CacheGuard OS
User's Guide - Version 5.7.6
Network Security
Security is one of the appliance's main concerns. The appliance distinguishes between two types of network traffic: traffic destined to the appliance itself (Web traffic) and traffic that passes through the appliance to third parties.
Access to the appliance itself, and access by the appliance to other objects, can both be controlled and configured according to your needs and security policies. The command "access" allows you to control this traffic.
The appliance integrates a stateful IP firewall that controls all other network traffic not destined to the appliance itself. The command "firewall" allows you to control this traffic.
Administration Access
For security reasons, administration of the appliance is granted only to trusted administrators, so administrators must be authenticated (with login/password) before they can access the administration interfaces. Moreover, remote administrators must be declared as trusted before being allowed to access the administration interfaces. A remote trusted administrator is identified by their IP address. The same restriction applies to file servers exchanging files with the appliance. To allow a remote administrator with the IP address "172.18.2.1" to administrate the appliance, use the following commands:
- access admin add 172.18.2.1
- apply
To trust the file server reachable at the IP address "172.18.2.1" in your networks, use the following commands:
- access file add 172.18.2.1
- apply
Note that the supported protocols are FTP and TFTP. When using FTP, if the FTP server requires authentication, a login and password may also be specified with the command "access file". To set the login and password, give the login name after the IP address and then press return to be prompted to enter the password securely. The FTP password can also be set with the command "password".
Web Surfers Access
By default, all internal Web surfers are allowed to connect to the internet by using the appliance as an Internet gateway and a Web proxy. This access may be restricted to predefined subnets only, if desired. To activate this feature, at least one Web surfer access rule must be defined. Note that when previous peers (see the command "peer") are defined, this feature is implicitly activated.
To allow only Web surfers located on the subnets "172.18.2.0 / 255.255.255.0" and "10.26.0.0 / 255.255.0.0" to access the internet, use the following commands:
- access web raz
- access web add 172.18.2.0 255.255.255.0
- access web add 10.26.0.0 255.255.0.0
- apply
Web Servers Access
By default, the appliance is allowed to access all backend Web servers. This access may be restricted to predefined subnets only. To activate this feature, at least one Web server access rule must be defined.
To allow only Web servers located on the subnet "172.18.3.0 / 255.255.255.240" to be accessed by the appliance, use the following commands:
- access rweb raz
- access rweb add 172.18.3.0 255.255.255.240
- apply
The Firewall
The appliance may filter network traffic other than Web traffic as soon as firewall mode is activated and the appliance acts as a router. This way, all incoming network traffic from the external area (internet) destined to the internal area, and all outgoing network traffic from the internal area (local Web surfers and Web servers) destined to the external area, may be controlled by the appliance. The internal firewall (command "firewall intern") manages outgoing network traffic while the external firewall (command "firewall extern") manages incoming network traffic.
The "firewall" command allows you to configure the integrated firewall. If no rules are specified, all outgoing traffic initiated from the internal area and destined to the external area is allowed, while all incoming traffic from the external area destined to the internal area is denied. If at least one rule is added to the internal firewall, then only the specified network traffic is allowed. To allow incoming network traffic from the external area destined to the internal area, simply add the related rule to the external firewall.
In addition, when the firewall feature is activated, the appliance blocks common network attacks such as SYN-flood attacks, ping-of-death attacks, brute-force and port-scan attacks, and more.
The firewall module also provides NAT (Network Address Translation) and PAT (Port Address Translation) mechanisms to translate network addresses and port numbers.
To better understand the firewall mechanism, consider the following example: to allow a workstation with the IP address "172.18.2.5", located in the internal area, to use peer-to-peer applications whose peers in the external area connect back to that workstation on the TCP ports 7510:7529, use the following commands:
- mode firewall on
- mode router on
- mode snat off
- firewall intern add tcp 172.18.2.5 any
- firewall extern add tcp any 172.18.2.5 7510:7529 172.18.2.5
- apply
In the above example, the "snat" mode (source NAT) was deactivated for simplicity. If you have to activate the "snat" mode and the external IP address is set to 192.168.1.254, the commands to use are:
- ip extern 192.168.1.254 255.255.255.0
- mode firewall on
- mode router on
- mode snat on
- firewall intern add tcp 172.18.2.5 any
- firewall extern add tcp any 192.168.1.254 7510:7529 172.18.2.5
- apply
Note that firewall rules are applied after NAT and PAT operations.
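As an added illustration (this is not CacheGuard's own code, whose internals are not published on this page), the following Python model implements the rule semantics described above: it parses the command lines of the second example, applies the "no internal rule means everything out, no external rule means nothing in" defaults, and evaluates incoming packets as they look after NAT/PAT, so with "snat" on an external rule matches the external IP and the last argument names the internal host. The class and function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class FirewallModel:
    """Toy model of the guide's 'firewall intern/extern' semantics (an assumption, not CacheGuard code)."""
    snat_on: bool = False
    external_ip: str = ""
    intern: list = field(default_factory=list)  # outgoing rules: (proto, src, dst)
    extern: list = field(default_factory=list)  # incoming rules: (proto, src, dst, (lo, hi), internal_dst)

    def run(self, line):
        """Apply one configuration line in the guide's command syntax (a leading '- ' marker is allowed)."""
        w = line.lstrip("- ").split()
        if not w:
            return  # blank line
        if w[:2] == ["ip", "extern"]:
            self.external_ip = str(ipaddress.ip_address(w[2]))  # validates the address
        elif w[:2] == ["mode", "snat"]:
            self.snat_on = w[2] == "on"
        elif w[:3] == ["firewall", "intern", "add"]:
            self.intern.append((w[3], w[4], w[5]))
        elif w[:3] == ["firewall", "extern", "add"]:
            lo, hi = (int(p) for p in w[6].split(":"))  # PAT port range such as 7510:7529
            self.extern.append((w[3], w[4], w[5], (lo, hi), w[7]))
        elif w[0] not in ("mode", "apply"):  # 'mode firewall/router' and 'apply' are accepted, not modelled
            raise ValueError(f"unsupported line: {line}")

    def outgoing(self, proto, src, dst):
        """Internal -> external: allowed when no intern rule exists, otherwise only if a rule matches."""
        return not self.intern or any(
            p == proto and s in ("any", src) and d in ("any", dst) for p, s, d in self.intern)

    def incoming(self, proto, src, dst, port):
        """External -> internal, checked after NAT/PAT; returns the internal host it goes to, or None if denied."""
        for p, s, d, (lo, hi), internal in self.extern:
            if p == proto and s in ("any", src) and d in ("any", dst) and lo <= port <= hi:
                return internal
        return None

def build(lines):
    """Feed every line of a configuration listing into a fresh model and return it."""
    fw = FirewallModel()
    for line in lines:
        fw.run(line)
    return fw

# Constructed input: the guide's second firewall example (snat on), in the order given above.
SNAT_EXAMPLE = ("ip extern 192.168.1.254 255.255.255.0", "mode firewall on", "mode router on", "mode snat on",
                "firewall intern add tcp 172.18.2.5 any",
                "firewall extern add tcp any 192.168.1.254 7510:7529 172.18.2.5", "apply")
```

With the model built from SNAT_EXAMPLE, only the workstation's TCP traffic may leave, and only TCP from outside to 192.168.1.254 on ports 7510 to 7529 is delivered (to 172.18.2.5); a packet addressed to 172.18.2.5 directly is dropped because, after NAT, no rule matches it.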
Authentication
Authentication is used to restrict Web (or rWeb) usage to authenticated end users only. The current appliance version supports only the LDAP authentication mode. The command "authenticate" allows you to configure authentication. To authenticate end users, the authentication mode must be activated using the command "mode".
For instance consider the following commands:
- mode authenticate on
- authenticate ldap attribute 'ou=people,dc=example,dc=com' 'uid' 'userPassword' 'objectClass=inetOrgPerson'
- authenticate ldap server add ldaps ldap.example.com 10.0.10.1
- authenticate ldap binddn set 'cn=admin,dc=example,dc=com'
- password ldap admin
- apply
The first command activates the authentication mode. The second command specifies that authentication is required for users of the class "inetOrgPerson", registered under the object "ou=people,dc=example,dc=com", identified by the LDAP attribute "uid" and whose password is stored in the LDAP attribute "userPassword". The third command specifies an LDAP server that supports SSL/TLS encryption, having the IP address "10.0.10.1" and named "ldap.example.com". Finally, the fourth and fifth commands specify a bind DN (Distinguished Name) and password to access the LDAP tree.
Password Management
Administrator users are authenticated with a login and password to access the appliance. There are three types of passwords:
- The console password (for SSH and the console port)
- The Web administration GUI password
- The Web auditing GUI password
To set the console password use the following command:
Note that the console password modification takes effect after invoking the command "apply".
To set the Web administration GUI password use the following command:
To set the Web auditing GUI password use the following command:
If accessing authentication information on LDAP servers requires a password, the command "password" is used to set it. To set the access password for the top LDAP object identified by the distinguished name "cn=admin,dc=example,dc=com", use the following command:
- password ldap set 'cn=admin,dc=example,dc=com'
If no password is required, erase the given password with the following command:
Copyright (C) 2002-2011 CacheGuard - All rights reserved