Isa Ig 060516 PDF
5/16/06
Instructor Guide
Internet Security Systems, Inc. 6303 Barfield Road Atlanta, Georgia 30328-4233 United States (404) 236-2600 http://www.iss.net

Copyright © Internet Security Systems, Inc. 2003-2004. All rights reserved worldwide. This publication may not be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc. Patent Pending.

Internet Security Systems, the Internet Security Systems logo, System Scanner, Wireless Scanner, SiteProtector, Proventia, Proventia Manager, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU, X-Force, and X-Press Update are trademarks and service marks, and SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. InstallShield is a registered trademark and service mark of InstallShield Software Corporation in the United States and/or other countries. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iPlanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an AS IS condition, without warranties of any kind, and any use of this information is at the user's own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes. Please direct any comments concerning ISS courseware to training@iss.net.

Print Date: May 16, 2006
Contents
How to Use this Training Guide
About the Course ... H-i
Introduction ... H-i
Time Requirements ... H-i
About the Training Guide ... H-ii
For the Students ... H-ii
For the Instructor ... H-ii
Following the Guide ... H-ii
Using Leader Notes ... H-ii
Understanding the Icons ... H-v
Providing Feedback on the Training Materials ... H-v
Preparing for Class ... H-vi
Preparation Checklist ... H-vi
Required Data Files ... H-vi
Required Software ... H-vi
Required Hardware ... H-vi
Assumptions for Performing the Exercises ... H-vi
Overview of Proventia M ... 1-7
What is Proventia M? ... 1-7
Key Benefits of the Proventia M ... 1-8
Proventia M Components ... 1-9
Traditional Stateful Firewall ... 1-9
Virtual Private Networking ... 1-10
Intrusion Prevention ... 1-11
Gateway Antivirus ... 1-12
Virus Prevention System (VPS) ... 1-12
Web Filtering ... 1-13
Antispam ... 1-13
Additional Proventia M Functionality ... 1-13
Local Management Interface ... 1-13
SiteProtector Management ... 1-14
High Availability ... 1-14
Appliance Specification Details ... 1-15
Module Review ... 1-19
Retrieving Updates ... 3-11
Lab: Check and install updates ... 3-12
Proventia Manager Home Page ... 3-14
System Status ... 3-17
Logs Status ... 3-18
Alerts ... 3-18
Logs ... 3-20
Alerts ... 3-20
System Logs ... 3-23
Configuration Settings ... 3-24
Appliance Access ... 3-25
Network ... 3-26
Routing ... 3-28
Notification ... 3-28
Passwords ... 3-33
Services ... 3-34
SiteProtector ... 3-38
Time ... 3-39
Maintenance Settings ... 3-40
Filter DB ... 3-41
Tools ... 3-43
Backup & Recovery ... 3-45
Snapshots ... 3-45
System/Full Backup ... 3-46
Support ... 3-48
Support Contacts ... 3-49
System Support File ... 3-50
Labs: Configuring and Enabling Event Notifications ... 3-51
Introduction ... 3-51
Configuring an Email Response ... 3-51
Disabling Email System Warning Notification ... 3-52
Module Review ... 3-53
Why Use Spanning Tree Protocol? ... 4-7
STP Illustration ... 4-8
Bridge IDs ... 4-9
Failover Process - Determining the Primary Bridge ... 4-9
The STP Process ... 4-10
STP Tasks ... 4-10
Failover Protection Status ... 4-11
Configuring Spanning Tree Protocol Settings ... 4-12
Considerations When Deciding to Use Spanning Tree Protocol ... 4-13
Module Review ... 4-14
Module 6: Antivirus
About this Module ... 6-1
Purpose of this Module ... 6-1
Module Objectives ... 6-1
An Antivirus Overview ... 6-2
What Is A Computer Virus? ... 6-2
Types of Malicious Code ... 6-3
Proventia M's Antivirus Component ... 6-4
Introduction ... 6-4
Types of AV Technology ... 6-4
Proventia M's Antivirus Technology ... 6-4
The Signature Engine ... 6-5
Signature Scanner Pros and Cons ... 6-5
Virus Prevention System (VPS) ... 6-6
What M's AV Components Do ... 6-7
Protocols Scanned by Proventia M Antivirus ... 6-7
An Example ... 6-8
The Blocking Page ... 6-9
Antivirus Deployment ... 6-10
A Note About Logs ... 6-10
Configuring Proventia M Antivirus ... 6-11
Antivirus Status Information ... 6-11
Settings ... 6-13
Advanced Parameters ... 6-17
Quarantine File Management ... 6-17
SMTP Config ... 6-19
Labs: Testing with the eicar Virus ... 6-22
Introduction ... 6-22
Disable IIS SMTP Service ... 6-22
Install a Mail Server ... 6-22
Creating an Email Account ... 6-23
Enabling Antivirus Functionality ... 6-24
Sending an Email to Test Antivirus ... 6-25
Pulling the eicar Virus ... 6-26
Module Review ... 6-27
ISS Web Filter Resources ... 7-18
The Web Filter and Antispam Database ... 7-20
Introduction ... 7-20
Sources of Information ... 7-20
Types of Information ... 7-20
Filter Database ... 7-21
Downloading the Database ... 7-23
Updating the Database ... 7-23
WebLearn ... 7-23
Configuring Proventia M Web Filtering ... 7-24
Web Filtering Status Information ... 7-24
Settings ... 7-25
Labs: Configuring and Testing Filters ... 7-29
Introduction ... 7-29
Enabling Web Filter Functionality ... 7-29
Accessing a Web Site in the Sports Category ... 7-30
Selecting Web Filter Categories ... 7-30
Testing your Access to the Blocked Category ... 7-31
Adding a Destination Blacklist Entry ... 7-31
Testing your Filter ... 7-31
Module Review ... 7-32
Module 8: Antispam
About this Module ... 8-1
Purpose of this Module ... 8-1
Module Objectives ... 8-1
Why Use Antispam? ... 8-2
Challenges for Email Content Security ... 8-2
Email Flood Statistics ... 8-3
The Costs of Spam ... 8-4
Countering the Cost ... 8-4
Proventia M's Antispam Component ... 8-5
Introduction ... 8-5
Spam Identification ... 8-6
The Antispam Process ... 8-7
Configuring Proventia M Antispam ... 8-8
Antispam Status Information ... 8-8
Settings ... 8-10
Labs: Testing Antispam Functionality ... 8-16
Introduction ... 8-16
Configuring Antispam Functionality for SMTP ... 8-16
Sending an Email to Test SMTP Antispam ... 8-17
Configuring Antispam Functionality for POP3 ... 8-18
Sending an Email to Test POP3 Antispam ... 8-18
Configuring Antispam Blocking ... 8-19
Sending an Email to Test Antispam Blocking ... 8-19
View the Spam Detected events ... 8-20
Module Review ... 8-21
Firewall Status Information ... 10-5
Network Objects ... 10-6
Advantages of Network Objects ... 10-7
Network Object Conventions ... 10-8
Dynamic Objects ... 10-8
Lab: Creating Network Objects ... 10-10
Creating Access Policies ... 10-12
Proventia M Firewall Tabs ... 10-12
The Proventia M Access Policy ... 10-13
Creating an Access Rule ... 10-14
Lab: Configuring your Firewall ... 10-17
Introduction ... 10-17
Enable Partner 2 to connect to Proventia Manager ... 10-18
Testing your Firewall's Access ... 10-19
Creating Inbound Rules ... 10-19
Creating Outbound Rules ... 10-21
Re-Test your Firewall's Access ... 10-24
Network Address Translation ... 10-25
Introduction ... 10-25
How Proventia's NAT Works ... 10-26
Configuring NAT ... 10-27
Source NAT Rules ... 10-27
Destination NAT Rules ... 10-28
Lab: Creating Destination NAT ... 10-29
Introduction ... 10-29
Configuring Destination NAT Rules ... 10-29
Adding an Access Rule for the Translated Address ... 10-30
Testing your Firewall's Access ... 10-31
Configuring Source NAT Rules ... 10-31
Verify the Disabled NAT Rule ... 10-32
More Firewall Functionality ... 10-33
Event Notification ... 10-33
Advanced Firewall ALG Policy ... 10-34
Asymmetric Redirection ... 10-35
Advanced Parameters ... 10-36
Module Review ... 10-37
Contents
Introduction 11-5
Types of wizards 11-5
What is Created by the Wizards? 11-6
Rules for using VPN wizards 11-6
Lab: Configuring the VPN for Site-to-Site Connectivity 11-7
Introduction 11-7
Use the M Series to M Series Wizard 11-7
Lab: Configuring the VPN for Client-to-Site Connectivity 11-9
Introduction 11-9
Using the SoftRemote VPN Client to M Series Wizard 11-9
Demonstration: Creating a New Connection for SoftRemote 11-10
Creating the Connection 11-11
Testing the Client-to-Site Connection 11-13
More VPN Functionality 11-14
VPN Advanced 11-14
Advanced Parameters 11-17
Certificates 11-18
Module Review 11-19
HA Classroom Topology 12-23
HA IP Addresses 12-24
Enable and Test High-Availability 12-24
Reconfigure the class network 12-25
Configuring the Proventia Appliances 12-25
Enable the eth2 interface 12-28
Create the High-Availability Access Rules 12-29
Configure High-Availability 12-31
Test High-Availability 12-33
Module Review 12-35
Course Review
Review Objectives R-1
Ask Questions R-2
Time Requirements
The following tables provide suggested times for each module:

Day 1                                              Approximate Length
Introduction to the Proventia M Series             15 minutes
Configuration of the Proventia M appliance         1 hour
General Settings                                   1 hour
Transparent Mode                                   45 minutes
Configuring Intrusion Prevention                   45 minutes
Configuring Antivirus                              30 minutes
Configuring Web Filtering                          1 hour
Configuring Antispam                               45 minutes

Day 2
Routing Mode
Configuring Firewalls
Configuring the VPN
High Availability
resources. Encourage the students to take notes in the training guide during class and to use the guide as a reference when back on the job.
In this column, you see suggestions and instructions for conducting the class.
Underlined blue text in the right column (this main column) provides answers for questions the instructor should ask the class. See the following example: Underlined blue text in this column provides answers to questions or information for a discussion.
How to Use this Training Guide

You will see the following types of leader notes (in the table, they are listed in alphabetical order):

Ask: Followed by a question the instructor can pose to the students to stimulate a group discussion.
  Example: ASK: Who are some people you think should be involved?

Demonstrate: Indicates that the instructor should perform a procedure while the students watch. Provides guidelines for conducting the demonstration.
  Example: DEMONSTRATE: Installing the Console

Emphasize: Indicates that the instructor should stress the importance of this information.
  Example: EMPHASIZE: Setup can archive private keys only when it creates them; it cannot archive existing private keys.

Example:
  Example: EXAMPLE: If this Console is going to communicate with any Unix sensors, a Certicom provider, like the ISS ECNRA Built-In provider, must be listed in this dialog.

Explain: Provides information on the topic to help the instructor teach it.
  Example: EXPLAIN: If the destination location is the same and you choose not to use or back up these databases, info in the database is lost when the installation is complete.

Guidelines: Provides instructions for conducting an exercise or demonstration.
  Example: GUIDELINES: You demonstrate the installation first. Students will install the Console at the end of this module.

Key Points: Summarizes, at a high level, the main points of a section. If the instructor says only this, he/she is presenting the most important information.
  Example: KEY POINTS: You should monitor your systems to identify risks and apply the appropriate patches and software.

Note: Provides information that the instructor may use if asked a question.
  Example: NOTE: This is just an overview. You'll go into more detail in the following sections.

Point Out: Indicates that the instructor should physically point to a feature/function/option to show the location of it.
  Example: POINT OUT: These options on the View menu: Auto-Scroll Lock, Clear All Events, Inspect Events

Review: Briefly lists information the instructor has covered before. Used as a reminder to students of options/processes/similarities.
  Example: REVIEW: The options for installing RealSecure.

State: Information the instructor can actually say.
  Example: STATE: When you come under attack, it's time to implement your incident response procedures.

Step # + word: Provides information that applies to that specific step of a procedure. Works in conjunction with other words listed here.
  Example: STEP 6 REVIEW: Installation options: From the CD; From the website; How we'll do it in class

Transition: Summarizes a section and leads into the next one.
  Example: TRANSITION: Now that you have seen how RS responds when under attack, let's discuss why you need intrusion detection software such as RealSecure.

Stopwatch

Slide: Show the students the slide that displays key points on this topic.

Exercise
Study how the leader notes guide you through the course. Make your own notes in the training guide to help you teach the course.
Make sure all equipment and software is working. Make sure all student materials are available.
Required Software
Carefully read the Classroom Set-Up Guide for Product End-User Training; it contains all hardware and software requirements for each training.
Required Hardware
Make sure you have enough extra cables for the setup exercises.
INSTRUCTOR: Refer to the ISS Classroom Set-Up Guide for Product End-User Training for details about configuring the SiteProtector classroom.
15 minutes
Getting Acquainted...
Slide 1
GUIDELINES: Welcome students to the class. Introduce yourself and describe your background. Ask students to introduce themselves and describe their job responsibilities. TRANSITION: Now that we have introduced ourselves, let's talk about getting the most out of this course.
Your Role
Your active participation is important to us. Feel free to share your experiences with the class. Take this chance to build relationships with other professionals in the field. We can all learn from each other. Ask questions, both of the instructor and your fellow students. If the instructor cannot immediately answer your question, the instructor will write the question down and consult other resources at Internet Security Systems, Inc.
Course Objectives
By the end of this course, you will be able to:
Describe the six components of the Proventia M.
Reconfigure the Proventia M appliance.
Discuss Transparent Mode functionality and configuration.
Discuss components of the Proventia M Intrusion Prevention module and configure Intrusion Prevention functionality.
Detect and block an attack, enable auditing, and view intrusion prevention events.
Discuss the basics of antivirus technology and configure the antivirus portion of the Proventia M.
Use a test virus to view virus blocking within the Proventia M.
Describe the Proventia M Series Web filtering process.
Configure the Web filtering module, creating whitelists and blacklists.
Slide 3
Describe the basics of Proventia M's antispam technology and configure the antispam portion of the Proventia M using whitelists and blacklists.
Identify firewall methods and translate your security policy into firewall policies.
Configure the Proventia M firewall, creating objects and policies.
Perform network address translation.
Configure a Virtual Private Network for site-to-site and client-to-site connectivity.
Describe High Availability deployments and configuration of a HA environment.
Slide 4
Course Outline
Integrated Security Appliance is a 2-day course that covers the following topics:

Day 1
Module 1  Introduction to the Proventia M Series
Module 2  Configuration of the Proventia M appliance
Module 3  General Settings
Module 4  Transparent Mode
Module 5  Configuring Intrusion Prevention
Module 6  Configuring Antivirus
Module 7  Configuring Web Filtering
Module 8  Configuring Antispam

Day 2
Module 9   Routing Mode
Module 10  Configuring Firewalls
Module 11  Configuring the VPN
Module 12  High Availability

Course Review
15 minutes
Module 1
Slide 6
Module Objectives
When you complete this module, you will be able to:
Discuss the need for a unified protection solution.
Describe the six components of the Proventia M.
Discuss the differences between the M10, M30 and M50 appliances.
Secure Communications
Slide 7
The three main objectives of secure communication are Confidentiality, Integrity, and Availability.

Confidentiality

Confidentiality can be defined as: The prevention of unauthorized users accessing information to which they are not entitled.

Example: A salesperson looking through employee records in the HR

Integrity

Information Integrity can be defined as: The prevention of unauthorized users from modifying, inserting and deleting data, such that the data itself remains in its intended state.

Example: That same salesperson changing his pay rate in the payroll database. He has not breached the confidentiality of the data if he has not seen anyone else's pay rate. He has modified data that he is not authorized to modify.

Availability

Availability can be defined as: Ensuring that the system's services are accessible on demand, by an authorized entity.

Example: The same salesperson deleting the payroll file. He has made it
Slide 8
Protection Controls
Authentication: making sure you are who you say you are. We will accomplish this with the use of encryption.
Access Control: making sure you have access to only what you should have access to. We will accomplish this with the use of firewalls.
Audit: catching breaches to mitigate damage. We will accomplish this with the use of log files and intrusion detection.
Slide 9
Slide 10
Slide 11
Slide 12
With the Proventia M multi-function edge appliance in place, you no longer need to acquire, install and manage separate gateway and network products.
Overview of Proventia M
Slide 13
What is Proventia M?

The Internet Security Systems (ISS) Proventia M Series Appliance is a gateway protection appliance that offers the following protection technologies:
Stateful packet inspection firewall
VPN server (for client-to-server and site-to-site implementations)
Intrusion Prevention
Gateway Antivirus and Virus Prevention System (VPS)
Web Filtering
Antispam

The Proventia M automatically blocks viruses, unauthorized access, network attacks, malicious code, and hybrid threats like SQL Slammer, Code Red and MS Blaster. It also filters out unauthorized Web access and alerts you to unwanted email. Built on ISS' award-winning intrusion detection and prevention system, the Proventia M brings the level of protection demanded by global enterprises and world governments to remote offices and mid-sized businesses.

IMPORTANT: Mention that Proventia M now addresses the issue of Spyware: it's been added as a category that is blocked by the web filter.
Slide 14
Proventia M Components
Slide 15
STATE: Now let's talk about some of the features of each Proventia component.
Slide 16
Slide 17
Intrusion Prevention
Proventia M offers the same proven intrusion prevention technology as the Proventia A & G series:
High speed deep traffic analysis
Multiple methods of detection
Automatic updates from the X-Force, the world leader in security research and vulnerability detection

In addition, the M Series has been called "X-Force in a box" because it has automatic protection (users are not required to set policies or analyze events): X-Force tags events as block or alert. Tuning by users is allowed. ICSA Certification is pending.
Slide 18
Gateway Antivirus
With the Antivirus module, Proventia M offers:
High speed analysis of files in real time from:
  Web sites and webmail (HTTP)
  Download sites (FTP)
  Corporate and personal email (SMTP, POP3)
All traffic through the gateway is filtered, even if desktop protection is disabled or out of date

STRESS: M's AV is SOPHOS, the top-tier AV provider, fastest to market, etc. EXPLAIN: The WildList Organization International is a great source of information on which viruses are spreading in the wild. Their site: http://www.wildlist.org
Slide 19
Slide 20
Web Filtering
With the web filtering module, the Proventia M Series offers the following:
Filtering of Web sites based on pre-defined categories that you select
Protection against spyware
Specification of individual URLs, domains, or IP addresses that the appliance blocks or allows
Tracking of URLs that users request and access
Specification of static source IPs that can override the filters, to allow select users to surf the Internet freely
Slide 21
Antispam
Based on a huge database of known sources, key words, etc., Proventia M's antispam software allows you to prevent undesired advertisements and offensive emails from entering your network undetected.
Slide 22
Slide 23
Slide 24
SiteProtector Management
SiteProtector is an ISS management console. SiteProtector can manage a variety of network assets such as appliances, agents, and sensors. If you use a SiteProtector controller with your appliance, you can:
Report alerts and events to the SiteProtector console
Enable a SiteProtector Agent Manager to manage many important functions of your M Series appliance

POINT OUT: We will not talk about SiteProtector during this training.

Slide 25
High Availability
The Proventia M Series appliance offers active-passive high availability (HA) by using Virtual IP addresses shared between a primary appliance and a secondary appliance. With HA enabled and configured, the secondary appliance (in passive mode) is ready to operate as the primary appliance if the primary appliance fails.
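The active-passive model described above, as an added illustration that is not ISS code and does not reflect how the appliance itself implements HA: a primary and a secondary exchange heartbeats, the secondary stays passive while the primary's heartbeats keep arriving, and it takes over the shared virtual IP only after a configurable number of heartbeat intervals pass with no heartbeat. The heartbeat interval, the miss threshold, the non-preemptive failback (the original primary stays passive until an operator fails back) and the sample addresses are assumptions made for the example.

```python
"""Toy model of active-passive HA with a shared virtual IP (VIP).

Added example, not ISS code. The interval, threshold and failback policy
below are assumptions; the point is the state transition, not the product.
"""
from dataclasses import dataclass, field


@dataclass
class Appliance:
    name: str
    last_heartbeat_from_peer: float = 0.0   # simulated clock, seconds
    active: bool = False                    # True while this node owns the VIP


@dataclass
class HaPair:
    vip: str
    primary: Appliance
    secondary: Appliance
    heartbeat_interval: float = 1.0         # assumption: one heartbeat per second
    missed_threshold: int = 3               # assumption: 3 silent intervals = peer dead
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.primary.active = True          # the primary owns the VIP at start

    def vip_owner(self) -> str:
        return self.primary.name if self.primary.active else self.secondary.name

    def heartbeat(self, sender: Appliance, now: float) -> None:
        """Record that `sender` was heard from by its peer at time `now`."""
        receiver = self.secondary if sender is self.primary else self.primary
        receiver.last_heartbeat_from_peer = now

    def tick(self, now: float) -> str:
        """Evaluate the failover condition at time `now`; return the VIP owner."""
        dead_after = self.heartbeat_interval * self.missed_threshold
        if self.primary.active:
            silence = now - self.secondary.last_heartbeat_from_peer
            if silence > dead_after:
                # The secondary has missed more than `missed_threshold`
                # heartbeats from the primary: it leaves passive mode and
                # takes the VIP. Only one node may be active at a time.
                self.primary.active = False
                self.secondary.active = True
                self.log.append(
                    f"t={now:.0f}s: primary silent for {silence:.0f}s, "
                    f"{self.secondary.name} takes VIP {self.vip}")
        # Non-preemptive: a returning primary stays passive until failback().
        return self.vip_owner()

    def failback(self) -> str:
        """Operator-initiated return of the VIP to the primary."""
        self.secondary.active = False
        self.primary.active = True
        self.log.append(f"failback: {self.primary.name} takes VIP {self.vip}")
        return self.vip_owner()


def simulate(fail_at: float, run_until: float) -> tuple:
    """Run a constructed scenario: the primary stops heartbeating at `fail_at`.

    Returns the pair and a list of (time, vip_owner) samples, one per interval.
    """
    pair = HaPair("192.0.2.1", Appliance("M50-A"), Appliance("M50-B"))
    owners = []
    t = 0.0
    while t <= run_until:
        if t < fail_at:                     # primary alive: it heartbeats
            pair.heartbeat(pair.primary, t)
        pair.heartbeat(pair.secondary, t)   # secondary always heartbeats
        owners.append((t, pair.tick(t)))
        t += pair.heartbeat_interval
    return pair, owners


if __name__ == "__main__":
    pair, owners = simulate(fail_at=5, run_until=12)
    for t, owner in owners:
        print(f"t={t:.0f}s VIP owner: {owner}")
    print("\n".join(pair.log))
```

With the primary silent from t=5 s, the secondary still reports the primary's last heartbeat at t=4 s, so the silence exceeds three intervals at t=8 s and the VIP moves to M50-B then. The threshold is the usual trade-off: too low and a transient heartbeat loss triggers a spurious failover (and, if both nodes decide independently, a split-brain where both claim the VIP); too high and clients see a longer outage.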
Slide 26
Slide 27
Slide 28
All-in-One Protection

Feature                              M10  M30  M50
Firewall                             X    X    X
VPN                                  X    X    X
Intrusion Prevention with blocking   X    X    X
IDS                                  X    X    X
Antivirus                            X    X    X
Web Filtering                        X    X    X
Antispam                             X    X    X
Slide 29
Performance

                                                        M10        M30        M50
Maximum Recommended Users                               100        500        2500
Stateful Throughput Speed (Firewall only)               100 Mbps   200 Mbps   1600 Mbps
Full Inspection Speed: Protecting over 600
  vulnerabilities, Blocking 0 viruses, Blocking over
  95% of spam, Blocking available for over 60M URLs
  by category                                           100 Mbps   200 Mbps   800 Mbps
Full Inspection Speed: Protecting over 600
  vulnerabilities, Blocking over 120,000 viruses over
  SMTP and POP3, Blocking over 95% of spam, Blocking
  available for over 60M URLs by category               43 Mbps    200 Mbps   566 Mbps
Maximum Connections per Second                          2,125      4,100      4,100
Maximum Concurrent Sessions                             101,000    101,000    101,000

Note: The more modules and blades you utilize, the more performance is offset.

Management

                                M10  M30  M50
Centralized Management          X    X    X
Web-Based Local Management      X    X    X
POINT OUT: M50 is too loud to run the training on but all we will see applies the same way. CAUTION: You must operate this unit with the top cover installed to ensure proper cooling. NOTE: ISS does not support use of additional PCI cards.
C - power button
D - power LED
E - hard drive activity LED
F - fault LED
G - system ID LED
H - system ID button
I - reset button
J - USB (unused)
K - NMI (unused)
L - video
Slide 31
CAUTION: Reset button immediately reboots appliance without performing normal shutdown procedure. If you use the reset button, you may lose data. Use only when a normal shutdown is not possible.
redundant AC power
one serial port
an internal interface (INT0)
an external interface (EXT1)
six additional ethernet interfaces, eth2 through eth7
one video interface
one keyboard port
strain relief
Module Review
Slide 32
You should now be able to:
Discuss the need for a unified protection solution.
Describe the six components of the Proventia M.
Discuss the differences between the M10, M30, and M50 appliances.
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.
1 hour
Module 2
Slide 34
Module Objectives
When you complete this module, you will be able to:
Install the Proventia M software and configure the appliance.
Set the time, date and time zone settings.
Change passwords.
Reboot the appliance.
Connect to the Web-based Proventia Manager.
Slide 35
Slide 36
Classroom Topology
The graphic below illustrates the final layout of the classroom at the conclusion of the exercises contained in this module.
Classroom IP Addresses
The following table highlights the resulting IP settings.
Table 1
IP Address: <LAN>.10, <LAN>.20, <LAN>.30, <LAN>.40, <LAN>.50, <LAN>.60, <LAN>.70, <LAN>.80

Appliance Name: MF49.xfeducation.local, MF39.xfeducation.local, MF29.xfeducation.local, MF19.xfeducation.local

Student pair        Appliance management address
iss30, iss40        MGMT: <LAN>.29
iss50, iss60        MGMT: <LAN>.39
iss70, iss80        MGMT: <LAN>.49
Lab: Configuration
Slide 37
Introduction
This lab walks you through the steps that you will take when configuring your Proventia M appliance:
Re-cable the network
Configure the appliance
Connect to Proventia Manager
Exercise 1
EXT2 socket.
Exercise 2
your system.
2. If asked, select to boot from the CD.
3. When prompted, boot your Proventia M appliance.
4. When prompted, press L to boot from LAN.
Note: you have 5 seconds before the system will boot normally.
POINT OUT: Should they forget the nodb option they can kill the setup when the DB CD is requested. POINT OUT: As of Firmware 3.2 there is a web setup. With earlier firmware versions there was only the admin interface via serial connection.
The system will restore the distribution image without copying the database used for the web and mail filtering. These will be copied in the following exercise.
6. Allow the appliance to reboot.
IP: 192.168.123.X/24 where X remains unchanged from the current value (if the NIC is not set to DHCP, you can simply add the new address). Note the settings as you will have to restore them.
9. Launch your web browser. Once at the browser window, enter the
10. On the Security Alert dialog, click Yes to accept the digital certificate.
11. On the login dialog, enter your user name, admin, and press TAB.
12. Enter your password, admin, and press ENTER.
13. If you are not prompted to install Java, proceed to step 21.
14. If you are prompted to install Java, click download the file here.
15. Click Open.
16. Choose I accept the terms in the license agreement, and click Next.
17. Accept the Typical installation, and click Next.
18. Click Finish.
19. Close your browser.
20. If you are prompted to restart your system, click Yes to restart and
IP Address: <LAN>.X9 (see table on page 2-4 for reference)
Netmask: 255.255.255.0
Default gateway (IP): <LAN>.GW. Your instructor will give you this address.
27. Click Next.
28. On the Name Servers screen insert Primary, Secondary and Tertiary
field add both students IP addresses space delimited <LAN>.X0 <LAN>.Y0 and click Next.
31. On the Time Zone screen select the appropriate Timezone and click Next.
32. On the Date and Time screen insert the appropriate Month, Day,
33. On the Root Password screen type in the new password iss123+
appliance.
35. On the Proventia Manager Password screen check the Same as
unauthorized users during the boot process. When you enable the bootloader password, then you must enter the root password to use a boot option other than the default.
37. Review your settings and click on Finish.
38. Read the information on the Setup Complete screen and close the browser window.
39. Restore the original Local Area Connection settings.
POINT OUT: Students won't have to go through these steps; they are added here only as reference.
press ENTER.
8. At the password prompt, type admin and press ENTER. Note: No text appears on screen when you type a password.
9. On the HTTP Authentication screen press TAB twice and press ENTER.
10. On the Welcome screen press ENTER to select Next (default position).
11. On the End User License Agreement screen, review the license
#>9.xfeducation.local.
18. TAB to the NEXT button and press ENTER.
19. On the Management Address screen insert:
IP Address: <LAN>.X9 (see table on page 2-4 for reference)
Netmask: 255.255.255.0
Default gateway (IP): <LAN>.GW. Your instructor will give you this address.
20. TAB to the NEXT button and press ENTER.
21. On the Name Servers screen, type the IP address of the Primary, Secondary and Tertiary nameserver. Your instructor will provide this IP address.
22. TAB to the NEXT button and press ENTER.
23. On the DNS Search Path screen, type the DNS search path list name, xfeducation.local.
24. TAB to the NEXT button and press ENTER.
POINT OUT: By typing a letter the cursor moves to the first entry starting with it. Use PgDn and PgUp to move more quickly.
25. On the Configure Time Zones screen, select the appropriate time zone by pressing ENTER and scrolling to desired value (the default time zone is America/New York).
26. TAB to the NEXT button and press ENTER.
27. On the Date and Time insert the appropriate Month, Day, Year,
as Root, press TAB 3 times to the NEXT button and press ENTER.
33. On the Proventia Manager Password screen press ENTER to select Same as Root, press TAB 3 times to the NEXT button and press ENTER.
34. On the Enable Bootloader Password screen, press ENTER to select Enable, press TAB twice to the NEXT button and press ENTER.
35. Scroll the Setting Review and press ENTER when the cursor is positioned on Finish.
36. After the request is sent and the system reboots, press CTRL+G to
Exercise 3
POINT OUT: This is the way to connect via HyperTerminal even when there are no troubles.
3. Click OK to accept the connection via COM1.
4. Select 9600 Bits per second and click OK to start the connection.
5. Under File > Properties select the Settings tab.
6. Select VT100 under Emulation and click OK to accept the settings.
7. Under File > Save As... save the settings for future perusal by just clicking on Save.
8. Press ENTER to see the prompt.
9. Log into Proventia as root.
10. Enter your password, iss123+.
11. Type reboot and press ENTER.
Exercise 4
STATE: Make sure to put an s at the end of http (https) or it won't work. POINT OUT: This can happen only if the appliance was configured via the LMI.
certificate.
3. On the login dialog, enter your user name, admin, and press TAB.
4. Enter your password, iss123+, and press ENTER.
5. If you are not prompted to install Java, proceed to step 14.
6. If you are prompted to install Java, click download the file here.
7. Click Open.
8. Choose I accept the terms in the license agreement, and click Next.
9. Accept the Typical installation, and click Next.
10. Click Finish.
11. Close your browser.
12. If you are prompted to restart your system, click Yes to restart.
13. Proceed from step 4.
14. If you are prompted that the Certificate is not valid, click Yes or OK to continue.
15. If the Hostname Mismatch message dialog appears, click Yes or OK to continue.
16. You may be prompted to log in a second time. If so, on the login
Module Review
Slide 38
You should now be able to:
Install the Proventia M software and configure the appliance.
Set the time, date and time zone settings.
Change passwords.
Reboot the appliance.
Connect to the Web-based Proventia Manager.

Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.
1 hour
General Settings
Module 3
Slide 40
Module Objectives
When you complete this module, you will be able to:
Install license keys.
Install firmware and security updates.
Describe information on the Home page.
Get the status of Proventia components on your system.
Describe information in the System node and subnodes.
Locate ISS contact and support information.
Set up your basic configuration.
The License
The Home page
The Home page provides a snapshot of the current status of the appliance as well as access to all modules.
EXPLAIN: To completely exit out of a Proventia M session, you must click the End Session button and close your browser.
Proventia Licensing

EXPLAIN: Base license covers HW maintenance, firmware update, security content downloads, and the IPS module is essentially free with the firewall purchase. On the M10 there are only 2 licenses. EXPLAIN: It is important to install the IP license first.

The auto update and/or download mechanisms require a license in order to function. Before you can install the license key file, you must do the following:
Register your customer license.
Download the license key file from the ISS Registration Center.
Slide 41
Lab: Licensing
Installing the license key file.
Exercise 5
given to you by the instructor. Click Open. The file path appears in the field.
4. Click Upload.
5. Locate and select the AntiVirus license key file that was given to you by the instructor. Click Open. The file directory path appears in the field.
6. Click Upload.
7. Note your license information now on the page.
Introduction
You should always make sure your appliance is running the latest firmware, security content, and database updates. The updates that you can install are:
Firmware updates
Security content updates
Database updates
Note: Your appliance retrieves updates from the ISS Download Center,
Update Status
The Update Status page lets you know if you are up-to-date and gives you your update history.
Update Alerts
On the Alerts page, you can filter for information on appliance updates.
On this page, you will do the following:
Enable or disable automatic updates
Enable or disable automatic installations
Schedule automatic updates and installations
Set up HTTP proxy

You can set up the following automatic options:
Automatically Check for Updates: This option automatically checks for new updates that are available for download and installation.

Automatically Download Security, Database and Firmware Updates: These options automatically download intrusion prevention, antivirus, and firmware updates based on your settings.

Automatically Install Firmware Updates: This option automatically installs firmware updates based on your settings. You can also enable the option to automatically perform a full system backup before the appliance installs each firmware update.

Automatically Update Web Filter and Antispam Database: This option downloads and applies updates to the Web Filter and Antispam Database.

Note: You must install an Intrusion Prevention license before you can configure automatic updates.

Defining Settings

You must define the following when configuring automatic updates for your appliance:
When the appliance automatically checks for updates
When to download and install security updates
When to download database updates
When to download firmware updates
How and when to install firmware updates
Which firmware update version(s) to install
On this page you will be able to configure a different server than the default one at ISS. When using a different server you will have to specify its name (or IP address if DNS resolution might be problematic), the port (3994 is used to talk to SiteProtector's Update Server), the trust level and the CA Certificate if you decide to use the explicit-trust security level.
Event Notification Tab

On this page you will be able to configure the notification settings for available updates, for update installation and for update errors. The three different types of notification are email, SNMP or notification via SiteProtector.

Advanced Parameters Tab

You can configure (or tune) certain parameters for the appliance to better meet your security needs, e.g. for a specific update retrieval policy and update storage policy.

Advanced parameters are composed of name/value pairs. Each name/value pair has a default value. Not all general settings advanced parameters appear here, but the most often used ones do.
If you do not want to use the default value, you can add or edit name/value pairs for any component that can be tuned.
Retrieving Updates
Your appliance retrieves updates from the ISS Download Center, accessible over the Internet. The appliance first checks for updates that have been downloaded, but not yet installed. Then, it connects to the ISS download center or other network location that is specified in the Source Location field of the Automatic Update Settings page for updates that have not been downloaded. To manually find updates, click the button on the Update Status page.
Note: If you have enabled email notification for System Informative Events, the appliance notifies you via email when updates are available to download and install.
In addition, if you use SiteProtector to manage your appliance, you can configure the appliance to use the SiteProtector X-Press Update Server as an alternate update server (instead of the ISS Download Center). You will configure the appliance to use the SiteProtector X-Press Update Server on the Automatic Update Settings page.
Slide 43
Exercise 6
you will see that they have not yet been downloaded.
9. Select the Maintenance > Updates > Available Downloads node
POINT OUT: The same command could be used to transfer update packages.
INSTRUCTOR: Tell the students whether they should wait for the updates or go ahead.
POINT OUT: We will not install any firmware update; this is where Install Firmware Updates would be selected.
<path>\pscp.exe <updates path>\*.db root@<LAN>.X9:/cache/ofconf/ofdb
Note: Once this transfer has started you will have to wait for it to finish before you can install firmware updates. Decide together with the instructor whether it is better to update the appliance before uploading the database.
12. If prompted, type y and ENTER.
13. Type the root password iss123+.
14. When the transfer is finished you are positioned in the Maintenance > Updates > Status node. In the Updates window, in the Intrusion Prevention section click on Install Now.
15. In the Updates window, in the Antivirus section click on Install Now.
16. Go to the Maintenance > Updates > Automatic Settings node.
17. In the Automatically Check For Updates area, select an Interval of 60 minutes.
18. In the Security Updates area, enable both Automatically Download
INSTRUCTOR: It is important to enable the filter DB update because it will trigger the creation of the index file and categories file.
19. In the Web Filter & Antispam Database Updates area, enable
Navigation Tree
In the left pane, this tree gives you quick access to any module page in the Proventa Manager. You can minimize or maximize the navigation pane by clicking on the icon on the top right.
Device Name
Located in the top right corner, this is the appliance domain name you configured during setup.
End Session
In order to completely exit a Proventa M session, you must click the End Session button and close your browser.
Protection Status
This describes the current status of each of the Proventa components. In addition, each component name is a link to that component's status page. The status page includes statistics that may help you identify a problem in the event of an unexpected component status.
EXPLAIN: Antivirus status is stopped when you first install because Antivirus functionality has not yet been enabled.
You can determine the current status of a component by glancing at the status icon. The status icons are as follows:
Indicates that the component is active.
Indicates that the component is stopped.
Indicates that the component is in an unknown state. This status may require immediate attention.
EXPLAIN: You can also access module status info from SiteProtector if the appliance is managed centrally.
Module Status
This area describes the current status of each module in the appliance. You can access this information from the Home Page in two ways:
1. Click on the module name in the Protection Status area
2. Click on the module name in the navigation pane (Status > Module Status).
Help
TRANSITION: In the rest of this module, we're going to cover System Settings, Backup and Recovery, Updates, Support and Logs.
ISS Help is based on Web technologies and uses Internet Explorer (the browser) as its viewer. Topics use many common features of Web pages, such as links to other information. The built-in functionality of Internet Explorer is also available.
System Status
Slide 44
There are three tabs within the Status > System area. Each one provides useful information for analyzing your system. When you select the Status node, the System Status page appears, displaying statistics for memory usage, CPU usage, the bridge configuration, and the internal and external interfaces.
Logs Status
The Logs Status page displays summary data for the Alert Event Log statistics:
The number of alert events that have been written to the log file.
The percentage of allocated space that contains alert event log entries.
The date and time of the last alert written to the log file.
Alerts
This is the same interface used for the Log Alerts (see Alerts on page 3-20), filtered by System alert type.
Refreshing Data
STATE: This is the first place we are seeing the Refresh Data option. Let's take a minute and discuss it.
The Proventa M allows you to refresh data on a page manually or automatically at the following intervals:
Now (use to manually refresh the page)
Every 10 seconds
Every 20 seconds
Every 30 seconds
Every 1 minute
Every 2 minutes
Auto off (use to disable automatic refresh)
You will determine the refresh setting for each module separately.
Logs
Messages for all components are logged on the Proventa M. It's essentially the same thing as a console, only web-based. Events generated by all components are formatted with the appropriate information and presented in the Logs area for correlation. There are two tabs within the Logs area. Each one provides useful information for you to use in analyzing your system.
Alerts
EXPLAIN: The Alert Event Log keeps 31 days' worth of information in a rolling refresh.
The Alert Event Log is a subset of the events in the System Event Log, pulled out of the system log and presented in an ordered, easy-to-read fashion. This is where you would look for information such as traffic blocked by a firewall rule or VPN conflicts preventing clients from connecting. When you click on an event name, you are presented with the details of that event.
EXPLAIN: The circled X icon after an event name will take you to online X-Force Help. Antivirus events will be followed by a bug icon which will take you straight to the SOPHOS web page.
POINT OUT: The Refresh dropdown.
This page also allows you to access Log File Management, where you save, clear, and view log files.
Clicking on the circled X icon just after an event name will take you to online X-Force help about this issue. Antivirus events will be followed by a bug icon which will take you straight to the SOPHOS web page.
System Logs
This is a graphical representation of the system log. This is not M-specific information, but it is useful for application or system issues.
Configuration Settings
Slide 45
You will use Configuration settings to configure access to the appliance and passwords, SMTP and HTTP proxy servers, time settings, SSH, service groups, and SiteProtector management. Once you click the Configuration > System node in the navigation tree, the following subnodes are displayed (remember the appliance is configured in transparent mode; more/different subnodes are available in routing mode and will be discussed later in the training):
Appliance Access
Networking
Interfaces
Routing
Notification
Passwords
Appliance Access
When the appliance is in transparent mode, all interfaces reply to the same management IP address (see Network on page 3-26 for further details). You can use one of the following options to determine which systems are allowed to connect to the management interface: Single IP Address, Static Address, Address Name, Dynamic Address Name, Address Range, Static Address Range, Address Range Name, Dynamic Address Range Name.
Network
NOTE: Go through options on the screen and show them what was entered during installation.
The Network Configuration page houses configuration for the appliance network interface cards. This is the same data that you first entered when you reinstalled the appliance. You can alter that data here.
Network Interfaces
This page is where you can change the settings you configured for the Management Address when you installed the appliance.
Routing
NOTE: Open the Add screen and discuss.
If necessary, static routes may be added through the Routing tab.
Notification
You will use the Event Notification Options page to configure how the appliance sends notification responses for events. There are three tabs within the Notification area:
Delivery Setup
Event Notification
Advanced Parameters
EXPLAIN: Leaving the body format blank will send full event details.
Note: Leaving the body format blank will send full event details.
This table describes icons that may appear on the page:
If this icon appears next to a field on this page, then data is required in the field or the data in the field is invalid. If the icon appears next to a policy or a tab on this page, then the policy or tab contains invalid settings or empty fields that require data.
If this icon appears at the top of a list, you can select an item in the list and click the icon to move the item toward the top of the list.
If this icon appears at the top of a list, you can select an item in the list and click the icon to move the item toward the bottom of the list.
If this icon appears at the top of a list, you can select an item in the list and click the icon to copy the item to the clipboard.
If this icon appears at the top of a list, you can select an item in the list and click the icon to paste the item from the clipboard into the list. Then, you can edit the pasted item.
STATE: The Alert Logging for System Informative Events option is useful for firmware updates or auto download when you're not auto installing. In this case, it will notify you that the update has been downloaded.
By default the first option is enabled, so you need to make sure to enter an email address.
Passwords
You will use the Configuration > System > Password page to manage the appliance passwords.
Root: for the command line; it should be used with ISS Tech Support assistance.
Admin: terminal account which invokes the reconfiguration process.
Proventa Mgr User: separate account for logging into the interface.
Boot Loader: protects the appliance from unauthorized users during the boot process. When you enable the bootloader password, you must enter the root password to use a boot option other than the default.
Note: To change passwords, you must enter both your current and new passwords.
Services
Use the Service page to enable and configure the following:
SSH
SMTP proxy
HTTP proxy
SNMP response
Note: If SSH is disabled, the only way into the machine is via the serial cable.
SMTP Tab
EXPLAIN: This will be covered in depth in the Antivirus module.
You must configure the SMTP proxy server to use the Antivirus and Antispam modules. This will allow you to scan files for viruses and to prevent the use of your email server in sending SPAM to others.
Item: My Domain
Description: The primary domain where you expect mail to be coming to and going from. This option is used to prevent spam and open relay.
Item: Relay IPs
Description: Allow users to email other domains and allow inbound email to the internal network and from other top level domains.
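The relay decision the My Domain and Relay IPs settings drive can be made concrete. The following is an added example written for this guide, not the appliance's SMTP proxy code: it models an accept/reject decision per recipient, with the domain, relay networks and sample transactions all constructed. It shows why mail for your own domain is accepted from anyone while mail for other domains is accepted only from listed internal addresses, which is exactly the open-relay protection the table describes.

```python
"""Added example: an SMTP relay-acceptance decision modelled on the My Domain and
Relay IPs settings. Illustrative code, not the appliance's implementation; the
configuration and the sample transactions below are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed configuration standing in for the two settings on the SMTP tab.
MY_DOMAIN = "example.com"
RELAY_IPS = ["192.168.10.0/24", "10.1.2.3"]   # CIDR ranges or single hosts


def relay_decision(rcpt_to: str, client_ip: str,
                   my_domain: str = MY_DOMAIN,
                   relay_ips: Iterable[str] = RELAY_IPS) -> str:
    """Classify one RCPT TO as inbound, authorised relay, or open-relay attempt.

    - Mail addressed to My Domain is inbound and is accepted from any client.
    - Mail to any other domain is relaying; it is accepted only when the
      connecting client falls inside one of the Relay IP networks.
    - Anything else is refused, which is what keeps the server from being an
      open relay that strangers can use to send spam.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower().strip(">")
    if rcpt_domain == my_domain.lower():
        return "accept-inbound"
    client = ipaddress.ip_address(client_ip)
    for net in relay_ips:
        if client in ipaddress.ip_network(net, strict=False):
            return "accept-relay"
    return "reject-open-relay"


# Constructed transactions: (client IP, recipient). 203.0.113.0/24 is the RFC 5737
# documentation range and stands in for an unknown host on the Internet.
SAMPLE_TRANSACTIONS: List[Tuple[str, str]] = [
    ("203.0.113.9", "alice@example.com"),      # inbound mail from the Internet
    ("192.168.10.25", "bob@partner.test"),     # internal user sending out
    ("203.0.113.9", "victim@partner.test"),    # stranger trying to relay through us
    ("10.1.2.3", "carol@example.org"),         # single listed relay host
]


def evaluate_samples() -> List[str]:
    """Run every constructed transaction through the policy."""
    return [relay_decision(rcpt, ip) for ip, rcpt in SAMPLE_TRANSACTIONS]


if __name__ == "__main__":
    for (ip, rcpt), verdict in zip(SAMPLE_TRANSACTIONS, evaluate_samples()):
        print(f"{ip:>15}  RCPT TO:<{rcpt}>  ->  {verdict}")
```

The third transaction is the one the setting exists for: an outside host handing the proxy mail for a third domain is refused, so the appliance cannot be used to launder spam.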
SNMP Tab
The SNMP tab allows you to configure SNMP to poll the device for information and specify the SNMP server where traps are processed. You can configure two SNMP responses:
SNMP Get
SNMP Traps
SiteProtector
EXPLAIN: This will be covered in depth in an upcoming module.
You will use the SiteProtector Management page to do the following:
Register your appliance with a SiteProtector desktop controller
Manage most appliance functions in SiteProtector
Add multiple Agent Managers
EXPLAIN: The appliance will try to heartbeat into the agent managers in the order in which they are listed.
Note: The appliance will try to heartbeat into the agent managers in the order in which they are listed.
Time
Use the Time Settings page to configure the date, time, and time zone. In addition, use this page to enable and configure Network Time Protocol (NTP).
Maintenance Settings
Slide 46
You will use Maintenance settings to configure backup and recovery settings, manage the Filter Database, Licensing, and the Updates settings. Once you click the Maintenance node in the navigation tree, the following subnodes are displayed.
Backup and Recovery (see page 3-45)
STATE: We will now take a look at the tabs we have not seen yet.
Filter DB
EXPLAIN: This will be covered in depth in an upcoming module.
Use the Web Filter and Antispam Database page to:
View database status
Download or overwrite the database
Use advanced tuning parameters
When the Integrated security appliance has been re-initialized without a database, the system won't have any information to show and will not allow any of the filtering tasks to be enabled before a filter database is downloaded or uploaded.
Once a valid database is locally available, the page will show its version:
Tools
You can use the options on the System Tools page to do the following:
Reboot or shut down the appliance
NOTE: The features on this page are available only in Proventa Manager; you cannot perform these tasks from the SiteProtector interface.
Use the traceroute utility to provide a list of all the routers along the path to a computer or destination
Ping a computer on your network to determine whether it is reachable
Traceroute Protocols
You can use two types of protocols for the traceroute utility:
UDP (UNIX "traceroute" command)
ICMP (Windows "tracert" command)
When you select a UDP traceroute protocol, the appliance sends a UDP packet to a random port on the target host. The TTL (Time to Live) field and the destination port field are incremented for each "ICMP Port Unreachable" message that is returned, or until 30 hops are reached.
When you select an ICMP traceroute protocol, the TTL (Time to Live) field and the destination port field are incremented for each "ICMP Echo Request" message that is returned, or until 30 hops are reached.
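The two traceroute variants differ only in the probe they send and in the reply that tells them the destination has been reached. The following is an added example written for this guide, not the appliance's tool: it walks a constructed path hop by hop, raising the TTL by one per probe, and stops at the protocol-specific final reply or at the 30-hop limit. It sends one probe per TTL and ignores timeouts, and the 33434 starting port is the conventional UNIX traceroute default, assumed here rather than taken from the page.

```python
"""Added example: a model of how UDP and ICMP traceroute walk a path. Illustrative
code, not the appliance's implementation; the path is a constructed list of
addresses and UDP_BASE_PORT is the conventional UNIX default, assumed here."""
from typing import List, Tuple

MAX_HOPS = 30
UDP_BASE_PORT = 33434

Hop = Tuple[int, int, str, str]   # (ttl, dst port or 0, responder, reply type)


def probe(path: List[str], ttl: int, protocol: str) -> Tuple[str, str]:
    """Answer one probe sent with the given TTL along a constructed path.

    path lists every router between the prober and the destination, destination
    last. Each router decrements TTL; the router that sees it reach zero drops
    the probe and returns ICMP Time Exceeded. A probe whose TTL survives to the
    destination draws the protocol-specific final reply: ICMP Port Unreachable
    for a UDP probe to an unused high port, ICMP Echo Reply for an Echo Request.
    """
    if ttl < len(path):
        return path[ttl - 1], "ICMP Time Exceeded"
    if protocol == "udp":
        return path[-1], "ICMP Port Unreachable"
    return path[-1], "ICMP Echo Reply"


def traceroute(path: List[str], protocol: str = "udp") -> List[Hop]:
    """Send probes with TTL 1, 2, 3, ... until a final reply arrives or the
    30-hop limit is reached. For UDP the destination port advances with the
    TTL so each reply can be matched to the probe that caused it."""
    if protocol not in ("udp", "icmp"):
        raise ValueError("protocol must be 'udp' or 'icmp'")
    hops: List[Hop] = []
    for ttl in range(1, MAX_HOPS + 1):
        port = UDP_BASE_PORT + ttl - 1 if protocol == "udp" else 0
        responder, reply = probe(path, ttl, protocol)
        hops.append((ttl, port, responder, reply))
        if reply != "ICMP Time Exceeded":
            break          # the destination answered; the path is complete
    return hops


# Constructed path: three routers, then the destination host (RFC 5737 ranges).
SAMPLE_PATH = ["192.0.2.1", "192.0.2.254", "198.51.100.1", "198.51.100.77"]

if __name__ == "__main__":
    for proto in ("udp", "icmp"):
        print(f"--- {proto} traceroute ---")
        for ttl, port, who, reply in traceroute(SAMPLE_PATH, proto):
            port_txt = f" port {port}" if port else ""
            print(f"{ttl:2}{port_txt}  {who:15}  {reply}")
```

Running it against a path longer than 30 entries shows the cap: every reply is Time Exceeded and the trace ends at hop 30 without a final answer, which is also what you see when a far-off host simply never replies.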
Snapshots
A snapshot is a file that stores your appliance's configuration settings. You can use the file to restore the appliance's settings or to configure the settings on another appliance.
System/Full Backup
Backups store the operating system and configuration of the appliance. When you restore from a system backup, you restore the appliance to a previous state.
EXPLAIN: You should create a full system backup before you apply firmware updates and when you need to save your configuration.
You should create a full system backup before you apply firmware updates and when you need to save your configuration.
You can have only one system backup. Creating a system backup overwrites the previous backup. Creating a system backup takes the appliance offline and disrupts connectivity for several minutes. If you configure the appliance and then click Restore from Backup before you create a system backup, the appliance is restored from the default system backup. This default backup does not contain your system configuration. You cannot log into the Proventa Manager interface until you reconfigure the appliance using the Proventa Setup utility (the command line interface).
In addition to creating a system backup before applying a firmware update, ISS recommends that you download snapshot files to a local computer. After you restore the system from backup, be sure that you close all browser windows and clear the Java cache before you log back into the Proventa Manager. If you do not, the Proventa Manager may behave unpredictably after the system restore is completed.
Support
Clicking on the Support node in the navigation tree displays self-help information such as the ISS Knowledgebase and product documentation.
Support Contacts
Clicking on the Support Contacts subnode displays the following ISS support information:
This page allows you to create, delete, or download data files that capture appliance information.
Note: Support data files have a .tgz file extension.
Introduction
Complete the following exercises to:
Configure an email response
Disable Email System Warning Notification
Exercise 7
click Add.
3. The Add Email Configuration window appears. Type Email Note
email notifications.
5. In the To field, enter sp_partner1.
6. Click the Subject Format arrow to see a list of message subject
Exercise 8
Module Review
Slide 48
You should now be able to:
Install a license key.
Install firmware and security updates.
Describe information on the Home page.
Get the status of Proventa components on your system.
Describe information in the System node and subnodes.
Locate ISS contact and support information.
Set up your basic configuration.
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.
45 minutes
Transparent Mode
Module 4
Slide 50
Module Objectives
When you complete this module, you will be able to:
Describe Transparent Mode functionality.
Explain how to configure Local Routers.
Describe the use of Spanning Tree Protocol to set up a Failover Configuration.
Transparent Mode
Slide 51
Introduction
When your appliance is in Transparent Mode, it acts as a bridge device and filters packets that traverse the firewall, without modifying any of the source or destination information in the IP packet header. The IP addresses of all interfaces are set to 0.0.0.0, which makes the presence of the appliance invisible to the network. When you power on an appliance in transparent mode, the access policies required to allow traffic through the appliance are enabled by default.
Slide 52
Slide 53
Slide 54
A Note About Transparent Mode and VPN
Although the appliance does not function as a VPN appliance, in transparent mode, VPN traffic can still travel through the appliance to another VPN transportation point. If you want to see alerts about VPN traffic, you can configure alert notification for these events on the Firewall/VPN Event Notification tab.
Slide 55
The management IP, configured during your appliance setup, should reside within the same IP range as your external gateway IP address. The management IP is restricted, by default, to hosts on the same subnet. Hosts on different IP subnets that need to manage the Proventa appliance require appropriate static routes and access rules. In this example, the management address (10.10.10.2) is a virtual IP configured during your appliance setup. The internal and external interfaces do not apply in transparent mode and do not need IPs.
Introduction
The Local Routers tab only appears when you are in transparent mode, and you will need to configure the IP addresses of routers that reside in the same network segment as your appliance. The appliance uses this information to resolve destination MAC addresses that it does not find in its internal forwarding database. When the appliance receives a packet, it checks the IP address of the packet against the IP addresses and destination MAC addresses in its internal forwarding database. The appliance sends an ARP message to:
Each local router IP address
The destination IP address of the packet that has no destination MAC address
When each local router responds with its ARP information, the appliance can resolve the packet's IP address with the destination MAC address.
In the Proventa Manager, select the following nodes: Configuration > Firewall, or, in the SiteProtector interface navigation pane, select the Firewall/VPN node, and then select Settings.
2. Select the Local Routers tab.
3. Click Add. The Add Local Routers window appears.
4. Type a name for the router in the Name box.
5. Type the IP address for the router in the Router IP Address field.
In the Proventa Manager interface, click Save Changes. In the SiteProtector interface, click OK.
Introduction
When your appliance is in transparent mode, you cannot use the high availability functionality. You can, however, use Spanning Tree Protocol (STP), a link management protocol that is part of the IEEE 802.1 standard for media access control bridges, to configure your appliance for failover to a second appliance.
Slide 58
Slide 59
STP allows only one active path at a time between any two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail. If STP costs change, or if one network segment in the STP becomes unreachable, the spanning tree algorithm reconfigures the spanning tree topology and reestablishes the link by activating the standby path. Without spanning tree in place, it is possible that both connections may be simultaneously live, which could result in an endless loop of traffic on the LAN.
Slide 60
STP Illustration
Here is a diagram illustrating the physical connectivity for two appliances in transparent mode failover configuration:
Hub/Switch 1 connects M1(eth0) and M2(eth0)
Hub/Switch 2 connects M1(eth1) and M2(eth1)
Slide 61
Bridge IDs
STP requires that:
Each bridge is assigned a unique identifier, typically the bridge's MAC address plus a priority value
On each bridge, each port is also assigned a unique identifier on the bridge, typically the port's MAC address
Each bridge port is associated with a path cost that represents the cost of transmitting a packet to the LAN on that port
Slide 62
1. Select a root bridge. The bridge with the lowest assigned priority value becomes the root bridge. This is the only bridge on all the connected LANs that performs the root bridge function.
2. Select a root port. Each bridge identifies a root port that it uses to connect to the root bridge. The root port has the lowest assigned path cost.
3. Select a designated bridge for each LAN. The designated bridge has the path with the lowest cost value to the root bridge, and forwards packets from that LAN to the root bridge.
4. Select a designated port for each bridge. This is the port that each bridge on the LAN uses to connect to the designated bridge.
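The four selections above can be run by hand on the two-appliance topology from the STP illustration. The following is an added example written for this guide, not the appliance's STP implementation: it elects the root bridge, each bridge's root port and each LAN's designated bridge and port, and reports which port is left blocking. Bridge priorities, MAC addresses (from the IANA documentation range) and port costs are constructed, and the BPDU comparison is simplified to the tuple (root path cost, sender bridge ID, receiving port), which is enough to reproduce the election and the failover.

```python
"""Added example: STP root bridge / root port / designated bridge election over the
two-appliance failover topology. Illustrative code, not the appliance's STP
implementation; priorities, MACs and costs are constructed."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BridgeId = Tuple[int, str]   # (priority, MAC); the lower tuple wins


@dataclass(frozen=True)
class Port:
    bridge: str
    name: str
    lan: str
    cost: int      # path cost of reaching this LAN through this port


def run_stp(bridges: Dict[str, BridgeId], ports: List[Port]) -> dict:
    """Elect the root bridge, then each bridge's root port and each LAN's
    designated bridge and port. Root path cost propagates Dijkstra-style: a
    bridge takes the offer with the lowest (cost, sender bridge ID, receiving
    port) tuple, mirroring how STP ranks configuration BPDUs. Assumes every
    bridge is reachable from the root."""
    root = min(bridges, key=lambda b: bridges[b])
    by_lan: Dict[str, List[Port]] = {}
    for p in ports:
        by_lan.setdefault(p.lan, []).append(p)

    # best[bridge] = (root path cost, ID of the bridge it learned from, root port)
    best = {root: (0, None, None)}
    heap = [(0, bridges[root], root)]
    settled: Set[str] = set()
    while heap:
        cost, own_id, name = heapq.heappop(heap)
        if name in settled:
            continue
        settled.add(name)
        for out in ports:                      # this bridge offers BPDUs on every LAN it touches
            if out.bridge != name:
                continue
            for inbound in by_lan[out.lan]:
                if inbound.bridge in (name, root):
                    continue
                offer = (cost + inbound.cost, own_id, inbound.name)
                if inbound.bridge not in best or offer < best[inbound.bridge]:
                    best[inbound.bridge] = offer
                    heapq.heappush(heap, (offer[0], bridges[inbound.bridge], inbound.bridge))

    designated = {}
    for lan, plist in by_lan.items():          # lowest root path cost, then lowest bridge ID
        dp = min(plist, key=lambda p: (best[p.bridge][0], bridges[p.bridge], p.name))
        designated[lan] = (dp.bridge, dp.name)
    return {
        "root": root,
        "path_cost": {b: best[b][0] for b in bridges},
        "root_port": {b: best[b][2] for b in bridges if b != root},
        "designated": designated,
    }


def blocked_ports(result: dict, ports: List[Port]) -> Set[Tuple[str, str]]:
    """Ports that are neither a root port nor a designated port go to blocking;
    that is what removes the loop."""
    forwarding = set(result["designated"].values()) | set(result["root_port"].items())
    return {(p.bridge, p.name) for p in ports} - forwarding


# Constructed topology from the illustration: Hub/Switch 1 joins M1(eth0) and
# M2(eth0); Hub/Switch 2 joins M1(eth1) and M2(eth1). Both keep the default
# priority, so the lower MAC address decides the root election.
BRIDGES: Dict[str, BridgeId] = {
    "M1": (32768, "00:00:5e:00:53:01"),
    "M2": (32768, "00:00:5e:00:53:02"),
}
PORTS: List[Port] = [
    Port("M1", "eth0", "switch1", 100), Port("M1", "eth1", "switch2", 100),
    Port("M2", "eth0", "switch1", 100), Port("M2", "eth1", "switch2", 100),
]


def after_failure(failed: str) -> dict:
    """Re-run the election with one appliance gone, as STP does once the
    root's hello BPDUs stop arriving."""
    bridges = {b: v for b, v in BRIDGES.items() if b != failed}
    return run_stp(bridges, [p for p in PORTS if p.bridge != failed])


if __name__ == "__main__":
    normal = run_stp(BRIDGES, PORTS)
    print("root:", normal["root"], " blocked:", sorted(blocked_ports(normal, PORTS)))
    fo = after_failure("M1")
    print("after M1 fails -> root:", fo["root"], " blocked:", sorted(blocked_ports(fo, [p for p in PORTS if p.bridge != "M1"])))
```

With both appliances up, M1 wins the root election on its lower MAC, is designated on both switches, and M2 keeps eth0 as its root port while eth1 blocks; remove M1 and M2 becomes root with both ports forwarding, which is the failover the topology is built for.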
STP Tasks
You will perform the following tasks to configure failover protection for two appliances in Transparent Mode:
Task 1: Make sure that both appliances are connected to a managed switch that has Spanning Tree Protocol (STP 802.1D) enabled.
Task 2: Install the first appliance using one cable to connect only a single interface (not more than one). Use Proventa Setup Assistant to configure the appliance for Transparent Mode. Important: Assign a unique IP address for management purposes.
Task 3: Install the other appliance using one cable to connect only a single interface (not more than one), using a unique IP address for management purposes.
Task 4: On the first appliance, go to the Spanning Tree Tab and select the Spanning Tree Protocol Enabled checkbox. Accept all other default settings on this tab, and then click Save.
Task 5: On the other appliance, go to the Spanning Tree Tab and select the Spanning Tree Protocol Enabled checkbox. Accept all other default settings on this tab, and then click Save.
Tip: Open two Web browsers so that you can easily access both
In the Proventa Manager interface navigation pane, click + to expand the System node, select the Networking node, and then select the Spanning Tree tab. In the SiteProtector interface navigation pane, select the Networking node, and then select the Spanning Tree tab.
Note: You must first select Transparent from the Mode list for this tab to appear.
2. Select the Spanning Tree Protocol Enabled checkbox.
3. In the Maximum Age (secs) field, use the up and down arrows to specify the maximum number of seconds that the appliance waits before it discards protocol information received on a port.
4. In the Hello Time (secs) field, use the up and down arrows to specify the maximum number of seconds that the appliance waits between sending STP hello broadcast messages.
5. In the Forward Delay (secs) field, use the up and down arrows to specify the number of seconds that the appliance waits before forwarding packets.
6. In the Aging Delay (secs) field, use the up and down arrows to specify the maximum number of seconds that the appliance waits before aging out dynamically learned forwarding information.
7. Do one of the following:
In the Proventa Manager interface, click Save Changes. In the SiteProtector interface, click OK.
Slide 63
Slide 64
If you enable STP on a Proventa appliance that is connected to other managed devices, STP topology changes could cause network traffic to bypass the appliance. If the network traffic bypasses the appliance, then the traffic bypasses appliance security functionality. Non-STP devices do not monitor the STP heartbeats and are not aware of a topology change, so you must enable STP on the managed device for the failover to occur. Non-STP switches will continue to relate MAC addresses to the original switch ports. If you use Spanning Tree Protocol to enable HA for transparent mode appliances, SiteProtector sees the appliances by their management IPs as two different, unrelated systems. You should make sure, however, that both appliances have identical configurations and policies.
Module Review
Slide 65
You should now be able to:
Describe Transparent Mode functionality.
Explain how to configure Local Routers.
Describe the use of Spanning Tree Protocol to set up a Failover Configuration.
Take this opportunity to ask questions about the information we have discussed.
45 minutes
Intrusion Prevention
Module 5
Slide 67
Module Objectives
When you complete this module, you will be able to:
Discuss components of the Proventa M intrusion prevention module.
Detect and block an attack.
View events.
Slide 69
Slide 70
Proventa M Intrusion Prevention consists of two components, the Protocol Analysis Module and the Quarantined Rules Table. Here is a brief description of both: Protocol Analysis Module (PAM) The core of the intrusion prevention module, PAM is capable of analyzing and reporting more than 1500 network events. Currently, over 600 of these events have a dynamic blocking response enabled.
STATE: Proventa's Intrusion Prevention consists of two modules: PAM and the Quarantine Rules table. Here is a brief description of both.
EXPLAIN: Signatures are based on vulnerabilities, not exploits. We are stopping them before the exploit is released.
Quarantine Rules Table (QRT) Populated by PAM/IPM as a response to events, this table consists of dynamically created quarantine rules. These rules specify the packets to block and the length of time to block them.
EXPLAIN: PAM looks for inconsistencies in behavior. Signatures look for specific behavior; PAM evaluates behavior and compares it against known standards or expected behavior.
Slide 72
Structural analysis of packets is the first step in protocol analysis. By analyzing individual IP header fields relative to known field structure, bit definitions, and RFC compliance guidelines, it is possible to identify anomalous packets. The next step is to apply intelligent parsing technology. Protocol analysis provides fast and efficient processing by minimizing the number of calculations required to identify an attack. It is also highly accurate because it can determine what a packet actually is and how it behaves on the network, as opposed to what it appears to be.
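The structural step described above, checking header fields against the layout and bit definitions the RFC fixes, can be shown on a single IPv4 header. The following is an added example written for this guide, not PAM itself: it parses the 20-byte fixed header, checks version, IHL, total length, TTL, the flag bits and the header checksum for internal consistency, and reports each inconsistency. The packets it inspects are constructed in the module, with a builder that can deliberately write one inconsistent field so that each check can be exercised.

```python
"""Added example: structural analysis of an IPv4 header in the spirit of the first
protocol-analysis step. Illustrative code, not PAM; the packets are constructed."""
import ipaddress
import struct
from typing import List, Optional

HEADER_FMT = "!BBHHHBBH4s4s"   # RFC 791 fixed 20-byte header layout
MIN_HEADER_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header whose
    checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyze_ipv4(packet: bytes) -> List[str]:
    """Return the structural anomalies found in one IPv4 packet.

    Each check compares a header field against the field definitions in RFC 791
    or against the packet actually seen on the wire. An empty list means the
    header is internally consistent."""
    if len(packet) < MIN_HEADER_LEN:
        return ["truncated: fewer than 20 bytes"]
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, _proto, _csum, _src, _dst) = struct.unpack(HEADER_FMT, packet[:20])
    anomalies: List[str] = []
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    flags = flags_frag >> 13              # reserved, DF, MF
    frag_offset = flags_frag & 0x1FFF

    if version != 4:
        anomalies.append(f"version field is {version}, expected 4")
    if ihl < MIN_HEADER_LEN:
        anomalies.append(f"IHL of {ihl} bytes is below the 20-byte minimum")
    elif ihl > len(packet):
        anomalies.append("IHL claims more header bytes than were captured")
    if total_len < ihl:
        anomalies.append("total length is smaller than the header length")
    elif total_len != len(packet):
        anomalies.append(f"total length {total_len} does not match {len(packet)} bytes on the wire")
    if ttl == 0:
        anomalies.append("TTL is 0")
    if flags & 0x4:
        anomalies.append("reserved flag bit is set")
    if (flags & 0x2) and (frag_offset or flags & 0x1):
        anomalies.append("DF set on a packet that is also a fragment")
    if MIN_HEADER_LEN <= ihl <= len(packet) and ipv4_checksum(packet[:ihl]) != 0:
        anomalies.append("header checksum mismatch")
    return anomalies


def build_ipv4(src: str, dst: str, payload: bytes, *, version: int = 4,
               ihl_words: int = 5, ttl: int = 64, proto: int = 6,
               flags_frag: int = 0, total_len: Optional[int] = None,
               corrupt_checksum: bool = False) -> bytes:
    """Construct a test packet with a 20-byte header. The keyword arguments let
    the caller write one deliberately inconsistent field; the checksum is
    computed over the header as written unless corrupt_checksum is set."""
    if total_len is None:
        total_len = MIN_HEADER_LEN + len(payload)
    header = struct.pack(HEADER_FMT, (version << 4) | ihl_words, 0, total_len, 1,
                         flags_frag, ttl, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(header) ^ (0x0001 if corrupt_checksum else 0)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


if __name__ == "__main__":
    body = b"\x00" * 8
    samples = {
        "well-formed": build_ipv4("10.0.0.1", "10.0.0.2", body),
        "short IHL": build_ipv4("10.0.0.1", "10.0.0.2", body, ihl_words=3),
        "length lie": build_ipv4("10.0.0.1", "10.0.0.2", body, total_len=1000),
        "bad checksum": build_ipv4("10.0.0.1", "10.0.0.2", body, corrupt_checksum=True),
    }
    for label, pkt in samples.items():
        print(f"{label:13} -> {analyze_ipv4(pkt) or ['ok']}")
```

The point of the example is the one the paragraph makes: none of these checks needs a signature, because a header that contradicts its own length or checksum fields is anomalous regardless of which attack, if any, it carries.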
Slide 73
The PAM logic uses these deep packet analysis techniques in a variety of orders and combinations. It performs full seven-layer, state-based decoding and analysis of over 100 Internet protocols. The specific elements within this broader category are:
Stateful packet inspection
Protocol anomaly detection
Outbound hybrid threat detection
Port Variability (port-independent protocol decoding)
Application-layer Pre-processing
Heuristics
Context Field Analysis
IP Defragmentation
TCP Reassembly
Vulnerability Signatures
Exploit Signatures
Pattern-matching Signatures
Host Response Analysis
Pre-emptive Behavioral Analysis
IPv6 Native Traffic Analysis
IPv6 Tunnel Analysis
SIT Tunnel Analysis
Reconnaissance (port probe detection)
Custom Signatures
STATE: The PAM logic uses these deep packet analysis techniques in a variety of orders and combinations. It performs full seven-layer, state-based decoding and analysis of over 100 Internet protocols.
Slide 74
Benefits of PAM
The benefits of using the PAM include:
Protocols are decoded and interpreted, making the Proventa practically immune to evasion techniques, such as:
Polymorphic shellcode
Unicode URL encoding
SNMP floods
SNMP OID translation
RPC record marking
FTP, Telnet option code insertion
Evasion tools such as ADMutate, stick, snot, whisker, and fragroute
Verify protocol compliance by checking protocol fields for illegal or suspicious values, such as sequence number gaps or overlap, and checksum and CRC modification.
Minimize false positives.
The speed and accuracy that Proventa M achieves by utilizing the PAM cannot be matched by systems which rely on simpler analysis techniques, pure anomaly detection, or pattern matching alone.
Slide 75
pcanywhere pcnfsd pptp rfb selnsvc snmpxdmid ssrp syslog tftp virus ypbind q931 rip sgifam sntp statd talk tns xdmcp yppasswdd
Slide 76
EXPLAIN: Dynamic blocking response and protection response are the same thing. Both are referred to in the appliance interface.
Slide 77
Although PAM can flag well over 1,000 known attacks, dynamic blocking is limited to a subset of attacks that may be persistent and recurring. This set of attacks will grow over time. When a packet matches a PAM signature which has dynamic blocking enabled, the Proventa M responds in one of several ways. The response taken is based on many variables such as the protocol involved, the direction of the traffic, the state of the connection, etc. Here are two of the possible responses:
Response: Block-connection
Definition: IPM will drop the packet and tear down the connection by sending resets to both sides, preventing retransmission of the dropped packet. No quarantine table (QRT) rule is added.
Response: Drop-packet
Definition: IPM will drop the packet, stopping the attack at the Proventa M. No QRT rule is added.
Since quarantine rules are automatically created, the only user interaction is to remove them. All QRT rules expire automatically after one hour by default, but this can be customized in the Advanced Parameters section of IPM settings.
Slide 78
Settings
You will use the Configuration > Intrusion Prevention > Intrusion Prevention Settings page to make changes to your intrusion prevention configuration.
Slide 79
EXPLAIN: Module enabled by default to prevent log flooding. Consolidated events will appear with a count in the event details.
EXPLAIN: If your X-Force Protection Responses box is unchecked, you will have detection but not prevention.
EXPLAIN: The IPM module is enabled by default to prevent log flooding (someone sending a ton of attacks and filling your logs). Consolidated events will appear with a count in the event details.
To configure the appliance to enable protection responses as specified by the X-Force, you will enable the X-Force Protection Responses, featuring Virtual Patch Technology checkbox. If this box is left unchecked, you will have detection but not prevention.
Slide 80
Module 5: Intrusion Prevention
General Intrusion Prevention Notifications
The following table defines the options in the Alert Logging for General Events section of this page:

Option: Quarantine Rule Added
Definition: A rule was added to the Quarantine Rules Table (QRT).

Option: Quarantine Rule Removed
Definition: A rule was removed from the quarantine table (the QRT, also called the DBT) by the administrator.

Option: Quarantine Rule Expired
Definition: A rule expired in the quarantine table and has been removed.

Option: Packet Dropped
Definition: Notification that IPM has dropped a packet. This is not an error. Common causes include an invalid checksum and a packet that is not part of an existing connection.
Slide 81
DEMONSTRATE: Adding a filter.
EXPLAIN: You can only set these after you have some traffic flowing through the system. If you keep getting a false positive on a certain IP address, you can use Event Filters to make an exception.
Event Filters provide:
Filtering of false alarms and false positives without disabling the event entirely
Advanced filtering by IP address, ICMP type, protocol number, or port
Reverse filters: ignore all traffic except the traffic that matches the filter
Note: You can use the "not" operator for your reverse filters.
This graphic shows an event filter for an HTTP GET.
Slide 82
You will find PAM information, including a list of PAM tuning parameters, at the following address: http://www.iss.net/security_center/reference/help/pam?
Slide 83
Issue List
The Intrusion Prevention Issue List provides a comprehensive summary of the attacks and audits that the Intrusion Prevention module of your Proventa M software can detect. It is found only in the Proventa Manager.
DEMONSTRATE: Pull up an issue and point out the Issue ID and the status. Shot of Issue ID is on the next page.
Notes:
The priority, status and response can be modified via the Advanced Parameters or Event Filters, but the category (attack or audit) is hard coded. Attacks and audits can be individually enabled via the main Settings screen. The pam.zip .chm file is found in SiteProtector in the following directory: Help/Attack Signatures/Protocol Analysis Module. This file gives you information about PAM and the Issue List.
Slide 84
Issue IDs
An issue ID is required when using advanced parameters to modify an event; each intrusion prevention event has its own unique issue ID mapped to its event name. It is labeled algorithm-id when viewing events.
Slide 85
STATE: You will only find Quarantine Rules in the Proventa Manager.
EXPLAIN: Rules cannot be added manually; they are created automatically by the dynamic blocking responses.
A rule can be viewed or removed, and expires after a set period of time (the default is 3600 seconds).
The following table lists the fields available in the quarantine rules table:

Source IP: the source IP address of packets to block.
Source Port: the source port number of packets to block (if protocol is 6 or 17).
Dest IP: the destination IP address of packets to block.
Dest Port: the destination port number of packets to block (if protocol is 6 or 17).
ICMP Type: the ICMP type number of packets to block (if protocol is 1).
ICMP Code: the ICMP code number of packets to block (if protocol is 1).
Protocol: the IP protocol of the rule (ICMP=1, TCP=6, UDP=17).
Expiration Time: the expiration time of the rule.
Block Percentage: the percentage of matching packets that will be dropped (values less than 100% can be used to lessen the impact of some denial-of-service attacks).

Note: An asterisk (*) in a field means that the rule ignores that field.
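As an added illustration (this is not code from the ISS course or from the appliance), the following Python models how a table of rules with exactly the fields above is consulted for a packet: a field holding * is ignored, the port fields apply only when the protocol is TCP or UDP and the ICMP fields only when it is ICMP, expired rules are purged from the table, and Block Percentage is applied as a sampling decision. The Packet and QuarantineRule classes, the lookup and drop helpers and the sample rules are assumptions constructed for the example; the appliance's internal data structures are not described on the page.

```python
"""Model of a quarantine rules table (QRT) lookup; illustrative, not appliance code."""
import random
from dataclasses import dataclass
from typing import List, Optional

ICMP, TCP, UDP = 1, 6, 17   # protocol numbers used in the Protocol field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int] = None   # TCP/UDP only
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None  # ICMP only


@dataclass
class QuarantineRule:
    """One row of the QRT (assumed layout). A field holding '*' is ignored when matching."""
    src_ip: str = "*"
    src_port: str = "*"
    dst_ip: str = "*"
    dst_port: str = "*"
    icmp_type: str = "*"
    icmp_code: str = "*"
    protocol: str = "*"
    expiration_time: float = 0.0   # absolute time (epoch seconds) after which the rule is gone
    block_percentage: int = 100    # share of matching packets to drop

    @staticmethod
    def _field_ok(rule_value: str, packet_value) -> bool:
        if rule_value == "*":
            return True
        return packet_value is not None and str(packet_value) == rule_value

    def matches(self, pkt: Packet, now: float) -> bool:
        if now >= self.expiration_time:
            return False                      # expired rules never match
        if not (self._field_ok(self.protocol, pkt.protocol)
                and self._field_ok(self.src_ip, pkt.src_ip)
                and self._field_ok(self.dst_ip, pkt.dst_ip)):
            return False
        if pkt.protocol in (TCP, UDP):        # port fields apply only if protocol is 6 or 17
            return (self._field_ok(self.src_port, pkt.src_port)
                    and self._field_ok(self.dst_port, pkt.dst_port))
        if pkt.protocol == ICMP:              # ICMP type/code apply only if protocol is 1
            return (self._field_ok(self.icmp_type, pkt.icmp_type)
                    and self._field_ok(self.icmp_code, pkt.icmp_code))
        return True                           # other protocols: only addresses and protocol count


def lookup(table: List[QuarantineRule], pkt: Packet, now: float) -> Optional[QuarantineRule]:
    """Purge expired rules from the table, then return the first rule matching the packet."""
    table[:] = [rule for rule in table if now < rule.expiration_time]
    for rule in table:
        if rule.matches(pkt, now):
            return rule
    return None


def should_drop(rule: QuarantineRule, rng: random.Random) -> bool:
    """Apply Block Percentage: 100 drops every matching packet, lower values drop a sample."""
    return rng.randrange(100) < rule.block_percentage


def drop_share(rule: QuarantineRule, trials: int, seed: int = 0) -> float:
    """Fraction of `trials` matching packets that Block Percentage would drop (seeded, repeatable)."""
    rng = random.Random(seed)
    return sum(should_drop(rule, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Constructed sample table: an HTTP attacker, an ICMP echo flooder at 50%, and one stale rule.
    qrt = [
        QuarantineRule(src_ip="10.0.0.5", protocol=str(TCP), dst_port="80",
                       expiration_time=now + 3600),
        QuarantineRule(src_ip="10.0.0.9", protocol=str(ICMP), icmp_type="8",
                       expiration_time=now + 3600, block_percentage=50),
        QuarantineRule(src_ip="10.0.0.7", expiration_time=now - 1),
    ]
    pkt = Packet("10.0.0.5", "192.0.2.10", TCP, src_port=40000, dst_port=80)
    print("matched:", lookup(qrt, pkt, now) is not None, "rules left after purge:", len(qrt))
    print("drop share at 50%:", drop_share(qrt[1], 1000))
```

The purge on every lookup is what makes the one-hour default expiry observable: a rule that was matching a minute ago silently disappears, so when troubleshooting "why is this host no longer blocked" the expiration time is the first field to check.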
Introduction
Complete the following exercises to:
Enable the Intrusion Prevention Module
Detect an attack
Block an attack
Clear quarantined hosts
Exercise 9
3. In the right pane, on the Protection Settings tab, ensure that the
Exercise 10
Detecting an Attack
Both partners
1. Copy the following files into the c:\inetpub\wwwroot directory:
You can modify the default.htm as you like; it will make it easier to understand which web server you are accessing.
Now you can try to access your partner's web site:
1. Make sure that your partner has completed the previous exercises.
2. Open a new web browser window.
3. Enter http://<your partner's web server>.
4. Press ENTER.
A page will appear that says "Welcome to our Website", indicating that you have accessed your partner's site.
5. Close this browser window.
Partner 1
From the internal network, you will now attack your external machine with an HTTP_DotDot directory traversal attack.
1. Launch a new browser window.
2. Enter http://<Partner 2 web server IP address>/ to
Exercise 11
Blocking an Attack
Partner 2
1. Navigate to your Proventa Manager.
2. In the navigation pane, select the Status > Intrusion Prevention > Alerts node.
The Alert page is displayed, and you should see an HTTP_DotDot alert. Click the Alert link.
3. Review this alert and the response that IPM took. Notice that it did not take any block response; it only reports the attack.
Look up the issue ID for the HTTP_DotDot attack and record it: ________ (answer: 2000603)
4. Close the Alert window.
5. Go to the Configuration > Intrusion Prevention > Intrusion
ipm.issue.response.<http_dotdot_issue_id#>.
9. Set the type of value to string, and set its value to block-worm.
10. Click OK.
11. Click Save Changes to update.
POINT OUT: Close the browser or empty the cache for the exercise to work.
12. Partner 1: Repeat the attack on page 5-19. This time you will not get an error from the web server.
13. Partner 2: Repeat step 2 and notice that this time the attack has been blocked.
14. In the navigation pane, select the following nodes:
Exercise 12
Prevention > Quarantined Intrusions.
2. Select each rule and click Remove.
3. Click Save Changes.
Module Review
Slide 87
You should now be able to:
30 minutes
Antivirus
Module 6
Slide 89
Module Objectives
When you complete this module, you will be able to:
Discuss the basics of antivirus signature-based technology.
Describe the Proventa M's Virus Prevention System (VPS) functionality.
Configure the Antivirus portion of the Proventa M.
Use a test virus to view virus blocking within the Proventa M.
Module 6: Antivirus
An Antivirus Overview
Slide 90
Slide 91
Introduction
A virus is a program like any other; it is made up of binary code. The precise sequence of that code is unique and can be used to identify the virus. This is called the virus's signature, and each virus has a different signature. Antivirus programs reference a database of the signatures of the replicating viruses already known, and compare incoming files against them to see if anything suspect is lurking on your doorstep.
Slide 93
Types of AV Technology
There are many different types of antivirus technology:
Integrity checkers
Sandboxes/behavior blockers
Heuristics
Signature scanners
Slide 94
The Proventa M has two antivirus components:
The Signature Engine, which uses virus definitions, or signatures, to detect viruses
The new ISS VPS Engine, which uses behavioral analysis to identify new and unknown viruses and worms that do not yet have signature updates
Slide 95
The WildList (http://www.wildlist.org) is a great source of information about which viruses are spreading in the wild.
Slide 96
Pros:
Easy to implement
Proven, reliable detection of known attacks
Little to no false positives
Cons:
Does not find new or modified viruses
Perpetual signature update process (performing auto download and auto install mitigates this)
Exposed to a virus while waiting for signature update and distribution
Slide 97
Slide 98
VPS complements traditional antivirus software by:
Using behavioral analysis to detect and block malicious code coming into your network.
Preemptively detecting and preventing entire families of malicious code, based on what they do.
Gathering a complete picture of the code's execution before making a diagnosis, so there is a high degree of detection and almost no false positives.
Offering zero-day virus prevention.
Slide 99
What the M's AV Components Do
ISS highly recommends that you use both antivirus components for full protection. Together, they do the following:
Check all email traffic passing through your network, providing protection against mass-mailing viruses and zero-day attacks
Quarantine infected email and attachments at the gateway, protecting WANs and LANs from viruses before they enter or leave your network.
STATE: A great site, www.virustotal.com, offers a free service for scanning suspicious files using several antivirus engines.
Slide 100
Note: The Proventa M's antivirus functionality does not scan encrypted, password-protected or corrupted files (a limitation of the Sophos engine).
Slide 101
An Example
An email server is set up in the DMZ. A default firewall rule allows the email server to receive email on port 25. The email goes through the appliance, where the Proventa M SMTP component intercepts it. The SMTP component then disassembles the email and scans it for viruses. If the email is not infected, the appliance routes it to the destination email server. If the email is infected, one of the following occurs:
If the Quarantine Infected Files option is selected, the infected portion of the email is quarantined and the remainder of the file is deleted.
If the Quarantine Infected Files option is not selected, the entire file is deleted.
In either case, a reject message is returned to the sender and an alert is written to the logs.
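The flow above, as an added example (this is not code from the course or from the appliance): a Python gateway-style scanner that disassembles a raw message, transfer-decodes each MIME leaf part, matches it against a signature table, and then applies the Quarantine Infected Files decision, returning the SMTP reject line that goes back to the sender. The signature table, the message builder, the addresses and the reply text are assumptions constructed for the example; the EICAR string is the standard antivirus test file that the exercises later use. Encrypted, password-protected or corrupted attachments, which the note above says are not scanned, pass this scanner exactly as they pass the appliance, so they need a separate handling policy.

```python
"""Gateway-style scan of an SMTP message: disassemble MIME, match attachment bytes against
signatures, and quarantine or delete the infected part. Illustrative, not appliance code."""
import email
import hashlib
from email import policy as email_policy
from email.message import EmailMessage
from typing import Dict, Optional

# The EICAR test string, assembled from two halves so this listing does not carry it verbatim.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature table: byte pattern -> detection name (the page's "EICAR-AV-Test").
SIGNATURES: Dict[bytes, str] = {EICAR.encode("ascii"): "EICAR-AV-Test"}


def match_signature(data: bytes) -> Optional[str]:
    """Return the detection name of the first signature found in the bytes, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_message(raw: bytes, quarantine_infected: bool = True) -> dict:
    """Disassemble a raw RFC 5322 message and scan every leaf part after transfer-decoding."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # base64/quoted-printable are undone here
        virus = match_signature(data)
        if virus is None:
            continue
        filename = part.get_filename() or "(body)"
        result = {"verdict": "infected", "virus": virus, "filename": filename,
                  "reply": f"554 5.7.1 Message rejected: virus found ({virus})"}
        if quarantine_infected:
            # Only the infected part is kept (for forensics); the rest of the message is discarded.
            result["action"] = "quarantine"
            result["quarantined"] = {"filename": filename,
                                     "md5": hashlib.md5(data).hexdigest(),
                                     "size": len(data)}
        else:
            result["action"] = "delete"
        return result
    return {"verdict": "clean", "action": "deliver"}


def build_sample_message(infected: bool) -> bytes:
    """Constructed test message: a plain body plus, optionally, the EICAR file as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sp_partner1@xfeducation.local"
    msg["To"] = "sp_partner2@xfeducation.local"
    msg["Subject"] = "Training"
    msg.set_content("This Proventa M class sure is swell!")
    if infected:
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message(infected=True)))
    print(scan_message(build_sample_message(infected=True), quarantine_infected=False))
    print(scan_message(build_sample_message(infected=False)))
```

The scan must run on the decoded payload, not on the raw message: the attachment travels base64-encoded, and a signature matched against the undecoded text would never fire. That is also why the appliance has to "disassemble" the mail rather than pattern-match the SMTP stream.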
Slide 102
Note: You cannot modify the AV block page, as it is generated on the fly.
Slide 103
Antivirus Deployment
The Proventa M is intended to provide reinforcement or redundancy for your desktop antivirus solution. You should still deploy antivirus software on the following:
Desktops
Servers
Slide 104
Statistics reported by the antivirus module:
Antivirus Quarantine Daemon State
HTTP Enabled
HTTP State
FTP Enabled
FTP State
SMTP Enabled
SMTP State
POP3 Enabled: whether the antivirus software is monitoring for POP3-transmitted viruses.
POP3 State: current state of POP3 monitoring.
Settings
There are two main tabs within Antivirus Protection Settings that you will use to configure the antivirus software:
Basic Configuration
Advanced Parameters
An Important Note About Protected Ports
The antivirus software protects the POP3, SMTP, HTTP, and FTP protocols when they run on their standard ports. If these protocols are set up in your network on non-standard ports, they are not protected.
Note: To successfully implement proxy settings, you must enable proxy redirection rules for any protocols you select. If you select the SMTP protocol, you must configure the SMTP proxy server.
Advanced Parameters
STATE: The User Guide appendix has details about advanced parameter names and values.
There may be instances in which the antivirus settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs on this page. See the Appliance User Guide for more information about advanced parameter names and values.
EXPLAIN: Only the infected portion of the file is quarantined. There is only one quarantine entry for each instance, based on its MD5 sum, and entries are listed on a first-in, first-out basis. Files stay in the list for thirty days unless the disk usage hits a certain watermark, at which point the system starts deleting files.
NOTE: This page should be used for forensic purposes only.
The files listed here are suspected of containing, or are known to contain, a virus. Only the infected portion of the file is quarantined; the remainder of the file is deleted. Quarantined files stay in the list for thirty days. There is only one quarantine entry for each instance, and entries are listed on a first-in, first-out basis.
Caution: ISS recommends that you use this page for forensic purposes only. Files are quarantined so that they cannot be executed inadvertently on the client system. If you take files out of quarantine, you risk infecting your network with whatever virus the files contain.
SMTP Config
NOTE: This is the same SMTP information that we saw in the Proventa M System Settings area. In SiteProtector, it is found under Services.
EXPLAIN: Proxying the connection when you use Antivirus can add latency.
You must configure the SMTP proxy server to use the Antivirus and Antispam modules. You need to configure SMTP as a transparent proxy to scan files for viruses and to prevent your email server from being used to send spam to others.
You can use relay IPs to control which computers in your network can send email outside your domain (outside your network), and which domains can send email to users in your network.
Example
You set up an email server on the DMZ segment of your network, and then create an access policy on your appliance that allows the email server to receive email on port 25. When a sender outside the network sends an email to a user inside the network, the email goes through the appliance, where the SMTP proxy server intercepts it. The SMTP proxy server disassembles the email and scans it for viruses. If the email is not infected, the SMTP proxy server routes it to the destination email server; there is no indication to either user that the email was intercepted or scanned. If the email is infected, one of the following occurs:
If you have selected the Quarantine Infected Files option, the appliance quarantines the infected portion of the email, deletes the remainder of the file, and returns a reject message to the sender.
If you have not selected the Quarantine Infected Files option, the appliance deletes the entire file and returns a reject message to the sender.
When a user in your domain sends an email to another domain, the antivirus software compares the source IP address of the sender to the list of relay IP addresses. The appliance does one of the following:
If the source IP address is on the relay IP list, the appliance relays the email to the destination domain.
If the source IP address is not on the list, and the destination domain is not listed in the local domains, the appliance notifies the sender that the system is not authorized to relay the email.
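The relay decision described above, written out as an added Python example (not the appliance's code): for each RCPT TO, mail for a local domain is accepted for delivery and scanning, mail for any other domain is relayed only when the sending host is on the relay list, and everything else gets a 554 relay-denied reply. That last branch is the whole point of the relay list; without it the gateway is an open relay. The RelayPolicy class, CIDR support for relay entries, the reply codes and the small abuse report are assumptions added for the example.

```python
"""Relay-control decision for an SMTP proxy: local delivery, authorized relay, or refusal."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class RelayPolicy:
    relay_networks: list      # hosts (or CIDR blocks) allowed to send to other domains
    local_domains: Set[str]   # domains whose mail we accept for delivery


def build_relay_policy(relay_ips: Iterable[str], local_domains: Iterable[str]) -> RelayPolicy:
    # Single addresses ("10.0.0.5") and CIDR blocks ("192.168.10.0/24") are both accepted
    # (assumption: the page only says "relay IPs", not whether ranges are allowed).
    return RelayPolicy([ipaddress.ip_network(n, strict=False) for n in relay_ips],
                       {d.lower() for d in local_domains})


def rcpt_decision(policy: RelayPolicy, source_ip: str, recipient: str) -> Tuple[str, str]:
    """Decide one RCPT TO command. Returns (action, SMTP reply line)."""
    if "@" not in recipient:
        return "reject", f"501 5.1.3 <{recipient}>: bad recipient address syntax"
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in policy.local_domains:
        # Inbound mail for our own domains is accepted; the AV/antispam scan happens next.
        return "deliver-local", "250 2.1.5 OK"
    source = ipaddress.ip_address(source_ip)
    if any(source in net for net in policy.relay_networks):
        return "relay", "250 2.1.5 OK"
    # Neither a local recipient nor an authorized source: this is what stops open relaying.
    return "reject", f"554 5.7.1 <{recipient}>: Relay access denied"


def relay_abuse_report(policy: RelayPolicy,
                       attempts: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count refused relay attempts per source IP over (source_ip, recipient) pairs."""
    counts: Dict[str, int] = {}
    for src, rcpt in attempts:
        action, _ = rcpt_decision(policy, src, rcpt)
        if action == "reject":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed lab policy: the classroom subnet may relay, xfeducation.local is local.
    policy = build_relay_policy(["192.168.10.0/24"], ["xfeducation.local"])
    for src, rcpt in [("203.0.113.9", "sp_partner1@xfeducation.local"),
                      ("192.168.10.5", "someone@example.com"),
                      ("203.0.113.9", "victim@example.com")]:
        print(src, rcpt, "->", rcpt_decision(policy, src, rcpt))
```

Keep the relay list tight: every address on it can send to arbitrary external domains through your gateway, so a compromised host on a relay-listed subnet becomes a spam source with your IP reputation attached.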
Introduction
Complete the following exercises to:
Disable the IIS SMTP service
Install a mail server
Create email accounts
Send a virus via email
Verify the antivirus module for HTTP
Exercise 13
Exercise 14
8. Click I agree to accept the End-user license agreement.
9. Click OK to accept the default install directory.
10. Click OK to terminate.
11. Open Start > Programs > Administrative Tools > Services and make sure that XMail Server has started. Note: if in doubt, you can reboot now.
12. Start Start > Programs > XMail Administrator > XMail Admin.
13. Add the local server:
Server Name: <Your Host Name>
Server Address: <Your IP Address>
Login Name: admin
Password: admin
14. Click Add New Server. The server will be listed in the left pane.
15. Click on the server in the left-hand pane. You will see its
Exercise 15
Express.
2. If the Internet Connection Wizard appears, click Cancel and then Yes.
3. In the Outlook Express window, select Tools > Accounts. The
8. Update the mail server address with <Partner 2 IP Address>.
9. Click Apply, OK and Close.
Send emails to sp_partner1@xfeducation.local and sp_partner2@xfeducation.local to make sure the mails are exchanged:
To: sp_partner1@xfeducation.local
Cc: sp_partner2@xfeducation.local
Subject: Training
Message Body: This Proventa M class sure is swell!
Exercise 16
enabled.
9. Click Save Changes to update.
Exercise 17
4. After you complete your email, click Send.
5. Analyze the different behaviour based on the position of the
Partner 1 cannot send any email, because the SMTP AV blocks it before it reaches the server. Partner 2 can send email because the server is local on the host, so the appliance has no chance to block it. Partner 2 can receive his/her own mail because, again, the appliance is not between the POP3 server and the client. Partner 1 receives a mail from the appliance stating that an email was sent but blocked because it contained a virus.
Note: If the signature AV is enabled, the message will contain "Virus name: EICAR-AV-Test"; if only VPS is enabled, the message will contain "Virus name: Malcode-5083".
Exercise 18
If there is no Internet access, you can fetch the test file from your instructor's machine by entering the following in your web browser: http://<Instructor's IP>/eicar.exe
2. When you attempt to access this file, you should be alerted that this
Note: If the signature AV is enabled, the message will contain "Virus name: EICAR-AV-Test"; if only VPS is enabled, the message will contain "Virus name: Malcode-5083".
3. Navigate to your Proventa Manager.
4. In the navigation pane, select Status > Antivirus > Alerts. The Alert page is displayed. Check your logs for a virus alert.
5. Select Status > Antivirus > Quarantine.
6. You should now see the virus file listed on this page.
Note: The virus scanner uses an MD5 caching daemon. When you transfer the same EICAR file over HTTP or FTP repeatedly, you will only see one virus alert. In the background the caching daemon (when enabled) keeps track of how many times it has seen the same virus-infected file. 3600 seconds (1 hour) later, you will receive a second event updating you on this count.
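The consolidation behaviour in the note above, and the consolidated-event count mentioned in the IPM settings earlier, as an added Python example (not the appliance's daemon): the first sighting of a file raises an alert, later sightings of the same content are only counted, and once the 3600-second window has elapsed a single count-update event is emitted and the entry is forgotten so the next sighting alerts again. The VirusAlertCache class, the event dictionaries and the replay helper are assumptions; MD5 is used here, as on the appliance, purely as a de-duplication key.

```python
"""Alert consolidation keyed by file hash, modelled on the MD5 caching daemon's behaviour."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

WINDOW_SECONDS = 3600   # the page's 3600-second reporting interval


class VirusAlertCache:
    """First sighting of a file raises an alert; repeats are counted and reported once per window."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._entries: Dict[str, dict] = {}   # md5 -> {"first": t, "count": n, "virus": name}

    def record(self, content: bytes, virus_name: str, now: float) -> Optional[dict]:
        """Return an alert for a newly seen file, or None when the sighting is consolidated."""
        digest = hashlib.md5(content).hexdigest()   # de-duplication key only, not a security control
        entry = self._entries.get(digest)
        if entry is None:
            self._entries[digest] = {"first": now, "count": 1, "virus": virus_name}
            return {"event": "virus_detected", "md5": digest, "virus": virus_name, "count": 1}
        entry["count"] += 1
        return None

    def flush(self, now: float) -> List[dict]:
        """Emit the count update for every file whose window has elapsed, then forget it."""
        updates = []
        for digest, entry in list(self._entries.items()):
            if now - entry["first"] >= self.window:
                updates.append({"event": "virus_count_update", "md5": digest,
                                "virus": entry["virus"], "count": entry["count"]})
                del self._entries[digest]
        return updates


def replay(cache: VirusAlertCache,
           sightings: Iterable[Tuple[float, bytes, str]],
           flush_at: Iterable[float]) -> List[dict]:
    """Feed (time, content, name) sightings in time order, running the periodic flush as it falls due."""
    events: List[dict] = []
    pending = sorted(flush_at)
    for t, content, name in sorted(sightings, key=lambda s: s[0]):
        while pending and pending[0] <= t:
            events.extend(cache.flush(pending.pop(0)))
        alert = cache.record(content, name, t)
        if alert:
            events.append(alert)
    for t in pending:
        events.extend(cache.flush(t))
    return events


if __name__ == "__main__":
    # Constructed sightings: the same test file fetched three times, the last one after the window.
    sample = b"constructed infected sample"
    for ev in replay(VirusAlertCache(),
                     [(0.0, sample, "EICAR-AV-Test"), (5.0, sample, "EICAR-AV-Test"),
                      (3700.0, sample, "EICAR-AV-Test")],
                     flush_at=[3600.0]):
        print(ev)
```

Two operational consequences follow from this design. A flood of downloads of one infected file produces one alert plus one count per hour, so a SIEM rule that counts alerts will under-count the activity; use the count field instead. And because the key is the content hash, a slightly modified copy of the same malware is a different key and alerts separately, which is the behaviour you want.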
Module Review
Slide 107
You should now be able to:
Discuss the basics of antivirus signature-based technology.
Describe the Proventa M's Virus Prevention System (VPS) functionality.
Configure the Antivirus portion of the Proventa M.
Use a test virus to view virus blocking within the Proventa M.
Review Objectives
ASK: For additional questions
Take this opportunity to ask questions about the information we have discussed.
1 hour
Web Filtering
Module 7
Slide 109
Module Objectives
When you complete this module, you will be able to:
Discuss the use for Web filters.
Describe the Proventa M Series Web filtering process and each of the technologies used in that process.
Configure the Web filtering module, creating whitelists and blacklists.
Test category blocking and Web site filtering.
Employees need it to acquire and transmit information
At least every 3rd workplace has access to the Internet
30-40% of usage is not job-related
At least 60% of all employees use the Internet privately (news, chats, job market, auctions, ...)
70% of all accesses to porn sites occur on weekdays between 9:00 and 17:00
Liability risks for company management
Slide 111
Slide 112
Blocking undesirable sites
Allowing free access to permitted sites
Defining company-related requirements
Implementing organizational and technical changes
Taking legal requirements into account
Introduction
The Web Filter Module of the Proventa M Series blocks or allows access to Web sites based on criteria that you select, allowing you to control the following on your network:
What Web content is allowed or blocked
Who can override the Web filters to freely surf the Internet
How the appliance notifies you about URL requests on your network
When a computer in your network attempts to access a Web site, the appliance will reference the Web Filter and Antispam Database, enforce the Web filter rules you have established, and display statistics about the Web filter data.
Slide 114
Web Filter categories containing the URLs that you want the appliance to log
Whether the appliance blocks requests for the URLs in those categories
How the appliance responds to Web Filter events
How often the appliance downloads database updates
To control access to specific Web sites, domains, and servers, add these entries to the Blacklist or Whitelist filter overrides. The appliance enforces your Web Filters. If a user attempts to access a forbidden Web site, the appliance displays a Web page that informs the user that the site is blocked.
Slide 115
Web Crawlers
ISS Web crawlers classify millions of Web pages every day. The process of crawling the Internet is based on a "snowball" principle, so that the Web crawler analyzes a Web site and then follows all the hyperlinks to other sites as well.
Slide 116
The following table describes how a Web crawler downloads information about a Web site.

Stage 1: The Web crawler visits a new or updated Web site.
Stage 2: The Web crawler downloads all HTML text and images on the Web site, and stores this content for further analysis.
Stage 3: The Web crawler follows all hyperlinks to other sites, until no more unknown hyperlinks are found.
Stage 4: The Web crawler sends the information to ISS for analysis and inclusion in the Web Filter and Antispam Database.
Slide 117
Slide 118
Slide 119
Slide 120
Web Categories
Here are the 60 categories:
EXPLAIN: The chart has not been officially updated to show Spam and Spyware categories, but they have been added. NOTE: Dark blocks represent major categories, and lighter blocks represent subcategories.
These categories are then organized into 19 major groups and displayed in the Web Filter tree.
Slide 121
Slide 122
Classification Tools
ISS uses the following tools to classify Web sites into categories:
Keyword searches
Intelligent text classification
Visual pornography detection
Visual object recognition
Visual optical character recognition
Overall classification
Keyword Searches
The keyword search determines the appropriate category for a Web site based on the occurrence of certain words. Keyword searches are useful for classifying a URL.
Overall Classification
Overall classification processes the results of all the tools that the Web crawler uses to analyze Web content. This prevents a single tool from incorrectly classifying a Web site.
Slide 123
Filter Overrides
You can also use the Blacklist or Whitelist filter overrides to control access to specific Web sites, domains, and servers. These Web filter overrides do the following:
EMPHASIZE: If a user is put on a Source Whitelist, that user is exempt from all Web filters and can access any URL, domain, or IP address, even those on the Destination Blacklist.
Slide 124
Exempt one or more specific Web sites, domains, or servers from Web Filters
Block or allow access to individual Web sites, domains, or servers
Allow specific users in your network to surf the Internet freely
When you add a URL, domain, or IP address to a Destination Blacklist or Whitelist, that entry is an exception to the Web filter category. When you add an IP address to the Source Whitelist, that entry is an exception to all Web filter categories: the user can access any URL, domain, or IP address, even those included on the Destination Blacklist.
Slide 125
Wildcards
Wildcards are an important part of utilizing filter overrides to their fullest.
Whitelist Wildcards
In a Source Whitelist filter override entry, you can use the asterisk (*) wildcard character in the trailing segment of an IP address range.
Note: The asterisk must be the final character in the entry.
Each of the following examples includes all IP addresses in the corresponding range:
192.168.120.*
192.168.*
192.*
Slide 126
Blacklist Wildcards
You can use two wildcard characters in the Destination Whitelist or Blacklist filter override entries:
The question mark (?) represents any single character
The asterisk (*) includes groups of URLs such as the following:
You can use the asterisk wildcard character in the leading or trailing segments of an IP address range or URL.
Note: You cannot use a wildcard character in the middle segment of an IP address or URL.
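The wildcard rules above and the override precedence from the Filter Overrides section, as one added Python example (this is not the appliance's code): entries are validated as the page describes (a Source Whitelist entry may only end in *, a destination entry may not carry a wildcard in a middle segment), compiled to anchored patterns, and then applied in order: Source Whitelist first (exempt from everything), then the destination lists, then the category filter, with URL Blocking off turning a block into log-only. The policy class, the constructed category database, and the choice to check the Destination Blacklist before the Destination Whitelist are assumptions; the page does not state the relative order of the two destination lists.

```python
"""Filter-override matcher for Source Whitelist and Destination Whitelist/Blacklist entries."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set


class FilterEntryError(ValueError):
    """Raised for an entry that uses a wildcard where the override syntax does not allow it."""


def compile_entry(entry: str, source: bool) -> "re.Pattern":
    """Turn one override entry into an anchored, case-insensitive regex.

    Source Whitelist: only '*' is allowed, and it must be the final character (192.168.*).
    Destination lists: '?' matches one character, '*' a run of characters, but neither may
    appear in a middle segment of a dotted name or address (www.*.com is rejected).
    """
    if source:
        if "?" in entry or entry.count("*") > 1 or ("*" in entry and not entry.endswith("*")):
            raise FilterEntryError(f"source entry {entry!r}: '*' must be the final character")
    else:
        for segment in entry.split(".")[1:-1]:
            if "*" in segment or "?" in segment:
                raise FilterEntryError(f"destination entry {entry!r}: wildcard in a middle segment")
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in entry)
    return re.compile(rf"^{regex}$", re.IGNORECASE)


@dataclass
class WebFilterPolicy:
    source_whitelist: List["re.Pattern"] = field(default_factory=list)
    destination_whitelist: List["re.Pattern"] = field(default_factory=list)
    destination_blacklist: List["re.Pattern"] = field(default_factory=list)
    blocked_categories: Set[str] = field(default_factory=set)
    url_blocking: bool = True   # when False, requests are logged but never blocked


def build_policy(src_wl: Iterable[str], dst_wl: Iterable[str], dst_bl: Iterable[str],
                 blocked_categories: Iterable[str], url_blocking: bool = True) -> WebFilterPolicy:
    return WebFilterPolicy(
        [compile_entry(e, source=True) for e in src_wl],
        [compile_entry(e, source=False) for e in dst_wl],
        [compile_entry(e, source=False) for e in dst_bl],
        set(blocked_categories),
        url_blocking,
    )


# Constructed stand-in for the Web Filter and Antispam Database: host -> categories.
CATEGORY_DB = {
    "www.gazzetta.it": {"Sports"},
    "sports-news.example.test": {"Sports"},
}


def lookup_categories(url: str) -> Set[str]:
    host = url.split("/", 1)[0].lower()
    return set(CATEGORY_DB.get(host, set()))


def _dest_match(patterns: List["re.Pattern"], url: str) -> bool:
    host = url.split("/", 1)[0]
    return any(p.match(host) or p.match(url) for p in patterns)   # host-only or host+path entries


def decide(policy: WebFilterPolicy, src_ip: str, url: str) -> str:
    """Return 'allow', 'block' or 'log' for one request, applying the override precedence."""
    verdict_if_hit = "block" if policy.url_blocking else "log"
    if any(p.match(src_ip) for p in policy.source_whitelist):
        return "allow"            # exempt from every filter, including the Destination Blacklist
    if _dest_match(policy.destination_blacklist, url):
        return verdict_if_hit     # assumption: blacklist is consulted before the whitelist
    if _dest_match(policy.destination_whitelist, url):
        return "allow"            # exception to the category filters
    if lookup_categories(url) & policy.blocked_categories:
        return verdict_if_hit
    return "allow"


if __name__ == "__main__":
    policy = build_policy(["192.168.120.*"], ["www.iss.net", "sports-news.example.test"],
                          ["*.gambling-example.test"], {"Sports"})
    for src, url in [("10.1.1.1", "www.gazzetta.it/"), ("192.168.120.7", "www.gazzetta.it/"),
                     ("10.1.1.1", "bet.gambling-example.test/")]:
        print(src, url, "->", decide(policy, src, url))
```

One caveat worth carrying into production: a trailing * is a prefix match, so a Destination Whitelist entry such as www.example.* also matches www.example.com.attacker.test. Prefer exact hosts in whitelists and keep the wildcards for blacklists.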
Slide 127
Slide 128
URL Blocking
When you enable Web Filters, URL blocking is enabled by default, and the appliance blocks all requests for URLs that belong to the Web Filter categories you select.
NOTE: Even if a site is blocked by more than one category, only one category is shown at a time.
NOTE: See the note below the graphic about altering the blocking page.
Note: If you want to log URL requests, but not block them, you can disable URL Blocking.
Blocking page
When you attempt to access a blocked Web site, the appliance generates a blocking page in your Web browser. This page displays the blocked URL, and informs you that the Web site is blocked.
Note: Altering the blocking page is not supported. There is, however, a Knowledgebase article (2466) on the ISS Web site that tells you how. The Web filter block page template is located on the appliance at /etc/squid/errors/ERR_ISS_BLOCKED.
Slide 129
Slide 130
Slide 131
EXPLAIN: The Proventa Web/ Mail Filter Database Categories gives you an up-to-date listing of all categories and sub categories.
Introduction
The ISS Web Filter and AntiSpam Database contains the classification information that ISS gathers about Web sites. Once ISS has used Web crawlers to inspect Web sites, and then analyzed and classified that information into categories, the database acts as a repository for this data. The appliance then uses this information to enforce Web filters and identify spam email.
Slide 133
Sources of Information
In addition to Web crawlers, ISS uses several methods to add information to the database, including:
Managed link lists
Newsgroups
Search engines
Other resources
Slide 134
Types of Information
The following is a list of the types of information contained in the database:
Domains: inappropriate_site.com
Hosts: www.inappropriate_site.com
Directories: www.inappropriate_site.com/pics/
HTML pages: www.inappropriate_site.com/pics/index.html
Image URLs: www.inappropriate_site.com/pics/001.jpg
Slide 135
Filter Database
To access the Proventa database, navigate to the Filter DB tab within the general Settings. You will use the Web Filter and Antispam Database page to:
View database status
STATE: To look at the database, we have to go back to the main System Settings area in Proventa Manager and look at the Filter DB tab that we skipped earlier.
EXPLAIN: The bottom tabs and WebLearn are invisible in Proventa Manager when SiteProtector management is turned on; those features are then found in SiteProtector.
Database Status
The appliance displays status information based on the following:
The database mode
Whether a local database is installed
Module 7: Web Filtering
Current database statistics are described in the following table:

Mode: the current database status. The mode statuses are: Not installed, Installed.
Version: the local database version, in the format x.xxxx.
Status: the status of the local database. The possible statuses are: Installed, Downloading, Updating.
Download Progress: the progress of the local database download. The possible values are: x% (percentage of completed download), Indexing Database.
Slide 136
A full download overwrites the existing database on your appliance. This could take several hours.
Slide 137
EXPLAIN: Because the database is updated so frequently, a full download is performed if it has been 10 days or more since the last update.
Slide 138
Update Methods
The two ways to update your database are as follows:
Manually update the database from the Maintenance > Updates > Status page; click the Find Updates button at the top of the screen to access it.
Schedule automatic database updates from the Automatic Update Settings page. This is the recommended way to update.
WebLearn
The WebLearn feature helps increase coverage of the Web crawling process, so that the ISS database is kept as current as possible. If you enable the WebLearn feature, the appliance automatically reports unknown or unrecognized URLs to ISS anonymously during database updates.
Note: The appliance waits until it has gathered 10 uncategorized URLs
Settings
There are two tabs that you will use to configure settings:
Protection Settings
Event Notification
Slide 140
Slide 141
After you enable the Web Filter Module, the appliance enforces the default Web filter settings described below:

URL Blocking: Enabled
Filter Override - Destination Allow List: the following URL is added to the Destination Whitelist by default: www.iss.net
Web Filter Categories: the following Web Filter Categories are selected by default:

An Important Note about URL Blocking
When you enable Web Filters, URL Blocking is enabled by default. When URL Blocking is enabled, the appliance blocks all requests for URLs that belong to the Web Filter categories you select. If you want to log URL requests, but not block them, disable URL Blocking.
Slide 142
Log Only Blocked Web Page Requests: displays an event on the Alert Event Log page for each blocked URL request.
Log All Web Page Requests: displays an event on the Alert Event Log page for each URL request.
Note: If you enable the Log All Web Page Requests option, the event log file could fill very quickly. ISS recommends that you enable this option for troubleshooting only.
Note: If you have registered your appliance with SiteProtector, enabled alert reporting to SiteProtector, and then enable the Log All Web Page Requests option, the appliance could send a large number of alerts to SiteProtector.
Delivery Options
The table below details the notification delivery options:

Email Enabled: sends an email for each blocked URL request. The email contains the source IP address, the requested URL, and the corresponding Web Filter category.
SNMP Trap: sends an SNMP trap for each blocked URL request. The trap contains the source IP address, the requested URL, and the corresponding Web Filter category.
SiteProtector Enabled: sends the alert to the SiteProtector Agent Manager. Caution: If you send alerts to SiteProtector for events that occur frequently, the appliance can generate a large number of alerts to SiteProtector.
Introduction
Complete the following exercises to:
Enable Web filter functionality
Access a Web site in the Sports category
Select Web filter categories
Test access to your blocked category
Test access to another Web site
Add a destination blacklist entry
Test your filter
Important Note: Exercises 34-46 will only work if you have Internet access.
Settings.
EXPLAIN: If pages are served from the browser cache, they will not display the blocking page. You must launch a new browser.
3. In the right pane, on the Protection Settings tab, select the Web
Exercise 19
www.gazzetta.it
3. Press ENTER.
If your classroom has Internet connectivity, you should be able to gain access.
Exercise 20
Categories.
2. In the right pane, select the Lifestyle node on the Web Filter tree to expand it, and select the box for the Sports category.
3. Click Save Changes to update.
Exercise 21
Exercise 22
Settings.
1. In the right pane, on the Protection Settings tab, select the Filter
Exercise 23
Module Review
Slide 144
You should now be able to:
Discuss the use for Web filters.
Describe the Proventa M Series Web filtering process and each of the technologies used in that process.
45 minutes
Antispam
Module 8
Slide 146
Module Objectives
When you complete this module, you will be able to:
Discuss the need for antispam technology.
Describe the basics of the Proventia M's antispam module.
Configure the antispam portion of the Proventia M using whitelists and blacklists.
Module 8: Antispam
30% of all employees have sent confidential information to external recipients, intentionally or by mistake. 66% of all companies have received viruses in e-mail attachments.
Slide 148
Slide 149
Slide 150
Introduction
The purpose of antispam functionality is to prevent annoying, nonproductive, or offensive spam emails from entering your network undetected.
[Figure: Proventia Antispam, inbound and outbound mail flow through the appliance]
The M Series appliance filters spam email by analyzing the text and attachments of all email traffic passing through your network, and by checking the sender against the list of known spam sources in the Web Filter and Antispam Database. If an email is identified as harmless, it is allowed to pass immediately. If the appliance identifies an email as spam, one of the following happens:
The email is labeled as spam by adding [SPAM] to the subject line.
The email is deleted.
Slide 152
Spam Identification
The Proventia M's antispam software uses a variety of analysis techniques to identify spam without blocking legitimate email. Some of the technologies used to scan email traffic passing through your network are:
Text recognition
Text classification
Object recognition
Pornography and nudity detection
Keyword detection
URL detection
Slide 153
Whether the appliance tags or deletes emails identified as spam
The threshold of spam content in a spam email that results in tagging or deleting
How the appliance responds to Antispam events
If you want to control access to specific email addresses or domains, you can add these entries to the Email Sender Whitelist or the Email Sender Blacklist. The appliance evaluates all incoming email for sender information and spam content. The appliance references the Web Filter and Antispam Database to identify known spam sources and URLs linked to inappropriate Web sites. If the appliance identifies an email as spam, the appliance assigns a numerical value to the email based on the amount of spam content. A higher value corresponds to a higher amount of spam content. The appliance tags or deletes the spam email, based on the spam sensitivity settings.
Slide 154
EXPLAIN: For each Antispam statistic, the number of URLs is followed by its percentage of the total.
Settings
There are two main tabs that you will use to configure antispam settings:
Protection Settings
Event Notification
Slide 155
Slide 156
Slide 157
The Delete Threshold slider sets the level of spam content that the appliance uses as the baseline for tagging or deleting spam email. This setting determines whether the appliance responds to a spam email by:
Tagging it as [SPAM]
Tagging it as [SPAM+]
Deleting it
Setting the slider to the minimum delete threshold deletes all email that might be spam, even though some of it may be legitimate. Setting the slider to the maximum delete threshold deletes only email with high spam content.
Slide 158
Learning Mode
In Learning Mode, the appliance tags spam emails according to the Delete Threshold level you select. If the email contains less spam content than the threshold, the appliance adds a [SPAM] prefix to the email subject line.
EXPLAIN: Anything to the left of the slider is tagged as [SPAM]. Anything to the right is [SPAM+].
If the email contains more spam content than the threshold, the appliance adds a [SPAM+] prefix to the email subject line.
Note: Learning Mode is useful if you want to see which emails the appliance identifies as [SPAM] and [SPAM+]. This lets you adjust the Delete Threshold setting to suit your network before you begin deleting spam emails.
Slide 159
Delete Mode
In Delete Mode, the appliance deletes spam emails according to the Delete Threshold level you select.
EXPLAIN: Anything to the left of the slider is tagged as [SPAM]. Anything to the right is deleted.
Slide 160
If the email contains less spam content than the threshold, the appliance adds a [SPAM] prefix to the email subject line. If the email contains more spam content than the threshold, the appliance deletes the email.
If you include an email address or domain on the Email Sender Whitelist, the appliance accepts all email from that sender, regardless of content. If you include an email address or domain on the Email Sender Blacklist, the appliance blocks all email from that sender, whether the Antispam Module is in Learning Mode or Delete Mode. Both lists match on the sender address alone, and sender addresses in SMTP are easily forged, so keep whitelist entries as narrow as possible: a whitelisted domain is a content-scanning bypass for anyone who spoofs it.
Note: You can include email distribution lists in an Email Sender list. The appliance filters for the entries on the Email Sender list, but does not enforce the Antispam settings for individuals included in that distribution list.
Slide 161
Wildcards
You can use two wildcard characters in an Email List entry:
The question mark wildcard character (?) represents any single character.
The asterisk wildcard character (*) represents any run of characters, so one entry can cover a group of email addresses or domains.
You can use wildcards to the left, middle, or right of an entry, and you can combine wildcards. Both of these examples identify spam_sender as a source of spam:
spam_sender@*
*spam_sender@
Note: If an entry is incomplete and includes no wildcards, then the
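The Python block below is an added example, not code from the original guide or from ISS. It models the wildcard rules above (? for one character, * for a run of characters) and the decision logic of the preceding pages: whitelist, blacklist, the Delete Threshold, and the difference between Learning Mode and Delete Mode. Matching an entry against the whole address case-insensitively, checking the whitelist before the blacklist, and treating a score equal to the threshold as above it are assumptions of the example; the lists, scores and messages are constructed.

```python
import re


def entry_to_regex(entry):
    """Translate an Email Sender list entry into an anchored regex.
    '?' matches any single character and '*' any run of characters, as the
    guide states. Matching the whole address case-insensitively is an
    assumption of this example, not a statement about the appliance."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry
    )
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def entry_matches(entry, sender):
    return entry_to_regex(entry).match(sender) is not None


def list_matches(entries, sender):
    return any(entry_matches(e, sender) for e in entries)


def decide(sender, spam_score, threshold, mode, whitelist=(), blacklist=()):
    """Decide what happens to one message.

    spam_score: None when the appliance did not identify the mail as spam,
                otherwise the numerical spam-content value (higher = more spam).
    threshold:  the Delete Threshold slider value on the same scale.
    mode:       'learning' or 'delete'.
    Returns 'accept', 'block', 'tag:[SPAM]', 'tag:[SPAM+]' or 'delete'.
    Whitelist-before-blacklist and score == threshold counting as "more spam
    content than the threshold" are assumptions of this example."""
    if list_matches(whitelist, sender):
        return "accept"            # guide: accepted regardless of content
    if list_matches(blacklist, sender):
        return "block"             # guide: blocked in either mode
    if spam_score is None:
        return "accept"            # guide: harmless mail passes immediately
    if spam_score < threshold:
        return "tag:[SPAM]"        # less spam content than the threshold
    if mode == "learning":
        return "tag:[SPAM+]"       # more spam content, Learning Mode
    if mode == "delete":
        return "delete"            # more spam content, Delete Mode
    raise ValueError(f"unknown mode {mode!r}")


def tag_subject(decision, subject):
    """Apply a tag decision to a Subject line; other decisions leave it alone."""
    if decision.startswith("tag:"):
        return decision[4:] + " " + subject
    return subject


# Constructed sample lists and messages in the classroom's naming style.
WHITELIST = ["*@xfeducation.local"]
BLACKLIST = ["spam_sender@*", "*@bulk-offers.example"]
SAMPLES = [
    # (sender, spam_score, mode)
    ("partnery@xfeducation.local", 9.0, "delete"),       # whitelisted: accepted anyway
    ("spam_sender@anything.example", None, "learning"),  # blacklisted: blocked anyway
    ("promo@bulk-offers.example", None, "delete"),       # blacklisted by domain
    ("news@other.example", 3.0, "delete"),               # below threshold: [SPAM]
    ("news@other.example", 7.0, "learning"),             # above threshold, learning: [SPAM+]
    ("news@other.example", 7.0, "delete"),               # above threshold, delete mode: deleted
]


def run_samples(threshold=5.0):
    """Run every constructed sample through decide() with one threshold."""
    return [decide(s, score, threshold, mode, WHITELIST, BLACKLIST)
            for s, score, mode in SAMPLES]


if __name__ == "__main__":
    for (sender, score, mode), result in zip(SAMPLES, run_samples()):
        print(f"{sender:32} score={score!s:5} mode={mode:8} -> {result}")
```

Under the whole-address reading used here, the second form on the page, *spam_sender@, matches only an address that ends in spam_sender@; to cover that local part on any domain, write *spam_sender@*. The sample run also shows why the whitelist deserves care: the whitelisted message with the highest score is the one that is accepted untouched.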
Slide 162
Event Logging Type
If you enable Antispam event logging, you can choose which events the appliance displays on the Alert Event Log page. You can select one of the following event log types:

Type                           Description
Log Only Email Tagged As Spam  Displays an event on the Alert Event Log page for each email tagged as spam.
Log All Email                  Displays an event on the Alert Event Log page for each email the appliance processes.

Note: If you select Log All Email, the appliance logs all email that it processes, but the email and SNMP Trap delivery options are not available.
Caution: If you enable the Log All Email option, the event log file could fill very quickly. ISS recommends that you enable this option for troubleshooting only.
Delivery Options
Below is a description of the delivery options:

Option         Default Setting  Description
SNMP Trap                       Sends an SNMP trap for each email identified as spam. The trap contains the sender's email address, the target email address, and the corresponding category in the Web Filter and Antispam Database.
SiteProtector  Enabled          Sends the alert to SiteProtector.

Note: If you send alerts to SiteProtector for events that occur frequently, the appliance can generate a large number of alerts to SiteProtector.
Introduction
Complete the following exercises to:
Configure antispam functionality
Send emails to test antispam functionality
Exercise 24
option.
4. On the Protected Protocols sub-tab, select SMTP only.
5. On the Spam Tagging Sensitivity sub-tab, select the Learning Mode option.
6. Select the Event Notification tab.
7. Select the Enable Event Logging option.
8. Select the Log Only Email Tagged As Spam option.
9. Click Save Changes to update.
Exercise 25
To: partnerx@xfeducation.local
Subject: Penis enlargement 1
Message Body: Limited offer, act now! Only $29.95
3. After you complete your email, click Send.
4. When received, Partner 1 will see his own mail tagged whereas
To: partnery@xfeducation.local
Subject: Penis enlargement 2
Message Body: Limited offer, act now! Only $29.95
3. After you complete your email, click Send.
4. When received, the mail to Partner 2 will be tagged whereas the mail to Partner 1 won't. Again this is due to outbound SMTP antispam. Note: this is the opposite result from sending the mail to yourself.
Exercise 26
POP3 only.
4. Click Save Changes to update.
Exercise 27
To: partnerx@xfeducation.local
Subject: Penis enlargement 3
Message Body: Limited offer, act now! Only $29.95
3. After you complete your email, click Send.
4. When received, Partner 1 will see his own mail tagged whereas Partner 2 won't. This is due to POP3 antispam. Note: So far there is no difference from the previous exercise.
To: partnery@xfeducation.local
Subject: Penis enlargement 4
Message Body: Limited offer, act now! Only $29.95
3. After you complete your email, click Send.
4. When received, the mail to Partner 1 will be tagged whereas the mail to Partner 2 won't, due to POP3 antispam. Note: This is the opposite behaviour from SMTP antispam.
Exercise 28
Exercise 29
To: partnery@xfeducation.local
Subject: Penis enlargement 5
Message Body: Limited offer, act now! Only $29.95
3. After you complete your email, click Send.
4. Partner 1 will receive an error message (552 Seems to be spam)
Scanner with subject [SPAM_BLOCK] informing him/her that a mail was blocked. Note: Without enabling the Delete Mode, both partners would receive a tagged mail.
Exercise 30
Module Review
Slide 164
You should now be able to:
Discuss the need for antispam technology.
Describe the basics of the Proventia M's antispam technology.
Configure the antispam portion of the Proventia M using whitelists and blacklists.
Take this opportunity to ask questions about the information we have discussed.
45 minutes
Routing Mode
Module 9
Slide 166
Module Objectives
When you complete this module, you will be able to:
Configure the appliance in Routing Mode.
Describe Routing Mode functionality.
Review how to switch to Transparent Mode.
Discuss Routing Mode settings.
Slide 167
Slide 168
Classroom Topology
The graphic below illustrates the final layout of the classroom at the conclusion of the exercises contained in this module.
Classroom IP Addresses
The following table highlights the resulting IP settings.

Table 1
Group  Host Name  Host IP Address  Appliance Name          Appliance IP Addresses
1      iss10      192.168.1.101    MF19.xfeducation.local  EXT1: <LAN>.19  INT0: 192.168.1.1  EXT2: 192.168.2.1
       iss20      192.168.2.101
2      iss30      192.168.3.101    MF29.xfeducation.local  EXT1: <LAN>.29  INT0: 192.168.3.1  EXT2: 192.168.4.1
       iss40      192.168.4.101
3      iss50      192.168.5.101    MF39.xfeducation.local  EXT1: <LAN>.39  INT0: 192.168.5.1  EXT2: 192.168.6.1
       iss60      192.168.6.101
4      iss70      192.168.7.101    MF49.xfeducation.local  EXT1: <LAN>.49  INT0: 192.168.7.1  EXT2: 192.168.8.1
       iss80      192.168.8.101
Lab: Configuration
Slide 169
Introduction
This lab walks you through the steps that you will take when reconfiguring your Proventia M appliance:
Reconfigure the appliance
Reconfigure the hosts' IP addresses
Exercise 31
Configuration > System > Objects > Dynamic Address.
3. Select CORP and click Edit....
4. Insert the parameters according to Table 1:
Comment: Corporate Network
Dynamic Address Network Address / Subnet Mask: 192.168.Y.0 / 255.255.255.0 (network of EXT2).
5. Click OK.
6. Click Add....
7. Insert the parameters according to Table 1:
Name: DMZ (it is the only available option)
Comment: DMZ Network
Dynamic Address Network Address / Subnet Mask: 192.168.X.0 / 255.255.255.0 (network of INT0).
8. Click OK.
9. Position yourself on Configuration > System > Network > Interfaces.
10. Change Transparent Mode to Routing Mode.
11. On the External Interface tab, check the Enabled box.
Table 1:
IP Address: <LAN>.X9
Subnet Mask: 255.255.255.0
Gateway: <LAN>.GW
14. In the DNS area, disable Use Dynamic Settings and insert the Primary, Secondary and Tertiary DNS Servers according to the instructor's directions.
15. In the DNS Search Path area, click Add....
16. Insert xfeducation.local as the Domain Name and click OK.
17. Select the Internal Interfaces tab.
18. Click Add.
19. Insert the values for INT0 according to Table 1:
Interface: eth0
Check Enabled
IP Address: 192.168.X.1
Subnet Mask: 255.255.255.0
Check Primary Management Interface
Click OK
20. Click Add.
INSTRUCTOR: If the students get an error due to SysTransmgmtRange, they will have to go to the Appliance Access tab and remove the line that contains the variable.
21. Insert the values for EXT2 according to Table 1:
Interface: eth2
Check Enabled
IP Address: 192.168.Y.1
Subnet Mask: 255.255.255.0
Click OK
22. Click Save Changes.
23. Read the Alert message and close your browser while the appliance reboots.
Note: You can follow the reboot process over the HyperTerminal connection.
Exercise 32
IP: 192.168.X.101/24 (refer to Table 1)
GW: 192.168.X.1
DNS: Ask the instructor.
Partner 2
1. Modify the Local Area Connection properties as follows:
IP: 192.168.Y.101/24 (refer to Table 1)
GW: 192.168.Y.1
DNS: Ask the instructor.
Exercise 33
certificate.
3. On the login dialog, enter your user name, admin, and press TAB.
4. Enter your password, iss123+, and press ENTER.
5. If the Hostname Mismatch message dialog or any other message
appliance).
Routing Mode
Slide 170
Introduction
When your appliance is in Routing Mode, it routes and filters traffic according to its firewall, VPN and NAT rules; the NAT rules rewrite the source and destination information in the IP packet header. Each interface has its own IP address and must be on a different IP subnet (a separate broadcast domain). When you power on an appliance in Routing Mode, the access policies that allow traffic through the appliance are disabled by default, except for traffic coming from the Corporate network.
Slide 171
Slide 172
Slide 173
Slide 174
Configuration Tasks
To complete Transparent Mode settings, you must do the following:
Configure the CORPTRANS Dynamic Address
Configure Transparent Mode management settings
Edit the Transparent Mode external interface
Configure the Transparent Mode internal interfaces
Module 9: Routing Mode
Again, ISS recommends that you use the Proventia Setup Assistant to configure initial settings for Transparent Mode on your appliance. Use the following tasks to configure Transparent Mode if you switch modes after initial configuration:

Task  Description
1     On the Firewall/VPN Dynamic Addresses page, create a Dynamic Address List that contains the static IP address that you will use as the virtual management IP address, and associate the new Dynamic Address List with the CORPTRANS Dynamic Address Name. Important: The static IP address must be in the subnet that you defined as the CORPTRANS Dynamic Address Name in the IP Address field on the Network Configuration Management tab.
2     Create a system backup of your appliance in Routing Mode. Important: A system backup is a safety net that preserves your system configuration until you are sure that your appliance is working correctly in Transparent Mode. After you are sure that your appliance is working correctly in Transparent Mode, create another system backup.
3     Create and save a settings snapshot of your appliance in Routing Mode. Important: If you later switch from Transparent Mode back to Routing Mode, the appliance reverts to default settings. After you switch to Routing Mode, you can apply the settings snapshot to restore your appliance settings.
4     Select one of the following options from the Action to Take When Changing Modes area: Reboot, Halt.
5     Select Transparent Mode from the Network Mode list on the Network Configuration page.
6     Configure appliance management settings on the Management tab.
7     Make sure that the external interface is enabled on the External Interface tab.
8     On the Internal Interfaces tab, configure the internal interfaces for the network segments you want to allow.
Task  Description
9     Click Save Changes. The appliance halts or reboots, depending on the option you selected.
10    Close your Web browser, and then restart the browser to access Proventia Manager with the virtual management IP address that you configured. Important: You must access the appliance from an IP address in the same subnet as the appliance. After the appliance powers up in Transparent Mode, you can modify access policies to allow HTTPS traffic from other subnets so that you can manage the appliance from an IP address outside the subnet.
11    View the Transparent Mode access policies on the Firewall/VPN Settings Access Policy tab, which allow network traffic through the appliance, and make sure that the policy settings are appropriate for your appliance.
12    View the configured Layer Two protocol access rules on the Firewall/VPN Settings Layer Two Access Control tab, and make sure that the protocol rule settings are appropriate for your appliance.
13    Add any routers that bracket the M appliance. If needed, configure local routers on the Firewall/VPN Settings Local Routers tab.
Introduction
This section describes how to switch your appliance between Routing and Transparent modes.
Considerations
Consider the following before you switch network modes:
POINT OUT: We will not change the operation mode from Routing to Transparent Mode in class.
If you switch from Routing to Transparent Mode, you must define the Transparent Mode settings before you click Save Changes. After the appliance reboots in Transparent Mode, you must use the management virtual interface to access Proventia Manager.
You must create a Dynamic Address List that contains the static IP address that you will use as the virtual management IP address.
Slide 176
You must associate the new Dynamic Address List with the CORPTRANS Dynamic Address Name.
Note: The static IP address must be in the subnet that you defined as the CORPTRANS Dynamic Address Name in the IP Address field on the Network Configuration Management tab.
You are not required to enable full transparency for advanced firewall ALGs to run your appliance in Transparent Mode. You can use tuning parameters to enable or disable full transparency for firewall ALGs when your appliance is running in Routing Mode, but any firewall ALGs that you use become fully transparent when your appliance is running in Transparent Mode.
Slide 177
route from another subnet to the virtual management IP address to manage the appliance in Transparent Mode.
Configuration > System > Network > Interfaces.
2. In the Action to Take When Changing Modes area, select one of the following:
Reboot
Halt
appears at the command line before you press the power button to turn off the appliance.
System Status
POINT OUT: It has different content than in Transparent Mode.
When you click the System node, the System Status page appears, displaying statistics for memory usage, CPU usage, and the internal and external interfaces.
Caution: When you first click any tab in Settings, you will get a warning message and login screens. You MUST answer Yes to all prompts and log in again.
Once you click the System node in the navigation tree, the following subnodes are displayed:
Appliance Access
DHCP
High Availability
Networking
Notification
Passwords
STATE: We will now take a look at the subnodes we have not analyzed yet or have changed.
DHCP
The DHCP Configuration pages allow you to enable and configure the following:
DHCP relay agent
DHCP server, including DNS and WINS configuration
DHCP advanced parameters
In addition, you can view the current DHCP leases.
High Availability
In many environments there is very little tolerance for downtime, so the Integrated Security Appliance offers the possibility of configuring two systems in High Availability.
In this section you enable High Availability by specifying the interface that will be connected to the second device, the timeout setting (30 seconds by default), the secret phrase the two systems share, and the virtual gateway IP address. The virtual IP addresses are defined in the bottom part of the window, together with the list of IP addresses to monitor and the list of Alternate Node Interfaces.
Networking
POINT OUT: Here the content is different than in Transparent mode.
The Network Configuration page holds the configuration of the appliance's network interface cards. This is the same data that you entered when you configured the appliance for Routing Mode; you can alter that data here.
This is also where you add interfaces such as DMZ as eth2 and above.
OSPF
STATE: More info on OSPF is in the User Guide.
OSPF is an interior routing protocol used within autonomous systems, such as service provider networks, universities, and private companies. OSPF was developed to satisfy the need for a scalable, open-standards routing protocol for large IP networks. It is a link-state protocol that provides highly efficient routing and fast convergence.
Router Configuration Tab
EXPLAIN: Proventia M does not support other protocols such as RIP. If you don't use OSPF as the routing protocol, you can only configure static routes on the appliance. Work with your ISP to configure OSPF.
Notes:
The M appliance supports only OSPF. It does not support other routing protocols such as RIP. If you do not use OSPF as the routing protocol, then you can only configure static routes on the appliance. You should work with your ISP to configure OSPF. In order to use OSPF, you must configure access policies that allow OSPF traffic (IP protocol 89; on broadcast networks OSPF also uses the multicast addresses 224.0.0.5 and 224.0.0.6). Consult your User Guide for more information concerning OSPF and your Proventia M.
Area Configuration Tab
An OSPF Area Configuration is a generalization of an IP subnetted network. Area Configurations accomplish the following:
Make the network more manageable by enabling you to partition it into administrative domains.
Reduce the amount of routing information that the appliance and neighboring routers must exchange.
Allow the appliance and neighboring routers to maintain a link-state database only for the Area Configuration where the device resides.
The following steps have to be taken for each Area Configuration:
Define the network area as a number, or as an IP address.
NOTE: A stub area cannot receive external advertisements (LSAs), which means RIP or static routes cannot be redistributed into this area.
Specify whether the Area Configuration is a stub area.
Specify whether to use authentication for LSAs that the appliance and neighboring routers broadcast in the area. Where a choice is offered, prefer cryptographic (MD5) authentication: simple-password authentication sends the key in clear text on the wire.
This is the node where OSPF Interface Configurations can be added, edited, copied, pasted, and removed.
The appliance supports the use of virtual links between the appliance and neighboring routers that are not physically connected to the backbone Area Configuration. This virtual tunnel provides a logical path to the appliance through another Area Configuration that is connected to both; this area is called the transit area. The virtual link must be configured both on the appliance and on the remote router for the Area Configuration that provides the virtual link to the backbone.
OSPF Database
The OSPF database on your appliance contains information about neighboring routers and the state of the network's links. The appliance and the other routers in the domain flood link-state advertisements (LSAs) throughout the domain, and the routing devices use this information to form the database. The appliance and each router in the domain hold an identical, synchronized database. Each device uses the database to build a routing table by calculating a shortest-path tree with itself as the root. In particular, the fields shown are:
OSPF Router ID
Router Link States
Net Link States
Summary Link States
NOTE: ASBR = Autonomous System Boundary Router. An ASBR is located between an OSPF autonomous system and a non-OSPF network.
OSPF Neighbors
The OSPF Neighbors page gives a more operational view of the neighboring routers and their status. In particular, the fields shown are:
Neighbor IP address
Interface IP address
The router's area and interface
The assigned priority
The state
The state changes
The Designated Router
The Backup Designated Router
The number of seconds before the neighbor is declared down
List of summary LSAs from the adjacent neighbor
List of LSA requests from the adjacent neighbor
List of LSA retransmissions from the adjacent neighbor
Thread Database Description Retransmission (On/Off)
Thread Link State Request Retransmission (On/Off)
Thread Link State Update Retransmission (On/Off)
Maintenance Tools
You can now additionally use the options on the System Tools page to do the following:
NOTE: The features on this page are available only in Proventia Manager; you cannot perform these tasks from the SiteProtector interface.
Reset all existing firewall connections and reload all Firewall/VPN policies
Reconnect PPPoE on the external interface
Release and renew the DHCP lease for the external interface
Module Review
Slide 179
You should now be able to:
Configure the appliance in Routing Mode.
Describe Routing Mode functionality.
Review how to switch to Transparent Mode.
Discuss Routing Mode settings.
Review the objectives. Ask for additional questions.
Take this opportunity to ask questions about the information we have discussed.
3 hours
Firewalls
Module 10
Slide 181
Module Objectives
When you complete this module, you will be able to:
Translate your security policy into firewall policies.
Configure the Proventia M firewall.
Create network objects.
Create rules.
Perform Network Address Translation (NAT).
Proventas Interfaces
Proventia M appliances have up to eight interfaces:
INT0 (eth0)
This interface leads to your internal, trusted network. The internal LMI rule is the only access rule enabled by default.
EXT1 (eth1)
This external interface leads upstream, usually towards the Internet. This is the untrusted side of your firewall.
EXT2 (eth2)
NOTE: The user can still use and configure their DMZ network on any eth port except INT0 or EXT1. If migrating, those policies will be migrated to eth2.
This interface can be configured as the DMZ, a network segment designated for publicly accessed servers. The DMZ segment is treated differently because the hosts on this network tend to be both high value and high risk. They are high value because they are generally public-facing assets such as your web servers and mail servers. They are high risk because you have to expose them to the entire Internet. If a security breach occurs, it will most likely take place in the DMZ, which is why it is important to confine such breaches to their own segment. These interfaces can also be configured as any other internal network interface (after release 2.2 they can also be used for high availability).
EXT3-EXT7 (eth3-eth7)
These are all user-configured interfaces; their availability depends on the model being configured.
Slide 183
Firewall Policies
Your firewall policy should be derived from your organization's top-level security policy, specifically from what is acceptable usage of your Internet connection, both inbound and outbound.
Your firewall policy should answer the following questions:
What protocols and servers do you need to make available to the untrusted public?
What protocols and servers do you need to make available to your trusted internal users?
What protocols and servers do you need to make available to trusted users coming from the Internet (road warriors, partner organizations, etc.)?
If you follow best practices and let your organization's security policy be driven by an ongoing vulnerability assessment plan, you will minimize the risks associated with opening up protocols through your perimeter firewall.
Slide 184
Slide 185
Access Policies
The Proventia appliance firewall uses access policies to prevent unwanted traffic from entering and leaving your network.
You can use access policies together with NAT policies or port forwarding to customize the way your firewall handles network traffic.
Rule Order
In the Proventia M firewall, rule order is very important: rules are applied in order, and a packet is processed by the first rule it matches.
Once you have created a list of rules, the appliance firewall compares each network packet against the rules from top to bottom until it finds a rule that accepts or denies the packet; later rules are never consulted for that packet. You can reorder your rules by moving them up or down in the list.
EXPLAIN: If you create deny rules for all networks and place them above the enabled LMI access rules, you will lock yourself out of the box.
There is a limit to the number of connections each interface will allow:
Internal - 100,000
External - 100,000
Self - 100,000
External to Self - 4,999
Once these limits are reached, new sessions to or through the Proventia M will not be established.
Slide 189
Network Objects
Your appliance uses information such as IP addresses and ports in several firewall (access policy) and VPN components. Instead of entering this data over and over again, Proventia M provides Network Objects, which let you create named containers and share the data across multiple components:
Address Name
Address Group
Port Name
Port Group
Dynamic Address Name
Slide 190
Address Objects
Address objects are shorthand for individual IP addresses, IP ranges, network IDs, and groups of IP addresses. Typical entries include:
EXPLAIN: Network objects are stored on the Proventia M, not in SiteProtector.
Slide 191
Your public web server
Your internal network
The IP range of your administrative staff
A group of back-end networks
For example, 192.168.5.34 becomes Sales Web Server, and 192.168.5.35 - 192.168.5.45 becomes Atlanta Web Servers.
Port Objects
You can use a network object to assign a name to a particular TCP or UDP service. Use the port name to create a firewall rule instead of specifying the protocol and port for the service.
Example: You can set up a port list entry named "https" for the TCP protocol on port 443. When you configure firewall rules, use the https port name for TCP traffic on port 443 instead of specifying the protocol and port number each time.
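The Python block below is an added example, not code from the original guide or from ISS. It models address and port objects as named containers (the Sales Web Server and Atlanta Web Servers entries from this page, plus constructed int_net, appliance and any objects), evaluates access rules first-match from top to bottom as described under Rule Order, and emits the Firewall_Allow_Rule / Firewall_Deny_Rule log entries that the logging notes at the end of this module mention. The implicit deny when no rule matches, the object and rule names, and the management packet are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Address objects (guide: single IP, IP range, network ID, group). A member is
# a single IP, a CIDR network, a "first-last" range, or the name of another
# address object, which makes the entry a group. The two web-server entries
# come from the guide; the other names are constructed for this example.
ADDRESSES = {
    "Sales Web Server": ["192.168.5.34"],
    "Atlanta Web Servers": ["192.168.5.35-192.168.5.45"],
    "int_net": ["192.168.1.0/24"],
    "appliance": ["192.168.1.1"],      # INT0 of MF19 in the classroom table
    "Back-end Networks": ["int_net", "Atlanta Web Servers"],
    "any": ["0.0.0.0/0"],
}

# Port objects: a (protocol, port) pair, or a list of port-object names (a group).
PORTS = {
    "https": ("tcp", 443),
    "http": ("tcp", 80),
    "web": ["http", "https"],
    "any": ("any", None),
}


def address_contains(name, ip):
    """True if the address object `name` covers `ip` (groups are recursive)."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    for member in ADDRESSES[name]:
        if member in ADDRESSES:                     # nested object: recurse
            if address_contains(member, ip):
                return True
        elif "-" in member:                          # explicit first-last range
            lo, hi = (ipaddress.ip_address(x) for x in member.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(member, strict=False):  # single IP or CIDR
            return True
    return False


def port_matches(name, proto, port):
    """True if the port object `name` covers this protocol/port pair."""
    entry = PORTS[name]
    if isinstance(entry, list):
        return any(port_matches(m, proto, port) for m in entry)
    want_proto, want_port = entry
    return want_proto in ("any", proto) and want_port in (None, port)


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # address object name
    dst: str               # address object name
    service: str           # port object name
    enabled: bool = True   # guide: a rule is inactive until enabled


def evaluate(rules, pkt):
    """Compare the packet against the rules top to bottom; the first enabled
    rule that matches decides, as the guide describes. Returns (action, log)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (address_contains(rule.src, pkt["src"])
                and address_contains(rule.dst, pkt["dst"])
                and port_matches(rule.service, pkt["proto"], pkt["dport"])):
            alert = "Firewall_Allow_Rule" if rule.action == "allow" else "Firewall_Deny_Rule"
            log = (f"{alert} rule={rule.name!r} {pkt['src']}:{pkt['sport']} -> "
                   f"{pkt['dst']}:{pkt['dport']} {pkt['proto']}")
            return rule.action, log
    # Nothing matched. Treating that as deny is an assumption of this example.
    return "deny", "no rule matched (implicit deny assumed)"


def management_locked_out(rules, mgmt_pkt):
    """True when this rule order would refuse the administrator's own HTTPS
    session to the appliance: the lockout the Rule Order note warns about."""
    return evaluate(rules, mgmt_pkt)[0] != "allow"


LMI = Rule("Internal LMI", "allow", "int_net", "appliance", "https")
DENY_ALL = Rule("Deny all", "deny", "any", "any", "any")
SAFE_ORDER = [LMI, DENY_ALL]       # specific allow above the catch-all deny
LOCKOUT_ORDER = [DENY_ALL, LMI]    # catch-all deny first: LMI is never reached

# Constructed management packet: admin workstation on int_net to the appliance.
MGMT_PKT = {"src": "192.168.1.101", "sport": 51234,
            "dst": "192.168.1.1", "dport": 443, "proto": "tcp"}

if __name__ == "__main__":
    for label, rules in (("safe order", SAFE_ORDER), ("lockout order", LOCKOUT_ORDER)):
        action, log = evaluate(rules, MGMT_PKT)
        print(f"{label:14} {action:5} {log}")
```

Running the block shows the same two rules producing an allow in one order and a deny in the other; the check a practitioner wants is to run management_locked_out against a proposed rule list, with the real management address and port, before clicking Save Changes.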
Slide 193
Slide 194
Dynamic Objects
There are two types of dynamic network objects:
Dynamic Address Names - Containers used in firewall rules; they provide one name with which you can associate unique Dynamic Address Lists across multiple appliances in your Site.
EXPLAIN: Dynamic Address Lists can only be set up on the device itself. Dynamic addresses can represent multiple IP addresses. Create the names at the top level so they will be available to all Ms in your Site.
Dynamic Address Lists - Define what is in the container on each individual appliance; lists contain addresses specific to an appliance that are associated with a shared Dynamic Address Name. Each appliance has one or more Dynamic Address Lists that contain addresses specific to that appliance.
with other firewall components, those associations are also removed. To restore them, you must manually associate those network objects with another Dynamic Address List or other network object.
Copying Lists
You can copy and paste a Dynamic Address List before editing it. This is useful if you want to add an entry that is similar to one already in the list.
Slide 195
Exercise 34
Objects node.
3. In the right pane, select the Address Names tab.
4. Click Add. The Add Address Name window appears.
5. Enter the following values:
Name: www
Comment: Web Server on Partner 1
Single IP Address: Select
IP Address: Your IP address: 192.168.X.101
6. Click OK.
7. Click Add.
8. Enter another address name using the following values:
Name: int_net
Comment: Internal Network
Network Address/Network Bits (CIDR): Select
IP Address/Mask: 192.168.X.0 / 24
9. Click OK.
Advanced Parameters
Slide 197
Access policies contain the firewall rules that define how your firewall responds to network traffic. An access policy applies to both inbound and outbound traffic on your network.
EXPLAIN: We're now going to talk about Proventia's firewall policies and then configure the firewall.
Notes:
POINT OUT: The checkboxes can be enabled from the main screen, and most of the fields are editable here.
EXPLAIN: Policies are not active until you enable them.
You can add an access policy to the list without enabling it, but the policy is not active. You must enable the policy before the appliance applies it to traffic on your network. You can use access policies together with NAT policies or port forwarding to customize the way your firewall handles network traffic.
Note: If you select a rule before clicking Add, the new rule that you create is added above the selected rule. If no rule is selected, the new rule is added to the bottom of the list.
Note: Adding a rule without changing any options will create a rule
appliance will create an entry in the system logs for packets that match the rule. The alert name is either Firewall_Deny_Rule or Firewall_Allow_Rule. The contents display the flow information of the packet (Source IP/Port, Destination IP/Port, Protocol).
6. Enter a meaningful description in the Comment field.
7. Select the Protocol tab.
8. Select a protocol for the network packet.
9. Select the Source Address tab.
10. Select a source IP address or addresses in the Source Address area.
11. Select the Source Port tab.
12. Select a source port.
13. Select the Destination Address tab.
14. Select a destination IP address or addresses in the Destination Address area.
15. Select the Destination Port tab.
16. Select a destination port in the Destination Port area.
17. Click OK.
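The following is an added example, not code from the instructor guide or the Proventia M: it models the Address Name and Port Name objects described earlier (single IP, range, CIDR; "https" = TCP/443) and an ordered access policy built from them, and shows which log entry (Firewall_Allow_Rule or Firewall_Deny_Rule) a matching rule with logging enabled produces. Top-down, first-match evaluation and a default deny when nothing matches are assumptions of this model, as are the sample rules and addresses.

```python
"""Added example, not ISS code: network objects and an ordered access policy.

Assumptions (not stated on the page): rules are evaluated from the top of the
list, the first enabled match decides, and a packet matching nothing is denied.
"""
import ipaddress
from dataclasses import dataclass


class AddressName:
    """One name for a single IP, an "a - b" range, or a "net / bits" network."""

    def __init__(self, name, spec):
        self.name = name
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
            self._contains = lambda ip: lo <= ip <= hi
        elif "/" in spec:
            net = ipaddress.ip_network(spec.replace(" ", ""), strict=False)
            self._contains = lambda ip: ip in net
        else:
            single = ipaddress.ip_address(spec)
            self._contains = lambda ip: ip == single

    def contains(self, ip):
        return self._contains(ipaddress.ip_address(ip))


ANY = None  # the "Any" choice in the rule editor


@dataclass(frozen=True)
class PortName:
    name: str
    proto: str   # "tcp" or "udp"
    port: int


@dataclass
class Rule:
    comment: str
    action: str            # "Allow" or "Deny"
    src: object = ANY      # AddressName or ANY
    dst: object = ANY
    dst_ports: tuple = ()  # PortName objects; empty means Any
    enabled: bool = True
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def _addr_match(obj, ip):
    return obj is ANY or obj.contains(ip)


def _port_match(ports, pkt):
    if not ports:
        return True
    return any(p.proto == pkt.proto and p.port == pkt.dst_port for p in ports)


def evaluate(policy, pkt):
    """Return (action, log_entry); log_entry is None unless the matching rule logs."""
    for rule in policy:
        if not rule.enabled:   # added but not enabled: the appliance does not apply it
            continue
        if (_addr_match(rule.src, pkt.src_ip) and _addr_match(rule.dst, pkt.dst_ip)
                and _port_match(rule.dst_ports, pkt)):
            entry = None
            if rule.log:
                name = "Firewall_Allow_Rule" if rule.action == "Allow" else "Firewall_Deny_Rule"
                entry = (name, f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} {pkt.proto}")
            return rule.action, entry
    return "Deny", None        # assumed default when no rule matches


# Constructed objects using the guide's example values; the policy itself is invented.
SALES_WEB = AddressName("Sales Web Server", "192.168.5.34")
ATL_WEB = AddressName("Atlanta Web Servers", "192.168.5.35 - 192.168.5.45")
INT_NET = AddressName("int_net", "192.168.5.0 / 24")
HTTP = PortName("http", "tcp", 80)
HTTPS = PortName("https", "tcp", 443)
FTP = PortName("ftp", "tcp", 21)

POLICY = [
    Rule("Inbound web to Atlanta servers", "Allow", dst=ATL_WEB, dst_ports=(HTTP, HTTPS), log=True),
    Rule("FTP to sales server from internal net only", "Allow", src=INT_NET, dst=SALES_WEB, dst_ports=(FTP,)),
    Rule("Disabled rule is ignored", "Allow", dst=SALES_WEB, enabled=False),
    Rule("Log everything else", "Deny", log=True),
]


def decide(src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    return evaluate(POLICY, Packet(src_ip, src_port, dst_ip, dst_port, proto))


if __name__ == "__main__":
    for args in [("203.0.113.5", 51000, "192.168.5.40", 443),
                 ("10.9.9.9", 51001, "192.168.5.34", 21),
                 ("192.168.5.7", 51002, "192.168.5.34", 21)]:
        print(args, "->", decide(*args))
```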
Slide 198
Deprecation
If you update your appliance to the current firmware version from older versions, the appliance automatically migrates existing firewall settings. After the appliance migrates firewall settings from some older versions, firewall rules contain settings that are deprecated. They exist so that you can continue using your old rules. If an access policy has deprecated settings, then a check mark appears for that policy in the Deprecated column of the Access Policy table, and the settings are indicated on the Deprecated tab.
Slide 199
Introduction
You have a web server that you want to make publicly available. You also want to protect this server with the Proventia M. You will deploy the Proventia M to make HTTP, HTTPS, and SMTP publicly available (to the rest of the class). You will also allow FTP, but only to a trusted neighbor (your neighbor in the class). As a review, here is the class topology:
Exercise 35
Source Address: Single IP Address
Source Port: Any
Destination Address: Self
Destination Port: Specific Network Objects, Add HTTPS, SSH, OK
5. Bring the rule to the top (Rule 0).
6. Click Save Changes to validate and apply your updates.
Partner 2
1. Connect to the Proventia Manager.
2. Take over the management of the Integrated Security Appliance.
Exercise 36
192.168.X.101.
3. Press ENTER.
You will find that you can't access it because no firewall rules have been put in place. If the routing exercise was completed successfully, you will have an alert from Proventia M with Service Unavailable. If this is not the case, please review your routing settings.
4. Close this browser window.
Exercise 37
NOTE: Instead of Ingress and Egress, Inbound and Outbound are the terms used in this guide because they match the interface and Help. Feel free to refer to them as you wish.
EXPLAIN: When selecting ports, you must leave the protocol as Any if you are using Network Objects for the port definitions. Otherwise, you will receive errors when the policy is applied.
Source Address: Any
Source Port: Any
Destination Address: Specific Network Objects, Add www, OK
Destination Port: Specific Network Objects, Add HTTP, Add HTTPS, Add SMTP, OK
5. Click OK.
6. Click Add.
Source Address: Specific Network Objects, Add int_neighbor, OK
Source Port: Any
Destination Address: Specific Network Objects, Add www, OK
Destination Port: Specific Network Objects, Add FTP, OK
8. Click OK.
9. If the HTTP rule is not already at the top of the 2 rules you created,
Exercise 38
Module 10: Firewalls
Create an outbound rule allowing your local client source IP address access to your neighbor's web server IP address for FTP. To create these rules, do the following:
1. First, delete the default outbound rule. To do so, click on the default rule (CORP, any, any, any, any, Allow), and clear the Enabled check box.
2. Click Add. The Add Access Policy window appears.
3. Enter an outbound rule for HTTP using the following values:
Tab: Main
Enabled: Select
Action: Allow
Log Enabled: Select
Comment: Allow outbound traffic for www
Protocol: Any
Source Address: Specific Network Objects, Add www, OK
Source Port: Any
Destination Address: Any
Destination Port: Specific Network Objects, Add HTTP, HTTPS, SMTP, DNS_namequery and DNS_zonetft, OK
4. Click OK.
5. Click Add.
Source Address: Specific Network Objects, Add www, OK
Source Port: Any
Destination Address: Specific Network Objects, Add int_neighbor, OK
Destination Port: Specific Network Objects, Add FTP, OK
7. Click OK.
8. Ensure the HTTP rule is at the top of the 2 rules you just created.
9. Click Save Changes to validate and apply your updates.
Exercise 39
You can modify the default.htm as you like; it will make it easier to understand which web server you are accessing. Partner 1 can now try to access the neighbor's Partner 1 web site:
1. Make sure that your neighbor has completed the previous exercises.
2. Open a new web browser window.
3. Enter your neighbor's web server address: http://192.168.N.101.
4. Press ENTER.
A page will appear that says Welcome to our Website, indicating that you have accessed your neighbor's site. You can access it because firewall rules have been put in place.
5. Close this browser window.
Introduction
With IP addresses becoming scarce and expensive, Cisco developed Network Address Translation (NAT) to allow a single device such as a firewall, router, or Proventia appliance to act as an agent between an internal (or private) network and the public network (Internet). NAT allows the appliance to translate your non-routable IP addresses to routable ones, so that computers inside your network can use the Internet to communicate with outside computers and servers.
STATE: We'll now discuss NAT and NAT lists.
Slide 202
The device "translates" public and private IP addresses so that one public IP address can represent an entire group of computers with private IP addresses. RFC 1918 provides three reusable address ranges that are available to anyone:
10.0.0.0 - 10.255.255.255 (Class A)
172.16.0.0 - 172.31.255.255 (Class B)
192.168.0.0 - 192.168.255.255 (Class C)
Addresses in these ranges can be used without fear of conflict with another network using the same address range. The only drawback is that, in order to avoid conflicts, these addresses are not routable on the Internet without network address translation. NAT enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. If you use nonroutable IP addresses in your internal network, you must use NAT to translate those addresses into one or more routable addresses.
Slide 203
When a packet comes back from the destination computer, the appliance checks the address translation table for the incoming address on the packet to determine which computer inside the network should receive the packet. If the appliance finds a match in the table, it translates the incoming address to the non-routable internal address, and forwards the packet to the computer inside the network. The process repeats as long as the internal computer is communicating outside the network.
Slide 204
Slide 205
Configuring NAT
There are two kinds of NAT rules:
Source
Destination
addresses.
10. Select the Destination Address tab, and then select a destination IP address or addresses.
11. Select the Destination Port tab, and then select a destination port.
12. Select the Translated Address tab:
13. Click OK.
Slide 206
EXPLAIN: You can only NAT inbound for Destination NAT rules.
Destination NAT rules prevent non-routable IP addresses in your network from appearing to users outside the network. They translate the destination port of a TCP or UDP packet to another port. In the Proventia M, you will use Destination NAT Rules to configure NAT for inbound network traffic.
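The following is an added example, not code from the instructor guide or the appliance: it models the translation-table process described in the NAT introduction above (a many-to-one "hide" source NAT that records each outbound conversation and uses the table to route replies back to the inside host, dropping inbound packets that match nothing) together with a static destination NAT rule of the kind described here, which maps a public address and port to an internal server. The public addresses, port-allocation scheme and table layout are assumptions of this model; 203.0.113.0/24 and 198.51.100.0/24 are documentation address space.

```python
"""Added example, not ISS code: a model of hide (source) NAT and destination NAT.

The RFC 1918 ranges are the ones quoted in the guide; everything else
(public addresses, port allocation, table structure) is assumed for this model.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip is non-routable (RFC 1918) and therefore needs translation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HideNat:
    """Many-to-one source NAT: every inside host appears as public_ip."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port   # assumed allocation: one fresh port per conversation
        self._out = {}   # (src_ip, src_port, dst_ip, dst_port, proto) -> public port
        self._in = {}    # (public port, remote ip, remote port, proto) -> (src_ip, src_port)

    def outbound(self, flow):
        """Translate a packet leaving the LAN; routable sources pass unchanged."""
        if not is_private(flow.src_ip):
            return flow
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        port = self._out.get(key)
        if port is None:               # new conversation: add a translation-table entry
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, flow.dst_ip, flow.dst_port, flow.proto)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port, flow.proto)

    def inbound(self, flow):
        """Map a reply addressed to public_ip back to the inside host, or None to drop."""
        if flow.dst_ip != self.public_ip:
            return None
        entry = self._in.get((flow.dst_port, flow.src_ip, flow.src_port, flow.proto))
        if entry is None:              # no conversation was started from inside: drop
            return None
        return Flow(flow.src_ip, flow.src_port, entry[0], entry[1], flow.proto)


class DestinationNat:
    """Static inbound mapping: (public ip, port) -> (internal ip, port)."""

    def __init__(self):
        self._rules = {}

    def add_rule(self, public_ip, public_port, internal_ip, internal_port, proto="tcp"):
        self._rules[(public_ip, public_port, proto)] = (internal_ip, internal_port)

    def inbound(self, flow):
        target = self._rules.get((flow.dst_ip, flow.dst_port, flow.proto))
        if target is None:
            return flow                # no rule: the packet is left as it is
        return Flow(flow.src_ip, flow.src_port, target[0], target[1], flow.proto)


def demo():
    """Two inside hosts reach the same server through one public address."""
    nat = HideNat("203.0.113.10")
    a = nat.outbound(Flow("192.168.1.20", 51000, "198.51.100.7", 80))
    b = nat.outbound(Flow("192.168.1.21", 51000, "198.51.100.7", 80))
    reply_to_a = nat.inbound(Flow("198.51.100.7", 80, "203.0.113.10", a.src_port))
    stray = nat.inbound(Flow("198.51.100.7", 80, "203.0.113.10", 12345))
    dnat = DestinationNat()
    dnat.add_rule("203.0.113.9", 80, "192.168.1.101", 80)   # like <LAN>.X9 -> web server
    web = dnat.inbound(Flow("198.51.100.7", 40000, "203.0.113.9", 80))
    return a, b, reply_to_a, stray, web


if __name__ == "__main__":
    for item in demo():
        print(item)
```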
Introduction
You will now configure a destination NAT rule which masks your actual web server address. To do so, you will need to create the following:
A destination NAT rule which creates a translated address, <LAN>.X9, for your web server
A firewall access policy which allows traffic to the new, translated address
Exercise 40
Source Address: Any
Destination Address: Single IP Address, NAT address: <LAN>.X9
Destination Port: 80
Exercise 41
settings:
Tab: Main
Enabled: Select
Action: Allow
Log Enabled: Select
Comment: Access rule for NAT
Protocol: Any
Source Address: Any
Source Port: Any
Destination Address: Single IP Address, Partner 1 NAT address: <LAN>.X9
Destination Port: Specify Network Object, HTTP
4. Click OK.
5. Click Save Changes to update.
Exercise 42
previous exercises.
2. Open a new web browser window.
3. Enter your neighbor's web server address: http://<LAN>.X9/.
4. Press ENTER.
A page will appear that says Welcome to our Website, indicating that you have accessed your neighbor's site. You can access it because NAT rules have been put in place.
5. Close this browser window.
Exercise 43
(http://192.168.Y.101/).
2. You will obtain the message that The page cannot be displayed.
necessary.
3. Position yourself on the Configuration > Firewall node.
4. In the right pane, select the NAT Policy tab.
5. Select the Source NAT Rules tab.
6. Click Add, and the Add Source NAT Rules window appears.
Destination Port: Any
Translated Address
8. Click OK.
9. Select the new rule and use the arrows to position it above the default Do Not Translate Hide rule.
10. Click Save Changes to update.
Exercise 44
A page will appear that says Welcome to our Website, indicating that you have accessed your neighbor's site. You can now access it because NAT has been disabled within the 2 networks of the appliance.
Event Notification
This page is specific to the firewall/VPN module. This notification page allows you to choose the events you want to be notified of.
Event Messages
You can configure the types of messages that the firewall writes to the log file. There are two types:
Alert
General
CAUTION: Do not turn on Access Statistics. It will log every packet and be a huge performance hit.
Alert Messages
Alert Messages notify you of security-related events:
Syn Flooding
Ping of Death
IP Spoofing
Invalid Packets
General Attacks
General Messages
General messages are events that are related to the following aspects of your network:
Status of the firewall or firewall activity
Network or system activity
User activity
Level of detail in messages written to the log file
There are three event notification options from which to choose:
Alert Logs
Alert emails
Alert SNMP traps
Enabling alert logging for alert or general events will flag those log entries to be listed in the Alert Log. If you would also like to receive an email or SNMP trap, you can enable those options here.
Slide 209
Explain: The ALG policies have to remain in place for AV, web filtering and antispam functionality. You will want to keep them enabled.
Slide 210
Asymmetric Redirection
Asymmetric redirection allows you to bypass security functionality on the M by allowing out-of-state traffic to pass through the appliance. In addition, the M will send ICMP redirect messages if needed. Here is an example:
feature on your appliance ONLY if your network contains a mix of internal hosts and routing devices that rely on ICMP Redirect for proper routing.
Advanced Parameters
There may be instances in which the firewall settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.
Appliance User Guide for more information about advanced parameter names and values.
Module Review
Slide 211
You should now be able to:
Translate your security policy into firewall policies.
Configure the Proventia M firewall.
Create network objects.
Create rules.
Perform Network Address Translation (NAT).
Review Objectives
Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.
2 hours
Module 11
Slide 213
Module Objectives
When you complete this module, you will be able to:
Configure a virtual private network for site-to-site connectivity using the VPN Wizard.
Configure a virtual private network for client-to-site connectivity using the VPN Wizard.
Introduction
This module walks you through adding site-to-site and client-to-site VPN configurations. We will also discuss the RADIUS client page, certificates, and advanced parameters as they relate to VPNs.
Slide 214
Module 11: Configuring the VPN
IKE SA information statistics are described in the following table:
Statistic: Description
Policy Name: The name of the policy in use in one or more VPN connections.
State: The current state of the policy. The possible states are as follows:
Unused states (indicate that the policy is not in use): INIT_IDLE, RESP_IDLE
Transient states (indicate that IKE negotiations are occurring): MM_SA_WAIT, AM_SA_WAIT, RESP_KE_WAIT, INIT_KE_WAIT, RESP_ID_WAIT, INIT_ID_WAIT, HASH_WAIT. Note: These states may last for a few seconds only.
Established states (indicate that the IKE SA is established): SA_MATURE
IPSEC SA count: The total number of SAin and SAout.
VPN Checklist
This checklist is helpful when gathering information you need before configuring your VPN tunnel.
EXPLAIN: This checklist is for you to use when you get back to work.
Subnet A IP address/mask: _____________________________
IKE Phase 1 (Main Mode) Authentication: __ MD5 __ SHA1
IKE Phase 1 Encryption: __ 3DES __ DES __ AES
IKE Phase 1 Key Lifetime Seconds: ____________________________
IKE Phase 1 Key Lifetime Kbytes: _____________________________
IKE Phase 1 Diffie-Hellman Group: __ Group1 __ Group2 __ Group5
IKE Phase 2 (Quick Mode) Authentication: __ MD5 __ SHA1
IKE Phase 2 Encryption: __ 3DES __ DES __ AES
IKE Phase 2 Key Lifetime Seconds: ____________________________
IKE Phase 2 Key Lifetime Kbytes: _____________________________
IKE Phase 2 Diffie-Hellman Group: __ None __ Group1 __ Group2 __ Group5
VPN Wizards
Introduction
VPN wizards simplify the task of creating VPNs between your M Series appliance and various VPN clients. The wizard uses the information you provide to automatically create required firewall rules and other settings.
Note: The wizards contain default settings that are optimized for most networks. ISS recommends that you accept the default settings.
Slide 215
Types of wizards
There are three VPN Wizards that will help you create the VPN connections for your appliance:
Slide 216
Slide 217
Slide 218
Explain: Once you complete the wizard and establish your connections, you will want to fine tune the policies that were created. The wizard rules grant all access between the two networks.
Use the wizards to create the VPN connection. To edit the VPN connection, you must manually edit individual firewall rules, security gateways, or network objects created by the wizard. To remove the VPN connection, you must remove individual firewall or IPSEC rules created by the wizard.
Introduction
You will now use the M-to-M VPN wizard to connect your appliance to your neighbor's. You will also go back to your Access Policy to see the additions that have been made by the wizard.
Exercise 45
(192.168.N.101) You will see that you won't be able to reach it. Let the ping run while you continue the exercise.
Partner 2:
1. Connect to the Proventia Manager.
2. Take over the management of the Integrated Security Appliance if necessary.
3. Position yourself on the VPN > Wizard > M Series to M Series.
4. Select the General tab and enter the following settings:
Name: VPN_2_<your neighbor's table number>
Log Enabled: Selected
5. Select the Local Network tab and enter the following settings:
Network Address/#Network Bits: Partner 1 network address: 192.168.x.0 / 24
7. Select the VPN tab and configure the following security gateway settings:
Create New: Select
Auto Select Key Security IPSEC...: Select
Name: <Your neighbor's table number>_IKE
Local Address: Your external address: <LAN>.X0
Remote IP Address: Your neighbor's external address: <LAN>.N0
Remote ID: Static Address
IP Address: <LAN>.N9
Authentication Mode: Pre-shared Key
Preshared Key: 123456789abcdefg
INSTRUCTOR: Walk through the policy which was created by the wizard.
Once both you and your neighbor have completed your VPN configuration, the ping will succeed through the tunnel.
Introduction
There are two things that must happen in order for a client-to-site VPN connection to be established:
A tunnel for the VPN connection
A connection for the new VPN tunnel, created specifically for the client system
You will now configure the VPN for client-to-site connectivity with a SoftRemote client. The instructor will then create a new connection for SoftRemote.
EXPLAIN: You will configure the VPN for client-to-site connectivity with SR. I will then create a new connection for SoftRemote.
Exercise 46
necessary.
3. Position yourself on the VPN > Wizard > SoftRemote VPN Client to M Series.
4. Enter the following settings:
Comment: SoftRemote to M
Logging Enabled: Select
Local Network IP Address/#Network Bits: Your network address: 192.168.x.0 / 24
Authenticate Peer Users: Disabled
Address Range1: 10.1.2.1-10.1.2.254
Local IP Address: Your firewall's external address: <LAN>.X9
Remote ID Authentication Type: FQDN: xfeducation.local
Preshared Key: 123456789abcdefg
external IP address.
3. Install SafeNet with typical installation options.
4. After reboot, open a cmd shell and run ping -t <Student IP>.
Editor.
2. In the Security Policy Editor, click the New icon (top left), and then
following settings:
ID Type: IP Subnet
Subnet: Student's IP Address, 192.168.X.0
Mask: 255.255.255.0
Protocol: All
Connect using: Enable and select Secure Gateway Tunnel
ID Type: Select IP Address and enter the student's external IP Address: <LAN>.X9
Mode.
3. Enable Perfect Forward Secrecy with PFS Key Group set to Diffie-Hellman Group 2.
4. Disable the Enable Replay Detection option.
Configuring My Identity
1. In the tree view, select My Identity.
2. In the My Identity area, configure the following settings:
Select Certificate: None
ID Type: Select Domain Name and enter the domain name for the client: xfeducation.local
Virtual Adapter: Disabled
settings:
Encrypt Algorithm: Triple DES
Hash Alg: SHA-1
Encapsulation: Tunnel
4. Click File > Save.
5. The ping is now successful.
Exercise 47
http://192.168.X.101.
Slide 221
Slide 222
Slide 223
NOTE: L2TP is included with most new Microsoft operating systems.
EXPLAIN: You can configure an L2TP/IPSEC VPN connection between the appliance and a Windows 2000 or XP VPN client.
L2TP does not include encryption, but defaults to using IPSec in order to provide VPN connections from remote users to the corporate LAN. The combination of L2TP for packet encapsulation and IPSec for encryption, known as L2TP/IPSec, is a highly secure technology for creating remote access VPN connections across public networks. L2TP IP addresses will be used when you create an L2TP/IPSEC VPN connection, and you add them on the VPN Advanced tab.
Slide 224
Advanced Parameters
There may be instances in which the VPN settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.
Note: Enabling ICMP for the external interface in the Self policy is not enough to allow you to ping. In order to do so, you must add the advanced parameter access.ext_allow_ping and make sure that Boolean is enabled.
Slide 225
Certificates
In order for public key cryptography systems to work on a large scale, there must be a method of trust established such that entities that do not know of each other can have enough faith in the public keys they receive to trust any transactions that take place with them. This is the function of Certifying Authorities. Basically, they validate the owners of public keys so that when someone gets a key from that certifying authority, there is a high degree of assurance that the key belongs to the entity whose name is associated with that key.
EXPLAIN: Certificates are found in the Proventia M. They allow you to integrate PKI with your Proventia box.
EXAMPLES:
VeriSign - issues digital IDs for individuals, independent software vendors, and secure servers.
Entrust - creates software and services that secure digital identities and information for enterprise and government customers.
In order to use certificates from your trusted certificate authority, you must install the certificate on the appliance. Doing so adds the authority to the trusted certificate authority list.
Note: Before installing a trusted certificate authority certificate, you must download the certificate file from your chosen certificate authority.
Module Review
Slide 226
You should now be able to:
Configure a VPN for site-to-site connectivity.
Configure a VPN for client-to-site connectivity.
Review Objectives
Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.
1 hour
High Availability
Module 12
Slide 228
Module Objectives
When you complete this module, you will be able to:
Explain the concept of High Availability.
Describe High Availability Deployments and Configuration of a HA Environment.
Discuss the Updating of Appliances in High Availability Mode.
Slide 230
With a dedicated interface link connecting the primary and secondary appliances, the appliances periodically send heartbeats to monitor status. If the secondary appliance does not receive a response from the primary appliance for a predetermined period of time, called the dead timeout, the primary appliance is considered to have failed. When this occurs, the secondary appliance takes over all virtual IP addresses for all interfaces and becomes the primary appliance. When the primary appliance fails, it loses FTP, VPN and other TCP persistent connections, and you must reconnect them on the secondary appliance. This is known as "warm" failover.
Slide 231
Slide 232
Logical HA Diagram
First is a logical diagram of standard HA deployment. In this example, there is only one external IP address: 10.10.100.1. The appliances use non-routable IP addresses for their external interface:
on both appliances.
2. Create new Address Name network objects
3. Add Required Access Policies and Source NAT Rule
4. Edit existing policies and configurations
5. Dedicate an HA Interface
Slide 233
Slide 234
Slide 235
shown in the Logical Network Diagram presented previously. Create an Address Name network object called ClusterIPAddresses for the IP address ranges of all enabled interfaces in the HA cluster, including the HA interface and virtual IP addresses:
Create an Address Name network object called HANetIPAddresses for the static IP address range of the HA interface only, as follows:
192.168.100.1-192.168.100.2
Slide 236
The access policies and Source NAT Rule must work on both appliances in the cluster. You must add the access policies and Source NAT Rule before you enable the HA feature.
Slide 237
This policy allows the secondary appliance to receive updates. For the Source Address, you must use an Address Name network object for the static IP address range of the HA interface only. Example:
Name: Allow secondary appliance updates over HA network
Action: Allow
Protocol: TCP
Source Address: HANetIPAddresses (Address Name network object)
Source Port: Any
Destination Address: Any
Destination Port: Any
Note: When you configure the secondary appliance, you are not required to add this access policy, because the first two access policies allow HA functionality. The secondary appliance can receive the third access policy to allow updates from the primary appliance after you enable HA.
Slide 238
Slide 239
the appliance uses the virtual IP addresses to route traffic. In the case of access policies, IPSEC policies, NAT policies, or advanced firewall ALGs, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting security gateways. If Source or Destination NAT Rules reference a static IP address (physical interface), you must change the IP address for the rule to match the virtual IP address of that interface.
The Hide NAT Source Rule is enabled by default. This Many-to-One configuration translates all non-routable IP addresses to the IP address of the eth1 interface. If you use the high availability feature, you must edit the Hide NAT Source rule. On the Translated Address tab, change the IP address entry to the virtual IP address for the HA cluster. When you set up a security gateway with an IP address as the Local ID, you must use the first virtual IP address for the interface as the Local ID value. Do not use an alias, an IP address using a proxy ARP, or the second or later virtual IP address.
Slide 240
Dedicating an HA Interface
You must dedicate an interface to enable HA functionality, and each appliance must dedicate the same HA interface. This simplifies use of HA functionality and provides good throughput when the appliances share state information. The HA interface must also be dedicated to avoid the possibility of user traffic interfering with the cluster nodes' communication. Match any of the available interfaces eth2 through eth7; the number of available interfaces varies depending on your appliance model. Do not use INT0 (eth0) or EXT1 (eth1) for your high availability interface. Use the same appliance model for both the primary and secondary device. Example - M50 to M50 Do not route user network traffic across the dedicated HA interfaces.
Introduction
You will now walk through each of the steps involved in configuring a high availability environment. You cannot save the changes in this area until you have completed all required settings on the following tabs:
Base Configuration
Virtual IP Addresses
STATE: You cannot save the changes on this page until you have completed all required settings on these tabs.
Slide 242
Module 12: High Availability
The following table describes the required fields:
Option: Definition
Enabled: Check to enable high availability. Important: The default setting is unchecked. Complete the configuration procedures, required access policies, and required NAT Source Rule for HA on both appliances before you select the Enabled check box.
HA Interface: The interface for HA state communication. Note: The default is eth2.
Dead Timeout: The dead timeout or failure timeout is the amount of time that the secondary appliance waits for a heartbeat message or ICMP reply message from the primary appliance. The default value is 30000 milliseconds (30 seconds). A smaller dead timeout value causes a faster failover to the secondary appliance. Note: To help determine the timeout value, ISS recommends you monitor the system logs for warning messages from the heartbeat module, to see if heartbeats arrive late. The heartbeat message indicates how late the message is. Double this time and use that value as a new failure timeout. Continue to monitor the system logs for more heartbeat warning messages. You should not see more than one or two heartbeat warning messages per day.
Shared Secret: The secret text string shared between the primary and secondary appliances. Note: The text string must contain no spaces, and must be between 16 and 64 characters.
Virtual Gateway: The IP address of the default external gateway for the HA cluster. Example: 10.10.100.1
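The following is an added example, not code from the instructor guide or the appliance: it models the dead timeout from the table above (the secondary declares the primary failed and takes over once no heartbeat arrives within the timeout, 30000 ms by default), applies the tuning rule of doubling the lateness reported in heartbeat warnings, and checks the Shared Secret length and no-space rule. The system log lines and their "late by N ms" wording are constructed for this example; the real heartbeat warning format is not given on the page.

```python
"""Added example, not ISS code: dead-timeout failure detection and tuning.

Assumptions: the secondary's view is reduced to "time of last heartbeat";
the heartbeat warning text below is invented for the example.
"""
import re

DEFAULT_DEAD_TIMEOUT_MS = 30000


class DeadTimeoutMonitor:
    """Failure detection as seen from the secondary appliance."""

    def __init__(self, dead_timeout_ms=DEFAULT_DEAD_TIMEOUT_MS):
        self.dead_timeout_ms = dead_timeout_ms
        self.last_heartbeat_ms = None
        self.role = "secondary"

    def heartbeat(self, now_ms):
        """Record a heartbeat (or ICMP reply) from the primary."""
        if self.role == "secondary":
            self.last_heartbeat_ms = now_ms

    def check(self, now_ms):
        """Return True if this appliance is (or has just become) the primary."""
        if self.role == "primary":
            return True
        if self.last_heartbeat_ms is None:          # nothing heard yet: no basis to fail over
            return False
        if now_ms - self.last_heartbeat_ms > self.dead_timeout_ms:
            self.role = "primary"                   # take over all virtual IP addresses
            return True
        return False


# Constructed system log lines (format assumed for this example).
SAMPLE_LOG = [
    "Jan 12 03:14:07 heartbeat: WARNING heartbeat from primary late by 18000 ms",
    "Jan 12 03:14:40 heartbeat: INFO heartbeat received",
    "Jan 12 09:02:11 heartbeat: WARNING heartbeat from primary late by 22000 ms",
]
HEARTBEAT_WARNING = re.compile(r"heartbeat: WARNING .*late by (\d+) ms")


def late_heartbeats(log_lines):
    """Lateness values (ms) from every heartbeat warning in the log."""
    found = []
    for line in log_lines:
        m = HEARTBEAT_WARNING.search(line)
        if m:
            found.append(int(m.group(1)))
    return found


def recommend_dead_timeout(log_lines, current_ms=DEFAULT_DEAD_TIMEOUT_MS):
    """Guide's rule: double the worst reported lateness; without warnings keep the current value."""
    late = late_heartbeats(log_lines)
    return 2 * max(late) if late else current_ms


def valid_shared_secret(secret):
    """Shared Secret rule from the table: no spaces, 16 to 64 characters."""
    return 16 <= len(secret) <= 64 and " " not in secret


if __name__ == "__main__":
    mon = DeadTimeoutMonitor()
    for t in (0, 10000, 20000):
        mon.heartbeat(t)
    print("failed over at 45 s?", mon.check(45000))   # gap 25 s: still secondary
    print("failed over at 51 s?", mon.check(51000))   # gap 31 s: takes over
    print("recommended dead timeout:", recommend_dead_timeout(SAMPLE_LOG))
```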
Slide 243
Interface Name: Network interface name. The default is None.
IP Address: Virtual IP address (VIP). The default is none. The external VIP is also used as your Virtual Gateway IP address, on the Base Configuration page.
Slide 244
Here is an example: A common configuration contains two appliances with the following assigned IP addresses:
one static internal interface address
one static external interface address
one static high availability interface address
one virtual internal address
one virtual external address
This address is also your Virtual Gateway IP address. The primary appliance owns the virtual IP addresses until a failover occurs. When a failover occurs, the secondary appliance takes ownership of the virtual IP addresses, and becomes primary.
Slide 245
When You Will NOT Use Virtual IP Addresses
When performing HA management, you will always use virtual IP addresses, except when you must connect to each appliance individually to do the following:
Install firmware updates
Perform a system backup
Restore from a system backup
You are directed to do so by ISS Technical Support personnel
You can connect to individual appliances by using the unique IP address of the appliance, or with a serial connection. You must perform all other HA cluster management tasks using the virtual IP addresses.
Slide 246
Notes:
To add or remove Monitor IP Addresses after enabling HA, you must disable HA before you make any changes. ISS recommends that you carefully select devices such as an email server or Web server that are highly available, reliable, and maintain average traffic. If you use Monitor IP addresses, the dead timeout value should be set to accommodate peak traffic. The following table describes the required fields on the Monitor IP Addresses tab:
Enabled: Monitor IP Address usage is enabled. The default is Checked.
IP Address: IP Address to send ICMP requests to. The default is None.
Slide 247
must disable HA before you make any changes. It is important to choose devices which are known to be reliable before enabling HA to avoid unnecessary downtime.
Slide 248
Slide 249
the Proventia Manager home page if an HA appliance is in a failure state and not responding to requests. This status information only pertains to appliances in a high availability configuration in routing mode. The following table describes the HA Status fields:
Field: Definition
High Availability Mode: The status of the HA feature. Options are as follows: Enabled, Disabled
High Availability Node Name: The node name of the appliance, in the following format: hostname.ipaddress
High Availability Operating As: The HA role of the appliance. Options are as follows: Unknown, Primary, Secondary
High Availability Active Status: The status of the primary appliance. Options are as follows: Running, Stopped, Not configured, Not installed, Unknown
High Availability Secondary Status: If the High Availability feature is enabled, then this statistic appears on the primary appliance only. This is the status of the secondary appliance. Options are as follows: Unknown, Running, Stopped, Failure
Introduction
The following update requirements apply to both appliances when the HA feature is enabled: you can enable automatic update downloads and automatic security update installation, but you must apply firmware updates manually in Proventa Manager on each appliance.
Important: Do not enable the automatic firmware update installation option. You must apply the same firmware version to both the primary and the secondary appliance; the HA feature does not function properly if the two appliances run different firmware versions. In a standard IP high availability environment, installing a firmware update on the primary appliance forces a failover to the secondary appliance, and the former primary becomes the secondary appliance in the cluster.
Caution: Applying firmware updates to an HA appliance requires a failover. ISS recommends that you install firmware updates during off hours.
Slide 251
Recommendations
Consider the following recommendations before you apply updates to an appliance in routing mode with the HA feature enabled: To maintain up-to-date security and database content, enable automatic scheduled security and database updates.
Important: Do not enable automatic firmware updates.
Open two browser windows so that you can more easily access both appliances during the update process.
Lab: Configuration
Introduction
In this lab you will re-install the appliance from scratch in routing mode, in order to configure and test High-Availability.
Slide 252
HA Classroom Topology
The graphic below illustrates the final layout of the first row of the classroom at the conclusion of the exercises contained in this module.
HA IP Addresses
The following table highlights the resulting IP settings.
Table   Hosts (Host IP Address)                       Appliance Name           Appliance IP Addresses
1 & 2   iss10 (172.16.100.4), iss20 (172.16.100.5)    MF19.xfeducation.local   EXT1: <LAN>.19, INT0: 172.16.100.2, EXT2: 10.10.100.1
1 & 2   iss30 (172.16.100.6), iss40 (172.16.100.7)    MF29.xfeducation.local   EXT1: <LAN>.29, INT0: 172.16.100.3, EXT2: 10.10.100.2
3 & 4   iss10 (172.16.200.4), iss20 (172.16.200.5)    MF39.xfeducation.local   EXT1: <LAN>.39, INT0: 172.16.200.2, EXT2: 10.10.200.1
3 & 4   iss30 (172.16.200.6), iss40 (172.16.200.7)    MF49.xfeducation.local   EXT1: <LAN>.49, INT0: 172.16.200.3, EXT2: 10.10.200.2
Slide 253
Exercise 48
IP: 172.16.X00.Y (refer to the tables starting on page 12-24)
GW: 172.16.X00.1
DNS: Ask the instructor.
POINT OUT: The default GW is already the one which will be valid after the HA configuration.
Partner 2
1. Modify the Local Area Connection properties as follows:
IP: 172.16.X00.Z/24 (refer to the table on page 12-24)
GW: 172.16.X00.1
DNS: Ask the instructor.
Exercise 49
your system.
2. If asked, select to boot from the CD.
3. When prompted, boot your Proventa M appliance.
4. When prompted, press L to boot from LAN.
Note: you have 5 seconds before the system will boot normally.
5. At the boot prompt, type reinstall nodb and press ENTER.
The system will restore the distribution image without copying the database used for the web and mail filtering. These will be copied in the following exercise.
6. Allow the appliance to reboot.
press ENTER.
8. At the password prompt, type admin and press ENTER.
9. On the HTTP Authentication screen press TAB twice and press ENTER.
10. On the Welcome screen press ENTER to select Next (default position).
11. On the End User License Agreement screen, review the license
press ENTER.
14. Read the information on your screen and press ENTER to continue. 15. On the Hostname screen, press BACKSPACE as necessary to delete
#>9.xfeducation.local.
17. TAB to the NEXT button and press ENTER.
18. On the Internal Interface (eth0) screen, accept the default Activate
your internal IP address, 172.16.X00.# (refer to the tables starting on page 12-24), and press ENTER.
20. To accept the default Netmask (network mask) value, 255.255.255.0, press ENTER.
21. To select NEXT, press ENTER.
22. On the Configure External IP Type screen, press the SPACE BAR to
POINT OUT: Tell the students that the actual classroom network might be different.
<LAN>.X9 (refer to the tables starting on page 12-24 and verify with the instructor), and press ENTER.
26. To accept the default Netmask (network mask) value, 255.255.255.0, press ENTER.
27. Type the Default gateway (IP Address), <LAN>.GW. Your
Secondary and Tertiary nameserver. Your instructor will provide this IP address.
30. TAB to the NEXT button and press ENTER.
31. On the DNS Search Path screen, type the DNS search path list name, xfeducation.local.
32. TAB to the NEXT button and press ENTER.
33. On the Appliance Management Access screen leave Management access for machines on the eth0 subnet enabled checked; press TAB 4 times and press ENTER.
34. On the Configure Time Zones screen, select the appropriate time zone by pressing ENTER and scrolling to the desired value (the default time zone is America/New York).
35. TAB to the NEXT button and press ENTER.
36. On the Date and Time screen insert the appropriate Month, Day, Year,
as Root, press TAB 3 times to the NEXT button and press ENTER.
42. On the Proventa Manager Password screen press ENTER to select
Same as Root, press TAB 3 times to the NEXT button and press ENTER.
43. On the Enable Bootloader Password screen select Enable and press
positioned on Finish.
45. After the request is sent and the system reboots, press CTRL+G to
Exercise 50
and add the eth2 network interface with IP 10.10.X.Y (refer to the tables starting on page 12-24 and verify with the instructor).
Exercise 51
Objects node.
3. Select the Address Names tab.
4. Create an object ClusterIPAddresses containing:
The IP addresses of the external interface of both Proventa appliances (<LAN>.X9 and <LAN>.N9).
The IP addresses of the internal interface of both Proventa appliances (172.16.X00.2 and 172.16.X00.3).
The IP addresses of the EXT2 interface of both Proventa appliances (10.10.X00.1 and 10.10.X00.2).
Both the External and Internal virtual IP addresses of your HA setup (<LAN>.X5 and 172.16.X00.1).
6. Position yourself on the Firewall/VPN Settings node.
7. In the right pane, on the Access Policy tab, click Add. The Add
Source Address:      Address Name network object (the ClusterIPAddresses object created above)
Source Port:         Any
Destination Address: Self
Destination Port:    2998
POINT OUT: In our configuration we have 3 valid IP addresses in the same range, therefore we don't need an access rule and a NAT rule to allow the secondary appliance to receive updates via the primary.
Source Address:      Address Name network object (the ClusterIPAddresses object created above)
Source Port:         Any
Destination Address: Self
Destination Port:    694
Exercise 52
Configure High-Availability
Note: Do NOT save changes until you complete all tabs.
Partner 1
1. Connect to your Proventa Manager.
2. Position yourself on the Configuration > System > High Availability node.
POINT OUT: Do NOT save changes until you complete all tabs.
POINT OUT: On the primary appliance the default gateway entered during the setup will be overwritten with this Virtual Gateway value.
3. Select the Enable check box.
4. Select eth2 as the HA Interface Name.
5. Leave the Dead Timeout default value of 30000 (milliseconds, that is 30 seconds).
6. In the Shared Secret field enter abcdefghij123456 (16 characters).
7. In the Virtual Gateway field enter the network gateway (<LAN>.GW).
8. On the Virtual IP Addresses tab, add the following 2 addresses:
Internal Virtual IP Address: verify that the Enabled field is checked. Interface Name: eth0. IP Address: 172.16.X00.1. Subnet Mask: 255.255.255.0.
External Virtual IP Address: verify that the Enabled field is checked. Interface Name: eth1. IP Address: <LAN>.X5. Subnet Mask: 255.255.255.0.
9. On the Monitor IP Addresses tab, add the following addresses:
Monitor the Instructor's machine: verify that the Enabled field is checked. IP Address: <Instructor's IP>.
Your partner's machine: verify that the Enabled field is checked. IP Address: <Your partner's IP>.
POINT OUT: It is important to add all active interfaces of the other appliance. If this doesn't match the actual settings of the alternate appliance, the HA configuration cannot be applied.
10. On the Alternate IP Addresses tab, add the following 3 addresses:
Value       Alternate Node   Internal Interface (eth0)   External Interface (eth1)   EXT2 Interface (eth2)
1st Table   MFN9             172.16.X00.3                <LAN>.N9                    10.10.X00.2
2nd Table   MFX9             172.16.X00.2                <LAN>.X9                    10.10.X00.1
11. Click Save Changes.
Partner 2
1. Connect to your Proventa Manager.
2. Wait until you get the LMI screen with an orange banner
Exercise 53
Test High-Availability
Partner 1
1. Connect to the Proventa Manager via the Internal Virtual IP
address 172.16.X00.1.
2. Add an Access Rule to allow ICMP traffic from the Instructor
machine.
INSTRUCTOR: Verify you can ping the external interfaces of both Proventa appliances and the External Virtual IP. If it does not work, verify that ICMP is enabled for you.
appliances and the Internal Virtual IP address: ping 172.16.X00.1, ping 172.16.X00.2, ping 172.16.X00.3.
2. On your host machine, open a command shell and at the command
prompt issue an arp -a command. Verify that the Physical Addresses of 172.16.X00.1 and 172.16.X00.2 are the same. This implies that 172.16.X00.2 currently is the primary node of the HA setup.
Partner 1
1. Connect to the primary appliance via putty.
2. Start tail -f /var/log/messages.
3. On your host machine open a command shell and start ping -t
Also verify your arp table to make sure which appliance is primary.
<Instructor IP>
4. Unplug the cable going from MFX9 (the primary appliance) to the
Clear messages in your tail -f session indicate that a monitored IP can no longer be reached and that the failover procedure is taking place. Your ping will fail for about 30 seconds (the dead timeout) and succeed again after the failover.
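The arp -a checks in this exercise, before and after the failover, can be automated. The following Python script is an added example and is not part of the original lab or of the Proventa product; it parses constructed arp -a output in both the Windows and the Linux format and reports which node's MAC the internal virtual IP currently resolves to. The host, node and MAC values in the samples are made up for the example.

```python
import re

# One ARP entry, on either Windows output ("172.16.100.1   00-0c-29-aa-bb-01   dynamic")
# or Linux/BSD output ("? (172.16.100.1) at 00:0c:29:aa:bb:01 [ether] on eth0").
ARP_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for line in text.splitlines():
        match = ARP_ENTRY.search(line)
        if match:
            table[match.group("ip")] = match.group("mac").lower().replace("-", ":")
    return table


def primary_for_vip(table, vip, nodes):
    """Return the node whose MAC matches the virtual IP's MAC, or None.

    The HA primary answers ARP for the virtual IP with its own interface MAC,
    so the node that shares the VIP's MAC is the one currently owning the VIP.
    None means the VIP is not in the cache or no single node matches.
    """
    vip_mac = table.get(vip)
    if vip_mac is None:
        return None
    owners = [node for node in nodes if table.get(node) == vip_mac]
    return owners[0] if len(owners) == 1 else None


# Constructed samples (made-up MACs) for the lab's internal subnet: VIP .1, nodes .2 and .3.
VIP = "172.16.100.1"
NODES = ("172.16.100.2", "172.16.100.3")

ARP_BEFORE_FAILOVER = """\
Interface: 172.16.100.4 --- 0x4
  Internet Address      Physical Address      Type
  172.16.100.1          00-0c-29-aa-bb-01     dynamic
  172.16.100.2          00-0c-29-aa-bb-01     dynamic
  172.16.100.3          00-0c-29-cc-dd-02     dynamic
"""

ARP_AFTER_FAILOVER = """\
Interface: 172.16.100.4 --- 0x4
  Internet Address      Physical Address      Type
  172.16.100.1          00-0c-29-cc-dd-02     dynamic
  172.16.100.2          00-0c-29-aa-bb-01     dynamic
  172.16.100.3          00-0c-29-cc-dd-02     dynamic
"""

ARP_LINUX_HOST = """\
? (172.16.100.1) at 00:0c:29:aa:bb:01 [ether] on eth0
? (172.16.100.2) at 00:0c:29:aa:bb:01 [ether] on eth0
? (172.16.100.3) at 00:0c:29:cc:dd:02 [ether] on eth0
"""

if __name__ == "__main__":
    for label, sample in (("before", ARP_BEFORE_FAILOVER), ("after", ARP_AFTER_FAILOVER)):
        print(label, "failover: primary is", primary_for_vip(parse_arp_table(sample), VIP, NODES))
```

Ping the virtual IP before reading the cache: a stale entry from before the failover still points at the old primary until the host refreshes it, and a host that has sent no traffic since the takeover may keep the old mapping until it ages out.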
prompt issue an arp -a command. Verify that the Physical Addresses of 172.16.X00.1 and 172.16.X00.3 are the same. This implies that 172.16.X00.3 has become the primary node of the HA setup.
Partner 2
1. Connect to the Proventa Manager via the Internal Virtual IP
address 172.16.X00.1.
2. Verify on the Home Page that the High Availability settings have
Module Review
Slide 254
You should now be able to:
Explain the concept of High Availability.
Describe High Availability Deployments and Configuration of an HA Environment.
15 minutes
Course Review
Review Objectives
You should now be able to:
Slide 255
Describe the six components of the Proventa M.
Reconfigure the Proventa M appliance.
Discuss Transparent Mode functionality and configuration.
Discuss components of the Proventa M Intrusion Prevention module and configure Intrusion Prevention functionality.
Use a test virus to view virus blocking within the Proventa M.
Describe the Proventa M Series Web filtering process.
Configure the Web filtering module, creating whitelists and blacklists.
Slide 256
Configure the Proventa M firewall, creating lists and rules.
Perform network address translation and Reverse NAT.
Configure a Virtual Private Network for site-to-site and client-to-site connectivity.
Ask Questions
Appendix A
What is Encryption?
Encryption is the science of encoding data to ensure the privacy or integrity of a communication. The most effective way to achieve data security, it is a fundamental component of techniques that provide confidentiality, integrity, and authentication. The encryption process involves three components: Plain text - the original message you want to encrypt
Appendix A: VPN and Encryption Technologies
Encryption algorithm - a mathematical algorithm used to jumble your plain text
Encryption key - a small piece of data used in conjunction with the encryption algorithm to jumble your plain text
The result of this process is ciphertext, encrypted data which can be stored on non-secure media or transmitted on a non-secure network and still remain secret. Later, the ciphertext can be decrypted back to plain text using the same encryption algorithm and a decryption key. There are two types of encryption algorithm, symmetric and asymmetric; both are used to protect the confidentiality of data.
Symmetric algorithms are considered very fast and are therefore preferred when encrypting large amounts of data. A disadvantage to using a symmetric algorithm is that keys must be distributed in advance, thereby leaving open the possibility that they are discovered. Examples of symmetric encryption algorithms:
DES
3DES
RC4
RC5
AES (Rijndael)
DES
The Data Encryption Standard (DES) algorithm was the United States Government's encryption standard through the 1990s. It uses a 56-bit key, which is far too short today: a DES key was publicly recovered by brute force in 1998, and DES is considered insecure.
3DES
The 3DES algorithm, a simple variant on DES, was created to overcome the weakness of the short DES key. A single DES operation is replaced by three DES operations (encrypt, decrypt, encrypt) under three DES keys, for a nominal key length of 168 bits. Because of the meet-in-the-middle attack, the effective brute-force strength of 3DES is 112 bits. Although 3DES solves the problem of the short, 56-bit DES key, it must run the DES process three times to gain those 112 bits of security, which is resource intensive.
AES
The Advanced Encryption Standard (AES) is a symmetric block cipher. Unlike 3DES, which cascades three runs of an older cipher, AES was designed from the ground up to use long keys in a single pass of its own round structure. AES key lengths are 128, 192, or 256 bits. AES is the current encryption standard of the United States Government.
Scenario
We will use Bob and Alice, two coworkers, to illustrate symmetric encryption: Bob and Alice are coworkers at the ABC company.
Evil Eve, another coworker, is in charge of all corporate communications. She has been abusing her access and rights to eavesdrop on everyone else's communications. To avoid Evil Eve, Bob and Alice have decided to use encryption and initially decide to use symmetric encryption because of its speed. Bob encrypts a message to Alice and emails it to her. In order for Alice to decrypt the message, she will need a copy of the same key Bob used to encrypt the message. This will be their shared secret. How does Bob securely get the key to Alice?
Can he tell it to her over the phone? No, Evil Eve is listening.
Can he email it to her? No, Evil Eve can access their email.
Can he send it to her in an envelope? No, Evil Eve is in charge of all interoffice mail.
The Problem
Symmetric encryption is very fast but suffers from a catch-22: Bob and Alice want to use symmetric encryption in order to secure their communication channel, but they need a secure channel of communication before they can share symmetric keys.
ElGamal
Asymmetric cryptography uses a pair of mathematically related keys: a public key, which is freely distributed and can be seen by all users; and a private key, which is kept secret and not shared among users.
The public key and private key perform inverse operations and are used together. For example, if a message is encrypted with the public key, only the private key can decrypt it. Conversely, a message encrypted with the private key can only be decrypted with the public key. Compared to symmetric encryption, asymmetric encryption is roughly a thousand times slower, but it does not suffer the key distribution problems that plague symmetric encryption.
Scenario
We will use Bob and Alice to illustrate the asymmetric algorithm: Bob generates a pair of keys. One he calls his private key, the other his public key. Anything encrypted with the public key can only be decrypted using the private key, and vice versa. Bob sends his public key to Alice in an email attachment. Alice encrypts messages to Bob using his public key. Since Bob's public key was transferred to Alice insecurely (via email), we can assume that Evil Eve has a copy as well. Luckily, Bob's public key does not help Evil Eve. She cannot decrypt Alice's message to Bob without Bob's private key.
It is Bob's responsibility to keep his private key safe and confidential.
The Problem
Although secure in its method of key distribution, Asymmetric encryption is far too slow and resource intensive for large amounts of data.
Hashing Algorithms
While symmetric and asymmetric algorithms protect the confidentiality of data, hashing algorithms protect data integrity. Hashing algorithms rely on mathematical formulas that take a given input, such as a message, and produce a message digest, or output, that is statistically unique to the original message. With this technology, if the message is altered in any way, the hash output changes dramatically. This makes it very easy to detect whether a message has been tampered with. The two most used hashing algorithms are:
MD5: creates a 128-bit message digest
SHA-1: creates a 160-bit message digest
Both have since been shown to be vulnerable to collision attacks (practical collisions were published for MD5 in 2004 and for SHA-1 in 2017), so new designs should use the SHA-2 family instead.
Scenario
Alice wants to send Bob an email congratulating him on a job well done and announcing his promotion. The congratulatory email is public information, so we are not concerned with the confidentiality of the message. If Alice sends the message in the clear to Bob, Evil Eve can intercept it and modify it to read that Bob has been fired rather than promoted. A message digest would help Bob verify that the message he received was the same message that Alice originally sent.
Alice creates a message digest of the promotion email before she sends it, and Bob creates a message digest of the email after he receives it. If the two message digests are equal, the message received is the same as the one that was sent.
The Problem
If Evil Eve can intercept and modify the email, she can also intercept and modify the message digest. We need to make sure that the message digest is not tampered with. We do this with digital signatures.
Digital Signatures
A digital signature is an encrypted message digest that performs the following functions:
Makes sure that a message can only have come from the sender that sent it.
Makes sure that the message has not been tampered with.
Scenario
Alice runs her email through a hashing algorithm to produce a message digest. Alice encrypts the message digest with her private key - producing a digital signature. Alice sends the original message and the digital signature to Bob. Bob extracts the digital signature and decrypts it with Alices public key - producing the original message digest. Bob runs the message he receives through the same hashing algorithm used by Alice and compares the resulting message digest to the one that was decrypted with Alices public key. If the results are equal, Bob knows that the message could only have come from Alice and that the message has not been tampered with.
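The hashing and digital-signature scenarios above, as an added Python example that is not code from the page: it computes the MD5 and SHA-1 digests of the promotion email, shows how much the SHA-1 digest changes when Evil Eve edits one word, then signs the digest with Alice's private key and lets Bob verify it with her public key. The RSA key is a toy built from two fixed Mersenne primes with no padding scheme, which is enough to show the mechanics but is not how a real signature scheme should be implemented; the message texts are made up.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so the numbers are exact and the run is instant.
# This is textbook RSA without padding: fine for showing sign/verify/tamper detection,
# never for real use (use RSA-PSS or ECDSA from a vetted library for that).
P_PRIME = 2 ** 127 - 1
Q_PRIME = 2 ** 521 - 1
RSA_E = 65537


def make_keypair(p=P_PRIME, q=Q_PRIME, e=RSA_E):
    """Return (public_key, private_key); d is the modular inverse of e (Python 3.8+ pow)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(message, alg="sha1"):
    """Message digest as bytes; md5 gives 128 bits, sha1 gives 160 bits."""
    return hashlib.new(alg, message).digest()


def sign(message, private_key, alg="sha1"):
    """Alice's step: hash the message and encrypt the digest with her private key."""
    m = int.from_bytes(digest(message, alg), "big")
    return pow(m, private_key["d"], private_key["n"])


def verify(message, signature, public_key, alg="sha1"):
    """Bob's step: decrypt the signature with Alice's public key, compare with a fresh digest."""
    recovered = pow(signature, public_key["e"], public_key["n"])
    return recovered == int.from_bytes(digest(message, alg), "big")


def bits_changed(a, b):
    """Number of differing bits between two equal-length digests (the avalanche effect)."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


# Constructed messages: what Alice sent, and Evil Eve's edit of it.
ORIGINAL = b"Bob, congratulations: you have been promoted."
TAMPERED = b"Bob, congratulations: you have been fired."

if __name__ == "__main__":
    pub, priv = make_keypair()
    sig = sign(ORIGINAL, priv)
    print("digest sizes (bits): md5", len(digest(ORIGINAL, "md5")) * 8,
          "sha1", len(digest(ORIGINAL, "sha1")) * 8)
    print("bits changed by Eve's edit:", bits_changed(digest(ORIGINAL), digest(TAMPERED)), "of 160")
    print("original verifies:", verify(ORIGINAL, sig, pub))
    print("tampered verifies:", verify(TAMPERED, sig, pub))
```

Eve can recompute a digest of her edited message, but she cannot produce a signature for it without Alice's private exponent d, which is why the digest has to be signed and not merely sent alongside the message.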
Encryption Schemes
In practice, algorithms are not used independently. Symmetric algorithms are very fast but insecure in their key distribution. Asymmetric algorithms are very slow but secure in their key distribution. This makes symmetric and asymmetric encryption very complementary, each providing what the other lacks. The same holds true for hashing algorithms. Hashing algorithms protect integrity but not confidentiality, while encryption algorithms protect confidentiality but not integrity. Again, each has what the other is lacking. In order to truly secure our communication channel, we must blend all of these algorithm types together. Blending multiple algorithms in this fashion is referred to as an encryption scheme. Examples of encryption schemes:
SSL
PPTP
L2TP
IKE/IPSEC
Tunnel Mode
Tunnel mode is the most used encapsulation method. In tunnel mode, the entire original IP datagram is protected. Tunnel mode allows the cryptographic endpoint to be a device other than the final destination, such as a gateway, so a packet can be delivered to a host behind that gateway.
An IPSEC packet in tunnel mode has two IP headers. The outer IP header contains the information for delivering the entire packet to the gateway device. The inner IP header is protected (encrypted with ESP, authenticated with AH) and contains only the original information intended for the targeted host on the other side of the VPN tunnel.
Transport Mode
Transport mode is used to protect only the upper layer of protocols; the original IP header is not encrypted. Transport mode can only be used when the cryptographic endpoint is the same as the communication endpoint. This limits transport mode to host-to-host tunnels.
IPSEC Protocols
IPSEC uses the following protocols for data encryption and authentication:
Encapsulating Security Payload (ESP) for encryption; ESP can also carry its own integrity check, so it is frequently deployed without AH
Authentication Header (AH) for authentication only
Authentication Header
AH is used to ensure data integrity, origin authentication, and limited anti-replay protection. AH does not encrypt the IP datagram, so it does not need an encryption algorithm. In tunnel mode, the most commonly used mode, IPSEC computes a keyed hash (HMAC) over the entire packet, with mutable IP header fields such as TTL treated as zero, and prepends a new IP header and an AH header.
Security Associations
A Security Association (SA) defines how two hosts communicate with each other using IPSEC. An SA defines:
Which protocol to use.
Which encapsulation mode to use.
The keys involved.
The duration for which the keys are valid.
SAs are maintained in an SA database (SADB) for the lifetime of the IPSEC connection, which can be defined in seconds or in bytes transferred. Each host creates a minimum of two SAs: SAin and SAout. If the hosts use more than one protocol, such as ESP and AH, then additional pairs of SAs are created for each protocol. SAs are created either manually and off-line, such as in manual keying IPSEC, or automatically by a key management protocol, such as IKE. Since a single host may need to maintain many different security associations, SAs are referenced using a 32-bit value called a security parameters index, or SPI. The initiator includes the SPI in the ESP or AH header so that the responder can locate the correct SA for the packet; together with the destination address and the protocol (ESP or AH), the SPI identifies the SA.
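To make the SA lookup concrete, here is an added Python example (not code from the page or from any IPsec implementation). It builds constructed IPv4 packets carrying ESP and AH headers, pulls the SPI and sequence number out of them, and looks each packet up in a small SA database keyed by SPI, destination address and protocol, with a simplified anti-replay check. The gateway addresses, SPIs and algorithm names are made up for the example.

```python
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51

# Constructed gateway pair: traffic flows from GW_A to GW_B, so GW_B holds the inbound SAs.
GW_A, GW_B = "10.10.100.1", "10.10.200.1"


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_esp(spi, seq, body):
    """ESP header: SPI and Sequence Number (32 bits each), then the (here opaque) encrypted body."""
    return struct.pack("!II", spi, seq) + body


def build_ah(next_header, spi, seq, icv):
    """AH header: Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ipsec(packet):
    """Pull protocol, destination, SPI and sequence number out of an IPv4 packet carrying ESP or AH."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = bytes_to_ip(packet[16:20])
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
        return {"proto": "ESP", "dst": dst, "spi": spi, "seq": seq}
    if proto == IPPROTO_AH:
        next_header, _, _, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
        return {"proto": "AH", "dst": dst, "spi": spi, "seq": seq, "next": next_header}
    raise ValueError("not an IPsec packet (protocol %d)" % proto)


class SADB:
    """Inbound SA database keyed the way RFC 2401 identifies an SA: (SPI, destination, protocol)."""

    def __init__(self):
        self.entries = {}

    def add(self, spi, dst, proto, **params):
        self.entries[(spi, dst, proto)] = dict(params, last_seq=0)

    def lookup(self, parsed):
        return self.entries.get((parsed["spi"], parsed["dst"], parsed["proto"]))

    def accept(self, packet):
        """Locate the SA for a packet and apply a simplified anti-replay check.

        A real implementation keeps a sliding window of recent sequence numbers; here any
        sequence number not strictly greater than the highest seen so far is rejected.
        Returns (sa, reason); sa is None when the packet must be dropped.
        """
        parsed = parse_ipsec(packet)
        sa = self.lookup(parsed)
        if sa is None:
            return None, "no SA for SPI 0x%08x" % parsed["spi"]
        if parsed["seq"] <= sa["last_seq"]:
            return None, "replayed sequence number %d" % parsed["seq"]
        sa["last_seq"] = parsed["seq"]
        return sa, "ok"


def sample_sadb():
    """GW_B's inbound SADB for the constructed pair (made-up SPIs and algorithm choices)."""
    sadb = SADB()
    sadb.add(0x1000A001, GW_B, "ESP", cipher="3des-cbc", auth="hmac-sha1-96", mode="tunnel")
    sadb.add(0x1000A002, GW_B, "AH", auth="hmac-md5-96", mode="tunnel")
    return sadb


# Constructed packets from GW_A to GW_B; the ESP body and the AH ICV are zero filler.
ESP_PKT = build_ipv4(GW_A, GW_B, IPPROTO_ESP, build_esp(0x1000A001, 1, b"\x00" * 32))
AH_PKT = build_ipv4(GW_A, GW_B, IPPROTO_AH, build_ah(4, 0x1000A002, 1, b"\x00" * 12))
UNKNOWN_SPI_PKT = build_ipv4(GW_A, GW_B, IPPROTO_ESP, build_esp(0xDEADBEEF, 1, b"\x00" * 32))

if __name__ == "__main__":
    sadb = sample_sadb()
    for pkt in (ESP_PKT, AH_PKT, ESP_PKT, UNKNOWN_SPI_PKT):
        parsed = parse_ipsec(pkt)
        sa, reason = sadb.accept(pkt)
        print("%s SPI 0x%08x seq %d -> %s" % (parsed["proto"], parsed["spi"], parsed["seq"], reason))
```

The lookup tuple is the point: two SAs may carry the same SPI if they differ in destination or protocol, which is why the table is not keyed on the SPI alone. Each peer chooses the SPI for its own inbound SA, so it is the receiving gateway's SADB that must hold the entry the sender's header points at.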
IKE Phase 1
Phase 1 begins with an exchange of proposals on how to protect the secure channel. This involves exchanging Diffie-Hellman public values and agreeing on all of the components of the security association. The two hosts exchange the following information:
Encryption algorithms and hashing algorithms
A Diffie-Hellman group and nonce (pseudo-random number)
A preshared key or a certificate that proves their identity
The IKE Phase 1 session results in a shared SA that defines the encrypted channel over which Phase 2 can take place.
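The following Python example (added here; not code from the page or from any IKE implementation) runs the Phase 1 computations from both sides with pre-shared key authentication: a Diffie-Hellman exchange, the SKEYID derivation from the pre-shared key and the two nonces, the three derived keys SKEYID_d, SKEYID_a and SKEYID_e, and the responder's check of HASH_I, using the formulas from RFC 2409 section 5 with HMAC-SHA1 as the prf. The Diffie-Hellman group is a deliberately small toy modulus (not one of the real IKE groups), the cookies, SA payload body and identity payload are fixed stand-ins, and the pre-shared keys are made up.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group so the arithmetic stays readable: p = 2**127 - 1 (a Mersenne prime),
# generator 2. This is NOT one of the IKE/Oakley groups; real peers use the RFC 2409/3526 MODP groups.
P = 2 ** 127 - 1
G = 2
PLEN = (P.bit_length() + 7) // 8      # byte length used when encoding g^x and g^xy


def prf(key, data):
    """IKE's prf for the SHA-1 hash proposal: HMAC-SHA1 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(x=None):
    """Private exponent x and public value g^x mod p."""
    if x is None:
        x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def skeyid_psk(psk, ni, nr):
    """Pre-shared key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def derive_keys(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d, SKEYID_a and SKEYID_e as RFC 2409 section 5 defines them."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def phase1(psk_initiator, psk_responder, xi=None, xr=None, ni=None, nr=None):
    """Run the Phase 1 key computations from both sides and return what each ends up with.

    Each peer uses its own copy of the pre-shared key, so passing two different values
    models a misconfigured PSK: the keys diverge and the responder's check of HASH_I fails.
    """
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                   # ISAKMP cookies (fixed stand-ins)
    sai_b = b"\x00\x01\x03\x02"                               # stand-in for the initiator's SA payload body
    idii_b = b"\x01\x00\x00\x00" + bytes([172, 16, 100, 2])   # ID_IPV4_ADDR identification body
    ni = secrets.token_bytes(16) if ni is None else ni
    nr = secrets.token_bytes(16) if nr is None else nr

    xi, gxi = dh_keypair(xi)
    xr, gxr = dh_keypair(xr)
    gxi_b, gxr_b = gxi.to_bytes(PLEN, "big"), gxr.to_bytes(PLEN, "big")

    # Initiator: shared secret from the responder's public value, then SKEYID, keys and HASH_I.
    gxy_i = pow(gxr, xi, P).to_bytes(PLEN, "big")
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    keys_i = derive_keys(skeyid_i, gxy_i, cky_i, cky_r)
    sent_hash_i = hash_i(skeyid_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)

    # Responder: same computation with its own exponent and its own PSK, then verify HASH_I.
    gxy_r = pow(gxi, xr, P).to_bytes(PLEN, "big")
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    keys_r = derive_keys(skeyid_r, gxy_r, cky_i, cky_r)
    expected = hash_i(skeyid_r, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)
    authenticated = hmac.compare_digest(sent_hash_i, expected)

    return {"initiator": keys_i, "responder": keys_r, "authenticated": authenticated}


if __name__ == "__main__":
    psk = b"correct horse battery staple"
    good = phase1(psk, psk)
    print("matching PSK: authenticated =", good["authenticated"], "SKEYID_e =", good["initiator"]["e"].hex())
    bad = phase1(psk, b"wrong secret")
    print("mismatched PSK: authenticated =", bad["authenticated"])
```

In Main Mode the identities and HASH_I/HASH_R travel in the last two messages, already encrypted under SKEYID_e. In Aggressive Mode HASH_R is sent in message 2 before any encryption exists, and since every other input to it is visible on the wire, an eavesdropper can test guessed pre-shared keys offline against it, exactly the recomputation the responder performs here.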
Phase 1 Modes
Phase 1 uses one of two modes: Main Aggressive
Main Mode
In main mode, the initiator (client) and responder (server) exchange six packets:
the encryption and the authentication algorithms for the Phase 1 negotiation.
2. The responder accepts the proposal.
3. The initiator sends a Diffie-Hellman proposal and a nonce value (random number).
Aggressive Mode
With Aggressive mode connections, the Initiator and Responder exchange only three packets:
authentication, starts the Diffie-Hellman exchange, and then sends its nonce value and proof of identity.
2. The responder accepts the security proposal, and then sends its own
While aggressive mode saves three packets during negotiation, it sends ID information in the clear and is open to denial of service attacks. With pre-shared key authentication it also exposes the responder's authentication hash before any encryption is in place, which lets an eavesdropper mount an offline dictionary attack on the pre-shared key.
IKE Phase 2
Phase 2 negotiation looks very similar to Phase 1 in Aggressive Mode. It is a three-packet exchange used to establish a shared SA on both sides. The primary difference between Phase 1 in Aggressive Mode and Phase 2 is that Phase 2 negotiation is encrypted using the ISAKMP SA negotiated in Phase 1. Hosts use the following items in a proposal:
Security protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP) or both
If ESP is involved, an encryption method (DES, 3DES, or AES)
An authentication algorithm (MD5 or SHA-1) for AH, or for ESP with integrity checking
If Perfect Forward Secrecy is used, a Diffie-Hellman group
At the end of Phase 2, a shared SA has been securely negotiated through an encrypted channel. We are now ready to encrypt our communication.
Phase 2 Mode
Phase 2 takes place in "quick mode".
IKE policies
IKE policies define the security protocol, authentication algorithm, and other necessary information needed to create Security Associations (SAs) and to exchange keys.
IKE XAuth
XAuth, which is short for extended authentication, provides secondary authentication for the IKE session using username/password pairs in addition to preshared secrets or digital certificates. After IKE Phase 1 is completed, an extra exchange occurs in which the remote VPN peer sends a message requesting a user name and password. The local peer prompts the user for it or finds it in a policy, and then forwards it to the remote peer. The remote peer validates the user name and password pair. There are two methods for authenticating the name/password pair:
Generic, which uses a built-in local database
RADIUS, which passes the information to a RADIUS server