 6.2: Firewall Release Nettion > Internet

6.2 Settings

Nettion makes it possible to work with a transparent proxy or with authentication. We will cover both cases.

6.2.1 Proxy with Authentication

Proxy use with authentication works with cache and access control, with the possibility of restrictions by user. For proxy use with authentication it is necessary to...
...of cadastre items and its controls for the maintenance of object items. The maintenance of the used items follows the default procedures used for object maintenance: inclusion, editing and exclusion. The Edit, Items and Delete buttons are only enabled when an object is selected.

Figure 4.3: Items button

4.1.4 Object Exclusion

To exclude a specific object, it is enough to select it and click the Delete button.

Figure 4.4: Delete button

The administrator can select more than one object and delete all of them by clicking only once on the appropriate button. To select consecutive objects, keep the Shift key pressed, click once on the object that starts the selection and a second time on the object that concludes it. A screen is displayed requesting confirmation of the exclusion of the selected object(s), to avoid the administrator excluding one or more objects accidentally.

Note: the system will not perform the exclusion when the object has registered items, or when it is associated with Firewall, Proxy or Bandwidth Control rules, etc., unless the association is removed first.

4.1.5 Object Search

To consult an object, it is enough to access the consultation tab in the cadastre of the wanted object. Each object has its own consultation options; however, all the screens follow the same operation pattern. The illustration that follows displa...
...offers a port suggestion automatically. Each OpenVPN tunnel works on a different port; remember to create a firewall rule corresponding to this port to release the VPN connection.
- Protocol: UDP (default).
- LZO Compression: apply to optimize the traffic inside the VPN with data compression.

See the following illustration.

Figure 15.14: Creation of OpenVPN Rule (fields: Type of the tunnel; Types; Status; Port; Proto; LZO compress; buttons Back, Items).

Step 2: In the following page, define:
- Local: IP: indicate the IP/Hostname through which the Nettion clients will find this Nettion. Virtual IP: indicate a virtual IP for the connection between the Nettions after the VPN is established. Example: 192.168.200.1. Nets: indicate the local network(s) that will connect with the remote network(s).
- Remote: IP: indicate the Nettion client's IP. If it does not have a static IP, leave this field blank. Virtual IP: this field is filled out automatically. Nets: indicate the remote network(s) that will connect with the local network(s).
- Click the Finish button to create the connection.

See the following illustration.

Figure 15.15: Definition of OpenVPN Connection Nets (example: Local IP 200.200.200.1, Virtual IP 192.168.224.1, Nets: Intranet; Remote IP 200.253.200.200, Virtual IP 192.168.224.2, Nets: Filial Net; buttons Back, Items).

Configuring the OpenVPN Cl...
...ole access filtering. It is possible to establish, through its rules, which users have access to MSN and even with which contacts they can communicate, besides auditing the chats. For that it is necessary to block any other form of MSN access and to configure, in the stations' MSN settings, Nettion as the Socks server and Proxy, obligatorily. See how to avoid direct MSN access.

15.4.2 Blocking MSN Direct Access

By default the MSN software seeks several communication alternatives with its server on the Internet; to force it to leave only through Blitz it is necessary to block such direct-access alternatives. If the stations of your network are using the Nettion Proxy, the following settings should be made:
1. Block the expression gateway.dll. To do so, follow these steps:
   - Create an expression objects group called Block MSN (for any doubt on how to configure expression objects see Chapter 4, Objects).
   - Add to this group the term gateway.dll, as a word (not whole word), in any position.
2. Create a Proxy rule blocking the expressions group created above. Apply this rule to all users, or to the users for whom you want to block direct MSN access. Create this rule in first position, so that no other, more generic rule releases the access (for any doubt on Proxy rules see Chapter 6, Proxy).
3. Release some URLs that MSN uses for user authentication on its server. In the same way...
...ource/Destination Accounts Selection. At the end, click the Finish button to conclude the rule creation.

15.7.5 Starting GetMail Service

Start GetMail through the menu System > Services > Getmail. To obtain more information on how to start services in Nettion, see topic 14.1.

15.7.6 More Information

For more information about the settings of this plugin, also access the site www.nettion.com.br.

A product by Nettion Information Security.
Northeast Brazil, Fortaleza City, Factory: Phone 55 85 3878 1900, Fax 55 85 3878 1920, Oliveira Paiva Avenue 941, Cidade dos Funcionários, ZIP Code 60822-130.
Fortaleza City, Administration: Phone 55 85 3878 1900, Fax 55 85 3878 1920, Antônio Fortes Street 330, Água Fria, ZIP Code 60813-630.
Southeast Brazil, Sao Paulo City: Phone 55 11 3013 3010, Cincinato Braga Street 59, Cj 5 B1, Bela Vista, ZIP Code 01333-010.
comercial@nettion.com.br, www.nettion.com.br
ously established pattern. For networks the following fields should be filled out:

Figure 11.4: Specification of Network DHCP (form fields: Mask, IP range Begin/End, Primary DNS, Secondary DNS, Default Gateway, Allow only configured MACs; note on the form: keep the DNS and gateway fields blank to use the global settings)

- Network IP: IP of the network. Example: 128.0.0.0
- Mask: network mask. Example: class B pattern, /16
- IP Range: range of IPs that will be supplied by Nettion
  - Begin: initial IP of the IP range. Example: 128.0.0.21
  - End: last IP of the IP range. Example: 128.0.0.50
- Interface: interface that will answer the network's requests

If you want to work with the entries in DHCP Global Settings, the other fields are not necessary; otherwise they should be filled out.

Chapter 12 E-mail

12.1 Settings

Nettion can also be used as your e-mail server, doing all the administration work of multiple domains and users, integrated with a quite robust antivirus system, updated daily, and an anti-spam with a learning system and quarantine. As the base for this function, Nettion uses a Linux e-mail server called Qmail, well known for its safety and stability in administering a great number of accounts. Besides this function, Nettion offers integrated authentication, a quota system by user, block
ple: www.nettion.com.br. It will bring a list with all users who accessed the site www.nettion.com.br. Example: Nettion. It will bring a list with all users who accessed some site whose URL contains the word Nettion.

6.5.2 By Domain

This report allows the Nettion administrator to generate access reports for a certain period, grouped by domain, according to the fields SINCE DATE and TO DATE. The administrator can select a specific group for which the report will be exhibited, or just specify one user.

- Clicking the hits column, the administrator will see the detailed report regarding the domain.
- Group: specifies for which group the report will be shown. Example: Development. It will exhibit all accesses accomplished by the Development group in the period specified in the fields SINCE DATE and TO DATE.
- User: specifies for which user the report will be shown. Example: Sophia. It will exhibit all accesses accomplished by Sophia in the period specified in the fields SINCE DATE and TO DATE.

6.5.3 Top

This report allows the Nettion administrator to identify which were the top accesses, through three different reports: by User, Domain or Host. Top Users also allows the selection of one of three measure units: Traffic (amount of bytes transferred), Hits (number of accesses done; each item of a site represents a hit) or access time, which considers the sites' load time (web files), in other wo
Figure 10.6: Report of Detected Signatures (listing of alerts with description, source and destination IP and port, protocol, time and date; paging controls Previous/Next and the field List with interval of 15 alerts)

- Time and Date: hour and date at which the NIDS registered the alert. Example: 16:20:47 07/04/2003

The administrator can select the number of alerts to visualize per page by altering the field List with interval of 15 alerts, which by default presents 15 alerts. If the administrator wants to add one of the IPs presented in the list to the blocked IPs, he should click the wanted IP and confirm the block in the dialog that will request confirmation.

Last PortScans

This report shows the details of the portscans accomplished: source IP, number of connections by host, protocols used and date and hour of the portscan. Clicking one of the list items, the administrator will be asked to confirm the inclusion of the portscan's source IP in the list of blocked IPs, as the illustration displays.

Illustration: portscan listing with the columns Alert, Description and Time & Date (entries of the kind "End of portscan from ...", "portscan status from ..." and "PORTSCAN DETECTED to port ... from ...", each with TCP/UDP counts and STEALTH flag)
pt it to your network environment.

Chapter 2 Installation, Register, Login

2.1 Installation

Nettion works on the Linux distribution Nettion Linux, totally appropriate and optimized for the operation of all its resources. Therefore its installation demands a dedicated machine and does not require a preinstalled operating system. Its Installer (Setup) already integrates the installation of Nettion Linux and of the resources' Administration Interface. The Installation Guide of the product on your hardware is a separate document, which can be easily accessed on Nettion's website or through the Installation Guide link.

2.2 Register

After the installation, access your Nettion through a browser (Mozilla Firefox or Internet Explorer) using the IP address that you configured during the installation. Example: http://192.168.254.1. At this time you will have access to the logon screen of the product's Administration Interface, through which you will make all the settings necessary to adapt Nettion to your company's network environment. Logging on for the first time, the software registration process will begin. The product registration is an obligatory procedure, because only after registration is its use allowed. In the first register form the administrator should fill out the fields with the company's information and the Nettion version that is being registered, according to the illustration.

Illustration: REGISTER form (CMPI 01 001 001 0001 01 Co
r Expression.

- Word: word that should be identified in the URL by Nettion's proxy. Example: sex
- Position: position in which the word should be identified. If, for instance, you want to identify URLs ending in exe, choose the option "in the end".
- Complete Word: select Yes to identify only the whole expression, in other words it will not be identified when the word is contained in other words. For example, for the word sex, sexology would not match the pattern. Select No to match the word even inside other words; in that case the sexology example will match the word sex.

Nettion allows the inclusion of more complex regular expressions through the choice of the Regular Expression type; however, the Word type associated with the other options, such as Position and whole expression, can cover a great part of the cases.

4.5 Schedules

In the schedules register, a list of schedules should be created that will be used in Nettion's settings. With those schedules the administrator can create rules in Proxy, Firewall etc. to do access control.

4.5.1 Support of Schedules Cadastre

The maintenance of the schedules register and of its items follows the previously established pattern. For schedules the following fields should be filled out:

- Object: name to be given to the schedule. Example: Expedient
- Description: text detailing the schedule. Example: Schedule of normal work

4.5.2 Determining Intervals
r VPN, it is always restarted automatically. Example: Auto
- Connection Status: whether the connection is active or not.

Note: the administrator can import the key of the Nettion being configured by clicking the Import my public key button.

Setting tips:

1. When configuring a VPN between 2 Nettions, open a browser window for each one of them.
2. The settings on the 2 sides will be totally IDENTICAL, except in cases of dynamic IP use. This means that if the administrator registers the data of Nettion 1 as being Nettion A of the setting, when accomplishing the setting of Nettion 2 the information will be identical, including positioning Nettion 1 as side A.
3. In settings where Nettion 1 is side A (static IP) and Nettion 2 is side B (dynamic IP), side B will obligatorily have the Default Route item marked as gateway. Following the previous tip, the administrator is led to configure the same item in the same position in each Nettion; however, this is the only exception to the rule. Looking at Nettion 2, in the setting items on side B the administrator will configure the Default Route item; to see this same setting in the same position on side A, the administrator will have to configure the Any item.

Note: whenever there is a VPN setting between a static IP and a dynamic IP, the fields corresponding to the static IP will be identical in both Nettions; however, the setting fields corresponding to the dynamic IP side will be different in the Nettion with dynamic
r portscan characterization. Here the administrator can increase or reduce the NIDS sensitivity for the detection of invasion attempts. To increase the sensitivity, it is enough to reduce the number of ports per interval of time; to decrease it, increase the number of ports per interval of time, as illustration 10.3 displays. Afterwards click the Save Settings button.

Figure 10.3: NIDS PortScan Settings (fields: Number of ports, Interval in seconds, Restore default values; note on the form: specify here the number of ports and the interval to consider a portscan from a same machine, valid for UDP and TCP Syn packets)

10.1.4 Detection of Signatures

Nettion has more than 1,600 registered types of invasion attempts, which are differentiated by type and are exhibited when the administrator clicks the Signature Type field. As examples of signature types we can mention Backdoors, DOS, Exploit, WEB-IIS etc. When you click one of these signature types, the Enable/Disable Signatures button will be activated. When clicking this button, a list of signatures referring to the selected item (example: WEB-IIS) will be presented to the administrator. Here the administrator selects the signatures he considers important for the NIDS to monitor, as shown in illustration 10.4.

Figure 10.4: Selection of NIDS Signatures (Enable/Disable Signatures)

At the list's end there is a button that selects all r
rder to start the updating process of your Nettion software.

Figure 14.12: Update File's Upload

When finished, return to the previous page and begin the update, selecting the new version file through the Search button. After selecting it, click Upload and, in the following screen, Update to begin it. The existing system settings will be maintained; in other words, all objects, groups, rules and other information will stay as before. If the update has some consequence, this will be informed along with the update's information.

14.7 Graphs

Nettion offers graphs of your equipment's resource consumption, which are useful for evaluating a possible machine overload. See the following graphs: CPU usage, Memory and Disks.

14.7.1 CPUs

In the CPU usage graph you can obtain a history of CPU usage by user and by system within a time period, it being also possible to follow it in real time by clicking the Start button.

Figure 14.13: CPU Usage Graph (CPU0 Utilization, percent over time for the period From 26/06/2008 To 26/06/2008; legend: User, System and Total, each with Last, Average and Maximum values)

14.7.2 Memory

In the memory
rds, the time that the user really used the proxy.

6.5.4 Blocked Accesses

This report allows Nettion's administrator to generate analytic reports of accessed sites that were blocked for the respective user in a certain period, for simple identification of unauthorized access attempts. If the fields are not filled out, the report will be general.

6.5.5 On-line

This report allows Nettion's administrator to follow online the sites that are being accessed. To begin following, the administrator should click the Start button; to interrupt, click the Stop button.

6.6 Graphics

Besides the reports, Nettion also makes available real-time graphs of the accesses of users or network hosts. Through them the administrator will be able to analyze graphically the accesses of all or of a specific user within a chosen period. Two options of graph are available: by user or by host.

To access the Graphics, use the menu Proxy > Graphics > Users or Hosts. The graphics are initially loaded with the data of all users or hosts, according to the example in the illustration. Use the selection in the graphic's upper part to visualize the graph of a specific user or host.

Illustration: Proxy Utilization graph (ALL users; bytes over time)
rs to which the alias will refer; in the example, george@default.com.

12.5 Antivirus

Every day people with bad purposes create viruses to harm and infect systems and computers. An antivirus that blocks all suspicious files but does not have an updated virus list in its database would be of little use. This way, a good tool should supply an instantaneous and configurable updating system.

12.5.1 Updating

That is the first way for Nettion to update: done immediately, when it is most appropriate to the administrator. Nettion searches for the most updated base and synchronizes it with the local base, keeping the system stronger.

Figure 12.14: Antivirus Update (button: Update virus database)

12.5.2 Scheduling

It is also possible to define an ideal moment, at the administrator's criterion, for Nettion to update the virus base. For that, define the day and schedule for the update to happen, filling out the form below, and then save the settings.

Figure 12.15: Antivirus Update Scheduling (field: Day, with "Not applicable" as an option; Save settings)

12.5.3 Historical

Nettion allows direct follow-up of the database updating report. There are three possible states for each update:

- Successful with updates: when Nettion searched for updates in the database and it became necessary to update the local base.
- Successful without updates: when Nettion searched for updates in the database but the lo
rt the destination object of the data. In this case select the object Internal Net, previously created.
Port of Origin: insert the origin port of the data. In this case insert 110.
Port of Destination: insert the destination port of the data. In this case select Any, clicking the side box.
Minimum Speed: insert the reserved band. In this case insert 100 Kbits.
Maximum Speed: insert the maximum allowed band. This field defines how much of the idle band can be used by this rule. In this case, as we want to restrict it, insert the value 100 Kbits.
Priority: defines the priority of this rule in relation to the others. In this example select the value 1.

Figure 7.4: POP3 Rule (form fields: Name, Description, Source Object, Destination Object, Source Port, Destination Port, Min Rate, Max Rate, Priority)

Again access the Eth0 Interface graphic to visualize how the Bandwidth Control is being applied. Observe that now a white circle appeared, representing the created rule. See the illustration on page 65 (image of Rules and Classes).

Figure 7.5: Eth0 Interface, New Graphic (Class 1 and Default)

7.4 Activating Bandwidth Control Service

After these settings it is necessary to activate the service. For that click the menu System > Services. Th
s above the boxes. If Nettion is using NTLM Integrated Authentication, the authentication has already been negotiated and the authentication box will not appear asking for it again.

Figure 6.7: Objects Selection (Users/Hosts) of the Rule (fields: Host/Network, Groups/Users, Except users)

6.5 Reports

Nettion makes managerial reports on the accesses through the proxy available to the administrator. When authentication is used, the administrator can filter the accesses referring to each user.

6.5.1 Default

This report allows the Nettion administrator to generate analytic reports of specific accessed sites in a certain period. If the fields are not filled out, the report will be general. The fields for composing the reports are:

- User: selects for which user the report will be shown. Example: Sophia. It will bring all accesses accomplished by the user Sophia in the period specified in the fields SINCE DATE and TO DATE.
- Host: specifies from which machine the Internet access originated. Example: 10.0.0.36. It will bring all accesses accomplished from the machine 10.0.0.36 in the specified period.
- URL: complete address, or part of an address, for which you want to know who accessed it in the specified period. Exam
s case the administrator should edit the users in the domain controller and synchronize the user bases again in the Authentication option of the Users and Groups menu. See item 5.3.1.

5.3.1 Support for Users Cadastre

The maintenance of the users register proceeds like the previously established pattern. For the users register the following fields should be filled out; see illustration 5.4 below.

Figure 5.4: Inclusion/Edit Users (fields: User, Name, Password, Confirm, Group, Extra groups, Access Profile to the System Management Interface)

- User: user's login. Example: John
- Name: user's name. Example: John Simpson
- Password: password for access.
- Confirmation: confirmation of the password.
- Group: default group of which the user will be part. Example: Commercial
- Additional groups: additional groups of which the user will be part. Example: Financial

5.4 Access Profiles

Starting from version 3.98, Nettion Security Software contains access profiles. To create access profiles and attribute a profile to each user, access Users/Groups > Access Profiles.

Figure 5.5: List of profiles (Name and Description: System Manager, Total Access to System; Top Proxy, Access to Top Proxy Report; Firewall Manager, Access to Firewall Functionality)

This functionality
s possible to visualize in one screen the current state (status) of all services supplied by Nettion; it is also possible to start or stop any service. For that, click the option System > Services to access the list of Nettion services. The current status of each service (Started or Stopped) will be exhibited, with the option of altering its status. There is also the possibility of making it start with Nettion, through the Auto option. See illustration 14.1.

Figure 14.1: Services List (columns: Auto, Service, Action; services listed include Blitz MSN Control, Chat Server, Bandwidth Control, GetMail Server, E-Mail POP3/IMAP, E-Mail SMTP, Name Server, DHCP Server, Firewall Server, Proxy Cache Server, VPN IPsec and VPN PPTP; actions Start, Stop and Restart; option "Apply changes to selected items")

The Action column will present three buttons for each service, Start, Stop and Restart, with which the administrator can start, stop or restart the respective service. If a service is running, the Stop and Restart buttons will appear active; if it is stopped, only the Start button will appear active. Remember to cli
15.5.1 Nettion-Nettion 138
15.5.3 Nettion Users 142
15.5.5 Active Connections 145
15.6.1 How it Works 149
15.6.2 Master Domains 149
15.6.3 Master Domain Items 151
15.6.4 Slave Domains 152
15.6.5 Slave Domain Items 153
15.6.6 Reverse Domains
15.6.8 Firewall with DNS
15.7 GetMail
15.7.1 Advantages
15.7.2 Settings
15.7.3 Source Accounts
15.7.4 Rules
15.7.5 Starting GetMail Service
15.7.6 More Information

Chapter 1 Introduction

1.1 Presentation

With the need of organizations for a direct connection to the Internet, the factor Security of Information became a primordial investment, no longer a characteristic just of great institutions. The reason for this change is that, without the protection of the company's network environment, it will sooner or later be subject to significant institutional damage, either moral or material
selection that will be used for the masks of each gateway, as shown in illustration 3.22 ahead.

Figure 3.22: Creating Rule, Advanced Settings (option: mask dynamically (NAT) the connections from this route; note on the form: each one of the selected gateways can use an alternative IP for the masquerade; by default each gateway uses the IP of its device; if necessary, select another IP for your gateway; Gateways: eth0 200.200.200.254)

3.2.6 Dynamic DNS

Dynamic DNS services are especially useful for Internet connections with dynamic IP addresses, because they allow you to find your Nettion by a name, as for instance nettion.mycompany.dyndns.org, and make connections like VPN. Setting this service in Nettion guarantees the DNS update when the interface IP address changes (for instance ADSL, or Ethernet with DHCP). With that it will always be possible to access your Nettion by the configured host. To configure this service you should be registered in one of the following free Dynamic DNS services:

- No-IP: http://www.no-ip.com
- DynDNS: http://www.dyndns.com
- ChangeIP: http://www.changeip.com

After registering on the service's site, you will have the user, password and host information that will serve as input for the Nettion settings. To add a service, click the Inclusion button and fill out the information b
sen item will be analyzed. After making the wanted alterations, it is necessary to click the Save Settings button for them to take effect.

Figure 10.2: Objects Selection to be Monitored (columns: Object, IP, Description, Reliable, Monitor; the list shows the registered objects such as LAN interfaces, DMZ, intranet, remote support links, localhost, servers and workstations)

10.1.3 PortScan Settings

The administrator should specify here the number of ports and the interval of time necessary to consider a portscan coming from a same machine. These settings are valid for both UDP and TCP packets. The standard value is the detection of four ports in an interval of three seconds fo
settings on gateway state change: mark this option if you want Nettion to redefine the gateway settings at each state change, as for instance the participation settings of the gateways in the default route.

Inclusion of new Gateways and Multiple Internet Links

If there is no configured gateway, or you want to include additional gateways for the case of multiple Internet links, follow these steps:

- Access the menu Settings > Net > Gateways.
- In the following screen, the listing of registered gateways, select the gateway that you want to edit and click the Inclusion button.
- In the following screen:
  Interface: indicates the Nettion interface that is directly linked to the gateway. In the case of a gateway for an ADSL connection, select the corresponding ADSL interface.
  Gateway: indicate the gateway's IP, in other words the IP through which Nettion will have Internet access, supplied by your access provider. In the case of a dynamic gateway, like DHCP or ADSL, mark the option Dynamic (Obtained).
  Participation in the default route: indicates the percentage of this link's participation in Nettion's standard exit to the Internet, in relation to the other gateways already registered. In case of a single link, the default will be 100.
  Timeout: indicate here the maximum time without answer, in seconds, after which Nettion will consider that a gateway is offline. Nettion will
sk in the xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy format. This way the name will be changed to the correct format.

15.6.7 Starting DNS Service

Start the DNS server through the menu System > Services > Server of Names. For more information on how to start Nettion services, see topic 14.1.

15.6.8 Firewall with DNS

So that external users can connect to Nettion, it is necessary to release the access in the Nettion Firewall. For that, create a rule allowing the access of any host (Internet) towards Nettion on the port established for the server. Supposing that the server is configured for the default port (53 UDP, 53 TCP), use the predefined DNS service and create a Firewall rule as shown in table 15.9. Create an object with the server name and its associated IP (see Chapter 4, Objects).

Table 15.9: DNS Server Access (Rule: Liberating DNS Server)

15.6.9 More Information

For more information about the settings of this plugin, also access the Step by Step tutorial available at Nettion's site, www.nettion.com.br.

15.7 GetMail

The GetMail NettionPlug works as a receiver of e-mail messages from remote servers (POP or IMAP), directing them to a single e-mail server, usually the company's default e-mail server, which facilitates the management of messages that concern the company's business. With GetMail the users don't need to access other people's e-mail accounts nor webmails, and th
ss your network as always.

15.5.6 More Information

You can also access the Step by Step tutorial available at Nettion's site, www.nettion.com.br, for more information on how to configure the plugin server and clients.

15.6 DNS

DNS is the NettionPlug responsible for direct and reverse name resolution. DNS is a hierarchical system. The highest level is represented by "." and denominated root. Under it there are several Top Level Domains (TLDs), ORG, COM, EDU and NET being the best known. There are 13 root DNS servers in the whole world, and without them the Internet would not work. Of these, ten are located in the United States of America, one in Asia and two in Europe. To increase the installed base of these servers, replicas were created all over the world, including in Brazil since 2003. In other words, the directory servers responsible for providing information like names and addresses of machines are usually called name servers. On the Internet the name service used is DNS, which presents a client-server architecture and can involve several DNS servers during the answer to a query.

15.6.1 How it Works

The DNS service architecture is distributed in Masters and Slaves. The first is the responsible one, and it is what should be altered initially. It is that server which notifies the other servers where the replicas of the information are. Those are called Slaves because they just receive the Master
t's gateway after the connection. Example: 128.0.0.1
- Range IP Client: range of IPs that will be supplied to VPN clients. Example: 128.0.0.11-20

The administrator should register the users that will use the VPN PPTP, which we will call clients, and can attribute an IP to a client, which will be selected for the ones that need differentiated treatment in the firewall at each connection; or can allow the PPTP server to attribute one of the IPs within the range informed in the server settings at the moment of connection.

Important: so that PPTP clients can access your network, and so that they can also be accessed, it is necessary to create a traffic release rule. See the rule summary for an example where the VPN network and the local network are in 128.0.0.0/24, in the table on page 77, considering that:

- Local Net: object of type Host/Network configured for 128.0.0.0/24
- Any: any service, which can be accessed between the networks. Choose specific services if necessary.

Note: to allow the connection to be initiated from both sides, unmark the option Established Service and/or Related on Connection's Return in the advanced settings of this rule.

The exhibited list of registered clients can be ordered by the column Login, Name or Description. Click the specific column for the system to alternate the exhibition and ordering of the items in the table. It will be possible to use the scroll bar to navigate between the table items.

Rule: VPN PPTP Liberation
Table 9.2: Lib
tant, because once a packet is matched by a rule, the action of that rule is taken and it is not processed any more by the following rules. The data in an IP network are sent in blocks referred to as packets or datagrams (the terms are basically synonymous in IP, being used for data in different places of the IP layers). If some packet is treated by a rule whose action is Audit, it continues until it is treated by some other rule to Allow or Deny, or by the standard policy.

- Status: defines the rule status as active or inactive.

Figure 8.2: Basic Definitions of Firewall Rule (fields: Name, Description, Action, Position, Status)

After filling out that form, click Next and choose the schedules in which this rule should act, as shown in illustration 8.2 above. Schedules: if you want a rule to act always, choose Any (the default option). You can also use objects of schedule type to determine when the rule should act. Having defined when the rule should act, click Next and you will configure the rule proper.

Figure 8.3: Schedule Definition of Rule Application (tabs: Rule, Schedule, Apply to, Advanced; Schedule: Any)

Objects Selection for Rule Application

In Source Filters > Hosts you will define from which host(s) or network(s) the connection will begin. To make the selection, mark the selection box
tar button. The following screen will appear:

Figure 12.11: User Edit (fields: Quota in bytes, with an Unlimited option; Max number of messages, with an Unlimited option; note on the form: leave password blank if you do not want to change it)

The fields Name, Quota and Max number of messages can be edited. Alter them according to your need. If you want to use Forward to other e-mails (this option sends copies of the received e-mails to another account), mark this option and fill out the following field with the account to which a copy will be sent. If you want to direct to more than one account, separate them with a semicolon. Don't forget to Save Settings if you made some changes.

12.3.3 Inserting Users

When clicking the add button, the following screen will appear, allowing the addition of a new e-mail user:

- Login: the first part of the e-mail address, the one that appears before the at sign (@). Example: George
- Domain: the existing domains will be listed in a combo box. You should choose the domain for which you are creating the new account.
- Name: the user's name. Example: George Thompson
- Quota: maximum disk space that an account can occupy.
- Max number of messages: quota by number of messages.
- Password: user's password.

If you want to forward a copy of the received messages to another e-mail, mark the Forward to other e-mails option
Figure 15.20: Advanced Specifications of OpenVPN

15.5.5 Active Connections

In active connections, the VPN connections currently established to Nettion will be listed. In the listing it is possible to identify the user's name and the date and time at which the connection was established, and it is also possible to disconnect the user through the Stop button. See illustration 15.21.

Figure 15.21: Active Users List

Reports

In VPN > OpenVPN > Nettion Users > Reports > Connections you have access to the history report of connections made to the OpenVPN server. Through the filter it is possible to do detailed searches on the accesses made, as the following illustration 15.22 shows.

Figure 15.22: VPN Access Report (filter fields: User, From Date, To Date, Virtual IP, Remote IP, Interval; columns: User, Start Date, Start Time, Stop Date, Stop Time, Remote IP, Virtual IP)

Firewall

So that e
... the session, as Figure 15.4 displays.

Figure 15.4: Basic Blitz Settings (Port: 1080; Policy of access; option "Apply notification at the beginning of the session": "Your chats are being audited and recorded by Nettion Blitz"; Save settings)

The default policy is usually defined as "Deny any access", and through rules only the users who really need access to MSN are allowed, as well as the contacts with whom they can communicate.

15.4.6 Automatic Cataloguing of Contacts

Through the Contacts and Groups menus of Blitz you can manually insert the contacts with whom your users will be able to communicate, as Figure 15.5 displays.

Figure 15.5: Manual Inclusion of a Contact (fields: Name, E-mail / MSN Passport; Save settings, Back, Items)

However, Blitz offers an automatic way of cataloguing these contacts, which happens when a user makes their first connection through Blitz. This makes rule maintenance easier, as will be seen further on. In the User Passports tab it is possible to see the contacts organized for each passport. To see the contacts of a passport, select it and click the Items button, as Figure 15.6 displays.

Figure 15.6: Contacts of the selected passport (example rows: john simpson, John Simpson, john.simpson@yourcompany.com; kelly watson, Kelly Watson, kelly.watson@yourcompany.com; mel phillipe, Mel Phillipe, mel.phillipe@yourcompany.com; newton.smith@yourcompany.com)
These are tips for basic firewall rules that can and should be complemented; there are many other rules that should be created to make your firewall truly effective. Such rules depend on factors such as:
- the company's security policy;
- the services and external applications used;
- the internal services and applications accessed externally;
- etc.
Examples of other rules can be found in this document in the settings of other Nettion modules, such as Proxy and VPN.

8.4 Reports

Through the Firewall report you have access to the records generated by the Log rules of your Firewall. The search filters allow you to filter by a specific log rule as well as by an advanced selection of hosts and services. See the illustration that follows.

Figure 8.7: Firewall Reports (filter fields: Rule Position, From Date, To Date, Interval; Advanced search)

Chapter 9 VPN

A VPN (Virtual Private Network) uses the internet as a secure communication medium between two points. To guarantee the security of the information in transit over the public medium that the internet represents, Nettion, through its VPN functionality, creates a communication tunnel between the two points through which the traffic is encrypted. That means that only these two points hold the key to decrypt and interpret the data received. Nettion possesses four types of VPN:
- PPTP
- IPSec Public Key (RSA)
- IPSec Shared Key (PSK)
Note: PPTP relies on MS-CHAPv2 authentication, which is known to be weak; prefer the IPSec or OpenVPN options where the clients allow it.
With this resource you can interconnect the networks of the head office and other branches, or allow an external user to access the network in a simple and secure way. A great differential of OpenVPN is its ability to operate even over internet connections behind NAT, as in the networks of hotels, cyber cafés or airports. After installation (see the topic in this chapter) you access this plugin through the menu VPN > OpenVPN of your Nettion. It offers two types of connection, as will be shown.

15.5.1 Nettion-Nettion

This option allows two or more networks to be interconnected through VPN, for example a subsidiary to the head office, each one with Nettion and the OpenVPN plugin installed. In this case one of the Nettions will be the VPN server and the other the client.

15.5.2 Configuring the OpenVPN Server

To configure a Nettion-Nettion OpenVPN connection, access the menu VPN > OpenVPN > Nettion-Nettion > Connections. The following screen will be exhibited:

Figure 15.13: Listing of OpenVPN connections (columns: Name, Type (Server/Client), networks such as 172.16.0.0, 200.200.200.1, 200.253.200.200, 10.0.0.0, 192.168.1.0; buttons Back, Add, Edit, Items, Del, Reload)

To create a new connection, click the Add button. The following steps should be followed:

Step 1: On the first page of the wizard define the following fields:
- Type: Server
- Name: identifies the connection's name
- Status: Active
- Port: Nettion already ...
... ticate in the proxy.

Figure 5.1: User's Authentication (options: Use Nettion; Use NIS Server (Unix); Use Windows domain; Authenticate in the local base of users and groups; Authenticate in a remote base of users and groups, with IP Address, Port and Password; Synchronize Nettion Users and Groups with remote Nettion; Save settings, Back, Items)

5.1.1 NIS Server

To use the NIS Server (Unix) option, fill in the fields:
- Domain: the NIS (Network Information Service) domain where the users are registered on the server. Example: NISGROUP
- IP Address: the server's IP address. Example: 192.168.0.1

5.1.2 Windows Server

To use the Windows Domain option, fill in the fields:
- Domain: the domain where the users are registered on the server. Example: corporation
- Server Name: Example: Serv-corp
- IP Address: the server's IP address. Example: 10.0.0.2
Activate the settings by clicking the Save Settings button.

Windows Server with Synchronization and NTLM

Operation of the NTLM system: this option makes Nettion negotiate with the Windows server the authentication already performed by the users' browsers, avoiding the need to identify the user (login and password) each time they browse. Remember that this option only works in a Windows/Samba network environment where the machines and users are properly logged in to the domain. NTLM in Nettion: since version 2.5 Nettion Security Software supports the ...
... ting. All machines, both local and remote, will connect to the Chat Server.

15.3.2 Client Software (Stations)

For users to access Chat it is necessary to have software compatible with the Jabber protocol installed on their stations. The following software is the best known and most used for this:
- Windows: Pandion, Exodus
- Linux: Kopete

Client software configuration: in the client software configuration, enter the internal IP of Nettion as the server and, for user authentication, use the username in the form username@yourcompany.com, where yourcompany.com is the domain used in the server settings (see section 15.3.1). Example: john@yourcompany.com. The password follows Nettion's integrated authentication, which can be in Nettion itself, in Windows Active Directory, or in a NIS server (Linux).

15.3.3 Firewall

For network stations to have access to the server, you must authorize it in the Nettion Firewall. The port to be opened, by default, is TCP 5222. A summary of the Firewall rule to be created follows in Table 15.1.

Table 15.1: Chat Server Rule
Rule: Chat Server | Origin: Intranet | Destination: localhost (Nettion) | Service: Chat Server

Observe that this rule covers access from the internal network object to the Nettion Chat Server; add other networks if necessary. Create a service object for this port called Chat Server, with port TCP 5222 (see Chapter 4, Objects).

15.3.4 L...
... tion. You will also see that Nettion manages multiple gateways, handling all the redundancy and load balancing of the links.

Editing Gateways

A gateway is usually configured already during Nettion's installation on the equipment. If you want to edit its information, follow the steps below:
- Access the menu Settings > Network > Gateways.
- In the following screen, listing the registered gateways, select the gateway you want to edit and click the Edit button.
- In the following screen:
  Interface: indicates the Nettion interface that is directly linked to the gateway. In the case of a gateway for an ADSL connection, select the corresponding ADSL interface.
  Gateway: indicate the gateway's IP, in other words the IP through which Nettion will have Internet access, supplied by your access provider. In the case of a dynamic gateway, like DHCP or ADSL, mark the option "Dynamic (Obtained)".
  Participation in the default route: indicates the percentage of this link's participation in Nettion's default Internet exit. In the case of a single link, the default is 100%.
  Timeout: indicate here the maximum time without answer, in seconds, after which Nettion will consider the gateway offline. Nettion changes the gateway's state to down when it stops answering within the stipulated time. To not set a time limit, select the option Limitless.
  Redefine ...
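The two settings that matter for redundancy are the participation percentage and the timeout. The following is an added example (not Nettion's implementation) that models what those fields imply: flows are spread over the links in proportion to their participation, a link whose last answer is older than its timeout is treated as down and skipped, and a "Limitless" timeout (None) never marks a link down. Gateway names, addresses, percentages and the simulated health-check ages are all assumptions for the example; the flow-to-link mapping uses a hash so that one source/destination pair always leaves through the same link while it is up.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    """One entry of the Gateways screen, plus a simulated health-check state."""
    name: str                    # e.g. "LINK1" (assumed)
    interface: str               # Nettion interface facing the gateway, e.g. "eth1"
    ip: str                      # gateway IP supplied by the provider (assumed)
    participation: int           # percentage of the default route
    timeout: Optional[float] = None   # seconds without answer before "down"; None = Limitless
    last_answer_age: float = 0.0      # constructed: seconds since the gateway last answered

    def is_up(self) -> bool:
        # A gateway is down once it has been silent for longer than its timeout.
        # With "Limitless" (timeout None) it is never declared down.
        return self.timeout is None or self.last_answer_age <= self.timeout


def validate_participation(gateways: List[Gateway]) -> int:
    """The percentages of all links must add up to 100%."""
    total = sum(g.participation for g in gateways)
    if total != 100:
        raise ValueError(f"participation must sum to 100%, got {total}%")
    return total


def select_gateway(gateways: List[Gateway], src_ip: str, dst_ip: str) -> Gateway:
    """Pick the exit link for a flow: weighted by participation, skipping down links.

    If a link is down, its share is redistributed over the remaining links in
    proportion to their own participation (the automatic failover the text describes).
    """
    live = [g for g in gateways if g.is_up()]
    if not live:
        raise RuntimeError("all gateways are down")
    weight_sum = sum(g.participation for g in live)
    # Hash the flow so a given source/destination pair sticks to one link;
    # if replies left through another provider's IP, connections would break.
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    point = int.from_bytes(digest[:4], "big") % weight_sum
    for g in live:
        if point < g.participation:
            return g
        point -= g.participation
    return live[-1]  # not reachable: point is always below weight_sum


def share_per_gateway(gateways: List[Gateway], flows: List[Tuple[str, str]]) -> dict:
    """Count how many of the given flows each link would carry."""
    counts = {g.name: 0 for g in gateways}
    for src, dst in flows:
        counts[select_gateway(gateways, src, dst).name] += 1
    return counts


if __name__ == "__main__":
    links = [
        Gateway("LINK1", "eth1", "200.200.200.2", 70, timeout=10),
        Gateway("LINK2", "eth2", "200.200.100.2", 30, timeout=10),
    ]
    validate_participation(links)
    sample_flows = [(f"10.85.8.{i % 250 + 1}", f"200.200.200.{i % 200 + 1}") for i in range(1000)]
    print("both links up:", share_per_gateway(links, sample_flows))
    links[0].last_answer_age = 30  # LINK1 silent for 30 s > 10 s timeout: down
    print("LINK1 down:   ", share_per_gateway(links, sample_flows))
```

The first line of output shows roughly 700/300 flows, the second shows everything on LINK2; an over-long timeout delays that failover for exactly as many seconds as you configure, and "Limitless" disables it.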
... users > Settings and follow these steps:

Step 1: On the first page of the settings screen configure the following items:
- Status: indicates the server status: Active.
- Connection name: indicates a name for the connection; Nettion will already make a suggestion.
- Default interface: here you can choose a specific interface (the one that has the public IP) or All, to wait for connections on any interface.
- Server IP: indicate the IP through which your Nettion will be found by clients. It will usually be your Nettion's public IP, but in situations where Nettion is behind NAT (a router, for instance) indicate the router's public IP, and make sure the router forwards the server port to Nettion.
- Virtual network: the network that will be created between Nettion and the connected users. Network: the virtual network; Nettion will already make an automatic suggestion. Mask: indicate the netmask; Nettion will also suggest one. Server IP: Nettion's IP on the virtual network. Clients IP: the range of IPs that will be supplied to VPN clients.
- Nets accessed by users: the networks to which Nettion supplies access for connected users. Select in the left column the local networks that will be offered to VPN users.
See the following illustration.

Figure 15.18: Nettion-Users Connection Settings (General settings; Finish)

Step 2: In Access Control indicate:
- By default, net valid users authenticated ...
... ware. Nettion is in constant evolution; consequently new system versions are released, making new tools available to the administrator that add functionality to the Nettion solution. Notification of updates is sent by e-mail to Nettion customers, and they are also notified through the top bar of the software itself, which shows a message indicating that a new version is available for update. Through the update menu (System > Update) the administrator checks the innovations of the released version in relation to the previously installed version.

Learn how to update your Nettion

In the update screen there are two frames: Step 1, Update (Verify and Download), and Step 2, Select File for Update. Clicking the Check Updates button (following illustration) makes Nettion check for the existence of a newer version. If there are no updates, the message "Without updating at the moment" is exhibited. Otherwise, the versions more recent than the installed one are listed, including detailed information about each of them.

Figure 14.11: Check for Updates (Nettion has an on-line update system, making the latest software version, with new features and eventual bug fixes, always available; Check Updates)

The next step is to download the update file. For that, click the Download button. At this point, in agreement with your contract conditions, the update file will be supplied. After the update file is downloaded, select it in ...
The example below shows these concepts.

Figure 7.1: Bandwidth allocation example. Besides allocating QoS on the internet link, it is desired to allocate different classes for two networks (Class A and Class B), and to subdivide Class A according to Web and E-mail access.

Figure 7.2: List of available network interfaces
- Eth0 192.168.0.254, Interface LAN (Configure, View Graph)
- Eth1 200.200.200.1, Interface LINK1 (Configure, View Graph)
- Eth2 200.200.100.1, Interface LINK2 (Configure, View Graph)

7.3 Settings

7.3.1 Network Interface Definition

Before beginning the Bandwidth Control settings, you must evaluate the scenario and identify the origin and destination of the data to be controlled. After identifying where the data starts and where it goes, you identify the interface on which control will be applied, which is the one that delivers the data directly to whoever requested it.

7.3.2 Classes

The first step is class creation, which means creating a bandwidth reservation on your link. At this point we still do not say to which host or service this reservation is destined; that is done in rule creation. Besides the classes created by Nettion's administrator, there is also the default class concept. The default class represents the remainder of the available bandwidth on the network device, in other words what has not yet been allocated to any class, and it is used by any traffic that has not been ...
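The scenario of Figure 7.1 (two networks with their own classes, Class A subdivided into Web and E-mail, and the default class taking the remainder) can be checked for over-allocation before it is typed into the Bandwidth Control screens. The following is an added example, not Nettion's implementation, that models an interface, its classes and subclasses, refuses reservations that exceed the parent, and computes the default class. The link size (1024 kbit) and the class figures are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class BwClass:
    """A band reservation on one interface (a 'class' in the text's terms)."""
    name: str
    reserve_kbit: int
    children: List["BwClass"] = field(default_factory=list)

    def reserved_by_children(self) -> int:
        return sum(c.reserve_kbit for c in self.children)

    def add_subclass(self, child: "BwClass") -> "BwClass":
        # A subclass (e.g. Web inside Class A) cannot exceed what its parent holds.
        wanted = self.reserved_by_children() + child.reserve_kbit
        if wanted > self.reserve_kbit:
            raise ValueError(
                f"{child.name}: {wanted} kbit exceeds parent {self.name} "
                f"({self.reserve_kbit} kbit)")
        self.children.append(child)
        return child

    def unreserved_kbit(self) -> int:
        # Inside a class, band not handed to a subclass stays with the class itself.
        return self.reserve_kbit - self.reserved_by_children()


@dataclass
class Interface:
    """The device on which control is applied: the one that delivers the data
    to whoever requested it (for downloads into the LAN, the LAN interface)."""
    name: str
    link_kbit: int
    classes: List[BwClass] = field(default_factory=list)

    def allocated_kbit(self) -> int:
        return sum(c.reserve_kbit for c in self.classes)

    def default_class_kbit(self) -> int:
        # The default class is the remainder: band not reserved by any class,
        # used by traffic that no rule has placed in a class.
        return self.link_kbit - self.allocated_kbit()

    def add_class(self, cls: BwClass) -> BwClass:
        wanted = self.allocated_kbit() + cls.reserve_kbit
        if wanted > self.link_kbit:
            raise ValueError(
                f"{cls.name}: {wanted} kbit exceeds link {self.name} ({self.link_kbit} kbit)")
        self.classes.append(cls)
        return cls


def build_example_plan(link_kbit: int = 1024) -> Interface:
    """The scenario of the text, with assumed figures: two networks get their
    own classes and Class A is subdivided into Web and E-mail."""
    lan = Interface("eth0", link_kbit)          # control on the LAN side (delivery to requesters)
    class_a = lan.add_class(BwClass("Class A", 512))
    lan.add_class(BwClass("Class B", 256))
    class_a.add_subclass(BwClass("Class A - Web", 384))
    class_a.add_subclass(BwClass("Class A - E-mail", 128))
    return lan


def plan_summary(iface: Interface) -> dict:
    """Flat view of the reservation: class name -> kbit, plus the default class."""
    summary = {}
    for cls in iface.classes:
        summary[cls.name] = cls.reserve_kbit
        for child in cls.children:
            summary[child.name] = child.reserve_kbit
    summary["default"] = iface.default_class_kbit()
    return summary


if __name__ == "__main__":
    for name, kbit in plan_summary(build_example_plan()).items():
        print(f"{name:>18}: {kbit} kbit")
```

Run as a script it prints each class with its reservation and the 256 kbit left to the default class; trying to add a third class of 512 kbit, or a third subclass inside Class A, raises instead of silently starving the default class.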
... external users can connect to Nettion, it is necessary to allow it in the Nettion Firewall. Create a rule allowing access from Any host (Internet) towards Nettion on the configured server port. Supposing the server is configured on the default port, 1183 UDP, create a service object with this port called "openvpn clients" and create a Firewall rule as shown in Table 15.7.

Table 15.7: Access to OpenVPN Server
Rule: Liberating OpenVPN Server | Origin: Any host (Internet) | Destination: localhost (Nettion) | Service: openvpn clients

Besides the rule allowing clients to connect to Nettion, it is also necessary to release traffic between the allowed local networks and the configured virtual network. See the summary of the necessary rule in Table 15.8.

Table 15.8: Releasing Traffic inside the VPN
Rule: Liberating Traffic Inside VPN | Origin: Virtual Net | Destination: the local networks offered to VPN users | Action: allow

Note: the Virtual Net object corresponds to the IP range established in the OpenVPN server settings (see section 15.9.4).

Starting the OpenVPN Service

Start the OpenVPN server through the menu System > Services. For more information about how to start Nettion services, see topic 14.1.

Client Settings

On Windows client stations, download and install the OpenVPN Client software. Installation on the stations is quite simple and follows the usual software installation procedure for this platform.

Figure (client settings screen): General settings; Status; File for the clients (Download); Connection Name; Default interface eth...
... the error messages screen.

Figure 6.2: Listing of Proxy error messages
Key | Portuguese Message | English Message
err_access_denied | Acesso negado | Access denied
err_cache_access_denied | Acesso negado | Access denied
err_cache_mgr_access_denied | Acesso negado | Access denied
err_cannot_forward | A requisição não pode ser encaminhada para o servidor de origem | Unable to forward the request at this time
err_connect_fail | Falha na conexão | Connection Failed
err_dns_fail | Falha na resolução de DNS | DNS Failed
err_dom_denied | Domínio não permitido | Access denied to this domain
err_enp_denied | URL contém palavra ou expressão não permitida | URL contains forbidden word or expression
err_forwarding_denied | Forwarding negado pelo cache | Forwarding Denied
err_invalid_req | Requisição inválida | Invalid Request
(buttons: Back, Edit, Items)

To edit a message, select it and click the Edit button. In the screen exhibited, alter the message content according to your needs, but without losing the message's real reason. Notice that the message must also be transcribed in English. To finish, click the Save Settings button, as Figure 6.3 below displays.

Figure 6.3: Editing of Proxy Error Messages (fields: Portuguese Message, e.g. "Falha na resolução de DNS"; English Message; Save settings; Items)

6.3 Rules

The proxy rules can be interpreted as sentences (see Figure 6.4); it is the administrator's respons...
... the objects search screen.

Figure 4.5: Objects search screen (Hosts and Networks)

Note: remember that the search screen follows the same operation pattern for every object type; only the fields change according to the selected object.

4.2 Hosts and Networks

In the hosts and networks register the administrator creates the list of IPs that will be used in Nettion's settings. We understand a host as the IP of a specific machine, and a network as an IP that represents a range of IPs. Nettion interprets an object with mask 255.255.255.255 as a host; all others are interpreted as networks. See the example listing of host and network objects in Figure 4.6.

Figure 4.6: Hosts and Networks
Name | Description | IP Address | Mask
DNS_Srv | DNS External Server | 200.200.200.1 |
Int_FTP | Internal FTP | 10.85.9.0 | 255.255.255.0
Intranet | Local Net | 10.85.8.0 | 255.255.255.0
DMZ | DMZ Net | 10.85.12.0 | 255.255.255.0
Po_01 | Workstation 01 | 192.168.0.3 |
(buttons: Back, Import, Add, Edit, Items, Del)

4.2.1 Support of the Hosts and Networks Register

Maintenance of the hosts and networks register follows the pattern established previously (see section 4.1). For hosts and networks the following fields should be filled in, according to the illustration:
- Object: the name to be given to the object. Example: Web Server
- IP Address: the IP address of the host or network. Example: 192.168.1.2
- Mask: the mask of the net...
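The host/network distinction above (mask 255.255.255.255 means one host, anything else a range) is what the firewall rules in Table 15.1 (Chat Server, TCP 5222 from the Intranet), Table 15.7 (openvpn clients, UDP 1183 from Any host) and Table 15.8 (Virtual Net to the local networks) are built on. The following is an added example, not Nettion's code, that models those objects and evaluates the three rules against sample packets the way a first-match rule list is read. All addresses (the Intranet 10.85.8.0/24 from Figure 4.6, Nettion's own 10.85.8.1 and 200.200.200.1, the 172.16.32.0/24 virtual network) and the packets are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetObject:
    """A host or network entry from the Hosts and Networks register."""
    name: str
    ip: str
    mask: str = "255.255.255.255"  # mask 255.255.255.255 means a single host

    @property
    def network(self) -> IPv4Network:
        # strict=False lets "10.85.8.1/255.255.255.0" denote the /24 around it
        return ip_network(f"{self.ip}/{self.mask}", strict=False)

    @property
    def is_host(self) -> bool:
        return self.network.prefixlen == 32

    def contains(self, addr: str) -> bool:
        return ip_address(addr) in self.network


@dataclass(frozen=True)
class NetGroup:
    """Several objects treated as one, e.g. all of Nettion's own addresses."""
    name: str
    members: Tuple[NetObject, ...]

    def contains(self, addr: str) -> bool:
        return any(m.contains(addr) for m in self.members)


@dataclass(frozen=True)
class Service:
    """A service object: protocol plus port."""
    name: str
    proto: str  # "tcp" or "udp"
    port: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto.lower() and self.port == port


@dataclass(frozen=True)
class Rule:
    name: str
    origin: object        # NetObject or NetGroup
    destination: object   # NetObject or NetGroup
    service: Optional[Service]  # None = any service
    action: str = "accept"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.origin.contains(src)
                and self.destination.contains(dst)
                and (self.service is None or self.service.matches(proto, dport)))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "drop") -> str:
    """First matching rule wins, as a firewall reads its list top to bottom;
    anything no rule covers falls to the default (deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


# Constructed objects mirroring the manual's examples (addresses assumed).
ANY_HOST = NetObject("Any host", "0.0.0.0", "0.0.0.0")
INTRANET = NetObject("Intranet", "10.85.8.0", "255.255.255.0")
VIRTUAL_NET = NetObject("Virtual Net", "172.16.32.0", "255.255.255.0")
LOCALHOST = NetGroup("localhost", (NetObject("eth0", "10.85.8.1"),
                                   NetObject("eth1", "200.200.200.1")))
CHAT_SERVER = Service("Chat Server", "tcp", 5222)
OPENVPN_CLIENTS = Service("openvpn clients", "udp", 1183)

RULES = [
    Rule("Chat Server", INTRANET, LOCALHOST, CHAT_SERVER),                   # Table 15.1
    Rule("Liberating OpenVPN Server", ANY_HOST, LOCALHOST, OPENVPN_CLIENTS),  # Table 15.7
    Rule("Liberating Traffic Inside VPN", VIRTUAL_NET, INTRANET, None),      # Table 15.8
]

if __name__ == "__main__":
    for pkt in [("10.85.8.20", "10.85.8.1", "tcp", 5222),
                ("200.200.200.50", "200.200.200.1", "tcp", 5222),
                ("200.200.200.50", "200.200.200.1", "udp", 1183),
                ("172.16.32.6", "10.85.8.50", "tcp", 445)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The second packet shows why the Chat Server rule names the Intranet and not Any host: the same port reached from the Internet is dropped. Note that the OpenVPN rule matches only UDP 1183; a TCP probe on that port does not match the service object and falls to the default.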
... your cache. Another advantage: the software allows you to control network traffic in detail per user, establishing rules and schedules and blocking unwanted sites. With Nettion you can also implement security rules on the access of internet users to the local network, avoiding full exposure to attacks from the internet.
- Through reports and established rules, computer users will make more professional use of the Internet, increasing productivity and reducing the risks associated with IT. The applied rules are flexible, offering limits by user and/or by schedule. System setup is very simple and there is no need for specialized staff. The reports are diversified and intuitive, providing fair and realistic analyses.
- Nettion's Network Intrusion Detection System (NIDS) has records of almost 2,000 intrusion-attempt patterns, which makes it possible to block access by users with bad intentions.
- Another resource Nettion offers is Bandwidth Control, which allows you to establish percentages of link use for webpage access, e-mail traffic, etc., optimizing and guaranteeing that all these services are simultaneously available.
- With Nettion's VPN (Virtual Private Network) you use the internet as a communication path in a secure way, because your data is encrypted before going into the internet communication tunnels. With this feature you can considerably reduce costs with ...
