A New Dimension of Network Security and Information Management

www.stonesoft.com

Training - Customer Services

StoneBeat FullCluster, FC 2.0 Labs (v1.1)

StoneBeat™

FullCluster Labs

Installation Files

Installation Files on Windows NT:

Create installation folders:
  C:\Install\Sbfc
  C:\Install\Sbgui

Use WinZip to unzip files to installation folders:
  CDROM:\sbfc_fw1_20\nt\sbfc_xxx.zip to folder c:\install\sbfc
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui

Installation Files on Solaris:

Create installation folder:
  mkdir /install

Copy files from the cdrom to the installation folder:
  cp /cdrom/cdrom0/sbfc_fw1_20/solaris/sbfc_xxx.gz /install
  cp /cdrom/cdrom0/sbgui_42/solaris/sbgui_xxx.gz /install

Unzip files:
  /cdrom/cdrom0/Zip/gunzip.bin /install/sbfc_xxx.gz
  /cdrom/cdrom0/Zip/gunzip.bin /install/sbgui_xxx.gz

Untar files:
  tar xvf /install/sbfc_xxx
  tar xvf /install/sbgui_xxx

StoneBeat™

FullCluster Labs

Network Topology

StoneBeat FullCluster Lab Network Topology - Site #1

FTP-CLIENT1: 10.0.1.254
SBFC101: control 192.168.1.101, internal 10.0.1.101 (cluster 10.0.1.1), external 204.32.38.101 (cluster 204.32.38.1)
SBFC102: control 192.168.1.102, internal 10.0.1.102 (cluster 10.0.1.1), external 204.32.38.102 (cluster 204.32.38.1)
FTP-SERVER: 204.32.38.254

Site #1: /etc/hosts

127.0.0.1       localhost
#Ftp-server for all the sites
204.32.38.254   ftp-server
#Site 1
192.168.1.101   sbfc101            #Control
192.168.1.102   sbfc102
204.32.38.1     site1-external     #External
204.32.38.101   sbfc101-external
204.32.38.102   sbfc102-external
10.0.1.1        site1-internal     #Internal
10.0.1.101      sbfc101-internal
10.0.1.102      sbfc102-internal
10.0.1.254      ftp-client1        #Ftp-client

StoneBeat FullCluster Lab Network Topology - Site #2

FTP-CLIENT2: 10.0.2.254
SBFC103: control 192.168.1.103, internal 10.0.2.103 (cluster 10.0.2.1), external 204.32.38.103 (cluster 204.32.38.2)
SBFC104: control 192.168.1.104, internal 10.0.2.104 (cluster 10.0.2.1), external 204.32.38.104 (cluster 204.32.38.2)
FTP-SERVER: 204.32.38.254

Site #2: /etc/hosts

127.0.0.1       localhost
#Ftp-server for all the sites
204.32.38.254   ftp-server
#Site 2
192.168.1.103   sbfc103            #Control
192.168.1.104   sbfc104
204.32.38.2     site2-external     #External
204.32.38.103   sbfc103-external
204.32.38.104   sbfc104-external
10.0.2.1        site2-internal     #Internal
10.0.2.103      sbfc103-internal
10.0.2.104      sbfc104-internal
10.0.2.254      ftp-client2        #Ftp-client

StoneBeat FullCluster Lab Network Topology - Site #3

FTP-CLIENT3: 10.0.3.254
SBFC105: control 192.168.1.105, internal 10.0.3.105 (cluster 10.0.3.1), external 204.32.38.105 (cluster 204.32.38.3)
SBFC106: control 192.168.1.106, internal 10.0.3.106 (cluster 10.0.3.1), external 204.32.38.106 (cluster 204.32.38.3)
FTP-SERVER: 204.32.38.254

Site #3: /etc/hosts

127.0.0.1       localhost
#Ftp-server for all the sites
204.32.38.254   ftp-server
#Site 3
192.168.1.105   sbfc105            #Control
192.168.1.106   sbfc106
204.32.38.3     site3-external     #External
204.32.38.105   sbfc105-external
204.32.38.106   sbfc106-external
10.0.3.1        site3-internal     #Internal
10.0.3.105      sbfc105-internal
10.0.3.106      sbfc106-internal
10.0.3.254      ftp-client3        #Ftp-client

StoneBeat FullCluster Lab Network Topology - Site #4

FTP-CLIENT4: 10.0.4.254
SBFC107: control 192.168.1.107, internal 10.0.4.107 (cluster 10.0.4.1), external 204.32.38.107 (cluster 204.32.38.4)
SBFC108: control 192.168.1.108, internal 10.0.4.108 (cluster 10.0.4.1), external 204.32.38.108 (cluster 204.32.38.4)
FTP-SERVER: 204.32.38.254

Site #4: /etc/hosts

127.0.0.1       localhost
#Ftp-server for all the sites
204.32.38.254   ftp-server
#Site 4
192.168.1.107   sbfc107            #Control
192.168.1.108   sbfc108
204.32.38.4     site4-external     #External
204.32.38.107   sbfc107-external
204.32.38.108   sbfc108-external
10.0.4.1        site4-internal     #Internal
10.0.4.107      sbfc107-internal
10.0.4.108      sbfc108-internal
10.0.4.254      ftp-client4        #Ftp-client
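
The per-site /etc/hosts files above all follow one addressing scheme, so a file copied from another site can be checked mechanically before the cluster is built. The script below is an added example, not part of the original lab material; the function names and the sample file are constructed for illustration, and the two-nodes-per-site rule is taken from the lab setup.

```sh
#!/bin/sh
# Added example (not from the lab material): lint a site's hosts file against
# the lab addressing scheme, where x = site number and yyy = node number:
#   sbfcYYY           192.168.1.YYY   (control)
#   sbfcYYY-external  204.32.38.YYY   siteX-external  204.32.38.X
#   sbfcYYY-internal  10.0.X.YYY      siteX-internal  10.0.X.1
#   ftp-clientX       10.0.X.254      ftp-server      204.32.38.254

# check_site_hosts SITE FILE
# Prints one finding per line; returns 1 if anything is inconsistent.
check_site_hosts() {
    awk -v site="$1" '
        # Compare one name against the address the scheme requires.
        function expect(name, want) {
            ok[name] = 1
            if (!(name in addr)) {
                printf "missing: %s (expected %s)\n", name, want; bad++
            } else if (addr[name] != want) {
                printf "mismatch: %s is %s, expected %s\n", name, addr[name], want; bad++
            }
        }
        {
            sub(/#.*/, "")                      # drop comments
            if (NF < 2) next
            for (i = 2; i <= NF; i++) {         # a line may carry aliases
                h = $i
                if (!(h in addr)) order[++n] = h
                addr[h] = $1
            }
        }
        END {
            expect("localhost", "127.0.0.1")
            expect("ftp-server", "204.32.38.254")
            expect("site" site "-external", "204.32.38." site)
            expect("site" site "-internal", "10.0." site ".1")
            expect("ftp-client" site, "10.0." site ".254")
            nodes = 0
            for (i = 1; i <= n; i++) {
                node = order[i]
                if (node ~ /^sbfc[0-9]+$/) {    # node entries define yyy
                    yyy = substr(node, 5); nodes++
                    expect(node, "192.168.1." yyy)
                    expect(node "-external", "204.32.38." yyy)
                    expect(node "-internal", "10.0." site "." yyy)
                }
            }
            if (nodes != 2) { printf "expected 2 nodes, found %d\n", nodes; bad++ }
            for (i = 1; i <= n; i++)            # leftovers, e.g. another site
                if (!(order[i] in ok)) {
                    printf "unexpected: %s %s\n", order[i], addr[order[i]]; bad++
                }
            exit (bad > 0)
        }
    ' "$2"
}

# Constructed sample: a Site 2 file copied from Site 1 with two names left stale.
sample_site2_hosts() {
    cat <<'EOF'
127.0.0.1      localhost
#Ftp-server for all the sites
204.32.38.254  ftp-server
#Site 2
192.168.1.103  sbfc103          #Control
192.168.1.104  sbfc104
204.32.38.2    site1-external   #External
204.32.38.103  sbfc103-external
204.32.38.104  sbfc104-external
10.0.2.1       site1-internal   #Internal
10.0.2.103     sbfc103-internal
10.0.2.104     sbfc104-internal
10.0.2.254     ftp-client2      #Ftp-client
EOF
}

tmp=${TMPDIR:-/tmp}/hosts.site2.$$
sample_site2_hosts > "$tmp"
check_site_hosts 2 "$tmp" || echo "hosts file needs fixing"
rm -f "$tmp"
```

On a lab node the same function can be pointed at the real file, for example `check_site_hosts 3 /etc/hosts` on a Site 3 machine.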

StoneBeat™

FullCluster Lab

Installation on Sun Solaris

(FireWall-1)

Installation: Step 1 - Operating System

Install Solaris 7 - DONE
Install Solaris 7 suggested patches - DONE
Check the hostname - DONE
Check the /etc/hosts and /etc/netmasks files - DONE
Configure the Control Interfaces - DONE
Connect the Control Network Cables - DONE

Installation: Step 2 - FireWall-1

Install FireWall-1 4.1 - DONE
Install FireWall-1 Policy - DONE
Check the /.profile - DONE

Configure Operative Interfaces
  Edit /etc/hostname.qfe files:
    qfe0    External Dedicated IP: 204.32.38.yyy/255.255.255.0
    qfe0:1  External Cluster IP: 204.32.38.x/255.255.255.0
    qfe1    Internal Dedicated IP: 10.0.x.yyy/255.255.255.0
    qfe1:1  Internal Cluster IP: 10.0.x.1/255.255.255.0

  Delete the directly connected route from the alias interface
  /etc/rc3.d/S99staticroutes:
    route delete net 204.32.38.0 204.32.38.x
    route delete net 10.0.x.0 10.0.x.1

x=site number, yyy=node number and zzz=partner node number

Enable FireWall-1 Synchronization
  Edit $FWDIR/conf/sync.conf:
    192.168.1.zzz
  $FWDIR/bin/fwstop
  $FWDIR/bin/fw putkey 192.168.1.zzz
  $FWDIR/bin/fwstart

Edit /etc/fw.boot/ifdev
  Add row: sbif accept

Reboot

Installation: Step 3 - FullCluster

Install FullCluster
  cd /install
  pkgadd -d .
  Choose all packages: SBFCbase, SBFCconf, SBFCdrv, SBFCgui, SBFCmod and SBFCsnmp

Create the SBFCHOME environment variable
  Edit /.profile:
    SBFCHOME=/opt/fullcluster
    PATH=$SBFCHOME/bin:$PATH
    export PATH SBFCHOME

Use Web Configuration GUI Wizard:
  hotjava http://localhost:3003/install/
  $SBFCHOME/bin/sbfcwebconfig install

Installation: Step 3 - FullCluster node #2

#reboot

Installation: Step 3 - FullCluster node #1

How many nodes: 2

How many operative interfaces: 2

Configuration type: multicast

Heartbeat IP addresses: 192.168.1.yyy and 192.168.1.zzz

Cluster mode: balancing

Is this machine FireWall-1 management station: Yes

Username: fwadmin

Password: password

Policy name: Standard

Remember to download and rename the GUI certificate files to /install/guikey.pem and /install/guicerts.pem

Check the node.conf file!

#reboot

Installation: Step 4 - StoneBeat GUI

Install StoneBeat GUI version 4.2
  pkgadd -d /install/SBFCgui - DONE

Copy Key and Certificate Files:
  From /install/gui*.pem to /stonebeat/etc

Create and connect a new FullCluster Site

Run: /opt/stonebeat/gui/bin/sbgui

Select: Site->New->FullCluster

Enter Site Name and Password

Enter ID, Hostname, IP address and SSL port (3002)

Retrieve

Select: Site->Connect

Installation: Step 5 - Testing

Connect the Operative Network Cables

Configure Ftp-Server
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 204.32.38.254/255.255.255.0
  Add routes to internal networks: 10.0.x.0

Configure Ftp-Client
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 10.0.x.254/255.255.0.0 - Default Gateway: 10.0.x.1

Test Programs in Ftp-Client
  Run: \\ftp-server\avi\forest.avi
  Run: telnet ftp-server 19
  Run: ftp ftp-server (configure filter.conf)

Installation: Additional Step 6

Install StoneBeat GUI in FTP-Client

Create installation folder:
  C:\Install\Sbgui

Use WinZip to unzip files to installation folder:
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui

Install StoneBeat GUI
  Run from C:\Install\Sbgui\Setup.exe

Copy Key and Certificate Files

Run: Start->Programs->StoneBeat->StoneBeat GUI

Create and connect a new FullCluster Site

StoneBeat™

FullCluster Lab

Installation on Windows NT

(FireWall-1)

Installation: Step 1 - Operating System

Install WindowsNT 4.0 Server - DONE
Install the network - DONE
  Only TCP/IP Protocol
  Only SNMP Service
  Enable IP Forwarding
Install WindowsNT 4.0 Service Pack 6a - DONE
Check the Computer name and the Hosts file - DONE
Configure the Control Interfaces - DONE
Connect the Control Network Cables - DONE

Installation: Step 2 - FireWall-1

Install FireWall-1 4.1 - DONE
Install FireWall-1 Policy - DONE

Configure Operative Interfaces
  Do you want to install Windows NT Networking now? NO
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties->Advanced
    External Dedicated IP: 204.32.38.yyy/255.255.255.0
    External Cluster IP: 204.32.38.x/255.255.255.0 (alias)
    Internal Dedicated IP: 10.0.x.yyy/255.255.255.0
    Internal Cluster IP: 10.0.x.1/255.255.255.0 (alias)

x=site number, yyy=node number and zzz=partner node number

Enable FireWall-1 Synchronization
  Edit %FWDIR%\conf\sync.conf:
    192.168.1.zzz
  %FWDIR%\bin\fwstop
  %FWDIR%\bin\fw putkey 192.168.1.zzz
  %FWDIR%\bin\fwstart

Installation: Step 3 - FullCluster

Install FullCluster Driver
  Control Panel->Network->Protocols
  Add StoneBeat Driver from C:\Install\Sbfc
  Reboot

Install FullCluster Module
  Run from C:\Install\Sbfc\Setup.exe
  Use SNMP Agent
  Destination Folder: C:\Program Files\FullCluster

Use WEB Configuration GUI wizard:
  The browser will be started automatically

Installation: Step 3 - FullCluster node #2

Installation: Step 3 - FullCluster node #1

How many nodes: 2

How many operative interfaces: 2

Configuration type: multicast

Heartbeat IP addresses: 192.168.1.yyy and 192.168.1.zzz

Cluster mode: balancing

Is this machine FireWall-1 management station: Yes

Username: fwadmin

Password: password

Policy name: Standard

Remember to download and rename the GUI certificate files to C:\Install\guikey.pem and C:\install\guicerts.pem

Check the node.conf file!

Installation: Step 4 - StoneBeat GUI

Install StoneBeat GUI version 4.2
  Run from C:\Install\Sbgui\Setup.exe
  Destination Folder: C:\Program Files\StoneBeat
  Program Folder: Start->Programs->StoneBeat

Copy Key and Certificate Files:
  From C:\Install\gui*.pem to C:\StoneBeat\etc

Create and connect a new FullCluster Site

Run: Start->Programs->StoneBeat->StoneBeat GUI

Select: Site->New->FullCluster

Enter Site Name and Password

Enter ID, Hostname, IP address and SSL port (3002)

Retrieve

Select: Site->Connect

Installation: Step 5 - Testing

Connect the Operative Network Cables

Configure Ftp-Server
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 204.32.38.254/255.255.255.0
  Add routes to internal networks: 10.0.x.0

Configure Ftp-Client
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 10.0.x.254/255.255.0.0 - Default Gateway: 10.0.x.1

Test Programs in Ftp-Client
  Run: \\ftp-server\avi\forest.avi
  Run: telnet ftp-server 19
  Run: ftp ftp-server (configure filter.conf)

Installation: Additional Step 6

Install StoneBeat GUI in FTP-Client

Create installation folder:
  C:\Install\Sbgui

Use WinZip to unzip files to installation folder:
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui

Install StoneBeat GUI
  Run from C:\Install\Sbgui\Setup.exe

Copy Key and Certificate Files

Run: Start->Programs->StoneBeat->StoneBeat GUI

Create and connect a new FullCluster Site

StoneBeat™

FullCluster Lab

Filter.conf settings

Configure in filter.conf
  Tunnel statement
  Hide NAT statement
  Ignore port statement for FTP

Note! Edit filter.conf in all nodes

Reread configuration files

StoneBeat™

FullCluster Lab

Fetching NAT rules

(FireWall-1)

Create a simple NAT rule in your FireWall-1 rule base

Fetch NAT rules using FullCluster Web Configuration GUI

Check the filter-nat.conf file!

StoneBeat™

FullCluster Lab

Test Subsystem

Configure a multiping test that commands the node to offline in case of failure for the external unicast address 204.32.38.254

Test multi-ping (configure filter.conf)
  Edit $SBFCHOME/etc/checklist:
    multiping 30 online offline 2 1000 multi-ping 204.32.38.254
  sbfc reconfigure
  sbfc restart
  disconnect cable from external interface (blue)

Test firewall functionality with
  fw-module-running (Check Point's FireWall-1)
  servicerunning (Network Associates' Gauntlet and Axent's Raptor)

Test fw-module-running
  Edit $SBFCHOME/etc/checklist:
    firewall-module-on 60 online offline 1 1 fw-module-running
  sbfc reconfigure
  sbfc restart
  fwstop

StoneBeat™

FullCluster Lab

Management GUI and sbfc

Command Line Interface

GUI and Command Line Interface

Try to do the following things with both the StoneBeat GUI and the command line interface:

Command one node first to offline state and then to online state

Restart all nodes

Check the status of FullCluster site

StoneBeat™

FullCluster Lab

Ten problems

The instructor has changed ten things in the demo site:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Note! Only software configuration changes!

StoneBeat™

FullCluster Lab

Switch Configuration

Cisco Catalyst 2900 Series XL or equivalent

Configure VLANs
  EXTERNAL: external ports of the FullCluster nodes and ftp-server
  INTERNAL: internal ports of the FullCluster nodes and ftp-client
  CONTROL: control ports of the FullCluster nodes

Configure static multicast support
  0104.3238.0100: EXTERNAL VLAN ports
  0110.0000.0100: INTERNAL VLAN ports
  0192.6801.0100: CONTROL VLAN ports

Catalyst 2900 Series XL: VLAN

    Switch>enable
    Switch#vlan database
    Switch(vlan)#vlan 10 name EXTERNAL media ethernet
    Switch(vlan)#exit
    Switch#configure terminal
    Switch(config)#interface fastEthernet 0/1
    Switch(config-if)#switchport access vlan 10
    Switch(config-if)#exit
    Switch(config)#interface fastEthernet 0/2
    Switch(config-if)#switchport access vlan 10
    Switch(config-if)#exit
    Switch(config)#interface fastEthernet 0/3
    Switch(config-if)#switchport access vlan 10
    Switch(config-if)#exit
    Switch(config)#interface fastEthernet 0/4
    Switch(config-if)#switchport access vlan 10
    Switch(config-if)#exit
    Switch(config)#exit
    Switch#write memory


Catalyst 2900 Series XL: VLAN

    Switch#
    Switch#show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                    Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                    Fa0/24
    10   EXTERNAL                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
    20   INTERNAL                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
    30   CONTROL                          active    Fa0/17, Fa0/18, Fa0/19

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    10   enet  100110     1500  -      -      -        -    -        0      0
    20   enet  100120     1500  -      -      -        -    -        0      0
    30   enet  100130     1500  -      -      -        -    -        0      0
    Switch#


Catalyst 2900 Series XL: Multicast Group

    Switch>enable
    Switch#configure terminal
    Switch(config)#
    Switch(config)#mac-address-table static 0104.3238.0100 fastEthernet 0/4 fastEthernet 0/1 fastEthernet 0/2 fastEthernet 0/3
    Switch(config)#
    Switch(config)#mac-address-table static 0110.0000.0100 fastEthernet 0/12 fastEthernet 0/9 fastEthernet 0/10 fastEthernet 0/11
    Switch(config)#
    Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/17 fastEthernet 0/18 fastEthernet 0/19
    Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/18 fastEthernet 0/17 fastEthernet 0/19
    Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/19 fastEthernet 0/17 fastEthernet 0/18
    Switch(config)#
    Switch(config)#exit
    Switch#write memory
    Switch#show conf
    Switch#


Catalyst 2900 Series XL: Multicast Group

    Switch#
    Switch#show mac-address-table
    Dynamic Address Count:                 11
    Secure Address Count:                  0
    Static Address (User-defined) Count:   3
    System Self Address Count:             47
    Total MAC addresses:                   61
    Maximum MAC addresses:                 8192

    Non-static Address Table:
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    0000.d1ec.e3b1       Dynamic         20  FastEthernet0/12
    0000.d1ec.fde1       Dynamic         30  FastEthernet0/18
    0000.d1ec.fde2       Dynamic         10  FastEthernet0/2
    0000.d1ec.fde3       Dynamic         20  FastEthernet0/10
    0000.d1ec.fed5       Dynamic         30  FastEthernet0/17
    0000.d1ec.fed6       Dynamic         10  FastEthernet0/3
    0000.d1ec.fed7       Dynamic         20  FastEthernet0/9
    0000.d1ec.fef5       Dynamic         10  FastEthernet0/4
    0000.d1ed.aa16       Dynamic         10  FastEthernet0/1
    0000.d1ed.aa17       Dynamic         20  FastEthernet0/11
    0000.d1ed.aa18       Dynamic         30  FastEthernet0/19

    Static Address Table:
    Destination Address  VLAN  Input Port  Output Ports
    -------------------  ----  ----------  -----------------------
    0104.3238.0100         10  Fa0/1
                           10  Fa0/2
                           10  Fa0/3
                           10  Fa0/4       Fa0/1 Fa0/2 Fa0/3
    0110.0000.0100         20  Fa0/9
                           20  Fa0/10
                           20  Fa0/11
                           20  Fa0/12      Fa0/9 Fa0/10 Fa0/11
    0192.6801.0100         30  Fa0/17      Fa0/18 Fa0/19
                           30  Fa0/18      Fa0/17 Fa0/19
                           30  Fa0/19      Fa0/17 Fa0/18
    Switch#
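An added check, not part of the original lab material: it parses `show vlan` and the static section of `show mac-address-table` and reports any static multicast entry whose VLAN or ports disagree with VLAN membership. The function names and the condensed sample text are constructed for this example.

```python
import re

PORT = re.compile(r"Fa\d+/\d+")
MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
# Multicast MAC -> VLAN id, from the "Switch Configuration" slide.
EXPECTED = {"0104.3238.0100": 10, "0110.0000.0100": 20, "0192.6801.0100": 30}

def vlan_ports(show_vlan):
    """Map VLAN id -> member ports; a port list may wrap onto further lines."""
    members, vid = {}, None
    for line in show_vlan.splitlines():
        if m := re.match(r"\s*(\d+)\s+\S+\s+active\b", line):
            vid = int(m.group(1))
        if vid is not None:
            members.setdefault(vid, set()).update(PORT.findall(line))
    return members

def static_rows(table):
    """Yield (mac, vlan, ports); a row without a MAC continues the previous entry."""
    mac = None
    for line in table.splitlines():
        f = line.split()
        if f and MAC.match(f[0]):
            mac, f = f[0], f[1:]
        if mac and f and f[0].isdigit():
            yield mac, int(f[0]), set(PORT.findall(line))

def audit(show_vlan, table):
    """List static multicast entries that disagree with VLAN membership."""
    members, seen, findings = vlan_ports(show_vlan), set(), []
    for mac, vlan, ports in static_rows(table):
        seen.add(mac)
        if EXPECTED.get(mac) != vlan:
            findings.append(f"{mac}: unexpected binding to VLAN {vlan}")
        if stray := sorted(ports - members.get(vlan, set())):
            findings.append(f"{mac}: VLAN {vlan} entry uses non-member ports {stray}")
    return findings + [f"{m}: no static entry" for m in EXPECTED if m not in seen]

# Constructed samples, condensed from the slides' switch output.
SHOW_VLAN = """\
10 EXTERNAL active Fa0/1, Fa0/2,
                   Fa0/3, Fa0/4
20 INTERNAL active Fa0/9, Fa0/10, Fa0/11, Fa0/12
30 CONTROL  active Fa0/17, Fa0/18, Fa0/19"""
STATIC = """\
0104.3238.0100 10 Fa0/4  Fa0/1 Fa0/2 Fa0/3
0110.0000.0100 20 Fa0/12 Fa0/9 Fa0/10 Fa0/11
0192.6801.0100 30 Fa0/17 Fa0/18 Fa0/19
               30 Fa0/18 Fa0/17 Fa0/19"""
print(audit(SHOW_VLAN, STATIC) or "static entries agree with VLAN membership")
```

Feeding it output captured after a port has been moved to another VLAN, or after a static entry has been dropped, produces one finding per mismatch.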


StoneBeat™

FullCluster Lab

VPN Tunnel

(FireWall-1)

Note! A separate FireWall-1 management server is needed to load policy with Gateway Cluster Object!


VPN Tunnel between sites #1 and #2

See the StoneBeat FullCluster Manual Appendix B:

1. Define FireWall-1 and network objects:

   Local FireWall-1 Modules: sbfc101 and sbfc102
   Local FireWall-1 Management: sbfc105
   Local Network: site1-network
   Remote Gateway: site2-external (IPSec, Domain: site2-network)
   Remote Network: site2-network

2. Enable gateway clustering and define a gateway cluster object:

   Local FireWall-1 Gateway Cluster: site1-external (IPSec, Domain: site1-network)
   Cluster members: sbfc101 and sbfc102

3. Create SEP VPN-1 configuration on the management

   Manual IPSec
   SPI 0x1234: ESP encryption key 0x1234567890abcdef, no AH


4. Add encryption rules in the FireWall-1 security policies:

   Source                             Destination                        Service  Action   Track
   ---------------------------------  ---------------------------------  -------  -------  -----
   sbfc101, sbfc102, site2-external   site2-external, sbfc102, sbfc101   IPSEC    accept   long
   site1-network, site2-network       site2-network, site1-network       any      encrypt  long

5. Install the security policy

6. Delete the external routes via dedicated IP addresses and create a route via the cluster IP

7. Configure FullCluster load balancing filter (filter.conf):

   tunnel 204.32.38.1 204.32.38.2 10.0.2.0 netmask 255.255.255.0

8. Reconfigure and restart FullCluster using GUI

   sbfc reconfigure all
   sbfc restart all