3.11 Terminal Server
4.2.3 Kaspersky Proxy
In this section you can activate the Kaspersky license for the proxy. With this procedure all web accesses made from the browser are filtered by the Anti-Virus running on the proxy, providing effective protection against Trojans, Spyware, Dialers, etc.
After inserting the license, the interface displays the following links (Figure 4.13):
• Update: After the license expires, renew it with a new license file;
• Delete: Removes the license;
• Configure: Provides the general Anti-Virus configuration options;
• Statistics: Interface with specific statistics about the proxy Anti-Virus.
Configure
General settings:
• Notify from the address: Sender that will make the notifications;
• Notify to the address: E-mail address that will receive the notifications.
Figure 4.12: Proxy - Statistics
Figure 4.13: Proxy - Kaspersky - Licence
Object settings:
• Objects to analyse:
– Compressed files;
– Archives;
– Mail databases;
– Plain mail format.
Scan settings:
• Cure: If activated, detected viruses are automatically removed;
• Use heuristic: If activated, viruses can also be detected by analysing code for characteristics and behaviour similar to a virus.
To modify these settings (Figure 4.14), click Modify.
Figure 4.14: Proxy - Kaspersky - General Settings
Statistics
Several statistics are displayed in this interface:
• Virus statistics in period: Options for the graphic displayed in Virus Statistics:
– Start: The starting date for the statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic's horizontal axis;
– Group: Lets you group the data, depending on the chosen view;
• Virus statistics: The display can be filtered by infected or protected files;
• Virus list: Can be ordered by virus name or number of occurrences.
An example can be seen in Figure 4.15.
Figure 4.15: Proxy - Kaspersky - Statistics
4.3 VPN
A VPN (Virtual Private Network) provides remote access from the exterior (e.g. the Internet) to the resources of a defined network.
4.3.1 PPTP
A PPTP (Point-to-Point Tunneling Protocol) VPN works by establishing a PPP session with the peer through a GRE tunnel. A separate control connection, on TCP port 1723, is needed to start and manage the PPP session. In IPBrick's case, you have to indicate which users may use VPN-PPTP connections, as well as the address range that will be assigned to clients.
Configurations
Top Menu Here you have a link to Configurations. This link gives you access to a form where you define the range of IP addresses reserved for VPN connections.
Figure 4.16: VPN - PPTP - Users
Remote clients get an IP address from this range when they connect to IPBrick; it is as if they were connected to the network server with an IP from this range.
Body The user list shown on the left side in Figure 4.16 presents the selected VPN users. On the right side you find the users registered in IPBrick.
Access log
The access log option displays all PPTP accesses. It is possible to filter by:
• IP;
• User;
• Notes:
– Connected;
– Disconnected;
– Wrong password;
– Illegal user;
– Locked;
– Timeout;
• Date.
Options available:
• Clean filters: Clears all the chosen filters;
• Export PDF: Exports all the information to a .pdf file;
• Back: Goes back to the top menu.
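As an added example (not from the IPBrick manual), the following Python script parses constructed PPTP access-log lines built from the note values listed above and flags source addresses that produce a burst of failed attempts, the pattern a defender reviewing this log is looking for. The "date time ip user note" layout is an assumption, since the manual does not show the export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the "date time ip user note" layout is an assumption,
# since the manual does not show the export format of the PPTP access log.
SAMPLE_LOG = """\
2024-03-01 08:02:11 203.0.113.10 alice Connected
2024-03-01 08:40:52 203.0.113.10 alice Disconnected
2024-03-01 09:15:03 198.51.100.7 bob Wrong password
2024-03-01 09:15:21 198.51.100.7 bob Wrong password
2024-03-01 09:15:40 198.51.100.7 admin Illegal user
2024-03-01 09:16:02 198.51.100.7 root Illegal user
2024-03-01 09:16:30 198.51.100.7 bob Locked
2024-03-01 11:00:00 192.0.2.55 carol Timeout
"""

NOTES = {"Connected", "Disconnected", "Wrong password", "Illegal user", "Locked", "Timeout"}
FAILURE_NOTES = {"Wrong password", "Illegal user", "Locked"}
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")

def parse_log(text):
    """Return (timestamp, ip, user, note) tuples; lines with unknown notes are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) in NOTES:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries

def burst_failures(entries, window_minutes=5, threshold=3):
    """Map ip -> largest number of failures seen inside any window_minutes span,
    keeping only IPs that reach threshold (a password-guessing indicator)."""
    times_by_ip = defaultdict(list)
    for ts, ip, _, note in entries:
        if note in FAILURE_NOTES:
            times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > timedelta(minutes=window_minutes):
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```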
4.3.2 IPSec
IPSec (IP Security) is a suite of protocols that ensures confidentiality, integrity and authenticity for data transmitted over an IP network. Whereas the SSL protocol works at the transport layer, IPSec operates at the network layer and consequently encrypts data at that level.
A VPN through PPTP or SSL provides a connection between a single machine and the network. In contrast, a VPN IPSec allows two networks to communicate permanently and transparently. This is accomplished with an IPSec tunnel configured between two IPBricks, or between an IPBrick and a router, providing full configuration transparency to the users of both networks.
Example: the 192.168.2.0 network belongs to the Company X headquarters in Oporto, Portugal, and the 192.168.4.0 network belongs to its branch office in Japan. Both networks need an Internet connection so that their machines can communicate through a VPN IPSec tunnel. With this feature the two networks behave as if they were one.
To configure a VPN connection between two networks you need the appropriate IPSec tunnel configuration on both the origin and the destination IPBrick.
Body After clicking IPSec, the configured IPSec tunnels are displayed in the section body.
Top Menu There is a link named Insert that allows you to add a new IPSec tunnel.
Body On this page you configure the IPSec connection (see Figure 4.17). The following data are required:
• General settings
– Name: VPN IPSec name;
– Description: Description of the IPSec connection;
– State: VPN IPSec state - enable or disable;
• Local Network Definitions
– Local IP: IPBrick external interface address;
– Local network: Local network address and respective IPBrick network mask;
– Local Gateway: Router internal interface address;
– Local Identification: Dynamic DNS address (by default this field should be empty; it is used if the network does not have a fixed public IP);
– Server IP in local network: IPBrick internal interface address.
• Remote network definitions
– Remote IP: Remote public address;
– Remote network: Remote network address and mask;
– Remote Gateway: Remote network router internal interface address (by default, this field should be empty);
– Remote identifier: Dynamic DNS address (by default this field should be empty; it is used if the network does not have a fixed public IP).
• Keys Management
– Password: The Pre-Shared Key (PSK), a secret shared by both ends that the VPN service expects as the first credential (before username and password). The VPN server only lets the authentication process continue when the correct PSK is presented;
– Type: IPSec supports the two operation modes selected in this field: Tunnel (where the original IP packet is encrypted as a whole) and Transport (where the data (payload) is encrypted, but the original IP header is left unchanged);
– Authentication: IPSec adds two extra headers to the IP packet: AH and ESP. AH (Authentication Header) ensures integrity and authenticity, but not confidentiality. ESP (Encapsulating Security Payload) provides data integrity, authenticity and confidentiality;
– PFS (Perfect Forward Secrecy): Enables PFS, which adds additional security to the key exchange;
– Start: Only automatic is available.
NOTE: When an IPSec tunnel is configured, the MTU of the public IPBrick interface is changed to 1400 because of the additional header overhead added by IPSec. If you find LAN problems with web access, change the MTU back to 1500 bytes.
Figure 4.17: VPN - IPSec Configuration 1/2
Router configuration
In the case of a VPN IPSec not between two IPBricks but between an IPBrick and a router, it is important to know, on the router side, all the parameters used by the IPBrick that are not exposed in the web interface. Here are the most important ones:
• Key negotiation protocol: IKE;
• Negotiation mode: Normal;
• Phase 1 encryption algorithm: 3DES;
• Phase 1 authentication algorithm: MD5;
• Phase 2 encryption algorithm: 3DES;
• Phase 2 authentication algorithm: SHA1;
• Key group: DH2.
4.3.3 SSL
A VPN-SSL uses the SSL encryption protocol to ensure data privacy and integrity between the two parties, because the protocol provides data encryption and authentication. SSL is based on the TCP protocol and uses the public key cryptography concept (introduced by Diffie and Hellman in the 1970s).
Figure 4.18: VPN - IPSec Configuration 2/2
This concept specifies that each party has a Private Key and a Public Key; the Public Key can be distributed to the people who want to communicate in encrypted form. Data encrypted with the Public Key can only be decrypted with the corresponding Private Key.
Data encrypted with the Private Key can only be decrypted with the corresponding Public Key.
After clicking on SSL the list of VPN SSL servers is shown. To configure the tunnel you must click on it (Figure 4.19).
Definitions In this section you can configure the definitions of the VPN-SSL network.
• Name/IP: Name or public IP address of the network;
• Port: The port of the VPN server. The default for SSL is 1194;
• Protocol: The transport protocol used in the communication. TCP is more reliable but adds extra overhead;
• VPN Network: The IP network from which clients are given addresses. When a user connects to this VPN server, he gets an IP address in this network. This network must be different from every other IP network in the company;
• Domain: The domain offered to the clients;
• DNS Servers: The DNS server passed to the clients;
• NetBIOS Servers: The NetBIOS server passed to the clients;
• Routes for clients: Sets all the networks that clients must reach through the tunnel.
Figure 4.19: VPN - SSL Settings
NOTE: If you want to use VPN SSL with the same e-mail client configuration that points at the internal mail server, you need to add the VPN Network to the Relay networks definitions in the E-mail section.
Certificates After the Definitions are configured, it is necessary to create the SSL digital certificates. A digital certificate contains the following information:
• Identification of the holder entity;
• Public Key of the holder entity;
• Certificate serial number;
• Certificate validity date;
• Identification of the Certification Authority (the certificate-issuing entity);
• Digital signature of the Certification Authority.
A digital certificate is generated for the server and for each of the clients using the VPN SSL connection. Clicking Insert starts the server certificate generation. You have to fill in the following fields:
• Country Code;
Then you generate the client certificates: you have to insert the certificate name, the client e-mail and a password. The next step consists in downloading the certificate and sending it to the client that will make the VPN connection. The .zip file contains the server and client public keys, the client private key and the VPN tunnel configuration that will be used.
Client
On the client side you have to install the specific software that creates the VPN SSL connection: OpenVPN (software: openvpn.net; Windows GUI: openvpn.se). Then you must uncompress the certificate file into a new directory under
c:\Program Files\OpenVPN\config.
To start the VPN connection, right-click the OpenVPN icon in the tool bar, choose the connection you want and click Connect.
The option Delete All should only be used to restart the whole process.
State
This interface shows the active tunnels and their respective traffic, users and IPs.
After configuring this service you have to activate it in the Advanced Configurations - System Services section. The procedure to configure the VPN client is described in detail in Appendix B.
⇒ Note: Before configuring a VPN connection (PPTP, IPSec or SSL), you have to know the addressing scheme used by the local network where the client connects and the addressing scheme of the destination network. If both networks use the same addressing scheme, the VPN connection will obviously be impossible.
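As an added example (not from the IPBrick manual), the following Python helper checks the precondition in the note above before any tunnel is configured: it reports every pair of overlapping address ranges among the local network, the remote network and, for PPTP/SSL, the client pool and pushed routes. The /24 masks on the manual's 192.168.2.0 and 192.168.4.0 example networks, and the two failing cases, are constructed assumptions.

```python
import ipaddress
from itertools import combinations

def find_overlaps(networks):
    """networks maps a role name to a CIDR string. Returns the (role_a, role_b) pairs
    whose address ranges overlap; an empty list means the VPN can route between them."""
    parsed = {role: ipaddress.ip_network(cidr, strict=False)
              for role, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2) if parsed[a].overlaps(parsed[b])]

def vpn_addressing_ok(networks):
    """True when no two of the given networks overlap."""
    return not find_overlaps(networks)

def colliding_routes(client_lan, routes):
    """Routes pushed to a client (the manual's 'Routes for clients') that collide with
    the client's own LAN; traffic for those networks never enters the tunnel."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [r for r in routes if lan.overlaps(ipaddress.ip_network(r, strict=False))]

# The manual's IPSec example (Oporto headquarters and the Japan branch); the /24
# masks are an assumption, the manual only gives the network addresses.
IPSEC_EXAMPLE = {"Oporto LAN": "192.168.2.0/24", "Japan LAN": "192.168.4.0/24"}

# Constructed PPTP/SSL case: the remote user's home LAN uses the same range as the
# office LAN, which the note above says makes the VPN connection impossible.
CLASHING_CLIENT = {"client LAN": "192.168.1.0/24", "office LAN": "192.168.1.0/24",
                   "VPN client pool": "10.8.0.0/24"}

# Constructed SSL case: the VPN Network handed to clients lies inside an office LAN,
# violating the rule that it must differ from every other company network.
POOL_INSIDE_LAN = {"office LAN": "192.168.1.0/24", "VPN client pool": "192.168.1.128/25"}
```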
4.4 E-mail
The E-mail section is repeated in the two IPBrick modules. IPBrick.I provides services oriented to the Intranet: Base Configuration, Queue Management, User Management, Distribution Lists and Kaspersky Anti-Virus and Anti-Spam. IPBrick.C provides additional services:
• Advanced relay;
• Get Mail from ISP;
• Mail copy.