StoneGate Reference Guide

Transcription

1 SMC FW IPS SSL VPN VPN StoneGate Reference Guide Firewall/VPN 5.0

2 Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: Third Party Licenses The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products at the Stonesoft website: U.S. Government Acquisitions If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense ( DoD ), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations ( DFAR ) in paragraph (c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government s rights in the Software will be as defined in paragraph (c) (2) of the Federal Acquisition Regulations ( FAR ). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions. Product Export Restrictions The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities. General Terms and Conditions of Support and Maintenance Services The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: Replacement Service The instructions for replacement service can be found at the Stonesoft website: Hardware Warranty The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: Trademarks and Patents The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos , , , , , , , , , , , , , and and US Patent Nos. 6,650,621; ; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; and 7,461,401 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners. Disclaimer Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: SGFRG_

3 Table of Contents INTRODUCTION CHAPTER 1 Using StoneGate Documentation 13 How to Use This Guide 14 Typographical Conventions 14 Documentation Available 15 Product Documentation 15 Support Documentation 16 System Requirements 16 Contact Information 16 Licensing Issues 16 Technical Support 16 Your Comments 16 Other Queries 16 CHAPTER 2 What s New? 17 New Features in Firewall/VPN Changes in Documentation 20 CHAPTER 3 General Firewall Principles 21 The Role of the Firewall 22 Hazards of Networking 22 The Firewall as Protection 22 Example Solution 24 Firewall Technologies 24 Packet Filters 25 Proxy Firewalls 26 Stateful Inspection 27 StoneGate and Multi-Layer Inspection 28 Firewall Functions 29 Access Control 29 Monitoring and Logging 29 Network Address Translation (NAT) 30 Authentication 30 Virtual Private Networks (VPN) 30 Secure Socket Layer Virtual Private Networks (SSL VPN) 31 Content Screening and Unified Threat Management 31 Requirements for Modern Firewalls 32 High Availability 32 Scalability 33 High Throughput 33 Centralized Management 34 Firewall Weaknesses 34 Lack of Administration 34 Internal Attacks 35 CHAPTER 4 Introduction to StoneGate Firewall/ VPN 37 The StoneGate Security Platform 38 StoneGate Firewall/VPN System Components 39 Firewall/VPN Engines 40 SOHO Firewall Engines 40 Main Benefits of StoneGate Firewall/VPN 41 Advanced Traffic Inspection 41 Built-in Clustering for Load Balancing and High Availability 41 Multi-Link Technology 42 Built-in Inbound Traffic Management 43 QoS and Bandwidth Management 43 Integration with StoneGate IPS 43 Clustered Multi-Link VPNs 43 CHAPTER 5 StoneGate Firewall/VPN Deployment 45 Deployment Overview 46 Supported Platforms 46 3

4 General Deployment Guidelines 46 Positioning Firewalls 47 External to Internal Network Boundary 48 Internal Network Boundaries 49 DMZ Network Boundaries 50 Positioning Management Center Components 51 INTERFACES AND ROUTING CHAPTER 6 SOHO Firewall Configuration 55 Overview to SOHO Firewall Configuration 56 Configuration of SOHO Firewalls 56 Default Elements 57 Configuration Workflow 57 Task 1: Create SOHO Firewall Element(s) 57 Task 2: Select the Interface Types 58 Task 3: Define the Interface Settings 58 Task 4: Define General Wireless Channel Settings 58 Task 5: Configure the Main Site Firewall 58 Task 7: Install the SOHO Firewall Appliance 59 Using a SOHO Firewall 59 Example of a SOHO Firewall Deployment 61 CHAPTER 7 Single Firewall Configuration 63 Overview to Single Firewall Configuration 64 Configuration of Single Firewalls 64 Dynamic Firewall Interface Addresses 64 Internal DHCP Server 65 Configuration Workflow 65 Task 1: Create a Single Firewall Element 65 Task 2: Define Physical Interfaces 65 Task 3: Define VLAN Interfaces 65 Task 4: Define IP Addresses 66 Task 5: Install the Firewall Engine 66 Task 6: Install a Firewall Policy 66 Example of a Single Firewall Deployment 67 Setting up a Single Firewall 67 Adding a New Interface to an Existing Configuration 68 CHAPTER 8 Firewall Cluster Configuration 69 Overview to Firewall Cluster Configuration 70 Benefits of Clustering 70 Communication Between the Nodes 70 Hardware 71 Configuration of Firewall Clusters 72 Load Balancing 72 Standby Operation 72 Network Interfaces 72 Clustering Modes 74 Configuration Workflow 76 Task 1: Create a Firewall Cluster Element 76 Task 2: Create Physical Interfaces 76 Task 2: Define VLAN Interfaces 77 Task 3: Configure Interfaces 77 Task 4: Install the Firewall Engines 78 Task 5: Install a Firewall Policy 78 Using a Firewall Cluster 79 Tuning Node Synchronization 79 Security Level for State Synchronization 80 Manual Load Balancing 80 Examples of Firewall Cluster Deployment 81 Setting up a Firewall Cluster 81 Adding a Node to a Firewall Cluster 83 CHAPTER 9 Routing and Antispoofing 85 Overview to Routing and Antispoofing 86 Configuration of Routing and Antispoofing 86 Routing on Single and Clustered Firewalls 86 Routing on SOHO Firewalls 87 Reading the Routing and Antispoofing Trees 87 Multi-Link Routing for Single and Clustered Firewalls 89 Default Elements 90 Configuration Workflow 90 Task 1: Add Router or NetLink 90 Task 2: Add Network(s) 90 Task 3: Modify Antispoofing Rules 90 Task 4: Refresh Firewall Policy 91 Using Routing and Antispoofing 91 4

5 Policy Routing 91 Static IP Multicast Routing 91 Modifying Antispoofing 92 Examples of Routing 92 Routing Traffic with Two Interfaces 92 Routing Internet Traffic with Multi-Link 92 Routing Traffic to Networks That Use Same Address Space 93 ACCESS CONTROL POLICIES CHAPTER 10 Firewall Policies 97 Overview to Firewall Policies 98 Policy Hierarchy 98 How StoneGate Examines the Packets 98 Configuration of Policy Elements 101 Default Elements 102 Configuration Workflow 103 Task 1: Create a Firewall Template Policy 103 Task 2: Create a Firewall Policy 104 Task 3: Create a Firewall Sub-Policy 104 Task 4: Add Rules 105 Task 5: Validate the Policy 105 Task 6: Install the Policy 106 Using Policy Elements and Rules 107 Connection Tracking vs. Connectionless Packet Inspection 107 Policy Snapshots 110 Rule Counter Analysis 110 Continue Rules 110 Adding Comments to Rules 110 Examples of Policy Element Use 111 Protecting Essential Communications 111 Improving Readability and Performance 112 Restricting Administrator Editing Rights 112 CHAPTER 11 Access Rules 115 Overview to Access Rules 116 Configuration of Access Rules 117 Considerations for Designing Access Rules 119 Default Elements 120 Configuration Workflow 121 Task 1: Define the Source and Destination 121 Task 2: Define the Service 121 Task 3: Select the Action 122 Task 4: Select Rule Options 123 Task 5: Add User Authentication 124 Task 6: Restrict the Time When the Rule Is Enforced 125 Task 7: Restrict the Rule Match Based on Source VPN 125 Using Access Rules 126 Allowing System Communications 126 Configuring Default Settings for Several Rules 126 Using Continue Rules to Set Logging Options 127 Using Continue Rules with Protocol Agents 128 Using Aliases in Access Rules 128 Examples of Access Rules 129 Example of Rule Order 129 Example of Continue Rules 130 CHAPTER 12 Inspection Rules 133 Overview to Inspection Rules 134 Configuration of Inspection Rules 135 Considerations for Designing Inspection Rules 137 Default Elements 138 Configuration Workflow 139 Task 1: Add Situations 139 Task 2: Limit the Situations by Severity 139 Task 3: Define the Source and Destination 140 Task 4: Define the Protocol 140 Task 5: Select the Action 140 Task 6: Set the Options for the Rule 140 Task 7: Restrict the Time When the Rule is Enforced 142 Using Inspection Rules 142 Setting Default Options for Several Inspection Rules 142 Example of Inspection Rules 143 Eliminating a False Positive 143 5

6 CHAPTER 13 Network Address Translation (NAT) Rules 145 Overview to NAT 146 Static Source Translation 147 Dynamic Source Translation 147 Static Destination Translation 148 Destination Port Translation 149 Configuration of NAT 149 Considerations for Designing NAT Rules 151 Default Elements 151 Configuration Workflow 152 Task 1: Define Source, Destination, and Service 152 Task 2: Define Address Translation 152 Task 3: Define the Firewall(s) that Apply the Rule 152 Task 4: Check Other Configurations 152 Using NAT and NAT Rules 153 NAT and System Communications 153 Example of a Situation Where a Contact Address is Needed 154 Contact Addresses and Locations 155 Outbound Load Balancing NAT 155 Proxy ARP and NAT 156 Protocol Agents and NAT 156 Examples of NAT 156 Dynamic Source Address Translation Example 156 Static Address Translation Example 157 NAT with Hosts in the Same Network 158 CHAPTER 14 Protocol Agents 161 Overview to Protocol Agents 162 Connection Handling 162 Protocol Validation 163 NAT in Application Data 163 Configuration of Protocol Agents 163 Configuration Workflow 164 Task 1: Create a Custom Service with a Protocol Agent 164 Task 2: Set Parameters for the Protocol Agent 164 Task 3: Insert the Service in Access Rules 164 Using Protocol Agents 165 FTP Agent 165 H.323 Agent 166 HTTP Agents 167 HTTPS Agent 168 ICMP Agent 168 MSRPC Agent 168 NetBIOS Agent 169 Oracle Agent 169 Remote Shell (RSH) Agent 170 Services in Firewall Agent 171 SIP Agent 171 SMTP Agent 172 SSH Agent 172 SunRPC Agent 173 TCP Proxy Agent 173 TFTP Agent 174 Examples of Protocol Agent Use 175 Preventing Active Mode FTP 175 Logging URLs Accessed by Internal Users 175 CHAPTER 15 User Authentication 177 Overview to User Authentication 178 Configuration of User Authentication 179 User Databases 180 Authentication Services 182 RADIUS Authentication 182 TACACS+ Authentication 182 Default Elements 183 Configuration Workflow 183 Task 1: Create an External Authentication Server Element 183 Task 2: Create an LDAP Server Element 184 Task 3: Create an Authentication Service Element 184 Task 4: Add an LDAP Domain 184 Task 5: Add Users and User Groups 185 Task 6: Define User Authentication in Access Rules 185 Examples of User Authentication 186 6

7 Using the Internal Database for Authenticating Users 186 Using StoneGate with a Microsoft Active Directory Server 187 Using SecurID Authentication with StoneGate VPN Clients 188 CHAPTER 16 HTTPS Inspection 191 Overview to HTTPS Inspection 192 Configuration of HTTPS Inspection 193 Default Elements 193 Configuration Workflow 194 Task 1: Create Server Protection Credentials Elements 194 Task 2: Create Client Protection Certificate Authority Elements 194 Task 3: Specify HTTPS Inspection Options in the Firewall Properties 194 Task 4: Create an HTTPS Inspection Exceptions Element 194 Task 5: Create a Custom HTTPS Service 194 Task 6: Create an Access Rule 195 Using HTTPS Inspection 195 Security Considerations 195 Virus Scanning of Decrypted HTTPS Traffic 195 Examples of HTTPS Inspection 195 Server Protection 195 Client Protection 196 CHAPTER 17 Virus Scanning 197 Overview to Virus Scanning 198 Configuration of Virus Scanning 198 Configuration Workflow 198 Task 1: Activate the Anti-Virus Feature for a Firewall 198 Task 2: Select Traffic for Inspection with Access Rules 198 Task 3: Define the Content Not to Be Scanned 199 Using Virus Scanning 199 Integrated Scanning vs. Content Inspection Server 199 Limitations of Virus Scanning on Clusters 199 CHAPTER 18 External Content Inspection 201 Overview to Content Inspection 202 Configuration of Content Inspection 203 Default Elements 204 Configuration Workflow 204 Task 1: Create a CIS Server Element 204 Task 2: Create a Custom Service for Content Inspection Server Redirection 204 Task 3: Define Access Rules for Redirection 204 Task 4: Configure NAT Rules for Content Inspection Server Redirection 205 Using Content Inspection 205 Example of Content Inspection 206 Inspecting Internal User s Web Browsing and File Transfers 206 CHAPTER 19 Situations 209 Overview to Situations 210 Configuration of Situations 210 Situation Contexts 211 Anti-Virus Contexts 211 Protocol-Specific Contexts 211 System Contexts 212 Default Elements 212 Configuration Workflow 212 Task 1: Create a Situation Element 212 Task 2: Add a Context for the Situation 213 Task 3: Associate Tags with the Situation 213 Task 4: Associate the Situation with a Vulnerability 213 Using Situations 214 Example of Custom Situations 214 Detecting the Use of Forbidden Software 214 CHAPTER 20 Blacklisting 215 Overview to Blacklisting 216 Risks of Blacklisting 216 Whitelisting 216 Configuration of Blacklisting 217 Configuration Workflow 218 7

8 Task 1: Define Blacklisting in Access Rules 218 Task 2: Define Analyzer-to-Firewall or Analyzer-to- Sensor Connections 218 Task 3: Define Inspection Rules in the IPS Policy 218 Using Blacklisting 219 Automatic Blacklisting 219 Monitoring Blacklisting 219 Examples of Blacklisting 220 Blacklisting Traffic from a Specific IP Address Manually 220 Automatic Blacklisting with IPS 220 TRAFFIC MANAGEMENT CHAPTER 21 Outbound Traffic Management 223 Overview to Outbound Traffic Management 224 Configuration of Multi-Link 224 Load Balancing 225 Standby NetLinks for High Availability 225 NetLink Monitoring 226 Configuration Workflow 226 Task 1: Create NetLink Elements 226 Task 2: Configure Routing for NetLinks 227 Task 3: Combine NetLinks into Outbound Multi- Link Elements 227 Task 4: Create Access Rules to Apply QoS Class 227 Task 4: Create NAT Rules for Outbound Traffic 227 Using Multi-Link 228 Multi-Link with a Single Firewall 228 Multi-Link with a Firewall Cluster 229 Using Multiple Outbound Multi-Link elements 229 Examples of Multi-Link 230 Preparing for ISP Breakdown 230 Excluding a NetLink from Handling a QoS Class of Traffic 230 Balancing Traffic According to Link Capacity 231 Balancing Traffic between Internet Connections 231 CHAPTER 22 Inbound Traffic Management 233 Overview to Server Pool Configuration 234 Configuration of Server Pools 234 Multi-Link for Server Pools 235 Default Elements 236 Configuration Workflow 236 Task 1: Define Hosts 236 Task 2: Combine Hosts into a Server Pool Element 236 Task 3: Configure the External DNS Server 237 Task 4: Create an Inbound Load Balancing Rule 237 Task 5: Set up Server Pool Monitoring Agents 237 Using Server Pools 238 Dynamic DNS (DDNS) Updates 238 Using Server Pool Monitoring Agents 238 Examples of Server Pools 241 Load Balancing for Web Servers 241 Setting up Multi-Link and Dynamic DNS Updates 241 CHAPTER 23 Bandwidth Management And Traffic Prioritization 243 Overview to Bandwidth Management and Traffic Prioritization 244 Bandwidth Management 244 Traffic Prioritization 244 Effects of Bandwidth Management and Prioritization 245 Configuration of Limits, Guarantees, and Priorities for Traffic 245 Default Elements 246 Configuration Workflow 247 Task 1: Define QoS Classes 247 Task 2: Define QoS Policies 247 Task 3: Assign QoS Classes to Traffic 248 Task 4: Define QoS for Firewall Interfaces 249 8

9 Using Bandwidth Management and Traffic Prioritization 249 Implementation Options 250 Designing QoS Policies 250 Communicating Priorities with DSCP Codes 251 Managing Bandwidth of Incoming Traffic 252 Examples of Bandwidth Management and Traffic Prioritization 253 Ensuring Quality of Important Communications 253 Preparing for ISP Breakdown 254 Limiting the Total Bandwidth Required 255 VIRTUAL PRIVATE NETWORKS CHAPTER 24 Overview to VPNs 259 Introduction to VPNs 260 IPsec VPNs 261 Tunnels 261 Security Associations (SA) 261 Internet Key Exchange (IKE) 262 Perfect Forward Secrecy (PFS) 262 AH and ESP 263 Authentication 263 Tunnel and Transport Modes 264 VPN Topologies 264 Task 9: Configure VPN Clients and External Gateway Devices 275 Using VPNs 275 VPN Logging 275 Using a Dynamic IP Address for a VPN Endpoint 276 Using a NAT Address for a VPN Endpoint 276 Supported Authentication and Encryption Methods 277 FIPS Mode 277 GOST-Compliant Systems 277 Message Digest Algorithms 277 Authentication Methods 278 Encryption Algorithms 279 Using Pre-Shared Key Authentication 280 Using Certificate Authentication 281 Validity of Certificates 282 The Internal Certificate Authority 282 External Certificate Authorities 282 Configuring VPNs with External Gateway Devices 283 Clustering and VPNs 284 Multi-Link VPN 284 Examples of VPN Configurations 286 Creating a VPN Between Three Offices 286 Creating a VPN for Mobile Users 287 Creating a VPN That Requires NAT 289 CHAPTER 25 VPN Configuration 267 Overview to VPN Configuration 268 Configuration of VPNs 268 Default Elements 270 Configuration Workflow 270 Task 1: Define the Gateway Settings 270 Task 2: Define the Gateway Profile 271 Task 3: Define the Gateways 271 Task 4: Define the Sites 271 Task 5: Create Certificates 272 Task 6: Define the VPN Profile 272 Task 7: Define the VPN Element 273 Task 8: Modify the Firewall Policy 274 9

10 APPENDICES APPENDIX A Default Communication Ports 293 APPENDIX B Command Line Tools 301 APPENDIX C Predefined Aliases 321 APPENDIX D Regular Expression Syntax 325 APPENDIX E Schema Updates for External LDAP Servers 337 APPENDIX F SNMP Traps and MIBs 339 APPENDIX G Guidelines for Building Network Security 353 APPENDIX H Multicasting 361 Glossary 369 Index

11 Introduction

12

13 CHAPTER 1 Using StoneGate Documentation Welcome to StoneGate High Availability Firewall/VPN solution by Stonesoft Corporation. This chapter describes how to use this Guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation. The following sections are included: How to Use This Guide, on page 14 Documentation Available, on page 15 Contact Information, on page 16 13

14 How to Use This Guide This StoneGate Reference Guide provides information that helps administrators of StoneGate installations to understand the system and its features. It provides descriptions of all the configuration tools and gives examples on what you can do with the system. This guide is divided into several sections. The chapters in the first section provide a general introduction to StoneGate and firewalls. The sections that follow each include the chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information. For other available documentation, see Documentation Available, on page 15. Typographical Conventions The following typographical conventions are used throughout the guide: TABLE 1.1 Typographical Conventions Formatting Informative Uses Normal text User Interface text References, terms Command line User input Command parameters This is normal text. Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in boldface. Cross-references and first use of acronyms and terms are in italics. File names, directories, and text displayed on the screen are monospaced. User input on screen is in monospaced bold-face. Command parameter names are in monospaced italics. We use the following ways to indicate important or additional information: Note Notes provide important information that prevents mistakes or helps you complete a task. Caution Cautions provide critical information that you must take into account to prevent breaches of security, information loss, or system downtime. Tip: Tips provide information that is not crucial, but may still be helpful. 14 Chapter 1: Using StoneGate Documentation

15 Documentation Available StoneGate technical documentation is divided into two main categories: Guide Books and Support Documentation. StoneGate Firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator s Guide and the Online Help system cover both the Firewall/VPN and IPS products. Product Documentation The table below lists the available guides. PDF versions of these guides are available on the Management Center CD-ROM and at TABLE 1.2 Product Documentation Guide Reference Guide Installation Guide Online Help Administrator s Guide User s Guide Appliance Installation Guide Description Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS. Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, IPS, and SOHO firewall products. Detailed instructions for configuration and use. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTMLbased system is available in the StoneGate SSL VPN Administrator through help links and icons. Describes how to configure and manage the system step-bystep. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client. Instructions for end-users. Available for the StoneGate IPsec VPN client and the StoneGate Web Portal. Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for all StoneGate hardware appliances. How to Use This Guide 15

16 Support Documentation The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios. The latest StoneGate technical documentation is available on the Stonesoft website at System Requirements The system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center can be found at Certified_Servers/ (see the technical requirements section at the bottom of the page). The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website. Contact Information For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at Licensing Issues You can view your current licenses at the License Center section of the Stonesoft website at For license-related queries, Technical Support Stonesoft offers global technical support services for Stonesoft s product families. For more information on technical support, visit the Support section at the Stonesoft website at Your Comments We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, feedback@stonesoft.com. To comment on the documentation, documentation@stonesoft.com. Other Queries For queries regarding other matters, info@stonesoft.com. 16 Chapter 1: Using StoneGate Documentation

17 CHAPTER 2 What s New? This section lists major changes since the previous release. Most new or reworked features in the software are listed here. Changes that do not significantly affect the way StoneGate is configured are not listed. For a full list of changes in the software, consult the Release Notes. The following sections are included: New Features in Firewall/VPN 5.0, on page 18 Changes in Documentation, on page 20 17

18 New Features in Firewall/VPN 5.0 * The Russian product version has no strong encryption algorithms. Attention This may change your configuration Changes in Supported VPN Settings Support for CAST-128 and Twofish settings has been removed. If your VPNs are using either of these two settings, reconfigure the VPNs before you upgrade the firewall/vpn engines to the new version. Support for the SHA-256, AES-GCM, and Deflate settings has been added.* Client Security Check for StoneGate VPN Clients The IPsec VPN clients version 5.0 and higher can perform a local security check based on the status of basic security software (as reported by Windows). The VPN client stops the user from opening a VPN connection if basic security requirements are not met on the client computer. The checks are activated by the Gateway. For more details, see the Administrator s Guide or the Online Help of the Management Client. Command Line Tool for Resetting VPNs The new sg-ipsec tool available on the engine command line can be used for resetting VPN tunnels. For more details, see Command Line Tools, on page 127. Connection Tracking Configuration Improved There are now more options for adjusting the connection tracking on a rule-by-rule basis. Access rules can now be set to enforce one of several connection tracking modes that require varying degrees of adherence to network protocol standards. This may allow handling more types of problematic connections statefully and, on the other hand, may help you in imposing stricter controls on traffic that follows standards well. For more details, see Connection Tracking vs. Connectionless Packet Inspection, on page 107. End-User Notifications You can set up different ways to notify users when their HTTP or HTTPS connections match an Inspection rule that stops the user s connection attempt. For example, you can display a message in the user s browser as a response when the user tries to open an HTTP URL that you have banned. Note that this feature is not available in firewall Access rules at this time. For more details, see Administrator s Guide or the Online Help of the Management Client. Full VPN Hub Support You can now forward connections from any type of VPN tunnel to another VPN tunnel. This allows setting up a hub gateway that forwards connections between different 18 Chapter 2: What s New?

19 sites, allowing centralized inspection and reducing the number of tunnels required at the spoke gateways that connect to each other through the hub compared to connecting directly. This feature requires SMC version or higher. For more details, see Administrator s Guide or the Online Help of the Management Client. HTTPS Traffic Inspection The engines can now decrypt HTTPS traffic for inspection. This allows deep packet inspection and other checks for HTTPS traffic as if it was plaintext HTTP traffic. However, decrypted connections cannot be redirected to external content inspection servers (even after re-encryption). For more details, see HTTPS Inspection, on page 191. Attention This may change your configuration Log Entry Compression To prevent overloading the network and the system components with a flood of log entries, excessive (system-generated) antispoofing and (user-configurable) discard events can be automatically compressed by the engine. You can activate this feature globally and on the level of individual physical interfaces. After upgrading, compression for antispoofing entries is activated on all interfaces. Compression for discard entries is always enabled manually. For more details, see Administrator s Guide or the Online Help of the Management Client. Rule Hit Counters Firewall Access rules now count how many times each rule has matched. You can view the hits as a field in the Access rule table in the policies. Rule hit counters allow you to optimize your policies and eliminate rules that are not needed anymore. For more details, see Rule Counter Analysis, on page 110. SYN Flood Protection The firewalls can now protect your networks from SYN flood attacks, ensuring the continuity of services even in high-bandwidth environments. You can activate this feature globally and on the level of individual physical interfaces. The SYN flood protection is disabled by default. For more details, see Administrator s Guide or the Online Help of the Management Client. Attention This may change your configuration VPN Client 2.x Versions no Longer Supported Legacy VPN Clients (version 2.6 or older) are no longer supported by this engine version. Users must upgrade their StoneGate VPN clients (or install a third party general-use IPsec VPN client) to connect to Firewall/VPN engines version 5.0. New Features in Firewall/VPN

20 Wireless-Only Interfaces on SOHO Firewalls The SOHO Firewall Properties now allow you to activate wireless Guest or Corporate networking without allocating a physical interface for the same type of access. Changes in Documentation What do you think of these changes? documentation@stonesoft.com to let us know. More Product-Specific Reference Guides The background information for understanding the StoneGate Management Center, Firewall/VPN, and IPS products is now covered in the following books: Management Center Reference Guide. Firewall/VPN Reference Guide. IPS Reference Guide. The Firewall/VPN and the IPS Reference Guides no longer contain Management Center -specific information. 20 Chapter 2: What s New?

21 CHAPTER 3 General Firewall Principles This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are. The following sections are included: The Role of the Firewall, on page 22 Firewall Technologies, on page 24 Firewall Functions, on page 29 Requirements for Modern Firewalls, on page 32 Firewall Weaknesses, on page 34 21

22 The Role of the Firewall It is difficult to give an all-inclusive, yet simple definition of a firewall, but here we shall present some outlines that help form a picture of features and functions they have. First, we ll take a look at which types of threats in addition to the opportunities the modern network environment contains, and how firewalls can respond to these concerns. Hazards of Networking Internet can be seen today both as an opportunity and a threat. Today, as corporations are more and more dependent on their Internet connections, they are also becoming more and more frequently attacked from the outside by way of exploiting those very connections; be it by adventurous hackers or professional information thieves. In general, it could be said that there is no rhyme or reason to network attacks, and no network is small enough to be safe. Any system can become the target of an attacker, and no matter what the motives for the attack are, the consequences can be severe. Attackers may grab data to sell as mailing lists, to use for credit or financial access, to add to corporate profiles, or to cripple competitors. They may take over computing resources and use them for their financial gain. They may also destroy data for many reasons, including vindictiveness, an urge to show off, or even just boredom. In addition to such external attacks, internal network attacks are also a serious issue. Although firewalls can limit access between any separate networks, it is beyond the scope of firewalls to give protection against attacks by authorized persons located within the protected network. Other aspects of the corporate security policy must cover that type of risk. You do not want unauthorized parties to get their hands on confidential data. You also want to ensure that information remains intact, so that no one can alter crucial data unnoticed. And of course, you want your data and resources to be available whenever needed. These three parameters confidentiality, integrity, and availability are the main goals of any credible security policy. Firewalls can help to achieve these objectives in the network environment by blocking unauthorized persons from having access to sensitive data, computer memory and processing power. The Firewall as Protection The advantages of the Internet in communication and business cannot be attained without proper protection from hostile attackers and without confidence that private information remains private. Firewalls are a cornerstone in the defense strategy that aims at eliminating the misuse of confidential data and resources by any unauthorized parties. A firewall is just one, albeit important, element in the overall corporate security policy. Firewalls regulate communication on data networks; or more precisely, between networks with different security levels. Their main purpose is to control the traffic that passes through from one network to another, and deny access to network resources 22 Chapter 3: General Firewall Principles

23 from undesired or potentially harmful packets and connections as far as they are distinguishable from allowed traffic. Although an advanced firewall can do much more than filter packets based on sources and destinations, some threats are most efficiently tackled by complimenting the firewall with intrusion detection or intrusion prevention systems (IDS/IPS), content inspection servers (CIS), and anti-virus gateways. The principle of access control is ideally expressed as whatever is not expressly permitted is denied. By default, nobody and nothing must be permitted entry to the protected network. That means that in order for any traffic to be allowed into the network, it must first satisfy a specifically designed rule that permits limited access. Typically, internal network clients are granted a more unrestricted access to external networks, but outbound connections must also be controlled. Some advantages that firewalls can provide include: Firewalls can protect the corporate intranet from undesired traffic, including everything from malicious attackers to unsolicited (spam), on the basis of the corporate security policy implemented by the network administrators. Firewalls can secure sensitive corporate information and resources within a local area network (LAN). This insulates departments such as Research & Development, or Human Resources from other company departments, limiting the access within any one area to authorized users only. Firewalls can concentrate network security policies at a single point, a choke point. When policies or administrators change, the instructions, configurations, and passwords need only be changed in one place. One must, however, ensure that the firewall doesn t turn out to be a single point of failure. Firewalls can also be used for other purposes, such as monitoring network traffic and the use of network resources, authenticating users, managing network bandwidth and implementing virtual private networks (VPN). These functions will be covered in more detail in section Firewall Functions, on page 29 and in subsequent chapters. The firewall offers a reasonable amount of protection against Internet intruders, on the condition that the security policies enforced by the firewalls are carefully designed, and there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system is undermined by a single back door say, a modem connection from the intranet to the Internet that allows traffic to circumvent the firewall. See Appendix G, Guidelines for Building Network Security for background information on designing network security. The Role of the Firewall 23

24 Example Solution Figure 3.1 illustrates an example scenario where the demilitarized zone (DMZ) contains a publicly available pool of servers protected by a firewall. Other firewalls guard particularly sensitive networks within the company intranet, such as those of the Research and Development, Human Resources, and Accounting departments. This multi-layer protection is called defense in depth. Illustration 3.1 An Example Firewall Deployment in a Corporate Network This type of solution means there is no direct access from the Internet into the internal network. Anyone trying to access internal resources from the Internet would have to pass through at least one firewall. For example, a company mail server can be located on the firewall-protected DMZ, allowing SMTP-based traffic to that machine but not to the protected intranet. Firewall Technologies On the firewall market there is a wide range of both software-based and hardwarebased firewall solutions from lightweight, personal firewalls to scalable enterprise-wide systems. Software-based solutions are usually installed on standard hardware, whereas hardware-based appliances are typically proprietary in nature. Either way, the firewalls can be categorized by the way they handle network traffic. In this section we give an overview of the existing firewall technologies, and show you how StoneGate fits on that map. Traditionally, firewalls can be divided into three main groups: packet filtering firewalls application-level proxy firewalls stateful inspection firewalls. Next, we will briefly compare each technology, and bring out their fortes and drawbacks. 24 Chapter 3: General Firewall Principles

25 Packet Filters The packet filtering firewall, based on the header information of the packets it receives, allows or denies access to or from the network that it is guarding. Packet filtering firewalls check each packet and can be implemented by most common routing devices. Packet filters typically contain access control lists (ACLs) to monitor the following header data: source IP address destination IP address source port destination port ICMP message type protocol packet size various header flags. By combining these parameters, complex policies can be enforced by the packet filter. Packet filters tend to have high performance, because their inspection involves very simple parameters at the network layer of the TCP/IP stack. They typically only inspect up to the network layer, as show in Figure 3.2. With more complex environments, however, the performance of packets filters drops significantly as every packet of every connection is checked against the access control rules. Illustration 3.2 Packet Filtering Model In conclusion, packet filtering is neither very flexible nor generally very secure because the network layer lacks the context of each packet. This type of filtering can be easily fooled with techniques such as fragmented packets, or bogus or invalid IP address Firewall Technologies 25

26 information. Packet filters cannot protect against malicious contents in higher levels of the protocol stack, or examine the actual data portion. Thus, they are often used in combination with application-level proxies. Packet filtering is commonly used also in routers at the network perimeters. Proxy Firewalls Proxy firewalls are firewalls running application proxy services. This means that the server establishes a second, different connection to the destination network on behalf of the host from the source network if the packet meets the security policy criteria for it to pass through. In other words, proxy firewalls mediate communications between two different devices located on different networks. This type of firewall is fully application-aware, and therefore very secure, but at the same time there s a trade-off in performance due to the additional overhead required to maintain separate connections and to inspect packets up to the application layer. Illustration 3.3 Proxy Firewall Model Proxy firewalls can cache information, such as HTML pages, to increase the performance somewhat, but the application layer awareness still continues to affect performance. Firstly, application level checking and duplicate connections can drain system resources, affecting firewall performance. Secondly, the number of services used by a proxy firewall is an issue. Since every service needs its own proxy, the proxy list is always in some sense incomplete, and new applications and services are hard to keep up with. Traffic inspection takes place at the highest layer of the TCP/IP stack. The necessity of inspecting every layer before returning back down to the physical layer can cause bottlenecks in busy networks. 26 Chapter 3: General Firewall Principles

27 Stateful Inspection Stateful inspection technology was developed to overcome the limitations of packet filtering firewalls. Stateful inspection firewalls use additional criteria, such as historical data about the connection, in determining whether to allow or deny access. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies. By applying connection status and context information to current connections and packets, some packets are denied access before being further inspected at a higher level, which increases performance. Furthermore, since stateful inspection understands the context of connections (and therefore can relate the returning packets to appropriate connections), connections already determined to be secure can be allowed without further examination. This is especially important with services such as telnet and FTP. Stateful inspection operates just beneath the network layer (in practice, the inspection takes place between the data link layer and network layer). Stateful inspection firewalls have a rather limited capability to inspect data at the application layer. Stateful inspection systems also try to keep state tables for every connection protocol, whether it is conceivable or not. Illustration 3.4 Stateful Inspection Model Firewall Technologies 27

28 StoneGate and Multi-Layer Inspection With StoneGate, Stonesoft introduces a new firewall technology called Multi-Layer Inspection. Like stateful inspection, StoneGate uses state tables to track connections and judge whether a packet is a part of an established connection or not. However, it also features application-layer inspection by implementing specific Protocol Agents, when necessary, for enhanced security. Thus, StoneGate can inspect data all the way up to the application layer to decide whether a packet is granted access or not. Moreover, StoneGate can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection. Illustration 3.5 Multi-layer Inspection Model The state of connections provides valuable information for assessing incoming packets. Any packet must be either accepted directly by the policy, be a part of a previously accepted connection, or of a related connection. Whenever packets arrive, the firewall checks them against active connections before proceeding through the rules of the security policy. If a connection has a registered state, all the packets following the opening packet can pass the firewall securely without having to traverse the policy. By default, most rules in StoneGate security policies implement stateful inspection methods, but the administrator can flexibly configure rules with simple packet filtering for certain types of traffic. For example, SNMP traps from server systems and network devices can pass through the firewall to a management network on the basis of simple packet filtering in case there is no need to enforce a more strict inspection. This kind of flexibility enhances the firewall performance. Additionally, application level security can be applied to specific rules in the security policy when needed. Multi-Layer Inspection is capable of providing this type of security without the performance degradation of conventional proxy firewalls. StoneGate can 28 Chapter 3: General Firewall Principles

29 implement application level inspection without the need to handle two separate connections. This is achieved with the Protocol Agents, which can be assigned to certain types of traffic. Protocol Agents are also used to handle complex connections (e.g., Oracle or FTP), to redirect traffic to content inspection servers, to enforce protocol standards, and to modify data payload if necessary. The FTP Protocol Agent, for example, can inspect the control connection and only allow packets containing valid FTP commands. It can also be configured to redirect traffic to a CIS for content screening and to modify IP addresses in the payload in case network address translation is required. The Protocol Agents are covered in more detail in Protocol Agents, on page 161. In brief, StoneGate Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for added security without adversely affecting system performance. The different functions these firewall technologies can perform will be discussed in the next section. Firewall Functions A firewall can have several different functions on a network. Although their main function is to control network access, firewalls can typically be configured for other basic network security tasks and even for more complex monitoring and filtering functions. Access Control The primary task of any firewall is to control access to data resources, so that only authorized connections are allowed. Access control is enforced in access rules, which are combined into policies. The rules collected into policies reflect the corporate network security policy. Monitoring and Logging Firewalls can be used to measure and monitor traffic load and attributes. A very important firewall feature is the ability to log monitored traffic. Properly recorded log data can be used to detect intruders and establish evidence to use against attackers. That kind of forensic evidence may prove to be invaluable in case hacking leads to lawsuits. More commonly, logging is used to track the use of network resources, building a case for required services or hardware. Logging also helps administrators detect and troubleshoot network misconfigurations or failures. Firewall Functions 29

30 Network Address Translation (NAT) Network address translation (NAT) is a feature that enables the firewall to modify the IP headers of packets it forwards. It was originally created to alleviate the problem of the rapidly diminishing IP address space. Changing the network address of the originating (internal) network has an added benefit; the private IP addresses of hosts and the structure of an internal network can be concealed by a firewall. In fact, NAT enables even hiding an entire network behind a single public IP address. As handy as NAT can be in terms of scarce public IP addresses and security, it is important to understand that NAT is not primarily a security feature. It is simply a method of modifying packets that lends itself to security applications. For more information on network address translation, See Network Address Translation (NAT) Rules, on page 145. Authentication Firewalls are often used to authenticate users accessing network resources from other locations. The various authentication methods ensure that the users trying to connect really are who they claim to be. These methods may involve a third party authentication service based on standard protocols like RADIUS or TACACS+, but it can also be based on the originating IP address or other parameters, such as usernames and passwords. For more information on authentication, see User Authentication, on page 177. Virtual Private Networks (VPN) Virtual private networks (VPN) conceal and encrypt traffic between end-points to establish a virtual, secure tunnel through an insecure, typically public, network. Firewalls are used at the tunnel end-points as security gateways (SGW) to encrypt and decrypt data passing between them, creating a gateway-to-gateway VPN. VPNs can also be established between a client machine, such as a remote laptop and the firewall. Figure 3.6 illustrates a simple gateway-to-gateway VPN. Illustration 3.6 Simple VPN Example As seen in the illustration, when traffic (a Hello! message) leaves Site A, it is encrypted by the firewall. Anyone who intercepts this traffic in transit can only see the encrypted messages. Once the traffic reaches the Site B gateway, the packet is 30 Chapter 3: General Firewall Principles