Copyright © 2001–2004 Stonesoft Corp. All rights reserved. No
part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information
storage and retrieval system, without permission in writing from Stonesoft
Corporation.
Stonesoft Corporation
Itälahdenkatu 22 A
FIN-00210 Helsinki
Finland
Stonesoft Inc.
South Terraces, Suite 1000
115 Perimeter Center Place
Atlanta, GA 30346 USA
Stonesoft Corporation
90 Cecil Street, #13-01
069531 Singapore
Trademarks
The products described in this documentation are protected by one or more of U.S. Patents and European Patents: U.S. Patent No. 6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. Patents, foreign patents, or pending applications.
Stonesoft, the Stonesoft logo, StoneBeat, FullCluster, ServerCluster, StoneGate, and WebCluster are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries.
Sun, Sun Microsystems, the Sun Logo, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Windows, Windows NT, and Microsoft are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. IBM, Redbooks, zSeries and z/VM are trademarks or registered trademarks of the International Business Machines Corporation in the United States and/or other countries. Syntax is a registered trademark of Linotype-Hell AG and/or its subsidiaries.
All other trademarks or registered trademarks are property of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization.
THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS.
IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.
Table of Contents
GETTING STARTED
CHAPTER 1
Using StoneGate IPS Documentation . . . 13
Objectives and Audience . . . 14
Overview of the StoneGate IPS Installation Guide . . . 14
How to Use This Guide . . . 14
Example Network Scenario . . . 14
Typographical Conventions . . . 15
StoneGate IPS Documentation Map . . . 15
Guide Books . . . 16
Support Documentation . . . 16
Contact Information . . . 17
Technical Support . . . 17
Security Related Questions and Comments . . . 17
Product Sales . . . 18
Documentation Comments . . . 18
CHAPTER 2
Quick Start Instructions . . . 19
Requirements for the Installation . . . 20
StoneGate IPS System Components . . . 30
Supported Platforms . . . 30
Checking the File Integrity . . . 31
Checking the Surrounding Network Environment . . . 31
Switch SPAN Ports and Hubs . . . 32
Network TAPs . . . 32
System Installation . . . 32
Example Network Scenario . . . 33
StoneGate Management Center . . . 34
Combined Sensor/Analyzer . . . 35
Sensor Cluster . . . 35
Single Sensor . . . 36
Analyzer . . . 37
Overview to the Installation Procedure . . . 37
INSTALLING THE MANAGEMENT CENTER
CHAPTER 4
Installing the Management Center . . . 41
Installing the Management Center . . . 42
Installing the Solaris Patches . . . 42
Checking File Integrity . . . 42
Installing the Management Center Components . . . 42
Starting the Installation . . . 42
Installing the Management Server . . . 46
Installing the Log Server . . . 48
Installing the GUI Client . . . 52
Non-graphical Installation . . . 54
Uninstalling the Management Center . . . 56
CHAPTER 5
Defining Sensors and Analyzers . . . 59
Starting the StoneGate Management Center . . . 60
Starting the Management Server . . . 60
Starting the GUI Client . . . 60
Installing StoneGate IPS Licenses . . . 62
Starting the Log Server . . . 62
Defining an Analyzer . . . 63
Defining the Network Interfaces . . . 64
Defining Logical Interfaces . . . 66
Defining a Sensor Cluster . . . 67
Defining the Cluster Network Interfaces . . . 68
Defining the Node Specific Properties . . . 71
Adding a Node to the Cluster . . . 73
Defining a Single Sensor . . . 73
Defining the Network Interfaces . . . 74
Defining a Combined Sensor/Analyzer . . . 77
Defining the Network Interfaces . . . 78
Configuring Routing . . . 81
Configuring IP Addressing for NAT . . . 83
Sensor and Analyzer Contact Addresses . . . 84
Management Server Contact Address . . . 86
Log Server Contact Address . . . 88
Installing the Sensor or Analyzer . . . 96
Checking the File Integrity . . . 96
Booting From the CD-ROM . . . 96
Configuring the Sensor or Analyzer . . . 97
Selecting a Configuration Method . . . 97
Configuring the Operating System Settings . . . 98
Configuring the Network Interfaces . . . 100
Contacting the Management Server . . . 102
Installing in Expert Mode . . . 104
Checking the File Integrity . . . 104
Booting From the CD-ROM . . . 104
Partitioning the Hard Disk Manually . . . 105
Allocating Partitions . . . 107
UPGRADING STONEGATE IPS
CHAPTER 7
Upgrading StoneGate IPS . . . 111
Upgrading StoneGate Management Center . . . 112
Checking the File Integrity . . . 112
Obtaining Licenses . . . 112
Upgrading StoneGate Management Center . . . 112
Upgrading the Sensors and Analyzers Remotely . . . 116
Upgrading Sensors and Analyzers Locally . . . 116
APPENDICES
APPENDIX A
Command Line Tools . . . 121
Software and License Information . . . 133
CHAPTER 1
Using StoneGate IPS Documentation
Welcome to Stonesoft Corporation’s StoneGate™ IPS Intrusion Detection and
Response System for Intelligent Analysis. This chapter describes how to use the
StoneGate IPS Installation Guide and related documentation. It also provides directions for
obtaining technical support and how to give feedback about the documentation.
The chapter contains the following sections:
• Objectives and Audience, on page 14
• Overview of the StoneGate IPS Installation Guide, on page 14
• Typographical Conventions, on page 15
• StoneGate IPS Documentation Map, on page 15
• Contact Information, on page 17.
Chapter 1: Using StoneGate IPS Documentation
14
Objectives and Audience
This StoneGate IPS Installation Guide describes step by step how to complete the installation of
the StoneGate Management Center and the StoneGate IPS Sensors and Analyzers.
This Guide is intended for technical staff who administer and implement StoneGate
IPS installations. The tasks are illustrated using an example network scenario.
If you need a more comprehensive explanation of the functionality and operation of
StoneGate IPS, please see the StoneGate IPS Administrator’s Reference. For more
information on other related StoneGate IPS documentation, see section StoneGate IPS
Documentation Map, on page 15.
Overview of the StoneGate IPS Installation Guide
How to Use This Guide
This guide is organized in chapters explaining the StoneGate IPS installation tasks
in a step-by-step format. Each chapter focuses on one area of StoneGate IPS
installation. The chapters are organized following the StoneGate IPS installation steps, as
explained in Overview to the Installation Procedure, on page 37. For detailed information on
managing StoneGate IPS, please refer to the StoneGate IPS Administrator’s Guide.
Example Network Scenario
To illustrate the installation tasks, this Guide uses an example network scenario
presented in section Example Network Scenario, on page 33. The network scenario is also
presented in the front of the book, before the Table of Contents.
Typographical Conventions
The following typographical conventions are used throughout this guide:
In addition, we use the following icons to indicate important or additional information.
Note – Notes provide important information that may help you complete a task.
Caution – Cautions provide cautionary or critical information that you should take
into account before performing an action or implementing a feature.
Tip: Tips provide information that is not crucial, but may still be helpful.
TABLE 1.1 Typographical Conventions
Formatting | Informative Uses
Normal text | This is normal text.
GUI elements | Interface elements (buttons, menus, icons) and any other interaction with the user interface are in bold-face.
References, terms | Cross-references and the described acronyms and terms are in italics.
Command line | File names, directories, and text displayed on the screen are monospaced.
User input | User input on screen is monospaced bold-face.
Command parameters | Command parameter names are in monospaced italics.
StoneGate IPS Documentation Map
Guide Books
The StoneGate IPS Guide books are the primary resource of technical information. The
Guide books provide comprehensive guidelines on using and configuring StoneGate
IPS, as well as descriptions of its operation and features.
To locate the StoneGate IPS Guide that provides the information you need, see Table 1.2.
The StoneGate IPS Guides are available as printed versions in the StoneGate IPS
product kit. The PDF versions are available on the StoneGate IPS CD-ROM and
Stonesoft’s Web site at http://www.stonesoft.com/products/StoneGate/.
Support Documentation
The StoneGate IPS support documentation provides additional and late-breaking technical
information on StoneGate IPS and related issues. These documents are supportive
information resources to be used in conjunction with the StoneGate IPS Guide books.
TABLE 1.2 Description of Guide Books
Guide | Description
Administrator’s Reference | Describes comprehensively the operation and features of StoneGate IPS.
Installation Guide | Demonstrates the steps required for planning, installing, and upgrading a StoneGate IPS system.
Administrator’s Guide | Describes how to configure and manage a StoneGate IPS system. Uses detailed step-by-step examples.
Online Help | Explains the management GUI client’s buttons, fields, etc. (Accessible from the GUI client’s Help menu and by
The support documentation is further divided into several document types. To locate the
support document that provides the information you need, see Table 1.3.
The latest StoneGate IPS support documentation is available on the Stonesoft Web site
at http://www.stonesoft.com/support/.
Contact Information
For general information about StoneGate IPS and Stonesoft Corporation, please visit
our Web site at http://www.stonesoft.com/.
Technical Support
Stonesoft offers global technical support for Stonesoft’s product families. For more
information on the technical support services, please visit the Stonesoft Web site at
http://www.stonesoft.com/support/.
TABLE 1.3 Description of Support Documentation
Documentation | Description
Release Notes | Describe the release specific information. Contains new features, fixes and enhancements, software version information, system requirements, and other StoneGate IPS version specific information.
Technical Knowledge Base | Answers simple recurrent topics concerning StoneGate IPS.
Technical Notes | Describe related technical information not necessarily limited to StoneGate IPS software. For example, related third-party products, technologies, and standards.
Product Sales
For sales questions or other information or comments on the StoneGate IPS product,
please send e-mail to [email protected].
Documentation Comments
Your input is essential in order for the StoneGate IPS documentation to better serve
your needs. Let us know of any errors you find, as well as suggestions for future editions,
comments, etc. by writing to
Stonesoft Corporation
Documentation
Itälahdenkatu 22A
FIN-00210 Helsinki
Finland
CHAPTER 2
Quick Start Instructions
These quick start instructions will guide you through setting up a basic StoneGate IPS
system with a default configuration. For detailed instructions, please see the referred
chapters.
This chapter contains the following sections:
• Requirements for the Installation, on page 20
• Quick Installation, on page 21.
Requirements for the Installation
The prerequisites for this quick installation setup are described below.
TABLE 2.1 Requirements for the Quick Installation
Item | Description
Hardware: Management Center | Two machines with Windows, Linux, or Solaris installed for the Management Server and the Log Server. One NIC required on each machine. The GUI client can be installed on either or both of these machines. (Alternatively, all Management Center components can be installed on the same machine.) See the system requirements in the Release Notes at http://www.stonesoft.com/download/.
Hardware: Sensor | One Intel compatible machine with at least two NICs. (At least three NICs are required if a wire TAP is used.) The Sensor uses an integrated operating system. See the technical requirements at http://www.stonesoft.com/products/StoneGate/Technical_Requirements/.
Hardware: Analyzer | One Intel compatible machine with at least one NIC. The Analyzer uses an integrated operating system. (Alternatively, Sensor and Analyzer can be combined on the same machine.) See the technical requirements at http://www.stonesoft.com/products/StoneGate/Technical_Requirements/.
Network: Ethernet cabling | Ethernet cabling is needed to network the StoneGate Management Center, the Sensor, and the Analyzer for intercommunication.
Network: traffic capturing | One switch SPAN port (port mirroring), a wire TAP device, or a hub is needed for capturing the traffic on the Sensor.
Network: IP addressing | All the machines require an IP address reachable from the connecting StoneGate IPS or Management Center machines. This may require routing if the machines are not in the same network.
Software: StoneGate IPS | The StoneGate IPS and the Management Center software, documentation, and the Release Notes can be ordered on a CD-ROM or downloaded at http://www.stonesoft.com/download/.
Software: latest update packages | The latest dynamic update packages for StoneGate IPS can be downloaded at http://www.stonesoft.com/download/.
License: StoneGate IPS and Management Center | The StoneGate IPS and Management Center evaluation license can be ordered from the Stonesoft License Center at http://www.stonesoft.com/licenses/.
Quick Installation
These instructions will guide you through setting up a basic StoneGate IPS system with a
default configuration. For detailed instructions, please see the referred chapters.
The installation proceeds as follows:
1. Set up the networking environment, on page 21
2. Install the Management Server, on page 22
3. Install the Log Server, on page 22
4. Install the GUI client, on page 23
5. Start up the Management Center, on page 23
6. Define the Analyzer element, on page 23
7. Install the Analyzer, on page 24
8. Define the Sensor element, on page 25
9. Install the Sensor, on page 26
10. Load Dynamic Updates, on page 26
11. Install Policies, on page 27
12. Browse the alerts and logs, on page 27.
▼ Set up the networking environment (Planning StoneGate IPS Installation, on page 29)
1. Select the IP addresses for StoneGate IPS:
TABLE 2.2 IP addresses for StoneGate IPS
StoneGate IPS component | IP Addressing | Notes
Management Server | |
Log Server | |
▼ Install the Management Server (Installing the Management Center, on page 41)
1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Management Server and the GUI
client to be installed on the Management Server machine.
3. Define Management Center superuser account.
4. Define the IP address for the Management Server.
5. Select Install as a service.
6. Complete the Management Server installation.
▼ Install the Log Server (Installing the Management Center, on page 41)
1. Run setup.exe for Windows or setup.sh for Linux/Unix from the StoneGate
Management Center CD-ROM.
2. Select the Custom installation type, and select Log Server from the list.
3. Define the IP address for the Log Server.
4. Define the Management Server’s IP address.
5. Select Certify the Log Server during the installation.
6. Select Install as a service.
TABLE 2.3 Management Server Configuration
Configuration Item | Value | Notes
Superuser account | |
Management Server IP address | |
TABLE 2.4 Log Server Configuration
Configuration Item | Value | Notes
7. In Certificate Generation window, log in with the Superuser account to establish
a connection to the Management Server.
8. Complete the Log Server installation.
▼ Install the GUI client (Installing the Management Center, on page 41)
1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Administration Client Only installation type.
3. Define the Management Server’s IP address.
4. Complete the GUI client installation.
▼ Start up the Management Center (Defining Sensors and Analyzers, on page 59)
1. Start the GUI client and log in with the Superuser account.
2. Import and activate the StoneGate IPS license from the .jar license file.
3. Start the Log Server service from the Windows Control Panel or by running the
init script in Linux/Unix.
▼ Define the Analyzer element (Defining an Analyzer, on page 63)
TABLE 2.5 Analyzer Element Definition
Configuration Item | Value | Notes
Network Interface IP address | |
Default gateway IP address | |
One-time password | |
4. Click Add Interface and define NIC ID 0 with the IP address for the Analyzer.
Select all the following options for the interface:
• Control IP Address – Primary
• Log/Analyzer connection source IP address.
5. Click OK to create the Analyzer element.
6. Create a Router element for the Analyzer’s default gateway.
7. In the Resource Manager Routing view, drag the default gateway Router element
on the Analyzer’s directly-connected network.
8. Drag the Any Network element on the Analyzer’s default gateway Router
element.
9. In the StoneGate Control Panel, right-click on the Analyzer and select Save
Initial Configuration and save it on a floppy disk. Write down the displayed
one-time password for the Analyzer installation.
▼ Install the Analyzer (Installing Sensors and Analyzers, on page 95)
1. Boot up the Analyzer machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration
and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user
password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column.
9. In Prepare for Management Contact, select Switch to initial configuration
and define the IP address and default gateway for the Analyzer (if not
automatically defined).
10. Select Contact Management Server, and type in the Management Server’s IP
address and the one-time password in the initial configuration (if not automatically
defined).
12. In the GUI client Control Panel, double-click on the Analyzer and check that the
Connection field displays “Connected”, indicating a successful initial
configuration.
▼ Define the Sensor element (Defining a Single Sensor, on page 73)
1. In the GUI client, open the Resource Manager by selecting Manage→Resource
Manager from the menu.
2. Create a new Single Sensor element.
3. Select the Analyzer and the Log Server from the drop-down lists.
4. Click Add Interface and select Node Dedicated Interface for the NIC ID 0.
Define the IP address for the Sensor. Select all the following options for the
interface:
• Control IP Address – Primary
• Log/Analyzer connection source IP address.
5. Click Add Interface and select Capture Interface for the NIC ID 1. Select Span
Port mode for a switch or hub, or Wire Tap mode for a wire Tap device. If you
TABLE 2.6 Sensor Element Definition
Configuration Item | Value | Notes
Capture Interface: Capture mode (SPAN or TAP) | |
Capture Interface: NIC ID(s) | |
NDI: NIC ID | |
NDI: IP address | |
NDI: Default gateway IP address | |
One-time password | |
9. Drag the Any Network element on the Sensor’s default gateway Router element.
10. In the StoneGate Control Panel, right-click on the Sensor and select Save Initial
Configuration and save it on a floppy disk. Write down the displayed one-time
password for the Sensor installation.
▼ Install the Sensor (Installing Sensors and Analyzers, on page 95)
1. Boot up the Sensor machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration
and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user
password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column for the same
NIC ID that was defined in the GUI.
9. In Prepare for Management Contact, select Switch to initial configuration
and define the IP address and default gateway for the Sensor (if not automatically
defined).
10. Select Contact Management Server, and type in the Management Server’s IP
address and the one-time password in the initial configuration (if not automatically
defined).
11. Select Install Sensor and complete the installation.
12. In the GUI client Control Panel, double-click on the Sensor and check that the
Connection field displays “Connected”, indicating a successful initial
configuration.
▼ Load Dynamic Updates
1. In the GUI client, open the Dynamic Update Manager by selecting
Manage→Admin Tools.
2. Import the latest .jar update packages by clicking the toolbar icon or by selecting
3. Activate the update packages in numerical order by right-clicking on the package
and selecting Activate.
▼ Install Policies
1. Open the Policy Manager by selecting Manage→Security Policies.
2. Right-click on the default Analyzer policy and select Install. Install the policy on
the Analyzer.
3. Right-click on the default Sensor policy and select Install. Install the policy on the
Sensor.
4. In the GUI client Control Panel, right-click on the Sensor node and select
Command→Go Online to start the traffic inspection.
▼ Browse the alerts and logs
1. Open the Alert Browser by selecting Manage→Logs and Alerts→Alert
Browser.
2. Open the Log Browser by selecting Manage→Logs and Alerts→Log Browser.
For detailed introduction to the StoneGate IPS features and their use, please refer to the
CHAPTER 3
Planning StoneGate IPS Installation
This chapter provides general information about the installation, hardware and software
prerequisites, and other important information to take into account before the actual
StoneGate IPS installation can be performed.
This chapter includes the following sections:
• Important to Know Before Installation, on page 30
• System Components and Supported Platforms, on page 30
• Checking the Surrounding Network Environment, on page 31
• System Installation, on page 32
Important to Know Before Installation
Before you start the installation, you need to plan the site that you are going to
install carefully. Check that your operating system and hardware are supported and familiarize
yourself with the surrounding network components. Please see the StoneGate IPS Release
Notes for further information. When planning the StoneGate IPS installation, see the
StoneGate IPS Administrator’s Reference for detailed information on the operation of
StoneGate IPS.
System Components and Supported Platforms
StoneGate IPS System Components
A StoneGate IPS system consists of the Management Center, one or more Sensors, and
an Analyzer. The StoneGate Management Center consists of the following components:
• the Management Server
• one or more Log Servers
• one or more graphical user interface (GUI) clients.
The StoneGate IPS Sensors and Analyzers can be distributed as follows:
• a combined Sensor/Analyzer with these two components on a single machine.
• a single node Sensor.
• a Sensor cluster which consists of 2 to 16 machines with Sensors called cluster nodes or
nodes for short.
• an Analyzer which is required for the Sensors. An Analyzer located on a combined
Sensor/Analyzer can also be used by other Sensors.
Supported Platforms
For detailed information on the supported platforms, please see the StoneGate IPS
Hardware Requirements available at http://www.stonesoft.com/.
The Sensors and Analyzers have an integrated, hardened Linux operating system and
therefore they require no separate operating system installation. The integrated operating
system simplifies upgrading the Sensors and Analyzers significantly, as they can be
upgraded as a whole without having to separately upgrade the operating system and the
StoneGate IPS software.
Checking the File Integrity
Before installing StoneGate IPS, check the installation file integrity using the MD5 or
SHA-1 file checksums. The checksums can be found on the StoneGate IPS installation
CD-ROM and from the product-specific download page at the Stonesoft Web site at
http://www.stonesoft.com/download/. For more information on the MD5 and SHA-1
algorithms, please see RFC1321 and RFC3174, respectively. The RFCs can be obtained
from http://www.rfc-editor.org/.
Windows does not have MD5 or SHA-1 checksum tools by default, but there are several
third-party programs available.
▼ To check MD5 or SHA-1 file checksum
1. Obtain the checksum from the Stonesoft Web site at http://www.stonesoft.com/download/.
2. Change to the directory that contains the file(s) to be checked.
3. Generate a checksum of the file using the command md5sum filename or
sha1sum filename, where filename is the name of the installation file.
ILLUSTRATION 3.1 Checking the File Checksums
4. Compare the displayed output to the checksum on the Web site.
Caution – Do not use files that have invalid checksums. Contact Stonesoft technical
support to resolve the issue.
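Illustration 3.1 on the page shows md5sum run on the engine image (sg_engine_1.0.0.1000.iso); the comparison in step 4 is then done by eye. The following POSIX shell function is an added example, not part of the Stonesoft guide or its tools. It runs the same coreutils commands as step 3 (md5sum or sha1sum, chosen from the length of the published checksum), compares the computed digest with the published one, and returns a non-zero status on mismatch so the check can stop an unattended installation instead of relying on a visual comparison. The file contents and digests in the demonstration are constructed for this example; the real values come from the download page as described in step 1.

```shell
#!/bin/sh
# Added example: verify an installation file against its published checksum.
# verify_checksum FILE EXPECTED  -> status 0 on match, 1 on mismatch or error.
# The digest algorithm is chosen from the hex length: 32 = MD5, 40 = SHA-1.
verify_checksum() {
    file="$1"
    # Normalise the published value so a difference in case is not reported
    # as a mismatch.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "verify_checksum: cannot read $file" >&2
        return 1
    fi
    case ${#expected} in
        32) actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        40) actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
        *)  echo "verify_checksum: expected 32 (MD5) or 40 (SHA-1) hex digits" >&2
            return 1 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    # Mismatch: print both values so the discrepancy can be reported to support.
    echo "CHECKSUM MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  computed: $actual" >&2
    return 1
}

# Demonstration on a constructed file (not a real StoneGate image). The expected
# values are the MD5 and SHA-1 digests of the six bytes "hello" plus newline.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_checksum "$demo_file" b1946ac92492d2347c6235b4d2611184
verify_checksum "$demo_file" F572D396FAE9206628714FB2CE00F72E94F2258F
rm -f "$demo_file"
```

In a scripted installation the call would be `verify_checksum sg_engine_1.0.0.1000.iso "$PUBLISHED_MD5" || exit 1`, which implements the caution above: a file whose checksum does not match is never used.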
Checking the Surrounding Network Environment
Switch SPAN Ports and Hubs
A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined
port on a switch. This is also known as port mirroring. The capturing is done passively, so
it does not interfere with the traffic. With a hub, no special configuration such as a SPAN
port is needed as all the traffic going through the hub is directed to all ports.
A StoneGate IPS capturing interface can be connected directly to a SPAN port of a
switch. Then, all the traffic to be monitored needs to be copied to this SPAN port. The
SPAN mode capturing interface is also used when connecting the capture interface to a
hub, although using a hub might not be suitable for network performance
reasons.
Network TAPs
A Test Access Port (TAP) is a passive device located on the network wire between network
devices. The capturing is done passively, so it does not interfere with the traffic. With a
network TAP, the two directions of the network traffic are divided onto separate wires. For
this reason, StoneGate IPS needs two capturing interfaces for a network TAP: one
capture interface for each direction of the traffic. The two related capturing interfaces are
handled in StoneGate IPS as one logical interface that combines the traffic of these two
interfaces for inspection.
System Installation
The StoneGate IPS system consists of the Management Center, the Sensors, and the
Analyzers. The StoneGate Management Center (SMC) components can be installed
separately on different machines or on the same machine, depending on your
requirements. The Management Center can manage one or more StoneGate IPS Sensors
and Analyzers. The same SMC can also be used for managing StoneGate firewall and
VPN solutions.
The StoneGate IPS Analyzer can be either installed on a separate machine, or combined
with a Sensor on a single machine as a combined Sensor/Analyzer. The combined Sensor/
Analyzer is mainly aimed at small environments, whereas a separate Analyzer
machine should be used where higher performance is required.
The three basic types of StoneGate IPS Sensor installations are as follows:
• Single Sensor installation. A single Sensor has only one node. It does not support load
balancing or high availability. Instructions on defining a single Sensor element are
covered in Defining a Single Sensor, on page 73.
• Sensor cluster installation. A StoneGate IPS Sensor cluster supports up to 16 nodes
functioning as a single virtual entity. Each node of the cluster uses the same security
policy configuration defined through the GUI client. A cluster can be configured for
dynamic load balancing or as a hot standby solution. Instructions on defining a Sensor
cluster element are covered in Defining a Sensor Cluster, on page 67.
• Combined Sensor/Analyzer installation. A combined Sensor/Analyzer is similar to a
Single Sensor but it also has the Analyzer on the same physical machine. This
installation does not support load balancing or high availability. Instructions on
defining a combined Sensor/Analyzer element are covered in Defining a Combined
Sensor/Analyzer, on page 77.
For more information, please see the StoneGate IPS Administrator’s Reference and the
StoneGate IPS Administrator’s Guide.
Example Network Scenario
Three example Sensor installations are described in this Guide:
• a combined Sensor/Analyzer
• a single Sensor
• a Sensor cluster installation.
The two different Analyzer installations are illustrated with
• a combined Sensor/Analyzer
• an Analyzer on a separate machine.
The network scenario for these installations is based on the example network in
Figure 3.1. The scenario illustration can also be found in the front of the book.
FIGURE 3.1 Example Network Scenario
StoneGate Management Center
The SMC of the example scenario is described in Table 3.1.
TABLE 3.1 SMC in the Example Scenario
SMC Component | Description
Management Server | The Management Server in the Headquarters’ Management Network with the IP address 192.168.10.200. This Management Server manages all the StoneGate IPS Sensors, Analyzers, and Log Servers of the example network.
HQ Log Server | This server is located in the Headquarters’ Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer.
Branch Office Log Server | This server is located in the Branch Office Intranet with the IP address 172.16.2.201. This Log Server receives alerts and log data from the Branch Office Sensor/Analyzer.
GUI client | The GUI client can be at any location where it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple GUI clients in different locations. In this example, the GUI client is located in the Headquarters’ Management Network.
Combined Sensor/Analyzer
In the example scenario, the Branch Office Sensor/Analyzer in the Branch Office network is
a combined Sensor/Analyzer.
TABLE 3.2 Combined Sensor/Analyzer in the Example Scenario
Network Interface | Description
Capture Interfaces | The Branch Office Sensor/Analyzer has two Capture Interfaces that are connected to a network TAP in the Branch Office Intranet: one interface for each direction of the traffic. All the traffic in this network segment is forwarded to the network TAP for inspection.
NDIs | The Branch Office Sensor/Analyzer has one NDI that is connected to the Branch Office Intranet using the IP address 172.16.2.41. This NDI is used for:
• control connections from the Management Server
• sending log data and alerts to the Branch Office Log Server
• TCP connection termination (by the Sensor)
Sensor Cluster
In the example scenario, HQ Sensor Cluster is a cluster located in the Headquarters
network. The cluster consists of two Sensor nodes: Node 1 and Node 2.
TABLE 3.3 Sensor Cluster in the Example Scenario
SMC
Chapter 3: Planning StoneGate IPS Installation
36
Single Sensor
In the example scenario, the DMZ Sensor in the Headquarters DMZ network is a single
Sensor.
NDIs
The NDI on each node is connected to the Headquarters Intranet with Node 1’s IP address 172.16.1.41 and Node 2’s address 172.16.1.42. This NDI is used for:
control connections from the Management Server sending events to the HQ Analyzer
for TCP connection termination.
Heartbeat interfaces
The nodes have heartbeat interfaces connected to the dedicated heartbeat network 10.42.1.0/24 as follows: Node 1 uses the IP address 10.42.1.41 and Node 2 uses the IP address 10.42.1.42.
TABLE 3.4 Single Sensor in the Example Scenario
Network
Interface
Description
Capture Interfaces
The DMZ Sensor’s Capture Interface is connected to a SPAN port in the Headquarters’ DMZ Network. All the traffic in this network segment is forwarded to the SPAN port for inspection.
NDIs
The NDI is connected to the DMZ network using the IP address 192.168.1.41. This NDI is used for:
control connections from the Management Server sending event information to the HQ Analyzer for TCP connection termination.
TABLE 3.3 Sensor Cluster in the Example Scenario (Continued)
Network
Overview to the Installation Procedure
Analyzer
In the example scenario, the HQ Analyzer is located in the Headquarters’ Management
network.
TABLE 3.5 Analyzer in the Example Scenario
Network Interface / Description
NDIs
    The HQ Analyzer’s NDI is connected to the Headquarters’ Management Network using the IP address 192.168.10.61. This NDI is used for:
    • control connections from the Management Server
    • receiving event information from the HQ Sensor Cluster and the DMZ Sensor
    • sending log data and alerts to the HQ Log Server

Overview to the Installation Procedure
This Guide provides step-by-step instructions on how to install the StoneGate Management Center, a combined Sensor/Analyzer, a single Sensor, a Sensor cluster, and an Analyzer. Installation is straightforward, consisting of the following steps:
1. Plan the installation of the StoneGate IPS Sensors, Analyzers, and the Management Center. See Planning StoneGate IPS Installation, on page 29.
2. Configure the physical network environment as planned. See Planning StoneGate IPS Installation, on page 29.
3. Check the integrity of the StoneGate IPS installation files using the file checksums. See Checking the File Integrity, on page 31.
4. Install and configure the Management Center and the GUI client. See Installing the Management Center, on page 41.
5. Define the Sensor and Analyzer elements and other necessary elements in the Management Center. See Defining Sensors and Analyzers, on page 59.
6. Generate the initial configuration for the Sensors and Analyzers. See Saving the
CHAPTER 4
Installing the Management Center
This chapter instructs how to install the StoneGate Management Center components on the supported platforms.
The following sections are included:
• Installing the Management Center, on page 42
• Non-graphical Installation, on page 54
Installing the Management Center
Before you begin installing, you need to log in to the system with the correct administrative
rights to be able to modify certain files. In Windows, you need to log in with
administrator rights. In Linux and Solaris, you have to log in as root to install the
software.
Note – If the operating system is an international (non-English) version of Windows,
there might be some complications with running the Management Center on this
platform. In this case, please contact Stonesoft support.
Installing the Solaris Patches
If you are running the StoneGate Management Center on Solaris, you first need to install
certain patches to Solaris for the Java Runtime Environment (JRE). Requirements and
an explanation of how to install the patches can be found on the Sun Microsystems’ Web
site at http://java.sun.com/j2se/1.3/install-solaris-patches.html.
Checking File Integrity
Before installing StoneGate IPS, check the installation package integrity using the MD5
or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.
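The checksum comparison that this step calls for, written out as a small shell routine (an added example, not part of the guide and not Stonesoft's own tooling). It assumes GNU coreutils sha1sum and a checksum list in the common "hex  filename" layout; the files and digests it builds are constructed for the demonstration.

```shell
# Added example (not from the StoneGate guide): verify an installation file
# against a vendor-supplied SHA-1 checksum list before running setup.
# Assumes GNU coreutils sha1sum and a list in the usual "<hex>  <filename>"
# layout; md5sum works the same way for an MD5 list. All files and digests
# below are constructed for this demonstration.

# verify_package <checksum-list> <package-file>
# Returns 0 when the recorded SHA-1 matches the file, 1 when the digests differ
# or the file has no entry in the list (an unlisted file is not trusted either).
verify_package() {
    list="$1"
    pkg="$2"
    name=$(basename "$pkg")
    expected=$(awk -v f="$name" '$2 == f { print tolower($1); exit }' "$list")
    if [ -z "$expected" ]; then
        echo "REJECT: no checksum listed for $name" >&2
        return 1
    fi
    actual=$(sha1sum "$pkg" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Constructed package directory: one intact file and one altered after the
# checksum list was written (the directory is left in place for inspection).
demo_dir=$(mktemp -d)
printf 'setup payload (constructed)\n' > "$demo_dir/setup.sh"
printf 'JRE payload (constructed)\n' > "$demo_dir/jre.bin"
{
    sha1sum "$demo_dir/setup.sh" | awk '{ print $1 "  setup.sh" }'
    sha1sum "$demo_dir/jre.bin" | awk '{ print $1 "  jre.bin" }'
} > "$demo_dir/sha1sums.txt"
printf 'trailing garbage\n' >> "$demo_dir/jre.bin"   # tampered after listing

verify_package "$demo_dir/sha1sums.txt" "$demo_dir/setup.sh" || echo "stop: do not run setup"
verify_package "$demo_dir/sha1sums.txt" "$demo_dir/jre.bin" || echo "stop: do not run setup"
```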
Installing the Management Center Components
Starting the Installation
The steps described here are the same for the installation of Management Server, Log
Server, and the GUI client.
Note – The Management Center installation requires at least 350 MB of available disk
space in the system’s temporary directory for extracting the installation files.
▼ To start the Management Center installation
1. Insert the StoneGate IPS installation CD-ROM and run the setup executable:
• In Windows, run CD-ROM\Windows\setup.bat.
• In Linux and Solaris Bourne-compatible shells (e.g., sh, ksh):
1.1 If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with “mount /dev/cdrom /mnt/cdrom” and in Solaris with “mount /cdrom”.
1.2 Change to the CD-ROM/Linux/ or CD-ROM/Solaris/ directory according to the platform used.
1.3 Run the command “./setup.sh” to start the installation.
• If you are using Linux or Solaris and want to use the graphical installation, make sure that the X windowing system has been started before launching the StoneGate IPS setup. Alternatively, please see Non-graphical Installation, on page 54.
• In Linux and Solaris, the installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by the root or sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.
2. First, the Java Runtime Environment (JRE) is installed for StoneGate IPS.
ILLUSTRATION 4.1 Accepting the License Agreement
3. Read carefully through the license agreement. To accept the license agreement, select the corresponding radio button and click Next.
ILLUSTRATION 4.2 Defining the Destination Directory
4. Define the directory where the Management Center is installed and click Next.
Note – When installing the server as a service, define a directory path that does not
contain spaces.
TABLE 4.1 Management Server Default Installation Paths
Platform / Default directory
Windows
    C:\Stonesoft\StoneGate\
Linux
    /usr/local/StoneGate/
ILLUSTRATION 4.3 Creating Shortcuts
5. In Windows, select the location for the shortcut icons and click Next. By default,
the shortcut icons are located in Start→Programs→StoneGate.
ILLUSTRATION 4.4 Choosing the Installation Type
ILLUSTRATION 4.5 Selecting the System Components for Installation
7. Illustration 4.5 is displayed for Custom installation. Select the Management Center components to be installed. The components can be on the same machine or on separate machines.
• To install the Management Server, proceed to Installing the Management Server, on page 46.
• To install the Log Server, proceed to Installing the Log Server, on page 48.
• To install the GUI client, proceed to Installing the GUI Client, on page 52.
Installing the Management Server
▼ To install the Management Server
1. Click Next in the installation type selection. A screen like Illustration 4.6 is displayed.
ILLUSTRATION 4.6 Creating a Superuser Account
2. Create the default StoneGate Management Center Superuser account by defining a user name (e.g., “admin”) and password, then click Next to continue.
Note – The account specified here is the only account that can be used to log in to
the Management Center after the installation has finished. More administrator
accounts can be defined in the GUI as explained in the Administrator’s Guide.
ILLUSTRATION 4.7 Configuring the Management Server
4. Enter the IP address of the Alert Server. This is the IP address of the Log Server
you want to use for handling alerts.
5. Click Next to continue.
6. If you want to install the Management Server as a service, select the Install as a service checkbox. When the server is run as a service, it is started automatically and run in the background after the system’s reboot. Otherwise, the server needs to be started manually after every reboot.
7. If you selected that the Log Server is also installed at the same time on the same machine, go to the configuration steps in Installing the Log Server, on page 48.
8. Otherwise, click Next and the Ready to Install window is displayed.
9. Click Install to start the installation.
10. To start the Management Server, please see Starting the Management Server, on page 60.
Installing the Log Server
Before installing the Log Server, the Management Server needs to be installed. This is
required for establishing a trust relationship between the Management and the Log
Server during the Log Server installation by using certificates. If the Log Server is
installed simultaneously on the same machine with the Management Server, the Log
Server certificate is generated automatically.
Note – The screens may differ slightly when installing the Log Server simultaneously
with the Management Server on the same machine.
▼ To install the Log Server
ILLUSTRATION 4.8 Configure Log Server
2. Define the IP address for the Log Server or select the address from the Existing
IP addresses list.
3. Define the Management Server’s IP address in its field. This IP address is used for
contacting the Management Server from the Log Server during normal operation
and when requesting the certificate for the Log Server.
4. Select the Certify the Log Server during the installation checkbox to request a certificate for the Log Server from the Management Server. (The Log Server certificate is generated automatically if installed at the same time with the Management Server.)
• If the Log Server certificate is not retrieved during the installation, the certificate has to be retrieved manually later on. To request a certificate for the Log Server manually after the installation, stop the Server and proceed as follows:
• In Windows, select Start→Programs→StoneGate→Request Log Server Certificate.
• In Linux and Solaris, run the script SG_HOME/bin/sgCertifyLogSrv.sh.
• In the opened authentication window, log in using a Superuser-level StoneGate administrator account, for example, the account created during
and run in the background after the system’s reboot. Otherwise, the server needs
to be started manually after every reboot.
Note – When installing the Log Server as a service, use an installation directory path
that does not contain spaces.
7. Click Next to continue.
ILLUSTRATION 4.9 Defining the Directory for the Log Server Database
8. Specify a directory for the Log Server database. Click Next to continue. If the
defined directory does not exist, you are prompted for accepting the directory to
be created.
ILLUSTRATION 4.10 Logging into the Management Server for the Certificate Generation
9. When the Log Server certificate is requested during the installation, you need to log in to the Management Server using a Superuser privileged account. (If the Log Server is installed simultaneously with the Management Server, continue in Step 10.)
9.1 Type in the user name and the password. Click OK to continue.
ILLUSTRATION 4.11 Checking the CA Certificate Fingerprint
9.2 Compare the presented certificate fingerprint of the Certificate Authority to the certificate’s fingerprint on the Management Server. To check the certificate fingerprint of the Certificate Authority:
• In Windows, select Start→Programs→StoneGate→Show Fingerprint on the Management Server.
• In Linux and Solaris, run the script SG_HOME/bin/sgShowFingerPrint.sh on the Management Server.
9.3 Click Accept Certificate if the fingerprint is correct.
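The comparison in step 9.2 is the only thing standing between the Log Server and a certificate from the wrong issuer, so it is worth doing mechanically rather than by eye. The shell routine below is an added example, not part of the guide and not Stonesoft's tooling; it assumes (the guide does not say) that the installer dialog and the Management Server may display the SHA-1 fingerprint with different case, separators or a "SHA1 Fingerprint=" label, and every fingerprint value in it is constructed.

```shell
# Added example (not from the StoneGate guide): compare the CA fingerprint
# presented by the Log Server installer with the one printed by Show Fingerprint
# / sgShowFingerPrint.sh on the Management Server. It is assumed here, not
# stated by the guide, that the two displays may differ in letter case, in
# colon or space separators, or in a leading "SHA1 Fingerprint=" label, so both
# values are normalized first. All fingerprint values below are constructed.

# normalize_fp <fingerprint>: drop any "label=" prefix and every non-hex
# character, then upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^[^=]*=//' -e 's/[^0-9A-Fa-f]//g' | tr 'a-f' 'A-F'
}

# fingerprints_match <installer-value> <management-server-value>
# Returns 0 only when both normalize to the same 40-hex-digit SHA-1 value.
# An empty, truncated or malformed value never matches, so a blank or
# half-read display cannot be accepted by mistake.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 40 ] || return 1
    [ "$a" = "$b" ]
}

# Constructed values: what the installer shows, what the Management Server
# prints, and a value that differs in its last byte.
installer_fp="ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01"
server_fp="SHA1 Fingerprint=AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01"
rogue_fp="AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:02"

if fingerprints_match "$installer_fp" "$server_fp"; then
    echo "fingerprint verified: safe to click Accept Certificate"
else
    echo "fingerprint mismatch: do not accept the certificate"
fi
```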
ILLUSTRATION 4.12 Log Server Selection
• If the Log Server element is already defined on the Management Server, select Certify again an existing log server and select the Log Server from the list.
• If the Log Server element is not defined on the Management Server, select Create a new log server and type in a name for the Log Server element.
10. To start the Log Server, please see Starting the Log Server, on page 62.
Installing the GUI Client
Multiple GUI clients can be installed for managing StoneGate products. The GUI client
needs to be able to connect to the Management Server. Access to the Log Server is also
needed for managing the logs and alerts.
▼ To install the Administration client
1. If necessary, click Next to continue to the Configure GUI Client window.
ILLUSTRATION 4.13 Configure GUI client
2. Type in the IP address of the Management Server to which the GUI client is going to connect. Click Next to continue.
ILLUSTRATION 4.14 Check the Installation Information
3. The installation summary window is displayed. Click Install to start the
installation.
Non-graphical Installation
In Linux and Solaris, the Management Center can also be installed on the command line.
Before installing the Management Center, check the installation package integrity using
the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.
▼ To run the non-graphical installation
1. Open a Bourne-compatible shell (e.g., sh, ksh).
2. If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with “mount /dev/cdrom /mnt/cdrom” and in Solaris with “mount /cdrom”.
3. Change to the CD-ROM/StoneGate_SW_Installer/Linux/ directory in Linux or in Solaris to the CD-ROM/StoneGate_SW_Installer/Solaris/ directory.
4. Run the command “./setup.sh -nodisplay” to start the installation.
• In Linux and Solaris, the installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by the root or sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted after the uninstallation.
ILLUSTRATION 4.16 Accepting the License Agreement
    DO YOU ACCEPT THE TERMS OF THE LICENSE AGREEMENT? (Y/N)
5. Read the license agreement and accept it by typing “Y” and pressing Enter.
ILLUSTRATION 4.17 Defining the Installation Directory
    Choose Install Directory
    ---
    Select a directory for installing StoneGate.
    This directory path name must not contain space character. Where would you like to install?
    Default Install Folder: /usr/local/stonegate
6. Type the full path for the installation directory or press Enter to install to the default directory.
ILLUSTRATION 4.18 Choosing the Link Location
    Choose Link Location
    ---
    Where would you like to create links?
    ->1 - Default:/StoneGate
      2 - In your home folder
      3 - Choose another location...
      4 - Don’t create links
    ENTER THE NUMBER OF AN OPTION ABOVE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
7. Press Enter to create the StoneGate links in the default directory or select one of the other options.
ILLUSTRATION 4.19 Choosing the Installation Options
    Choose StoneGate Components
    ---
    Please choose the Install Set to be installed by this installer.
    ->1 - Typical
      2- Administration Client Only
      3- Customize...
• To install a Management Server, see Installing the Management Server, on page 46.
• To install a Log Server, see Installing the Log Server, on page 48.
• To install a GUI client, see Installing the GUI Client, on page 52.
10. To proceed with the configuration, reboot the machine or restart the services and continue in Defining Sensors and Analyzers, on page 59.
Uninstalling the Management Center
▼ To uninstall the Management Center in Windows
1. Stop the Management Server, Log Server, and the GUI client on the machine
before you start the uninstallation.
2. Go to Start→Settings→Control Panel→Add/Remove Programs or alternatively run the SG_HOME\uninstall\uninstall.exe program.
3. In the Add/Remove Programs window, select StoneGate from the list of currently installed programs and click the Change/Remove button.
ILLUSTRATION 4.20 Uninstalling the StoneGate IPS Components
4. Click Uninstall to remove the installed StoneGate Management Center
components from the system.
5. The GUI client uses a “.stonegate” directory in the user’s home directory (usually c:\Documents and Settings\username on Windows 2000 and XP, c:\winnt\profiles\username on Windows NT). The directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.
▼ To uninstall the Management Center in Linux and Solaris
1. Stop the Management Center components on the machine before starting
uninstallation.
2. Run the SG_HOME/uninstall/uninstall.sh script.
3. The GUI client uses a “.stonegate” directory in the user’s home directory (usually /home/username in Linux or Solaris). This directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.
Uninstalling in Non-graphical Mode
You can also uninstall the Management Center in a non-graphical mode in Linux and
Solaris.
▼ To uninstall in non-graphical mode
1. In Linux and Solaris Bourne-compatible shells (e.g., sh, ksh), change to the SG_HOME/uninstall/ directory.
2. Run the command “./uninstall.sh -nodisplay”.
• In Linux and Solaris, the sgadmin account is deleted during the uninstallation.
3. The GUI client uses a “.stonegate” directory in the user’s home directory (in Linux and Solaris, usually /home/username). The directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.