Secure Web Gateway Network Guardian Administration Guide

Transcription

1 Secure Web Gateway Network Guardian Administration Guide For future reference Network Guardian serial number: Date installed: Smoothwall contact:

2 Smoothwall Network Guardian, Administration Guide, December 2014 Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: Smoothwall Ltd. All rights reserved. Trademark notice Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries. Acknowledgements Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor. Network Guardian contains graphics taken from the Open Icon Library project openiconlibrary.sourceforge.net/ Address Web Telephone Fax Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom info@smoothwall.net USA and Canada: United Kingdom: All other countries: USA and Canada: United Kingdom: All other countries:

3 Contents About This Guide... 1 Audience and Scope... 1 Organization and Use... 1 Conventions... 2 Related Documentation... 2 Chapter 1 Introduction... 3 Overview of Network Guardian... 3 Annual Renewal... 3 Chapter 2 Network Guardian Overview... 5 Accessing Network Guardian... 5 Dashboard... 6 Logs and reports... 6 Reports... 7 Alerts... 7 Realtime... 8 Logs... 8 Settings... 9 Networking... 9 Filtering... 9 Routing... 9 Interfaces Settings Services Authentication User Portal Proxies SNMP Message Censor System Maintenance Central Management iii

4 Contents Preferences Administration Hardware Diagnostics Certificates Guardian Quick Links Web Filter Policies HTTPS Inspection Policies Content Modification Policies Anti-malware Policies Block Page Policies Policy Objects Swurl Web Proxy Web Proxy Upstream Proxy Authentication MobileProxy Configuration Guidelines Specifying Networks, Hosts and Ports Using Comments Creating, Editing and Removing Rules Connecting via the Console Connecting Using a Client Secure Communication Unknown Entity Warning Inconsistent Site Address Chapter 3 Working with Interfaces Configuring Global Settings for Interfaces Working with Bridges Creating Bridges Editing Bridges Deleting Bridges Working with Bonded Interfaces Creating Bonds Editing Bonds Deleting Bonds Configuring IP Addresses Adding an IP Address Editing an IP Address Deleting an IP Address Chapter 4 Deploying Web Filtering Getting Up and Running Blocking and Allowing Content Immediately Blocking Locations Excepting Computers from Web Filtering About Shortcuts iv Smoothwall Ltd

5 Contents About Network Guardian s Default Policies About the Default Web Filter Policies About the Default Authentication Policies Chapter 5 Working with Policies An Overview of Policies Types of Policies How Policies are Applied Guardian Getting Started Working with Category Group Objects Creating Category Group Objects Creating Custom Categories Editing Category Group Objects Deleting Category Group Objects Working with Time Slot Objects Creating a Time Slot Editing a Time Slot Deleting a Time Slot Working with Location Objects Creating a Location Object Editing Location Objects Deleting Location Objects Working with Quota Objects About the Default Quota Object Creating Quota Objects Editing Quota Objects Deleting Quota Objects Managing Web Filter Policies Creating Web Filter Policies Editing Web Filter Policies Deleting Web Filter Policies Managing HTTPS Inspection Policies Enabling HTTPS Inspection Policies Creating an HTTPS Inspection Policy Editing HTTPS Inspection Policies Deleting HTTPS Inspection Policies Configuring HTTPS Inspection Policy Settings Clearing the Generated Certificate Cache Managing Content Modification Policies Creating a Content Modification Policy Editing Content Modification Policies Deleting Content Modification Policies Creating Custom Content Modification Policies Managing Anti-malware Policies Creating an Anti-malware Policy Configuring Anti-malware Protection Configuring Anti-malware Status Information Editing Anti-malware Policies Deleting Anti-malware Policies v

6 Contents Using the Policy Tester Other Ways of Accessing the Policy Tester Working with Policy Folders Creating a Policy Folder Editing Policy Folders Deleting Policy Folders Censoring Web Form Content Configuring Organization Accounts Chapter 6 Managing Authentication Policies About Authentication Policies Creating Authentication Policies Creating Non-transparent Authentication Policies Creating Transparent Authentication Policies Managing Authentication Policies Editing Authentication Policies Deleting Policies Managing Authentication Exceptions Identification by Location Connecting to Network Guardian About Non-transparent Connections About Transparent Connections Authentication Scenarios New Content Filtering Changing the Listening Port Providing Filtered Web Access to the Public Requiring Authentication to Browse the Web Using Multiple Authentication Methods Controlling an Unruly Class Chapter 7 Managing Web Security Overview of the Web Proxy Global Options Advanced Web Proxy Settings Using PAC Scripts Using a Built-in Script Using a Custom Script Managing the Configuration Script Limiting Bandwidth Use Ordering Bandwidth Limiting Policies Editing Bandwidth Limiting Policies Deleting Bandwidth Limiting Policies Configuring WCCP Managing Upstream Proxies Overview Configuring an Upstream Proxy Configuring Source and Destination Filters Using a Single Upstream Proxy Working with Multiple Upstream Proxies Managing Blocklists Viewing Blocklist Information vi Smoothwall Ltd

7 Contents Manually Updating Blocklists Managing Block Pages Customizing a Block Page Using a Custom HTML Template Using an External Block Page Configuring a Block Page Policy Managing Block Page Policies Working on Block Pages Chapter 8 Managing Your Network Infrastructure Creating Subnets Editing and Removing Subnet Rules Using RIP Chapter 9 General Network Security Settings Blocking by IP Creating IP Blocking Rules Editing and Removing IP Block Rules Configuring Advanced Networking Features Working with Port Groups Creating a Port Group Adding Ports to Existing Port Groups Editing Port Groups Deleting a Port Group Chapter 10 Configuring Inter-Zone Security About Zone Bridging Rules Creating a Zone Bridging Rule Editing and Removing Zone Bridge Rules A Zone Bridging Tutorial Creating the Zone Bridging Rule Allowing Access to the Web Server Accessing a Database on the Protected Network Group Bridging Group Bridging and Authentication Creating Group Bridging Rules Editing and Removing Group Bridges Chapter 11 Authentication and User Management Configuring Global Authentication Settings About Directory Servers Configuring a Microsoft Active Directory Connection Configuring an LDAP Connection Configuring a RADIUS Connection Configuring an Active Directory Connection Legacy Method Configuring a Local Users Directory Reordering Directory Servers vii

8 Contents Editing a Directory Server Deleting a Directory Server Diagnosing Directories Managing Local Users Adding Users Editing Local Users Deleting Users Managing Groups of Users About Groups Adding Groups Editing Groups Deleting Groups Mapping Groups Remapping Groups Deleting Group Mappings Managing Temporarily Banned Users Creating a Temporary Ban Removing Temporary Bans Removing Expired Bans Managing User Activity Viewing User Activity Logging Users Out Banning Users About SSL Authentication Customizing the SSL Login Page Reviewing SSL Login Pages Managing Kerberos Keytabs Adding Keytabs Managing Keytabs Chapter 12 Centrally Managing Smoothwall Systems About Centrally Managing Smoothwall Systems Pre-requirements Setting up a Centrally Managed Smoothwall System Configuring the Parent Node Configuring Child Nodes Adding Child Nodes to the System Editing Child Node Settings Deleting Nodes in the System Managing Nodes in a Smoothwall System Monitoring Node Status Accessing the Node Details Page Working with Updates Rebooting Nodes Disabling Nodes Using BYOD in a Centrally Managed System Appendix A User Authentication Overview Verifying User Identity Credentials viii Smoothwall Ltd

9 Contents About Authentication Mechanisms Other Authentication Mechanisms Choosing an Authentication Mechanism About the Login Time-out Network Guardian and DNS A Common DNS Pitfall Working with Large Directories Active Directory Active Directory Username Types Accounts and NTLM Identification About Kerberos Kerberos Pre-requisites and Limitations Troubleshooting Glossary Index ix

10

11 About This Guide Smoothwall s Network Guardian is a licenced feature of your Smoothwall System. This manual provides guidance for configuring Network Guardian. Audience and Scope This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge: An overall understanding of the functionality of the Smoothwall System An overall understanding of networking concepts Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative. Organization and Use This guide is made up of the following chapters and appendices: Chapter 1, Introduction on page 3 Chapter 2, Network Guardian Overview on page 5 Chapter 3, Working with Interfaces on page 25 Chapter 4, Deploying Web Filtering on page 31 Chapter 5, Working with Policies on page 37 Chapter 6, Managing Authentication Policies on page 77 Chapter 7, Managing Web Security on page 93 Chapter 8, Managing Your Network Infrastructure on page 123 1

12 About This Guide Chapter 9, General Network Security Settings on page 127 Chapter 10, Configuring Inter-Zone Security on page 135 Chapter 11, Authentication and User Management on page 143 Chapter 12, Centrally Managing Smoothwall Systems on page 167 Appendix A:User Authentication on page 179 Glossary on page 185 Index on page 195 Conventions The following typographical conventions are used in this guide: Item Convention Example Key product terms Initial Capitals Network Guardian Cross-references and references to other guides Italics See Chapter 1, Introduction on page 3 Filenames and paths Courier The portal.xml file Variables that users replace Courier Italics This guide is written in such a way as to be printed on both sides of the paper. Related Documentation The following guides provide additional information relating to Network Guardian: Network Guardian Installation Guide, which describes how to install Network Guardian Network Guardian Operations Guide, which describes how to maintain Network Guardian Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal contains the Smoothwall support portal, knowledge base and the latest product manuals. 2 Smoothwall Ltd

13 1 Introduction This chapter introduces Network Guardian, including: Overview of Network Guardian on page 3 Annual Renewal on page 3 Overview of Network Guardian Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users. Network Guardian provides: Protection from pornography and objectionable content Controlled access to non work-related sites, such as news, sport, travel and auctions. Protection from web-borne spyware, malware and browser exploits Reporting on Internet behavior and resource utilization security: anti-spam, anti-malware, mail relay and control. Annual Renewal To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative. 3

14

15 2 Network Guardian Overview In this chapter: How to access Network Guardian An overview of the pages used to configure and manage Network Guardian. Accessing Network Guardian To access Network Guardian: 1. In a web browser, enter the address of your Network Guardian, for example: Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security. Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide. 2. Accept Network Guardian s certificate.the login screen is displayed. 5

16 Network Guardian Overview 3. Enter the following information: Field Username Password Information Enter admin This is the default Network Guardian administrator account. Enter the password you specified for the admin account when installing Network Guardian. 4. Click Login. The Dashboard opens. The following sections give an overview of Network Guardian s default sections and pages. Dashboard The dashboard is the default home page of your Network Guardian system. It displays service information and customizable summary reports. Logs and reports The Logs and reports section contains the following sub-sections and pages: 6 Smoothwall Ltd

17 Network Guardian Overview Reports Pages Summary Reports Recent and saved Scheduled Custom Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide. Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide. Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide. Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide. Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide. Alerts Pages Alerts Alert settings Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide. Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide. 7

18 Network Guardian Overview Realtime Pages System Firewall Portal IM proxy Web filter Traffic graphs A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide. A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide. Displays the log viewer running in real time mode. For more information, see Logs on page 112. A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide. A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 104. Displays the web filter log viewer running in real time mode. For more information, see Web Filter Logs on page 105. Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide. Logs Pages System Firewall IM proxy Web filter Log settings Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide. Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide. Displays sender, recipient, subject and other message information. For more information, see Logs on page 112. Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 116. Displays time, username, source IP and other web filtering information. For more information, see Web Filter Logs on page 105. Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide. 8 Smoothwall Ltd

19 Network Guardian Overview Settings Pages Datastore settings Groups Output settings Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide. Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide Settings to configure the to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide. Networking The Networking section contains the following sub-sections and pages: Filtering Pages Zone bridging Group bridging IP block Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 135. Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 140. Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 127. Routing Pages Subnets RIP Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 123. Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page

20 Network Guardian Overview Interfaces Pages Interfaces Internal aliases Configure and display information on your Network Guardian s internal interfaces. For more information, see Configuring Global Settings for Interfaces on page 26. Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see on page 126. Settings Pages Port groups Advanced Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 132. Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 129. Services The Services section contains the following sub-sections and pages: 10 Smoothwall Ltd

21 Network Guardian Overview Authentication Pages Settings Directories Groups Temporary bans User activity SSL login Kerberos keytabs BYOD Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 144. Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Servers on page 145. Used to customize group names. For more information, see Managing Groups of Users on page 156. Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 159. Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 161. Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 162. This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 164. Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide. User Portal Pages Portals Group access User access This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide. This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide. This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide. 11

22 Network Guardian Overview Proxies Pages Instant messenger FTP Used to configure and enable instant messaging proxying. For more information, refer to the Network Guardian Operations Guide. Used to configure and enable a proxy to manage FTP traffic. For more information, refer to the Network Guardian Operations Guide. SNMP Pages SNMP Used to activate Network Guardian s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide. Message Censor Pages Policies Filters Time Custom categories Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide. This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide. This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide. Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide. 12 Smoothwall Ltd

23 Network Guardian Overview System The System section contains the following sub-sections and pages: Maintenance Pages Updates Modules Licenses Archives Scheduler Shutdown Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide. Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide. Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide. Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide. Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide. Used to shutdown or reboot the system. For more information, refer to the Network Guardian Operations Guide. Central Management Pages Overview Child nodes Local node settings This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 173. This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 169. This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page

24 Network Guardian Overview Preferences Pages User interface Time Registration options Hostname Used to manage Network Guardian s dashboard settings. For more information, refer to the Network Guardian Operations Guide. Used to manage Network Guardian s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide. Used to configure a web proxy if your ISP requires you use one. Also, enables you configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide. Used to configure Network Guardian s hostname. For more information, refer to the Network Guardian Operations Guide. Administration Pages Admin options External access Administrative users Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide. Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide. Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide. Hardware Pages UPS Modem Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide. Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, refer to the Network Guardian Operations Guide. 14 Smoothwall Ltd

25 Network Guardian Overview Diagnostics Pages Functionality tests Configuration report IP tools Whois Traffic analysis Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide. Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide. Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide. Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide. Used to generate and display detailed information on current traffic. For more information, refer to the Network Guardian Operations Guide. Certificates Page Certificate authorities Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide. Guardian The Guardian section contains the following sub-sections and pages: 15

26 Network Guardian Overview Quick Links Page Getting started Shortcuts Quick block/allow Policy tester This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 40. This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 35. This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 32. The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 69. Web Filter Policies Pages Manage policies Policy wizard Location blocking Exceptions Outgoing This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 49. This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 50. Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 33. Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 33. This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page Smoothwall Ltd