ACE-Astaro Certified Engineer


  • 8/10/2019 ACE-Astaro Certified Engineer

    1/238

    Astaro Security Gateway V7

    Astaro Certified Engineer

    Astaro Security Gateway V7 - Astaro Certified Engineer Page 1 Astaro 2007 / ACE_V7.00-0.16

    Courseware Version EN-V7.00-0.16

DISCLAIMER

All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means, or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other purpose is in violation of copyright laws.

While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or omissions and makes no explicit or implied claims to the validity of this information. This document and features described herein are subject to change without notice.

This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability, loss or damage caused or alleged to have been caused directly or indirectly by this book.

Trademarks:

Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.

Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.

Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.

Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product manuals for complete trademark information.

Before we start over / Let's introduce each other!

Your Name, Company, Responsibility

Your Knowledge (Networking, Security, Linux, Astaro Security Gateway)

Your Expectations for the course

Agenda - ACE

DAY ONE

ASG Overview
  Available Products
  ASG System Architecture
  ASG Security Features

Introduction to ACC
  Purpose
  Feature Overview

Refresher ACA

Networking
  VLAN, Link Aggregation
  Bridging, Uplink Failover
  Policy Routing & OSPF

DAY TWO

User Authentication
  Users
  Groups
  Authentication

Web Security
  HTTP Profiles
  Proxy User Authentication Setup

E-mail Security
  SMTP Proxy

DAY THREE

Refresher SSL-VPN

IPSec VPN
  IPSec Policy Management
  RSA Site to Site VPN
  X.509 Site to Site VPN
  Certificate Management
  Remote Access with ASC

Network Security
  Server Load Balancing
  Quality of Service
  Generic-, Socks-, Ident Proxy

VoIP Security
  H.323
  SIP

Intrusion Protection
  Configuration
  Implementation Guideline

E-mail Encryption

High Availability
  Active/Passive HA
  Clustering

Before we start over / Course Layout

Hands-On Training Scheme: Introduction, Configuration, Summary, LAB, Review

Training Hours
  Day One: 10:00 a.m. to about 05:00 p.m.
  Day Two & Three: 09:00 a.m. to about 04:00 p.m.

Prerequisites

Training setup / LAB environment

Location Facilities
  Parking
  Restrooms
  Smoking
  Breaks, Lunch, Drinks
  Internet Access

Before we start over / ACE Exam / ACE Certificates & Exams

What is the designation of an Astaro Certified Engineer?

ACE certification signifies that an individual has:
  Achieved ACE certification
  Passed the ACE web-based exam
  Demonstrated knowledge required to implement and configure Astaro Security Gateway with extended features

How to become an Astaro Certified Engineer?
  By passing a web-based exam.
  45 randomly generated questions must be answered within 60 min
  Training participants have one free trial to pass the ACE Exam
  To log in you will receive a voucher via e-mail shortly after the training
  ACE Exam site is available at https://my.astaro.com/training/

How to prepare for the ACE exam?
  Actively participate in the training
  Study the ACE-Courseware
  Work through the Astaro Security Gateway Manual
  Configure and test the discussed scenarios in practice

ASG System Overview

Architecture

Open Source Components

Configuration Workflow

ASG System Overview/ Architecture

Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.

Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.

ASG System Overview/ Security Features

Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications.

E-mail Security
  Virus Protection for e-mail
  Anti-Spam/Phishing
  E-mail Encryption

Network Security
  Intrusion Protection
  SPI-Firewall and Proxies
  VPN-Gateway

Web Security
  Spyware Protection
  Virus Protection
  Content Filtering

ASG System Overview/ Available Appliances

Model                  | ASG 110/120                | ASG 220                      | ASG 320                                     | ASG 425                                          | ASG 525
Users                  | 10 / Unrestricted          | Unrestricted                 | Unrestricted                                | Unrestricted                                     | Unrestricted
Environments           | Home office, small office  | Small business, branch office | Medium business, enterprise division        | Large enterprise headquarters                    | Large enterprise core networks
System: Network ports  | 3 x 10/100 Mbps            | 8 x 10/100 Mbps              | 4 x 10/100 Mbps + 4 x 10/100/1000 Mbps      | 8 x 10/100/1000 Mbps, Security Co-Processor      | 10 x 10/100/1000 Mbps, Security Co-Processor

Performance

Throughput (Mbps)                  | ASG 110/120 | ASG 220 | ASG 320   | ASG 425   | ASG 525
  Firewall                         | 100         | 260     | 420       | 1200      | 3000
  VPN                              | 30          | 150     | 200       | 265       | 400
  IPS/IDS                          | 55          | 120     | 180       | 450       | 750
E-mails/day (without Mail-Security) | 350,000    | 500,000 | 1,000,000 | 1,500,000 | 2,200,000
Concurrent Connections             | 60,000      | 400,000 | 550,000   | 700,000   | >1,000,000

Introduction/ Astaro Configuration Manager

... is the Configuration Manager that provides a centralized visual command center where security policies for all Astaro firewall and VPN devices are graphically designed and their corresponding configurations automatically

End of Life: 30.06.2007

... combines the popular NP management tools from Solsoft with Astaro's comprehensive security offerings.

... resolves complex and costly network security problems by unifying, automating and simplifying the deployment of network security rules.

Introduction/ Astaro Report Manager

The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.

The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF. With advanced attack and event analysis, users can create rules-based alerts which can notify administrators when user defined thresholds have been passed.

Currently not supported by ASG V.7

Introduction/ Astaro Secure Client

Astaro Secure Client is an easy-to-use remote working software based on the latest VPN technology.

The software provides smooth integration with a remote network and may be used with any popular IPSec-compliant gateway.

The Astaro Secure Client software provides strong and transparent authentication and AES encryption to your network traffic.

ASG System Overview/ Architecture

ASG is based on Novell/SUSE Linux Enterprise 10

ASG comes with its own hardened and compiled 2.6x kernel

SLES10 RPMs are used but completely newly compiled

All major processes including the WebGUI run in chroot-environments.

ASG is built upon a number of Open Source Projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.

Architecture/ Open Source Module

Open source software is distributed with the source code freely available for alteration and customization

Collective work of many programmers

Resulting software can become more useful and free of holes and bugs

Astaro leverages the flexibility and innovation of Linux and Open Source

Configuration/ Administration Workflow

Every function can be configured and controlled via the Web-Admin interface.

There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.

Refresher ACA

This chapter provides a brief refresher for:

Interfaces

NAT

Packet Filtering

DNS

Refresher ACA/ Setting up Ethernet Interfaces

An Ethernet interface is a standard 10/100/1000 Mbit network card

Things to remember:

Set the correct IP address for each interface with the correct netmask

Only define one default gateway

Make sure that each interface has a unique address range in your environment

Refresher ACA/ Packetfiltering architecture

ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

[Diagram: netfilter packet flow through ASG. Incoming packets pass PREROUTING (conntrack, mangle, dnat) and Routing, then either FORWARD (mangle, filter, ips) and POSTROUTING (mangle, snat/masquerading, conntrack) towards outgoing packets, or INPUT (mangle, filter, ips) towards the Local Processes: Apache, EXIM, SSHD, SQUID, SOCKS, BIND, IPSEC, PPTP. Packets from local processes pass OUTPUT (conntrack, mangle, dnat, filter, ips), Routing and POSTROUTING. Tables: NAT, Filter.]

Refresher ACA/ Network Address Translation: Masquerading

Used if one (or multiple) internal networks should be hidden behind one official IP address.

Especially useful if private IP address ranges are used.

[Diagram: RFC 1918 IP -> Public IP]

Refresher ACA/ DNAT & SNAT

Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall

Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings

Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination

Refresher ACA/ Packet Filter - Configuration Principles (1)

You only need to maintain one table of filter rules.

ASG automatically creates correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.

The rules in the table are ordered. The first rule to match decides what is done with the packet.

Possible actions are:
  Allow
  Drop
  Reject

Any action allows optional Logging

If no filter rule matches - the packet is dropped and logged!

Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.

Refresher ACA/ Packet Filter - Configuration Principles (2)

Default View (columns of the rule table):
  Order
  Groupname
  Source
  Destination and Service
  Action
  Description (optional)
  Enable/Disable
  Edit or delete

Refresher ACA/ Packet Filter - Configuration Principles (3)

To create new or edit existing rules:

Name: Name for the rule

Move rule to a specific position

The sources: IP or Group

The service: TCP/UDP/IP

The destinations: IP or Group

What to do: Allow, Drop or Reject

When to do: The time

Log Packets: Yes or No

Comment: Whatever helps
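The following is an added example, not ASG code, that models the rule-table principles of the last three slides together with the DNAT note on the DNAT & SNAT slide: DNAT is applied before the filter sees the packet, rules are evaluated top to bottom, the first match wins, and a packet that matches no rule is dropped and logged. The addresses, rule names and the mail-server scenario are constructed for the example.

```python
"""Model of the ASG packet filter principles from the slides above:
DNAT before filtering, ordered first-match rules, default drop-and-log.
Constructed example, not ASG code; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class FilterRule:
    name: str
    source: str          # CIDR network or "any"
    destination: str     # CIDR network or "any"
    service: tuple       # (proto, dport); ("any", None) matches everything
    action: str          # "allow", "drop" or "reject"
    log: bool = False


@dataclass(frozen=True)
class DnatRule:
    name: str
    original: tuple      # (ip, proto, dport) as seen on the wire
    translated: tuple    # (ip, dport) the packet is rewritten to


def _net_match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _svc_match(service, pkt):
    proto, port = service
    return proto == "any" or (proto == pkt.proto and (port is None or port == pkt.dport))


def apply_dnat(pkt, dnat_rules):
    """PREROUTING: rewrite the destination before the filter sees the packet."""
    for rule in dnat_rules:
        if (pkt.dst, pkt.proto, pkt.dport) == rule.original:
            new_ip, new_port = rule.translated
            return Packet(pkt.src, new_ip, pkt.proto, new_port), rule.name
    return pkt, None


def filter_packet(pkt, rules, log):
    """Ordered rule table: the first match decides; no match -> drop and log."""
    for rule in rules:
        if (_net_match(rule.source, pkt.src) and _net_match(rule.destination, pkt.dst)
                and _svc_match(rule.service, pkt)):
            if rule.log:
                log.append(f"{rule.action.upper()} by '{rule.name}': {pkt}")
            return rule.action, rule.name
    log.append(f"DROP by default policy (no rule matched): {pkt}")
    return "drop", None


def process(pkt, dnat_rules, filter_rules):
    """Run a packet through DNAT and then the filter.
    Returns (action, matched filter rule, matched DNAT rule, log lines)."""
    log = []
    translated, dnat_name = apply_dnat(pkt, dnat_rules)
    action, rule_name = filter_packet(translated, filter_rules, log)
    return action, rule_name, dnat_name, log


# Constructed scenario: mail server 10.0.0.5 is published on the ASG's
# external address 203.0.113.10 (TEST-NET-3).
DNAT_RULES = [DnatRule("publish-smtp", ("203.0.113.10", "tcp", 25), ("10.0.0.5", 25))]
# Wrong: destination is the untranslated address, so the rule never matches.
RULES_PRE_NAT = [FilterRule("allow-smtp", "any", "203.0.113.10/32", ("tcp", 25), "allow")]
# Right: destination is the translated internal address, as the DNAT note requires.
RULES_POST_NAT = [FilterRule("allow-smtp", "any", "10.0.0.5/32", ("tcp", 25), "allow", log=True)]
# Order matters: the specific drop must come before the broad allow.
LAN_RULES = [
    FilterRule("block-telnet", "10.0.0.0/24", "any", ("tcp", 23), "drop", log=True),
    FilterRule("lan-to-internet", "10.0.0.0/24", "any", ("any", None), "allow"),
]

if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", "tcp", 25)
    for rules in (RULES_PRE_NAT, RULES_POST_NAT):
        print(process(inbound, DNAT_RULES, rules))
    telnet = Packet("10.0.0.9", "192.0.2.1", "tcp", 23)
    print(process(telnet, [], LAN_RULES))          # dropped by block-telnet
    print(process(telnet, [], LAN_RULES[::-1]))    # allowed: the broad rule shadows the drop
```

The first run shows the classic DNAT mistake: the filter only ever sees 10.0.0.5, so the rule written for 203.0.113.10 never matches and the default policy drops and logs the connection. The last two runs show why rule order is reviewed with the same care as rule content: swapping the two LAN rules silently re-enables telnet.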

Refresher ACA/ DNS - Configuration

Global:
  Accepts DNS Requests from allowed, internal networks (e.g. your AD-Servers, clients in smaller networks)

Forwarders:
  Forwards DNS requests of ASG to e.g. Provider DNS servers
  When ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server could be used as an alternate server to resolve DNS names which should not be resolved by DNS forwarders.

Static Entries:
  Handles static mappings of hostnames to IP addresses

Introduction to ACC

In this chapter you will see:

Astaro Command Center

Astaro Command Center/ Overview

Centralized and efficient management
  configuring applications
  monitoring actual device states
  updating of device software

Using state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript and XML)

Tracking of critical system parameters in real-time
  detected threats
  license status
  software updates
  resource usage

No license needed!! It's free!!!

Astaro Command Center/ Features

Inventory management provides comprehensive information about each device (CPU, hard disk, memory, network interfaces, software version and more)

All Astaro Security Gateway devices are automatically organized into device

Single-sign-on eases configuration management

Central update management enables the possibility of updating multiple devices through a single click

Role-based multi-administrative support

Astaro Command Center/ ASG Configuration (1)

Astaro Command Center allows to manage and monitor ASG devices.

This option allows to connect a specific device to a specific ACC for future usage.

The connection between ASG and ACC is SSL encrypted using port 4433

Packet filter rules to allow this communication are created automatically

Astaro Command Center/ ASG Configuration (2)

Up2Date packages can also be fetched from a cache that can be configured here

Specify a host serving as a cache

If the ASG is monitored by an ACC server, this ACC can act as an Up2Date cache

ACC stores Up2Date packages for the devices connected to it by default

Astaro Command Center/ Review Questions

1. Which technology is ACC built upon?

2. What features does ACC offer?

3. What port is used for communication between ACC and ASG?

4. Is the traffic encrypted?

5. Is it possible to cache the Up2Date packages for multiple ASGs?

Networking

In this chapter you will learn about:

VLAN

Link Aggregation

Bridging

Policy Routing

OSPF

Networking/ VLAN (1)

Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2).

A VLAN switch plus a VLAN capable network interface simulate a number of physical interfaces plus cabling.

Every segment is identified by a "tag" (an integer number). Adding a VLAN interface will create a virtual hardware device.

Example

PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10. PC3, PC5 and PC6 will be connected together on VLAN 20. Both VLANs can communicate through the ASG's rulebase.

Switch a:
  Port    | VLAN Tag | tagged/untagged
  1       | 10, 20   | T
  2 (PC1) | 10       | U
  3 (PC2) | 10       | U
  4 (PC3) | 20       | U
  5       | 10, 20   | T

Switch b:
  Port    | VLAN Tag | tagged/untagged
  1       | 10, 20   | T
  2 (PC4) | 10       | U
  3 (PC5) | 20       | U
  4 (PC6) | 20       | U

[Diagram: Firewall/Router connected to Switch a (ports a1 to a5) and Switch b (ports b1 to b4); Host1 to Host6 attached to the switch ports.]

Networking/ VLAN (2)

VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.

When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.

NOTES:

- It is essential to check the HCL to ensure VLAN capable NICs are supported.

- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.

- Make sure you have installed a VLAN-capable NIC or refer to the HCL.
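As an added example (not part of the courseware), the two switch port tables from the VLAN (1) slide can be turned into a small 802.1Q forwarding model to check which hosts share a layer-2 segment. The cabling is an assumption read from the slide's diagram: hosts on the untagged access ports, a5 to b1 as the inter-switch trunk, and a1 towards the ASG.

```python
"""Constructed model of the two-switch VLAN example on the slides above.
Not ASG code: it shows how tagged (trunk) and untagged (access) ports
keep VLAN 10 and VLAN 20 apart at layer 2."""
from collections import deque

# Port tables as on the slide: port -> (VLAN tags carried, tagged?).
# An untagged port carries exactly one VLAN, which is its PVID.
SWITCHES = {
    "a": {1: ({10, 20}, True), 2: ({10}, False), 3: ({10}, False),
          4: ({20}, False), 5: ({10, 20}, True)},
    "b": {1: ({10, 20}, True), 2: ({10}, False), 3: ({20}, False),
          4: ({20}, False)},
}
# Assumed cabling: hosts on access ports, a5 <-> b1 inter-switch trunk,
# a1 to the ASG (firewall/router).
HOST_PORT = {"PC1": ("a", 2), "PC2": ("a", 3), "PC3": ("a", 4),
             "PC4": ("b", 2), "PC5": ("b", 3), "PC6": ("b", 4)}
TRUNK_LINKS = {("a", 5): ("b", 1), ("b", 1): ("a", 5)}
ROUTER_PORT = ("a", 1)


def ingress_vlan(switch, port, tag):
    """Classify a frame arriving on (switch, port): its VLAN id, or None if dropped.
    tag is the 802.1Q VLAN id carried by the frame, None for an untagged frame."""
    vlans, tagged = SWITCHES[switch][port]
    if tagged:                    # trunk: the tag must be one of the allowed VLANs
        return tag if tag in vlans else None
    if tag is not None:           # access port: tagged frames are not accepted
        return None
    return next(iter(vlans))      # untagged frame gets the port's PVID


def broadcast_domain(src_host):
    """Flood a broadcast from src_host and return who receives it:
    host names, plus 'ASG(vlan N)' when it reaches the router trunk."""
    switch, port = HOST_PORT[src_host]
    queue = deque([(switch, port, ingress_vlan(switch, port, None))])
    seen, receivers = set(), set()
    while queue:
        switch, in_port, vlan = queue.popleft()
        if vlan is None or (switch, in_port, vlan) in seen:
            continue
        seen.add((switch, in_port, vlan))
        for out_port, (vlans, tagged) in SWITCHES[switch].items():
            if out_port == in_port or vlan not in vlans:
                continue                        # not back out the ingress port; VLAN pruning
            tag_out = vlan if tagged else None  # trunk keeps the tag, access port strips it
            if (switch, out_port) in TRUNK_LINKS:
                nsw, nport = TRUNK_LINKS[(switch, out_port)]
                queue.append((nsw, nport, ingress_vlan(nsw, nport, tag_out)))
            elif (switch, out_port) == ROUTER_PORT:
                receivers.add(f"ASG(vlan {tag_out})")
            else:
                receivers.update(h for h, loc in HOST_PORT.items() if loc == (switch, out_port))
    return receivers


def same_segment(host_a, host_b):
    """True if the two hosts share a layer-2 segment (traffic never crosses the ASG)."""
    return host_b in broadcast_domain(host_a)


if __name__ == "__main__":
    for host in HOST_PORT:
        print(host, "->", sorted(broadcast_domain(host)))
```

PC1 and PC4 end up in one broadcast domain although they sit on different switches, because the a5/b1 trunk carries the tag; PC1 and PC3 never see each other's frames, so any traffic between VLAN 10 and VLAN 20 has to go through the ASG and its rulebase. The model also drops a tagged frame arriving on an access port, which is the behaviour to expect when a host tries to inject its own tags.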

Networking/ Uplink Fail-Over

Usage:
  If a primary connection to the Internet goes down, a secondary connection will take over.

Requirements:
  Additional NIC in the firewall
  Additional connection to the Internet

Restrictions:
  Will only be allowed on interfaces where there is a default gateway.

[Diagram: LAN behind the ASG; MPLS Connection as Primary, DSL Connection as Backup.]

Networking/ Overview IEEE 802.3ad Link Aggregation

Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows to aggregate multiple Ethernet network ports into one virtual interface.

The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports, communicating via the Link Aggregation Control Protocol (LACP).

Link aggregation is useful
  to increase the link speed beyond the speed of any one single NIC
  to provide basic failover and fault tolerance by redundancy

All traffic routed over the failed port or switch is automatically re-routed to remaining ports or switches.

Failover is completely transparent to the system using the connection.

NOTES:

In a HA-Environment, Ethernet connections can even be on different HA units.

Link partners must support IEEE 802.3ad.

LA and Bridging cannot be combined. LA cannot work with DSL.

Networking/ Link Aggregation using ASG

Link aggregation allows to have:
  Trunking two links for speed and
  Two links in redundancy mode

Requirement: The link partner needs to support Link Aggregation

Networking/ Link Aggregation Configuration (1)

IEEE 802.3ad Link Aggregation
  Link Trunking (for speed)
  Link Redundancy (for high availability)
  Combination of both

To enable Link Aggregation: Add Links to the group

Astaro supports up to 4 Link Aggregation Groups

Networking/ Link Aggregation Configuration (2)

To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link aggregation group.
2. Select the check box for each unconfigured interface you want to add to the LAG.
3. Enable LAG

Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible.

On top of the bonding interface you can create one of the following:
  Ethernet Standard
  Cable Modem (DHCP)
  Ethernet VLAN
  Alias interfaces

To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.

The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.

The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG will be used for all other NICs within the LAG.

Networking/ Bridging Overview (1)

Bridging occurs at the link layer (OSI layer 2)

The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium

, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination

[Diagram: Keep Subnet vs. Split Subnet]

NOTE: Bridging does not require splitting a network in two subnets to integrate ASG into an existing network.

Networking/ Bridging Overview (2)

A bridge transparently relays traffic between multiple network interfaces.

Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.

How it works:

The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1

172.16.1.1 is the bridge interface br0 with ports eth1 and eth2

NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.

Networking/ Bridging Overview (3)

The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.

How it works:

When ethX interfaces are added to a bridge, they become a part of the br0 interface

The Linux 2.6 kernel has built-in

project. Ebtables has very basic IPv4 support

Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT

It forces bridged IP frames/packets to go through the iptables chains

Networking/ Bridging Configuration (1)

Configuration Example: [screenshot of the bridge configuration dialog]

Networking/ Bridging Configuration (2)

There are two advanced options available:
  Allow ARP Broadcasts
  Ageing timeout

By default, ARP broadcasts are not allowed to pass across the bridged interfaces. If needed, enable the Allow ARP Broadcasts option.

As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.

Networking/ Policy Based Routing (1)

Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.

It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.

Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.

Example:

[Diagram: ASG with DMZ 1, LAN 1 and LAN 2 (ERP) behind it and an SMTP server in the DMZ; two upstream routers lead to Prov. A (MPLS) and Prov. B (DSL).]

interface = any, service = SAP, source = Finance, target = Provider A
  Route ERP traffic from Finance to MPLS Provider

interface = 2, service = SMTP, source = DMZ1, target = Provider B
  Route SMTP traffic from DMZ to DSL Provider

Networking/ Policy Based Routing (2)

Policy based routing will route by selectors:
  Destination
  Source
  Service
  Source Interface

Policy based routing will route to targets:
  An interface
  A host / gateway

Limitations:
  Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
  Only user defined policy routes are possible
  Network groups in policy routes are not possible

The following benefits can be achieved by implementing policy-based routing in the networks:
  Load Sharing
  Cost Savings
  Source-Based Transit Provider Selection
  Quality of Service (QoS)
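The two policy routes from the example slide, evaluated the way the limitations above describe (ordered, top to bottom, first match wins, otherwise normal destination-based routing), as an added example that is not ASG code. Network ranges, interface names, the SAP port, and the gateways are assumptions made for the example.

```python
"""Constructed model of ASG policy routes as described on the slides above:
selectors (source interface, source, service, destination), an ordered list
evaluated top to bottom, and fall-through to destination-based routing.
Not ASG code; networks, ports and gateways are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on, e.g. "eth2"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    interface: str       # "any" or an interface name
    source: str          # CIDR or "any"
    service: tuple       # (proto, dport) or ("any", None)
    destination: str     # CIDR or "any"
    target: str          # gateway / provider the packet is sent to


def _in_net(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(route, pkt):
    proto, port = route.service
    return (route.interface in ("any", pkt.in_iface)
            and _in_net(route.source, pkt.src)
            and _in_net(route.destination, pkt.dst)
            and (proto == "any" or (proto == pkt.proto and port == pkt.dport)))


def select_route(pkt, policy_routes, routing_table):
    """First matching policy route wins; otherwise the routing table decides
    by longest prefix match, with "0.0.0.0/0" as the default route."""
    for route in policy_routes:
        if matches(route, pkt):
            return route.target, route.name
    best = max((net for net in routing_table if _in_net(net, pkt.dst)),
               key=lambda net: ipaddress.ip_network(net).prefixlen)
    return routing_table[best], "routing-table"


# Assumed addressing: Finance = 10.1.2.0/24 behind eth1, DMZ1 = 10.9.0.0/24
# behind eth2, SAP dispatcher on tcp/3200, SMTP on tcp/25, default route via
# Provider A (MPLS).
POLICY_ROUTES = [
    PolicyRoute("erp-to-mpls", "any", "10.1.2.0/24", ("tcp", 3200), "any", "Provider A (MPLS)"),
    PolicyRoute("smtp-to-dsl", "eth2", "10.9.0.0/24", ("tcp", 25), "any", "Provider B (DSL)"),
]
ROUTING_TABLE = {"0.0.0.0/0": "Provider A (MPLS)", "10.0.0.0/8": "internal"}

if __name__ == "__main__":
    for pkt in (Packet("eth1", "10.1.2.15", "192.0.2.40", "tcp", 3200),
                Packet("eth2", "10.9.0.25", "198.51.100.9", "tcp", 25),
                Packet("eth1", "10.9.0.25", "198.51.100.9", "tcp", 25),
                Packet("eth1", "10.1.2.15", "192.0.2.40", "tcp", 443)):
        print(pkt.in_iface, pkt.src, "->", select_route(pkt, POLICY_ROUTES, ROUTING_TABLE))
```

The third packet is the interesting one: it carries a DMZ source address but arrives on the LAN interface, so the source-interface selector of the SMTP route does not match and the packet falls through to the normal default route. Binding a policy route to the interface where the source network really lives is what keeps a spoofed source address from steering traffic onto a different uplink.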

OSPF/ Overview

OSPF = Open Shortest Path First

Link-state hierarchical routing protocol

Uses Dijkstra's SPF Algorithm to calculate the shortest path tree.

Open standard, developed by IETF

ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)

Interior Gateway Protocol (IGP) for routing within one Autonomous System (AS)

OSPF uses cost as its routing metric (e.g. by dividing 10^8 by the bandwidth of the interface in bits per second)

The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface.

The cost of an interface is inversely proportional to the bandwidth of that interface.

A link state database is constructed of the network topology which is identical on all routers in the area.

OSPF guarantees loop-free routing.

OSPF/ Features & Benefits

Area concepts for hierarchical topologies and reduction of CPU and memory consumption of routers

Independent from IP subnet classes

Arbitrary, dimensionless metric

Load Balancing for paths with equal costs

Special reserved multicast addresses reduce impact on non-OSPF devices

Authentication

External Route Tags

TOS-Routing possible

Fast database reconciliation after topology changes

Support for large networks

Low susceptibility to faulty routing information

  • 8/10/2019 ACE-Astaro Certified Engineer

    50/238

    OSPF/ Operating Mode

    Router identify their neighbors during integration into network

    Conciliation of Link State Database (LSDB) with neighbors by reliable

    floodingPeriodical keep-alives for maintaining of neighborhood

    Periodical Link State Updates for keeping LSDB consistent

    Flooding of LSAs when topology changes occur

    Astaro Security Gateway V7 - Astaro Certified Engineer Page 50 Astaro 2007 / ACE_V7.00-0.16

Example for a LSDB:

LS-Type      Link State ID   Adv. Router   Checksum   Seq. No.     Age
Router-LSA   10.11.12.1      10.1.1.1      0x9b47     0x80000006   0
Router-LSA   10.11.12.2      10.1.1.2      0x219e     0x80000007   1618
Router-LSA   10.11.12.3      10.1.1.3      0x6b53     0x80000003   1712
Router-LSA   10.11.12.4      10.1.1.4      0xe39a     0x8000003a   20
Router-LSA   10.11.12.5      10.1.1.5      0xd2a6     0x80000038   18
Router-LSA   10.11.12.6      10.1.1.6      0x05c3     0x80000005   1680

OSPF/ Example LSDB & Principles

[Figure: six routers 10.11.12.1 to 10.11.12.6 connected by point-to-point links; an X marks the link between 10.11.12.2 and 10.11.12.4 that is assumed to fail]

Point-to-point connections; cost for each connection := 1

Databases are synchronized

Each router knows the shortest path to each other router

10.11.12.1 has two equal routes with identical costs to 10.11.12.6

Assume the connection between 10.11.12.2 and 10.11.12.4 fails

LSAs will be flooded over the whole network

After LSDB synchronization only one shortest path will remain

OSPF/ Router Types & Principles (2)

Backbone Routers (BR)

are part of the OSPF backbone.

An area border router is always also a backbone router, but a backbone router is not necessarily an area border router.

Designated router (DR)

is the router elected among all routers on a particular multi-access network segment.

is elected based on the following default criteria:

Sending the Hello packets with the highest priority.

If two or more routers tie with the highest priority setting, the router sending the Hello with the highest RID (Router ID) wins.

Usually the router with the second highest priority number becomes the BDR.

The range of priority values is 1 to 255, with a higher value increasing the chances of becoming DR or BDR.

If the priority setting on an OSPF router is set to 0, that means it can NEVER become a DR or BDR (Backup Designated Router).

When a DR fails and the BDR takes over

Backup designated router

A backup designated router (BDR) is a router that becomes the designated router if the current designated router fails. The BDR is the OSPF router with the second highest priority at the time of the last election.
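The election criteria listed above, as an added example (not Astaro's or Quagga's code): routers are modelled as (Router ID, priority) pairs taken from the Hello packets seen on one segment, and the function applies exactly the slide's rules: priority 0 is never eligible, highest priority wins, a tie goes to the highest Router ID, and the runner-up becomes BDR. One caveat the slide does not mention: RFC 2328 does not preempt an already established DR when a better router appears later, so this models only the initial election.

```python
"""DR/BDR election with the default criteria from the slide.

Added example, not Astaro's or Quagga's implementation. Input is the
(Router ID, priority) pair each router advertises in its Hello packets.
"""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Router = Tuple[str, int]   # (Router ID in dotted-decimal form, OSPF priority 0..255)


def _rank(router: Router) -> Tuple[int, int]:
    """Sort key: highest priority first, highest Router ID breaks a tie."""
    rid, prio = router
    return (prio, int(IPv4Address(rid)))


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) Router IDs; None where no eligible router exists.

    Routers with priority 0 can never become DR or BDR. Not modelled: the
    RFC 2328 rule that an existing DR is kept when a better router appears.
    """
    for rid, prio in routers:
        if not 0 <= prio <= 255:
            raise ValueError(f"priority {prio} of {rid} is outside 0..255")
    eligible = sorted((r for r in routers if r[1] > 0), key=_rank, reverse=True)
    dr = eligible[0][0] if len(eligible) > 0 else None
    bdr = eligible[1][0] if len(eligible) > 1 else None
    return dr, bdr
```

With the same default priority of 1 on every router the Router ID decides, which is why a deliberately chosen Router ID (or an explicit priority on the router meant to be DR) is the usual way to keep elections predictable.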

OSPF/ OSPF Packets

[Figure: IP Header (Protocol #89) | OSPF Packet = OSPF Packet Header + OSPF Packet Data]

Hello

Database Description

Link State Request

Link State Update

Link State Acknowledgement

Transmission via IP, Protocol #89

Transfer directly to the neighbor or using multicast addresses

OSPF packets are only exchanged between neighbors within the network and are never routed outside of the network they originate from (TTL=1)

OSPF/ Header Format

Each row is 32 bits wide; field widths in bits are given in parentheses:

| Version (8)  | Type (8)     | Length (16)                 |
| Router ID (32)                                            |
| Area ID (32)                                              |
| Checksum (16)               | AuType (16)                 |
| Authentication (64) *)                                    |
| Packet Data                                               |

*) if AuType = 2, the Authentication field carries:

| 0x0000 (16)                 | Key ID (8)   | Auth. Length (8) |
| Cryptogr. Sequence Number (32)                            |
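A parser for the header layout above, added here as an example (not Astaro's or Quagga's code): it decodes the 24-byte OSPFv2 header, unpacks the AuType = 2 sub-fields of the Authentication field, and verifies the standard checksum for AuType 0 and 1 (the checksum covers the whole packet except the 64-bit Authentication field; for cryptographic authentication RFC 2328 sets it to zero and relies on the message digest instead). The Hello packet used as input is constructed for the demonstration; the MD5 digest that follows a cryptographically authenticated packet is not modelled.

```python
"""Parser for the OSPFv2 packet header (RFC 2328, Appendix A.3.1).

Added example, not Astaro's code. A constructed Hello packet serves as input.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

OSPF_PROTOCOL = 89
HEADER_FMT = "!BBHIIHH8s"          # version, type, length, router id, area id, checksum, autype, auth
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgement"}


@dataclass
class OspfHeader:
    version: int
    ptype: str
    length: int
    router_id: str
    area_id: str
    checksum: int
    autype: int
    auth: bytes
    key_id: Optional[int] = None          # AuType = 2 only
    auth_data_len: Optional[int] = None   # AuType = 2 only
    crypto_seq: Optional[int] = None      # AuType = 2 only
    checksum_ok: Optional[bool] = None    # None for AuType = 2 (checksum not used)


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(packet: bytes) -> int:
    """Checksum over the packet with the Checksum field zeroed and the Authentication field skipped."""
    covered = packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:]
    return inet_checksum(covered)


def parse_ospf_header(packet: bytes) -> OspfHeader:
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the OSPF header")
    ver, ptype, length, rid, aid, csum, autype, auth = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ver != 2:
        raise ValueError(f"unsupported OSPF version {ver}")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the packet")
    hdr = OspfHeader(ver, PACKET_TYPES.get(ptype, f"unknown({ptype})"), length,
                     str(IPv4Address(rid)), str(IPv4Address(aid)), csum, autype, auth)
    if autype == 2:
        zero, hdr.key_id, hdr.auth_data_len, hdr.crypto_seq = struct.unpack("!HBBI", auth)
        if zero != 0:
            raise ValueError("reserved field of the cryptographic auth block must be 0x0000")
    else:
        hdr.checksum_ok = ospf_checksum(packet[:length]) == csum
    return hdr


def build_packet(ptype: int, router_id: str, area_id: str, data: bytes,
                 autype: int = 0, auth: bytes = b"\x00" * 8) -> bytes:
    """Constructed packet builder, used only to produce demonstration input."""
    length = HEADER_LEN + len(data)
    head = struct.pack(HEADER_FMT, 2, ptype, length, int(IPv4Address(router_id)),
                       int(IPv4Address(area_id)), 0, autype, auth)
    pkt = head + data
    if autype != 2:
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


# Constructed Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
HELLO_BODY = struct.pack("!IHBBIII", int(IPv4Address("255.255.255.0")), 10, 0x02, 1, 40, 0, 0)
```

A monitoring tool that decodes OSPF from a capture would apply exactly this check; a packet whose checksum fails or whose reserved field is non-zero is malformed and worth logging rather than silently skipping.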

OSPF/ Area Types

AS External LSAs are flooded over area borders

Additionally ASBR Summary LSAs are distributed within their areas by ABRs

Different area types are used to minimize LSDB size

Stub Areas

Area which does not receive external routes.

AS External LSAs are not transferred to stub areas

no ASBRs & no virtual links

NSSAs (Not-So-Stubby Areas)

Type of stub area that can import autonomous system (AS) external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas.

Extension to Stub Areas

small number of external routes allowed

will be translated at the NSSA border into AS External LSAs

The NSSA border is a one-way road for external routing information

OSPF/ ASG Configuration OSPF-ID

The OSPF-ID is a unique ID of the router device.

This can be the official address.

It is denoted in x.x.x.x format.

OSPF/ ASG Configuration OSPF Area

Before you can enable the OSPF function, you must have at least one OSPF area configured.

Areas are identified by a 32-bit ID in dot-decimal notation, similar to the notation of IP addresses.

OSPF/ ASG Configuration OSPF Interfaces (1)

The Interfaces tab defines interfaces that can be used to announce OSPF networks.

OSPF/ ASG Configuration OSPF Interfaces (2)

The OSPF interface must be added to the area that will be announced.

OSPF/ ASG Configuration OSPF Interfaces (3)

The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces etc. in pop-up windows.

Networking/ Review Questions

1. How can VLAN segments be distinguished? How many virtual LANs can be distinguished by ASG?

2. How are ARP broadcasts handled in terms of bridged interfaces?

3. What are the two major benefits of link aggregation at ASG?

4. On which OSI layer does bridging occur?

6. What are the route selectors in Policy Routing?

7. Name 5 benefits of OSPF.

8. Which transmission protocol is used for OSPF?

9. What router and area types do you know and how do they interact with each other?

10. What must be configured before you can enable the OSPF function on ASG?

Network Security

In this chapter you will learn about:

Server Load Balancing

Quality of Service

Generic Proxy

Socks Proxy

Ident Proxy

Network Security/ Server Load Balancing (1)

Used if the traffic going to one IP address should be split or "balanced" between multiple servers

Network Security/ Server Load Balancing (2)

Configuration for Server Load Balancing contains three options:

Service to Balance

The Pre-Balance Target

A Group of Target Hosts

These parameters describe exactly the situation from the last slide: which traffic on which port (the Balancing Service) on which IP address (the Pre-Balance target host) will be distributed to which servers (the Post-Balance target hosts).

Quality of Service/ Working Principle

Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network.

Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).

[Figure: ASG left (Headquarter) and ASG right (Branch Office), shown once without traffic shaping and once with traffic shaping]

Quality of Service/ Features and Benefits

QoS allows to

Limit available bandwidth and

Guarantee minimum bandwidth

Define traffic directions carefully:

Works per Interface

Works per Subnet/Host

Works per Service

[Figure: Ext. NIC and Int. NIC of the ASG; HTTP & FTP download from ANY => outbound from the ext. NIC's view; upstream / shape / downstream]

Quality of Service/ Configuration

Status: The Status tab describes the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.

Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.

Bandwidth Pools (Internal & External): bandwidths are shared by multiple resources. Bandwidth Pools can also specify upper bandwidth limits.

Quality of Service/ Configuration: Status Overview

Display all available interfaces

Define the available, physical bandwidth.

Define the guaranteed uplink and downlink bandwidth for any interface, e.g. the DSL line.

By default, QoS is disabled for each interface

Quality of Service/ Configuration: Traffic Selectors

Traffic Selectors describe what traffic needs to be accounted.

The description contains details about the source of the traffic, its destination and its service. TOS/DSCP allows to pay respect to Type of Service and DiffServ flags in the traffic.

It is possible to build groups of Traffic Selectors.

Quality of Service/ Configuration: Bandwidth Pools

Bandwidth Pools

They describe the available and guaranteed bandwidth for the available interfaces
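How a guaranteed bandwidth and an optional upper limit per pool play together on one interface, as an added example (not Astaro's QoS engine, which is built on Linux traffic control): every pool first receives what it demands up to its guarantee; the capacity that is left is then shared among the pools that still want more, capped by each pool's upper limit. The pool names, link capacity and demands are constructed values in kbit/s.

```python
"""Sharing an interface's physical bandwidth between bandwidth pools.

Added example, not Astaro's implementation. Each pool has a guaranteed rate
and an optional upper limit, mirroring the two values the slides describe.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pool:
    name: str
    guaranteed: int              # kbit/s this pool always gets when it has demand
    limit: Optional[int] = None  # kbit/s ceiling; None means "up to the link capacity"


def validate(link_kbps: int, pools: List[Pool]) -> None:
    """Guarantees that exceed the physical bandwidth cannot be honoured."""
    if sum(p.guaranteed for p in pools) > link_kbps:
        raise ValueError("sum of guarantees exceeds the physical bandwidth")
    for p in pools:
        if p.limit is not None and p.limit < p.guaranteed:
            raise ValueError(f"pool {p.name}: upper limit below its guarantee")


def _ceiling(pool: Pool, link_kbps: int, demand: Dict[str, int]) -> int:
    """The most a pool may receive: its demand, capped by its limit or the link."""
    cap = pool.limit if pool.limit is not None else link_kbps
    return min(demand.get(pool.name, 0), cap)


def allocate(link_kbps: int, pools: List[Pool], demand: Dict[str, int]) -> Dict[str, int]:
    """Return kbit/s per pool: guarantees first, then work-conserving sharing of the rest."""
    validate(link_kbps, pools)
    alloc = {p.name: min(_ceiling(p, link_kbps, demand), p.guaranteed) for p in pools}
    spare = link_kbps - sum(alloc.values())
    while spare > 0:
        hungry = [p for p in pools if alloc[p.name] < _ceiling(p, link_kbps, demand)]
        if not hungry:
            break
        share = max(1, spare // len(hungry))
        for p in hungry:
            extra = min(share, _ceiling(p, link_kbps, demand) - alloc[p.name], spare)
            alloc[p.name] += extra
            spare -= extra
    return alloc


# Constructed configuration: a 2000 kbit/s uplink with three pools.
POOLS = [Pool("voip", guaranteed=500, limit=500),
         Pool("http", guaranteed=200),
         Pool("bulk", guaranteed=100, limit=800)]
```

With demands of 300, 1500 and 1000 kbit/s the result is 300, 900 and 800: VoIP takes only what it uses, bulk is stopped at its limit, and HTTP absorbs the remainder. When only HTTP is active it receives the whole link, which is the work-conserving behaviour that a limit-only configuration would not give.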

Network Security/ Advanced

The Generic Proxy is another option when private networks are being used.

SOCKS is an internet protocol to allow clients to use the services of a firewall transparently and is short for SOCKetS.

The Ident Protocol is specified in RFC 1413 and helps identifying users of a particular TCP connection.

Network Security/ Generic Proxy

Works as a port forwarder

Combines features of DNAT and Masquerading

Forwarding all incoming traffic for a specific service to an arbitrary server.

In contrast to DNAT, the source IP address is replaced with the IP of the interface of the ASG for outgoing connections.

It is possible to change the target port number also.

Network Security/ SOCKS

What is it used for?

Can build TCP and UDP connections for client applications

Can provide incoming ports to listen on

Used with systems that incorporate NAT

Where is it used?

Socks clients such as ..., FTP, RealAudio

Astaro Security Gateway supports SOCKSv5

User authentication can be used

Network Security/ IDENT Relay

IDENT is an older protocol

Allows external users to associate a username with a TCP connection

Not very secure because the connection isn't encrypted

Necessary for some services like IRC and some mail servers

Hence the configuration is rather simple, it offers:

Configuration of the string to answer with (default response)

Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)

Network Security/ Review Questions

    1. What does Server Load Balancing do?

    2. With which technology is it realized?

    3. For which kinds of traffic is Quality of Service suitable?

    4. What is the Generic Proxy used for?

    5. What does the Socks Proxy do?

VoIP Security

In this chapter you will learn how SIP and H.323 security work

VoIP Security/ SIP/H.323 Security

SIP and H.323 are so called signaling protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like INVITE, RINGING or HANGUP. The actual voice connection takes place on a dynamic port.

[Figure: SIP exchange between Rick (IP-A) and Cory (IP-B) over time. Rick sends "INVITE Cory@IP-B" to IP-B, PORT-S with the SDP lines "C = IN IP4 IP-A" and "M = audio 2000 RTP/AVP 0"; Cory answers "200 OK" with "C = IN IP4 IP-B" and "M = audio 4000 RTP/AVP 3". Afterwards the audio stream to IP-A uses port 2000 and the audio stream to IP-B uses port 4000.]

Astaro's VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy.

To configure VoIP Security, client and server network definitions need to be made.
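What the connection tracking helper described above has to extract from the control channel, as an added example (not Astaro's helper module): it reads the c= and m= lines of the SDP carried in the INVITE and in the 200 OK, and yields the (address, port) pairs for which RTP may be allowed, only once both sides have agreed and only until the dialog ends with BYE. The messages are constructed to mirror the slide's exchange, with IP-A and IP-B replaced by the documentation addresses 192.0.2.1 and 192.0.2.2 and written in real SDP syntax (no spaces around "=").

```python
"""Deriving RTP pinholes from the SIP/SDP control channel.

Added example, not Astaro's connection tracking helper. It tracks one SIP
dialog and opens the dynamic media ports only while the dialog is active.
"""
import re
from typing import List, Optional, Tuple

Pinhole = Tuple[str, int]   # (IP address, UDP port) that RTP may be sent to


def sdp_body(message: str) -> str:
    """A SIP message carries its SDP body after the first empty line."""
    _head, sep, body = message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def sdp_media_endpoints(sdp: str) -> List[Pinhole]:
    """Return (connection address, media port) for every audio m= line."""
    conn: Optional[str] = None
    endpoints: List[Pinhole] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            m = re.fullmatch(r"c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})", line)
            if m is None:
                raise ValueError(f"unsupported connection line: {line}")
            conn = m.group(1)
        elif line.startswith("m=audio "):
            m = re.fullmatch(r"m=audio (\d+) RTP/AVP(?: \d+)+", line)
            if m is None:
                raise ValueError(f"unsupported media line: {line}")
            port = int(m.group(1))
            if conn is None or not 1 <= port <= 65535:
                raise ValueError("media line without usable connection address or port")
            endpoints.append((conn, port))
    return endpoints


class SipPinholeTracker:
    """Minimal model of a helper: pinholes exist only while the dialog is active."""

    def __init__(self) -> None:
        self.offer: List[Pinhole] = []
        self.answer: List[Pinhole] = []
        self.active = False

    def observe(self, message: str) -> None:
        message = message.replace("\r\n", "\n")
        start_line = message.split("\n", 1)[0]
        if start_line.startswith("INVITE "):
            self.offer = sdp_media_endpoints(sdp_body(message))
            self.active = False               # nothing is open until the answer arrives
        elif start_line.startswith("SIP/2.0 200 "):
            self.answer = sdp_media_endpoints(sdp_body(message))
            self.active = bool(self.offer and self.answer)
        elif start_line.startswith("BYE "):
            self.offer, self.answer, self.active = [], [], False   # close the pinholes

    def allowed_destinations(self) -> List[Pinhole]:
        """Endpoints RTP may currently be forwarded to (empty when no call is up)."""
        if not self.active:
            return []
        return sorted(set(self.offer + self.answer))


# Constructed messages mirroring the slide (IP-A = 192.0.2.1, IP-B = 192.0.2.2).
INVITE = ("INVITE sip:cory@192.0.2.2 SIP/2.0\n"
          "Content-Type: application/sdp\n\n"
          "v=0\nc=IN IP4 192.0.2.1\nm=audio 2000 RTP/AVP 0\n")
OK_200 = ("SIP/2.0 200 OK\n"
          "Content-Type: application/sdp\n\n"
          "v=0\nc=IN IP4 192.0.2.2\nm=audio 4000 RTP/AVP 3\n")
BYE = "BYE sip:cory@192.0.2.2 SIP/2.0\n\n"
```

The point for a firewall is the lifetime: the helper never opens a static UDP range, it opens the two negotiated endpoints after the 200 OK and removes them on BYE, which is what "only allowing these ports to pass traffic when the control channel is busy" means in practice.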

VoIP Security/ SIP Session Initiation Protocol

"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)

A good starting point for reading about SIP is at http://en.wikipedia.org/wiki/Session_Initiation_Protocol

[Figure: Rick sends an INVITE for Cory via the SIP Registrar]

VoIP Security/ H.323

H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T), that defines the protocols to provide audio-visual communication sessions on any packet network.

H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs but it has rapidly evolved to address the growing needs of VoIP networks.

Currently real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.

A good link to get started with readings about H.323 is at http://en.wikipedia.org/wiki/H323

VoIP Security/ SIP/H.323 Security

To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can be activated individually.

Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers.

VoIP Security/ Review Questions

    1. What does SIP stand for?

    2. Which parts do you need to configure for SIP/H323 security?

    3. Explain how SIP works.

    4. What are the ports SIP is normally making use of?

Intrusion Protection

In this chapter you will learn about:

Statefulness

Configuration

Ruleset

Advanced

Intrusion Protection/ Working Principle

Astaro Security Gateway's IPS operates in inline mode

It is placed logically between external, internal and DMZ networks, located on one single machine.

Astaro uses Inline Snort (http://snort-inline.sourceforge.net) as IPS, which is a modified version of SNORT (open source module).

and prevention at the same time.

Another benefit of inline mode is that all packets must pass the Astaro Security Gateway and no packets can be missed, e.g. due to high network load.

Intrusion Protection/ Fundamentals

[Figure: Sensor Placement Options: 1 In front of the Firewall, 2 Between Firewall and LAN-Switch, 3 Within the DMZ, 4 Within the LAN; Inline]

Intrusion Protection/ Working Principle

[Figure: netfilter packet flow for incoming and outgoing packets through the chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING, with the hooks conntrack, spoofdrop, mangle, dnat, snat/masquerading, filter and ips, and the local processes Apache, EXIM, SSHD, SQUID, SOCKS, BIND, IPSEC, PPTP. Tables: NAT, Filter, mangle, ips.]

Each packet runs through the IPS only ONCE:

1. Packet from Network to the local machine

2. Packet from Network to Network

3. Packet from local machine to Network (e.g. when using the proxies, and also in case of an exploit of a Linux module on Astaro Security Gateway itself)

New netfilter module ips (kernel module iptable_ips.o)

Table has lowest priority in the netfilter hierarchy.

Intrusion Protection/ Limitations of Firewalls and Virus-Scanners (1)

A robust firewall policy can minimize the exposure of many networks.

Depending on the security level to be achieved, such countermeasures alone might not be enough.

Packet Filter Firewalls inspect on a per packet basis.

Even invalid packets may pass through

No detection of application-layer attacks (..., MMS, ...)

Proxies (Application Level Gateways) have application layer awareness

Can filter unwanted header types or malformed ones

Would be able to detect protocol anomalies

Will not be able to detect higher level attacks (e.g. CGI script attacks)

Therefore IDS are necessary to fulfill higher security requirements

Additionally, hacker tools make attacks easier and are available for everybody

The level of sophistication of attacks is growing

Intrusion Protection/ Limitations of Firewalls and Virus-Scanners (2)

Firewalls inspect for viruses and worms in:

E-mails & Attachments

SMTP, POP3 and HTTP-Streams

Virus Scanners are unable to monitor data by analyzing the traffic within a network.

Worms like SQL-Slammer or MS.Blaster spread independently

Only detectable after infection

Example: SQL-Slammer

Buffer Overflow in Microsoft SQL-Server

UDP-Packet to Port 1434, Size: 376 Byte (!)

In RAM only

Spreads to random IP-Addresses

Very fast infection rates - high-speed worm

Intrusion Detection/ Configuration

Global: Settings for Intrusion Protection

Attack Patterns: disable the categories of attacks that can be recognized

Anti-DoS / Flooding: Denial of Service and Flood Protection here.

Anti-Portscan: detection configuration is in here

Exceptions: configuration can be limited to certain hosts and networks

Advanced: Rules and IP address information about dedicated servers is here.

Intrusion Detection/ Configuration: Global

The global settings contain a list of networks that are protected by intrusion prevention

If attacks from the local networks should be detected, it is important NOT to add them to this list!

Depending on the traffic between the LAN segments a major impact on the performance of the ASG is possible

The global configuration also contains ... default to Drop or Reset packets.

Of course, IDS/IPS also offers a live log, which can be viewed with the Live Log button.

[Figure: LAN1, LAN2, LAN3]

Intrusion Protection System/ Configuration: Attack Patterns

Astaro supports roughly 7000 different rules.

Those are made up in 40 different groups, which are again separated.

Per Group settings:

Action: What to do with packets matching this group, if detected

Add extra warning: Activate extra rules that are for information only

Notify: Send an e-mail to the admin address if packets are detected matching rules of this group.

Intrusion Protection/ Refresher: How SYN Floods work

SYN Attack: Sends a stream of SYN packets whose source IP address is spoofed by the attacking host (to be that of a currently unreachable host).

[Figure: the attacking host sends SYNs to the server with the IPs of Unreachable Host #1, #2 and #3 as source addresses; the server's SYN/ACKs go to the unreachable hosts]

Intrusion Protection System/ Anti-DoS / Flooding

Anti Flooding allows to limit the number of packets per time.

This works for senders and recipients in the protocols TCP, UDP and ICMP.

In the case of TCP flood protection, only SYN packets are taken into account.
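The flood protection semantics just described, as an added example (not Astaro's implementation): a sliding-window packet-rate limit per protocol, keyed either by sender or by recipient, where for TCP only packets that open a connection (SYN without ACK) are counted, so that the SYN/ACK and ACK traffic of legitimate connections never trips the limit. The packet records, thresholds and addresses are constructed for the demonstration.

```python
"""Per-sender / per-recipient flood detection for TCP (SYN only), UDP and ICMP.

Added example, not Astaro's Anti-DoS/Flooding code. Thresholds and the
sample traffic below are constructed values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    tcp_flags: str = ""  # e.g. "S", "SA", "A"; only meaningful for tcp


class FloodDetector:
    def __init__(self, limits: Dict[str, Tuple[int, float]], key: str = "src") -> None:
        """limits: proto -> (max packets, window in seconds); key: 'src' (sender) or 'dst' (recipient)."""
        if key not in ("src", "dst"):
            raise ValueError("key must be 'src' or 'dst'")
        self.limits = limits
        self.key = key
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def counts(self, pkt: Packet) -> bool:
        """Does this packet count against a limit at all?"""
        if pkt.proto not in self.limits:
            return False
        if pkt.proto == "tcp":
            # TCP flood protection looks at connection attempts only: SYN set, ACK clear.
            return "S" in pkt.tcp_flags and "A" not in pkt.tcp_flags
        return True

    def observe(self, pkt: Packet) -> bool:
        """Return True when the packet exceeds its limit and should be dropped."""
        if not self.counts(pkt):
            return False
        limit, window = self.limits[pkt.proto]
        q = self.windows[(pkt.proto, getattr(pkt, self.key))]
        while q and pkt.ts - q[0] >= window:   # slide the window forward
            q.popleft()
        q.append(pkt.ts)
        return len(q) > limit


def run(detector: FloodDetector, packets: List[Packet]) -> List[Packet]:
    """Feed packets in capture order and return those the detector would drop."""
    return [p for p in packets if detector.observe(p)]


# Constructed sample traffic: 12 SYNs in 0.11 s from one host, 20 ACKs from the
# same host, and 5 SYNs from a second host that stays well below the limit.
SAMPLE_PACKETS: List[Packet] = (
    [Packet(0.01 * i, "198.51.100.7", "192.0.2.10", "tcp", "S") for i in range(12)]
    + [Packet(0.5 + 0.01 * i, "198.51.100.7", "192.0.2.10", "tcp", "A") for i in range(20)]
    + [Packet(0.02 * i, "203.0.113.5", "192.0.2.10", "tcp", "S") for i in range(5)]
)
```

With a limit of 10 SYNs per second the detector drops the 11th and 12th SYN of the first host and nothing else; the same class keyed by `dst` limits what a single recipient receives, which is the per-recipient mode the slide mentions.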

Intrusion Protection System/ Anti-Portscan / Exceptions / Advanced

Anti Portscan:

Detects Portscans

Can have exceptions

Exceptions:

Skip these checks:

Intrusion Protection

Anti-Portscan

Anti-DoS/Flooding TCP

Anti-DoS/Flooding UDP

Anti-DoS/Flooding ICMP

Performance Tuning

for source and destination networks

Advanced:

Modified Rules

Performance Tuning

Intrusion Protection/ Review Questions

1. How does Intrusion Protection work?

    2. What is the improvement over Firewalls or Anti-Virus Products?

    3. Where is Astaro Intrusion Detection placed?

    4. How does it integrate with the Packetfilter framework?

    5. Which detection methods are applied to traffic?

User Authentication

In this chapter you will learn about:

Users

Groups

Authentication

User Authentication/ Purpose

Authentication (Greek: authentikos = real or genuine, from 'authentes' = author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.

Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity.

In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in.

The sender being authenticated may be a person using a computer, a computer itself or a computer program.

Local Authentication

User Authentication/ User Management

User management is necessary to allow or forbid services to certain users or user groups.

To manage local and remote authentication services, the web interface offers the Users menu.

Users - local or remote

Groups - local or remote

Remote Authentication Methods

User Authentication/ Local User Management

The User Management in Astaro allows to administer local users and user groups.

Here you can create user profiles local to the firewall.

No external authentication service is queried to authenticate these users.

To create a locally authenticated user, select Authentication: Local

NOTE: The additional e-mail addresses influence the behavior of the Anti Spam Reports. See there.

Remote Authentication

Remote Authentication/ Available Methods

Astaro has many options for remote user authentication:

eDirectory - Novell, partly LDAP based

Active Directory - Microsoft, partly LDAP based

RADIUS - Remote Access Dial-In User Service; Livingston Enterprises, later RFC

TACACS+ - Terminal Access Controller Access-Control System Plus; Cisco, now RFC

LDAP - Lightweight Directory Access Protocol; OSI, X.500, now RFC

Remote Authentication/ Novell eDirectory

With ASG V7 eDirectory SSO, Novell users will only need to authenticate once at initial client login to gain web access to the Internet.

Based on the ASG V7 SSO authenticated user, user-, group- and/or container-based access control and content inspection profiles are assigned.

Once authenticated, Web security capabilities of ASG are applied to traffic flows based on the user, including prevention of phishing, virus and spam attacks, without the need for further authentication at the browser level.

Remote Authentication/ Novell eDirectory

When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser

It allows you to select user groups directly in the WebAdmin Interface

NOTE:

SSO in eDir does not work on machines where more than one user is logged in.

Currently ASG V7 does not support containers and multiple root nodes in eDir.

    Remote Authentication/ Active Directory (1)

    Can be used to implement single sign on with Astaro Security Gateway when using the HTTP Proxy

    NTLM uses a challenge-response authentication scheme

    Have all users centrally managed in groups of users.

    NOTE: Ensure that the Netbios name is a unique name on the network! The Netbios name is derived from the Hostname in the Basic System Settings! (see there)

    Remote Authentication/ Active Directory (2)

    Using Surf-Protection with Active Directory Authentication requires a running Windows Server and AD services.

    Active Directory Service manages the users of a Windows Domain.

    LDAP uses the Distinguished Name (DN) of a user for identification. The name has to be unique within the directory.

    Steps to perform:

    1. Create an AD user with read privileges (used by ASG to query the AD service).

    2. Add the AD Users and Computers Snap-In in the MS Management Console to define it.

    3. To add the user, right click on your Domain Controller to define a new user.

    4. Grant full read privileges to your defined user. (Right click CN: properties)

    5. Create as many users as you need in your Active Directory. All of these users are able to authenticate.

    Remote Authentication/ RADIUS

    Remote Access Dial-In User Service (RADIUS)

    Uses UDP port 1813 or 1645 to send queries for authentication

    Uses external directory for large installations, often used by Internet Service Providers for the purpose of network, router and internet access

    Only the password is encrypted

    NOTE: Since the passwords are transferred over the network using a weak encryption, you should place the server in a trusted network which cannot be sniffed.

    Remote Authentication/ TACACS+

    Terminal Access Controller Access-Control System Plus (TACACS+)

    Uses TCP port 49 to send queries for authentication and is therefore more reliable than RADIUS

    Also uses external directory for large installations, often used by Internet Service Providers

    TACACS+ separates, unlike RADIUS, authentication and authorization.

    Whole datagram is encrypted

    Despite the name, TACACS+ does not have too much in common with TACACS (without the +)
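    The two slides above contrast "only the password is encrypted" (RADIUS) with "whole datagram is encrypted" (TACACS+). The following added example, which is not code from the courseware or from Astaro, implements both mechanisms as the RFCs specify them (RFC 2865 section 5.2 for the RADIUS User-Password attribute, RFC 8907 section 4.5 for the TACACS+ body) and then shows what a passive observer on the path can still read in each case. The shared secret, the Request Authenticator, the session id and the credentials are constructed sample values; the TACACS+ body is a simplified stand-in for a real authentication START packet. The reason for the "trusted network" note becomes visible: the RADIUS hiding depends only on the shared secret and a 16-octet authenticator that is sent in clear, so the strength of the secret is all that protects the password.

```python
import hashlib
import struct

# Constructed sample values for this demonstration (not from the courseware).
RADIUS_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client sends 16 random octets, in clear
TACACS_KEY = b"example-tacacs-key"


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: the User-Password attribute is XORed with an MD5 stream
    derived from the shared secret and the Request Authenticator. Everything else in
    the packet (User-Name, NAS-IP-Address, ...) travels unprotected."""
    # Pad with NUL octets to a multiple of 16 (at least one block)
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def radius_unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return clear.rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_radius_attributes(data: bytes) -> dict:
    """Decode the attribute list of an Access-Request into {type: value}, rejecting bad lengths."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request_attributes(username: bytes, password: bytes) -> bytes:
    """Attributes of a minimal Access-Request: 1 = User-Name (clear), 2 = User-Password (hidden)."""
    hidden = radius_hide_password(RADIUS_SECRET, REQUEST_AUTHENTICATOR, password)
    return radius_attribute(1, username) + radius_attribute(2, hidden)


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """TACACS+ body obfuscation (RFC 8907 section 4.5): an MD5 pseudo-pad built from the
    session id, shared key, version and sequence number is XORed over the whole body,
    so no field of the body is readable. Applying the function twice restores the body."""
    sid = struct.pack("!I", session_id)
    ver_seq = struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + ver_seq + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def what_a_sniffer_sees(username: bytes, password: bytes) -> dict:
    """Send the same credentials through both encodings and report what stays readable."""
    radius = parse_radius_attributes(build_access_request_attributes(username, password))
    # Simplified, constructed authentication START body: 4 header-like octets, then user and password
    tacacs_body = b"\x01\x00\x01\x01" + username + password
    tacacs = tacacs_obfuscate(TACACS_KEY, 0x12345678, 0xC0, 1, tacacs_body)
    return {
        "radius_username_in_clear": radius[1] == username,
        "radius_password_in_clear": radius[2] == password,
        "tacacs_username_in_clear": username in tacacs,
    }
```

    The RADIUS stream is fully determined by the secret and the authenticator that is visible on the wire; a guessable shared secret therefore exposes every password sent with it, which is why the slide asks for a network segment that cannot be sniffed. TACACS+ keeps the user name and every other body field out of view as well, but it too relies entirely on the shared key, so the same placement advice applies.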

    Remote Authentication/ LDAP

    LDAP (Lightweight Directory Access Protocol) is an information model and a protocol for querying and manipulating tree-like directories.

    LDAP's overall data and namespace model is essentially that of X.500.

    The authentication by querying an LDAP Server requires an active DNS Proxy with valid entries.

    Astaro Security Gateway can connect to LDAP-based directories such as:

    Sun Identity Server

    Open LDAP

    But also these are based on LDAP:

    Active Directory

    Novell eDirectory

    Control of Proxy-usage on a per-user basis!

    Bind-DN and password are used for login to an LDAP server. Base-DN specifies the location of the user database in the LDAP tree.
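    To make the Bind-DN / Base-DN roles concrete, here is an added example (not code from the courseware or from Astaro) of the lookup a gateway performs for a login name: bind with the read-only Bind-DN, search the subtree under the Base-DN for the user, and check that the DN the directory returns really lies under that base before re-binding with it and the user's password. All DNs, the attribute name `uid` and the login names are constructed sample values. The filter escaping follows RFC 4515, which is what keeps a login name such as `*` or `x)(uid=admin` from changing the meaning of the filter.

```python
# Constructed sample values for this example (not from the courseware).
BIND_DN = "cn=asg-reader,ou=service,dc=example,dc=com"   # read-only account used as Bind-DN (assumed)
BASE_DN = "ou=people,dc=example,dc=com"                  # Base-DN: subtree holding the user objects (assumed)
LOGIN_ATTRIBUTE = "uid"                                  # assumed; Active Directory typically uses sAMAccountName

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before embedding it in a search filter, so that the
    directory matches it literally instead of interpreting wildcards or parentheses."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_name: str) -> str:
    """Filter that selects exactly one person object by login name."""
    return f"(&(objectClass=person)({LOGIN_ATTRIBUTE}={escape_filter_value(login_name)}))"


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip blanks around the RDN separators. Enough for this demo;
    a full RFC 4514 normalisation would also handle escaped commas and attribute aliases."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True if the DN returned by the directory lies inside the configured Base-DN.
    A DN from elsewhere in the tree must not be accepted for the password bind."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


def build_user_lookup(login_name: str) -> dict:
    """Parameters of the search issued after binding as BIND_DN. The gateway then re-binds
    with the DN found and the user's own password to verify the credentials."""
    if not login_name or len(login_name) > 255:
        raise ValueError("login name missing or too long")
    return {
        "bind_dn": BIND_DN,
        "base": BASE_DN,
        "scope": "subtree",
        "filter": user_search_filter(login_name),
        "attributes": ["1.1"],   # RFC 4511: request no attributes, only the matching DN
    }
```

    Two checks worth keeping in any such integration: the search must return exactly one entry (zero or several means "authentication failed", not "pick the first"), and the returned DN must pass `dn_under_base` before it is used for the bind.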

    Remote Authentication/ Advanced

    Advanced Configuration

    Backend query order

    Defines in which order all the configured backends for authentication are queried. This is important if the same user exists in different directories.
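    Why the query order matters when the same login exists in several directories is easiest to see in code. This added example (not code from the courseware or from Astaro) models the order as "the first backend that knows the login decides"; that semantics is an assumption of the example, as is the sample data in which "alice" exists in a local directory and in Active Directory with different passwords. The audit helper lists such shadowed logins, which is the check to run whenever a second backend is added.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Backend:
    """One authentication backend (local users, Active Directory, LDAP, ...)."""
    name: str
    users: dict = field(default_factory=dict)   # login -> password; clear text only for this demo

    def authenticate(self, login: str, password: str):
        """True/False if this backend knows the login, None if it does not know it."""
        stored = self.users.get(login)
        if stored is None:
            return None
        return hmac.compare_digest(stored.encode(), password.encode())


def authenticate_in_order(backends, login: str, password: str):
    """Assumed semantics of the backend query order: the first backend in the list that
    knows the login answers; later backends are not consulted for that login."""
    for backend in backends:
        verdict = backend.authenticate(login, password)
        if verdict is not None:
            return backend.name, verdict
    return None, False


def shadowed_logins(backends) -> dict:
    """Audit helper: logins present in more than one backend. Only the first backend in
    the order ever decides for them, so a password change or account lock in a later
    directory has no effect while an older copy survives in an earlier one."""
    seen = {}
    for backend in backends:
        for login in backend.users:
            seen.setdefault(login, []).append(backend.name)
    return {login: names for login, names in seen.items() if len(names) > 1}


# Constructed sample data: "alice" exists in both directories with different passwords
LOCAL = Backend("local", {"alice": "old-local-pw"})
AD = Backend("ad", {"alice": "current-ad-pw", "bob": "bob-pw"})
```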

    Password complexity

    When users change their password in the Astaro End-User Portal, you can force them to use complex passwords with these settings.
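    The courseware does not list the individual complexity settings, so the following added example (not code from the courseware or from Astaro) uses an assumed set of knobs (minimum length and required character classes) to show how such a policy is enforced when a user submits a new password. The check that the login name must not appear inside the password is an addition of this example, not one of the slide's settings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy settings; the courseware does not enumerate the gateway's own."""
    min_length: int = 8
    require_lowercase: bool = True
    require_uppercase: bool = True
    require_digit: bool = True
    require_special: bool = True


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.
    Reporting every violation at once lets the portal show the user all the rules missed."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lowercase and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy.require_uppercase and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Extra check beyond the slide's settings (assumption of this example)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


DEFAULT_POLICY = PasswordPolicy()
```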

    User Authentication Configuration Example

    Authentication/ Local Users (1)

    To add yourself to the local user directory, first go to the Users/Users Menu.

    This menu lets you view existing users or add a new user:

    When adding a new user, you will need to fill out the following form, which contains:

    a username

    the real name

    e-mail address

    additional e-mail addresses (optional)

    authentication is local

    Authentication/ Local Users (2)

    When you have finished and saved the entry, you should find the following user in the list:

    Every entry has two buttons which allow you to

    Edit the entry and bring you back to the user-add dialog

    or Delete the entry

    The rest of the line contains information about the user, his e-mail address, the authentication source and a comment

    Authentication/ Remote User-Authentication: NTLM (1)

    Before NTLM/SSO becomes available, you need to set up the Active Directory configuration.

    Active Directory takes only few parameters:

    the server itself: use an existing or newly created definition here

    the port to connect to: predefined to 389 (the default)

    SSL: encrypt or not

    The authentication information:

    the Bind User Distinguished Name: the user that connects to the directory (read-only)

    the authentication password: a (valid) password for this user.

    Authentication/ Remote User-Authentication: NTLM (2)

    Once the Active Directory Configuration is set up, NTLM/SSO becomes available and can be configured. To do so, you need to join your ASG into your Windows Domain.

    This works exactly as it would with a Windows PC: you need an administrative account to approve the join.

    Simply enter the Domain Name and the credentials and hit apply.

    NOTE: Ensure that the Netbios name is a unique name on the network! The Netbios name is derived from the Hostname in the Basic System Settings! (see there)

    Authentication/ Remote User Groups

    Finally, to use whole groups on the remote Active Directory, you may want to create an assignment of remote user groups to local user groups:

    To do so, go to the Users/groups menu and create a new user group.

    The group should be of group-type Backend Membership with the backend Active Directory. This example limits the membership to the local group Active Directory to members of the remote AD group http_users (which exists in the Active Directory).

    User Authentication Review Questions

    User Authentication/ Review Questions

    1. How are Users and Groups structured?

    2. Which Authentication Methods are supported by Astaro?

    3. What's the benefit of using NTLM Authentication?

    4. How is SSO activated when using Active Directory?

    Web Security

    In this chapter you will learn about:

    HTTP Profiles

    HTTP Authentication

    Web Security/ HTTP Proxy Overview (1)

    The HTTP Proxy allows you to do:

    User Authentication

    Content Filtering

    HTTP Protocol Enforcement

    The content filter works with:

    SurfControl

    Astaro AV

    Clam AV

    Web Security/ HTTP Proxy Overview (2)

    The HTTP Proxy relays HTTP, HTTPS, FTP and WebDAV queries

    HTTP and FTP queries are cached in disk and memory

    (Diagram: FTP, HTTPS and HTTP traffic passing through the FTP/HTTP Proxy & Cache)

    Web Security/ HTTP Proxy - Workflow

    Flexible configuration is possible through so called Proxy Profiles and Filters.

    Each Profile holds a combination of options and settings.

    Web Security/ Content Classification

    Text Classification

    Text is categorized using Bayes' statistic methodology and vector machine algorithms.

    Optical Character Recognition (OCR)

    OCR recognizes text in graphics and images, and can even analyze colored type or transparent text on any background. This module supports a wide range of type fonts, colors, sizes and rotations.

    Logo and Object Recognition

    This module searches for logos, symbols and other graphical elements in photos.

    Face Recognition

    This module recognizes faces, including color, hue and texture. With high-quality images, it is even possible to search for individual persons.

    Pornography and Recognition of Nudity

    This module identifies nudity by analyzing the qualities of human skin and individual skin tones.

    Digital Fingerprint

    This module characterizes and labels images and data for later identification on the Internet, intranets or in e-mail messages.

    HTTP Proxy Configuration Overview

    Web Security/ HTTP Proxy (1)

    HTTP Proxy Global Configuration

    Web Security/ HTTP Proxy (2)

    Operational Modes

    Standard

    Proxy listens on port 8080

    Allows any network listed in Allowed Networks to connect

    Client browser must be configured

    HTTP proxy service requires a valid Domain Name Server (DNS)

    Transparent

    Proxy handles all traffic on port 80

    Client doesn't need to touch browser configuration

    Proxy cannot handle FTP and HTTPS

    Packetfilter must allow port 21 and 443

    No HTTP on other than port 80

    Clients must be able to resolve hostnames

    Web Security/ HTTP Proxy (3)

    Enabling User Authentication will bring up a User/Group selection dialog

    Operational Modes with User Authentication:

    Basic

    Active Directory

    Novell eDirectory

    Web Security/ HTTP Proxy (4)

    Configuring User Authentication for HTTP:

    When you have selected one of the user-authentication operation modes, a User/Groups selection box pops up.

    Drag and Drop the allowed Users and Groups to this box.

    Web Security/ Anti Virus

    HTTP Anti Virus

    Enable/Disable Virus scanning

    Use one or both Virus scanners and, if available, the Hardware Scanning Engine

    Disallow Downloads by file-extension

    Virus-Scan files up to this size.

    Web Security/ Content Filter (1)

    HTTP Content Filter: Default profile

    Operation mode: Black or Whitelist

    Categories to block or allow

    Black-/White-list these URLs

    Activate Spyware Protection

    Control Active Content removal

    Web Security/ Content Filter (2)

    HTTP Content Filter: Category assignment

    The Number of Categories is fixed

    Names and Contents can be edited.

    Assigned Subcategories

    Modify Name and Assignment

    Web Security/ Content Filter (3)

    HTTP Content Filter: Exceptions

    Content Filter Exceptions, e.g. windowsupdate.com

    Skip individual checks, like:

    Authentication

    Anti Virus

    Content Filter

    for selected Hosts

    Web Security/ Content Filter Profiles (1)

    HTTP Content Filter Profiles

    Content Filter Profiles allow you to treat different user(-groups) and network-areas differently.

    The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.

    Web Security/ Content Filter Profiles (2)

    HTTP Content Filter Profiles

    A Proxy Profile combines Filter Assignments and Authentication Methods.

    They are processed in order.

    Web Security/ Content Filter Profiles (3)

    HTTP Content Filter Profiles

    A Filter Assignment combines Users and Usergroups, Access times and Filter Actions.

    Web Security/ HTTP Content Filter Working Principle

    (Diagram: Networks and Authentication Methods lead to a Proxy Profile; the Filter Assignment maps Users, Groups and Time to an Action; the Filter Actions cover Categories, Anti-Virus and Content Removal.)
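    The working principle on the slides above (Proxy Profile selected by network, then Filter Assignments by user or group and access time, both processed in order, each assignment leading to a Filter Action) is modelled in the following added example, which is not code from the courseware or from Astaro. The profile, groups, time windows, categories and the client addresses are constructed sample data; authentication methods and the anti-virus and content-removal parts of a Filter Action are left out to keep the evaluation order visible. The courseware does not state what the proxy does when no profile or no assignment matches (the situation behind review question 3 in this chapter), so the model returns None in that case rather than assuming an answer.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class FilterAction:
    name: str
    blocked_categories: frozenset = frozenset()   # URL categories this action blocks


@dataclass(frozen=True)
class FilterAssignment:
    principals: frozenset    # users and/or groups the assignment applies to
    start: time              # access time window: start inclusive ...
    end: time                # ... end exclusive
    action: FilterAction


@dataclass(frozen=True)
class ProxyProfile:
    name: str
    networks: tuple          # ipaddress networks whose clients use this profile
    assignments: tuple       # Filter Assignments, evaluated in order


def match_profile(profiles, client_ip: str):
    """First profile (in order) whose networks contain the client address."""
    ip = ipaddress.ip_address(client_ip)
    for profile in profiles:
        if any(ip in net for net in profile.networks):
            return profile
    return None


def match_assignment(profile, user: str, groups, now: datetime):
    """First assignment (in order) that names the user or one of the groups and whose
    access-time window contains the current time."""
    who = {user, *groups}
    t = now.time()
    for assignment in profile.assignments:
        if who & assignment.principals and assignment.start <= t < assignment.end:
            return assignment
    return None


def evaluate(profiles, client_ip, user, groups, now, categories):
    """Returns (profile name, action name, allowed). A None entry means no profile or no
    assignment matched; the page does not say what happens then, so the caller decides."""
    profile = match_profile(profiles, client_ip)
    if profile is None:
        return None, None, None
    assignment = match_assignment(profile, user, groups, now)
    if assignment is None:
        return profile.name, None, None
    allowed = not (set(categories) & assignment.action.blocked_categories)
    return profile.name, assignment.action.name, allowed


# Constructed sample configuration: office LAN, sales group restricted during working hours
WORKHOURS = FilterAction("workhours", frozenset({"Entertainment", "Trading", "Gambling"}))
AFTERHOURS = FilterAction("afterhours")
LAN = ProxyProfile(
    "LAN",
    (ipaddress.ip_network("10.1.0.0/24"),),
    (
        FilterAssignment(frozenset({"sales"}), time(8, 0), time(18, 0), WORKHOURS),
        FilterAssignment(frozenset({"sales"}), time(18, 0), time.max, AFTERHOURS),
    ),
)
PROFILES = (LAN,)
MORNING = datetime(2007, 6, 4, 10, 0)   # constructed timestamps for the checks
EVENING = datetime(2007, 6, 4, 19, 0)
```

    Because assignments are taken in order, the first one that matches wins; placing a permissive assignment with a wide time window ahead of a restrictive one silently disables the restriction, which is the thing to look for when a profile does not behave as intended.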

    Web Security/ HTTP Proxy Advanced Options

    Skip Hosts and Networks for Transparent Proxying

    The port to listen for client requests

    Care for those services outside.

    If integrated in a proxy hierarchy, use this parent.

    The parent proxy takes username and password as configuration if authentication is necessary.

    Web Security Review Questions

    Web Security/ Review Questions

    1. What do you need to consider when using NTLM Authentication if your PC is not assigned to the domain ASLLAB?

    2. Is it possible to limit access to Entertainment, Trading and Gambling during working hours but allowing it after 6 p.m.?

    3. What happens if you have time-based profiles for groups during the working hours created but nothing defined for after hours?

    .

    5. What might be reasons if NTLM is not working correctly?

    6. What is the purpose of different profiles?

    7. What happened when downloading eicar.com from the Internet?

    8. What would you recommend if servers will download larger patches automatically over the http proxy and Virus-scanning is enabled?

    Refresher: SMTP Proxy

    Upon completion of this chapter you will be able to perform the following:

    Explain the SMTP proxy architecture

    SMTP Proxy/ Overview

    Simple Mail Transfer Protocol

    SMTP relay shields your internal mail server from malformed, malicious, and unwanted messages

    Can relay incoming and outgoing mails

    Scans mails for viruses and other malicious data

    Deals with SPAM

    NOTES:

    The SMTP proxy also supports subdomains

    To use the SMTP proxy correctly, a valid name server (DNS) must be configured

    SMTP Proxy/ Relaying Incoming / Outgoing e-mail

    Define the domains the security system should be responsible for

    You should have a DNS MX record for every domain pointing to the security system

    Specify the internal server to which e-mails should be forwarded

    Define which networks and hosts are allowed to send outgoing e-mail using the security system (never use ANY)

    Optionally you can switch on authenticated relaying for single users

    Define a smarthost if outgoing e-mail is not delivered to the recipient directly

    SMTP Proxy/ Anti-Virus

    Anti-Virus scanning checks every message for viruses, worms and other malware

    Astaro Security Gateway features several anti-virus engines for best security

    Single Scan provides maximum performance

    Dual Scan uses two different scan engines for an extra level of security

    Optionally activate the Hardware accelerated scanner (only supported with hardware appliances ASG425/ASG525)

    Messages containing malicious content will be blocked and stored in the e-mail quarantine or instantly removed

    Unwanted file attachments can be blocked by file extensions

    End users can review and release their quarantined messages either through the Astaro End User Portal or the daily End User Spam Report

    Using the Pattern Up2Date, you will always be protected against the latest threats

    SMTP Proxy/ Anti-Spam: Overview

    Provides many "arrows for the quiver" in fighting unwanted e-mails from entering the network

    Users can consult with real-time blackhole lists and allow certain senders or networks to be exempt from many of the checks

    Expression (keyword) filtering can take action on messages that contain certain patterns in the subject line or message body

    Astaro Security Gateway features several techniques to reduce Spam:

    Realtime Blackhole Lists

    Advanced heuristic analysis

    Greylisting

    SPF record checks

    BATV reverse path signing
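    Of the techniques listed above, BATV reverse path signing is the least self-explanatory, so here is an added example (not code from the courseware or from Astaro) of the mechanism: the envelope sender of outgoing mail is rewritten to a `prvs=` tagged address carrying a key version, an expiry day and a short signature, and an incoming bounce is only accepted if its recipient carries a valid, unexpired tag. The address format follows the BATV draft's prvs scheme; the signature construction (HMAC-SHA256 over key version, day and the original address, cut to 6 hex digits), the 7-day validity window, the key and the addresses are assumptions of this example. A forged bounce to the bare address, a bounce with a tampered local part and a stale tag are all rejected.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed values for this example; a real gateway keeps its BATV key private.
BATV_KEY = b"example-batv-key"
KEY_VERSION = 0          # single digit, allows the key to be rotated later
VALIDITY_DAYS = 7        # assumed validity window of a signed address
SAMPLE_DAY = date(2007, 6, 4)   # constructed "today" for the checks


def _day_number(d: date) -> int:
    """Three-digit day counter carried in the tag (ordinal day modulo 1000)."""
    return d.toordinal() % 1000


def _signature(key_version: int, day: int, local: str, domain: str) -> str:
    """6 hex digits of an HMAC over key version, expiry day and the original address
    (assumed construction; the draft's exact hash input is not on the page)."""
    msg = f"{key_version}{day:03d}{local}@{domain}".encode()
    return hmac.new(BATV_KEY, msg, hashlib.sha256).hexdigest()[:6].upper()


def sign_return_path(address: str, today: date) -> str:
    """Rewrite the envelope sender of outgoing mail to prvs=KDDDSSSSSS=local@domain."""
    local, domain = address.rsplit("@", 1)
    expiry = _day_number(today + timedelta(days=VALIDITY_DAYS))
    tag = f"{KEY_VERSION}{expiry:03d}{_signature(KEY_VERSION, expiry, local, domain)}"
    return f"prvs={tag}={local}@{domain}"


def check_bounce_recipient(address: str, today: date):
    """Validate the recipient of an incoming bounce (a message with MAIL FROM:<>).
    Returns (accept, reason, original address)."""
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return False, "unsigned reverse path", address
    tag, sep, orig_local = local[5:].partition("=")
    if not sep or len(tag) != 10 or not tag[:4].isdigit():
        return False, "malformed tag", address
    key_version, day, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    if key_version != KEY_VERSION:
        return False, "unknown key version", address
    if not hmac.compare_digest(sig, _signature(key_version, day, orig_local, domain)):
        return False, "bad signature", address
    # The tag's expiry day must lie between today and today + VALIDITY_DAYS (mod 1000)
    if (day - _day_number(today)) % 1000 > VALIDITY_DAYS:
        return False, "expired or not yet valid", address
    return True, "ok", f"{orig_local}@{domain}"
```

    The practical consequence of enabling BATV on a gateway is that every outgoing envelope sender is rewritten, so any recipient system or mailing list that expects the plain address (or applies its own sender checks) must be able to cope with the tagged form.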

    SMTP Proxy Refresher Review Questions

    SMTP Proxy/ Review Questions

    1. What is the fundamental precondition that the SMTP proxy will handle incoming e-mails?

    2. Is it possible to configure more than one SMTP route?

    3. What are possible configuration options to avoid SPAM?

    4. What is User spam releasing?

    . in Allowed Networks?

    6. Does VirusProtection also check outgoing e-mails?

    7. What are the options to handle unwanted e-mails?

    8. What happens if BATV is turned on?