StoneGate IPS version 1.0 Installation Guide




Copyright 2001-2004 Stonesoft Corp. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Stonesoft Corporation.

Stonesoft Corporation, Itälahdenkatu 22 A, FIN-00210 Helsinki, Finland
Stonesoft Inc., South Terraces, Suite 1000, 115 Perimeter Center Place, Atlanta, GA 30346, USA
Stonesoft Corporation, 90 Cecil Street, #13-01, 069531 Singapore

Trademarks

The products described in this documentation are protected by one or more of U.S. Patents and European Patents: U.S. Patent No. 6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. Patents, foreign patents, or pending applications. Stonesoft, the Stonesoft logo, StoneBeat, FullCluster, ServerCluster, StoneGate, and WebCluster are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. Sun, Sun Microsystems, the Sun Logo, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Windows, Windows NT, and Microsoft are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. IBM, Redbooks, zSeries and z/VM are trademarks or registered trademarks of the International Business Machines Corporation in the United States and/or other countries. Syntax is a registered trademark of Linotype-Hell AG and/or its subsidiaries. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGIIG_100_20040528

Example Network Scenario

Table of Contents

GETTING STARTED
CHAPTER 1 Using StoneGate IPS Documentation ... 13
  Objectives and Audience ... 14
  Overview of the StoneGate IPS Installation Guide ... 14
    How to Use This Guide ... 14
    Example Network Scenario ... 14
  Typographical Conventions ... 15
  StoneGate IPS Documentation Map ... 15
    Guide Books ... 16
    Support Documentation ... 16
  Contact Information ... 17
    Technical Support ... 17
    Security Related Questions and Comments ... 17
    Product Sales ... 18
    Documentation Comments ... 18
CHAPTER 2 Quick Start Instructions ... 19
  Requirements for the Installation ... 20
  Quick Installation ... 21
CHAPTER 3 Planning StoneGate IPS Installation ... 29
  Important to Know Before Installation ... 30
  System Components and Supported Platforms ... 30
    StoneGate IPS System Components ... 30
    Supported Platforms ... 30
  Checking the File Integrity ... 31
  Checking the Surrounding Network Environment ... 31
    Switch SPAN Ports and Hubs ... 32
    Network TAPs ... 32
  System Installation ... 32
  Example Network Scenario ... 33
    StoneGate Management Center ... 34
    Combined Sensor/Analyzer ... 35
    Sensor Cluster ... 35
    Single Sensor ... 36
    Analyzer ... 37
  Overview to the Installation Procedure ... 37

INSTALLING THE MANAGEMENT CENTER
CHAPTER 4 Installing the Management Center ... 41
  Installing the Management Center ... 42
    Installing the Solaris Patches ... 42
    Checking File Integrity ... 42
    Installing the Management Center Components ... 42
      Starting the Installation ... 42
      Installing the Management Server ... 46
      Installing the Log Server ... 48
      Installing the GUI Client ... 52
    Non-graphical Installation ... 54
  Uninstalling the Management Center ... 56
    Uninstalling in Non-graphical Mode ... 57
CHAPTER 5 Defining Sensors and Analyzers ... 59
  Starting the StoneGate Management Center ... 60
    Starting the Management Server ... 60
    Starting the GUI Client ... 60
    Installing StoneGate IPS Licenses ... 62
    Starting the Log Server ... 62
  Defining an Analyzer ... 63
    Defining the Network Interfaces ... 64
    Defining Logical Interfaces ... 66
  Defining a Sensor Cluster ... 67
    Defining the Cluster Network Interfaces ... 68
    Defining the Node Specific Properties ... 71
    Adding a Node to the Cluster ... 73
  Defining a Single Sensor ... 73
    Defining the Network Interfaces ... 74
  Defining a Combined Sensor/Analyzer ... 77
    Defining the Network Interfaces ... 78
  Configuring Routing ... 81
  Configuring IP Addressing for NAT ... 83
    Sensor and Analyzer Contact Addresses ... 84
    Management Server Contact Address ... 86
    Log Server Contact Address ... 88
  Saving the Initial Configuration ... 89

INSTALLING SENSORS AND ANALYZERS
CHAPTER 6 Installing Sensors and Analyzers ... 95
  Installing the Sensor or Analyzer ... 96
    Checking the File Integrity ... 96
    Booting From the CD-ROM ... 96
  Configuring the Sensor or Analyzer ... 97
    Selecting a Configuration Method ... 97
    Configuring the Operating System Settings ... 98
    Configuring the Network Interfaces ... 100
    Contacting the Management Server ... 102
  Installing in Expert Mode ... 104
    Checking the File Integrity ... 104
    Booting From the CD-ROM ... 104
    Partitioning the Hard Disk Manually ... 105
    Allocating Partitions ... 107

UPGRADING STONEGATE IPS
CHAPTER 7 Upgrading StoneGate IPS ... 111
  Upgrading StoneGate Management Center ... 112
    Checking the File Integrity ... 112
    Obtaining Licenses ... 112
    Upgrading StoneGate Management Center ... 112
  Upgrading the Sensors and Analyzers Remotely ... 116
  Upgrading Sensors and Analyzers Locally ... 116

APPENDICES
APPENDIX A Command Line Tools ... 121
APPENDIX B StoneGate IPS Ports ... 129
Software and License Information ... 133
Index ... 157

GETTING STARTED

CHAPTER 1
Using StoneGate IPS Documentation

Welcome to Stonesoft Corporation's StoneGate IPS Intrusion Detection and Response System for Intelligent Analysis. This chapter describes how to use the StoneGate IPS Installation Guide and related documentation. It also provides directions for obtaining technical support and for giving feedback about the documentation.

The chapter contains the following sections:
  Objectives and Audience, on page 14
  Overview of the StoneGate IPS Installation Guide, on page 14
  Typographical Conventions, on page 15
  StoneGate IPS Documentation Map, on page 15
  Contact Information, on page 17

Objectives and Audience

This StoneGate IPS Installation Guide describes step by step how to complete installation of the StoneGate Management Center and the StoneGate IPS Sensors and Analyzers. This Guide is intended for technical people who administrate and implement StoneGate IPS installations. The tasks are illustrated by using an example network scenario. If you need a more comprehensive explanation on the functionality and operation of StoneGate IPS, please see the StoneGate IPS Administrator's Reference. For more information on other related StoneGate IPS documentation, see section StoneGate IPS Documentation Map, on page 15.

Overview of the StoneGate IPS Installation Guide

How to Use This Guide

This guide is organized in chapters explaining the StoneGate IPS installation tasks in a step-by-step format. Each chapter focuses on one area of StoneGate IPS installation. The chapters are organized following the StoneGate IPS installation steps, as explained in Overview to the Installation Procedure, on page 37. For detailed information on managing StoneGate IPS, please refer to the StoneGate IPS Administrator's Guide.

Example Network Scenario

To illustrate the installation tasks, this Guide uses an example network scenario presented in section Example Network Scenario, on page 33. The network scenario is also presented in the front of the book, before the Table of Contents.

Typographical Conventions

The following typographical conventions are used throughout this guide:

TABLE 1.1 Typographical Conventions
Formatting           Informative Uses
Normal text          This is normal text.
GUI elements         Interface elements (buttons, menus, icons) and any other interaction with the user interface are in boldface.
References, terms    Cross-references and the described acronyms and terms are in italics.
Command line         File names, directories, and text displayed on the screen are monospaced.
User input           User input on screen is monospaced bold-face.
Command parameters   Command parameter names are in monospaced italics.

In addition, we use the following icons to indicate important or additional information.

Note: Notes provide important information that may help you complete a task.
Caution: Cautions provide cautionary or critical information that you should take into account before performing an action or implementing a feature.
Tip: Tips provide information that is not crucial, but may still be helpful.

StoneGate IPS Documentation Map

StoneGate IPS technical documentation is divided into two main categories: Guide Books and Support Documentation. We will next describe the different types of documents.

Guide Books

The StoneGate IPS Guide books are the primary resource of technical information. The Guide books provide comprehensive guidelines on using and configuring StoneGate IPS, as well as descriptions of its operation and features. To locate the StoneGate IPS Guide that provides the information you need, see Table 1.2.

TABLE 1.2 Description of Guide Books
Guide                      Description
Administrator's Reference  Describes comprehensively the operation and features of StoneGate IPS.
Installation Guide         Demonstrates the steps required for planning, installing, and upgrading a StoneGate IPS system.
Administrator's Guide      Describes how to configure and manage a StoneGate IPS system. Uses detailed step-by-step examples.
Online Help                Explains the management GUI client's buttons, fields, etc. (Accessible from the GUI client's Help menu and by using the Help button in the GUI windows.)

The StoneGate IPS Guides are available as printed versions in the StoneGate IPS product kit. The PDF versions are available on the StoneGate IPS CD-ROM and Stonesoft's Web site at http://www.stonesoft.com/products/stonegate/.

Support Documentation

The StoneGate IPS support documentation provides additional and late-breaking technical information on StoneGate IPS and related issues. These documents are supportive information resources to be used in conjunction with the StoneGate IPS Guide books.

The support documentation is further divided into several document types. To locate the support document that provides the information you need, see Table 1.3.

TABLE 1.3 Description of Support Documentation
Documentation             Description
Release Notes             Describe the release specific information. Contains new features, fixes and enhancements, software version information, system requirements, and other StoneGate IPS version specific information.
Technical Knowledge Base  Answers simple recurrent topics concerning StoneGate IPS.
Technical Notes           Describe related technical information not necessarily limited to StoneGate IPS software. For example, related third-party products, technologies, and standards.
How-To Guidelines         Describe certain special cases of StoneGate IPS system configuration and possible related third-party products.

The latest StoneGate IPS support documentation is available on the Stonesoft Web site at http://www.stonesoft.com/support/.

Contact Information

For general information about StoneGate IPS and Stonesoft Corporation, please visit our Web site at http://www.stonesoft.com/.

Technical Support

Stonesoft offers global technical support for Stonesoft's product families. For more information on the technical support services, please visit Stonesoft's Web site at http://www.stonesoft.com/support/.

Security Related Questions and Comments

You can send any questions or comments relating to StoneGate IPS and network security to security-alert@stonesoft.com. A PGP key is available at ftp://download.stonesoft.com/web/support/stonesoft%20security%20alert.asc.

Product Sales

For sales questions or other information or comments on the StoneGate IPS product, please send e-mail to info@stonesoft.com.

Documentation Comments

Your input is essential in order for the StoneGate IPS documentation to better serve your needs. Let us know of any errors you find, as well as suggestions for future editions, comments, etc., by writing to:

Stonesoft Corporation
Documentation
Itälahdenkatu 22A
FIN-00210 Helsinki
Finland

or by e-mailing documentation@stonesoft.com.

CHAPTER 2
Quick Start Instructions

These quick start instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters.

This chapter contains the following sections:
  Requirements for the Installation, on page 20
  Quick Installation, on page 21

Requirements for the Installation

The prerequisites for this quick installation setup are described below.

TABLE 2.1 Requirements for the Quick Installation

Hardware: Management Center
  Two machines with Windows, Linux, or Solaris installed for the Management Server and the Log Server. One NIC required on each machine. The GUI client can be installed on either or both of these machines. (Alternatively, all Management Center components can be installed on the same machine.) See the system requirements in the Release Notes at http://www.stonesoft.com/download/.

Hardware: Sensor
  One Intel compatible machine with at least two NICs. (At least three NICs are required if a wire TAP is used.) The Sensor uses an integrated operating system. See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.

Hardware: Analyzer
  One Intel compatible machine with at least one NIC. The Analyzer uses an integrated operating system. (Alternatively, the Sensor and Analyzer can be combined on the same machine.) See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.

Network: Ethernet cabling
  Ethernet cabling is needed to network the StoneGate Management Center, the Sensor, and the Analyzer for intercommunications.

Network: traffic capturing
  One switch SPAN port (port mirroring), a wire TAP device, or a hub is needed for capturing the traffic on the Sensor.

Network: IP addressing
  All the machines require an IP address reachable from the connecting StoneGate IPS or Management Center machines. This may require routing if the machines are not in the same network.

Software: StoneGate IPS
  The StoneGate IPS and the Management Center software, documentation, and the Release Notes can be ordered on a CD-ROM or downloaded at http://www.stonesoft.com/download/.

Software: latest update packages
  The latest dynamic update packages for StoneGate IPS can be downloaded at http://www.stonesoft.com/download/.

License: StoneGate IPS and Management Center
  The StoneGate IPS and Management Center evaluation license can be ordered from the Stonesoft License Center at http://www.stonesoft.com/licenses/.

Quick Installation

These instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters. The installation proceeds as follows:

1. Set up the networking environment, on page 21
2. Install the Management Server, on page 22
3. Install the Log Server, on page 22
4. Install the GUI client, on page 23
5. Start up the Management Center, on page 23
6. Define the Analyzer element, on page 23
7. Install the Analyzer, on page 24
8. Define the Sensor element, on page 25
9. Install the Sensor, on page 26
10. Load Dynamic Updates, on page 26
11. Install Policies, on page 27
12. Browse the alerts and logs, on page 27

Set up the networking environment (Planning StoneGate IPS Installation, on page 29)

1. Select the IP addresses for StoneGate IPS:

TABLE 2.2 IP addresses for StoneGate IPS
StoneGate IPS component   IP Addressing   Notes
Management Server
Log Server
Analyzer
Sensor

2. Configure the related network devices: switches, routers, SPAN ports, wire TAPs and so on.
3. Connect the StoneGate IPS machines to the network.

Install the Management Server (Installing the Management Center, on page 41)

TABLE 2.3 Management Server Configuration
Configuration Item             Value   Notes
Superuser account
Management Server IP address

1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Management Server and the GUI client to be installed on the Management Server machine.
3. Define the Management Center superuser account.
4. Define the IP address for the Management Server.
5. Select Install as a service.
6. Complete the Management Server installation.

Install the Log Server (Installing the Management Center, on page 41)

TABLE 2.4 Log Server Configuration
Configuration Item      Value   Notes
Log Server IP address

1. Run setup.exe for Windows or setup.sh for Linux/Unix from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Log Server from the list.
3. Define the IP address for the Log Server.
4. Define the Management Server's IP address.
5. Select Certify the Log Server during the installation.
6. Select Install as a service.

7. In the Certificate Generation window, log in with the Superuser account to establish a connection to the Management Server.
8. Complete the Log Server installation.

Install the GUI client (Installing the Management Center, on page 41)

1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Administration Client Only installation type.
3. Define the Management Server's IP address.
4. Complete the GUI client installation.

Start up the Management Center (Defining Sensors and Analyzers, on page 59)

1. Start the GUI client and log in with the Superuser account.
2. Import and activate the StoneGate IPS license from the .jar license file.
3. Start the Log Server service from the Windows Control Panel or by running the init script in Linux/Unix.

Define the Analyzer element (Defining an Analyzer, on page 63)

TABLE 2.5 Analyzer Element Definition
Configuration Item   Value         Notes
Network Interface    IP address:
Default gateway      IP address:
One-time password

1. In the GUI client, open the Resource Manager by clicking the toolbar icon or selecting Manage > Resource Manager from the menu.
2. Create a new Analyzer element.
3. Select the Log Server from the drop-down list.

4. Click Add Interface and define NIC ID 0 with the IP address for the Analyzer. Select all the following options for the interface: Control IP Address Primary Log/Analyzer connection source IP address.
5. Click OK to create the Analyzer element.
6. Create a Router element for the Analyzer's default gateway.
7. In the Resource Manager Routing view, drag the default gateway Router element on the Analyzer's directly-connected network.
8. Drag the Any Network element on the Analyzer's default gateway Router element.
9. In the StoneGate Control Panel, right-click on the Analyzer and select Save Initial Configuration and save it on a floppy disk. Write down the displayed one-time password for the Analyzer installation.

Install the Analyzer (Installing Sensors and Analyzers, on page 95)

1. Boot up the Analyzer machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column.
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Analyzer (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password in the initial configuration (if not automatically defined).
11. Select Install Analyzer and complete the installation.

12. In the GUI client Control Panel, double-click on the Analyzer and check that the Connection field displays Connected, indicating a successful initial configuration.

Define the Sensor element (Defining a Single Sensor, on page 73)

TABLE 2.6 Sensor Element Definition
Configuration Item   Value                       Notes
Capture Interface    Capture mode: SPAN or TAP
                     NIC ID(s):
NDI                  NIC ID:
                     IP address:
Default gateway      IP address:
One-time password

1. In the GUI client, open the Resource Manager by selecting Manage > Resource Manager from the menu.
2. Create a new Single Sensor element.
3. Select the Analyzer and the Log Server from the drop-down lists.
4. Click Add Interface and select Node Dedicated Interface for the NIC ID 0. Define the IP address for the Sensor. Select all the following options for the interface: Control IP Address Primary Log/Analyzer connection source IP address.
5. Click Add Interface and select Capture Interface for the NIC ID 1. Select Span Port mode for a switch or hub, or Wire Tap mode for a wire TAP device. If you are using a wire TAP, define NIC ID 2 with identical settings for the other direction of the captured traffic.
6. Click OK to create the Sensor element.
7. Create a Router element for the Sensor's default gateway.
8. In the Resource Manager Routing view, drag the default gateway Router element on the Sensor's directly-connected network.

9. Drag the Any Network element onto the Sensor's default gateway Router element.
10. In the StoneGate Control Panel, right-click the Sensor and select Save Initial Configuration, then save it on a floppy disk. Write down the displayed one-time password for the Sensor installation.

Install the Sensor (Installing Sensors and Analyzers, on page 95)

1. Boot the Sensor machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, time zone, hostname and the root user password.
7. In Network Interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column, using the same NIC ID that was defined in the GUI.
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Sensor (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password from the initial configuration (if not automatically defined).
11. Select Install Sensor and complete the installation.
12. In the GUI client Control Panel, double-click the Sensor and check that the Connection field displays Connected, indicating a successful initial configuration.

Load Dynamic Updates

1. In the GUI client, open the Dynamic Update Manager by selecting Manage > Admin Tools.
2. Import the latest .jar update packages by clicking the toolbar icon or by selecting File > Import Update Packages from the menu.

3. Activate the update packages in numerical order by right-clicking the package and selecting Activate.

Install Policies

1. Open the Policy Manager by selecting Manage > Security Policies.
2. Right-click the default Analyzer policy and select Install. Install the policy on the Analyzer.
3. Right-click the default Sensor policy and select Install. Install the policy on the Sensor.
4. In the GUI client Control Panel, right-click the Sensor node and select Command > Go Online to start traffic inspection.

Browse the Alerts and Logs

1. Open the Alert Browser by selecting Manage > Logs and Alerts > Alert Browser.
2. Open the Log Browser by selecting Manage > Logs and Alerts > Log Browser.

For a detailed introduction to the StoneGate IPS features and their use, refer to the StoneGate IPS Administrator's Guide and the Administrator's Reference.


CHAPTER 3 Planning StoneGate IPS Installation

This chapter provides general information about the installation, the hardware and software prerequisites, and other important information to take into account before the actual StoneGate IPS installation can be performed. This chapter includes the following sections:
- Important to Know Before Installation, on page 30
- System Components and Supported Platforms, on page 30
- Checking the Surrounding Network Environment, on page 31
- System Installation, on page 32
- Overview to the Installation Procedure, on page 37

Chapter 3: Planning StoneGate IPS Installation

Important to Know Before Installation

Before you start the installation, plan the site you are going to install carefully. Check that your operating system and hardware are supported and familiarize yourself with the surrounding network components. See the StoneGate IPS Release Notes for further information. When planning the StoneGate IPS installation, see the StoneGate IPS Administrator's Reference for detailed information on the operation of StoneGate IPS.

System Components and Supported Platforms

StoneGate IPS System Components

A StoneGate IPS system consists of the Management Center, one or more Sensors, and an Analyzer. The StoneGate Management Center consists of the following components:
- the Management Server
- one or more Log Servers
- one or more graphical user interface (GUI) clients.

The StoneGate IPS Sensors and Analyzers can be distributed as follows:
- a combined Sensor/Analyzer, with these two components on a single machine
- a single-node Sensor
- a Sensor cluster, which consists of 2 to 16 machines with Sensors, called cluster nodes or nodes for short
- an Analyzer, which is required by the Sensors. An Analyzer located on a combined Sensor/Analyzer can also be used by other Sensors.

Supported Platforms

For detailed information on the supported platforms, see the StoneGate IPS Hardware Requirements available at http://www.stonesoft.com/. The Sensors and Analyzers have an integrated, hardened Linux operating system and therefore require no separate operating system installation. The integrated operating system simplifies upgrading the Sensors and Analyzers significantly, as they can be upgraded as a whole without having to upgrade the operating system and the StoneGate IPS software separately.

Checking the File Integrity

Before installing StoneGate IPS, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums can be found on the StoneGate IPS installation CD-ROM and on the product-specific download page at the Stonesoft Web site at http://www.stonesoft.com/download/. For more information on the MD5 and SHA-1 algorithms, see RFC 1321 and RFC 3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/. Windows does not include MD5 or SHA-1 checksum tools by default, but several third-party programs are available.

A checksum only proves that the file you have is the file the checksum was computed for. It reliably detects a corrupted or truncated download, but it protects against deliberate tampering only if the checksum itself comes from a source the attacker cannot modify, so take the reference value from the Stonesoft Web site or the installation CD-ROM rather than from the same place as an untrusted copy of the installation file. Neither MD5 nor SHA-1 is collision-resistant by current standards; where a stronger checksum is published for a release, prefer it.

To check the MD5 or SHA-1 file checksum

1. Obtain the checksum from the Stonesoft Web site at http://www.stonesoft.com/download/.
2. Change to the directory that contains the file(s) to be checked.
3. Generate a checksum of the file using the command md5sum filename or sha1sum filename, where filename is the name of the installation file.

ILLUSTRATION 3.1 Checking the File Checksums

$ md5sum sg_engine_1.0.0.1000.iso
869aecd7dc39321aa2e0cfaf7fafdb8f  sg_engine_1.0.0.1000.iso

4. Compare the displayed output to the checksum on the Web site.

Caution: Do not use files that have invalid checksums. Contact Stonesoft technical support to resolve the issue.

Checking the Surrounding Network Environment

StoneGate IPS can be connected to a switch SPAN port, a network TAP, or a hub to capture network traffic. The considerations for these connection methods are explained below. For more specific information on the compatibility of different network devices with StoneGate IPS, refer to the Stonesoft Web site at http://www.stonesoft.com/support/.
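The comparison in Checking the File Integrity above is easy to get wrong by eye on a 32- or 40-character hex string. The following is an added example, not part of the StoneGate guide or product, that performs steps 1 to 4 programmatically: it parses checksum lines in the format that md5sum and sha1sum produce (and that Illustration 3.1 shows), hashes each listed file in chunks, and reports OK, FAILED or MISSING per file. The file names and contents in demo() are constructed for the example; the digest values there are the real MD5 and SHA-1 of the string "hello".

```python
"""Verify installation files against md5sum/sha1sum-style checksum lines.

Added example (not part of the StoneGate guide). Checksum lines have the
form "<hex digest>  <filename>" as produced by md5sum and sha1sum; the
digest length (32 or 40 hex characters) identifies the algorithm.
"""
import hashlib
import os
import tempfile

_ALGORITHMS = {32: "md5", 40: "sha1"}


def parse_checksum_lines(text):
    """Return a list of (algorithm, expected_hex, filename) tuples.

    Accepts both "digest  name" and "digest *name" (binary-mode) forms.
    A line that does not look like a checksum entry raises ValueError so a
    mangled checksum file is not silently treated as empty.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = _ALGORITHMS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("unrecognised digest in line: %r" % raw)
        entries.append((algo, digest, name))
    return entries


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-hundred-MB ISO image is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(checksum_text, directory):
    """Check every entry in checksum_text against the files in directory.

    Returns {filename: "OK" | "FAILED" | "MISSING"}. Anything other than
    "OK" means the file must not be used (the guide's Caution).
    """
    results = {}
    for algo, expected, name in parse_checksum_lines(checksum_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results


def demo():
    """Constructed data: one intact file, one copy with a flipped byte, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sg_engine_example.iso"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(d, "sg_engine_example_corrupt.iso"), "wb") as f:
            f.write(b"hellp")  # one byte changed, as a truncated or corrupted download would be
        checksums = (
            "5d41402abc4b2a76b9719d911017c592  sg_engine_example.iso\n"          # MD5("hello")
            "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  sg_engine_example_corrupt.iso\n"  # SHA-1("hello")
            "5d41402abc4b2a76b9719d911017c592  sg_engine_missing.iso\n"
        )
        return verify_files(checksums, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

In practice, save the checksum lines from the download page to a file, run verify_files() on it from the directory that holds the downloaded .iso, and refuse to continue unless every entry reports OK.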

Switch SPAN Ports and Hubs

A Switched Port Analyzer (SPAN) port is used for copying network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic. With a hub, no special configuration such as a SPAN port is needed, as all the traffic going through the hub is sent to all ports. A StoneGate IPS capture interface can be connected directly to a SPAN port of a switch; all the traffic to be monitored then needs to be copied to this SPAN port. The SPAN mode capture interface is also used when connecting the capture interface to a hub, although a hub may not be suitable for network performance reasons. Note that a SPAN port has the bandwidth of a single switch port: mirroring a busy full-duplex link or several ports can exceed it, and the switch then drops the excess without warning, so the Sensor does not see all the traffic on the segment.

Network TAPs

A Test Access Port (TAP) is a passive device inserted in the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are divided onto separate wires. For this reason, StoneGate IPS needs two capture interfaces for a network TAP: one capture interface for each direction of the traffic. The two related capture interfaces are handled in StoneGate IPS as one logical interface that combines the traffic of these two interfaces for inspection.

System Installation

The StoneGate IPS system consists of the Management Center, the Sensors, and the Analyzers. The StoneGate Management Center (SMC) components can be installed separately on different machines or on the same machine, depending on your requirements. The Management Center can manage one or more StoneGate IPS Sensors and Analyzers. The same SMC can also be used for managing StoneGate Firewall and VPN solutions. The StoneGate IPS Analyzer can either be installed on a separate machine or combined with a Sensor on a single machine as a combined Sensor/Analyzer. The combined Sensor/Analyzer is mainly aimed at small environments, whereas a separate Analyzer machine should be used where higher performance is required.

The three basic types of StoneGate IPS Sensor installations are as follows:

Single Sensor installation. A single Sensor has only one node. It does not support load balancing or high availability. Instructions on defining a single Sensor element are given in Defining a Single Sensor, on page 73.

Sensor cluster installation. A StoneGate IPS Sensor cluster supports up to 16 nodes functioning as a single virtual entity. Each node of the cluster uses the same security policy configuration defined through the GUI client. A cluster can be configured for dynamic load balancing or as a hot standby solution. Instructions on defining a Sensor cluster element are given in Defining a Sensor Cluster, on page 67.

Combined Sensor/Analyzer installation. A combined Sensor/Analyzer is similar to a single Sensor, but it also has the Analyzer on the same physical machine. This installation does not support load balancing or high availability. Instructions on defining a combined Sensor/Analyzer element are given in Defining a Combined Sensor/Analyzer, on page 77.

For more information, see the StoneGate IPS Administrator's Reference and the StoneGate IPS Administrator's Guide.

Example Network Scenario

Three example Sensor installations are described in this Guide:
- a combined Sensor/Analyzer
- a single Sensor
- a Sensor cluster installation.

The two different Analyzer installations are illustrated with:
- a combined Sensor/Analyzer
- an Analyzer on a separate machine.

The network scenario for these installations is based on the example network in Figure 3.1. The scenario illustration can also be found in the front of the book.

FIGURE 3.1 Example Network Scenario

StoneGate Management Center

The SMC of the example scenario is described in Table 3.1.

TABLE 3.1 SMC in the Example Scenario

SMC Component: Management Server
Description: The Management Server is located in the Headquarters Management Network with the IP address 192.168.10.200. This Management Server manages all the StoneGate IPS Sensors, Analyzers, and Log Servers of the example network.

SMC Component: HQ Log Server
Description: This server is located in the Headquarters Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer.

SMC Component: Branch Office Log Server
Description: This server is located in the Branch Office Intranet with the IP address 172.16.2.201. This Log Server receives alerts and log data from the Branch Office Sensor/Analyzer.

TABLE 3.1 SMC in the Example Scenario (Continued)

SMC Component: GUI client
Description: The GUI client can be at any location from which it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple GUI clients in different locations. In this example, the GUI client is located in the Headquarters Management Network.

Combined Sensor/Analyzer

In the example scenario, the Branch Office Sensor/Analyzer in the Branch Office network is a combined Sensor/Analyzer.

TABLE 3.2 Combined Sensor/Analyzer in the Example Scenario

Network Interface: Capture Interfaces
Description: The Branch Office Sensor/Analyzer has two Capture Interfaces that are connected to a network TAP in the Branch Office Intranet, one interface for each direction of the traffic. All the traffic in this network segment is forwarded to the network TAP for inspection.

Network Interface: NDIs
Description: The Branch Office Sensor/Analyzer has one NDI that is connected to the Branch Office Intranet using the IP address 172.16.2.41. This NDI is used for:
- control connections from the Management Server
- sending log data and alerts to the Branch Office Log Server
- TCP connection termination (by the Sensor).

Sensor Cluster

In the example scenario, the HQ Sensor Cluster is a cluster located in the Headquarters network. The cluster consists of two Sensor nodes: Node 1 and Node 2.

TABLE 3.3 Sensor Cluster in the Example Scenario

Network Interface: Capture Interfaces
Description: The HQ Sensor Cluster's Capture Interface on each node is connected to a SPAN port on the Headquarters Intranet switch. All the traffic in this network segment is forwarded to the SPAN ports for inspection.

TABLE 3.3 Sensor Cluster in the Example Scenario (Continued)

Network Interface: NDIs
Description: The NDI on each node is connected to the Headquarters Intranet, with Node 1 using the IP address 172.16.1.41 and Node 2 using the IP address 172.16.1.42. This NDI is used for:
- control connections from the Management Server
- sending events to the HQ Analyzer
- TCP connection termination.

Network Interface: Heartbeat interfaces
Description: The nodes have heartbeat interfaces connected to the dedicated heartbeat network 10.42.1.0/24 as follows: Node 1 uses the IP address 10.42.1.41 and Node 2 uses the IP address 10.42.1.42.

Single Sensor

In the example scenario, the DMZ Sensor in the Headquarters DMZ network is a single Sensor.

TABLE 3.4 Single Sensor in the Example Scenario

Network Interface: Capture Interfaces
Description: The DMZ Sensor's Capture Interface is connected to a SPAN port in the Headquarters DMZ Network. All the traffic in this network segment is forwarded to the SPAN port for inspection.

Network Interface: NDIs
Description: The NDI is connected to the DMZ network using the IP address 192.168.1.41. This NDI is used for:
- control connections from the Management Server
- sending event information to the HQ Analyzer
- TCP connection termination.

Analyzer

In the example scenario, the HQ Analyzer is located in the Headquarters Management network.

TABLE 3.5 Analyzer in the Example Scenario

Network Interface: NDIs
Description: The HQ Analyzer's NDI is connected to the Headquarters Management Network using the IP address 192.168.10.61. This NDI is used for:
- control connections from the Management Server
- receiving event information from the HQ Sensor Cluster and the DMZ Sensor
- sending log data and alerts to the HQ Log Server
- sending IP blacklists to the defined firewalls.

Overview to the Installation Procedure

This Guide provides step-by-step instructions on how to install the StoneGate Management Center, a combined Sensor/Analyzer, a single Sensor, a Sensor cluster, and an Analyzer. The installation is straightforward and consists of the following steps:

1. Plan the installation of the StoneGate IPS Sensors, Analyzers, and the Management Center. See Planning StoneGate IPS Installation, on page 29.
2. Configure the physical network environment as planned. See Planning StoneGate IPS Installation, on page 29.
3. Check the integrity of the StoneGate IPS installation files using the file checksums. See Checking the File Integrity, on page 31.
4. Install and configure the Management Center and the GUI client. See Installing the Management Center, on page 41.
5. Define the Sensor and Analyzer elements and other necessary elements in the Management Center. See Defining Sensors and Analyzers, on page 59.
6. Generate the initial configuration for the Sensors and Analyzers. See Saving the Initial Configuration, on page 89.
7. Install and configure the Sensors and Analyzers. See Installing Sensors and Analyzers, on page 95.
8. Test that the installed system operates as planned.

The installation and configuration procedure is explained in detail in the following chapters.
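The element-definition steps in the Quick Start (create a Router for the default gateway, drag it onto the element's directly-connected network, then drag Any Network onto the Router) only work if the gateway address actually lies in the network the NDI is attached to; an engine whose gateway is on the wrong network never completes Contact Management Server. The following added example, not part of the StoneGate guide or product, checks that constraint, the cluster heartbeat requirement and duplicate addresses over the example scenario of Tables 3.1 to 3.5 before any initial configuration is generated. The guide gives the host addresses and the 10.42.1.0/24 heartbeat network; the /24 prefix lengths of the other networks and the .1 gateway addresses are assumptions made for this example.

```python
"""Pre-flight check of the example network scenario's addressing.

Added example, not part of the StoneGate guide. Addresses come from
Tables 3.1 to 3.5; the prefix lengths other than the heartbeat /24 and
the .1 gateway addresses are assumed.
"""
import ipaddress

NETWORKS = {  # prefix lengths other than HQ Heartbeat are assumed
    "HQ Management": ipaddress.ip_network("192.168.10.0/24"),
    "HQ Intranet": ipaddress.ip_network("172.16.1.0/24"),
    "HQ DMZ": ipaddress.ip_network("192.168.1.0/24"),
    "Branch Office Intranet": ipaddress.ip_network("172.16.2.0/24"),
    "HQ Heartbeat": ipaddress.ip_network("10.42.1.0/24"),
}

# One entry per element: NDI address per node, attached network, assumed
# default gateway, and (clusters only) heartbeat addresses and network.
ELEMENTS = [
    {"name": "Management Server", "network": "HQ Management",
     "ndi": ["192.168.10.200"], "gateway": "192.168.10.1"},
    {"name": "HQ Log Server", "network": "HQ Management",
     "ndi": ["192.168.10.201"], "gateway": "192.168.10.1"},
    {"name": "HQ Analyzer", "network": "HQ Management",
     "ndi": ["192.168.10.61"], "gateway": "192.168.10.1"},
    {"name": "HQ Sensor Cluster", "network": "HQ Intranet",
     "ndi": ["172.16.1.41", "172.16.1.42"], "gateway": "172.16.1.1",
     "heartbeat": ["10.42.1.41", "10.42.1.42"], "heartbeat_network": "HQ Heartbeat"},
    {"name": "DMZ Sensor", "network": "HQ DMZ",
     "ndi": ["192.168.1.41"], "gateway": "192.168.1.1"},
    {"name": "Branch Office Sensor/Analyzer", "network": "Branch Office Intranet",
     "ndi": ["172.16.2.41"], "gateway": "172.16.2.1"},
    {"name": "Branch Office Log Server", "network": "Branch Office Intranet",
     "ndi": ["172.16.2.201"], "gateway": "172.16.2.1"},
]


def check_elements(elements, networks=NETWORKS):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    owner = {}  # address -> element name, to catch duplicates across elements

    def claim(ip, name):
        if ip in owner:
            problems.append("%s: address %s already used by %s" % (name, ip, owner[ip]))
        owner[ip] = name

    for e in elements:
        name, net = e["name"], networks[e["network"]]
        gw = ipaddress.ip_address(e["gateway"])
        if gw not in net:
            # The mistake the routing steps are meant to prevent: the gateway
            # Router must sit on the element's directly-connected network.
            problems.append("%s: gateway %s is not in %s" % (name, gw, net))
        for addr in e["ndi"]:
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                problems.append("%s: NDI %s is not in %s" % (name, ip, net))
            if ip == gw:
                problems.append("%s: NDI %s collides with the gateway" % (name, ip))
            claim(ip, name)
        hb = e.get("heartbeat", [])
        if len(e["ndi"]) > 1 and len(hb) != len(e["ndi"]):
            problems.append("%s: %d nodes but %d heartbeat addresses" % (name, len(e["ndi"]), len(hb)))
        for addr in hb:
            ip = ipaddress.ip_address(addr)
            hb_net = networks[e["heartbeat_network"]]
            if ip not in hb_net:
                problems.append("%s: heartbeat %s is not in %s" % (name, ip, hb_net))
            claim(ip, name)
    return problems


def misconfigured_example():
    """Constructed mistake: the DMZ Sensor's gateway Router was given the
    Management network's gateway address instead of one in the DMZ."""
    elements = [dict(e) for e in ELEMENTS]
    for e in elements:
        if e["name"] == "DMZ Sensor":
            e["gateway"] = "192.168.10.1"
    return check_elements(elements)


if __name__ == "__main__":
    print("scenario as documented:", check_elements(ELEMENTS) or "OK")
    print("with the DMZ gateway mistake:", misconfigured_example())
```

The documented scenario passes cleanly; the constructed mistake in misconfigured_example() is reported before the Sensor is ever booted, which is far cheaper than diagnosing a Connection field that never shows Connected.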


INSTALLING THE MANAGEMENT CENTER

CHAPTER 4 Installing the Management Center

This chapter describes how to install the StoneGate Management Center components on the supported platforms. The following sections are included:
- Installing the Management Center, on page 42
- Non-graphical Installation, on page 54
- Uninstalling the Management Center, on page 56

Chapter 4: Installing the Management Center

Installing the Management Center

Before you begin the installation, log in to the system with sufficient administrative rights to modify the files involved. In Windows, log in with administrator rights. In Linux and Solaris, you must be logged in as root to install the software.

Note: If the operating system is an international (non-English) version of Windows, there may be complications with running the Management Center on that platform. In this case, contact Stonesoft support.

Installing the Solaris Patches

If you are running the StoneGate Management Center on Solaris, you first need to install certain Solaris patches for the Java Runtime Environment (JRE). The requirements and instructions for installing the patches can be found on the Sun Microsystems Web site at http://java.sun.com/j2se/1.3/install-solaris-patches.html.

Checking File Integrity

Before installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

Installing the Management Center Components

Starting the Installation

The steps described here are the same for the installation of the Management Server, the Log Server, and the GUI client.

Note: The Management Center installation requires at least 350 MB of available disk space in the system's temporary directory for extracting the installation files.

To start the Management Center installation

1. Insert the StoneGate IPS installation CD-ROM and run the setup executable.
   In Windows, run CD-ROM\Windows\setup.bat.
   In Linux and Solaris, using a Bourne-compatible shell (e.g., sh, ksh):
   1.1 If the CD-ROM is not mounted automatically, mount it in Linux with mount /dev/cdrom /mnt/cdrom and in Solaris with mount /cdrom.
   1.2 Change to the CD-ROM/Linux/ or CD-ROM/Solaris/ directory according to the platform used.
   1.3 Run the command ./setup.sh to start the installation.
   If you are using Linux or Solaris and want to use the graphical installation, make sure that the X Window System has been started before launching the StoneGate IPS setup. Alternatively, see Non-graphical Installation, on page 54.
   In Linux and Solaris, the installation creates the sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or by the sgadmin user; the shell scripts run with sgadmin privileges, not root. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.
2. First, the Java Runtime Environment (JRE) is installed for StoneGate IPS.

ILLUSTRATION 4.1 Accepting the License Agreement

3. Read carefully through the license agreement. To accept the license agreement, select the corresponding radio button and click Next.

ILLUSTRATION 4.2 Defining the Destination Directory

4. Define the directory where the Management Center is installed and click Next.

Note: When installing the server as a service, define a directory path that does not contain spaces.

TABLE 4.1 Management Server Default Installation Paths

Platform   Default directory
Windows    C:\Stonesoft\StoneGate\
Linux      /usr/local/stonegate/
Solaris    /opt/stonegate/

ILLUSTRATION 4.3 Creating Shortcuts

5. In Windows, select the location for the shortcut icons and click Next. By default, the shortcut icons are located in Start > Programs > StoneGate.

ILLUSTRATION 4.4 Choosing the Installation Type

6. Select the installation type as follows:
   - Select Typical to install all Management Center components on the machine. Continue in Installing the Management Server, on page 46.
   - Select Administration Client Only to install just the GUI client. Continue in Installing the GUI Client, on page 52.
   - Select Custom to decide which Management Center components to install on the machine. Continue with the step below.

ILLUSTRATION 4.5 Selecting the System Components for Installation

7. Illustration 4.5 is displayed for a Custom installation. Select the Management Center components to be installed. The components can be on the same machine or on separate machines.
   - To install the Management Server, proceed to Installing the Management Server, on page 46.
   - To install the Log Server, proceed to Installing the Log Server, on page 48.
   - To install the GUI client, proceed to Installing the GUI Client, on page 52.

Installing the Management Server

To install the Management Server

1. Click Next in the installation type selection. A screen like Illustration 4.6 is displayed.

ILLUSTRATION 4.6 Creating a Superuser Account

2. Create the default StoneGate Management Center Superuser account by defining a user name (e.g., admin) and a password, then click Next to continue.

Note: The account specified here is the only account that can be used to log in to the Management Center after the installation has finished, so choose a strong password and store it securely. More administrator accounts can be defined in the GUI as explained in the Administrator's Guide.

ILLUSTRATION 4.7 Configuring the Management Server

3. Enter the IP address of the Management Server. This is the IP address used for communication with the other system components.

4. Enter the IP address of the Alert Server. This is the IP address of the Log Server you want to use for handling alerts.
5. Click Next to continue.
6. If you want to install the Management Server as a service, select the Install as a service checkbox. When the server runs as a service, it is started automatically and runs in the background after a system reboot. Otherwise, the server needs to be started manually after every reboot.
7. If you selected that the Log Server is also installed at the same time on the same machine, go to the configuration steps in Installing the Log Server, on page 48.
8. Otherwise, click Next and the Ready to Install window is displayed.
9. Click Install to start the installation.
10. To start the Management Server, see Starting the Management Server, on page 60.

Installing the Log Server

Before installing the Log Server, the Management Server must be installed. This is required for establishing a trust relationship between the Management Server and the Log Server during the Log Server installation, using certificates. If the Log Server is installed simultaneously on the same machine as the Management Server, the Log Server certificate is generated automatically.

Note: The screens may differ slightly when installing the Log Server simultaneously with the Management Server on the same machine.

To install the Log Server

1. Click Next. The Configure Log Server window is displayed.