CyberGuard Firewall Version 6.2
Quick Start Guide
FW006-000 August 2005
Copyright 2005 by CyberGuard Corporation. All rights reserved. This publication or any part thereof may not be reproduced for any reason in any form without the written permission of the publisher.
This publication or any part thereof is intended solely for use with CyberGuard Corporation products by CyberGuard Corporation personnel, customers, and end-users.
The information contained in this document is believed to be correct at the time of publication. It is subject to change without notice. CyberGuard Corporation makes no warranties, express or implied, concerning the information contained in this document. To report an error or comment on a specific portion of the manual, photocopy the page in question and mark the correction or comment on the copy. Mail the photocopied page (and any additional comments) to CyberGuard Corporation, 350 SW 12th Avenue, Deerfield Beach, FL 33442. Mark the envelope “Attention: Publications Department.”
CyberGuard is a registered trademark of CyberGuard Corporation. Linux is a registered trademark of Linus Torvalds in several countries. UNIX is a registered trademark of The Open Group.
Printed in the U.S.A.
Revision History (Level, Description, Effective With)
Contents
1 PURPOSE ... 4
2 NETWORK DESIGN ... 4
3 INSTALLATION... 5
3.1 Firewall Appliance ... 5
3.2 FWINIT Diskette ... 5
3.3 Network Cabling ... 7
4 BASIC CONFIGURATIONS ... 8
4.1 Login to the System ... 8
4.2 Install a Permanent License Key... 8
4.3 Configure Dynamic Network Address Translation (NAT) ... 9
4.4 Configure Static Routes ... 14
4.4.1 Create Endpoint ... 14
4.4.2 Create a Static Route... 15
4.5 Enable DNS... 15
4.6 Packet-Filtering Rules ... 16
4.7 Create Packet-Filtering Rules ... 16
4.7.1 SSH Rule ... 17
4.7.2 echo/icmp Rule ... 18
4.7.3 Server Rules... 18
4.8 Configure Proxies... 21
4.8.1 Enable the FTP Proxy ... 21
4.8.2 Enable the HTTP Proxy ... 22
4.8.3 Enable the Circuit Proxy ... 24
4.8.4 Enable the SMTP Proxy ... 24
4.9 Binary Log Management ... 26
4.10 Functionality Testing ... 28
4.11 Backup the System ... 28
4.11.1 Save Configuration to a Remote Server ... 28
4.11.2 Save Configuration to a PC ... 29
4.12 Configuration Tracking... 29
5 BEST PRACTICES ... 30
5.1 Alerts... 30
5.2 User Accounts ... 31
5.3 User Blacklisting ... 31
6 FINAL CONSIDERATIONS... 31
6.1 Demilitarized Zone (DMZ) ... 31
6.2 Security ... 31
6.3 Archives ... 32
6.4 Training... 32
6.5 Support... 32
6.6 Warranty ... 32
1 PURPOSE
A firewall is one of the most critical systems in a network infrastructure. Extreme care and attention to detail must be used to ensure that it is implemented correctly. This document, which is designed to supplement the CyberGuard Firewall Installation and Setup Guide and the online help, will help you during the initial installation and configuration of your CyberGuard Firewall appliance. It steps you through basic configuration in chronological order, provides some hands-on examples, and suggests best-practice configurations; it can also be used as a configuration standard template to provide a baseline for auditing. VPN and HA configurations are outside the scope of this document. This document is not intended to replace CyberGuard manuals or training courses. It is important to understand the configurations at a granular level in order to accomplish new configurations and troubleshoot outages.
2 NETWORK DESIGN
A firewall protects internal network(s) from external networks. Firewalls are typically used in the following two ways:
• An external barrier between the Internet and private networks.
• A separator between an organization’s internal networks (such as offices in different departments or different regions).
By default, no traffic will pass through a CyberGuard firewall. The administrator must define internal and external networks and configure rules to permit authorized traffic to pass. In preparation for installation, the firewall administrator should have a network diagram and the network security policy document available for reference.
The network diagram (figure below), which is referred to throughout this document, includes a stand-alone firewall supporting external, internal, and DMZ networks. A network security policy defines monitoring rules and basic user access. The network and security requirements of each site are unique. The specific network layout and firewall rules included in this document are for educational purposes only.
Figure: network diagram. Cloud (Internet); Router, the default gateway, 192.168.1.50; Firewall A with DNAT address 192.168.1.1; Firewall B with DNAT address 192.168.1.2; Private Network behind Firewall A (10.0.1.1) with Client 1 at 10.0.1.11; Private Network behind Firewall B (10.0.2.1) with Client 2 at 10.0.2.21; DMZ Network on Firewall A (172.16.1.1) with Web Server 172.16.1.11, Mail Server 172.16.1.12, and FTP Server 172.16.1.13.
You may replace the IP addresses shown with your existing network IP addresses. If you do so, be sure to notate each change so when a name or IP is referenced, you know what your replacement should be.
3 INSTALLATION
CyberGuard firewalls are shipped with the operating system and firewall software fully installed. You mount the firewall appliance in an appropriate racking system and initially configure your system using either an FWINIT file or the Get Started Wizard. We use the fwinit file in this guide; if you prefer to use the Get Started Wizard, refer to the Firewall Installation and Setup Guide.
3.1 Firewall Appliance
1) Secure the firewall in a rack with CyberGuard provided hardware (if applicable).
2) Connect the keyboard, mouse, video, and power cables.
3) Label networking cables in preparation for future hardware replacement or outage troubleshooting. They will be connected to the firewall once it is configured.
3.2 FWINIT Diskette
To make the FWINIT diskette, you’ll need a blank diskette and knowledge of the IP addresses on your network before you create the fwinit file.
1) Create the FWINIT diskette as follows:
a) Insert the CyberGuard Firewall CD-ROM into a workstation running Microsoft Internet Explorer version 6.x or higher.
b) Copy the fwinit folder to the desktop.
WARNING: The CyberGuard Firewall CD-ROM will overwrite any Intel based system upon reboot. Do not leave the CD-ROM unattended in your workstation.
c) Remove the CD-ROM from your workstation.
d) Open the FWINIT folder and click FWINIT.HTM.
NOTE: The Help link, located in the upper right corner of the page, provides detailed descriptions of each option.
e) Address the following options, which are the minimum requirement:
i) Leave Configure this node as a secondary node in High Availability mode unchecked. In our scenario, the system will be in a stand-alone configuration.
ii) Select your Firewall Appliance.
iii) Select your Model.
iv) Enter your Firewall Host Name. Do not use an underscore as part of a host name, as underscores are not supported in DNS. We recommend using all lowercase characters.
v) Enter your Domain Name.
vi) Configure the firewall’s network interfaces from your network diagram:
• A firewall needs at least two interfaces to function. In our fwinit configurations, es0p0 is the external interface and es0p1 supports the internal network.
• In the Name field, use the fully qualified domain name for each interface.
• Enter your Subnet Mask Length; use the calculator if you’re not sure what
vii) Enter the Administrative User who will have full system administration privileges.
viii) Enter the Password and Password Confirmation for your administrator.
ix) In our example, the Default Route IP, or the default gateway, would be the router.
x) Select the Device name that will contain the Management Interface; in our example it is es0p1, which is the internal network.
xi) Enter the Manager IP address for your Management Interface.
xii) The Manager Route IP is only necessary if your manager is on a different network from your firewall.
xiii) Select your Time Zone.
xiv) You may insert your licensing information now or you may do it later, as described in this document.
f) Click the Submit button at the bottom of the page. A new browser window opens that contains the configuration file in text format.
NOTE: If the browser window opens to a blank page, click the Refresh button.
g) Insert a blank 3½ inch diskette into the workstation and save the configuration file as per the instructions in the file.
2) Insert the diskette into the firewall and power it on.
NOTE: If configuration fails, take the diskette back to your workstation, delete the generic.done file from it, edit the configuration file appropriately, put the diskette back into the firewall, and reboot.
3) When the login prompt appears, remove the diskette.
After the firewall is up and running, you may obtain additional configurations, such as licensing, central authentication, and remote configuration.
3.3 Network Cabling
Instead of referring you to another document for the physical layout of your network interfaces, we’ll reset the default system passwords and use the mii-tool command to determine them. This will take less time and familiarize you with one of the firewall’s diagnostic commands.
1) Attach an active network cable to one of the firewall’s ports. The other end must be connected to a network device (such as a router or switch).
2) At the system console, login as the administrative user.
3) Type the following command to list the network interfaces:
/sbin/ifconfig -a | more
4) Find the first occurrence of HWaddr (example: 00:07:E9:24:9F:1C) in the ifconfig output, and notate the last eight characters (case sensitive with no colons). These eight characters will be the fwadmin password.
5) Use ONE of the following two options to determine which network interface the cable is connected to:
a) If you choose to use the diagram found in the fwinit, do as follows:
i) Click the fwinit.htm file.
ii) Select the appropriate Firewall Appliance and Model.
iii) Click the Help button, scroll down and locate your firewall model, then click the thumbnail of the network port diagram.
b) If you choose to use the mii-tool command from the system console, do as follows:
i) Type su – root and enter your root password.
ii) Type /sbin/mii-tool
iii) Observe the display and label the identified port with the appropriate label provided with your system.
iv) Plug the cable into another port and run the mii-tool command again until you’ve identified every port.
NOTE: While performing the next steps, ensure that each cable distinctly clicks as it is inserted.
6) Connect the external network cable to the es0p0 interface.
7) Connect the internal network cable to the es0p1 interface.
4 BASIC CONFIGURATIONS
Remember that all the IP addresses and server names used in the following procedures may be replaced with those from your actual network.
4.1 Login to the System
You may access the system either remotely or via the firewall console.
1) If you are logging in remotely, do the following:
a) Go to your management server defined in your fwinit file and use a web browser to connect to the appropriate interface IP address over port 9443 using SSL. Refer below for an example:
https://<firewall_ip_address>:9443/index.jsp
b) Login as the administrative user defined in your fwinit file.
c) When prompted, reset your password.
2) If you are logging in on the firewall console, do the following:
a) At the console login prompt, use the user name and password you defined in your fwinit file.
b) When prompted, reset your password.
c) Launch a Firefox browser by typing startx.
d) When prompted, select Accept this certificate permanently, and click OK.
e) When the Security Error: Domain name Mismatch dialog displays, click OK.
f) When the Security Warning dialog displays, click OK.
4.2 Install a Permanent License Key
The firewall has been installed with a 30-day license. After 30 days, it will no longer pass any traffic. To obtain a permanent license key, do the following:
1) Gather the following information:
a) Software Serial Number: Refer to the CyberGuard Order Fulfillment e-mail. The software serial number begins with a capital letter “C”.
b) License Password: The license password can also be found in the order fulfillment e-mail or you may call the support team (888-411-2924 or 954-958-3898).
c) Hardware ID: The hardware ID can be found via the top menu bar Control tab, Firewall > License Product.
2) Go to the product registration page, located at https://support2.cyberguard.com/registration/index.asp, and do the following:
a) In the Serial Number field, enter the firewall’s software serial number.
b) In the Password field, enter the license password.
3) The permanent license key will be provided upon completion of the licensing wizard. Keep the license key in your permanent records. You will need it if you have to reinstall the system.
4) License your firewall as follows:
a) From the Control tab, select Firewall > License Product.
b) Enter the License Key you received from the licensing wizard.
c) Enter the Serial Number of the system.
d) Click the License button to register your appliance.
4.3 Configure Dynamic Network Address Translation (NAT)
One of the primary roles of a firewall is to mask internal IP addresses on your network from external networks. Dynamic Network Address Translation (DNAT) changes an internal IP address to the external IP of the firewall with a unique source port. The outside world sees the external address. Upon return, the firewall knows which internal IP to switch back to from the originating source port.
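The translation described above, shown as an added worked example (Python; this is not CyberGuard code): a small dynamic NAT table rewrites an outbound packet’s source to the firewall’s external address with a unique port, maps the reply back by that port, and returns nothing (a drop) for inbound traffic that matches no open flow. The addresses are the ones used in this guide’s diagram; the second client address, the remote site addresses, the starting port, and the class and function names are assumptions for the example.

```python
"""Dynamic NAT walk-through (added example, not CyberGuard code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (internal ip, internal port, remote ip, remote port)
FlowKey = Tuple[str, int, str, int]


class DynamicNat:
    """One external address shared by many internal hosts, told apart by port."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip      # the firewall's external interface
        self._next_port = first_port        # constructed starting port for NAT flows
        self._by_flow: Dict[FlowKey, int] = {}
        self._by_port: Dict[int, FlowKey] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so the outside sees only the firewall."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._by_flow.get(key)
        if nat_port is None:
            # A new flow gets a port nobody else is using, so replies are unambiguous
            nat_port = self._next_port
            self._next_port += 1
            self._by_flow[key] = nat_port
            self._by_port[nat_port] = key
        return Packet(self.external_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host; None means no flow matched (drop)."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self._by_port.get(pkt.dst_port)
        if key is None:
            return None                      # unsolicited: nothing opened this port
        in_ip, in_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # wrong peer for this flow
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo() -> dict:
    """Two internal clients using the same source port, plus two bogus replies."""
    nat = DynamicNat("192.168.1.1")          # Firewall A's external (DNAT) address
    client1 = Packet("10.0.1.11", 51000, "203.0.113.10", 80)  # Client 1 to a constructed web site
    client2 = Packet("10.0.1.12", 51000, "203.0.113.10", 80)  # constructed second client
    out1 = nat.translate_outbound(client1)
    out2 = nat.translate_outbound(client2)
    out1_again = nat.translate_outbound(client1)             # same flow reuses its port
    reply1 = Packet("203.0.113.10", 80, "192.168.1.1", out1.src_port)
    wrong_peer = Packet("198.51.100.9", 80, "192.168.1.1", out1.src_port)
    unsolicited = Packet("203.0.113.10", 80, "192.168.1.1", 40999)
    return {
        "out1": out1, "out2": out2, "out1_again": out1_again,
        "reply1": nat.translate_inbound(reply1),
        "wrong_peer": nat.translate_inbound(wrong_peer),
        "unsolicited": nat.translate_inbound(unsolicited),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two clients deliberately use the same source port; the unique NAT port is what lets the firewall tell their replies apart. The last two cases are why dynamic NAT alone gives internal hosts no inbound reachability: the inbound NAT rules configured in the steps that follow exist precisely to open the DMZ servers to traffic that no internal host initiated.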
1) Configure a NAT policy for your external interface:
a) From the Customize tab, select System > Interfaces.
b) Double-click the external interface to go to the Interface Edit page.
c) At NAT Configuration, select Default.
2) At the top right corner, click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
3) Click Apply.
4) Observe that your session has ended. This is because the system drops down to run level 1 and returns to normal operations.
5) Log back into the firewall.
6) From the Customize tab, select NAT.
7) At the NAT page side menu, click the NAT Configurations + symbol.
8) At the side menu, click the Default + symbol.
Add an Inbound NAT rule for the mail server
9) At the side menu, click Inbound Rules.
10) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check SMTP.
c) For Sources, check Anywhere.
Enter External Mail Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
e) Click the Insert icon ( ) and insert the following data:
i) For Name, type the actual name of your mail server that is available on the Internet (for example, mail.domain.net).
ii) For Type, select the Host radio button.
f) Click Save.
g) Click Cancel to close the dialog.
11) Verify that the destination endpoint you just entered is checked.
12) Click Save.
Add an Outbound NAT rule for the mail server
13) At the NAT page side menu, click Outbound Rules.
14) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check SMTP.
c) For Sources, check Anywhere.
Enter Internal Mail Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
i) For Name, type mailServer.
ii) For Type, select the Host radio button.
iii) For IP Address, type 172.16.1.12.
e) Click Save.
f) Click Cancel to close the dialog.
15) Verify that the destination endpoint you just entered is checked.
16) Click Save.
Add an Inbound NAT rule for the FTP server
17) At the side menu, click Inbound Rules.
18) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check FTP.
c) For Sources, check Anywhere.
Enter External FTP Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
e) Click the Insert icon ( ) and insert the following data:
i) For Name, type your actual ftp site address (for example, ftp.domain.net).
ii) For Type, select the Host radio button.
iii) For IP Address, type your actual ftp server address.
f) Click Save.
g) Click Cancel to close the dialog.
19) Verify that the destination endpoint you just entered is checked.
20) Click Save.
Add an Outbound NAT rule for the FTP server
21) At the NAT page side menu, click Outbound Rules.
22) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check FTP.
c) For Sources, check Anywhere.
Enter Internal FTP Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
e) Click the Insert icon ( ) and insert the following data:
i) For Name, type ftpServer.
ii) For Type, select the Host radio button.
iii) For IP Address, type 172.16.1.13.
f) Click Save.
g) Click Cancel to close the dialog.
23) Verify that the destination endpoint you just entered is checked.
24) Click Save.
Add an Inbound NAT rule for the Web server
NOTE: Going into a more complicated area, it is not always necessary to configure a static NAT for your web server; it can be addressed via the HTTP proxy. You can set up rules to redirect HTTP connections for other servers if they use a port number other than 80, thus having multiple HTTP servers without NAT. That is beyond a novice level and not in the scope of this document.
25) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check HTTP.
c) For Sources, check Anywhere.
Enter External Web Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
e) Click the Insert icon ( ) and insert the following data:
i) For Name, type your actual web site address (for example, www.domain.net).
ii) For Type, select the Host radio button.
iii) For IP Address, type your actual web server address.
f) Click Save.
g) Click Cancel to close the dialog.
26) Verify that the destination endpoint you just entered is checked.
27) Click Save.
Add an Outbound NAT rule for the Web server
28) At the NAT page side menu, click Outbound Rules.
29) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, check SMTP.
c) For Sources, check Anywhere.
Enter Internal Web Server Endpoint
d) At Destinations, click the + symbol to open the endpoint insert dialog.
e) Click the Insert icon ( ) and insert the following data:
i) For Name, type webServer.
ii) For Type, select the Host radio button.
iii) For IP Address, type 172.16.1.11.
f) Click Save.
g) Click Cancel to close the dialog.
30) Verify that the destination endpoint you just entered is checked.
31) Click Save.
Apply the changes
32) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
33) Click Apply.
4.4 Configure Static Routes
Add static routes to distant networks obscured behind firewalls and/or other network devices (CyberGuard firewalls are already aware of directly attached networks). As new networks are created, they'll need to be added here too. In our environment, the network behind Firewall B needs to be added so Client A can communicate with Client B.
4.4.1 Create Endpoint
Remember that you may substitute your actual server names and IP addresses while following this document.
1) From the Customize tab, select Environment > Endpoints.
2) Click the Insert icon ( ) and insert the following data:
a) For Name, type 10.0.2.0 Network.
b) For Type, select the Subnet radio button.
c) For Network Address, type 10.0.2.0.
d) For Network Mask Length, type 24.
3) Click Save.
4) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
5) Click Apply.
4.4.2 Create a Static Route
1) From the Customize tab, select System > Routing, to go to the Static Route page.
2) Click the Insert icon ( ) and insert the following data:
a) At Destination, select the Subnet radio button.
b) In the text box, select 10.0.2.0 Network.
c) At Forward To, select the Host radio button.
d) In the text box, select 192.168.1.2.
e) At Metric, type the number 1.
3) Click Save.
4.5 Enable DNS
The SMTP proxy, HTTP Outbound To proxy and e-mail alerts won't function without DNS. For these reasons, we'll configure the firewall as a split DNS server, providing name resolution for itself and internal systems.
1) From the Customize tab, select System > DNS.
2) Click the Configure button (this button does not appear after the initial configuration of DNS).
3) Click the Enable split DNS radio button.
4) Under Forwarders, at #1, type 192.0.34.166.
5) Under Forwarders, at #2, type 192.0.34.167.
6) At Private server listens on, select the internal interface.
NOTE: In this example, the firewall is not providing DNS services to inbound connections on the external interface.
7) At the DNS Server Setup page side menu, click the “+” symbol at Server Setup, and then click Public Zones. (You know you’re on the correct page if the side menu shows the Public Zones text in bold.)
8) Click the Insert icon ( ) and insert the following data:
a) At the Domain Name field, enter the appropriate domain.
b) At the Networks field, enter the firewall’s external network (192.168.1.0/24) and press the Tab key to display the Reverse Zone Name.
c) Leave the Reverse Zone Names field at the default (1.168.192).
9) Click Save.
10) At the DNS Server Setup page side menu, click Private Zones.
11) Click the Insert icon ( ) and insert the following data:
a) At the Domain Name field, enter the appropriate domain.
b) At the Networks field, enter the firewall’s external network (10.0.1.0/24) and press the Tab key to display the Reverse Zone Name.
c) Leave the Reverse Zone Names field at the default (1.0.10).
12) Click Save.
13) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
14) Click Apply.
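The Reverse Zone Name defaults shown above (1.168.192 for 192.168.1.0/24 and 1.0.10 for 10.0.1.0/24) are simply the network octets in reverse order, which is how in-addr.arpa zones are named. The following added example (Python; not CyberGuard code) computes that name, the matching PTR owner name for a host, and which configured zone would answer a reverse lookup; it rejects networks that are not cut on an octet boundary, since those cannot be a single classful reverse zone without the classless delegation of RFC 2317. The function names are assumptions for the example.

```python
"""Reverse zone names for the split-DNS setup (added example, not CyberGuard code)."""
import ipaddress
from typing import Iterable, Optional


def reverse_zone_name(cidr: str) -> str:
    """Network octets in reverse order, e.g. 192.168.1.0/24 -> '1.168.192'.

    Only /8, /16 and /24 networks map onto one in-addr.arpa zone; any other
    prefix length would need RFC 2317 classless delegation, so it is rejected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: reverse zones are cut on octet boundaries (/8, /16, /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets))


def is_octet_aligned(cidr: str) -> bool:
    """True when reverse_zone_name() accepts the network."""
    try:
        reverse_zone_name(cidr)
        return True
    except ValueError:
        return False


def reverse_zone_fqdn(cidr: str) -> str:
    """The zone as DNS names it, e.g. '1.168.192.in-addr.arpa.'."""
    return reverse_zone_name(cidr) + ".in-addr.arpa."


def ptr_owner_name(ip: str) -> str:
    """Owner name of one host's PTR record, e.g. '12.1.16.172.in-addr.arpa.'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def zone_for_host(ip: str, zone_networks: Iterable[str]) -> Optional[str]:
    """Reverse zone (by name) that would hold the PTR for `ip`, or None if none is configured."""
    addr = ipaddress.ip_address(ip)
    for cidr in zone_networks:
        if addr in ipaddress.ip_network(cidr, strict=True):
            return reverse_zone_name(cidr)
    return None


# The two zones this guide configures: public (external) and private (internal)
CONFIGURED_ZONES = ["192.168.1.0/24", "10.0.1.0/24"]

if __name__ == "__main__":
    for cidr in CONFIGURED_ZONES:
        print(cidr, "->", reverse_zone_fqdn(cidr))
    for host in ("10.0.1.11", "172.16.1.12"):
        print(host, ptr_owner_name(host), "served by:", zone_for_host(host, CONFIGURED_ZONES))
```

Running zone_for_host against the guide’s two zones shows that the DMZ servers (172.16.1.0/24) have no reverse zone at all in this configuration; if your SMTP proxy or mail server performs reverse lookups on DMZ addresses, that is the zone you would add next.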
4.6 Packet-Filtering Rules
The firewall administrator must configure packet-filter rules to permit traffic to flow through the firewall. The order of packet-filtering rules is significant. Rules are searched from top to bottom for the first rule that matches the packet. If a match is found, that rule is applied and no further rules are searched. If no match is found, the datagram is dropped.
4.7 Create Packet-Filtering Rules
In the first two examples, we will add SSH rules for remote command line administration and icmp rules for monitoring and troubleshooting purposes. Subsequent examples include adding rules for your FTP, mail, and web server.
While configuring a server that is available from the Internet (such as web, FTP, or mail):
• Make one rule to authorize traffic from the Internet and redirect to the server.
• Make another rule to proxy traffic from the firewall to the server and ensure it is placed below the above rule.
When multiple web servers are in use, an inbound proxy rule can be used in combination with static NAT rules for each site. These configurations are typically used for DNS legacy support. They are an alternative to the configurations mentioned in this document.
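To make the first-match behaviour of section 4.6 and the ordering caveats above concrete, here is an added example (Python; not CyberGuard code) that evaluates packets top down against rules modelled on this guide’s SSH, ping, mail and FTP rules, drops anything unmatched, and flags rules that can never match because an earlier, broader rule already covers them. The address ranges behind the endpoint names, the adminHost endpoint, the Deny action, and the sample packets are assumptions for the example.

```python
"""First-match packet filtering with a shadowed-rule check (added example, not CyberGuard code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address ranges behind the endpoint names used in this guide.
# "External Sites" is treated as "any address not in a named private endpoint".
PRIVATE_ENDPOINTS: Dict[str, List[str]] = {
    "Internal Sites": ["10.0.1.0/24"],
    "Firewall": ["10.0.1.1/32", "192.168.1.1/32", "172.16.1.1/32"],
    "mailServer": ["172.16.1.12/32"],
    "adminHost": ["10.0.1.11/32"],   # hypothetical endpoint, used to show a shadowed rule
}
PRIVATE_NETS = {name: [ipaddress.ip_network(c) for c in cidrs]
                for name, cidrs in PRIVATE_ENDPOINTS.items()}
EXTERNAL = "External Sites"

# Service name -> (protocol, destination port or ICMP type)
SERVICES = {"SSH": ("tcp", 22), "SMTP": ("tcp", 25), "FTP": ("tcp", 21),
            "HTTP": ("tcp", 80), "echo/icmp": ("icmp", 8)}


@dataclass(frozen=True)
class Rule:
    action: str          # "Pass", a proxy action, or the constructed "Deny"
    service: str
    source: str
    destination: str
    description: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int            # destination port, or ICMP type for icmp


def in_endpoint(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if name == EXTERNAL:
        return not any(addr in net for nets in PRIVATE_NETS.values() for net in nets)
    return any(addr in net for net in PRIVATE_NETS[name])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (SERVICES[rule.service] == (pkt.proto, pkt.port)
            and in_endpoint(rule.source, pkt.src)
            and in_endpoint(rule.destination, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top down, first match wins; no match means the datagram is dropped."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "Drop", None


def covers(outer: str, inner: str) -> bool:
    """True when every address in endpoint `inner` is also in endpoint `outer`."""
    if outer == EXTERNAL or inner == EXTERNAL:
        return outer == inner
    return all(any(n.subnet_of(o) for o in PRIVATE_NETS[outer]) for n in PRIVATE_NETS[inner])


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.service == later.service
                    and covers(earlier.source, later.source)
                    and covers(earlier.destination, later.destination)):
                shadowed.append(j)
                break
    return shadowed


# Rules modelled on this guide, in the order they would appear on the page
RULES = [
    Rule("Pass", "SSH", "Internal Sites", "Firewall", "SSH remote administration rule"),
    Rule("Pass", "echo/icmp", "Internal Sites", "Firewall", "Ping rule"),
    Rule("SMTP Proxy", "SMTP", "External Sites", "mailServer", "Mail inbound"),
    Rule("SMTP Proxy", "SMTP", "mailServer", "External Sites", "Mail outbound"),
    Rule("FTP Proxy", "FTP", "Internal Sites", "External Sites", "FTP outbound"),
    Rule("Deny", "SSH", "adminHost", "Firewall", "never reached: rule 0 already covers it"),
]


def demo() -> dict:
    return {
        "ssh_from_lan": evaluate(RULES, Packet("10.0.1.11", "10.0.1.1", "tcp", 22)),
        "ssh_from_internet": evaluate(RULES, Packet("198.51.100.7", "192.168.1.1", "tcp", 22)),
        "mail_in": evaluate(RULES, Packet("198.51.100.7", "172.16.1.12", "tcp", 25)),
        "telnet_from_lan": evaluate(RULES, Packet("10.0.1.11", "10.0.1.1", "tcp", 23)),
        "shadowed": find_shadowed(RULES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last rule is the point of the exercise: it sits below a broader rule for the same service and destinations, so it is dead, and moving it above rule 0 is what makes it take effect. find_shadowed is the check to run after reordering rules, such as in step 11 of section 4.8.1 and step 14 of section 4.7.3, to confirm that nothing you intended to match has been buried.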
4.7.1 SSH Rule
1) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
2) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, select SSH.
c) For Sources, select Internal Sites.
d) For Destinations, select Firewall.
e) For Description, type SSH remote administration rule.
3) Click Save.
4) SSH allows you to remotely administer a CyberGuard firewall via the command line. Verify that remote shell access is enabled as follows:
b) Verify the Firewall Administrator user has Shell checked.
4.7.2 echo/icmp Rule
Add echo/icmp Services Group
1) From the Customize tab, select Environment > Services.
2) Click the Insert icon ( ) and insert the following data:
a) For Name, type echo/icmp.
b) For Type, select the ICMP radio button.
c) For Message Type, select echo.
3) Click Save.
Create echo/icmp Rule
4) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
5) Click the Insert icon ( ) and insert the following data:
a) For Action, select Pass.
b) For Services, select echo/icmp.
c) For Sources, select Internal Sites.
d) For Destinations, select Firewall.
e) For Description, type Ping rule - Required for monitoring and troubleshooting.
6) Click Save.
4.7.3 Server Rules
Mail Server Inbound Rule
2) At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select SMTP Proxy.
b) For Filter Action, select SMTP Inbound.
c) For Services, select SMTP.
d) For Sources, select External Sites.
e) For Destinations, select your external mail server.
3) Click Save.
Mail Server Outbound Rule
4) At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select SMTP Proxy.
b) For Filter Action, select SMTP Outbound.
c) For Services, select SMTP.
d) For Sources, select mailServer.
e) For Destinations, select External Sites.
FTP Server Inbound Rule
6) At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select FTP Proxy.
b) For Filter Action, select FTP Inbound.
c) For Services, select FTP.
d) For Sources, select External Sites.
e) For Destinations, select your external ftp server (for example, ftp.domain.net).
7) Click Save.
FTP Server Outbound Rule
8) At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select FTP Proxy.
b) For Filter Action, select FTP Outbound.
c) For Services, select FTP.
d) For Sources, select ftpServer.
e) For Destinations, select External Sites.
9) Click Save.
Web Server Inbound Rule
10)At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select HTTP Proxy.
b) For Filter Action, select HTTP Inbound.
c) For Services, select HTTP.
d) For Sources, select External Sites.
e) For Destinations, select your external http server (for example, http.domain.net).
11)Click Save.
Web Server Outbound Rule
12)At the Packet-Filtering Rules page, click the Insert icon ( ) and insert the following data:
a) For Action, select HTTP Proxy.
b) For Filter Action, select HTTP Outbound.
c) For Services, select HTTP.
d) For Sources, select httpServer.
e) For Destinations, select External Sites.
Apply the Changes
14) Verify that your Packet-Filtering page has your server rules in the proper order, meaning that each server’s set of rules has the rule that authorizes traffic from the Internet and redirects it to the server placed above the rule that proxies traffic from the firewall to the server.
15) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
16) Click Apply.
4.8 Configure Proxies
Proxies provide an added layer of security by passing traffic on behalf of remote systems rather than allowing them direct contact with internal systems. Proxies also provide additional control of network traffic (such as preventing users from deleting files over FTP). By our network security policy, the following proxy configurations allow internal user access to FTP, HTTP, and HTTPS. We will also use the SMTP proxy to send and receive e-mail.
4.8.1 Enable the FTP Proxy
1) From the Customize tab, select Packet Filter & Proxies > FTP Proxy.
2) At the FTP Proxy page side menu, click Filter Actions.
3) Under the Name column, double-click FTP Outbound, which takes you to the FTP Filter Action Edit page.
4) Verify Allow anonymous Logon is checked (we want it checked because many legitimate download sites use anonymous FTP).
5) Verify Allow Authenticated Logon is checked (this enables users to enter their user ID and password at the remote FTP server; otherwise, they won’t be able to connect).
6) At Allowed Commands, select the desired accesses (such as All FTP Commands or Download). Existing command groups can be viewed and edited in the FTP proxy Command Groups window.
NOTE: For more detail of the FTP options, refer to RFC 959 (the official FTP specification from October 1985).
7) Click Save.
8) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
9) Click the Insert icon ( ) and insert the following data:
a) For Action, select FTP Proxy.
b) For Services, select FTP.
c) For Sources, select Internal Sites.
d) For Destinations, select External Sites.
e) For Filter Action, select FTP Outbound.
f) For Redirect Action, select -None-.
g) For Description, type Proxy traffic from internal systems to external systems.
10)Click Save.
11) At the Packet-Filtering Rules page, sort your rules so that the rule whose destination is the firewall is on top, because rules are evaluated in the order in which they appear.
12) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
13) Click Apply.
4.8.2 Enable the HTTP Proxy
2) At the HTTP Proxy page side menu, click HTTP Filter Actions.
3) Under the Name column, double-click HTTP Outbound, which takes you to the HTTP Filter Action Edit page.
4) In the Allowed Commands field, uncheck Delete and Put as they are not required for internal users to access web sites.
5) Click Save.
6) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
7) Click the Insert icon ( ) and insert the following data:
a) For Action, select HTTP Proxy.
b) For Services, select HTTP.
c) For Sources, select Internal Sites.
d) For Destinations, select External Sites.
e) For Filter Action, select HTTP Outbound.
f) For Redirect Action, select -None-.
g) For Description, type Proxy traffic from internal systems to external systems.
8) Click Save.
NOTE: You may use the HTTP Proxy > URI Redirect Actions page to enable you to run multiple web sites from one or multiple web servers.
9) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
10) Click Apply.
4.8.3 Enable the Circuit Proxy
The Circuit proxy does not examine the application-level content of the packets flowing between the client and the server. Its filtering service forwards all data received from one participant to the other, thus allowing hosts that are hidden behind the firewall to remain hidden.
1) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
2) Click the Insert icon ( ) and insert the following data:
a) For Action, select Circuit Proxy.
b) For Services, select HTTPS.
c) For Sources, select Internal Sites.
d) For Destinations, select External Sites.
e) For Filter Action, select Circuit Outbound.
f) For Redirect Action, select -None-.
g) For Description, type Proxy traffic from internal systems to external systems.
3) Click Save.
4) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
5) Click Apply.
4.8.4 Enable the SMTP Proxy
This configuration routes e-mail from the Internet to arrive at the external interface of the firewall, then the firewall proxies the mail traffic to the mail server.
Redirection strategy
1) From the Customize tab, select Packet Filter & Proxies > Common Redirection Strategies.
2) Click the Insert icon ( ) and insert the following data:
a) For Name, type SMTP Redirect.
b) For Translate Host, select your previously entered mail server endpoint.
c) At the Translate Port check box, remove the check.
3) Click Save.
Inbound to firewall
4) From the Customize tab, select Packet Filter & Proxies > Packet-Filtering Rules.
5) Click the Insert icon ( ) and insert the following data:
a) For Action, select SMTP Proxy.
b) For Services, select SMTP.
c) For Sources, select Internal Sites.
d) For Destinations, select Firewall.
e) For Filter Action, select SMTP Inbound.
f) For Redirect Action, select SMTP Redirect.
6) Click Save.
Inbound to mail server
7) Click the Insert icon ( ) and insert the following data:
a) For Action, select SMTP Proxy.
b) For Services, select SMTP.
c) For Sources, select External Sites.
d) For Destinations, select your previously entered mail server endpoint.
e) For Filter Action, select SMTP Inbound.
f) For Redirect Action, select -None-.
g) For Description, type SMTP inbound rule #2.
8) Click Save.
Outbound
9) Click the Insert icon ( ) and insert the following data:
a) For Action, select SMTP Proxy.
b) For Services, select SMTP.
c) For Sources, select Internal Sites.
d) For Destinations, select External Sites.
e) For Filter Action, select SMTP Outbound.
f) For Redirect Action, select -None-.
g) For Description, type SMTP outbound rule.
10) Click Save.
11) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
12) Click Apply.
Ban certain file attachments (optional)
13) From the Customize tab, select Packet Filter & Proxies > SMTP Proxy.
14) At the SMTP Proxy page side menu, click Message Verification.
15) Click the Insert icon ( ) and insert the following data:
a) For Name, type Reject banned files.
b) For Banned Attachments, check the following selections:
• Default Archive Files
• Default Executable Files
16) Click Save.
17) At the SMTP Proxy page side menu, click Filter Actions.
18) Double-click the SMTP Inbound rule to edit.
19) Under Message Verification, select Reject banned files.
20) Click Save.
Apply the changes
21) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
22) Click Apply.
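To make the interaction of these rules concrete, the following is an added Python model (not CyberGuard code and not the product's configuration format) that evaluates the Circuit Proxy rule from 4.8.3 and the three SMTP Proxy rules from steps 5, 7 and 9 above against constructed sample connections, first match wins, with the SMTP Redirect strategy and the Reject banned files verification applied as configured in steps 2 and 19. The address ranges behind the endpoint names, the firewall external address 192.0.2.1, the mail server address 10.0.0.25 and the banned extensions are assumptions.

```python
from dataclasses import dataclass

# Assumed address plan for the symbolic endpoints named in this guide.
FW_EXT, MAIL = "192.0.2.1", "10.0.0.25"
NETS = {
    "Internal Sites": lambda ip: ip.startswith("10."),
    "External Sites": lambda ip: not ip.startswith("10.") and ip != FW_EXT,
    "Firewall": lambda ip: ip == FW_EXT,
    "mailServer": lambda ip: ip == MAIL,   # the "previously entered mail server endpoint"
}
# Redirection strategy from step 2: Translate Host only (Translate Port unchecked).
REDIRECTS = {"SMTP Redirect": MAIL}
# Step 19 attaches the "Reject banned files" verification to the SMTP Inbound
# filter action; these extensions stand in for the default archive/executable lists.
VERIFICATION = {"SMTP Inbound": (".exe", ".zip")}

@dataclass
class Rule:
    action: str
    service: str
    src: str
    dst: str
    filter_action: str
    redirect: str = "-None-"

# The rules as entered in 4.8.3 and in steps 5, 7 and 9 of 4.8.4, in that order.
RULES = [
    Rule("Circuit Proxy", "HTTPS", "Internal Sites", "External Sites", "Circuit Outbound"),
    Rule("SMTP Proxy", "SMTP", "Internal Sites", "Firewall", "SMTP Inbound", "SMTP Redirect"),
    Rule("SMTP Proxy", "SMTP", "External Sites", "mailServer", "SMTP Inbound"),
    Rule("SMTP Proxy", "SMTP", "Internal Sites", "External Sites", "SMTP Outbound"),
]

def evaluate(src_ip, dst_ip, service, attachments=(), rules=RULES):
    """First matching rule wins. Returns (verdict, rule_index, delivered_to)."""
    for i, r in enumerate(rules):
        if r.service != service or not NETS[r.src](src_ip) or not NETS[r.dst](dst_ip):
            continue
        target = REDIRECTS.get(r.redirect, dst_ip)   # host rewritten, port unchanged
        banned = VERIFICATION.get(r.filter_action, ())
        if any(name.lower().endswith(banned) for name in attachments):
            return ("reject", i, target)             # proxy rejects the message
        return ("allow", i, target)
    return ("deny", None, dst_ip)                     # no rule matched (assumed default)

if __name__ == "__main__":
    for flow in [("10.0.0.7", FW_EXT, "SMTP", ("invoice.exe",)),
                 ("203.0.113.9", MAIL, "SMTP", ("note.txt",)),
                 ("10.0.0.7", "203.0.113.9", "HTTPS", ())]:
        print(flow[:3], "->", evaluate(*flow))
```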
4.9 Binary Log Management
By default, binary logging is turned on. More than 300 different types of events are logged. The following steps move binary logs to an FTP server. This helps prevent logs from filling up the system disk.
1) From the Customize tab, select Audit & Alerts > Audit Archiving.
2) Check the Enable audit archiving checkbox.
3) For Days to keep audit logs before archiving, enter 7.
4) If you want to encrypt your logs, check the Encrypt archived logs checkbox and enter
appropriate key information.
5) At Archive disposal strategy, select Move; observe more configuration items display.
6) Leave the Create Packet-Filtering Rules check box checked.
8) At Selected Remote Location(s), click the + symbol; observe the URI page opens in a new dialog window and do the following:
NOTE: Uniform Resource Identifier (URI) is the generic term for the unique name used to access a resource, typically on the Internet. A URI typically describes the mechanism used to access the resource, the specific computer that the resource is housed in, or the specific name of the resource (a file name) on the computer.
a) Create the URI Name for your FTP server.
b) For User Name, type the user name for FTP access.
c) For Host, select ftpServer.
d) For Directory, type the appropriate directory for your FTP server.
e) For Scheme, select FTP.
f) Enter the Password twice for your FTP server.
g) For Port, select FTP.
h) For File Name, type the appropriate file name for your FTP server.
i) Click Save.
j) Close the URI window.
9) Back on the Audit Archiving page at Selected Remote Location(s), select your FTP server URI and click the right arrow ( ) to move it to the Available Remote Location(s) box.
10) Click Save.
11) Click the Apply Needed icon ( ), which brings you to the Apply Configuration page.
12) Click Apply.
4.10 Functionality Testing
At this point, the firewall should function per our configurations. Take a moment to confirm that appropriate traffic passes through the firewall (for example, you can access external web sites and FTP servers).
4.11 Backup the System
Now that the system is initially configured, we recommend you back it up. In this section we provide you with two methods: remote FTP transfer or local workstation. System restore is outside of the scope of this document. For more information, refer to the on-line help.
4.11.1 Save Configuration to a Remote Server
1) From the Control tab, select Firewall > Save Configuration.
2) Select the Save to remote server radio button; observe more configuration items display.
3) Check the Include Subsystem Files checkbox.
4) At the Remote System section, make the appropriate selections for your network.
4.11.2 Save Configuration to a PC
1) From the Control tab, select Firewall > Save Configuration.
2) Check the Download to PC checkbox.
3) Check the Include Subsystem Files checkbox.
4) Click Save.
5) Continue the save via the Windows download dialog boxes.
4.12 Configuration Tracking
Configuration tracking will record changes made to the system during a login session. It can also be used for recovering configurations after incorrect changes have been instituted.
SECURITY NOTICE: All changes to the firewall must be strictly controlled and documented. A formal change control process should be implemented. Consider keeping documentation of the packet-filter rules and periodically comparing them to the actual configurations. It is also important to document the rationale and/or history of each rule.
1) From the Customize tab, select System > Configuration Tracking.
2) Check the Track configuration changes made when applying configuration check box.
3) Observe the Require change ticket when applying configuration check box displays, but do not check it. (Checking this box enables you to define your own ticket numbering system; the default is a date/time stamp.)
4) Click Save.
6) At Apply Configuration page Description, type adding configuration tracking to firewall.
7) Click Apply.
View configuration tracking changes
8) From the Monitor tab, select Firewall > Configuration History.
9) At Tickets, check the single date/time stamp checkbox.
10) Click Filter.
11)Notice the report results consist of the entry you just made.
5 BEST PRACTICES
The following items are not necessary to run your firewall, but are recommended for common sense administration.
5.1 Alerts
Establish Alert Actions via the Customize tab, Audit & Alerts > Alerts page, side menu Alert Rules. The following alerts are a minimal recommendation for most installations:
• Archive Failed Alert
• Critical Hardware Event Alert
• Disk Space Alert
• License Warning Alert
• Multiple Authentication Attempt Alert
Do not select mail notification for events that may generate a large volume of traffic. Test your alerts via the Control tab, Firewall > Test Alert Actions page.
5.2 User Accounts
To enhance accountability, each firewall user should have a separate account. Only one user should have administrator privileges.
The Users page is accessed via the Customize tab, Authentication > Users.
If you choose to age passwords, ensure that all accounts do not expire on the same day. If all passwords are lost or forgotten, there is no backdoor to gain access to the system.
5.3 User Blacklisting
User blacklisting is used to temporarily disable an account after a series of failed login attempts.
Access the Users Blacklist Configuration via the Customize tab, Authentication > User Blacklist.
6 FINAL CONSIDERATIONS
6.1 Demilitarized Zone (DMZ)
A DMZ is a perimeter network that you would add between a protected network and an external network to provide an additional layer of security. Ideally, you would put your web, mail, and FTP servers in your DMZ. Traffic between the DMZ and the internal network and traffic between the DMZ and the Internet must pass through the firewall.
Network Interface
Physically connect the firewall to the appropriate DMZ network device via one of the firewall’s unused network ports. Take note of which port the cable is connected to for configurations. Configure your network interfaces via the Customize tab, System > Interfaces page.
If you want DNS enabled on the DMZ, add the new interface in Split DNS (Customize tab, System > DNS).
6.2 Security
Read the Security Considerations section of the Firewall Installation and Setup Guide. It provides you with valuable security information.
If you used the fwinit floppy, be sure to retain it as it will be useful in the event that you need to reinstall from backup. Place it in a physically secure location as it contains sensitive information.
6.3 Archives
Over the next week or so, monitor the system's disk space to see how much logging is taking place. You may need to change your archiving schedule.
6.4 Training
For best results, attend formal training. A firewall is one of the most critical components of your infrastructure. For more information, visit the CyberGuard web site (http://www.cyberguard.com/support/training.cfm).
6.5 Support
Establish an on-line support account (https://support2.cyberguard.com). On-line support access enables you to review answer book entries, create support calls, and upload files. Access to on-line support requires an active CyberGuard service or reseller agreement. The phone numbers for the CyberGuard Customer Support Center are as follows:
• Local (South Florida) 954-375-3700
• Toll free 888-411-CYBG (2924)
Help the support team help you. When calling in, provide the support engineer with:
• Your Site ID (also known as the software serial number)
• The software version and PSU level of your firewall
• As much detail of the issue as possible
This information will save time and make it much easier for the engineer to help resolve your issue.
Install Product Software Updates (PSUs) as they become available.
6.6 Warranty
Under no circumstances should you open the case of your system. Doing so will void your warranty.
6.7 Helpful Commands
Function                      Command
mount floppy (as root user)   mount /mnt/floppy
copy a file to the floppy     cp <file_name> /mnt/floppy
unmount floppy                umount /mnt/floppy