Netgear STM150 User's Manual

Contents

1. [Figure 5-3: Web Usage report, table of Web site categories] Select the time frame for the Web Usage report, then click View. The at-a-glance table on this page allows you to quickly see which categories of Web sites are getting the most access from your network. 5-4 Monitoring System Performance. v1.1, March 2009. ProSecure Web/Email Security Threat Management Appliance STM150 Reference Manual. Monitoring Security: To view a summary of malware incidents on the network, click Monitoring > Security (Figure 5-4). Spam and malware detected on the SMTP, IMAP, POP3, HTTP, HTTPS, and FTP protocols are listed on this page, in addition to the actions taken on the malicious code. The status of the scanning services is also shown here. The five most frequently detected malware are ranked here, as well as the five most recently detected malware, listed chronologically. Running Diagnostics: The STM150 provides diagnostic tools that help you analyze traffic conditions and the status of the network. Two
2. Insert Warning into Email Subject Line (SMTP): You may insert a tag at the beginning of the email subject line as notification. The tag is customizable, for example, Malware Infected. Select the Insert Warning into Email Subject (SMTP) check box and then type a message for Malware found and No malware found. The default messages are: Malware found: Malware Infected; No malware found: Malware Free. Append Safe Stamp (SMTP & POP3): When there is no malware detected in the mail, you have an option to append a safe stamp at the end of a message. The safe stamp insertion serves as a security confirmation to the mail recipient. The message is customizable. Append warning if attachment exceeds size limit and is not scanned (SMTP and POP3): When an attachment exceeds the scan size limit and is not scanned by the STM150, a warning message will be appended to the original email. Check the box and save your changes to enable. Replace Infected Attachment with Warning Message: If the attachment in the mail is infected, the STM150 will intercept it according to the setting you configured in Email Security > Anti-Virus > Action. You may insert a warning message to inform the mail recipient about the malware as well as the scan actions that the STM150 has taken. The message is customizable; make sur
3. ProSecure Web/Email Security Threat Management Appliance STM150 Reference Manual. NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134 USA. March 2009, 202-10414-02, v1.1. Trademarks: NETGEAR and the NETGEAR logo are registered trademarks and ProSecure is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions: In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice. This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area i
6. 6; Using Reports to Optimize Protection and Performance on page 5-8; Using Online Support on page 5-12. Viewing the System Status: To view system status information, click Monitoring > System Status (Figure 5-1). The at-a-glance table on this page allows you to quickly view the status of important components of the STM150. Information available on this page includes: System Info: Shows component version update information, hardware serial number, and license expiration dates for each type of license. When a license expires, an LED on the STM150 front panel will blink continuously. To stop this, click on the Stop Led Blink button. After this has been clicked, the button will be greyed out until the next time a license expires. Network: Shows the network settings of the STM150. Ports: Shows the MAC address for each interface on the STM150. Using Statistics and Web Usage Data: To view system statistics, click Monitoring > Statistics. The page will auto
8. Network Traffic for Malware: Using the patent-pending stream scanning technology, you can configure the STM150 to scan HTTP, SMTP, POP3, HTTPS, IMAP, and FTP protocols. Unlike traditional batch-based scan engines that need to cache the entire file before they can scan, this scan engine checks traffic as it enters the network, ensuring unimpeded network performance. Protect the Network Instantly: The STM150 is a plug-and-play security solution that can be instantly added to networks without requiring network reconfiguration. Receive Real-time Alerts and Generate Comprehensive Reports: You can configure the STM150 to send out alerts whenever a malware or an outbreak is detected on the network. Real-time alerts can be sent out via email, allowing you to monitor malware events wherever you are. By configuring the STM150 to send out malware alerts, you can isolate and clean the infected computer before the malware incident can develop into a full-blown outbreak. The STM150 also provides comprehensive reports that you can use to analyze network and malware trends. SNMP Support: You can enable and configure the STM150's SNMP settings to receive SNMP traps through a supported MIB browser. Automated Component Updates: Downloading components regularly is the key to ensuring updated protection against new threats. The STM150 makes this administrative task easier by supporting automatic malware pattern, program, and engine updates. Introd
9. To configure scheduled updates: 1. On the menu, go to Administration > Software Update. 2. In Update From, select an update source. The default update source is the NETGEAR update server. If NETGEAR or its authorized reseller provided you with an alternative update source, or if you have set up an update source on the intranet, you can also specify this source by selecting Connect to another update server and then entering the IP address or host name of the alternative update source. 3. If you want the STM150 to check for and update the pattern file only, select the Update signature patterns to check box. If you want the STM150 to update all components, including the pattern file, leave the box unchecked. 4. In Update Frequency, specify how often you want the STM150 to check for and download updates from the update source. You can choose Weekly, Daily, or Hourly. 5. If computers on the network connect to the Internet via a proxy server, select the Use HTTPS Proxy Server check box and then enter the proxy server information and, if applicable, a user name and password. If a firewall is installed on the local network, make sure port 443 is allowed access to the Internet. 6. Click Save Changes. Performing a Manual Update: If you want to immediately check for and download available updates, you can perform a manual update. On the menu, click Update Now near the bottom of
10. Warning: Ignoring this type of note may result in a malfunction or damage to the equipment. Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. Scope: This manual is written for the threat management appliance according to these specifications: Product: ProSecure Web/Email Security Threat Management Appliance STM150; Manual Publication Date: March 2009. For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, Related Documents. Note: Product updates are available on the NETGEAR, Inc. website at http kbserver netgear com products STM 150 asp. Revision History (Manual Part Number, Manual Version Number, Publication Date, Description): 202-10414-01, 1.0, January 2009: First publication. 202-10414-02, 1.1, March 2009: Update to change product name; heuristic scan terminology changed to distributed spam analysis; URL whitelists changed to now be case sensitive; correction of regulatory information; and various edits to improve clarity. Chapter 1 Introduction: This chapter provides an overv
11. address into your MIB browsers. Defining Trusted SNMP Hosts: In Trusted SNMP hosts, type the IP addresses of the computers to which you want to grant GET and SET privileges on the STM150. Only the computers with IP addresses listed here will be able to access the SNMP features of STM150. To define SNMP Traps: In SNMP trap, type the IP addresses of the SNMP management stations to which you want SNMP traps to be sent. Backing Up and Restoring Configurations: The STM150 provides backup and restore features to ensure speedy recovery from system errors or configuration on an additional STM150 appliance with the same language and management software versions. Access the backup and restore functions at Administration > Settings Backup & Restore. The backup feature saves all the STM150 settings to a file. These settings include: Network settings: IP address, subnet mask, gateway, etc.; Scan settings: Services to scan, primary and secondary actions, etc.; Update settings: Update source, frequency, etc.; Anti-spam settings: Whitelist, blacklist, content filtering settings, etc. Tip: You can use a backup file to export all settings to another STM150 appliance that has the same language and management software versions. Remember to change the IP address of the second ST
12. below the Enable check box, enter the file extensions (without the period) that you want to block. Use commas to separate multiple file extensions. The list may contain a maximum of 40 different file types. You can also add entries from a list of predefined file types. For example, if you want to block executable files, select Executables and they will be automatically entered into the list. The predefined file types include the following: Executables: exe, com, dll, so, lib, scr, bat, cmd; Audio and Video: wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, aac; Compressed Files: zip, rar, gz, tar, bz2. Click Reset to clear the block list and to reset the page to its default settings. Chapter 5 Monitoring System Performance: The STM150 provides online support services along with real-time alerts and comprehensive monitoring, reporting, and logging capabilities to ensure that you are able to effectively respond to the latest threats found on the network. This chapter provides information on the available logs and reports and how to view them on the Web interface. Topics discussed include: Viewing the System Status on page 5-2; Using Statistics and Web Usage Data on page 5-3; Monitoring Security on page 5-5; Running Diagnostics on page 5
13. did not follow the instructions in the Installation Guide. Email Security: On this wizard page, enable the network services you want to scan and specify the ports for each, select the scan actions, set the scan exceptions, and configure the maximum file size to scan. Note: Setting the maximum file size to a high value may affect the STM150's performance. The default value is recommended, which is sufficient to detect the vast majority of threats. Tip: To enhance performance, you may disable scanning of any protocols that will be seldom or never used. Be mindful of the difference between user- and server-generated traffic. For example, your mail server may not use IMAP, but some users may configure IMAP clients. Web Security: On this wizard page, enable the network services you want to scan and specify the ports for each, select the scan actions, set the scan exceptions, and configure the maximum file size to scan. Check the Streaming checkbox for an even more transparent user Web browsing experience. Email Notification Server: On this wizard page, type the email address that you want to appear in the notification email as sender. For example, you can type STM150@mydomain.com. Enter the SMTP server host name or IP address. The STM150 will send notification emails
14. may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). MD5: Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing
15. on the Global Settings > Network Setting > Session Limit screen (Figure 3-2). This page allows you to specify the total number of sessions per user (IP) allowed across the router. Session limiting is disabled by default. When session limiting is enabled, the STM150 will set the maximum number of sessions per IP either as a percentage of the maximum sessions or as an absolute number of maximum sessions. To increase the maximum number of sessions per IP, check Yes under Do you want to enable Session Limit. The Percentage of Max Sessions option is computed on the total connection capacity of the device. The Number of Sessions option specifies the maximum number of sessions that should be allowed via the STM150 from a single source machine. Please note that some protocols, like FTP and RTSP, create 2 sessions per connection, which should be considered when configuring session limiting. Enter the new session limit under User Limit. The Session Timeout section allows you to manually define the TCP, UDP, and ICMP timeout values. If a session goes without data flow longer than the configured values, the session will be terminated by the system. The default session timeout of TCP, UDP, and ICMP is 1200, 800, and 8 seconds. Enter the timeout values in their respective fields. Scanning Exclusions: To enhan
16. or a combination of protocols. In Source IP address, enter the origin of traffic that you want to analyze. In Destination IP address, enter the target host for which the traffic is intended. Click Start. You will be prompted to save the downloaded traffic capture to your PC. Select a location to save the file and click OK. A file download will begin. Once you are done, click Stop. The file download will now be complete. Open the file in a network traffic analyzer tool such as Wireshark. Gathering Important Log Information: When you request support, NETGEAR Technical Support may ask you to collect the debug logs and other information from your STM150 appliance. Use the Gather Important Log Information section to export information that can help NETGEAR troubleshoot the appliance. To collect information about your STM150: 1. On the Diagnostics page, click Download Now under the Gather Important Log Information section. A pop-up message appears, prompting you to confirm that you want to download the information file from the STM150. The default file name is importantlog.gpg. 2. Select a download location for the file and then click OK. Your browser downloads the information file to the location you specified. 3. When download is complete, browse to the download location you specified and verify that the file has been downloaded successfully.
17. prompted, enter admin for the User Name and password for the Password (Figure 2-5). Note: When the STM scans secure HTTPS traffic, import its root CA certificate into your browser. Click the link at the bottom of the login screen to download it. 3. Click Login. The default Monitoring > Security page displays (Figure 2-6). Note: During the initial setup, the setup wizard displays when you first log in; afterward, the login takes you to the system status page. The Support tab on the main menu contains links to the online NETGEAR STM150 product documentation and support knowledgebase. Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out. Registering the STM150: To rec
18. [Figure 5-2: Statistics page] The at-a-glance table on the Statistics tab page lets you review the distribution of traffic going through this STM150. Information available on this page includes: Usage: Shows CPU, memory, and disk space usage; Active Connections: Shows the number of active connections for each supported protocol; Traffic Monitor: Shows the status of each network interface and the volume of incoming and outgoing traffic for each interface. To change how often the page refreshes, enter the desired refresh interval in the Poll Interval field and click the Set Interval button. To stop the page from refreshing, click the Stop button. To view Web usage statistics, click Monitoring > Statistics > Web Usage. [Web Usage page: date range selector and category table]
19. server. A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome. Manually entering the date and time. In Time Zone, select the correct time zone. Click Apply. If the time zone has changed, a reboot confirmation will appear. Specifying the Notification Server: For the STM150 to send out alerts, reports, and logs via email, an SMTP server must be specified on the Global Settings > Email Notification Server page. Note: If you do not set a notification server, the STM150 will be unable to send email alerts to you. Note that the same SMTP server will also send you logs and reports. If you do not specify an SMTP server, the STM150 will still generate reports and logs, but it will be unable to send them to you or other members of your organization via email. To specify a notification server: 1. On the menu, go to Global Settings > Email Notification Server (Figure 3-5). 2. In Show as mail sender, type an email address that will appear in the From field when the email is received by recipients. For example, you can type STM150@mydomain.com. 3. In SMTP server, type the host name or IP address of the SMTP server on the network that you want to use. 4. If the SMTP server you specified above requires a user name and password to send mai
20. subject line. Use commas to separate different keywords. Then select the actions for SMTP and POP3 protocols. Available filtering actions include: Block email & log; Log (default). Filter by Password-protected Attachments: Select the actions to take for the SMTP, IMAP, and POP3 protocols when a password-protected file is attached to an email. Currently, the STM150 supports blocking of password-protected ZIP and RAR files. For SMTP, select an action to take on password-protected attachments. Available actions include: Block attachment & log; Block email & log; Log. For IMAP and POP3, select either Block email & log or Log. File Extension: Enter the file extensions that you want the STM150 to filter. Use commas to separate multiple entries. For SMTP, select an action to take on the listed file extensions. Available options include: Block attachment & log; Block email & log; Log. For POP3, select either Block email & log or Log. Filter by File Type: Enter the file names that you want the STM150 to filter, for example net sky exe. Use commas to separate multiple entries. For SMTP, select an action to take on the listed file names. Available options include: Block attachment & log; Block email & log; Log. For IMAP and POP3, select eithe
21. test transmitters in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement: This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling. Additional Copyrights: AES: Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved. TERMS: Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentati
22. the hot fix. To install a hot fix: 1. Obtain the hot fix from Netgear or its authorized reseller. 2. Save the hot fix file on the computer that you are using to access the STM150 Web interface. 3. Log on. 4. Go to Support > Hot Fixes. 5. Browse to the location where you saved the hot fix file and then select it. 6. Click Open. 7. Click Apply to install the hot fix. Sending Suspicious Files to NETGEAR for Analysis: You can report any undetected malware file or malicious email to Netgear for online analysis. The file will be compressed and password protected before sending. On the menu, go to Support > Malware Analysis (Figure 5-8). In Email address, type your email address. Browse to the infected file or mail that you want to send to Netgear for analysis. In Source product model, indicate where the file originated (for example, an email address if received via email) or which product or scan feature (for example, Email or Web Scan) detected the file, if known. In Description (optional), type a description for the file that you are sending, if any. Click Submit. Appendix A Default Setting
23. the page. Applying a Software Update that Requires a Reboot: If a downloaded update requires a reboot, you will be prompted to perform the update upon login to the system. The Critical Update notice shown in Figure 3-13 reads: "There is a critical update available that will need your manual assistance. Package contents: System OS update to version 1.1.0.27 for STM150. This is an important update, it provide some new features for STM150. Recommend to install this update. Release notes for OS version 1.1.0.27 is available on Netgear Website. WARNING: Because this is a critical update, we recommend that you take STM150 offline to perform this maintenance. Please make sure that power will not be unplugged during update. While updating, UI access will be frozen, and the system will automatically reboot after the update finishes successfully." The update notice will provide information about the update, allow you to install it now or install it later, and warn you if the update will reboot the system. Administering Admin Login Timeouts and Passwor
24. user will see Security Alerts in their web browser, as shown in the following figure. This is because the client browser will get a certificate from the STM150 instead of directly from the server. [Figure 4-13: browser Security Alert dialog] During SSL authentication, the client authenticates three items: Is the certificate trusted? Has the certificate expired? Does the name on the certificate match that of the Web site? If one of these is NOT satisfied, a security alert appears in the browser window. If HTTPS scan is enabled, an alert message appears when a user connected to the STM150 visits an HTTPS site. Note that this is not a bug in the STM150; it is a result of HTTPS scanning and the way SSL works. The STM150-generated certificate has the same name and expiration date as the original certificate sent by the server. However, since the certificate was generated by the STM150 and not a trusted certificate authority, the browser will notify the user that the cer
25. via this SMTP server. If the SMTP server requires authentication, select the This server requires authentication check box and then enter the user name and password. Note: A different SMTP port number can be configured under the email notification server settings. Update Settings: The STM150 has four main components, which include a pattern file, the scan engine, operating system (OS) and software. To ensure up-to-date protection against malware, perform updates regularly. The default update frequency is set to hourly, since updates to the pattern file are released on an hourly basis. If the computers on the network connect to the Internet through an HTTPS proxy server, enter the IP address and port number of the proxy server. If a firewall is installed on the local network, make sure that Internet access is allowed via port 443. If the proxy server requires authentication, enter a user name and password. Web Categories: The STM150 lets you choose from a list of Web content categories you can block from being accessed from your network. Check those you wish to block. Apply the Changes: To confirm and apply the STM150 settings that you have configured, click Apply. The STM150 will reboot to apply the updated settings. Verifying the STM150 Installation: Test the STM150 before deploying it in a live production environment. The following instructions walk you through a couple of quick tests designed to ensure th
26. your network uses both port 80 and port 8080, enter both port numbers. This will ensure that the STM150 will scan traffic that is sent and received through a non-standard HTTP port. Configuring Web Malware Scans: If you enabled HTTP or HTTPS scan in Web Security > Policy, you can specify what type of action to take against detected malware. [Figure 4-8] Define the action (Delete file, Log only) and check the Streaming box for each protocol for which you wish to enable streaming. In Scan Exception, set the maximum file size that the STM150 will scan. The STM150 can scan files up to 25,600 KB (25 MB) in size. Note: Setting the maximum file size to a high value may affect the STM150's performance. Netgear recommends setting this value to 8,192 KB (default). In Notification Settings, you may replace a page containing malware with a warning message to inform the user about the malware as well as the scan actions that the STM150 has taken. The message is customizable; make sure to keep the %VIRUSINFO% variable, as this is the place where the STM150 inserts malware information. To replace the original page with warning text, check the Replace Page with
27. [Figure 3-1: network interface settings (Interface, Speed, Duplex, MAC Address)] For other devices connected to the STM150, such as a firewall or a switch, you now have an option to manually change the duplex settings. This feature allows the STM150 to integrate with other devices seamlessly. The default setting is Auto. For example, if the firewall is connected to LAN 1 on the STM150 with the 10M/s connection setting, you may go to the STM150 Web interface and make the changes: go to Global Settings > Network Setting and, under Speed, change the duplex setting for LAN 1. The maximum transmission unit (MTU) is the largest physical packet size that a network can transmit. Packets that are larger than the MTU value will be divided into smaller packets before they are sent, an action that will prolong the transmission process. Most networks have an MTU value of 1500. To minimize transmission delays, ensure that the MTU setting of the STM150 matches your network. Clicking Reset on the Global Settings > Network Setting screen will reset all settings back to their default values (IP 192.168.1.201, MTU 1500, etc.). Enabling Session Limits and Timeouts: You enable session limits and timeouts
28. 150 package. When deciding where to position the STM150, ensure that: It is accessible and cables can be connected easily. Cabling is away from sources of electrical noise; these include lift shafts, microwave ovens and air conditioning units. Water or moisture cannot enter the case of the unit. Airflow around the unit and through the vents in the side of the case is not restricted; provide a minimum of 25 mm or 1 inch clearance. The air is as free of dust as possible. Temperature operating limits are not likely to be exceeded; install the unit in a clean, air-conditioned environment. For information on the recommended operating temperatures for the STM150, refer to Appendix A, Default Settings and Technical Specifications. Using the Rack Mounting Kit: Use the provided mounting kit for the STM150 to install the appliance to a rack. The mounting brackets supplied with the STM150 are usually installed before the unit is shipped out. If the brackets are not yet installed, attach them using the supplied hardware. Before mounting the STM150 in a rack, verify that: You have the correct screws (supplied with the installation kit). The rack onto which you will mount the STM150 is suitably located.
29. 50 can block and delete infected emails or attachments. Simply select the action you wish to take from the drop-down menu. Before configuring the scan options for your network services, make sure you enable scanning of the particular service. In the Email Security > Anti-Virus > Exception page, set the maximum file size that the STM150 will scan. The STM150 can scan files up to 25,600 KB (25 MB) in size. Note: Setting the maximum file size to a high value may affect the performance of the STM150. NETGEAR recommends keeping this value set to the default (8,192 KB). End User Email Notification Settings: To configure the notification options for email scan, go to Email Security > Anti-Virus > Notification Settings on the menu. [Figure 4-2: Notification Settings page] The following options are available on the Notification Settings page:
30. Anti-Spam > Whitelist and Blacklist. 1. Under the Whitelist column, enter the domain name or email address that you want set as a trusted source. 2. Click Apply. To define the blacklist: 1. Under the Blacklist column, enter the IP address or IP address range, domain name, or email address that you want set as a blocked source. 2. Click Apply. Configuring the Real-time Blacklist: On the menu, go to Email Security > Anti-Spam > Real-time Blacklist. [Figure 4-5] Blacklist providers are organizations that collect IP addresses of verified open SMTP relays that may be used by spammers as media for sending spam. These known spam relays are compiled by blacklist providers and are made available to the public in the form of real-time blacklists (RBLs). By accessing these RBLs, the STM150 can block spam originating from known spam sources. By default, the STM150 comes with three pre-defined RBLs: Dsbl, Spamhaus and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. 1. Select which RBL sources you wish to enable under Active. 2. Click Apply. To add a new provider: 1. In the Add Real-time Blacklist section, type the name of the provider under the Provider column. 2. Under RBL Domain Suffix, type the domain name from which the ST
31. Sending Suspicious Files to NETGEAR for Analysis; Appendix A Default Settings and Technical Specifications; Appendix B Related Documents; Index. About This Manual: The NETGEAR ProSecure Web Email Security Threat Management Appliance STM150 Reference Manual describes how to configure and troubleshoot a ProSecure Web Email Security Threat Management Appliance STM150. The information in this manual is intended for readers with intermediate computer and networking skills. Conventions, Formats and Scope: The conventions, formats and scope of this manual are described in the following paragraphs. Typographical Conventions: This manual uses the following typographical conventions. Italic: emphasis, books, CDs, file and server names, extensions. Bold: user input, IP addresses, GUI screen text. Fixed: command prompt, CLI text, code. Italic: URL links. Formats: This manual uses the following formats to highlight special messages. Note: This format is used to highlight information of importance or special interest. Tip: This format is used to highlight a procedure that will save time or resources. A
32. In Subject, accept the default alert subject or create your own. In Outbreak Alerts, configure Outbreak Criteria to define what constitutes an outbreak by specifying the number of malware that must be detected during a specified period of time (in minutes). In Subject, type the email subject that you want to appear in the outbreak alert. In Protocols, select the check boxes for the protocols (services) for which you want to enable the outbreak alert. 3. Click Apply. Configuring SNMP Settings: Simple Network Management Protocol (SNMP) is an application-layer (Layer 7) protocol that is used by network management systems for monitoring the status of network-connected devices. SNMP enables administrators to monitor network performance, identify bottlenecks, and plan for network expansion. The STM150 provides support for report aggregation via SNMP version 1. You can configure it to send SNMP traps to management stations on the network. To configure the SNMP settings: 1. On the menu, click Administration > SNMP. [Figure 3-7] 2. Select the Enable SNMP Yes radio button. In Read community, type the community name that SNMP management stations on the network need to use to retrieve the STM150's SNMP parameters. In Set community write, type the community name that m
33. M150 appliance before deploying it to eliminate IP address conflicts on the network. Backing Up the STM150 Configuration: Back up your STM150 settings periodically and store the backup file in a safe place. To Back Up the STM150 Settings: 1. On the menu, click Administration > Settings Backup & Restore. The Backup and Restore page appears. [Figure 3-8: Backup and Restore page with the browser download dialog for backup.gpg] 2. For the Save a copy of current settings option, click Backup. A dialog box appears showing the file name of the backup file (backup.gpg). 3. Click Save file, and then click OK. 4. Open the folder where you saved the backup file, and then verify that it has been saved successfully. Restoring a Configuration: Use the restore feature to import the STM150 settings that you previously backed up. Warning: Only restore settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the STM150 system so
34. M150 will retrieve the real-time blacklist. 3. Click Add. The message "Configuration saved" appears. To delete a provider: 1. Select the Active check box for the provider that you want to delete. 2. Click Delete on the same row as the provider name that you want to delete. A confirmation message appears. 3. Click OK. The message "Configuration saved" appears. Configuring Distributed Spam Analysis: The STM150 uses a distributed spam analysis architecture to determine whether or not an email is spam for SMTP and POP3 emails. Any email that is identified as spam will be tagged as spam (SMTP and POP3) or blocked (SMTP). Note: Unlike other scans, you do not configure the spam score, because Netgear is doing the scoring automatically as long as the STM is connected to the Internet. If tag spam email is selected, the STM150 will append a spam tag (customizable) in the mail subject. [Figure 4-6: spam tag settings (add tag to mail subject, maximum 32 characters; add tag to mail header)] Note: For the spam analysis to function correctly, the STM150 must be connected to the Internet. To configure distributed spam analysis: 1. On the main menu, go to Emai
35. TM150's primary features as a Web and Email security solution. Real-time Protection: The patent-pending stream scanning technology enables scanning of previously undefended real-time protocols, such as HTTP. Network activities susceptible to latency (for example, Web browsing) are no longer brought to a standstill. Comprehensive Protection: Provides both Web and email security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3 and IMAP. The STM uses enterprise-class scan engines employing both signature-based and heuristic detection to stop both known and unknown threats. Malware database contains millions of signatures of spyware, viruses and other malware. Automatic Signature Updates: Malware signatures are automatically updated on an hourly basis. Critical new signatures are typically deployed hours before they are available from other security vendors. True Appliance: Deploys in-line in a matter of minutes, anywhere in the network. Runs automatically and unobtrusively. Simply set and forget. What Can You Do with an STM150? The STM150 combines robust protection against malware with ease of use and advanced reporting and notification features to help you deploy and manage the device with minimal effort. Here are some of the things that you can do with the STM150: Scan
36. Warning Text checkbox. Customize the warning text. If you wish to present the warning page in HTML format instead of plain text, check the HTML Format checkbox. If you wish to preview the warning page in HTML format, click Preview. Click Reset to reset the page to its default settings (Action: Delete file; Streaming: off; Scan Exception value: 8,192 KB). Configuring Web Content Filtering: To configure Web filtering, go to Web Security > HTTP and HTTPS > Content Filtering. [Figure 4-9] The following options are available on the Content Filtering page. Scan HTML Files: If you wish to scan HTML files, check the Scan HTML Files box. Record HTTP traffic log: If you wish to log all scanned HTTP traffic, check the Record HTTP Traffic Log box. Keep in mind that this will slow down performance. Block Files with the Following Extensions: Select the Block Files with the Following Extensions checkbox. In the box below the Block Files with the Following Extensions check box, enter the file extensions (without the period) that you want to block. Use commas to separate multiple file extensions. The list may contain a maximum of 40 different file types. You can also add entries from a list of predefined file types. For example, if you want to block executable files, select Executables and they will be
37. ach a Kensington lock to prevent unauthorized removal of the unit. 3. Restart: Press to restart the unit; it does not reset the appliance to its factory defaults. 4. Reset: Using a sharp object, press and hold this button for about ten seconds until the front panel Test light flashes to reset the unit to factory default settings. Note: If you reset the unit, all configuration settings will be lost, the default password will be restored, and you will need to re-register the product license. 5. Power socket. Default IP Address, Login Name, and Password Location: Check the label on the bottom of the STM150's enclosure if you need a reminder of the following factory default information. [Figure 1-4: product label on the bottom of the STM150] Choosing a Location for the STM150: The STM150 is suitable for use in an office environment where it can be free-standing or mounted in a standard 19-inch equipment rack. Alternatively, you can rack-mount the STM150 in a wiring closet or equipment room. A mounting kit containing two mounting brackets and four screws is provided in the STM
38. anagement stations need to use to set or write the STM150's SNMP parameters. In Contact (optional), type the name of the person or department responsible for managing the STM150 appliance. In Location (optional), type the physical location of the STM150 appliance. 3. In Trusted SNMP hosts, type the IP addresses of the computers to which you want to grant GET and SET privileges on the STM150. Only the computers with IP addresses listed here will be able to enable or disable services, reboot the STM150, and reset its accumulated statistics. 4. In SNMP trap, type the IP addresses of the SNMP management stations to which you want SNMP traps to be sent. 5. Click Apply. Supported MIB Browsers: After you configure the SNMP settings, the only other thing that you need to do is add the IP address of the STM150 into the management information base (MIB) browsers on which you want to receive the SNMP notifications. Refer to the documentation of your MIB browser for instructions. The following are recommended MIB browsers for receiving the STM150 SNMP notifications: MG Soft SNMP; Net-SNMP (Linux Text); SNMP Browser for KDE. The STM150 MIB structure is automatically downloaded by management stations. You should start receiving notifications after you enable SNMP on the STM150 and add its IP
39. Enabling Remote Management: To enable remote management, go to Administration > Remote Management. [Figure 3-11: Remote Management page] Enter the port number you wish to use. You may enter port 443 or a port ranging from 1024 to 65535. Some ports that may be used by the system, such as 2080, 8081, cannot be used here. Click Apply. Click Reset to reset the port to the default value (443). You can also specify IP addresses or IP address ranges that you want to allow access to the Web interface. Administering Software Updates: The STM150 has four main components: pattern file, scan engine, OS and software. To ensure up-to-date protection against malware, perform updates regularly. [Figure 3-12] The STM150 provides two methods of updating its components: scheduled (automatic) update and manual update. Configuring Scheduled Updates: Enabling scheduled updates ensures that your STM150 automatically gets the latest components from the NETGEAR update server.
40. at your STM150 is functioning correctly. Testing Connectivity: Do the following to verify that network traffic can pass through the STM150: Ping an Internet URL. Ping the IP address of a device on either side of the STM150. Testing HTTP Scanning: If client computers have direct access to the Internet through your LAN, try to download the eicar.com test file from http://www.eicar.org/download/eicar.com. The eicar.com test file is a legitimate DOS program and is safe to use because it is not malware and does not include any fragments of malware code. The test file is provided by EICAR, an organization which unites efforts against computer crime, fraud, and misuse of computers or networks. 1. Log on to the STM150 interface, and then verify that HTTP scanning is enabled. For instructions, see Customizing Email Scanning Settings on page 4-2 and Customizing Web Scanning Settings on page 4-12. 2. Check the downloaded file and note the attached malware information file. What to Do Next: You have completed setting up and deploying the STM150 to the network. The STM150 is now set up to scan the protocols (services) you specified for malware and perform updates based on the configured update source and frequency. If you need to change the settings or to view reports or logs c
41. automatically entered into the list. The predefined file types include the following. Executables: exe, com, dll, so, lib, scr, bat, cmd. Audio and Video: wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, aac. Compressed Files: zip, rar, gz, tar, bz2. Blocked Web Components: Select the corresponding check box to automatically block the type of web component you wish to block. Note that if any check box is selected, the STM150 will block any of that type of web component that it detects, whether malicious or legitimate. Block these web categories: Select the check box(es) of the categories of websites you wish to block. Block Categories Scheduled Days: Here you can configure which days of the week you wish to enable web category blocking. You can select All Days to enable web category blocking every day, or select Specific Days and choose the days of the week when you want to enable web category blocking. Block Categories Time of Day: Here you can configure which times during the day you wish to enable web category blocking. You can select the All Day option to enable web category blocking at all times during the day, or select the Specific Times option and type the time range when you wish to enable the blocking. Replace the Content of Blocked Pages with the Following Text: The Category and URL will be included between the two % marks. Make sure you keep the %CATEGORY% and %URL% tags while modifying the message to automatically include informat
42. ce system performance, you may add trusted hosts or connections to this list. The STM150 will no longer scan these connections, based on the specified hosts or ports. To enter a scanning exclusion rule: 1. On the menu, click Global Settings > Scanning Exclusions. [Figure 3-3] 2. Enter the IP address range in their respective fields. Either the Client IP or the Destination IP can be left blank, depending on what traffic you are excluding. 3. Enter the destination port number in the Port field. 4. Enter a brief description of the rule in the Brief Description field. 5. Click Add. The rule will now appear in the list and be enabled. Check the Enable box to enable or disable the rule. To delete a scanning exclusion rule, click Delete next to the rule you wish to delete. Setting the System Time: Setting the correct system time and time zone ensures that the date and time recorded in the STM150 logs are accurate. Changing the time zone requires a reboot to apply the updated settings. To set the system time: 1. On the menu, click Administration > Time Zone. [Figure 3-4] 2. You can use either the default NTP server or a custom NTP server. Set the system time either by: Using a Network Time Protocol NTP
43. d again under the Retype New Password field. Click Apply. To edit the Guest User Name, from the main menu click Administration > Set Password: 1. Select Edit Guest Settings. 2. Under Guest Settings, type the new user name under the New User Name field. 3. Enter the current password ("guest" is the factory default) under the Old Password field. 4. Click Apply. To edit the Guest Password, from the main menu click Administration > Set Password: 1. Select Edit Guest Settings. 2. Enter the current password under the Old Password field. 3. Enter the new password under the New Password field. 4. To confirm, enter the new password again under the Retype New Password field. 5. Click Apply. You can configure the STM150 to automatically log off any of its Web interface sessions if no activity is detected within a specified period of time. To configure the Web interface timeout, from the main menu click Administration > Set Password. In Session Timeout, under Web Interface Timeout, specify the number of seconds of inactivity after which the Web interface session will be terminated. The default timeout is 600 seconds. Click Apply to save your changes.
44. ds. The STM150 specifies one Administrator account (Admin) and one guest account. You can use this section to change the user name or password for either account and adjust the admin login time setting. [Figure 3-14: Set Password page with Edit Admin Settings, Edit Guest Settings, and Web Interface Timeout (session timeout 600 seconds)] To edit the Admin User Name, from the main menu click Administration > Set Password: 1. Select Edit Admin Settings. 2. Under Admin Settings, type the new user name under the New User Name field. 3. Enter the current password under the Old Password field. 4. Click Apply. To edit the Admin Password, from the main menu click Administration > Set Password: 1. Select Edit Admin Settings. 2. Enter the current password ("password" is the factory default) under the Old Password field. 3. Enter the new password under the New Password field. 4. To confirm, enter the new passwor
45. e Use the following procedure to generate the other log types: 1. To query logs, go to Logs & Reports > Log Query. 2. In Log Type, select the log type that you want to generate. 3. Set the filtering criteria by specifying the date range, protocol, source or destination IP address, or scan action. If you do not set the filtering criteria, all available logs for the selected log type will be displayed. 4. Click Search. Log records that match the criteria you specified are displayed on the Web interface. If you want to save and download the log records to a CSV or HTML file, select the format you wish to download and click Download. Sending Logs: The STM150 can send logs via email and to a syslog server on the network. You can configure both log sending methods by clicking Log & Reports > Email & Syslog. To configure the STM150 to forward logs to a syslog server: 1. Select the Enable check box. 2. In IP Address, type the IP address of the syslog server. 3. In Port, type the port number that the syslog server uses to receive logs. 4. Select the check boxes for the log information that you want to forward to the syslog server. For example, if you want malware and spam logs to be sent, select the Malware logs and Spam logs check boxes. 5. For each log type that you selected, select the facility to use and assign a priority level. 6. Click Apply. To email logs: 1. Select the Enable check box. 2. On the Log Query pa
46. e support key given to you by Netgear into the Support Key field, and then click the Connect button. If the status shows the tunnel status is on, Netgear's support staff will be able to access your STM150 and perform advanced diagnostics. If NETGEAR support cannot access your STM150 remotely, you may be asked to save a log file to your computer and then email it to NETGEAR for analysis. If asked to do so, log into the STM150 Web interface, go to Monitoring > Diagnostics > Gather Important Log Information, and click Download Now. Save the file to a local hard drive and send it by email to NETGEAR support for analysis. Working with Hot Fixes: Netgear may release hot fixes or patches if certain problems are found in any software release. Whenever a hot fix is available, install it immediately to ensure optimum performance of your STM150 appliance. Hot fixes may be released through NETGEAR resellers or on the NETGEAR Web site. The details of installed hot fixes are displayed on the Support > Hot Fixes page. [Figure 5-7] Installed At: The date and time at which the hot fix was installed into the system. Component: The component that the hot fix patches. Base Version: The base software version for a particular hot fix. Hot Fix Name: The name of
47. e to keep the %VIRUSINFO% tag, as this is the place where the STM150 inserts malware information. The following is an example of a warning message that the STM150 can insert: "This attachment contains malware: File 1.exe contains malware EICAR. Action: Delete." Send Warning Email When Malware Is Found: In addition to inserting an alert into the message, the STM150 may send out an email to the sender, the recipient, or both as notification. The subject and message body are customizable. Make sure to keep the %VIRUSINFO% tag so that the malware information will be inserted automatically. Email Content Filtering: The STM150 provides several options for filtering unwanted content in email. You can filter mails based on keywords in the subject, file type, and file name. You can also set an action to perform on emails with password-protected attachments. [Figure 4-3: Email Content Filtering page] Filter by Subject Keywords: Enter the keywords to filter when they appear in the email
48. [Figure 2-1: gateway deployment diagram] In a typical gateway deployment scenario, a single STM150 appliance is installed at the gateway, between the firewall and the LAN core switch, to protect the network against all malware threats entering and leaving the gateway. Installing the STM150 behind the firewall protects it from DoS attacks. [Figure 2-2: server group deployment diagram (firewall, Web/Email Threat Manager, core switch, server group, desktops)] In a server group deployment, one STM150 appliance is installed at the gateway and another in front of the server group. This type of deployment helps split the network load and provides the mail server with dedicated protection against malware, including email-borne viruses and spam. Note: This configuration helps protect the mail server from internal as well as external clients. Segmented LAN Deployment: [Figure 2-3: segmented LAN deployment diagram (firewall, switch, network segments)] In a segmented LAN deployment, one STM150 appliance is installed in fr
49. eive threat management component updates and technical support, you need to register your STM150 appliance. [Figure 2-7] The registration key (see Service Registration Card with License Key(s) on page 1-4) is provided in the product package. If your STM150 is connected to the Internet, you can register it online: 1. Select Support > Registration. The registration page displays. 2. Enter the registration key and contact information. 3. Click Register. 4. Repeat steps 2 and 3 for each key. Use the Setup Wizard to Complete the Configuration: Follow the wizard prompts to configure these settings: Network settings (if these were set earlier, skip this page or update these as needed); set the system time, NTP server, and time zone; configure Email Security settings; configure Web Security; specify the Email notification server to receive logs, alerts, and reports; configure update settings; configure Web category blocking. Follow the guidelines below for completing the Setup Wizard. Setup Wizard Options: For most settings, the default scan options will be the appropriate choices. Also, update the basic network settings only if you
50. ent check box. Show This Message When an SSL Connection Attempt Fails: When the STM150 denies access to an HTTPS web site, it will display an HTML warning message. The URL and reason will be included between the two % marks. Make sure you keep the %URL% and %REASON% tags while modifying the message, so that information about the blocked URL and the reason the connection to it failed is included automatically. You can preview the warning page by pressing Preview. The maximum size for the warning text message is 3 kilobytes. Scripts are not supported. The STM150 CA Certificate: HTTPS is a secure version of HTTP used by Web sites for handling secure transactions. When the STM150 with HTTPS scanning enabled is located between the client and the server, the STM150 breaks the SSL connection into two parts: 1. Client <-> STM150; 2. STM150 <-> Server. When the client makes a request, the STM150 communicates with the server on its behalf. The server then returns a certificate to the STM150 for authentication. Next, the STM150 dynamically generates a certificate of its own and passes it to the client in place of the server's certificate, which means the client sees the STM150-generated certificate rather than the one from the server. Due to the nature of HTTPS scanning and how the certificates are handled, the end
51. Chapter 4: Customizing Scans. This chapter provides information on how to optimize the ProSecure Web/Email Security Threat Management Appliance STM150 scan settings. Topics discussed include: Default Scan Settings; Customizing Email Scanning Settings; Customizing Web Scanning Settings; Configuring FTP Scan. Default Scan Settings: Table 1 lists the default scan and update settings, which work in most settings. Table 1. STM150 Default Settings. Columns: Scan Type | Enabled | Disabled | Default Actions. Rows: HTTP | X | Delete file; POP3 | X | Delete attachment; SMTP | X | Block infected email; FTP | X | Delete file; HTTPS | X; IMAP | X | Delete attachment; Update | X | Check every hour for updated components. Customizing Email Scanning Settings: The Email Security pages allow you to enable and disable scanning of supported network services (protocols), set the scan actions, and configure the maximum file size to scan. [Figure 4-1. Service and Action: SMTP, Block infected email; POP3, Delete attachment; IMAP, Delete attachment.] In the Email Security > Anti-Virus > Action page, set an action that you want the STM150 to perform when it detects a threat. The STM1
52. ettings (continued). Columns: Feature | Default. LAN Connections: MAC Address: Default address; MTU Size: 1500; Ports: 5 AutoSense 10/100/1000BASE-T, RJ-45; LAN IP Address: In-line transparent bridged; Subnet Mask: 255.255.255.0. The STM150 specifications are listed in the table below. Table A-2. STM150 Specifications. Columns: Feature | Specification. Supported Protocols: Data Protocols: HTTP, HTTPS, FTP, IMAP, POP3, SMTP. Power: Worldwide: 100-240V AC, 50/60 Hz, universal input, 1.5 A max. Physical Specifications: Dimensions: 43.5 x 258 x 440 mm (1.7 x 10.2 x 17.3 in); Weight: 3.68 kg (8.1 lb). Environmental Specifications: Operating temperature: 0 to 40 C (32 to 104 F); Storage temperature: 20 to 70 C (4 to 70 F); Operating humidity: 5 to 90% maximum relative humidity, non-condensing; Meets requirements of: RoHS. Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class A, VCCI Class A, CE mark (commercial). Safety: Meets requirements of: UL listed, C-Tick. Appendix B: Related Documents. This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document | Link: Internet Net
53. ftware. To restore the STM150 settings: 1. Copy the backup file to the admin computer. 2. For the Restore saved settings from file option, click Browse and then locate the backup file. 3. Click Restore. Resetting to Factory Defaults: Warning: If you reset the unit, all configuration settings will be lost, the default password will be restored, and you will need to re-register the product license. You can use the default button on the Backup & Restore Settings page to revert to factory default settings, or you can use the reset button on the back of the unit. [Figure 3-9: Reset button.] Use the Reset button to restore the factory defaults. Using a sharp object, press and hold this button for about ten seconds, until the front panel Test light flashes, to reset the unit to factory default settings. Restarting the STM150: Restarting the STM150 will temporarily terminate all network connections that pass through it. Network connection is restored as soon as the restart and startup processes are completed, usually within a minute or two. [Figure 3-10: Restart button.] On the rear panel, press the Restart button. This restarts the unit; it does not reset the appliance to its factory defaults.
54. ge select the type of log to 3. In Send to, type the email address of the log recipient. 4. In Frequency, specify when you want the STM150 to email logs. 5. In Select logs to send, select the check boxes for the log types that you want the STM150 to send via email. 6. In Format, click either Plain Text or CSV. If you want the STM150 to compress the log file before sending, select the Zip the logs to save space check box. 7. In Size, select the Split log size to box and enter a file size in megabytes to split the logs into fragments of the file size entered. 8. Click Apply. The STM150 will email the selected logs based on the schedule you specified. If you want the STM150 to email available logs immediately, click the Send Now button located next to the Send to text box. Using Logs to Identify Infected Clients: In addition to identifying malware that has been detected on the network, you can also use the STM150 logs to help identify potentially infected clients on the network. Clients that are sending out abnormally high volumes of HTTP traffic, for example, indicate possible spyware infection. To identify infected clients that are sending spyware in the outbound traffic, query the STM150 malware logs and see if any of your internal IP addresses are the source of spyware detected at the Inter
55. > Log Management and select the check boxes under Clear the following log information for the logs you wish to purge, then click the Clear Log Information button. Working with Reports: The STM150 provides comprehensive reporting features that enable you to view malware activities on different protocols and the types and volume of traffic entering and leaving the network. The STM150 reports provide the following information: Real-Time Traffic Summary: Shows a graph that indicates the traffic volume for the selected protocols during the report period, the total number of malware instances detected, and the type of malware method used to block the malware. Top Five Malware Detected: Shows the five malware with the highest infection count on the network. Five Most Recent Malware Detected: Shows the last five malware detected on the network. Malware Outbreak Alert: Shows any outbreak alerts that have been sent out during the report period. Protocol-specific Malware Incidents and Traffic Volume: Shows graphs that illustrate the traffic volume and malware incidents during the report period. Send Reports by Email: To specify recipient(s) to receive the STM150 reports, go to Logs & Reports > Scheduled Report and enter the recipient's email address in the field provided. Check the Frequency box to enable report delivery and set a frequency to automatically send reports at the specified times. You can also send a re
56. iew of the features and capabilities of the ProSecure Web/Email Security Threat Management Appliance STM150. It also identifies the physical features of the appliance and the contents of its package. Topics discussed in this chapter include: What is the ProSecure Web/Email Security Threat Management Appliance STM150?; Key Features and Capabilities; What Can You Do with an STM150?; Service Registration Card with License Key(s); Rear Panel Features; Default IP Address, Login Name, and Password Location; Choosing a Location for the STM150. What is the ProSecure Web/Email Security Threat Management Appliance STM150? The STM150 is an appliance-based Web security solution that protects the network perimeter against Web-borne threats from spyware, viruses, email, and blended threats. Ideally deployed at the gateway, it serves as the network's first line of defense against all types of threats, and complements firewalls, IDS/IPS, dedicated intranet security products, and endpoint antivirus/anti-spyware software. Powered by patent-pending stream scanning technology and backed by one of the most comprehensive malware databases in the industry, the STM150 can detect and stop all known spyware and viruses at the gateway, preventing them from reaching your desktops and servers, where cleanup would be much more difficul
57. ion about the blocked URL and which category it was in. You can preview the warning page by pressing Preview. The maximum size for the warning text message is 3 kilobytes. [Figure 4-10] When the STM150 blocks access to a link of a certain blocked web category, it will display an HTML warning message. When the user clicks the Submit URL Categorization button, the STM150 will present a web form that enables the user to submit their categorization request. Content Filter Lookup: To see whether or not a certain URL has been classified by the web category filter, go to Web Security > HTTP and HTTPS > Content Filtering Lookup. Enter the URL in the URL field. Click lookup to query the web category database. Configuring Web URL Filtering: To configure Web filtering, go to Web Security > HTTP and HTTPS > URL Filtering. [Figure 4-11] White List: Select the Enable check box if you want the STM150 to bypass the scanning of a URL listed here. If a URL is in both the white list and the black list, then the white list will take precedence and files from the URL will not be sca
58. ist. Before enabling HTTPS scanning, you may specify which certificate is to be used by the STM150 to handle HTTPS requests. By default, a certificate issued by NETGEAR is used. This certificate can be downloaded from the STM150 login screen for browser import. Click Import to import a certificate of your choice. A password is required for some certificates. Note that the newly imported certificate will overwrite the existing certificate. To import a new certificate used for HTTPS scans: 1. In the Import from File field, click Browse and then select the certificate file. 2. Provide the certificate password. 3. Click Upload. Trusted Certificate Authorities: Trusted certificates are listed here. Click Delete Selected to delete a certificate from the trusted list. Click View Details to view the details of a certificate. Untrusted Certificates: When visiting a site with a certificate that was signed by an untrusted CA, the site will automatically be listed in the Untrusted Certificates section under the Certificates Management page of the STM150 Web interface. After it is added to the list, you will have the option to add it to the STM150's trusted list, delete it from the exception list, or view the details of the certificate.
59. l messages, select the This server requires authentication check box and then type a valid user name and password in the corresponding text boxes. 5. In Send notification to, type the email addresses to which you want to send alerts (for example, admin@company.com). You can send alerts to up to 3 recipients; separate each email address with a comma. 6. Click Save Changes. Customizing Email Alerts: After you set an SMTP server to use for notification, you need to specify the types of alerts that you want the STM150 to send out. The STM150 provides four types of alerts: update failed alert, license expiration alert, malware alert, and outbreak alert. If the update failed alert is enabled, the STM150 will send an email notification to the administrator in the event of an update failure. If the license expiration alert is enabled, the STM150 will send an email notification to the administrator when a license expires. Note: License expiration email notification is sent 45 days prior to expiration and by the second day of expiration. For trial licenses, the notification is also sent 15 days before expiration. If malware alert is enabled, the STM150 will send email alerts for each malware that is detected on the network. Alerts for malware incidents can be customized u
60. l Security > Anti-Spam > Distributed Spam Analysis. 2. In the Distributed Spam Analysis section, check the SMTP and POP3 boxes. You can either Block spam mail or Tag spam email. 3. If you selected Tag spam email, select one or both of the following options: Add tag to mail subject (if this is selected, you can customize the spam tag that is appended in the email subject; the default is SPAM); Add tag X-NETGEAR-SPAM to mail header. 4. Click Apply. Customizing Web Scanning Settings: The STM150 also scans Web (HTTP) traffic for malicious content and performs the specified action, including Delete File, Clean, Audit, or Streaming. [Figure 4-7] To configure Web security, go to Web Security > Policy to select which protocols to scan. Note: Scanning all protocols enhances network security, but it may affect the performance of the STM150. For an optimum balance between security and performance, only enable scanning of the most commonly used services on your network. For example, you can scan FTP and HTTP, but not HTTPS if this last service is not often scanned. If these services use ports other than the standard service ports (for example, port 80 for HTTP), enter these non-standard ports under Ports to Scan. For example, if the HTTP service on
61. must be in .txt format and must be line delimited (one URL per line). Use Notepad or any other text viewer to open the imported file. Click export and save the exported file to your PC. To import a list, click Browse. Select the file you wish to import from, then click the Open button. Click the upload button. If the list exceeds 200 entries after the import, the import will fail. Replace the Content of Blocked Page with the Following Text: When the STM150 blocks a page, you can display a custom warning text instead of the standard access forbidden prompt. The URL will be included between the two % marks. Make sure you keep the %URL% tag while composing the message, so that information about the blocked URL is included automatically. HTTPS Scan Settings: To configure the HTTPS scan settings, go to Web Security > HTTPS Scan > Settings. [Figure residue, readable text only:] HTTP Tunneling: Allow scanning of HTTPS connections through an HTTP proxy, if used. Note: In order to use this, you must add the HTTP proxy server port into the Ports to Scan field under Web Security Policy. HTTPS 3rd Party Website Certificate Handling: When the STM is scanning HTTPS traffic, the client builds trust with the STM and the STM builds t
62. Chapter 2: Provisioning Threat Management Services. Provisioning the STM150 ProSecure Web/Email Security Threat Management Appliance STM150 in your network is described in this chapter. This chapter contains the following sections: Choosing a Deployment Scenario; Use the Installation Guide to Perform Initial Configuration; Registering the STM150; Use the Setup Wizard to Complete the Configuration; Verifying the STM150 Installation; What to Do Next. Choosing a Deployment Scenario: The STM150 is an inline transparent bridge appliance that can easily be deployed to any point on the network without requiring network reconfiguration or additional hardware. The following are the most common deployment scenarios for the STM150. Depending on your network environment and the areas that you want to protect, you can choose one or a combination of these deployment scenarios: Gateway Deployment; Server Group; Segmented LAN Deployment. Gateway Deployment
63. net gateway. Clients generating abnormally high amounts of HTTP traffic may also be infected by spyware or other malware. To query log data that will show this information: 1. On the Log Query page, select Traffic as the log type. 2. Check the HTTP check box and then run the query. 3. On the traffic logs result page, click the Size (Byte) column heading to sort the results in descending order. 4. Check if there are clients that are sending out suspicious volumes of data, especially to the same destination IP address on a regular basis. If you find a client exhibiting this behavior, you can run a query on that client's HTTP traffic activities to get more information. Do this by running the same HTTP traffic query and entering the client IP address in the Source IP text box. Log Management: Generated logs take up space and resources on the STM150 disk. To ensure that there is always sufficient space to save newer logs, the STM150 automatically deletes older logs whenever the total log size reaches 50% of the allocated file size for each log type. This automated log purging takes the burden of managing the size of the STM150 logs off your shoulders and ensures that the latest malware incidents and traffic activities are always recorded. To manually purge selected logs, go to Logs & Reports
64. nned. You can enter a maximum of 200 entries to the white list. To add a URL to the white list, enter the URLs that you want to bypass into the Add URL field and then click add. To delete a URL from the white list, highlight the URLs that you want to remove in the URL field and then click delete. In addition to manually entering URLs one at a time, you may import and export the list. Note that the file to be imported must be in .txt format and must be line delimited (one URL per line). Use Notepad or any other text viewer to open the imported file. Click export and save the exported file to your PC. To import a list, click Browse. Select the file you wish to import from, then click the Open button. Click the upload button. If the list exceeds 200 entries after the import, the import will fail. Blacklist: Select the Enable check box if you want the STM150 to block access to the sites listed here. You can enter a maximum of 200 entries to the black list. To add a URL to the blacklist, enter the URLs that you want to block into the Add URL field and then click add. To delete a URL from the blacklist, highlight the URLs that you want to remove in the URL field and then click delete. In addition to manually entering URLs one at a time, you may import and export the list. Note that the file to be imported
65. Trusted Hosts: To identify trusted hosts, go to Web Security > HTTP and HTTPS > Trusted Hosts. [Figure 4-15. Enable. Note that traffic will not be scanned for hosts in the following list. Hosts; Add Host; Import from File.] Do Not Intercept HTTPS Connections for the Following Hosts: The STM150 will bypass the scanning and certificate authentication of the sites listed. The certificate will be sent directly to the client for authentication, which means that the user will not get a security alert for the sites listed. Note that certain sites contain elements from different HTTPS hosts. For example, if https://example.com contains HTTPS elements from secureserver1.example.com, secureserver2.example.com, and imageserver.example.com, you must add the above-mentioned sites to the host list to completely bypass the scanning of https://example.com. This is because different files from these three hosts are also downloaded when the user attempts to access the HTTPS page My Page. To add hosts to the Host Access Control List: 1. Select the Bypass the following Hosts for HTTPS check box to enable the bypass list. 2. Enter the host name (not the URL) of the server int
66. o the Add Host box and then click Add. Click Apply. To delete hosts from the Host Access Control List: 1. Select the host you wish to delete from the bypass list. 2. Click Delete. 3. Click Apply. In addition to manually entering host names and IP addresses one at a time, you may import and export the list. Note that the files to be imported should be in .txt format, and both the IP addresses and host names are required. Use Notepad or a similar text editor to open the exported file. Configuring FTP Scan: To configure FTP scanning, go to Web Security > FTP. [Figure 4-16] If you enabled FTP scan in Web Security > Policy > FTP, you can specify what type of action to take against detected malware, as well as which file types to block on FTP. Under Action, you can specify what type of action to take against detected malware. You can select Delete file or Log only. In Scan Exception, set the maximum file size that the STM150 will scan. The STM150 can scan files up to 25,600 KB (25 MB) in size. Note: Setting the maximum file size to a high value may affect the STM150's performance. NETGEAR recommends setting this value to 8,192 KB (default). In Block Files with the Following Extensions, select the Enable check box. In the box
67. on and/or other materials provided with the distribution. 3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission. This software is provided "as is" with no express or implied warranties of correctness or fitness for purpose. OpenSSL: Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor
68. onnect to the STM150 Web interface using the IP address you assigned to the STM150 during the preconfiguration process, and then log on. Refer to the succeeding chapters for information on performing additional tasks using the Web interface. Chapter 3: Performing System Management Tasks. This chapter provides information on other tasks that you can perform after setting up and configuring the STM150. This chapter contains the following sections: Modifying System Settings; Backing Up and Restoring Configurations; Resetting to Factory Defaults; Restarting the STM150; Enabling Remote Management; Administering Software Updates; Applying a Software Update that Requires a Reboot. Modifying System Settings: This section covers modifying the settings you initially set in the Setup Wizard or making other system settings changes. Configuring Network Settings: A valid IP address is required for the STM150 to retrieve online updates. It is also needed for access to the STM150 management web GUI. Go to Global Settings > Network Setting to enter the system name and other network settings.
69. ont of each network segment. This type of deployment helps split the network load and protects network segments from malware coming in through the gateway or originating from other segments. Note: In segmented LAN deployment, VLAN is not supported. VLAN traffic cannot pass through the STM150. Use the Installation Guide to Perform Initial Configuration: Use the installation guide to perform the initial configuration of the STM150's basic system settings (for example, IP address, netmask, and DNS) so that it can function on the network. To perform the initial configuration, follow the instructions in the NETGEAR Installation Guide STM150. The installation guide will walk you through connecting the unit and using the setup wizard to complete the initial configuration. After using the setup wizard to complete the initial configuration, you can log in to make additional changes or to monitor the system using the steps below. Logging In to the STM150: Follow these steps to log in to the STM150: 1. Use a browser to connect to https://192.168.1.201. [Figure 2-4] Note: The STM150 factory default IP address is 192.168.1.201. If you changed it, you must use the IP address you assigned it. 2. When
70. port manually at any time by clicking the Send Now button. To save reports: 1. On the menu, click Logs & Reports > Scheduled Report. 2. Select the frequency at which you want the STM150 to save reports: Monthly, Weekly, or Daily. 3. Select the maximum number of reports you want the STM150 to save on the appliance; the maximum number of reports is 12. To download saved reports: Click the Download button next to a previously saved report to download it to your PC. To delete saved reports: Click the Delete button next to a previously saved report to delete it from the STM150. Using Online Support: Online support includes: Remote Troubleshooting; Hot Fixes; Malware Analysis; Content Filtering. Enabling Remote Troubleshooting: To enable remote troubleshooting, go to Support > Online Support. [Figure 5-6] One of the advanced features that the STM150 provides is online support through the support tunnel. With this feature, NETGEAR support staff is able to analyze any difficulty you are experiencing from a remote location. Make sure that ports 443 and 2222 are open on your firewall and that you have the support key on hand. Copy and paste th
71. r Block attachment & log or No Log. Protecting Against Email Spam: The STM150 integrates multiple anti-spam technologies to provide comprehensive protection against unwanted mail. You can enable all or a combination of these anti-spam technologies. The STM150 implements these spam prevention technologies in the following order: 1. Whitelist; 2. Blacklist; 3. Real-time blacklist; 4. Heuristic scanning. This order of implementation ensures the optimum balance between spam prevention and system performance. For example, if a mail is originating from a whitelisted source, the STM150 will deliver the mail immediately to its destination inbox without implementing the other spam prevention technologies, thereby speeding up mail delivery and conserving the STM150 system resources. However, regardless of whether or not an email is whitelisted here, it will still be scanned by the STM150's anti-malware engines. You can configure these anti-spam options in conjunction with content filtering to optimize blocking of unwanted mails. Setting Up the Whitelist and Blacklist: You can define mails that will be accepted or blocked based on the originating IP address, domain, and email address by setting up the whitelist and blacklist. You can also define mails that will be accepted based on the destination domain and email address. The whitelist ensures that mail from listed (trusted) sources and recipients is not mistakenly tagged as spam. Mails going
72. Generate Network Statistics Report: The Network Statistics Report provides the user a detailed overview of the network utilization in the STM150-managed network environment. Users will be able to see what consumes the most resources on the network. On the Monitoring > Diagnostics page, click Generate Network Statistics to send the report to the administrator. Using Reports to Optimize Protection and Performance: Working with Logs; Working with Reports. Working with Logs: The STM150 generates logs that provide detailed information about malware and traffic activities on the network. You can view these logs on the Web interface, save the log records in CSV format, or have them automatically mailed to you. Six types of logs are available: System logs; Traffic logs; Malware logs; Spam logs; Content filter logs; Email filter logs. You can generate or query each log type separately and filter the information based on a number of criteria. Malware logs, for example, can be filtered using the following criteria (other log types have similar filtering criteria): Date range; Protocols; Malware name; Action; Client and server IP addresses. Querying Logs: System logs have their own page on the Web interfac
73. rust with 3rd party websites. If the 3rd party website's certificate is not signed by a trusted CA: Allow the STM to present the website to the client. Show This Message When an SSL Connection Attempt Fails (HTML notification page). Note that scripts are not supported. Note: Use URL to show the URL of the blocked page. Use REASON to display why a page was blocked. Figure 4-12. To configure the HTTPS scan settings, click Web Security > HTTP and HTTPS > HTTPS Settings and set the following options. HTTP Tunneling: Check the box to allow and scan HTTPS connections through an HTTP proxy. Be sure to add the proxy port into the Ports to Scan for the HTTPS protocol in the Policy page. HTTPS Third Party Website Certificate Handling: In addition to the trusted certificates, you have an option to grant access to the certificates that were not signed by a trusted CA. Normally, if the certificate does not satisfy all three points required, the connection will be rejected with an alert message in the browser window. To allow access, select the Allow the STM to present the website to the cli
74. s and Technical Specifications. You can use the reset button located on the rear panel to reset all settings to their factory defaults. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-2 below. • Pressing the reset button for a shorter period of time will simply cause your device to reboot. Table A-1. STM150 Default Configuration Settings (Feature: Default). Login: User Login URL: https://192.168.1.201; Admin User Name (case sensitive): admin; Admin Login Password (case sensitive): password; Guest User Name (case sensitive): guest; Guest Login Password (case sensitive): guest. Management: System Configuration: Web-based configuration and status monitoring; Required Minimum Browser versions: Internet Explorer 5.0 or higher, or Mozilla Firefox 1.0 or higher (Note: When the unit scans secure HTTPS traffic, you must import the root CA certificate into your browser from the STM150 login screen); Time Zone: GMT; Time Adjusted for Daylight Saving Time: Disabled; SNMP: Disabled; Remote Management: Disabled; Administration Console Port: RS232. Table A-1. STM150 Default Configuration S
75. s likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Changes or modifications not expressly approved by Netgear could void the user's authority to operate the equipment. EU Regulatory Compliance Statement: The ProSecure Web/Email Security Threat Management Appliance STM150 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024, and EN60950-1. Confirmation of the Manufacturer/Importer: It is hereby confirmed that the ProSecure Web/Email Security Threat Management Appliance STM150 has been suppressed in accordance with the regulations listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (for example, test transmitters) may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the market, and it is entitled to test the series for compliance with the regulations. Certificate of the Manufacturer/Importer: It is hereby certified that the ProSecure Web/Email Security Threat Management Appliance STM150 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example
76. sets of tools are available: network diagnostic tools and traffic diagnostic tools. Network diagnostic tools provide PING and DNS lookup, while traffic diagnostic tools allow you to perform real-time, per-protocol traffic analysis between specific source and destination addresses, as well as the ability to generate reports on network usage in your network. Using the Network Diagnostic Tools: To use the network diagnostic tools, go to Monitoring > Diagnostics. Figure 5-5. Use PING to check the connection between the STM150 and a specific IP address. Enter the IP address or host name and then click PING. The PING results appear at the bottom of the page. To perform DNS lookup, enter the domain name and then click DNS Lookup. The page refreshes and then the DNS lookup results (domain name and IP addresses) appear at the bottom of the page. Click Restart or Shutdown to restart or shut down the system, which terminates all sessions. Using the Realtime Traffic Diagnostic Tools: 1. In Protocol, select the protocols that you want to analyze. You can select a single
77. sing meta tags to specify the information to include in the alert. Alert information can include malware name, protocol used, date and time detected, etc. If outbreak alert is enabled, the STM150 will send email alerts when a certain number of malware is detected on the network within a specified period. Outbreak alerts can be enabled for all protocols scanned, and you can manually set the outbreak criteria. To enable system administrator email alerts: 1. On the menu, go to Monitoring > Logs & Reports > Alerts. Figure 3-6. 2. Configure the Enable Update Failed Alerts, Enable License Expiration Alerts, Enable Malware Alerts, or Enable Outbreak Alerts check boxes as you prefer. • For Malware Alerts, in Message, use the meta tags to specify the information that will be included in the alert message. The default message includes the %VIRUSINFO% tag, which dynamically inserts information on the malware that has been detected
78. t In addition to scanning HTTP, HTTPS, FTP, SMTP, POP3, and IMAP traffic, the STM150 protects networks against spam, phishing attacks, and unwanted Web use. About Stream Scanning: Stream scanning is based on the simple observation that network traffic travels in streams. The STM150 scan engine starts receiving and analyzing traffic as the stream enters the network. As soon as a number of bytes are available, scanning commences. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts outputting the bytes that have been scanned. This multi-threaded approach, in which the receiving, scanning, and outputting processes occur concurrently, ensures that network performance remains unimpeded. The result is that the time to scan a file is up to five times faster than traditional antivirus solutions, a performance advantage that is easily noticeable to the end user. Stream scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak. Key Features and Capabilities: The STM150 is a true appliance that provides comprehensive protection against malware and uses real-time scanning technology to stop spyware, viruses, and other types of malware at the gateway without stopping the Internet. This section highlights the S
79. this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. PPP: Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. Zlib: zlib.h -- interface of the 'zlib' general purpose compression library
80. tificate is not valid. To prevent these popups, you must add NETGEAR as a trusted root CA in your browser. If client authentication is required, the STM150 may not be able to scan the HTTPS traffic in some cases due to the nature of SSL. SSL has two parts: client and server authentication. Server authentication occurs with every HTTPS request, but client authentication is NOT mandatory and rarely occurs. As a result, whether the request is from the STM150 or the real client is of less importance. However, certain HTTPS servers do require client certificate authentication for every HTTPS request. By the design of SSL, the client needs to present its own certificate rather than using the one from the STM150. The HTTPS scanning process will be affected because of this. Certificate Management: To manage the security certificates that you use with the STM150, go to Web Security > HTTPS Scan > Certificate Management. Figure 4-14. To avoid receiving a warning prompt when visiting a site whose certificate is not trusted, you may add the certificate issuer or root CA to the trusted l
81. to and from these sources and recipients are delivered to their destinations immediately without being scanned by the anti-spam engines. This can help speed up the system and network performance. The blacklist, on the other hand, lists sources from which all mail messages will be blocked. You can enter up to 200 comma-separated entries per list. Note: The whitelist takes precedence over the blacklist, which means that if an email source is on both the blacklist and the whitelist, the email will not be scanned by the anti-spam engines. To define the sender whitelist: On the menu, go to Email Security > Anti-Spam > Whitelist and Blacklist. Figure 4-4. 1. Under the Whitelist column, enter the IP address or IP address range, domain name, or email address that you want set as a trusted source. Note: Whitelist URL entries are case sensitive. Here are some examples: • IP address/IP address range: 10.1.1.5 or 10.1.2.3-35 • Domain name: netgear.com • Email address: admin@netgear.com. Click Apply. To define the recipient whitelist: On the menu, go to Email Security >
82. ublication Part Number: 202-10414-02. Publication Version Number: 1.1. Contents. About This Manual: Conventions, Formats, and Scope. Chapter 1, Introduction: What is the ProSecure Web/Email Security Threat Management Appliance STM150?; About Stream Scanning; Key Features and Capabilities; What Can You Do with an STM150?; Service Registration Card with License Key(s); Front Panel Features; Rear Panel Features; Default IP Address, Login Name, and Password Location; Choosing a Location for the STM150; Using the Rack Mounting Kit. Chapter 2, Provisioning Threat Management Services: Choosing a Deployment Scenario; Gateway Deployment; Server Group; Segmented LAN Deployment; Use the Installation
83. Service Registration Card with License Key(s): Be sure to store the license key card that came with your unit in a secure location. You will need these keys to activate your product during the initial setup and if you ever have to reset the unit back to its factory defaults. Figure 1-1. Front Panel Features: The ProSecure Web/Email Security Threat Management Appliance STM150 front panel shown below includes two groups of RJ-45 connectors and status indicator light-emitting diodes (LEDs), including Power and Test lights. Figure 1-2. 1. Power status 2. Power-on test status 3. USB ports 4. Uplink: switched N-way automatic speed negotiating auto MDI/MDIX Ethernet port 5. Downlink Ethernet ports: four switched N-way automatic speed negotiating auto MDI/MDIX Ethernet ports. Rear Panel Features: The STM150 rear panel functions are described below. Figure 1-3. 1. Console port: To connect to a COM port on a Microsoft Windows or Linux computer; may be used to perform the initial configuration. 2. Kensington Lock: Att
84. version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly (jloup@gzip.org), Mark Adler (madler@alumni.caltech.edu). The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format), and rfc1952.txt (gzip format). Product and Publication Details: Model Number: STM150; Publication Date: March 2009; Product Family: Threat Management Appliance; Product Name: ProSecure Web/Email Security Threat Management Appliance STM150; Home or Business Product: Business; Language: English; P
85. working and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm; Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm; Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm; Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm; Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm. Index. D: default settings; deployment (rack-mounting, testing connectivity, testing HTTP scanning, verifying); deployment scenarios (choosing, gateway, segmented LAN). E: EICAR. F: factory default login; firewall (front panel, rear panel, technical specifications); initial configuration. L: LEDs, explanation of; MIB. N: notification settings. P: package contents; preconfiguration. R: real-time scanning. S: SNMP; stream-based scanning. T: testing (connectivity, HTTP scanning).
