ace-astaro certified engineer
TRANSCRIPT
8/10/2019 ACE-Astaro Certified Engineer
1/238
Astaro Security Gateway V7
Astaro Certified Engineer
Astaro Security Gateway V7 - Astaro Certified Engineer Page 1 Astaro 2007 / ACE_V7.00-0.16
Courseware Version EN-V7.00-0.16
DISCLAIMER
All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means, or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other purpose is in violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or omissions and makes no explicit or implied claims to the validity of this information. This document and features described herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability, loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product manuals for complete trademark information.
Before we start over / Let's introduce each other!
Your Name, Company, Responsibility
Your Knowledge (Networking, Security, Linux, Astaro Security Gateway)
Your Expectations for the course
Agenda - ACE
DAY ONE
ASG Overview
Available Products
ASG System Architecture
ASG Security Features
Introduction to ACC
Purpose
Feature Overview
Refresher ACA
Networking
VLAN, Link Aggregation
Bridging, Uplink Fail-Over
Policy Routing & OSPF
DAY TWO
User Authentication
Users
Groups
Authentication
Web Security
HTTP Profiles
Proxy User Authentication Setup
E-mail Security
SMTP Proxy
DAY THREE
Refresher SSL-VPN
IPSec VPN
IPSec Policy Management
RSA Site to Site VPN
X.509 Site to Site VPN
Certificate Management
Remote Access with ASC
Network Security
Server Load Balancing
Quality of Service
Generic-, Socks-, Ident Proxy
VoIP Security
H.323
SIP
Intrusion Protection
Configuration
Implementation Guideline
E-mail Encryption
High Availability
Active/Passive HA
Clustering
Before we start over / Course Layout
Hands-On-Training-Scheme: Introduction, Configuration, Summary, LAB, Review
Training Hours
Day One: 10:00 a.m. to about 05:00 p.m.
Day Two & Three: 09:00 a.m. to about 04:00 p.m.
Prerequisites
Training setup / LAB environment
Location Facilities
Parking
Restrooms
Smoking
Breaks, Lunch, Drinks
Internet Access
Before we start over / ACE Exam
ACE Certificates & Exams
What is the designation of an Astaro Certified Engineer?
ACE certification signifies that an individual has:
Achieved ACE certification
Passed the ACE web-based exam
Demonstrated knowledge required to implement and configure Astaro Security Gateway with extended features
How to become an Astaro Certified Engineer?
By passing a web-based exam.
45 randomly generated questions must be answered within 60 min
Training participants have one free trial to pass the ACE Exam
To log in you will receive a voucher via e-mail shortly after the training
The ACE Exam site is available at https://my.astaro.com/training/
How to prepare for the ACE exam?
Actively participate in the training
Study the ACE-Courseware
Work through the Astaro Security Gateway Manual
Configure and test the discussed scenarios in practice
ASG System Overview
Architecture
Open Source Components
Configuration Workflow
ASG System Overview/ Architecture
Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.
Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.
ASG System Overview/ Security Features
Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications:
E-mail Security: Virus Protection for e-mail, Anti-Spam/Phishing, E-mail Encryption
Network Security: Intrusion Protection, SPI-Firewall and Proxies, VPN-Gateway
Web Security: Spyware Protection, Virus Protection, Content Filtering
ASG System Overview/ Available Appliances

                         ASG 110/120       ASG 220            ASG 320                 ASG 425                 ASG 525
Users                    10/Unrestricted   Unrestricted       Unrestricted            Unrestricted            Unrestricted
Environments             Home office,      Small business,    Medium business,        Large enterprise        Large enterprise
                         small office      branch office      enterprise division     headquarters            core networks
System
  Network ports          3 x 10/100 Mbps   8 x 10/100 Mbps    4 x 10/100 Mbps +       8 x 10/100/1000 Mbps    10 x 10/100/1000 Mbps
                                                              4 x 10/100/1000 Mbps    Security Co-Processor   Security Co-Processor
Performance
  Throughput (Mbps)
    Firewall             100               260                420                     1200                    3000
    VPN                  30                150                200                     265                     400
    IPS/IDS              55                120                180                     450                     750
  E-mails/day            350,000           500,000            1,000,000               1,500,000               2,200,000
  (without Mail-Security)
  Concurrent Connections 60,000            400,000            550,000                 700,000                 >1,000,000
Introduction/ Astaro Configuration Manager
... is the Configuration Manager that provides a centralized visual command center where security policies for all Astaro firewall and VPN devices are graphically designed and their corresponding configurations automatically.
... combines the popular NP management tools from Solsoft with Astaro's comprehensive security offerings.
... resolves complex and costly network security problems by unifying, automating and simplifying the deployment of network security rules.
End of Life: 30.06.2007
Introduction/ Astaro Report Manager
The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.
The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF.
With advanced attack and event analysis, users can create rules-based alerts which can notify administrators when user-defined thresholds have been passed.
Currently not supported by ASG V.7
Introduction/ Astaro Secure Client
Astaro Secure Client is an easy-to-use remote working software based on the latest VPN technology.
The software provides smooth integration with a remote network and may be used with any popular IPSec-compliant gateway.
The Astaro Secure Client software provides strong and transparent authentication and AES encryption to your network traffic.
ASG System Overview/ Architecture
ASG is based on Novell/SUSE Linux Enterprise 10.
ASG comes with its own hardened and compiled 2.6.x kernel.
SLES10 RPMs are used but completely recompiled.
All major processes including the WebGUI run in chroot environments.
ASG is built upon a number of Open Source Projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.
Architecture/ Open Source Module
Open source software is distributed with the source code freely available for alteration and customization.
Collective work of many programmers.
Resulting software can become more useful and free of holes and bugs.
Astaro leverages the flexibility and innovation of Linux and Open Source.
Configuration/ Administration Workflow
Every function can be configured and controlled via the WebAdmin interface.
There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.
Refresher ACA
This chapter provides a brief refresher for:
Interfaces
NAT
Packet Filtering
DNS
Refresher ACA/ Setting up Ethernet Interfaces
An Ethernet interface is a standard 10/100/1000 Mbit network card.
Things to remember:
Set the correct IP address for each interface with the correct netmask
Only define one default gateway
Make sure that each interface has a unique address range in your environment
Refresher ACA/ Packetfiltering architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
Figure: packet flow through the netfilter chains PREROUTING (conntrack, mangle, dnat), Routing, FORWARD (mangle, filter, ips), POSTROUTING (mangle, snat, masquerading) and OUTPUT (conntrack, mangle, dnat, filter, ips), between incoming packets, outgoing packets and local processes (Apache, EXIM, SSHD, SQUID, SOCKS, BIND, IPSEC, PPTP).
Tables: NAT, Filter
Refresher ACA/ Network Address Translation: Masquerading
Used if one (or multiple) internal networks should be hidden behind one official IP address.
Especially useful if private IP address ranges are used.
Figure: RFC 1918 IP (internal) translated to the Public IP.
Refresher ACA/ DNAT & SNAT
Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall.
Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings.
Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination.
Refresher ACA/ Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.
ASG automatically creates correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.
The rules in the table are ordered. The first rule to match decides what is done with the packet.
Possible actions are:
Allow
Drop
Reject
Any action allows optional Logging.
If no filter rule matches, the packet is dropped and logged!
Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
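The DNAT-before-filter note and the ordered, first-match filter table described above, as an added Python model (not Astaro's code; the addresses, rule names and log format are constructed for the example):

```python
# Added example, not part of the courseware: a model of the packet path
# described above. PREROUTING DNAT rewrites the destination first, then the
# ordered filter table is evaluated top to bottom; the first matching rule
# decides, and a packet that matches no rule is dropped and logged.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class DnatRule:
    match_dst: str  # address assigned to the firewall that is published
    match_dport: int
    new_dst: str    # internal resource the traffic is translated to
    new_dport: int


@dataclass(frozen=True)
class FilterRule:
    name: str
    src: str        # source network in CIDR notation
    dst: str        # destination network in CIDR notation
    proto: str
    dport: int
    action: str     # "allow", "drop" or "reject"
    log: bool = False


def apply_dnat(pkt: Packet, dnat_table: List[DnatRule]) -> Packet:
    """PREROUTING: rewrite the destination before routing and filtering."""
    for rule in dnat_table:
        if pkt.dst == rule.match_dst and pkt.dport == rule.match_dport:
            return replace(pkt, dst=rule.new_dst, dport=rule.new_dport)
    return pkt


def matches(pkt: Packet, rule: FilterRule) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and pkt.proto == rule.proto
            and pkt.dport == rule.dport)


def filter_packet(pkt: Packet, table: List[FilterRule],
                  log: List[str]) -> Tuple[str, Optional[str]]:
    """Ordered filter table, first match wins. Returns (action, rule name);
    with no match the default policy drops the packet and writes a log line."""
    flow = f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
    for rule in table:
        if matches(pkt, rule):
            if rule.log:
                log.append(f"{rule.action.upper()} by rule '{rule.name}': {flow}")
            return rule.action, rule.name
    log.append(f"DROP by default policy (no rule matched): {flow}")
    return "drop", None


def process(pkt: Packet, dnat_table: List[DnatRule],
            table: List[FilterRule], log: List[str]) -> Tuple[str, Optional[str]]:
    """Full path of a forwarded packet: DNAT first, then the filter table."""
    return filter_packet(apply_dnat(pkt, dnat_table), table, log)


# Constructed sample configuration (all addresses are made up).
PUBLIC_IP = "203.0.113.10"      # address assigned to the firewall
WEB_SERVER = "192.168.10.80"    # internal web server published via DNAT
DNAT_TABLE = [DnatRule(PUBLIC_IP, 80, WEB_SERVER, 8080)]

# Wrong: the rule names the public address, which the packet no longer
# carries once DNAT has run, so the default policy drops the request.
WRONG_FILTER = [FilterRule("web-in", "0.0.0.0/0", PUBLIC_IP + "/32",
                           "tcp", 80, "allow", log=True)]
# Right: the rule names the translated destination address and port.
RIGHT_FILTER = [
    FilterRule("web-in", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 8080, "allow", log=True),
    FilterRule("no-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23, "reject", log=True),
]


def demo():
    log: List[str] = []
    client = Packet("198.51.100.7", PUBLIC_IP, "tcp", 80)
    wrong = process(client, DNAT_TABLE, WRONG_FILTER, log)   # ("drop", None)
    right = process(client, DNAT_TABLE, RIGHT_FILTER, log)   # ("allow", "web-in")
    telnet = process(Packet("198.51.100.7", WEB_SERVER, "tcp", 23),
                     DNAT_TABLE, RIGHT_FILTER, log)          # ("reject", "no-telnet")
    return wrong, right, telnet, log


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```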
Refresher ACA/ Packet Filter - Configuration Principles (2)
Default View (columns and controls of the rule table):
Order
Source, Destination and Service
Action
Description (optional)
Enable/Disable
Edit or delete
Groupname
Refresher ACA/ Packet Filter - Configuration Principles (3)
To create new or edit existing rules:
Name: Name for the rule
Move rule to a specific position
The sources: IP or Group
The service: TCP/UDP/IP
The destinations: IP or Group
What to do: Allow, Drop or Reject
When to do: The time
Log Packets: Yes or No
Comment: Whatever helps
Refresher ACA/ DNS - Configuration
Global:
Accepts DNS requests from allowed, internal networks (e.g. your AD servers, clients in smaller networks)
Forwarders:
Forwards DNS requests of ASG to e.g. provider DNS servers
When ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server could be used as an alternate server to resolve names which should not be resolved by the DNS forwarders.
Static Entries:
Handles static mappings of hostnames to IP addresses
Introduction to ACC
In this chapter you will see:
Astaro Command Center
Astaro Command Center/ Overview
Centralized and efficient management:
configuring applications
monitoring actual device states
updating of device software
Using state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript and XML)
Tracking of critical system parameters in real time:
detected threats
license status
software updates
resource usage
No license needed!! It's free!!!
Astaro Command Center/ Features
Inventory management provides comprehensive information about each device (CPU, hard disk, memory, network interfaces, software version and more)
All Astaro Security Gateway devices are automatically organized into device
Single sign-on eases configuration management
Central update management enables the possibility of updating multiple devices through a single click
Role-based multi-administrative support
Astaro Command Center/ ASG Configuration (1)
Astaro Command Center allows you to manage and monitor ASG devices.
This option allows you to connect a specific device to a specific ACC for future usage.
The connection between ASG and ACC is SSL encrypted using port 4433.
Packet filter rules to allow this communication are created automatically.
Astaro Command Center/ ASG Configuration (2)
Up2Date packages can also be fetched from a cache that can be configured here.
Specify a host serving as a cache.
If the ASG is monitored by an ACC server, this ACC can act as an Up2Date cache.
ACC stores Up2Date packages for the devices connected to it by default.
Astaro Command Center/ Review Questions
1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?
Networking
In this chapter you will learn about:
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF
Networking/ VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated in multiple smaller network segments on the Ethernet level (layer 2).
A VLAN switch plus a VLAN capable network interface simulate a number of physical interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface will create a virtual hardware device.
Example
PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10. PC3, PC5 and PC6 will be connected together on VLAN 20.
Both VLANs can communicate through the ASG's rulebase.

Switch a                              Switch b
Port      VLAN Tag  tagged/untagged   Port      VLAN Tag  tagged/untagged
1         10, 20    T                 1         10, 20    T
2 (PC1)   10        U                 2 (PC4)   10        U
3 (PC2)   10        U                 3 (PC5)   20        U
4 (PC3)   20        U                 4 (PC6)   20        U
5         10, 20    T

Figure: Switch a (ports a1-a5) and Switch b (ports b1-b4) with Hosts 1-6 attached, connected to the ASG acting as firewall/router.
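The two-switch VLAN example above, worked through as an added Python model (not code from the courseware). It assumes port 5 of switch a is cabled to port 1 of switch b and that port 1 of switch a is the uplink to the ASG; neither is stated on the slide.

```python
# Added example, not part of the courseware: a model of the two-switch VLAN
# setup from the slide. A frame entering an untagged (access) port is placed in
# that port's VLAN; a frame entering a tagged (trunk) port must carry an 802.1Q
# tag for a VLAN the trunk allows. A frame may only leave through ports that
# are members of its VLAN; access ports strip the tag, trunks keep it.
# Assumption (not on the slide): port 5 of switch a is cabled to port 1 of
# switch b, and port 1 of switch a is the uplink to the ASG.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Port:
    vlans: Set[int]   # VLAN membership (exactly one VLAN for untagged ports)
    tagged: bool      # True = trunk (keeps the 802.1Q tag), False = access port


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """Build the 4-byte 802.1Q tag: TPID 0x8100 followed by the TCI
    (PCP: 3 bits, DEI: 1 bit, VID: 12 bits). The VID field is 12 bits wide;
    802.1Q reserves 0 and 4095, so 1..4094 are usable."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid}")
    tci = (pcp << 13) | vid
    return (0x8100).to_bytes(2, "big") + tci.to_bytes(2, "big")


def ingress_vlan(port: Port, vid: Optional[int]) -> Optional[int]:
    """Which VLAN does an arriving frame belong to? None = the switch drops it."""
    if port.tagged:
        return vid if vid in port.vlans else None
    if vid is not None:                 # access ports do not accept tagged frames
        return None
    return next(iter(port.vlans))       # PVID of the access port


def egress_tag(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """May a frame of this VLAN leave through the port, and with which tag?"""
    if vlan not in port.vlans:
        return False, None
    return True, (vlan if port.tagged else None)


# Port tables copied from the slide (T = tagged trunk, U = untagged access port).
SWITCHES: Dict[str, Dict[int, Port]] = {
    "a": {
        1: Port({10, 20}, True),    # uplink to the ASG (assumed)
        2: Port({10}, False),       # PC1
        3: Port({10}, False),       # PC2
        4: Port({20}, False),       # PC3
        5: Port({10, 20}, True),    # link to switch b, port 1 (assumed)
    },
    "b": {
        1: Port({10, 20}, True),    # link from switch a, port 5 (assumed)
        2: Port({10}, False),       # PC4
        3: Port({20}, False),       # PC5
        4: Port({20}, False),       # PC6
    },
}
INTER_SWITCH = {"a": (5, 1), "b": (1, 5)}   # (egress port here, ingress port there)


def layer2_path(src: Tuple[str, int], dst: Tuple[str, int]) -> Optional[List[Optional[int]]]:
    """Trace an untagged frame from one access port to another. Returns the
    802.1Q VID seen on each wire segment (None = untagged), or None when the
    frame cannot reach the destination at layer 2 (different VLANs)."""
    sw, port = src
    vlan = ingress_vlan(SWITCHES[sw][port], None)
    if vlan is None:
        return None
    tags: List[Optional[int]] = []
    if sw != dst[0]:                                  # cross the inter-switch trunk
        out_port, in_port = INTER_SWITCH[sw]
        ok, tag = egress_tag(SWITCHES[sw][out_port], vlan)
        if not ok:
            return None
        tags.append(tag)
        vlan = ingress_vlan(SWITCHES[dst[0]][in_port], tag)
        if vlan is None:
            return None
    ok, tag = egress_tag(SWITCHES[dst[0]][dst[1]], vlan)
    if not ok:
        return None
    tags.append(tag)
    return tags


if __name__ == "__main__":
    print("PC1 -> PC4:", layer2_path(("a", 2), ("b", 2)))   # [10, None]: tagged on the trunk
    print("PC1 -> PC3:", layer2_path(("a", 2), ("a", 4)))   # None: VLAN 10 vs 20, the ASG must route
```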
Networking/ VLAN (2)
VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.
When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.
NOTES:
- It is essential to check the HCL for ensuring VLAN capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
- Make sure you have installed a VLAN-capable NIC or refer to the HCL.
Networking/ Uplink Fail-Over
Usage:
If a primary connection to the Internet goes down, a secondary connection will take over.
Requirements:
Additional NIC in the firewall
Additional connection to the Internet
Restrictions:
Will only be allowed on interfaces where there is a default gateway.
Figure: MPLS connection (primary) and DSL connection (backup) between the LAN and the Internet.
Networking/ Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows you to aggregate multiple Ethernet network ports into one virtual interface.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports, communicating via the Link Aggregation Control Protocol (LACP).
Link aggregation is useful:
to increase the link speed beyond the speed of any one single NIC
to provide basic failover and fault tolerance by redundancy
All traffic routed over the failed port or switch is automatically re-routed to the remaining ports or switches.
Failover is completely transparent to the system using the connection.
NOTES:
In an HA environment, Ethernet connections can even be on different HA units.
Link partners must support IEEE 802.3ad.
LA and Bridging cannot be combined. LA cannot work with DSL.
Networking/ Link Aggregation using ASG
Link aggregation allows you to have:
Trunking two links for speed and
Two links in redundancy mode
Requirement: The link partner needs to support Link Aggregation
Networking/ Link Aggregation Configuration (1)
IEEE 802.3ad Link Aggregation:
Link Trunking (for speed)
Link Redundancy (for high availability)
Combination of both
To enable Link Aggregation:
Add Links to the group
Astaro supports up to 4 Link Aggregation Groups
Networking/ Link Aggregation Configuration (2)
To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link aggregation group.
2. Select the check box for each unconfigured interface you want to add to the LAG.
3. Enable the LAG.
Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible.
On top of the bonding interface you can create one of the following:
Ethernet Standard
Cable Modem (DHCP)
Ethernet VLAN
Alias interfaces
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.
The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG will be used for all other NICs within the LAG.
Networking/ Bridging Overview (1)
Bridging occurs at the link layer (OSI layer 2).
The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium.
Bridges make forwarding decisions based on information contained in the frames, and forward the frames toward the destination.
Figure: "Keep Subnet" (bridged) versus "Split Subnet" (routed) integration of the ASG.
NOTE: Bridging does not require splitting a network in two subnets to integrate ASG into an existing network.
Networking/ Bridging Overview (2)
A bridge transparently relays traffic between multiple network interfaces.
Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.
How it works:
The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1.
172.16.1.1 is the bridge interface br0 with ports eth1 and eth2.
NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.
Networking/ Bridging Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works:
When ethX interfaces are added to a bridge, they become a part of the br0 interface.
The Linux 2.6 kernel has built-in bridging support (bridge project).
Ebtables has very basic IPv4 support.
Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT.
It forces bridged IP frames/packets to go through the iptables chains.
Networking/ Bridging Configuration (1)
Configuration Example:
Networking/ Bridging Configuration (2)
There are two advanced options available:
Allow ARP Broadcasts
Ageing timeout
By default, ARP broadcasts are not allowed to pass across the bridged interfaces. If needed, enable the Allow ARP Broadcasts option.
As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.
Networking/ Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.
It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.
Figure: two routers towards Prov. A (MPLS) and Prov. B (DSL); behind the ASG are DMZ 1, LAN 1, LAN 2, an ERP server and an SMTP server.
Example:
interface = any, service = SAP, source = Finance, target = Provider A: Route ERP traffic from Finance to the MPLS Provider
interface = 2, service = SMTP, source = DMZ1, target = Provider B: Route SMTP traffic from DMZ to the DSL Provider
Networking/ Policy Based Routing (2)
Policy based routing will route by selectors:
Destination
Source
Service
Source Interface
Policy based routing will route to targets:
An interface
A host (gateway)
Limitations:
Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
Only user defined policy routes are possible
Network groups in policy routes are not possible
The following benefits can be achieved by implementing policy-based routing in the networks:
Load Sharing
Cost Savings
Source-Based Transit Provider Selection
Quality of Service (QoS)
OSPF/ Overview
OSPF = Open Shortest Path First
Link-state hierarchical routing protocol
Uses Dijkstra's SPF algorithm to calculate the shortest path tree.
Open standard, developed by the IETF
ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)
Interior Gateway Protocol (IGP) for routing within one Autonomous System (AS)
OSPF uses cost as its routing metric (e.g. by dividing 10^8 by the bandwidth of the interface in bits per second)
The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface.
The cost of an interface is inversely proportional to the bandwidth of that interface.
A link state database of the network topology is constructed which is identical on all routers in the area.
OSPF guarantees loop-free routing.
OSPF/ Features & Benefits
Area concept for hierarchical topologies and reduction of CPU and memory consumption of routers
Independent from IP subnet classes
Arbitrary, dimensionless metric
Load balancing for paths with equal costs
Special reserved multicast addresses reduce the impact on non-OSPF devices
Authentication
External Route Tags
TOS routing possible
Fast database reconciliation after topology changes
Support for large networks
Low susceptibility to faulty routing information
OSPF/ Operating Mode
Routers identify their neighbors during integration into the network
Conciliation of the Link State Database (LSDB) with neighbors by reliable flooding
Periodical keep-alives for maintaining the neighborhood
Periodical Link State Updates for keeping the LSDB consistent
Flooding of LSAs when topology changes occur
Example for a LSDB:

LS-Type      Link State ID   Adv. Router   Checksum   Seq. No.     Age
Router-LSA   10.11.12.1      10.1.1.1      0x9b47     0x80000006   0
Router-LSA   10.11.12.2      10.1.1.2      0x219e     0x80000007   1618
Router-LSA   10.11.12.3      10.1.1.3      0x6b53     0x80000003   1712
Router-LSA   10.11.12.4      10.1.1.4      0xe39a     0x8000003a   20
Router-LSA   10.11.12.5      10.1.1.5      0xd2a6     0x80000038   18
Router-LSA   10.11.12.6      10.1.1.6      0x05c3     0x80000005   1680
OSPF/ Example LSDB & Principles
Figure: six routers 10.11.12.1 to 10.11.12.6 connected by point-to-point links; the link between 10.11.12.2 and 10.11.12.4 is marked with an X (failed).
Point-To-Point Connections, cost for each connection := 1
Databases are synchronized
Each router knows the shortest path to each other router
10.11.12.1 has two equal routes with identical costs to 10.11.12.6
Assume the connection between 10.11.12.2 and 10.11.12.4 fails
LSAs will be flooded over the whole network
After LSDB sync only one shortest path will remain
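The SPF principles above (equal-cost paths, link failure, LSDB resync) run in code, together with the 10^8 / bandwidth cost rule from the overview slide. This is an added Python example, not the courseware's material; because the figure did not survive, the link set is an assumption constructed to match the slide's statements.

```python
# Added example, not part of the courseware: the principles on this slide run
# as code. Every router holds the same LSDB, runs Dijkstra (SPF) from itself,
# keeps all equal-cost shortest paths, and reruns SPF after the .2-.4 link
# fails and the changed Router-LSAs have been flooded.
# Assumption: the figure did not survive, so the link set below is constructed
# to match the slide's statements (six routers, point-to-point links of cost 1,
# two equal-cost paths from 10.11.12.1 to 10.11.12.6, one via the .2-.4 link).
import heapq
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str]


def ospf_cost(bandwidth_bps: int, reference_bps: int = 10 ** 8) -> int:
    """Default interface cost: reference bandwidth (10^8) divided by the
    interface bandwidth in bit/s, rounded down and never below 1."""
    return max(1, reference_bps // bandwidth_bps)


def build_lsdb(links: Dict[Link, int]) -> Dict[str, Dict[str, int]]:
    """Adjacency view of the LSDB: router -> {neighbour: cost}, both directions."""
    lsdb: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in links.items():
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Tuple[Dict[str, int], Dict[str, Set[str]]]:
    """Dijkstra from root. Returns the cost to every router and, per router,
    the set of predecessors on all equal-cost shortest paths (ECMP)."""
    dist: Dict[str, int] = {root: 0}
    preds: Dict[str, Set[str]] = {root: set()}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                     # stale heap entry
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if v not in dist or nd < dist[v]:
                dist[v], preds[v] = nd, {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)          # equal-cost alternative
    return dist, preds


def shortest_paths(preds: Dict[str, Set[str]], root: str, target: str) -> List[List[str]]:
    """Expand the predecessor sets into the full list of shortest paths."""
    if target == root:
        return [[root]]
    paths: List[List[str]] = []
    for p in sorted(preds.get(target, ())):
        for path in shortest_paths(preds, root, p):
            paths.append(path + [target])
    return paths


# Constructed topology consistent with the slide (an assumption, see above).
R = ["10.11.12.%d" % i for i in range(1, 7)]
LINKS: Dict[Link, int] = {
    (R[0], R[1]): 1, (R[0], R[2]): 1,   # .1-.2  .1-.3
    (R[1], R[3]): 1, (R[2], R[4]): 1,   # .2-.4  .3-.5
    (R[3], R[5]): 1, (R[4], R[5]): 1,   # .4-.6  .5-.6
}


def paths_before_and_after_failure() -> Tuple[int, List[List[str]], int, List[List[str]]]:
    """Shortest paths from 10.11.12.1 to 10.11.12.6 before and after the
    10.11.12.2-10.11.12.4 link fails. After the failure both ends originate
    new Router-LSAs, flooding synchronises every LSDB, and SPF is rerun."""
    dist, preds = spf(build_lsdb(LINKS), R[0])
    before = shortest_paths(preds, R[0], R[5])
    remaining = {link: c for link, c in LINKS.items() if link != (R[1], R[3])}
    dist2, preds2 = spf(build_lsdb(remaining), R[0])
    after = shortest_paths(preds2, R[0], R[5])
    return dist[R[5]], before, dist2[R[5]], after


if __name__ == "__main__":
    cost_b, before, cost_a, after = paths_before_and_after_failure()
    print("before failure: cost", cost_b, "paths", before)   # two equal-cost paths
    print("after failure:  cost", cost_a, "paths", after)    # only one path remains
```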
OSPF/ Router Types & Principles (2)
Backbone Routers (BR)
are part of the OSPF backbone.
An area border router is always also a backbone router, but a backbone router is not necessarily an area border router.
Designated Router (DR)
is the router elected among all routers on a particular multi-access network segment.
is elected based on the following default criteria:
Sending the Hello packets with the highest priority.
If two or more routers tie with the highest priority setting, the router sending the Hello with the highest RID (Router ID) wins.
Usually the router with the second highest priority number becomes the BDR.
The range of priority values is 1 to 255, with a higher value increasing its chances of becoming DR or BDR.
If the priority setting on an OSPF router is set to 0, that means it can NEVER become a DR or BDR (Backup Designated Router).
When a DR fails, the BDR takes over.
Backup Designated Router (BDR)
A backup designated router (BDR) is a router that becomes the designated router if the current designated router fails. The BDR is the OSPF router with the second highest priority at the time of the last election.
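The DR/BDR election criteria from this slide as an added Python function (not from the courseware; the router IDs and priorities are constructed). It models only the default criteria listed above; a live OSPF segment additionally keeps an established DR in place rather than re-electing on every Hello.

```python
# Added example, not part of the courseware: the DR/BDR election criteria from
# the slide as a function. It models the default criteria only (highest
# priority, ties broken by the highest Router ID, priority 0 never eligible);
# a running OSPF network also keeps an existing DR rather than re-electing.
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


def elect_dr_bdr(routers: Dict[str, int]) -> Tuple[Optional[str], Optional[str]]:
    """routers maps Router ID -> priority (0..255). Returns (DR, BDR).
    Highest priority wins; ties are broken by the numerically highest Router ID.
    Routers with priority 0 can never become DR or BDR."""
    eligible = [(prio, IPv4Address(rid)) for rid, prio in routers.items() if prio > 0]
    eligible.sort(reverse=True)                     # (priority, RID) descending
    ranked = [str(rid) for _, rid in eligible]
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


def dr_failed(routers: Dict[str, int], failed_dr: str) -> Tuple[Optional[str], Optional[str]]:
    """When the current DR fails, the BDR takes over as DR and a new BDR is
    chosen from the remaining eligible routers."""
    remaining = {rid: prio for rid, prio in routers.items() if rid != failed_dr}
    return elect_dr_bdr(remaining)


# Constructed segment: equal default priorities, one router excluded (prio 0).
SEGMENT = {"10.1.1.1": 1, "10.1.1.2": 1, "10.1.1.3": 0, "10.1.1.10": 1}

if __name__ == "__main__":
    print(elect_dr_bdr(SEGMENT))             # ('10.1.1.10', '10.1.1.2')
    print(dr_failed(SEGMENT, "10.1.1.10"))   # ('10.1.1.2', '10.1.1.1')
```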
OSPF/ OSPF Packets
Figure: IP Header (Protocol #89) followed by the OSPF Packet, consisting of the OSPF Packet Header and the OSPF Packet Data.
Packet types:
Hello
Database Description
Link State Request
Link State Update
Link State Acknowledgement
Transmission via IP, Protocol #89
Transfer directly to the neighbor or using multicast addresses
OSPF packets are only exchanged between neighbors within the network, never being routed outside of the network they originate from (TTL=1)
/ Header Format
Version Typ
Area ID
Lenght
Router ID
Checksum AuType
Authentication *)
*
8 888
32 Bits
Astaro Security Gateway V7 - Astaro Certified Engineer Page 55 Astaro 2007 / ACE_V7.00-0.16
Packet Data
Key ID Auth. Length0x0000Cryptogr. Sequence Number
*) if AuType = 2:
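A parser for the header laid out above, including the reinterpreted Authentication field when AuType = 2 and the checksum rule for the other AuTypes. Added example, not from the Astaro courseware; the sample packets are constructed by build_sample().

```python
"""Parse an OSPFv2 packet header, including the AuType=2 authentication block.

Added example, not from the Astaro courseware. The field layout is the one on
the slide (RFC 2328); the sample Hello packets are constructed in build_sample().
"""
import struct

OSPF_PROTO = 89          # IP protocol number carrying OSPF
HEADER_LEN = 24          # bytes, incl. the 64-bit Authentication field
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgement"}
AU_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def dotted(value: int) -> str:
    """Render a 32-bit Router ID / Area ID in x.x.x.x notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum (used with AuType 0 and 1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ospf_header(pkt: bytes) -> dict:
    """Return the header fields; raise ValueError on malformed input."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, area, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    auth = pkt[16:24]
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with packet size")
    hdr = {
        "type": PACKET_TYPES.get(ptype, "unknown"),
        "length": length,
        "router_id": dotted(rid),
        "area_id": dotted(area),
        "au_type": AU_TYPES.get(autype, "unknown"),
    }
    if autype == 2:
        # Authentication field reused: 0x0000 | Key ID | Auth Data Length | Crypto Seq Number
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        hdr.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
        # The message digest follows the packet and is not counted in 'length'.
        hdr["digest_present"] = len(pkt) >= length + auth_len
        hdr["checksum_ok"] = None   # the checksum is unused with cryptographic auth
    else:
        # The checksum covers the packet excluding the 64-bit Authentication field;
        # summing the data with the stored checksum included yields 0 when valid.
        hdr["checksum_ok"] = ip_checksum(pkt[:16] + pkt[24:length]) == 0
    return hdr


def build_sample(autype: int) -> bytes:
    """Construct a minimal Hello packet from Router ID 10.0.0.1 in area 0.0.0.0."""
    hello_body = (b"\xff\xff\xff\x00"    # network mask
                  + b"\x00\x0a"          # hello interval 10 s
                  + b"\x02\x01"          # options (E bit), router priority 1
                  + b"\x00\x00\x00\x28"  # router dead interval 40 s
                  + b"\x00" * 8)         # DR and BDR not yet elected
    length = HEADER_LEN + len(hello_body)
    rid = 0x0A000001
    if autype == 2:
        head = struct.pack("!BBHIIHH", 2, 1, length, rid, 0, 0, autype)
        auth = struct.pack("!HBBI", 0, 1, 16, 12345)   # Key ID 1, 16-byte digest, seq 12345
        return head + auth + hello_body + b"\x00" * 16  # placeholder digest bytes (constructed)
    csum = ip_checksum(struct.pack("!BBHIIHH", 2, 1, length, rid, 0, 0, autype) + hello_body)
    head = struct.pack("!BBHIIHH", 2, 1, length, rid, 0, csum, autype)
    return head + b"\x00" * 8 + hello_body
```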
OSPF/ Area Types
AS External LSAs are flooded over area borders
Additionally, ASBR Summary LSAs are distributed within their areas by ABRs
Different area types are used to minimize LSDBs
Stub Areas
Area which does not receive external routes.
AS External LSAs are not transferred to stub areas
no ASBRs & no virtual links
NSSAs (Not-So-Stubby Area)
Type of stub area that can import autonomous system (AS) external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas.
Extension to Stub Areas
small number of external routes allowed
will be translated at the NSSA border into AS-External LSAs
The NSSA border is a one-way road for external routing information
OSPF/ ASG Configuration OSPF-ID
The OSPF-ID is a unique ID of the router device.
This can be the official address.
It is denoted in x.x.x.x format.
OSPF/ ASG Configuration OSPF Area
Before you can enable the OSPF function, you must have at least one OSPF area configured.
Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.
OSPF/ ASG Configuration OSPF Interfaces (1)
The Interfaces section defines the interfaces that can be used to announce OSPF networks.
OSPF/ ASG Configuration OSPF Interfaces (2)
The OSPF interface must be added to the area that will be announced.
OSPF/ ASG Configuration OSPF Interfaces (3)
The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces etc. in pop-up windows.
Networking Review Questions
Networking/ Review Questions
1. How can VLAN segments be distinguished? How many virtual LANs can be distinguished by ASG?
2. How are ARP broadcasts handled in terms of bridged interfaces?
3. What are the two major benefits of Link aggregation at ASG?
4. On which OSI layer does bridging occur?
6. What are the route selectors in Policy Routing?
7. Name 5 benefits of OSPF.
8. Which transmission protocol is used for OSPF?
9. What router and area types do you know and how do they interact with each other?
10. What must be configured before you can enable the OSPF function on ASG?
Network Security
In this chapter you will learn about:
Server Load Balancing
Quality of Service
Generic Proxy
Socks Proxy
Ident Proxy
Network Security/ Server Load Balancing (1)
Used if the traffic going to one IP address should be split or "balanced" between multiple servers
Network Security/ Server Load Balancing (2)
Configuration for Server Load Balancing contains three options:
Service to Balance
The Pre-Balance Target
A Group of Target Hosts
These parameters describe exactly the situation from the last slide: which traffic on which port (the Balancing Service) on which IP address (the Pre-Balance target host) will be distributed to which servers (the Post-Balance target hosts).
Quality of Service/ Working Principle
Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network.
Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).
[Figure: ASG left (Headquarter) and ASG right (Branch Office), without traffic shaping vs. with traffic shaping]
Quality of Service/ Features and Benefits
QoS allows to
Limit available bandwidth and
Guarantee minimum bandwidth
Works per Interface
Works per Subnet/Host
Works per Service
Define traffic directions carefully (upstream shapes downstream): e.g. an HTTP & FTP download from ANY is outbound from the ext. NIC's view (figure: Ext. NIC / Int. NIC)
Quality of Service/ Configuration
Status: The Status tab describes the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.
Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.
Bandwidth Pools (Internal & External): Bandwidths are shared by multiple sources. Bandwidth Pools can also specify upper bandwidth limits.
Quality of Service/ Configuration: Status Overview
Display all available interfaces
Define the available, physical bandwidth.
Define the guaranteed uplink and downlink bandwidth for any interface, e.g. the DSL line.
By default, QoS is disabled for each interface
Quality of Service/ Configuration: Traffic Selectors
Traffic Selectors describe what traffic needs to be accounted.
The description contains details about the source of the traffic, its destination and its service.
TOS/DSCP allows to pay respect to Type of Service and DiffServ flags in the traffic.
It is possible to build groups of Traffic Selectors.
Quality of Service/ Configuration: Bandwidth Pools
Bandwidth Pools describe the available and guaranteed bandwidth for the available interfaces.
Network Security/ Advanced
The Generic Proxy is another option when private networks are being used.
SOCKS is an internet protocol to allow clients to use the services of a firewall transparently and is short for SOCKetS.
The Ident Protocol is specified in RFC 1413 and helps identifying the users of a particular TCP connection.
Network Security/ Generic Proxy
Works as a port forwarder
Combines features of DNAT and Masquerading
Forwarding all incoming traffic for a specific service to an arbitrary server.
In contrast to DNAT, the source IP address is replaced with the IP of the interface of the ASG for outgoing connections.
It is possible to change the target port number also.
Network Security/ SOCKS
What is it used for?
Can build TCP and UDP connections for client applications
Can provide incoming ports to listen on
Used with systems that incorporate NAT
Where is it used?
Socks clients such as FTP, RealAudio
Astaro Security Gateway supports SOCKSv5
User authentication can be used
Network Security/ IDENT Relay
IDENT is an older protocol
Allows external users to associate a username with a TCP connection
Not very secure because the connection isn't encrypted
Necessary for some services like IRC and some mail servers
Hence the configuration is rather simple, it offers:
Configuration of the string to answer with (default response)
Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)
Network Security Review Questions
Network Security/ Review Questions
1. What does Server Load Balancing do?
2. With which technology is it realized?
3. For which kinds of traffic is Quality of Service suitable?
4. What is the Generic Proxy used for?
5. What does the Socks Proxy do?
VoIP Security
In this chapter you will learn how SIP and H.323 security work
VoIP Security/ SIP/H.323 Security
SIP and H.323 are so-called signaling protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like INVITE, RINGING or HANGUP. The actual voice connection takes place on a dynamic port.
[Figure: SIP call setup between Rick (IP-A) and Cory (IP-B) over time. Rick sends INVITE Cory@IP-B with SDP "C = IN IP4 IP-A", "M = audio 2000 RTP/AVP 0" to IP-B, PORT-S. Cory answers 200 OK with SDP "C = IN IP4 IP-B", "M = audio 4000 RTP/AVP 3". Afterwards: audio stream to IP-A, port 2000 and audio stream to IP-B, port 4000.]
Astaro's VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used, and then only allowing these ports to pass traffic while the control channel is busy.
To configure VoIP Security, client and server network definitions need to be made.
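The exchange in the figure, modelled from the helper's point of view: read the INVITE and 200 OK, open only the negotiated RTP/RTCP ports, and close them again on BYE. This is an added example and not Astaro's helper module; the SIP messages, the Call-ID and the addresses (documentation ranges) are constructed.

```python
"""Track SIP/SDP signaling to learn which dynamic RTP ports a call uses.

Added example, not part of the Astaro courseware. It models the behaviour the
slide describes for the connection tracking helper: watch the control channel,
open only the negotiated media ports, close them again when the call ends.
The SIP messages and addresses (documentation ranges) are constructed.
"""
import re

INVITE = ("INVITE sip:cory@198.51.100.20 SIP/2.0\r\n"
          "Call-ID: call-7781@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 2000 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n"
          "Call-ID: call-7781@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 4000 RTP/AVP 3\r\n")
BYE = "BYE sip:cory@198.51.100.20 SIP/2.0\r\nCall-ID: call-7781@192.0.2.10\r\n\r\n"


def call_id(msg: str):
    m = re.search(r"^Call-ID:\s*(\S+)\s*$", msg, re.M | re.I)
    return m.group(1) if m else None


def sdp_media(msg: str):
    """Return (ip, rtp_port) from the SDP c= and m= lines, or None."""
    _head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        return None
    c = re.search(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\s*$", body, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP\b", body, re.M)
    if not (c and m):
        return None
    port = int(m.group(1))
    # RTP uses even ports above the well-known range; reject anything else so a
    # crafted SDP cannot make the helper open e.g. port 22 or 443 (constructed policy).
    if port < 1024 or port > 65534 or port % 2:
        return None
    return c.group(1), port


class VoipHelper:
    def __init__(self):
        self.pending = {}        # Call-ID -> caller (ip, port) seen in the INVITE
        self.active = {}         # Call-ID -> set of allowed UDP flows
        self.allowed = set()     # (src_ip, src_port, dst_ip, dst_port)

    def observe(self, msg: str) -> None:
        cid = call_id(msg)
        if cid is None:
            return
        if msg.startswith("BYE "):
            # Control channel closed: the dynamic ports are closed with it.
            for flow in self.active.pop(cid, ()):
                self.allowed.discard(flow)
            return
        media = sdp_media(msg)
        if media is None:
            return
        if msg.startswith("INVITE "):
            self.pending[cid] = media
        elif msg.startswith("SIP/2.0 200 ") and cid in self.pending:
            # Assumes the 200 OK answers the INVITE with the same Call-ID (a
            # full helper would also match CSeq); open RTP and RTCP both ways.
            caller, callee = self.pending.pop(cid), media
            flows = set()
            for a, b in ((caller, callee), (callee, caller)):
                flows.add((a[0], a[1], b[0], b[1]))          # RTP
                flows.add((a[0], a[1] + 1, b[0], b[1] + 1))  # RTCP
            self.active[cid] = flows
            self.allowed |= flows

    def allows(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Would the helper let this UDP packet through?"""
        return (src_ip, src_port, dst_ip, dst_port) in self.allowed
```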
VoIP Security/ SIP Session Initiation Protocol
"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)
A good starting point for reading about SIP is http://en.wikipedia.org/wiki/Session_Initiation_Protocol
[Figure: Rick sends INVITE [email protected] to the SIP Registrar, which forwards it to Cory]
VoIP Security/ H.323
H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network.
H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs, but it has rapidly evolved to address the growing needs of VoIP networks.
Currently real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.
A good link to get started with reading about H.323 is http://en.wikipedia.org/wiki/H323
VoIP Security/ SIP/H.323 Security
To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can be activated individually.
Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers.
VoIP Security Review Questions
VoIP Security/ Review Questions
1. What does SIP stand for?
2. Which parts do you need to configure for SIP/H.323 security?
3. Explain how SIP works.
4. What are the ports SIP is normally making use of?
Intrusion Protection
In this chapter you will learn about:
Statefulness
Configuration
Ruleset
Advanced
Intrusion Protection/ Working Principle
Astaro Security Gateway's IPS operates in inline mode
It is placed logically between external, internal and DMZ networks, located on one single machine.
Astaro uses Inline Snort (http://snort-inline.sourceforge.net) as IPS, which is a modified version of SNORT (open source module).
Inline mode allows detection and prevention at the same time.
Another benefit of inline mode is that all packets must pass the Astaro Security Gateway and no packets can be missed, e.g. due to high network load.
Intrusion Protection/ Fundamentals
Sensor Placement Options (figure: inline sensor positions 1 to 4)
1. In front of the Firewall
2. Between Firewall and LAN-Switch
3. Within the DMZ
4. Within the LAN
Intrusion Protection/ Working Principle
[Figure: netfilter packet path on the ASG. Incoming packets -> PREROUTING (spoofdrop, conntrack, mangle, dnat) -> Routing -> FORWARD (mangle, filter, ips) -> POSTROUTING (mangle, masquerading, snat) -> outgoing packets. INPUT (conntrack, mangle, filter, ips) -> Local Processes (Apache, EXIM, SSHD, SQUID, SOCKS, BIND, IPSEC, PPTP) -> OUTPUT (conntrack, mangle, dnat, filter, ips) -> Routing -> POSTROUTING.]
Each packet runs through the IPS only ONCE:
1. Packet from Network to the local machine
2. Packet from Network to Network
3. Packet from local machine to Network (e.g. when using the proxies, and also in case of an exploit of a Linux module on Astaro Security Gateway itself)
Tables:
NAT
Filter
mangle
ips
New netfilter module ips (kernel module iptable_ips.o)
The ips table has the lowest priority in the netfilter hierarchy.
Intrusion Protection/ Limitations of Firewalls and Virus-Scanners (1)
A robust firewall policy can minimize the exposure of many networks.
Depending on the security level to be achieved, such countermeasures alone might not be enough.
Packet Filter Firewalls inspect on a per-packet basis.
Even invalid packets may pass through
No detection of application-layer attacks (..., MMS, ...)
Proxies (Application Level Gateways) have application layer awareness
Can filter unwanted header types or malformed ones
Would be able to detect protocol anomalies
Will not be able to detect higher level attacks (e.g. CGI script attacks)
Therefore IDS are necessary to fulfill higher security requirements
Additionally, hacker tools make attacks easier and are available for everybody
The level of sophistication of attacks is growing
Intrusion Protection/ Limitations of Firewalls and Virus-Scanners (2)
Firewalls inspect for viruses and worms in:
E-mails & Attachments
SMTP, POP3 and HTTP streams
Virus Scanners are unable to monitor data by analyzing the traffic within a network.
Worms like SQL-Slammer or MS.Blaster spread independently
Only detectable after infection
Example: SQL-Slammer
Buffer Overflow in Microsoft SQL-Server
UDP packet to Port 1434, Size: 376 Byte (!)
In RAM only
Spreads to random IP addresses
Very fast infection rates - high-speed worm
Intrusion Detection/ Configuration
The Intrusion Protection menu has the following tabs:
Global: Settings for Intrusion Protection
Attack Patterns: disable the categories of attacks that can be recognized
Anti-DoS/Flooding: Denial of Service and Flood Protection is configured here
Anti-Portscan: the portscan detection configuration is in here
Exceptions: the configuration can be limited to certain hosts and networks
Advanced: Rules and IP address information about dedicated servers is here
Intrusion Detection/ Configuration: Global
The global settings contain a list of networks that are protected by intrusion prevention.
If attacks from the local networks should be detected, it is important NOT to add them to this list!
Depending on the traffic between the LAN segments (LAN1, LAN2, LAN3 in the figure), a major impact on the performance of the ASG is possible.
The global configuration also contains the default action: Drop or Reset packets.
Of course, IDS/IPS also offers a live log, which can be viewed with the Live Log button.
Intrusion Protection System/ Configuration: Attack Patterns
Astaro supports roughly 7000 different rules.
Those are made up in 40 different groups, which are again separated.
Per Group settings:
Action: What to do with packets matching this group, if detected
Add extra warning: Activate extra rules that are for information only
Notify: Send an e-mail to the admin address if packets are detected matching rules of this group.
Intrusion Protection/ Refresher: How SYN Floods work
SYN Attack: Sends a stream of SYN packets in which the attacking host spoofs the source IP address (to be that of a currently unreachable host).
[Figure: the attacking host sends SYNs to the server with the IPs of Unreachable Host #1, #2 and #3 as source; the server answers each SYN with a SYN/ACK to Unreachable Host #1, #2 and #3, which never reply]
Intrusion Protection System/ Anti-DoS / Flooding
Anti-Flooding allows to limit the number of packets per time.
This works for senders and recipients in the protocols TCP, UDP and ICMP.
In the case of TCP flood protection, only SYN packets are taken into account.
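The rate-limit rules just described, run over a constructed packet trace. This is an added example, not the ASG implementation; thresholds, window and trace are constructed, and it also shows the side effect a practitioner should expect from the per-recipient limit: a legitimate SYN to a flooded server is dropped as well.

```python
"""Per-sender and per-recipient packet-rate limits as the Anti-DoS/Flooding
slide describes: TCP counts only SYN packets, UDP and ICMP count every packet.

Added example, not from the Astaro courseware. Thresholds, window and the
packet trace are constructed; real limits are set in the Anti-DoS/Flooding tab.
"""
from collections import defaultdict, deque

LIMITS = {"tcp": 50, "udp": 100, "icmp": 20}   # packets per window, constructed
WINDOW = 1.0                                    # seconds


class FloodDetector:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.hist = defaultdict(deque)   # (proto, role, ip) -> recent timestamps

    def _over_limit(self, proto, role, ip, t) -> bool:
        q = self.hist[(proto, role, ip)]
        while q and t - q[0] > self.window:   # forget timestamps outside the window
            q.popleft()
        q.append(t)
        return len(q) > self.limits[proto]

    def check(self, t, proto, src, dst, tcp_flags="") -> str:
        """Return "pass" or "drop" for one packet.

        For TCP only a pure SYN (connection attempt) is counted, so an
        established transfer of thousands of ACK packets never trips the limit.
        """
        if proto not in self.limits:
            return "pass"
        if proto == "tcp" and tcp_flags != "S":
            return "pass"
        # Both counters are always updated, even when the first one already fires.
        over_src = self._over_limit(proto, "src", src, t)
        over_dst = self._over_limit(proto, "dst", dst, t)
        return "drop" if over_src or over_dst else "pass"


def simulate(packets):
    """Feed (t, proto, src, dst, flags) records in time order; return drops per source."""
    det = FloodDetector()
    drops = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p[0]):
        if det.check(*pkt) == "drop":
            drops[pkt[2]] += 1
    return dict(drops)


SERVER = "192.0.2.80"
TRACE = []
# 60 SYNs in 0.3 s from one source: everything beyond the 50th is dropped
TRACE += [(i * 0.005, "tcp", "203.0.113.9", SERVER, "S") for i in range(60)]
# A legitimate client connects while the server's per-recipient SYN budget is
# still exhausted: its single SYN is dropped too (collateral of the dst limit).
TRACE += [(0.5, "tcp", "198.51.100.5", SERVER, "S")]
# ...but its later ACK/data packets are never counted at all
TRACE += [(0.6 + i * 0.001, "tcp", "198.51.100.5", SERVER, "A") for i in range(200)]
# 30 DNS queries in one second: well under the UDP limit
TRACE += [(2.0 + i * 0.01, "udp", "198.51.100.7", "192.0.2.53", "") for i in range(30)]
# 25 ICMP echo requests in 0.25 s: the last five exceed the ICMP limit
TRACE += [(3.0 + i * 0.01, "icmp", "203.0.113.9", SERVER, "") for i in range(25)]

if __name__ == "__main__":
    print(simulate(TRACE))  # {'203.0.113.9': 15, '198.51.100.5': 1}
```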
Intrusion Protection System/ Anti-Portscan / Exceptions / Advanced
Anti-Portscan:
Detects Portscans
Can have exceptions
Exceptions:
Skip these checks:
Intrusion Protection
Anti-Portscan
Anti-DoS/Flooding TCP
Anti-DoS/Flooding UDP
Anti-DoS/Flooding ICMP
Performance Tuning
For source and destination networks
Advanced:
Modified Rules
Performance Tuning
Intrusion Protection Review Questions
Intrusion Protection/ Review Questions
1. How does Intrusion Protection work?
2. What is the improvement over Firewalls or Anti-Virus Products?
3. Where is Astaro Intrusion Detection placed?
4. How does it integrate with the Packetfilter framework?
5. Which detection methods are applied to traffic?
User Authentication
In this chapter you will learn about:
Users
Groups
Authentication
User Authentication/ Purpose
Authentication (Greek: 'authentikos' = real or genuine, from 'authentes' = author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.
Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity.
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in.
The sender being authenticated may be a person using a computer, a computer itself or a computer program.
Local Authentication
User Authentication/ User Management
User management is necessary to allow or forbid services to certain users or user groups.
To manage local and remote authentication services, the web interface offers the Users menu.
Users - local or remote
Groups - local or remote
Remote Authentication Methods
User Authentication/ Local User Management
The User Management in Astaro allows to administer local users and user groups.
Here you can create user profiles local to the firewall.
No external authentication service is queried to authenticate these users.
To create a locally authenticated user, select Authentication: Local
NOTE: The additional e-mail addresses influence the behavior of the Anti Spam Reports. See there.
Remote Authentication
Remote Authentication/ Available Methods
Astaro has many options for remote user authentication:
eDirectory: Novell, partly LDAP based
Active Directory: Microsoft, partly LDAP based
RADIUS: Remote Access Dial-In User Service, Livingston Enterprises, later RFC
TACACS+: Terminal Access Controller Access-Control System Plus, Cisco, now RFC
LDAP: Lightweight Directory Access Protocol, OSI, X.500, now RFC
Remote Authentication/ Novell eDirectory
With ASG V7 eDirectory SSO, Novell users will only need to authenticate once at initial client login to gain web access to the Internet.
Based on the ASG V7 SSO authenticated user, user-, group- and/or container-based access control and content inspection profiles are assigned.
Once authenticated, Web security capabilities of ASG are applied to traffic flows based on the user, including prevention of phishing, virus and spam attacks, without the need for further authentication at the browser level.
Remote Authentication/ Novell eDirectory
When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser.
It allows you to select user groups directly in the WebAdmin Interface.
NOTE:
SSO in eDir does not work on machines where more than one user is logged in.
Currently ASG V7 does not support containers and multiple root nodes in eDir.
Remote Authentication/ Active Directory (1)
Can be used to implement single sign on with Astaro Security Gateway when using the HTTP Proxy
NTLM uses a challenge-response authentication scheme
Allows to have all users centrally managed in groups of users.
NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name is derived from the Hostname in the Basic System Settings! (see there)
Remote Authentication/ Active Directory (2)
Using Surf-Protection with Active Directory Authentication requires a running Windows Server and AD services.
Active Directory Service manages the users of a Windows Domain.
LDAP uses the Distinguished Name (DN) of a user for identification. The name has to be unique within the directory.
Steps to perform:
1. Create an AD user with read privileges (used by ASG to query the AD service).
2. Add the AD Users and Computers Snap-In in the MS Management Console to define it.
3. To add the user, right click on your Domain Controller to define a new user.
4. Grant full read privileges to your defined user (right click CN: properties).
5. Create as many users as you need in your Active Directory. All of these users are able to authenticate.
Remote Authentication/ RADIUS
Remote Access Dial-In User Service (RADIUS)
Uses UDP port 1813 or 1645 to send queries for authentication
Uses an external directory for large installations, often used by Internet Service Providers for the purpose of network, router and internet access
Only the password is encrypted
NOTE: Since the passwords are transferred over the network using a weak encryption, you should place the server in a trusted network which cannot be sniffed.
Remote Authentication/ TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+)
Uses TCP port 49 to send queries for authentication and is therefore more reliable than RADIUS
Also uses an external directory for large installations, often used by Internet Service Providers
TACACS+ separates, unlike RADIUS, authentication and authorization.
The whole datagram is encrypted
Despite the name, TACACS+ does not have too much in common with TACACS (without the +)
Remote Authentication/ LDAP
LDAP (Lightweight Directory Access Protocol) is an information model and a protocol for querying and manipulating tree-like directories.
LDAP's overall data and namespace model is essentially that of X.500.
The authentication by querying an LDAP Server requires an active DNS Proxy with valid entries.
Astaro Security Gateway can connect to LDAP-based directories such as:
Sun Identity Server
OpenLDAP
But also these are based on LDAP:
Active Directory
Novell eDirectory
Control of Proxy usage on a per-user basis!
Bind-DN and password are used for login to an LDAP server
Base-DN specifies the location of the user database in the LDAP tree
Remote Authentication/ Advanced
Advanced Configuration
Backend query order
Defines in which order all the configured backends for authentication are queried. This is important if the same user exists in different directories.
Password complexity
When users change their password in the Astaro End-User Portal, you can force them to use complex passwords with these settings.
User Authentication Configuration Example
Authentication/ Local Users (1)
To add yourself to the local user directory, first go to the Users/Users menu.
This menu offers you to view existing or add new users:
When adding a new user, you will need to fill out the following form, which contains:
a username
the real name
e-mail address
additional e-mail addresses (optional)
authentication is local
Authentication/ Local Users (2)
When you have finished and saved the entry, you should find the following user in the list:
Every entry has two buttons which allow you to
Edit the entry and bring you back to the user-add dialog
or Delete the entry
The rest of the line contains information about the user, his e-mail address, the authentication source and a comment
Authentication/ Remote User-Authentication: NTLM (1)
Before NTLM/SSO becomes available, you need to set up the Active Directory configuration.
Active Directory takes only few parameters:
the server itself: use an existing or newly created definition here
the port to connect to: predefined to 389 (the default)
SSL: encrypt or not
The authentication information:
the Bind User Distinguished Name: the user that connects to the directory (read-only)
the authentication password: a (valid) password for this user.
Authentication/ Remote User-Authentication: NTLM (2)
Once the Active Directory Configuration is set up, NTLM/SSO becomes available and can be configured. To do so, you need to join your ASG into your Windows Domain.
This works exactly as it would with a Windows PC: you need an administrative account to approve the join.
Simply enter the Domain Name and the credentials and hit apply.
NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name is derived from the Hostname in the Basic System Settings! (see there)
Authentication/ Remote User Groups
Finally, to use whole groups on the remote Active Directory, you may want to create an assignment of remote user groups to local user groups:
To do so, go to the Users/groups menu and create a new user group.
The group should be of group-type Backend Membership with the backend Active Directory. This example limits the membership of the local group Active Directory to members of the remote AD group http_users (which exists in the Active Directory).
User Authentication Review Questions
User Authentication/ Review Questions
1. How are Users and Groups structured?
2. Which Authentication Methods are supported by Astaro?
3. What's the benefit of using NTLM Authentication?
4. How is SSO activated when using Active Directory?
Web Security
In this chapter you will learn about:
HTTP Profiles
HTTP Authentication
Web Security/ HTTP Proxy Overview (1)
The HTTP Proxy allows you to do:
User Authentication
Content Filtering
HTTP Protocol Enforcement
The content filter works with:
SurfControl
Astaro AV
Clam AV
Web Security/ HTTP Proxy Overview (2)
The HTTP Proxy relays HTTP, HTTPS, FTP and WebDAV queries.
HTTP and FTP queries are cached in disk and memory.
(Diagram: HTTPS, HTTP and FTP clients connect through the FTP/HTTP Proxy & Cache)
Web Security/ HTTP Proxy - Workflow
Flexible configuration is possible through so called Proxy Profiles and Filters.
Each Profile holds a combination of options and settings.
Web Security/ Content Classification
Text Classification
Text is categorized using Bayesian statistical methods and vector machine algorithms.
Optical Character Recognition (OCR)
OCR recognizes text in graphics and images, and can even analyze colored type or transparent text on any background. This module supports a wide range of type fonts, colors, sizes and rotations.
Logo and Object Recognition
This module searches for logos, symbols and other graphical elements in photos.
Face Recognition
This module recognizes faces, including color, hue and texture. With high-quality images, it is even possible to search for individual persons.
Pornography and Recognition of Nudity
This module identifies nudity by analyzing the qualities of human skin and individual skin tones.
Digital Fingerprint
This module characterizes and labels images and data for later identification on the Internet, intranets or in e-mail messages.
HTTP Proxy Configuration Overview
Web Security/ HTTP Proxy (1)
HTTP Proxy Global Configuration
Web Security/ HTTP Proxy (2)
Operational Modes
Standard
Proxy listens on port 8080
Allows any network listed in Allowed Networks to connect
Client browser must be configured
HTTP proxy service requires a valid Domain Name Server (DNS)
Transparent
Proxy handles all traffic on port 80
Client doesn't need to touch browser configuration
Proxy cannot handle FTP and HTTPS
Packetfilter must allow port 21 and 443
No HTTP on other than port 80
Clients must be able to resolve hostnames
Web Security/ HTTP Proxy (3)
Enabling User Authentication will bring up a User/Group selection dialog.
Operational Modes with User Authentication:
Basic
Active Directory
Novell eDirectory
Web Security/ HTTP Proxy (4)
Configuring User Authentication for HTTP:
When you have selected one of the user-authentication operation modes, a User/Groups selection box pops up.
Drag and Drop the allowed Users and Groups to this box.
Web Security/ Anti Virus
HTTP Anti Virus
Enable/Disable Virus scanning
Use one or both Virus scanners and, if available, the Hardware Scanning Engine
Disallow Downloads by file-extension
Virus-Scan files up to this size.
Web Security/ Content Filter (1)
HTTP Content Filter: Default profile
Operation mode: Black or Whitelist
Categories to block or allow
Black-/White-list these URLs
Activate Spyware Protection
Control Active Content removal
Web Security/ Content Filter (2)
HTTP Content Filter: Category assignment
The Number of Categories is fixed.
Names and Contents can be edited.
Assigned Subcategories
Modify Name and Assignment
Web Security/ Content Filter (3)
HTTP Content Filter: Exceptions
Content Filter Exceptions, e.g. windowsupdate.com
Skip individual checks, like:
Authentication
Anti Virus
Content Filter
for selected Hosts
Web Security/ Content Filter Profiles (1)
HTTP Content Filter Profiles
Content Filter Profiles allow you to treat different user(-groups) and network areas differently.
The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.
Web Security/ Content Filter Profiles (2)
HTTP Content Filter Profiles
A Proxy Profile combines
Filter Assignments
and Authentication Methods
They are processed in order
Web Security/ Content Filter Profiles (3)
HTTP Content Filter Profiles
A Filter Assignment combines
Users and Usergroups
Access times
and Filter Actions
Web Security/ HTTP Content Filter Working Principle
(Diagram: Proxy Profile [Networks, Authentication Methods] -> Filter Assignment [Users, Groups; Time; Action] -> Filter Actions [Categories, Anti-Virus, Content Removal] -> WWW)
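To make the processing order concrete, here is an added Python model of the working principle shown above (example code, not courseware or ASG code): a Proxy Profile holds Filter Assignments in order, each binding users/groups and an access time to a Filter Action. The class names, the sample profile and the default action used when no assignment matches are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import time

# Constructed model (an assumption of this example, not the ASG internals):
# a Proxy Profile holds an ordered list of Filter Assignments; each binds
# users/groups plus a time window to a Filter Action (categories, AV, removal).

@dataclass(frozen=True)
class FilterAction:
    name: str
    blocked_categories: frozenset
    antivirus: bool = True
    content_removal: bool = False

@dataclass(frozen=True)
class FilterAssignment:
    principals: frozenset   # user or group names this assignment applies to
    start: time             # access-time window: start inclusive,
    end: time               # end exclusive
    action: FilterAction

@dataclass(frozen=True)
class ProxyProfile:
    name: str
    assignments: tuple            # processed in order; the first match wins
    default_action: FilterAction  # hypothetical fallback when nothing matches

def match_assignment(profile, principals, now):
    """Return the first assignment whose principals intersect the request's
    user/group set and whose time window contains `now`, else None."""
    for a in profile.assignments:
        if a.principals & principals and a.start <= now < a.end:
            return a
    return None

def decide(profile, principals, now, category):
    """Return ('allow' | 'block', action name) for one request. A request
    outside every window (e.g. after 6 p.m. when only working hours are
    defined) falls through to the profile's default action."""
    a = match_assignment(profile, principals, now)
    action = a.action if a else profile.default_action
    verdict = "block" if category in action.blocked_categories else "allow"
    return verdict, action.name

# Constructed sample: Entertainment, Trading and Gambling blocked for the
# "staff" group from 08:00 to 18:00; nothing is defined for after hours.
WORK_HOURS = FilterAction("work", frozenset({"Entertainment", "Trading", "Gambling"}))
DEFAULT = FilterAction("default", frozenset())
PROFILE = ProxyProfile("Internal", (FilterAssignment(frozenset({"staff"}), time(8), time(18), WORK_HOURS),), DEFAULT)
```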
Web Security/ HTTP Proxy Advanced Options
Skip Hosts and Networks for Transparent Proxying
The port to listen for client requests
Care for those services outside.
If integrated in a proxy hierarchy, use this parent.
The parent proxy takes username and password as configuration if authentication is necessary.
Web Security Review Questions
Web Security/ Review Questions
1. What do you need to consider when using NTLM Authentication if your PC is not assigned to the domain ASLLAB?
2. Is it possible to limit access to Entertainment, Trading and Gambling during working hours but allowing it after 6 p.m.?
3. What happens if you have time-based profiles for groups during the working hours created but nothing defined for after hours?
.
5. What might be reasons if NTLM is not working correctly?
6. What is the purpose of different profiles?
7. What happened when downloading eicar.com from the Internet?
8. What would you recommend if servers will download larger patches automatically over the http proxy and Virus-scanning is enabled?
Refresher: SMTP Proxy
Upon completion of this chapter you will be able to perform the following:
Explain the SMTP proxy architecture
SMTP Proxy/ Overview
Simple Mail Transfer Protocol
SMTP relay shields your internal mail server from malformed, malicious, and unwanted messages
Can relay incoming and outgoing mails
Scans mails for viruses and other malicious data
Deals with SPAM
NOTES:
The SMTP proxy also supports subdomains
To use the SMTP proxy correctly, a valid name server (DNS) must be configured
SMTP Proxy/ Relaying Incoming / Outgoing e-mail
Define the domains the security system should be responsible for
You should have a DNS MX record for every domain pointing to the security system
Specify the internal server to which e-mails should be forwarded
Define which networks and hosts are allowed to send outgoing e-mail using the security system (never use ANY)
Optionally you can switch on authenticated relaying for single users
Define a smarthost if outgoing e-mail is not delivered to the recipient directly
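An added Python sketch of the relaying decision these rules describe (example code, not the ASG implementation or its configuration format): mail for the domains the system is responsible for (including their subdomains) is forwarded to the internal server, outgoing mail is accepted only from Allowed Networks or an authenticated user, and everything else is rejected so the gateway never acts as an open relay. The config dictionary, addresses and networks are constructed samples.

```python
import ipaddress

# Constructed relay configuration (this example's own layout, not the ASG
# format): domains we are responsible for and their internal server, the
# networks allowed to send outgoing mail, and an optional smarthost.
RELAY_CONFIG = {
    "domains": {"example.com": "10.0.0.25"},
    "allowed_networks": [ipaddress.ip_network("10.0.0.0/24"),
                         ipaddress.ip_network("192.168.1.0/24")],
    "smarthost": "smtp.isp.example",   # None means deliver directly
}

def _internal_server(domain, domains):
    """Return the internal server for a configured domain or one of its
    subdomains (the proxy also supports subdomains), else None."""
    domain = domain.lower()
    for d, server in domains.items():
        if domain == d or domain.endswith("." + d):
            return server
    return None

def route_message(client_ip, rcpt, authenticated=False, cfg=RELAY_CONFIG):
    """Return (verdict, next hop or reason) for one envelope recipient.
    verdict is 'relay-in', 'relay-out' or 'reject'."""
    if "@" not in rcpt:
        return ("reject", "invalid recipient")
    domain = rcpt.rsplit("@", 1)[1]
    # Incoming: our own domains always go to the internal server.
    server = _internal_server(domain, cfg["domains"])
    if server is not None:
        return ("relay-in", server)
    # Outgoing: only Allowed Networks or authenticated users may relay.
    src = ipaddress.ip_address(client_ip)
    if authenticated or any(src in net for net in cfg["allowed_networks"]):
        return ("relay-out", cfg["smarthost"] or "direct:" + domain)
    # Anything else would make us an open relay: reject ("never use ANY").
    return ("reject", "relaying denied")
```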
SMTP Proxy/ Anti-Virus
Anti-Virus scanning checks every message for viruses, worms and other malware
Astaro Security Gateway features several anti-virus engines for best security
Single Scan provides maximum performance
Dual Scan uses two different scan engines for an extra level of security
Optionally activate the Hardware accelerated scanner (only supported with hardware appliances ASG425/ASG525)
Messages containing malicious content will be blocked and stored in the e-mail quarantine or instantly removed
Unwanted file attachments can be blocked by file extensions
End users can review and release their quarantined messages either through the Astaro End User Portal or the daily End User Spam Report
Using the Pattern Up2Date, you will always be protected against the latest threats
SMTP Proxy/ Anti-Spam: Overview
Provides many "arrows for the quiver" in fighting unwanted e-mails from entering the network
Users can consult with real-time blackhole lists and allow certain senders or networks to be exempt from many of the checks
Expression (keyword) filtering can take action on messages that contain certain patterns in the subject line or message body
Astaro Security Gateway features several techniques to reduce Spam:
Realtime Blackhole Lists
Advanced heuristic analysis
Greylisting
SPF record checks
BATV reverse path signing
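The last technique in the list, reverse path signing, is worth seeing in code. The following is an added Python example (not courseware or ASG code) in the style of BATV "prvs" tags: outgoing envelope senders get a short, expiring HMAC tag, and a bounce to an untagged, forged or expired address is rejected, which is what stops backscatter. The tag layout (key id, expiry day-of-year, six hex characters of HMAC), the secret and the addresses are assumptions and constructed values of this example, not a statement of the exact BATV specification or of what the ASG emits.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed prvs-style layout: prvs=<K><DDD><SSSSSS>=<local>@<domain>
#   K      one-digit key id, DDD expiry day-of-year mod 1000,
#   SSSSSS first 6 hex chars of HMAC-SHA1 over K + DDD + original address.
SECRET = b"constructed-example-secret"   # constructed; rotate per key id
KEY_ID = "0"
VALID_DAYS = 7

def _sig(key_id, day_tag, address):
    mac = hmac.new(SECRET, (key_id + day_tag + address).encode(), hashlib.sha1)
    return mac.hexdigest()[:6]

def sign_reverse_path(address, today):
    """Tag the envelope sender of an outgoing message. `today` is an ISO date."""
    local, domain = address.rsplit("@", 1)
    expiry = date.fromisoformat(today) + timedelta(days=VALID_DAYS)
    day_tag = "%03d" % (expiry.timetuple().tm_yday % 1000)
    return "prvs=%s%s%s=%s@%s" % (KEY_ID, day_tag, _sig(KEY_ID, day_tag, address), local, domain)

def accept_bounce(rcpt, today):
    """Decide whether a bounce (null sender) addressed to rcpt is genuine.
    Returns (accepted, original address or rejection reason)."""
    if "@" not in rcpt:
        return (False, "malformed address")
    local, domain = rcpt.rsplit("@", 1)
    if not local.startswith("prvs="):
        return (False, "untagged: we never sent mail with this sender")
    try:
        tag, orig_local = local[5:].split("=", 1)
        key_id, day_tag, sig = tag[0], tag[1:4], tag[4:10]
    except (ValueError, IndexError):
        return (False, "malformed tag")
    original = orig_local + "@" + domain
    if not hmac.compare_digest(sig, _sig(key_id, day_tag, original)):
        return (False, "bad signature")
    # Expiry: the tagged day already lies in the past (mod 1000) -> reject.
    age = (date.fromisoformat(today).timetuple().tm_yday % 1000 - int(day_tag)) % 1000
    if 0 < age < 500:
        return (False, "expired")
    return (True, original)
```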
SMTP Proxy Refresher Review Questions
SMTP Proxy/ Review Questions
1. What is the fundamental precondition that the SMTP proxy will handle incoming e-mails?
2. Is it possible to configure more than one SMTP route?
3. What are possible configuration options to avoid SPAM?
4. What is User spam releasing?
. in Allowed Networks?
6. Does Virus Protection also check outgoing e-mails?
7. What are the options to handle unwanted e-mails?
8. What happens if BATV is turned on?