Innominate mguard/mguard PCI

Transcription

1 Innominate mguard/mguard PCI Configuration Examples mguard 2.x Innominate Security Technologies AG Rudower Chaussee Berlin Germany Phone: +49 (0) Fax: +49 (0)

2 Innominate Security Technologies AG December 2004 Innominate and mguard are registered trademarks of the Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks, or registered trade marks of their respective owners. mguard technology is protected by the German patent # Further national and international patent applications are pending. No part of this documentation may be reproduced or transmitted in any form, by any means without prior written permission of the publisher. All information contained in this documentation is subject to change without previous notice. Innominate offers no warranty for these documents. This also applies without limitation for the implicit assurance of scalability and suitability for specific purposes. In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents. This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG. Innominate Document Number: Version

3 Contents 1 Introduction 3 2 mguard operating as DSL-Router (PPPoE-Mode) Replacing an existing DSL-Router with the mguard Menu: Firewall -> NAT Menu: Network -> PPPoE Menu: Network -> Base Required IP settings on the Clients 5 3 mguard operating as Router (Router-Mode) Configuration of the client Configuration of the mguard Menu: Network -> Base Menu: Network -> Router Menu: Firewall -> NAT 8 4 VPN Connections Limitations Pre-shared Key (PSK) with dynamic IP Pre-shared Key (PSK) with NAT/NAT-T L2TP and NAT/NAT-T VPN Transport Connection and NAT/IPSec Passthrough L2TP and mguard in Stealth-Mode VPN Transport Connection (PSK) between two mguards in Stealth-Mode Common configuration of the mguards Menu: VPN -> Connections VPN Tunnel Connection (PSK) between two mguards Common configuration of mguard #1 (Router-Mode) Common configuration mguard #2 (Stealth-Modus) Menu: VPN -> Connections Using X.509-certificates 14 5 L2TP/IPSec Connection Required X.509-Certificates Configuration of the mguard Menu: VPN -> Connections Menu: VPN -> Machine Certificate Menu: VPN -> L2TP Configuration of the Windows-Client Microsoft Management Console (MMC) Import of the X.509-Certificates Configuration of the L2TP/IPSec Dial-up Connection 20 6 Firewall Basic rules for setting up the Firewall Example for a wrong configured Firewall 21 Version

4 1 Introduction This guide should help you getting familiar with the configuration of the mguard. It explains on a basis of several examples how to test the different operating modes of the mguard and the required configuration steps. 2 mguard operating as DSL-Router (PPPoE-Mode) In this example, we will use the mguard as DSL-Router (PPPoE-Mode) for connecting the company s network to the Internet through a DSL-Modem. The following diagram illustrates the machines and addresses involved in the connection. Using the mguard as DSL-Router Version

5 2.1 Replacing an existing DSL-Router with the mguard Follow these steps if you want to replace a DSL-Router with the mguard in an already configured network: Make a note of the IP address of the DSL-Router. You will need it later. In our example, we take the IP address Replace the DSL-Router with the mguard. Restart the switch for deleting possibly cached arp-entries. The mguard is in Stealth-Mode if you did not preconfigure it before installation. In this case you can access the mguard through the web-browser by using the URL Note that the default gateway can t be reached anymore due to the replacement of the DSL-router. Therefore you need to perform the following steps on the client you use for configuring the mguard: o Open a DOS-prompt. o Execute the command: arp a. This command lists all existing arp-entries. If the IP address of the router appears in this list (in our example: ) then you need to delete this entry by using the command: arp d <IP-address> (in our example: arp -d ). o Now you need to assign a static MAC address to the IP address of the default gateway with the command: arp s <IP-Adresse> aa-aa-aa-aa-aa-aa (in our example: arp -s aa-aa-aa-aa-aa-aa). Now you can configure the mguard from the webbrowser by using the URL Menu: Firewall -> NAT You should activate NAT (Network Address Translation) to allow access to the external network (Internet) from the local network. Menu: Firewall -> NAT Click at New. Enter the network IP and the appropriate subnet mask in CIDR-notation (e.g = 16, = 24, = 32) into the field From IP. A value of /0 means that all internal IP addresses will have access to the external network (Internet). If only a special subnet should have access to the Internet then you need to enter this subnet and the appropriate subnet mask into the field From IP (e.g /24). If only one client should have access to the Internet then you need to enter its IP address and as subnet mask the value 32 (e.g /32). Click at OK. Version

6 2.3 Menu: Network -> PPPoE This input mask is used for entering the user name (Login) and password, which is required by your Internet Service Provider (ISP) when you setup a connection to the Internet. Menu: Network -> PPPoE Enter the user name (Login) into the field PPPoE Login. Enter the appropriate password twice into the fields PPPoE Password. Click at OK. 2.4 Menu: Network -> Base Menu: Network -> Base Enter the local IP of the mguard into the field IP. This IP address must be part of the internal network. If you have replaced an existing DSL-router then you need to enter the original IP address of the DSL-router into the field IP (in our example ). Enter the appropriate subnet mask into the field Netmask. Select as Network Mode the option PPPoE from the drop-down list. Click at OK. When the Network Mode has been changed, the mguard will reboot automatically. After the reboot you have access to the mguard from the web-browser through the URL IP of the mguard> (in our example: Required IP settings on the Clients You need to specify the local IP of the mguard as default gateway and as DNS nameserver on the clients of the internal network. Version

7 3 mguard operating as Router (Router-Mode) The mguard shall be used as router between two networks. The following diagram illustrates the machines and addresses involved in the configuration. The examples used in this chapter are taken from this setup. mguard as router between two networks 3.1 Configuration of the client The client (Client #1) has been configured with the following IP-settings: IP-address = Subnet mask = Default gateway = Note: You need to specify the local IP address of the mguard as default gateway on the clients. We will configure this value later on the mguard. Version

8 3.2 Configuration of the mguard Menu: Network -> Base This input mask is used for entering the parameters for the internal network. Menu: Network -> Base Set Network Mode to Router. Enter into the field IP the local IP of the mguard. This value must be specified as default gateway on every client of the internal network as already mentioned before. Enter into the field Netmask the appropriate subnet mask. If the internal network consists of several subnets then you can add them in the section Additional Internal Routes. Click at OK. Note: When the Network Mode has been changed, the mguard will reboot automatically Menu: Network -> Router This input mask is used for entering the parameters for the external network. Menu: Network -> Router In our example the mguard won t receive its external configuration from a DHCP server. Therefore we have set Obtain external configuration via DHCP to No. The External IP specifies the external IP address of the mguard for accessing it from the external network. In our example we have defined it as Version

9 Enter into the field Netmask the appropriate subnet mask. If the external network consists of several subnets then you can add them in the section Additional External Routes. You need to specify the IP of default gateway if the access to the Internet is located in the external network and if the clients of the internal network should have access to the Internet Menu: Firewall -> NAT Menu: Firewall -> NAT Click at New. Enter the network IP and the appropriate subnet mask in CIDR-notation (e.g = 16, = 24, = 32) into the field From IP. A value of /0 means that all internal IP addresses will have access to the external network (Internet). If only a special subnet should have access to the Internet then you need to enter this subnet and the appropriate subnet mask into the field From IP (e.g /24). If only one client should have access to the Internet then you need to enter its IP address and as subnet mask the value 32 (e.g /32). Click at OK. Version

10 4 VPN Connections 4.1 Limitations The following operating modes are not supported Pre-shared Key (PSK) with dynamic IP PSK with dynamic IP requires that Aggressive Mode is supported as authentication method. The mguard does not support Aggressive Mode because it is too easy to hack. IPSec distinguishes between the authentication methods Main Mode and Aggressive Mode. Main Mode uses the IP address as part of the authentication whereas Aggressive Mode does not. This is the condition for a successful hacker attack on a VPN connection with Pre-shared Keys. Today common VPN gateways support both methods. If a hacker tries to establish a VPN connection using a dynamic IP then the IP address is unknown to the gateway. In this case the IP address can t be used for authentication. Therefore the gateway suggests to use the Aggressive Mode. Only three messages will be exchanged in Aggressive Mode for establishing the VPN connection. The first message includes among other things the request to use the Aggressive Mode. The VPN gateway replies with a detailed answer. This is the only message which is send by the gateway for establishing the connection. This message is transferred unencrypted and contains a hash-value which has been calculated out of the Pre-shared Key. If the hacker has recorded the transferred data packages with tcpdump or windump then he has the possibility to find out the used Pre-shared Key with hacker tools like e.g. IKECrack. Once he has retrieved the Pre-shared Key he will have access to the company s network so to speak through the main entrance. Possible alternatives are: Use static IP addresses. Use X.509 certificates instead of Pre-shared Keys. Use of a DynDNS services Pre-shared Key (PSK) with NAT/NAT-T You can t use Pre-shared Keys with NAT/NAT-T because the mguard does not support Aggressive Mode (please refer to the explanation above) L2TP and NAT/NAT-T NAT/NAT-T can only be used for tunnel connections due to technical reasons. L2TP is a transport connection VPN Transport Connection and NAT/IPSec Passthrough NAT/IPSec Passthrough can only be used for tunnel connections due to technical reasons L2TP and mguard in Stealth-Mode The mguard does not provide a L2TP service for the Stealth-Mode. Version

11 4.2 VPN Transport Connection (PSK) between two mguards in Stealth-Mode In this example we want to establish a VPN Transport Connection between two mguards in Stealth- Mode using Pre-shared Keys. The following diagram illustrates the machines and addresses involved in the configuration. The examples used in this chapter are taken from this setup. VPN Transport Connection between two mguards in Stealth-Mode Common configuration of the mguards We have kept the default settings and removed the outgoing firewall rules (menu: Firewall -> Outgoing). Version

12 4.2.2 Menu: VPN -> Connections Menu: VPN -> Connections Entries marked with the red equals-sign must correspond on both mguards. Set Connection type to Transport (Host <-> Host). 1. You have to enter as Address of the remote site s VPN gateway the IP address of the remote client. On mguard #1 you have to enter the IP address of Client #2 and on mguard #2 the IP address of Client #1. 2. Connection startup: This option defines if the mguard should set up the VPN connection or if this will be done by the remote system. If you select Start connection to on both sides then the VPN connection can be initiated from both sides. 3. Authentication method: Select whether you want to use X.509-certificates or Pre-shared Keys. In our example we select Pre-Shared Keys. Click at Configure to enter the Pre-shared Key. Tunnel Settings: These parameters are not relevant for a VPN Transport Connection. Firewall incoming/firewall outgoing: we have kept the default settings. If the mguard is in Router-Mode then the mguard tries to establish the VPN connection as soon as it has been enabled. If the mguard is in Stealth-Mode then the VPN connection will be established the first time it ll be used, for example by sending a ping from Client #1 to Client #2. Now it is possible to access Client #2 from Client #1 through the VPN tunnel and vice versa. For doing this you need to specify the IP address of the remote client. The status of the VPN connection (menu: VPN -> IPSec Status) should be established for ISAKMP and IPSec. Version

13 4.3 VPN Tunnel Connection (PSK) between two mguards In this example we want to establish a VPN Tunnel Connection between two mguards using Preshared Keys. A VPN tunnel can only be established between two different networks. Note that we are in a virtual environment with a homogenous network. Therefore we assign a client (Client #1) to a different network and use the connected mguard (mguard #1) as router between the two networks for simulating this scenario. The following diagram illustrates the machines and addresses involved in the configuration. The examples used in this chapter are taken from this setup. VPN-Tunnel between two mguards Common configuration of mguard #1 (Router-Mode) mguard #1 has to be configured as router as described in chapter mguard operating as Router (Router-Mode) Common configuration mguard #2 (Stealth-Modus) We kept the default settings. Version

14 4.3.3 Menu: VPN -> Connections Menu: VPN -> Connections Entries marked with the red equals-sign must correspond on both mguards. Select Tunnel (Net <-> Net) as Connection type. 1. Address of the remote site s VPN gateway: mguard #1 (Router-Mode): We need to enter the IP address of the client to which mguard #2 is connected, in our example mguard #2 (Stealth-Mode): This is the external IP address of mguard #1, in our example Connection startup: It should be possible to initiate the VPN connection from both sides. Therefore we select the option Start connection to. 3. Authentication method: Select whether you want to use X.509-certificates or Pre-shared Keys. In our example we select Pre-Shared Keys. Click at Configure to enter the Pre-shared Key. 4. Tunnel Settings (locale network address and appropriate local netmask): mguard #1 (Router-Mode): The local network address is already given by the internal network which is connected to the mguard. In our example we need to specify / If several internal routes have been defined (menu: Network -> Base, Additional Internal Routes) then you can configure a VPN tunnel for each internal route by specifying the appropriate subnet. mguard #2 (Stealth-Mode): If the mguard is in Stealth-Mode then you need to use a pure virtual network for the VPN endpoint. It is up to you to select the network IP but it shouldn t be part of an already existing network. In our example we have chosen / Version

15 5. The virtual IP which will be used by the client in Stealth mode: This parameter is only required if the mguard operates in Stealth-Mode (mguard #2). This IP address is used for accessing Client #2 from the internal network through the VPN tunnel. The IP address must be part of the network you ve specified in Tunnel Settings (locale network address and appropriate local netmask) for mguard #2. In our example we have chosen the IP Tunnel Settings (remote network address and appropriate remote netmask): Here you must enter the appropriate network address and netmask of the remote site of the VPN tunnel. Firewall incoming/firewall outgoing: we kept the default settings. If the mguard operates in Router-Mode then the VPN connection will be established as soon as you enabled it. If the mguard is in Stealth-Mode then the VPN connection will be established when it is used the first time, for example by sending a ping from Client #2 to Client #1. Now it is possible to access Client #2 from Client #1 through the VPN tunnel. Therefore you need to use the IP address you have specified in the field virtual IP which will be used by the client in Stealth mode on mguard #2, in our example To access Client #1 from Client #2 you need to specify the IP address of Client #1, in our example The status of the VPN connection (menu: VPN -> IPSec Status) should be established for ISAKMP and IPSec Using X.509-certificates If you want to use X.509 certificates instead of Pre-shared Keys, then the following steps are required: Create a X.509-certificate for mguard #1 and one for mguard #2. Export both certificates as machine certificate (PKCS#12, *.p12) and as connection certificate (PEM, *.cer, *.crt). Configuration of mguard #1: o Menu: VPN -> Connections Edit the VPN connection. Set Authentication method to X.509 Certificate. Click at Configure and import the connection certificate (PEM) of mguard #2. o Menu: VPN -> Machine Certificate Import the machine certificate (PKCS#12) of mguard #1. Configuration of mguard #2: o Menu: VPN -> Connections Edit the VPN connection. Set Authentication method to X.509 Certificate. Click at Configure and import the connection certificate (PEM) of mguard #1. o Menu: VPN -> Machine Certificate Import the machine certificate (PKCS#12) of mguard #2. Version

16 5 L2TP/IPSec Connection In this example we want to establish a L2TP/IPSec connection from a Windows-Client to the mguard (Router-Mode). A L2TP/IPSec connection can only be established between two different networks. Note that we are in a virtual environment with a homogenous network. Therefore we assign a client (Client #2) to a different network and use the connected mguard as router between the two networks for simulating this scenario. The following diagram illustrates the machines and addresses involved in the configuration. The examples used in this chapter are taken from this setup. L2TP/IPSec Connection from a Windows-Client to the mguard Version

17 5.1 Required X.509-Certificates Requires X.509 certificates and exports At first you need to create a CA-certificate. This CA contains the private key and will be used for signing the mguard and Windows certificate. Based on the CA you need to create a certificate for the Windows-Client and a certificate for the mguard. The following exports are required: CA-Certificate as Trusted CA: export as PEM, e.g. TrustedCA.crt. This certificate needs to be imported at the Windows-Client with the Microsoft Management Console (MMC) as Trusted Root Certification Authorities. Windows-Certificate as Machine Certificate: export as PKCS#12, e.g. WinMaCert.p12.. This certificate needs to be imported at the Windows-Client with the Microsoft Management Console (MMC) as Personal certificate. Windows-Certificate as Connection Certificate: export as PEM, e.g. WinCoCert.crt. This certificate needs to be imported at the mguard in the VPN Connection (menu: VPN -> Connections). mguard-certificate as Machine Certificate: export as PKCS#12, e.g. mguardmacert.p12. This certificate needs to be imported at the mguard as machine certificate (menu: VPN -> Machine Certificate). The configuration of the mguard and the usage of MMC are described below. 5.2 Configuration of the mguard The mguard has to be configured as router as already described in chapter mguard operating as Router (Router-Mode). We want to access the client behind the mguard (Client #2) from the external network. Therefore we only need to configure the menu options Network -> Base und Network -> Router. We don t need to configure NAT and DNS. Version

18 5.2.1 Menu: VPN -> Connections We created a new VPN connection with the name L2TP. Menu: VPN -> Connections 1. Address of the remote site s VPN gateway: If you enter %any then you may establish the connection from every Windows-Client on which the L2TP/IPSec-Client with the appropriate certificates is configured. Otherwise only the Windows-Client can establish the connection which has the corresponding IP address. In our example we could enter the IP address Connection Type: has to be defined as Transport (L2TP Microsoft). If you ve installed the Windows-Update L2TP/IPSec NAT-T update for Windows XP and Windows 2000 then you must select Transport (L2TP SSH Sentinel). 3. Connection startup: Has to be specified as Wait for connection from because the connection will be initiated by the Windows-Client. 4. Authentication method: Select X.509 Certificate. Click at Configure and import the connection certificate of the Windows certificate, in our example the certificate called WinCoCert.crt. 5. Perfect Forward Secrecy (PFS): Must be disabled for a L2TP-Connection. Tunnel Settings: Those parameters are not used in case of a L2TP-Connection. Incoming and outgoing firewall: We kept the default settings Menu: VPN -> Machine Certificate You need to import the machine certificate of the mguard, in our example it is the certificate called mguardmacert.p12. Version

19 5.2.3 Menu: VPN -> L2TP Menu: VPN -> L2TP Start L2TP Server for IPSec/L2TP: this option must be enabled for a L2TP connection. Local IP for L2TP connections: the IP address of the mguard for the L2TP Connection. It is up to you to select the IP address. Remote IPs for L2TP connections range: this IP address range is used for assigning IP addresses for L2TP Connections to the remote systems (Windows-Client). The IP address specified in the field Local IP for L2TP connections must be within the same network. 5.3 Configuration of the Windows-Client Microsoft Management Console (MMC) MMC is used for importing the required certificates. Please refer to chapter Required X.509- Certificates. At first we need to configure MMC. The following steps have been executed on a Windows 2000 system. Click at Start -> Run, enter mmc and click at OK. Select Console -> Add/Remove Snap-in from the menu, click at Add. Select Certificates from the list, click at Add. Select Computer account, click at Next. Select Local computer, click at Finish. Close the Add Standalone Snap-in window. The entry Certificates (Local computer) should appear in the list. Click at OK. Now you need to save the configuration. Select Console -> Save from the menu. Select Desktop from the Save in field. Enter a file name and click at Save Close MMC by selecting Console -> Exit from the menu. Now it is possible to start MMC by making a double click at the MMC-icon on the desktop. Version

20 5.3.2 Import of the X.509-Certificates Start MMC and reload the previously saved configuration or make a double click at the MMC-icon on the desktop. Import of the trusted CA: Expand the tree Console Root -> Certificates (Local computer) in the left window. Make a right click at Trusted Root Certification Authorities and select All Tasks -> Import. The Certificate Import Wizard appears. o Click at Next. o Click at Browse. o Select the option X.509-Certificate (*.cer,*.crt) from Files of type and select the trusted CA, in our example the certificate called TrustedCA.crt. o Click at Open and then at Next. o Select the option Place all certificates in the following store, click at Next. o Click at Finish. The message should appear that the certificate was imported successfully. Import of the windows machine certificate: Expand the tree Console Root -> Certificates (Local computer) in the left window. Make a right click at Personal and select All Tasks -> Import. The Certificate Import Wizard appears. o Click at Next. o Click at Browse. o Select the option Personal Information Exchange (*.pfx,*.p12) from Files of type and select the windows machine certificate, in our example the certificate called WinMaCert.p12. o Click at Open and then at Next. o Enter the password, which protects the certificate against unauthorized usage and click at Next. o Select the option Place all certificates in the following store and click at Next. o Click at Finish. The message should appear that the certificate was imported successfully. You need to save the configuration before closing MMC. Select Console -> Save from the menu. Version

21 5.3.3 Configuration of the L2TP/IPSec Dial-up Connection Select Start -> Settings -> Control Panel -> Network and Dial-up Connections. Double click at Make New Connection. The Network Connection Wizard appears. o Click at Next. o Select the option Connect to a private network through the Internet and click at Next. o Select the dial-up connection you want to use and click at Next. In our example we select Do not dial the initial connection because we are within our company s network. o Enter the hostname or IP address of the remote entity. In our example we enter This is the external IP of the mguard. Click at Next. o Choose, whether the connection can be used by all users of the Windows-Client or only by yourself. Click at Next. o Enter a descriptive name for the connection (e.g. L2TP-Connection) and click at Finish. Now the Connect <Connection name> window appears. o Click at Properties. o Switch to the tab Networking. o Select Layer-2 Tunneling Protocol (L2TP) as Type of VPN. o Switch to the tab Security. o Activate Advanced (custom settings) and click at Settings. o Select Optional encryption as Data encryption and activate Unencrypted password (PAP). o Click at OK and again at OK to close the connection properties. o Finally click at Connect for establishing the L2TP-Connection. Now it is possible to establish a L2TP-Connection from the Windows-Client to the mguard. In our example we can access Client #2 through its IP Version

22 6 Firewall 6.1 Basic rules for setting up the Firewall Keep in mind the following rules when setting up the firewall: 1. The specified firewall rules will be checked one by one, starting with the first rule. If one rule matches the criteria, independent if the action is reject, accept or drop, then the subsequent rules won t be considered. 2. Specified ports ( From Port and To Port ) are only considered if Protocol is set to TCP or UDP. In all other cases the port entries won t be considered! 6.2 Example for a wrong configured Firewall Access to the Internet shouldn t be granted to the employees in this example. Example for a wrong configured Firewall The settings above have a couple of errors: 1. Line #1: The specified firewall rules will be checked one by one, starting with the first rule. If one rule matches the criteria, no matter if the action is reject, accept or drop, then the subsequent rules won t be considered. The first rule will match in any case. Therefore the second rule will never be checked removing it would have the same effect. The order of the two rules needs to be changed. 2. Line #2 - Ports: Specified ports ( From Port and To Port ) are only considered if Protocol is set to TCP or UDP. In all other cases the port entries won t be considered! In this example Protocol is set to All. This rule will block any outgoing traffic because the Action is Reject. In this case you d need to set Protocol=TCP. 3. Line #2 From Port =80: HTTP-Requests issued be web-browser usually use a port number above 1024 and send their requests to port number 80. This rule won t have any effect because From Port=80. In this case you d need to specify From Port=any (and To Port=80 ). Version

23 The correct configuration would look like: Example of a correct configured Firewall A HTTP-Request will match to the first rule and will be rejected. All other requests will match the second rule which allows everything. Version