StoneGate Firewall Reference Guide 4.3

StoneGate Reference Guide
SMC 4.3 and Firewall/VPN 4.3

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1259028, 1271283, 1289183, 1289202, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540 and 7,302,480, and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners. SSL VPN Powered by PortWise.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty as to the correctness of the information and assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGRG_20080604

Table of Contents

INTRODUCTION

CHAPTER 1 Using StoneGate Documentation 15
  How to Use This Guide 16
    Typographical Conventions 16
  Documentation Available 17
    Product Documentation 17
    Support Documentation 18
  System Requirements 18
  Contact Information 18
    Licensing Issues 18
    Technical Support 18
    Your Comments 18
    Other Queries 18

CHAPTER 2 What's New? 19
  New Features in SMC 4.3 20
  New Features in Firewall/VPN 4.3 23
  New Features in SOHO Firewalls 23

CHAPTER 3 General Firewall Principles 25
  The Role of the Firewall 26
    Hazards of Networking 26
    The Firewall as Protection 26
    Example Solution 27
  Firewall Technologies 28
    Packet Filters 28
    Proxy Firewalls 30
    Stateful Inspection 31
    StoneGate and Multi-Layer Inspection 31
  Firewall Functions 33
    Access Control 33
    Monitoring and Logging 33
    Network Address Translation (NAT) 33
    Authentication 34
    Virtual Private Networks (VPN) 34
    Secure Socket Layer Virtual Private Networks (SSL VPN) 34
    Content Screening and Unified Threat Management 35
  Requirements for Modern Firewalls 36
    High Availability 36
    Scalability 37
    High Throughput 37
    Centralized Management 37
  Firewall Weaknesses 38
    Lack of Administration 38
    Internal Attacks 38

CHAPTER 4 StoneGate Architecture 39
  StoneGate Security Platform Overview 40
  StoneGate Components 41
    StoneGate Management Center 43
      Management Server 43
      Log Servers 44
      Monitoring Server 44
      Management Clients 45
    Firewall Engines 45
    SOHO Firewall Engines 46
    Certificates 46
    Licenses 47
  StoneGate Main Features 47
    Advanced Traffic Inspection 47
    Built-in Load Balancing and High Availability 48
    Integration with StoneGate IPS 48
    Multi-Link Technology 48
    QoS and Bandwidth Management 49
    Reporting Tools 50
    Unified StoneGate Management Center 51
    Virtual Private Networks (VPNs) 51

CHAPTER 5 StoneGate Firewall/VPN Deployment 53
  Deployment Overview 54
  Firewall Deployment 55
    Positioning Firewalls 55
      Internal Networks 55
      DMZ Network 56
      External Network 57
    StoneGate Management Connections 59
  Management Center Deployment 59
    Positioning the Management Server 60
    Positioning Log Servers 60
    Positioning Management Clients 61

SETTING UP STONEGATE

CHAPTER 6 Management Client Basics 65
  Introduction 66
  General Tools 66
    Main Toolbar 66
    Status Bar 67
    Element Search 67
    Bookmarks 68
    Online Help 69
  System Status View 70
    System Summary 70
    Status Tree 71
    Info Panel 71
    Graphical Monitoring 72
    Overview 73
    Status Icons and Colors 74
  Configuration View 78
  Logs View 79
  Policy Editing View 82

CHAPTER 7 Administrator Accounts 85
  Overview to Administrator Accounts 86
  Configuration of Administrator Accounts 87
    Default Elements 88
      Predefined Account with Unrestricted Permissions 88
      Predefined Administrator Roles 88
      Predefined Access Control Lists 88
    Configuration Workflow 89
      Task 1: Create a New Administrator Role 89
      Task 2: Create a New Access Control List 89
      Task 3: Configure Administrator Password Policy 90
      Task 4: Create a New Administrator Element or Monitoring User Element 91
  Using Administrator Accounts 92
    Customizing Log Color Settings 92
    RADIUS Authentication 92
  Examples of Administrator Accounts 92
    Creating Accounts with Predefined Administrator Roles 93
    Creating Accounts with a New Access Control List 93

CHAPTER 8 Network Elements and Services 95
  Introduction to Network Elements and Services 96
  Network Element Types 96
    Address Range Elements 96
    Alias Elements 96
    Expression Elements 97
    Firewall Elements 97
      SOHO Firewall Element 97
      Single Firewall Element 97
      Firewall Cluster Element 98
    Group Elements 98
    Host Elements 98
    IPS Elements 98
    SSL VPN Elements 98
    Network Elements 98
    Router Elements 99
    Server Elements 99
      Management Server Element 99
      Log Server Elements 99
      Authentication Server Elements 99
      Active Directory Server Elements 99
      LDAP Server Elements 100
      Content Inspection Server (CIS) Elements 100
      DNS Server Elements 100
      DHCP Server Element 100
      Monitoring Server Element 100
    Traffic Handler Elements 100
      NetLink 100
      Multi-Link 101
      Server Pool 101
  Services 101

CHAPTER 9 SOHO Firewall Configuration 103
  Overview to SOHO Firewall Configuration 104
  Configuration of SOHO Firewalls 104
    Default Elements 105
    Configuration Workflow 105
      Task 1: Create SOHO Firewall Element(s) 105
      Task 2: Select the Interface Types 106
      Task 3: Define the Interface Settings 106
      Task 4: Define General Wireless Channel Settings 106
      Task 5: Configure the Main Site Firewall 106
      Task 7: Install the SOHO Firewall Appliance 107
  Using a SOHO Firewall 107
    Configuring Wireless Connections 107
  Example of a SOHO Firewall Deployment 109
    Setting up Several SOHO Firewalls 109

CHAPTER 10 Single Firewall Configuration 111
  Overview to Single Firewall Configuration 112
  Configuration of Single Firewalls 112
    Dynamic Firewall Interface Addresses 112
    Configuration Workflow 113
      Task 1: Create a Single Firewall Element 113
      Task 2: Define Physical Interfaces 113
      Task 3: Define VLAN Interfaces 113
      Task 4: Define IP Addresses 114
      Task 5: Install the Firewall Engine 114
      Task 6: Install a Firewall Policy 114
  Using a Single Firewall 115
    Using Multi-Link 115
    Internal DHCP Server 115
    Running Automatic Tests 116
    Sending SNMP Traps 117
  Example of a Single Firewall Deployment 117
    Setting up a Single Firewall 117
    Adding a New Interface to an Existing Configuration 118

CHAPTER 11 Firewall Cluster Configuration 121
  Overview to Firewall Cluster Configuration 122
    Benefits of Clustering 122
    Communication Between the Nodes 122
    Hardware 123
  Configuration of Firewall Clusters 123
    Load Balancing 123
    Standby Operation 124
    Network Interfaces 124
    Clustering Modes 125
    Configuration Workflow 127
      Task 1: Create a Firewall Cluster Element 127
      Task 2: Create Physical Interfaces 127
      Task 2: Define VLAN Interfaces 127
      Task 3: Configure Interfaces 128
      Task 4: Install the Firewall Engines 129
      Task 5: Install a Firewall Policy 129
  Using a Firewall Cluster 129
    Using Multi-Link 130
    Using VLANs 131
    Running Automatic Tests 132
    Sending SNMP Traps 133
  Advanced Configuration of Clustering 134
    Tuning Node Synchronization 134
    Security Level for State Synchronization 135
    About Manual Load Balancing 136
  Examples of Firewall Cluster Deployment 137
    Setting up a Firewall Cluster 137
    Adding a Node to a Firewall Cluster 139

CHAPTER 12 Routing and Antispoofing 141
  Overview to Routing and Antispoofing 142
  Configuration of Routing and Antispoofing 142
    Routing on Single and Clustered Firewalls 142
    Routing on SOHO Firewalls 143
    Reading the Routing and Antispoofing Trees 143
    Multi-Link Routing for Single and Clustered Firewalls 145
    Default Elements 145
    Configuration Workflow 146
      Task 1: Add Router or NetLink 146
      Task 2: Add Network(s) 146
      Task 3: Modify Antispoofing Rules 146
      Task 4: Refresh Firewall Policy 147
  Using Routing and Antispoofing 147
    Policy Routing 147
    Static IP Multicast Routing 147
    Modifying Antispoofing 147
  Examples of Routing 148
    Routing Traffic with Two Interfaces 148
    Routing Internet Traffic with Multi-Link 148
    Routing Traffic to Networks That Use Same Address Space 149

CHAPTER 13
      Task 4: Add Rules 161
      Task 5: Validate the Policy 161
      Task 6: Install the Policy 161
  Using Policy Elements 162
    Connectionless Packet Inspection 162
    Continue Rules 162
    Policy Snapshots 162
  Examples of Policy Element Use 163
    Protecting Essential Communications 163
    Improving Readability and Performance 163
    Restricting Administrator Editing Rights 164

CHAPTER 14 Access Rules 165
  Overview to Access Rules 166
  Configuration of Access Rules 167
    Considerations for Designing Access Rules