CacheGuard-OS
User's Guide - Version UF-2.3.5


The Network

A freshly installed CacheGuard-OS has no IP configuration at all; before you can connect to it as an administrator (the admin user), you must set an IP address on at least one of its network interfaces. The only way to set an IP address for the first time on a CacheGuard appliance is through the appliance's console port. At the first login (as the admin user) via the console port, a command named setup runs automatically and lets you set CacheGuard's internal and external IP addresses. As an alternative, you can use the ip command.

Network Interfaces

With a CacheGuard appliance, the network is divided into at least two zones: the internal zone and the external zone. The external zone is considered untrusted (the Internet), while protected users and servers should be placed in the internal zone, which is considered trusted. A third, optional zone called auxiliary can be created and used as you see fit (for instance, as a DMZ or as a back-office zone). The internal zone can optionally be divided into sub-zones using tagged VLANs.

A CacheGuard appliance connects to each zone through a distinct logical network interface. Hence, a CacheGuard appliance can have up to three logical network interfaces: the external, the internal, and the auxiliary logical network interfaces. In this topology, internal users and servers are reached via the internal interface, while the appliance uses its external interface to connect to the Internet.

A logical network interface should be associated with at least one physical network interface. The link command associates a logical network interface with a physical (eth0, eth1...) network interface. A link configuration in which more than one physical network interface is associated with the same logical network interface is called link bonding. Link bonding is an active/backup configuration that keeps the service running in the event of a link failure. Refer to the Link Bonding section for further information on link bonding.

Appliance IP Addresses

To carry IP traffic, a logical network interface must be associated with a main IP address, which you set with the ip command. Additional IP addresses can be associated implicitly with a logical network interface by other commands: for instance, the vrrp command creates floating IP addresses in HA mode, and the rweb command may create IP aliases attached to a main IP address. The example below sets the external IP address to 192.168.1.1 255.255.255.0 and the internal IP address to 10.20.0.254 255.255.0.0:

Using 802.1q VLANs

A CacheGuard appliance supports 802.1Q VLAN (Virtual LAN) tagging on its internal network interface, which lets you isolate the predefined functional traffic classes (admin, web, rweb...) from each other. When tagged VLANs are used, a pseudo network interface is implicitly created for each defined VLAN. To use VLANs, activate the VLAN mode with the mode vlan on command, then configure the VLANs with the vlan and ip commands. Note that in VLAN mode the native IP address associated with the internal network interface is no longer active, so you must configure a separate IP address for each pseudo network interface. For instance, the following commands define tagged VLANs 10, 20, and 30, associated respectively with the web, rweb, and admin functional traffic, and set a distinct IP address for each created VLAN (all other functional traffic remains in the default VLAN 0).
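To make the tagging mechanism concrete, here is an added example (not code from the CacheGuard-OS guide or product) that parses 802.1Q-tagged Ethernet frames and maps their VLAN identifier to the functional classes of the example above. The VID-to-class mapping (10 = web, 20 = rweb, 30 = admin, 0 = default) is taken from that example; the frame bytes are constructed, and the function names are this example's own.

```python
"""Added example (not CacheGuard-OS code): classify Ethernet frames by their
802.1Q VLAN tag, the way a tagged internal interface demultiplexes traffic to
the per-VLAN pseudo interfaces described in the guide.

The VLAN-to-function mapping (10 = web, 20 = rweb, 30 = admin, 0 = default)
follows the guide's example; the frames built below are constructed input.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Assumed mapping, taken from the guide's VLAN example. VID 0 marks a frame
# that is untagged or only priority-tagged: it stays in the default VLAN.
VLAN_FUNCTIONS = {0: "default", 10: "web", 20: "rweb", 30: "admin"}


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, 802.1Q fields (VID/PCP/DEI), EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = pcp = dei = 0
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13          # 3-bit priority code point
        dei = (tci >> 12) & 1    # drop eligible indicator
        vid = tci & 0x0FFF       # 12-bit VLAN identifier
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vid": vid, "pcp": pcp, "dei": dei,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def classify(frame: bytes) -> str:
    """Name the functional traffic class a frame belongs to, by VLAN id.

    A tag carrying a VID that is not configured is rejected instead of being
    silently merged into the default VLAN, so a stray tag cannot reach a zone
    it was not assigned to."""
    vid = parse_frame(frame)["vid"]
    if vid == 0xFFF:
        raise ValueError("VID 4095 is reserved")
    if vid not in VLAN_FUNCTIONS:
        raise ValueError(f"unconfigured VLAN {vid}")
    return VLAN_FUNCTIONS[vid]


def is_accepted(frame: bytes) -> bool:
    """True when the frame maps to a configured VLAN, False when rejected."""
    try:
        classify(frame)
        return True
    except ValueError:
        return False


def build_frame(dst: str, src: str, vid, ethertype: int = 0x0800,
                pcp: int = 0, payload: bytes = b"") -> bytes:
    """Build a frame; vid=None emits an untagged frame, otherwise a tagged one."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames: two hosts on the internal segment.
    host, gw = "00:01:00:02:00:03", "00:0a:0b:0c:0d:0e"
    for vid in (None, 10, 20, 30, 40):
        frame = build_frame(host, gw, vid, payload=b"\x45\x00")
        verdict = classify(frame) if is_accepted(frame) else "rejected"
        print(f"vid={vid!s:>4}: {verdict}")
```

Frames whose tag names a VLAN that is not configured are rejected rather than folded into the default VLAN. The same discipline applies on the switch side: the ports facing the internal interface should be trunk ports that accept only the configured VIDs, because VLAN isolation is only as strong as the tag enforcement of every device on the segment.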

Network Routes

To route (or forward) IP traffic, you must define routes. CacheGuard-OS supports static routes only. However, you can create multi-gateway routes to balance IP routing between several gateways. In a multi-gateway configuration, gateway failures can be detected and the routing configuration dynamically modified so that traffic is no longer sent via failed gateways. Please note that the gateways in a route specification must be directly connected to a CacheGuard network interface and have an IP address in the same network as that interface's IP address. For example, the following commands create two default gateways, 192.168.1.254 and 192.168.1.253, and a static route to the 172.22.22.0 255.255.255.0 network via the 10.20.0.1 gateway.

Domain Name Servers

To reach external name-based services (for instance, websites), a CacheGuard appliance needs a DNS (Domain Name Server) to translate domain names into IP addresses. The appliance embeds a caching-only DNS server that you activate by adding localhost (or the 127.0.0.1 loopback IP address) to the list of DNS servers. You can also add external DNS servers to the system with the dns command. If you activate the internal DNS server, you can allow external clients to use it as a service. Please note that you can restrict DNS access to trusted networks only by using the access command; a recursive resolver reachable from the untrusted zone can be abused (for example, in DNS amplification attacks), so restrict it to the networks that actually need it. The example below activates the internal DNS and allows IP clients to use it as a service.

DHCP Server

A CacheGuard appliance integrates an easy-to-handle DHCP server that you can activate to deliver dynamic IP addresses to connected devices. The dhcp command lets you define dynamic IP address ranges and/or fixed IP addresses for particular devices, identified by their MAC address on an Ethernet network. Please note that IP addresses can only be delivered to devices connected to the internal network interface (or the web interface in VLAN mode). The example below activates the DHCP server, configures it to deliver dynamic IP addresses between 10.20.0.11 and 10.20.0.15, and reserves the IP address 10.20.0.10 and the hostname john for the device with the MAC address 00:01:00:02:00:03.
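As an added example (not CacheGuard-OS code), the following Python script checks a planned configuration against two rules stated in this chapter: every route gateway, including each gateway of a multi-gateway default route, must be on-link on a directly connected interface, and DHCP ranges and fixed addresses must fit the internal interface's network without colliding with each other or with the appliance's own address. It uses the IP addresses, routes, range and MAC address from the examples of the Appliance IP Addresses, Network Routes and DHCP Server sections; the check functions and their names are assumptions of this example, not commands of the appliance.

```python
"""Added example (not CacheGuard-OS code): pre-flight checks over a planned
network configuration, encoding two constraints stated in the guide.

1. The gateway of a route (including each gateway of a multi-gateway default
   route) must be on-link: inside the network of a directly connected
   interface, and not the interface's own address.
2. DHCP leases are only served on the internal interface, so dynamic ranges
   and fixed addresses must lie in that interface's network, must not use the
   appliance's own address, and fixed addresses must not sit inside a range.

The interface, route and DHCP values are the guide's example values; the
check functions and their names are this example's own.
"""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Main IP addresses of the logical interfaces, as in the guide's ip example.
INTERFACES = {
    "external": IPv4Interface("192.168.1.1/255.255.255.0"),
    "internal": IPv4Interface("10.20.0.254/255.255.0.0"),
}

# (destination, gateway): two default gateways plus one static route.
ROUTES = [
    ("default", "192.168.1.254"),
    ("default", "192.168.1.253"),
    ("172.22.22.0/255.255.255.0", "10.20.0.1"),
]

DHCP_RANGES = [("10.20.0.11", "10.20.0.15")]
DHCP_FIXED = {"00:01:00:02:00:03": "10.20.0.10"}

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def gateway_interface(gateway: str, interfaces=INTERFACES):
    """Name of the directly connected interface whose network contains the
    gateway, or None when the gateway is not on-link anywhere."""
    gw = IPv4Address(gateway)
    for name, iface in interfaces.items():
        if gw in iface.network and gw != iface.ip:
            return name
    return None


def check_routes(routes, interfaces=INTERFACES) -> list:
    """Return a list of problems; an empty list means every route is valid."""
    problems = []
    for dest, gw in routes:
        if dest != "default":
            try:
                IPv4Network(dest)  # strict: a destination with host bits set is an error
            except ValueError as exc:
                problems.append(f"route to {dest}: {exc}")
        if gateway_interface(gw, interfaces) is None:
            problems.append(f"route to {dest}: gateway {gw} is not on-link")
    return problems


def check_dhcp(ranges, fixed, interfaces=INTERFACES) -> list:
    """Return a list of problems with the DHCP ranges and fixed addresses."""
    net, own = interfaces["internal"].network, interfaces["internal"].ip
    problems, spans = [], []
    for first, last in ranges:
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo > hi:
            problems.append(f"range {first}-{last}: first address above last")
            continue
        if lo not in net or hi not in net:
            problems.append(f"range {first}-{last}: outside {net}")
        if lo <= own <= hi:
            problems.append(f"range {first}-{last}: contains appliance address {own}")
        spans.append((lo, hi))
    for mac, ip in fixed.items():
        if not MAC_RE.match(mac):
            problems.append(f"{mac}: not a colon-separated 48-bit MAC address")
        addr = IPv4Address(ip)
        if addr not in net:
            problems.append(f"{mac}: fixed address {ip} outside {net}")
        elif addr == own:
            problems.append(f"{mac}: fixed address {ip} is the appliance address")
        if any(lo <= addr <= hi for lo, hi in spans):
            problems.append(f"{mac}: fixed address {ip} overlaps a dynamic range")
    return problems


if __name__ == "__main__":
    for problem in check_routes(ROUTES) + check_dhcp(DHCP_RANGES, DHCP_FIXED):
        print("problem:", problem)
    print("checks done")
```

With the guide's values both checks return no problems. Run it again after editing the dictionaries at the top to see how a gateway on the wrong segment or a fixed address inside a dynamic range is reported before the configuration reaches the appliance.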

High Availability

CacheGuard appliance uses several technologies to ensure the High Availability of the services that it offers. The HA in a CacheGuard appliance is based on redundancy and resiliency concepts. If you plan to implement CacheGuard solutions to secure and/or optimise critical services in your organisation, it is highly recommended to implement the HA offered in CacheGuard-OS.

The VRRP Protocol

By associating several CacheGuard appliances in HA mode, you ensure service continuity and HA (High Availability) in the event of a software or hardware failure on one of them. To associate two (or more) CacheGuard appliances in HA mode, activate the HA mode on each of them with the mode ha on command. In HA mode, the operational appliances automatically take over the network traffic that was initially destined for a failed appliance. The HA mode is based on VRRP (Virtual Router Redundancy Protocol) and is configured with the vrrp command.

When using VRRP, two (or more) CacheGuard appliances share the same virtual IP address (the VRRP IP), in addition to their real IP addresses, on the same logical network interface. External services and clients should then address appliances configured in HA mode by their VRRP IP addresses, not their real IP addresses. On a given network interface, a VRRP IP address is in the master (active) state on one appliance and in the backup state on the others. The master VRRP IP stays active on a network interface until a failure occurs on that interface; the backup VRRP IP then becomes active on the backup appliance. Each CacheGuard appliance embeds a service called health checker that continuously verifies the health of the services running on it. In the event of repeated failures of a service, the health checker deactivates the appliance's network interfaces, allowing the other appliances associated in HA mode to take over from the failed appliance.
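The added example below (not CacheGuard-OS code) shows the VRRP version 2 exchange behind this mechanism, as specified in RFC 3768: how an advertisement is encoded and verified, and the rules by which a backup decides to take over and a master decides to step down. The virtual router id, priorities and addresses are constructed sample values; CacheGuard's own VRRP implementation and the options of its vrrp command are not described here.

```python
"""Added example (not CacheGuard-OS code): the VRRP version 2 advertisement
exchange (RFC 3768) that underlies the HA mode described in the guide.

It builds and verifies advertisements and applies the election rules: a
router in the backup state keeps quiet while it hears a master of equal or
higher priority, and a master steps down when a peer announces a higher
priority (or an equal one from a higher primary IP address). The virtual
router id, priorities and addresses are constructed sample values.
"""
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
VRRP_MULTICAST = "224.0.0.18"   # destination of advertisements, IP protocol 112
PRIORITY_OWNER = 255            # router that owns the virtual address
PRIORITY_RELEASE = 0            # master shutting down; backups take over at once


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Serialise a VRRPv2 advertisement (authentication type 0, no auth data)."""
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(vips), 0, adver_int, 0)
    body = header + b"".join(IPv4Address(v).packed for v in vips) + bytes(8)
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Decode an advertisement, rejecting bad version/type, length or checksum."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0xF != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + 8          # header, address list, auth data
    if len(pkt) < length:
        raise ValueError("truncated address list")
    if internet_checksum(pkt[:length]) != 0:
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips}


def is_valid_advertisement(pkt: bytes) -> bool:
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False


def backup_should_take_over(local_priority: int, advert: dict, preempt: bool = True) -> bool:
    """Backup state, RFC 3768 section 6.4.2: priority 0 means the master is
    releasing the address; otherwise stay backup as long as the master's
    priority is at least ours (or preemption is disabled)."""
    if advert["priority"] == PRIORITY_RELEASE:
        return True
    if not preempt or advert["priority"] >= local_priority:
        return False
    return True


def master_should_step_down(local_priority: int, local_ip: str, advert: dict, sender_ip: str) -> bool:
    """Master state, RFC 3768 section 6.4.3: yield to a higher priority, or to
    an equal priority announced from a higher primary IP address."""
    if advert["priority"] == PRIORITY_RELEASE:
        return False
    if advert["priority"] > local_priority:
        return True
    return advert["priority"] == local_priority and IPv4Address(sender_ip) > IPv4Address(local_ip)


if __name__ == "__main__":
    # Two appliances sharing VRID 1 and the virtual address 192.168.1.10.
    adv = parse_advertisement(build_advertisement(1, 100, ["192.168.1.10"]))
    print("backup (priority 50) takes over:", backup_should_take_over(50, adv))
    # Any host on the segment able to emit a priority-255 advertisement makes
    # the current master step down: VRRPv2 carries no strong authentication.
    rogue = parse_advertisement(build_advertisement(1, PRIORITY_OWNER, ["192.168.1.10"]))
    print("master (priority 100) steps down to rogue:",
          master_should_step_down(100, "192.168.1.1", rogue, "192.168.1.99"))
```

The last lines of the script illustrate a property of the protocol itself, not a CacheGuard-specific finding: VRRPv2 has no strong authentication, so any host on the segment that can emit an advertisement with a higher priority makes the current master step down. Interfaces on which VRRP runs should therefore sit on segments that only the HA peers can reach, and VRRP traffic should not be accepted from untrusted zones.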