CacheGuard-OS
User's Guide - Version UF-2.3.2

Network Security

CacheGuard appliance distinguishes between two types of network traffic: traffic exchanged with the appliance itself and traffic that are only routed via the appliance (for which the source or destination are not the appliance itself). To control the traffic exchanged with the appliance itself, you can use the access command while the firewall command can be used to control routed traffic. Both types of traffic are managed by a stateful firewall integrated into the appliance.

Administration Access

For security reasons, the administration access (via SSH or the Web GUI) to a CacheGuard appliance is only granted to users (or machines) being in trusted networks. The same rule is applied to file servers and monitoring systems that need to access the appliance. File servers are used to exchange files (via TFTP, FTP or SSH) with the appliance for configuration or administration purposes (for instance, to load/save SSL certificates or make a system backup). Monitoring managers can be used to monitor the appliance using SNMP.

In the example below, the appliance is configured to give SSH and Web administration GUI accesses via its internal network interface to remote users (or machines) in the 172.18.2.0 255.255.255.0 network. In addition, the SNMP manager having the 172.18.2.202 IP address is allowed to send SNMP requests to the appliance via its internal network interface and the file server ftp.cacheguard.net is allowed to exchange files with the appliance via its external network interface.

• access admin add internal 172.18.2.0 255.255.255.0
• access file add external ftp.cacheguard.net
• access mon add internal 172.18.2.202
• apply

Note that to exchange files, CacheGuard appliance can use TFTP, FTP or STFP. As FTP and SFTP servers often require authentication (with login/password), you have the possibility to store authentication credentials (login/password) to access those file servers in CacheGuard appliance in order to do not have to interactively provide them whenever your appliance needs to exchange files with them. To set and store credentials to access a file server, you have the possibility to specify them with the access command or use the password command. The following commands set credentials to have an FTP access to the ftp.cacheguard.net file server and an SFTP access to the file server having the 172.18.2.203 IP address.

• password file add ftp ftp.cacheguard.net john
• access file add internal 172.18.2.203 sftp john
• apply

Web Browsing Access

By default, the Web proxy is accessible to all devices except those located in the external zone (routed via the external network interface). This default access policy can be modified by using the access web command usage form in order to limit the Web proxy access to a list of predefined networks only. To activate the Web proxy access limitation, you must define at least one Web access. Note that when at least one previous peer or one transparent network is defiend, the Web proxy access limitation is implicitly activated and you must explicitly define allowed networks to access the Web proxy. Please refer to the peer and transparent commands manual for more information about peers and transparent networks.

To restrict the Web proxy access to devices located on the 172.18.2.0 255.255.255.0 or 10.26.0.0 255.255.0.0 networks via CacheGuard's internal network interface, you can use the following commands:

• access web raz
• access web add internal 172.18.2.0 255.255.255.0
• access web add internal 10.26.0.0 255.255.0.0
• apply

The Firewall

CacheGuard appliance can act as a stateful firewall with NAT capabilities to filter routed network traffic according to the source and destination IP addresses and used protocols. To filter the network traffic, you must define firewall rules. A firewall rule is attached to a network interface and controls incoming traffic via that interface. Rules attached to a network interface form a rule set and you have as many rule set as network interfaces. To use the firewall, you must activate it first by using the mode firewall on command and then you can define rules by using the firewall command. In absence of any rules, the following default rules are applied:

• New connections incoming from the external zone and destined to the internal, auxiliary and vpnipsec zones are denied.
• New connections incoming from the internal zone (the web zone only in VLAN mode) and destined to other zones are allowed.
• New connections incoming from the auxiliary zone are denied by default (to allow traffic you should explicitly specify rules).
• In VLAN mode (mode vlan on), new connections incoming from the rweb, antivirus, admin, mon, file and peer zones are denied by default. In non VLAN mode (mode vlan off), they are all considered as being the internal zone and therefore follow the principals applied to the internal zone.
• New connections incoming from the vpnipsec zone and destined to the internal zone (the web zone only in VLAN mode) are allowed. Incoming connections from the vpnipsec zone and destined to other zones are denied by default.

If at least one firewall rule is present in a rule set, default rules are no longer applied and only network traffic that are explicitly defined by firewall rules would be allowed (or denied). Each firewall rule set, implicitly includes a deny any rule at its end (and you do not need to add it yourself). As an example, the following commands allow all TCP traffic incoming form the web interface that have a source IP address in the 172.18.2.0/24 network and outgo to the external zone (via the external network interface).

• mode firewall on
• mode router on
• firewall web add allTCPToInternet allow tcp 172.18.2.0/24 external
• apply

In the example above, if the VLAN mode is activated, the defined rule is exclusively applied to the web pseudo network interface (tagged VLAN). Otherwise, it would be applied to the internal native network interface.

When defining a firewall rule, you have the possibility to apply a NAT (Network Address Translation) to the source and/or destination IP address of the traffic. As an example, the following commands allow the 192.168.44.55 IP address to establish TCP connections via the external network interface to the 192.168.22.11:80 destination and NAT that destination to 10.0.10.11:81:

• mode firewall on
• mode router on
• firewall external add allWeb allow tcp 192.168.44.55 admin 192.168.22.11 80 nil 10.0.10.11 81
• apply

It is IMPORTANT to note that in firewall rules, destination and source NAT are always applied AFTER the filtering.

IPsec VPN

VPN stands for Virtual Private Network and IPsec for Internet Protocol Security. An IPsec VPN allows you to authenticate and encrypt data packets between private networks over a public IP network (ie internet) to provide secure encrypted communications. You can build persistent IPsec VPNs between sites or allow remote workers to access your internal infrastructures via an IPsec VPN. CacheGuard appliance integrates an IPsec VPN server that you can activate by using the mode vpnipsec on command. Then the vpnipsec command can be used to configure the IPsec VPN server.

We distinguish two types of IPsec VPNs: site to site VPNs and remote access VPNs. A site to site (or inter site) VPN allows you to build a permanent secure tunnel between two sites. With such a tunnel, computers in both sites can communicate with each other in a secure way as they were on the same location whereas in reality they can be separated by several thousands of kilo meters. To build a site to site IPsec VPN tunnel, you need two VPN servers: a local VPN server and the remote (or peer) VPN server.

A remote access VPN is a central VPN server to which remote workers can connect via secure tunnels built on top of the internet. With such tunnels remote workers can access computers protected by the VPN server in a secure way as they were on the same location.

Please note that on a CacheGuard appliance, you have to choose between the site to site mode or the remote access mode (both modes can't be activated at the same time). The vpnipsec access on and vpnipsec access off commands allow you to switch between the two modes.

Remote Access VPN

To build a remote access IPsec VPN, you need a central IPsec VPN server while each remote worker connect the central VPN server using an IPsec VPN client. CacheGuard appliance supports almost all native IPsec VPN clients provided by devices and OS in the market (such as MS Windows™ 11, Apple™ Mac & iPhone...). In case where native VPN clients would not work, alternative third party IPsec VPN clients such as strongSwan can be used. The following commands allow you to activate the IPsec VPN in remote access mode and let CacheGuard appliance to be used as the default gateway for remote users:

• mode vpnipsec on
• vpnipsec access on
• vpnipsec network access add local default
• apply

Site to Site VPN

This section allows you to learn how to build an IPsec VPN tunnel between 2 sites through a simple example. In our example we consider that we want to establish a IPsec VPN tunnel between a site called London (172.22.11.254 255.255.255.0 internal netwrok) and a site called Paris (172.22.10.0 255.255.255.0 internal netwrok). To implement that VPN, the configuration on the Paris site would be:

• ip external 192.168.155.1 255.255.255.0
• ip internal 172.22.10.254 255.255.255.0
• mode vpnipsec on
• vpnipsec access off
• vpnipsec authenticate psk very-strong-and-long-psk-2connect-2paris
• vpnipsec site add London 192.168.155.2 psk very-strong-and-long-psk-2connect-2london
• vpnipsec network site London raz
• vpnipsec network site London add remote 172.22.11.0 255.255.255.0
• apply

while the configuration on the London site is:

• ip external 192.168.155.2 255.255.255.0
• ip internal 172.22.11.254 255.255.255.0
• mode vpnipsec on
• vpnipsec access off
• vpnipsec authenticate psk very-strong-and-long-psk-2connect-2london
• vpnipsec site add Paris 192.168.155.1 psk very-strong-and-long-psk-2connect-2paris
• vpnipsec network site Paris raz
• vpnipsec network site Paris add remote 172.22.10.0 255.255.255.0
• apply

In the example above, to simplify the configuration we used the same network (192.168.155.0) to connect both CacheGuard's external network intefaces. In reality, the external network interface of each appliance is connected to a distinct internet router that source NAT all outgoing traffic with its public IP address. Let’s consider that the internet router in Paris has the 10.0.10.1 public IP address (with the 192.168.155.254 private IP address) and the internet router in London the 10.0.11.1 public IP address (with the 192.168.155.254 private IP address). In this case, the configuration on the Paris site would be:

• ip external 192.168.155.1 255.255.255.0
• ip internal 172.22.10.254 255.255.255.0
• ip route add default 192.168.155.254
• mode vpnipsec on
• vpnipsec access off
• vpnipsec authenticate psk very-strong-and-long-psk-2connect-2paris
• vpnipsec site add London 10.0.11.1 psk very-strong-and-long-psk-2connect-2london
• vpnipsec network site London raz
• vpnipsec network site London add remote 172.22.11.0 255.255.255.0
• vpnipsec nat role London active
• vpnipsec nat public add 10.0.10.1
• apply

while the configuration on the London site is:

• ip external 192.168.155.1 255.255.255.0
• ip internal 172.22.11.254 255.255.255.0
• ip route add default 192.168.155.254
• mode vpnipsec on
• vpnipsec access off
• vpnipsec authenticate psk very-strong-and-long-psk-2connect-2london
• vpnipsec site add Paris 10.0.10.1 psk very-strong-and-long-psk-2connect-2paris
• vpnipsec network site Paris raz
• vpnipsec network site Paris add remote 172.22.10.0 255.255.255.0
• vpnipsec nat role Paris passive
• apply

UDP encapsulation and NATT: it is IMPORTANT to note that UDP encapsulation is systematically used by CacheGuard appliance to allow IPSec traffic to successfully traverse NAT devices.

In our example, as both CacheGuard appliances are behind NAT (their external IP addresses are translated into a public IP address), the VPN tunnel can't be established without some additional settings. In such a situation, one site should take an active role (to initiate the VPN establishment) while the other should act as passive (wait an incoming VPN establishment request). In our example we choose to set the London site as an active site and the Paris site as a passive site. In addition, as the used authentication method is PSK, the passive appliance (in Paris) should know it's public IP address to know which PSK in its PSK base should be used. Hence, the vpnipsec nat public add 10.0.10.1 command used on the Paris site.