version 1.0 Installation Guide




Copyright 2001-2004 Stonesoft Corp. All rights reserved.

No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Stonesoft Corporation.

Stonesoft Corporation
Itälahdenkatu 22 A
FIN-00210 Helsinki
Finland

Stonesoft Inc.
South Terraces, Suite 1000
115 Perimeter Center Place
Atlanta, GA 30346
USA

Stonesoft Corporation
90 Cecil Street, #13-01
069531 Singapore

Trademarks

The products described in this documentation are protected by one or more of U.S. Patents and European Patents: U.S. Patent No. 6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. Patents, foreign patents, or pending applications.

Stonesoft, the Stonesoft logo, StoneBeat, FullCluster, ServerCluster, StoneGate, and WebCluster are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries.

Sun, Sun Microsystems, the Sun Logo, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

Windows, Windows NT, and Microsoft are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. IBM, Redbooks, zSeries and z/VM are trademarks or registered trademarks of the International Business Machines Corporation in the United States and/or other countries. Syntax is a registered trademark of Linotype-Hell AG and/or its subsidiaries. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGIIG_100_20040528

Example Network Scenario

Table of Contents

GETTING STARTED

CHAPTER 1 Using StoneGate IPS Documentation
  Objectives and Audience
  Overview of the StoneGate IPS Installation Guide
  How to Use This Guide
  Example Network Scenario
  Typographical Conventions
  StoneGate IPS Documentation Map
  Guide Books
  Support Documentation
  Contact Information
  Technical Support
  Security Related Questions and Comments
  Product Sales
  Documentation Comments

CHAPTER 2 Quick Start Instructions
  Requirements for the Installation
  Quick Installation

CHAPTER 3 Planning StoneGate IPS Installation
  Important to Know Before Installation
  System Components and Supported Platforms
  StoneGate IPS System Components
  Supported Platforms
  Checking the File Integrity
  Checking the Surrounding Network Environment
  Switch SPAN Ports and Hubs
  Network TAPs
  System Installation
  Example Network Scenario
  StoneGate Management Center
  Combined Sensor/Analyzer
  Sensor Cluster
  Single Sensor
  Analyzer
  Overview to the Installation Procedure

INSTALLING THE MANAGEMENT CENTER

CHAPTER 4 Installing the Management Center
  Installing the Management Center
  Installing the Solaris Patches
  Checking File Integrity
  Installing the Management Center Components
  Starting the Installation
  Installing the Management Server
  Installing the Log Server
  Installing the GUI Client
  Non-graphical Installation
  Uninstalling the Management Center
  Uninstalling in Non-graphical Mode

CHAPTER 5 Defining Sensors and Analyzers
  Starting the StoneGate Management Center
  Starting the Management Server
  Starting the GUI Client
  Installing StoneGate IPS Licenses
  Starting the Log Server
  Defining an Analyzer
  Defining the Network Interfaces
  Defining Logical Interfaces
  Defining a Sensor Cluster
  Defining the Cluster Network Interfaces
  Defining the Node Specific Properties
  Adding a Node to the Cluster
  Defining a Single Sensor
  Defining the Network Interfaces
  Defining a Combined Sensor/Analyzer
  Defining the Network Interfaces
  Configuring Routing
  Configuring IP Addressing for NAT
  Sensor and Analyzer Contact Addresses
  Management Server Contact Address
  Log Server Contact Address
  Saving the Initial Configuration

INSTALLING SENSORS AND ANALYZERS

CHAPTER 6 Installing Sensors and Analyzers
  Installing the Sensor or Analyzer
  Checking the File Integrity
  Booting From the CD-ROM
  Configuring the Sensor or Analyzer
  Selecting a Configuration Method
  Configuring the Operating System Settings
  Configuring the Network Interfaces
  Contacting the Management Server
  Installing in Expert Mode
  Checking the File Integrity
  Booting From the CD-ROM
  Partitioning the Hard Disk Manually
  Allocating Partitions

UPGRADING STONEGATE IPS

CHAPTER 7 Upgrading StoneGate IPS
  Upgrading StoneGate Management Center
  Checking the File Integrity
  Obtaining Licenses
  Upgrading StoneGate Management Center
  Upgrading the Sensors and Analyzers Remotely
  Upgrading Sensors and Analyzers Locally

APPENDICES

APPENDIX A Command Line Tools
APPENDIX B StoneGate IPS Ports
Software and License Information
Index

GETTING STARTED

CHAPTER 1
Using StoneGate IPS Documentation

Welcome to Stonesoft Corporation's StoneGate IPS Intrusion Detection and Response System for Intelligent Analysis. This chapter describes how to use the StoneGate IPS Installation Guide and related documentation. It also provides directions for obtaining technical support and how to give feedback about the documentation.

The chapter contains the following sections:
  Objectives and Audience
  Overview of the StoneGate IPS Installation Guide
  Typographical Conventions
  StoneGate IPS Documentation Map
  Contact Information

Objectives and Audience

This StoneGate IPS Installation Guide describes step by step how to complete installation of the StoneGate Management Center and the StoneGate IPS Sensors and Analyzers. This Guide is intended for technical people who administrate and implement StoneGate IPS installations. The tasks are illustrated by using an example network scenario.

If you need a more comprehensive explanation on the functionality and operation of StoneGate IPS, please see the StoneGate IPS Administrator's Reference. For more information on other related StoneGate IPS documentation, see section StoneGate IPS Documentation Map.

Overview of the StoneGate IPS Installation Guide

How to Use This Guide

This guide is organized in chapters explaining the installation of the StoneGate IPS tasks in a step-by-step format. Each chapter focuses on one area of StoneGate IPS installation. The chapters are organized following the StoneGate IPS installation steps, as explained in Overview to the Installation Procedure. For detailed information on managing StoneGate IPS, please refer to the StoneGate IPS Administrator's Guide.

Example Network Scenario

To illustrate the installation tasks, this Guide uses an example network scenario presented in section Example Network Scenario. The network scenario is also presented in the front of the book, before the Table of Contents.

Typographical Conventions

The following typographical conventions are used throughout this guide:

TABLE 1.1 Typographical Conventions

Formatting | Informative Uses
Normal text | This is normal text.
GUI elements | Interface elements (buttons, menus, icons) and any other interaction with the user interface are in boldface.
References, terms | Cross-references and the described acronyms and terms are in italics.
Command line | File names, directories, and text displayed on the screen are monospaced.
User input | User input on screen is monospaced bold-face.
Command parameters | Command parameter names are in monospaced italics.

In addition, we use the following icons to indicate important or additional information.

Note: Notes provide important information that may help you complete a task.

Caution: Cautions provide cautionary or critical information that you should take into account before performing an action or implementing a feature.

Tip: Tips provide information that is not crucial, but may still be helpful.

StoneGate IPS Documentation Map

StoneGate IPS technical documentation is divided into two main categories: Guide Books and Support Documentation. We will next describe the different types of documents.

Guide Books

The StoneGate IPS Guide books are the primary resource of technical information. The Guide books provide comprehensive guidelines on using and configuring StoneGate IPS, as well as descriptions of its operation and features. To locate the StoneGate IPS Guide that provides the information you need, see Table 1.2.

TABLE 1.2 Description of Guide Books

Guide | Description
Administrator's Reference | Describes comprehensively the operation and features of StoneGate IPS.
Installation Guide | Demonstrates the steps required for planning, installing, and upgrading a StoneGate IPS system.
Administrator's Guide | Describes how to configure and manage a StoneGate IPS system. Uses detailed step-by-step examples.
Online Help | Explains the management GUI client's buttons, fields, etc. (Accessible from the GUI client's Help menu and by using the Help button in the GUI windows.)

The StoneGate IPS Guides are available as printed versions in the StoneGate IPS product kit. The PDF versions are available on the StoneGate IPS CD-ROM and Stonesoft's Web site at http://www.stonesoft.com/products/stonegate/.

Support Documentation

The StoneGate IPS support documentation provides additional and late-breaking technical information on StoneGate IPS and related issues. These documents are supportive information resources to be used in conjunction with the StoneGate IPS Guide books.

The support documentation is further divided into several document types. To locate the support document that provides the information you need, see Table 1.3.

TABLE 1.3 Description of Support Documentation

Documentation | Description
Release Notes | Describe the release specific information. Contains new features, fixes and enhancements, software version information, system requirements, and other StoneGate IPS version specific information.
Technical Knowledge Base | Answers simple recurrent topics concerning StoneGate IPS.
Technical Notes | Describe related technical information not necessarily limited to StoneGate IPS software. For example, related third-party products, technologies, and standards.
How-To Guidelines | Describe certain special cases of StoneGate IPS system configuration and possible related third-party products.

The latest StoneGate IPS support documentation is available on the Stonesoft Web site at http://www.stonesoft.com/support/.

Contact Information

For general information about StoneGate IPS and Stonesoft Corporation, please visit our Web site at http://www.stonesoft.com/.

Technical Support

Stonesoft offers global technical support for Stonesoft's product families. For more information on the technical support services, please visit Stonesoft's Web site at http://www.stonesoft.com/support/.

Security Related Questions and Comments

You can send any questions or comments relating to StoneGate IPS and network security to security-alert@stonesoft.com. A PGP key is available at ftp://download.stonesoft.com/web/support/stonesoft%20security%20alert.asc.

Product Sales

For sales questions or other information or comments on the StoneGate IPS product, please send e-mail to info@stonesoft.com.

Documentation Comments

Your input is essential in order for the StoneGate IPS documentation to better serve your needs. Let us know of any errors you find, as well as suggestions for future editions, comments, etc. by writing to

Stonesoft Corporation
Documentation
Itälahdenkatu 22A
FIN-00210 Helsinki
Finland

or by e-mailing documentation@stonesoft.com.

CHAPTER 2
Quick Start Instructions

These quick start instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters.

This chapter contains the following sections:
  Requirements for the Installation
  Quick Installation

Requirements for the Installation

The prerequisites for this quick installation setup are described below.

TABLE 2.1 Requirements for the Quick Installation

Item | Description
Hardware: Management Center | Two machines with Windows, Linux, or Solaris installed for the Management Server and the Log Server. One NIC required on each machine. The GUI client can be installed on either or both of these machines. (Alternatively, all Management Center components can be installed on the same machine.) See the system requirements in the Release Notes at http://www.stonesoft.com/download/.
Hardware: Sensor | One Intel compatible machine with at least two NICs. (At least three NICs are required if wire TAP is used.) The Sensor uses an integrated operating system. See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.
Hardware: Analyzer | One Intel compatible machine with at least one NIC. The Analyzer uses an integrated operating system. (Alternatively, Sensor and Analyzer can be combined on the same machine.) See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.
Network: Ethernet cabling | Ethernet cabling is needed to network the StoneGate Management Center, the Sensor, and the Analyzer for intercommunications.
Network: traffic capturing | One switch SPAN port (port mirroring), a wire TAP device, or a Hub is needed for capturing the traffic on the Sensor.
Network: IP addressing | All the machines require an IP address reachable from the connecting StoneGate IPS or Management Center machines. This may require routing if the machines are not in the same network.
Software: StoneGate IPS | The StoneGate IPS and the Management Center software, documentation, and the Release Notes can be ordered on a CD-ROM or downloaded at http://www.stonesoft.com/download/.
Software: latest update packages | The latest dynamic update packages for StoneGate IPS can be downloaded at http://www.stonesoft.com/download/.
License: StoneGate IPS and Management Center | The StoneGate IPS and Management Center evaluation license can be ordered from the Stonesoft License Center at http://www.stonesoft.com/licenses/.

Quick Installation

These instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters. The installation proceeds as follows:

1. Set up the networking environment
2. Install the Management Server
3. Install the Log Server
4. Install the GUI client
5. Start up the Management Center
6. Define the Analyzer element
7. Install the Analyzer
8. Define the Sensor element
9. Install the Sensor
10. Load Dynamic Updates
11. Install Policies
12. Browse the alerts and logs

Set up the networking environment (see Planning StoneGate IPS Installation)

1. Select the IP addresses for StoneGate IPS:

TABLE 2.2 IP addresses for StoneGate IPS

StoneGate IPS component | IP Addressing | Notes
Management Server | |
Log Server | |
Analyzer | |
Sensor | |

2. Configure the related network devices: switches, routers, SPAN ports, wire TAPs and so on.
3. Connect the StoneGate IPS machines to the network.
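The script below is an added example and is not part of the Stonesoft guide: it checks a filled-in Table 2.2 address plan against the NIC counts in Table 2.1 and the routing requirement before any machine is installed. The role names, field names and sample addresses are assumptions made for the example, and it treats every component as needing to reach every other component.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Minimum NIC counts from Table 2.1 (a Sensor needs three when a wire TAP is used).
MIN_NICS = {"management": 1, "log": 1, "analyzer": 1,
            "sensor/span": 2, "sensor/tap": 3}


@dataclass
class Component:
    role: str                            # management, log, analyzer or sensor
    address: str                         # control IP with prefix, e.g. "192.0.2.10/24"
    nics: int                            # number of NICs fitted in the machine
    gateway: Optional[str] = None        # default gateway, if one is planned
    capture_mode: Optional[str] = None   # Sensor only: "span" (switch or hub) or "tap"

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address)


def check_plan(plan: List[Component]) -> List[str]:
    """Return the problems found in the plan; an empty list means it passes."""
    problems = []

    # 1. No two components may share a control address.
    owner = {}
    for c in plan:
        ip = c.iface.ip
        if ip in owner:
            problems.append(f"{c.role}: {ip} is already assigned to {owner[ip]}")
        else:
            owner[ip] = c.role

    # 2. NIC counts per Table 2.1; the Sensor minimum depends on the capture mode.
    for c in plan:
        key = c.role
        if c.role == "sensor":
            if c.capture_mode not in ("span", "tap"):
                problems.append("sensor: capture_mode must be 'span' or 'tap'")
                continue
            key = f"sensor/{c.capture_mode}"
        if key not in MIN_NICS:
            problems.append(f"{c.role}: unknown role")
        elif c.nics < MIN_NICS[key]:
            problems.append(f"{c.role}: has {c.nics} NIC(s), needs {MIN_NICS[key]}")

    # 3. Components in other networks need routing: a default gateway must be
    #    planned, and it must sit on the component's directly connected network.
    for c in plan:
        off_link = [p.role for p in plan
                    if p is not c and p.iface.ip not in c.iface.network]
        if not off_link:
            continue
        if c.gateway is None:
            peers = ", ".join(off_link)
            problems.append(f"{c.role}: no default gateway to reach {peers}")
        elif ipaddress.ip_address(c.gateway) not in c.iface.network:
            problems.append(
                f"{c.role}: gateway {c.gateway} is outside {c.iface.network}")
    return problems


# Constructed sample plans using documentation address ranges (RFC 5737).
FLAT_PLAN = [
    Component("management", "192.0.2.10/24", nics=1),
    Component("log", "192.0.2.11/24", nics=1),
    Component("analyzer", "192.0.2.20/24", nics=1),
    Component("sensor", "192.0.2.30/24", nics=2, capture_mode="span"),
]
ROUTED_PLAN = [
    Component("management", "192.0.2.10/24", nics=1, gateway="192.0.2.1"),
    Component("log", "192.0.2.11/24", nics=1, gateway="192.0.2.1"),
    Component("analyzer", "192.0.2.20/24", nics=1, gateway="192.0.2.1"),
    # Wire TAP Sensor with only two NICs and a gateway copied from the other network.
    Component("sensor", "198.51.100.30/24", nics=2, gateway="192.0.2.1",
              capture_mode="tap"),
]

if __name__ == "__main__":
    for name, plan in (("flat", FLAT_PLAN), ("routed", ROUTED_PLAN)):
        print(name, check_plan(plan) or "OK")
```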

Install the Management Server (see Installing the Management Center)

TABLE 2.3 Management Server Configuration

Configuration Item | Value | Notes
Superuser account | |
Management Server IP address | |

1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Management Server and the GUI client to be installed on the Management Server machine.
3. Define the Management Center superuser account.
4. Define the IP address for the Management Server.
5. Select Install as a service.
6. Complete the Management Server installation.

Install the Log Server (see Installing the Management Center)

TABLE 2.4 Log Server Configuration

Configuration Item | Value | Notes
Log Server IP address | |

1. Run setup.exe for Windows or setup.sh for Linux/Unix from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Log Server from the list.
3. Define the IP address for the Log Server.
4. Define the Management Server's IP address.
5. Select Certify the Log Server during the installation.
6. Select Install as a service.

7. In the Certificate Generation window, log in with the Superuser account to establish a connection to the Management Server.
8. Complete the Log Server installation.

Install the GUI client (see Installing the Management Center)

1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Administration Client Only installation type.
3. Define the Management Server's IP address.
4. Complete the GUI client installation.

Start up the Management Center (see Defining Sensors and Analyzers)

1. Start the GUI client and log in with the Superuser account.
2. Import and activate the StoneGate IPS license from the .jar license file.
3. Start the Log Server service from the Windows Control Panel or by running the init script in Linux/Unix.

Define the Analyzer element (see Defining an Analyzer)

TABLE 2.5 Analyzer Element Definition

Configuration Item | Value | Notes
Network Interface | IP address: |
Default gateway | IP address: |
One-time password | |

1. In the GUI client, open the Resource Manager by clicking the toolbar icon or selecting Manage -> Resource Manager from the menu.
2. Create a new Analyzer element.
3. Select the Log Server from the drop-down list.

4. Click Add Interface and define NIC ID 0 with the IP address for the Analyzer. Select all the following options for the interface: Control IP Address Primary Log/Analyzer connection source IP address.
5. Click OK to create the Analyzer element.
6. Create a Router element for the Analyzer's default gateway.
7. In the Resource Manager Routing view, drag the default gateway Router element on the Analyzer's directly-connected network.
8. Drag the Any Network element on the Analyzer's default gateway Router element.
9. In the StoneGate Control Panel, right-click on the Analyzer and select Save Initial Configuration and save it on a floppy disk. Write down the displayed one-time password for the Analyzer installation.

Install the Analyzer (see Installing Sensors and Analyzers)

1. Boot up the Analyzer machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column.
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Analyzer (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password in the initial configuration (if not automatically defined).
11. Select Install Analyzer and complete the installation.

12. In the GUI client Control Panel, double-click on the Analyzer and check that the Connection field displays Connected, indicating a successful initial configuration.

Define the Sensor element (see Defining a Single Sensor)

TABLE 2.6 Sensor Element Definition

Configuration Item | Value | Notes
Capture Interface | Capture mode: SPAN or TAP; NIC ID(s): |
NDI | NIC ID: ; IP address: |
Default gateway | IP address: |
One-time password | |

1. In the GUI client, open the Resource Manager by selecting Manage -> Resource Manager from the menu.
2. Create a new Single Sensor element.
3. Select the Analyzer and the Log Server from the drop-down lists.
4. Click Add Interface and select Node Dedicated Interface for the NIC ID 0. Define the IP address for the Sensor. Select all the following options for the interface: Control IP Address Primary Log/Analyzer connection source IP address.
5. Click Add Interface and select Capture Interface for the NIC ID 1. Select Span Port mode for a switch or hub, or Wire Tap mode for a wire TAP device. If you are using wire TAP, define NIC ID 2 with identical settings for the other direction of the captured traffic.
6. Click OK to create the Sensor element.
7. Create a Router element for the Sensor's default gateway.
8. In the Resource Manager Routing view, drag the default gateway Router element on the Sensor's directly-connected network.

9. Drag the Any Network element on the Sensor's default gateway Router element.
10. In the StoneGate Control Panel, right-click on the Sensor and select Save Initial Configuration and save it on a floppy disk. Write down the displayed one-time password for the Sensor installation.

Install the Sensor (Installing Sensors and Analyzers, on page 95)

1. Boot up the Sensor machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column for the same NIC ID that was defined in the GUI.
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Sensor (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password in the initial configuration (if not automatically defined).
11. Select Install Sensor and complete the installation.
12. In the GUI client Control Panel, double-click on the Sensor and check that the Connection field displays Connected, indicating a successful initial configuration.

Load Dynamic Updates

1. In the GUI client, open the Dynamic Update Manager by selecting Manage → Admin Tools.
2. Import the latest .jar update packages by clicking the toolbar icon or by selecting File → Import Update Packages from the menu.

3. Activate the update packages in numerical order by right-clicking on the package and selecting Activate.

Install Policies

1. Open the Policy Manager by selecting Manage → Security Policies.
2. Right-click on the default Analyzer policy and select Install. Install the policy on the Analyzer.
3. Right-click on the default Sensor policy and select Install. Install the policy on the Sensor.
4. In the GUI client Control Panel, right-click on the Sensor node and select Command → Go Online to start the traffic inspection.

Browse the alerts and logs

1. Open the Alert Browser by selecting Manage → Logs and Alerts → Alert Browser.
2. Open the Log Browser by selecting Manage → Logs and Alerts → Log Browser.

For a detailed introduction to the StoneGate IPS features and their use, please refer to the StoneGate IPS Administrator's Guide and the Administrator's Reference.


CHAPTER 3 Planning StoneGate IPS Installation

This chapter provides general information about the installation, hardware and software prerequisites, and other important information to take into account before the actual StoneGate IPS installation can be performed.

This chapter includes the following sections:
- Important to Know Before Installation
- System Components and Supported Platforms
- Checking the Surrounding Network Environment
- System Installation
- Overview to the Installation Procedure

Important to Know Before Installation

Before you start the installation, you need to carefully plan the site that you are going to install. Check that your operating system and hardware are supported and familiarize yourself with the surrounding network components. Please see the StoneGate IPS Release Notes for further information.

When planning StoneGate IPS installation, please see the StoneGate IPS Administrator's Reference for detailed information on the operation of StoneGate IPS.

System Components and Supported Platforms

StoneGate IPS System Components

A StoneGate IPS system consists of the Management Center, one or more Sensors, and an Analyzer. The StoneGate Management Center consists of the following components:
- the Management Server
- one or more Log Servers
- one or more graphical user interface (GUI) clients.

The StoneGate IPS Sensors and Analyzers can be distributed as follows:
- a combined Sensor/Analyzer with these two components on a single machine.
- a single node Sensor.
- a Sensor cluster which consists of 2 to 16 machines with Sensors called cluster nodes or nodes for short.
- an Analyzer which is required for the Sensors. An Analyzer located on a combined Sensor/Analyzer can also be used by other Sensors.

Supported Platforms

For detailed information on the supported platforms, please see the StoneGate IPS Hardware Requirements available at http://www.stonesoft.com/.

The Sensors and Analyzers have an integrated, hardened Linux operating system and therefore they require no separate operating system installation. The integrated operating system simplifies upgrading the Sensors and Analyzers significantly, as they can be upgraded as a whole without having to separately upgrade the operating system and the StoneGate IPS software.

Checking the File Integrity

Before installing StoneGate IPS, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums can be found on the StoneGate IPS installation CD-ROM and from the product-specific download page at the Stonesoft Web site at http://www.stonesoft.com/download/. For more information on MD5 and SHA-1 algorithms, please see RFC1321 and RFC3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/.

Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third-party programs available.

To check MD5 or SHA-1 file checksum

1. Obtain the checksum from Stonesoft Web site at http://www.stonesoft.com/download/.
2. Change to the directory that contains the file(s) to be checked.
3. Generate a checksum of the file using the command md5sum filename or sha1sum filename, where filename is the name of the installation file.

ILLUSTRATION 3.1 Checking the File Checksums

    $ md5sum sg_engine_1.0.0.1000.iso
    869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

4. Compare the displayed output to the checksum on the Web site.

Caution: Do not use files that have invalid checksums. Contact Stonesoft technical support to resolve the issue.

Checking the Surrounding Network Environment

StoneGate IPS can be connected to a switch SPAN port, a network TAP, or a hub to capture network traffic. The considerations for these connection methods are explained below. For more specific information on compatibility of different network devices and StoneGate IPS, please refer to the Stonesoft Web site at http://www.stonesoft.com/support/.
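Steps 3 and 4 of the checksum procedure under Checking the File Integrity can be scripted so that a difference in case or spacing in the pasted value does not hide a real mismatch, and so that an unusable value is rejected rather than ignored. This is an added example, not part of the StoneGate documentation: the function names normalize_digest and verify_checksum are made up here, and it assumes the md5sum and sha1sum tools that the guide itself uses.

```shell
#!/bin/sh
# Added example: compare an installation file against a published checksum.
# The algorithm is chosen from the length of the published value:
# 32 hex digits = MD5 (md5sum), 40 hex digits = SHA-1 (sha1sum).

# normalize_digest VALUE
# Prints VALUE in lower case with all whitespace removed, so a value pasted
# from a web page compares equal to the tool output.
normalize_digest() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_checksum FILE PUBLISHED_DIGEST
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_checksum() {
    file=$1
    expected=$(normalize_digest "$2")

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Reject anything that is not pure hexadecimal before looking at its length.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "published value is not hexadecimal" >&2
            return 2 ;;
    esac

    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        *)  echo "published value has neither MD5 nor SHA-1 length" >&2
            return 2 ;;
    esac

    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }

    # Feed the file on stdin so the output is "<digest>  -" whatever the file
    # is called, then keep only the digest field.
    actual=$("$tool" < "$file" | cut -d' ' -f1) || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
        return 0
    fi

    echo "MISMATCH ($tool): $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Command-line use: sh verify.sh FILE PUBLISHED_DIGEST
if [ "$#" -eq 2 ]; then
    verify_checksum "$1" "$2"
fi
```

MD5 and SHA-1 are no longer collision-resistant, so a match shows that the file arrived uncorrupted rather than proving who produced it. Take the published value from a source you trust, not from the same medium as the file being checked.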

Switch SPAN Ports and Hubs

A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic. With a hub, no special configuration such as a SPAN port is needed as all the traffic going through the hub is directed to all ports.

A StoneGate IPS capturing interface can be connected directly to a SPAN port of a switch. Then, all the traffic to be monitored needs to be copied to this SPAN port. The SPAN mode capturing interface is also used when connecting the capture interface to a hub, although using a hub might not be suitable because of network performance reasons.

Network TAPs

A Test Access Port (TAP) is a passive device located at the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are divided to separate wires. For this reason, StoneGate IPS needs two capturing interfaces for a network TAP; one capture interface for each direction of the traffic. The two related capturing interfaces are handled in StoneGate IPS as one logical interface that combines the traffic of these two interfaces for inspection.

System Installation

The StoneGate IPS system consists of the Management Center, the Sensors, and the Analyzers. The StoneGate Management Center (SMC) components can be installed separately on different machines or on the same machine, depending on your requirements. The Management Center can manage one or more StoneGate IPS Sensors and Analyzers. The same SMC can also be used for managing StoneGate firewall and VPN solutions.

The StoneGate IPS Analyzer can be either installed on a separate machine, or combined with a Sensor on a single machine as a combined Sensor/Analyzer. The combined Sensor/Analyzer is mainly aimed at small environments, whereas the separate Analyzer machine should be used where higher performance is required.

The three basic types of StoneGate IPS Sensor installations are as follows:
- Single Sensor installation. A single Sensor has only one node. It does not support load balancing or high availability. Instructions on defining a single Sensor element are covered in Defining a Single Sensor, on page 73.
- Sensor cluster installation. A StoneGate IPS Sensor cluster supports up to 16 nodes functioning as a single virtual entity. Each node of the cluster uses the same security policy configuration defined through the GUI client. A cluster can be configured for dynamic load balancing or as a hot standby solution. Instructions on defining a Sensor cluster element are covered in Defining a Sensor Cluster, on page 67.
- Combined Sensor/Analyzer installation. A combined Sensor/Analyzer is similar to Single Sensor but it also has the Analyzer on the same physical machine. This installation does not support load balancing or high availability. Instructions on defining a combined Sensor/Analyzer element are covered in Defining a Combined Sensor/Analyzer, on page 77.

For more information, please see the StoneGate IPS Administrator's Reference and the StoneGate IPS Administrator's Guide.

Example Network Scenario

Three example Sensor installations are described in this Guide:
- a combined Sensor/Analyzer
- a single Sensor
- a Sensor cluster installation.

The two different Analyzer installations are illustrated with
- a combined Sensor/Analyzer
- an Analyzer on a separate machine.

The network scenario for these installations is based on the example network in Figure 3.1. The scenario illustration can also be found in the front of the book.

FIGURE 3.1 Example Network Scenario

StoneGate Management Center

The SMC of the example scenario is described in Table 3.1.

TABLE 3.1 SMC in the Example Scenario

SMC Component: Management Server
Description: The Management Server in the Headquarters Management Network with the IP address 192.168.10.200. This Management Server manages all the StoneGate IPS Sensors, Analyzers, and Log Servers of the example network.

SMC Component: HQ Log Server
Description: This server is located in the Headquarters Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer.

SMC Component: Branch Office Log Server
Description: This server is located in the Branch Office Intranet with the IP address 172.16.2.201. This Log Server receives alerts and log data from the Branch Office Sensor/Analyzer.

SMC Component: GUI client
Description: The GUI client can be at any location where it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple GUI clients in different locations. In this example, the GUI client is located in the Headquarters Management Network.

Combined Sensor/Analyzer

In the example scenario, the Branch Office Sensor/Analyzer in the Branch Office network is a combined Sensor/Analyzer.

TABLE 3.2 Combined Sensor/Analyzer in the Example Scenario

Network Interface: Capture Interfaces
Description: The Branch Office Sensor/Analyzer has two Capture Interfaces that are connected to a network TAP in a Branch Office Intranet: one interface for each direction of the traffic. All the traffic in this network segment is forwarded to the network TAP for inspection.

Network Interface: NDIs
Description: The Branch Office Sensor/Analyzer has one NDI that is connected to the Branch Office Intranet using the IP address 172.16.2.41. This NDI is used for:
- control connections from the Management Server
- sending log data and alerts to the Branch Office Log Server
- TCP connection termination (by the Sensor)

Sensor Cluster

In the example scenario, HQ Sensor Cluster is a cluster located in the Headquarters network. The cluster consists of two Sensor nodes: Node 1 and Node 2.

TABLE 3.3 Sensor Cluster in the Example Scenario

Network Interface: Capture Interfaces
Description: The HQ Sensor Cluster's Capture Interface on each node is connected to a SPAN port in the Headquarters Intranet switch. All the traffic in this network segment is forwarded to the SPAN ports for inspection.

Network Interface: NDIs
Description: The NDI on each node is connected to the Headquarters Intranet with Node 1's IP address 172.16.1.41 and Node 2's address 172.16.1.42. This NDI is used for:
- control connections from the Management Server
- sending events to the HQ Analyzer
- TCP connection termination.

Network Interface: Heartbeat interfaces
Description: The nodes have heartbeat interfaces connected to the dedicated heartbeat network 10.42.1.0/24 as follows: Node 1 uses the IP address 10.42.1.41 and Node 2 uses the IP address 10.42.1.42.

Single Sensor

In the example scenario, the DMZ Sensor in the Headquarters DMZ network is a single Sensor.

TABLE 3.4 Single Sensor in the Example Scenario

Network Interface: Capture Interfaces
Description: The DMZ Sensor's Capture Interface is connected to a SPAN port in the Headquarters DMZ Network. All the traffic in this network segment is forwarded to the SPAN port for inspection.

Network Interface: NDIs
Description: The NDI is connected to the DMZ network using the IP address 192.168.1.41. This NDI is used for:
- control connections from the Management Server
- sending event information to the HQ Analyzer
- TCP connection termination.

Analyzer

In the example scenario, the HQ Analyzer is located in the Headquarters Management network.

TABLE 3.5 Analyzer in the Example Scenario

Network Interface: NDIs
Description: The HQ Analyzer's NDI is connected to the Headquarters Management Network using the IP address 192.168.10.61. This NDI is used for:
- control connections from the Management Server
- receiving event information from the HQ Sensor Cluster and the DMZ Sensor
- sending log data and alerts to the HQ Log Server
- sending IP Blacklists to the defined firewalls.

Overview to the Installation Procedure

This Guide provides step-by-step instructions on how to install the StoneGate Management Center, a combined Sensor/Analyzer, Single Sensor, a Sensor cluster, and an Analyzer. Installation is straightforward, consisting of the following steps:

1. Plan the installation of the StoneGate IPS Sensors, Analyzers, and the Management Center. See Planning StoneGate IPS Installation, on page 29.
2. Configure the physical network environment as planned. See Planning StoneGate IPS Installation, on page 29.
3. Check the integrity of the StoneGate IPS installation files using the file checksums. See Checking the File Integrity, on page 31.
4. Install and configure the Management Center and the GUI client. See Installing the Management Center, on page 41.
5. Define the Sensor and Analyzer elements and other necessary elements in the Management Center. See Defining Sensors and Analyzers, on page 59.
6. Generate the initial configuration for the Sensors and Analyzers. See Saving the Initial Configuration, on page 89.
7. Install and configure the Sensors and Analyzers. See Installing Sensors and Analyzers, on page 95.
8. Test that the installed system operates as planned.

The installation and configuration procedure is explained in detail in the following chapters.


INSTALLING THE MANAGEMENT CENTER

CHAPTER 4 Installing the Management Center

This chapter explains how to install the StoneGate Management Center components on the supported platforms.

The following sections are included:
- Installing the Management Center
- Non-graphical Installation
- Uninstalling the Management Center

Installing the Management Center

Before you begin installing, you need to log in to the system with correct administrative rights to be able to modify certain files. In Windows, you need to log in with administrator rights. In Linux and Solaris you have to log in as root to install the software.

Note: If the operating system is an international (non-English) version of Windows, there might be some complications with running the Management Center on this platform. In this case, please contact Stonesoft support.

Installing the Solaris Patches

If you are running the StoneGate Management Center on Solaris, you first need to install certain patches to Solaris for the Java Runtime Environment (JRE). Requirements and an explanation of how to install the patches can be found on the Sun Microsystems Web site at http://java.sun.com/j2se/1.3/install-solaris-patches.html.

Checking File Integrity

Before installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

Installing the Management Center Components

Starting the Installation

The steps described here are the same for the installation of Management Server, Log Server, and the GUI client.

Note: The Management Center installation requires at least 350 MB of available disk space in the system's temporary directory for extracting the installation files.

To start the Management Center installation

1. Insert the StoneGate IPS installation CD-ROM and run the setup executable:
   - In Windows, run CD-ROM\Windows\setup.bat.
   - In Linux and Solaris Bourne-compatible shells (e.g., sh, ksh):
   1.1 If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with mount /dev/cdrom /mnt/cdrom and in Solaris with mount /cdrom.

   1.2 Change to the CD-ROM/Linux/ or CD-ROM/Solaris/ directory according to the platform used.
   1.3 Run the command ./setup.sh to start the installation.

If you are using Linux or Solaris and want to use the graphical installation, make sure that the X windowing system has been started before launching the StoneGate IPS setup. Alternatively, please see Non-graphical Installation, on page 54.

In Linux and Solaris, the installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at the uninstallation.

2. First, the Java Runtime Environment (JRE) is installed for StoneGate IPS.

ILLUSTRATION 4.1 Accepting the License Agreement

3. Read carefully through the license agreement. To accept the license agreement, select the corresponding radio button and click Next.

ILLUSTRATION 4.2 Defining the Destination Directory

4. Define the directory where the Management Center is installed and click Next.

Note: When installing the server as a service, define a directory path that does not contain spaces.

TABLE 4.1 Management Server Default Installation Paths

Platform    Default directory
Windows     C:\Stonesoft\StoneGate\
Linux       /usr/local/stonegate/
Solaris     /opt/stonegate/

ILLUSTRATION 4.3 Creating Shortcuts

5. In Windows, select the location for the shortcut icons and click Next. By default, the shortcut icons are located in Start → Programs → StoneGate.

ILLUSTRATION 4.4 Choosing the Installation Type

6. Select the installation type as follows:
   - Select Typical to install all Management Center components on the machine. Continue in Installing the Management Server, on page 46.
   - Select Administration Client Only to install just the GUI client. Continue in Installing the GUI Client, on page 52.
   - Select Custom to decide which Management Center components to install on the machine. Continue to the step below.

ILLUSTRATION 4.5 Selecting the System Components for Installation

7. Illustration 4.5 is displayed for Custom installation. Select the Management Center components to be installed. The components can be on the same machine or on separate machines.
   - To install the Management Server, proceed to Installing the Management Server, on page 46.
   - To install the Log Server, proceed to Installing the Log Server, on page 48.
   - To install the GUI client, proceed to Installing the GUI Client, on page 52.

Installing the Management Server

To install the Management Server

1. Click Next in the installation type selection. A screen like Illustration 4.6 is displayed.

ILLUSTRATION 4.6 Creating a Superuser Account

2. Create the default StoneGate Management Center Superuser account by defining a user name (e.g., admin) and password, then click Next to continue.

Note: The account specified here is the only account that can be used to log in to the Management Center after the installation has finished. More administrator accounts can be defined in the GUI as explained in the Administrator's Guide.

ILLUSTRATION 4.7 Configuring the Management Server

3. Enter the IP address of the Management Server. This is the IP address used for communication with the other system components.

4. Enter the IP address of the Alert Server. This is the IP address of the Log Server you want to use for handling alerts.
5. Click Next to continue.
6. If you want to install the Management Server as a service, select the Install as a service checkbox. When the server is run as a service, it is started automatically and run in the background after the system's reboot. Otherwise, the server needs to be started manually after every reboot.
7. If you selected that the Log Server is also installed at the same time on the same machine, go to the configuration steps in Installing the Log Server, on page 48.
8. Otherwise, click Next and the Ready to Install window is displayed.
9. Click Install to start the installation.
10. To start the Management Server, please see Starting the Management Server, on page 60.

Installing the Log Server

Before installing the Log Server, the Management Server needs to be installed. This is required for establishing a trust relationship between the Management Server and the Log Server during the Log Server installation by using certificates. If the Log Server is installed simultaneously on the same machine with the Management Server, the Log Server certificate is generated automatically.

Note: The screens may differ slightly when installing the Log Server simultaneously with the Management Server on the same machine.

To install the Log Server

1. Click Next. The Configure Log Server window is displayed.

ILLUSTRATION 4.8 Configure Log Server

2. Define the IP address for the Log Server or select the address from the Existing IP addresses list.
3. Define the Management Server's IP address in its field. This IP address is used for contacting the Management Server from the Log Server during normal operation and when requesting the certificate for the Log Server.
4. Select the Certify the Log Server during the installation checkbox to request a certificate for the Log Server from the Management Server. (The Log Server certificate is generated automatically if installed at the same time with the Management Server.) If the Log Server certificate is not retrieved during the installation, the certificate has to be retrieved manually later on. To request a certificate for the Log Server manually after the installation, stop the Server and proceed as follows:
   - In Windows, select Start → Programs → StoneGate → Request Log Server Certificate.
   - In Linux and Solaris, run the script SG_HOME/bin/sgCertifyLogSrv.sh.
   In the opened authentication window, log in using a Superuser-level StoneGate administrator account, for example, the account created during Management Server installation.
5. Define a port number for the Log Server in its field. The default port used is 3020. If you want to use a different port number, please see the Administrator's Guide for instructions.
6. If you want the Log Server to be installed as a service, select the Install as a service checkbox. When the server is run as a service, it is started automatically and run in the background after the system's reboot. Otherwise, the server needs to be started manually after every reboot.

Note: When installing the Log Server as a service, use an installation directory path that does not contain spaces.

7. Click Next to continue.

ILLUSTRATION 4.9 Defining the Directory for the Log Server Database

8. Specify a directory for the Log Server database. Click Next to continue. If the defined directory does not exist, you are prompted for accepting the directory to be created.

ILLUSTRATION 4.10 Logging into the Management Server for the Certificate Generation

9. When the Log Server certificate is requested during the installation, you need to log in to the Management Server using a Superuser privileged account. (If the Log Server is installed simultaneously with the Management Server, continue in Step 10.)
   9.1 Type in the user name and the password. Click OK to continue.

ILLUSTRATION 4.11 Checking the CA Certificate Fingerprint

   9.2 Compare the presented certificate fingerprint of the Certificate Authority to the certificate's fingerprint on the Management Server. To check the certificate fingerprint of the Certificate Authority:
       - In Windows, select Start → Programs → StoneGate → Show Fingerprint on the Management Server.
       - In Linux and Solaris, run the script SG_HOME/bin/sgShowFingerPrint.sh on the Management Server.
   9.3 Click Accept Certificate if the fingerprint is correct.

ILLUSTRATION 4.12 Log Server Selection

   9.4 To create a certificate for the Log Server:
       - If the Log Server element is already defined on the Management Server, select Certify again an existing log server and select the Log Server from the list.
       - If the Log Server element is not defined on the Management Server, select Create a new log server and type in a name for the Log Server element.
10. To start the Log Server, please see Starting the Log Server, on page 62.

Installing the GUI Client

Multiple GUI clients can be installed for managing StoneGate products. The GUI client needs to be able to connect to the Management Server. Access to the Log Server is also needed for managing the logs and alerts.

To install the Administration client

1. If necessary, click Next to continue to the Configure GUI Client window.

ILLUSTRATION 4.13 Configure GUI client

2. Type in the IP address of the Management Server to which the GUI client is going to connect. Click Next to continue.

ILLUSTRATION 4.14 Check the Installation Information

3. The installation summary window is displayed. Click Install to start the installation.

ILLUSTRATION 4.15 Installation Completed

4. The installation has been finished successfully. Click Done to quit the installation.

To proceed with the configuration, continue in Defining Sensors and Analyzers, on page 59.

Non-graphical Installation

In Linux and Solaris, the Management Center can also be installed on the command line. Before installing the Management Center, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

To run the non-graphical installation

1. Open a Bourne-compatible shell (e.g., sh, ksh).
2. If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with mount /dev/cdrom /mnt/cdrom and in Solaris with mount /cdrom.
3. Change to the CD-ROM/StoneGate_SW_Installer/Linux/ directory in Linux or in Solaris to the CD-ROM/StoneGate_SW_Installer/Solaris/ directory.
4. Run the command ./setup.sh -nodisplay to start the installation.

In Linux and Solaris, the installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted after the uninstallation.

ILLUSTRATION 4.16 Accepting the License Agreement

    DO YOU ACCEPT THE TERMS OF THE LICENSE AGREEMENT? (Y/N)

5. Read the license agreement and accept it by typing Y and pressing Enter.

ILLUSTRATION 4.17 Defining the Installation Directory

    Choose Install Directory
    ------------------------
    Select a directory for installing StoneGate. This directory path name must not contain space character.
    Where would you like to install?
    Default Install Folder: /usr/local/stonegate
    ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:

6. Type the full path for the installation directory or press ENTER to install to the default directory.

ILLUSTRATION 4.18 Choosing the Link Location

    Choose Link Location
    -------------
    Where would you like to create links?
    ->1 - Default:/StoneGate
    2 - In your home folder
    3 - Choose another location...
    4 - Don't create links
    ENTER THE NUMBER OF AN OPTION ABOVE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:

7. Press ENTER to create the StoneGate links in the default directory or select one of the other options.

ILLUSTRATION 4.19 Choosing the Installation Options

    Choose StoneGate Components
    -----------------
    Please choose the Install Set to be installed by this installer.
    ->1 - Typical
    2- Administration Client Only
    3- Customize...
    ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT :

8. Select the StoneGate components you want to install.
   - Press ENTER to install all Management Center components on the machine.
   - Press 2 to install only the Administration Client.
   - Press 3 to select which components to install.
9. The installation steps for the Management Center components are comparable to the graphical installation. For the instructions, proceed as follows:

   - To install a Management Server, see Installing the Management Server, on page 46.
   - To install a Log Server, see Installing the Log Server, on page 48.
   - To install a GUI client, see Installing the GUI Client, on page 52.
10. To proceed with the configuration, reboot the machine or restart the services and continue in Defining Sensors and Analyzers, on page 59.

Uninstalling the Management Center

To uninstall the Management Center in Windows

1. Stop the Management Server, Log Server, and the GUI client on the machine before you start the uninstallation.
2. Go to Start → Settings → Control Panel → Add/Remove Programs or alternatively run the SG_HOME\uninstall\uninstall.exe program.
3. In the Add/Remove Programs window, select StoneGate from the list of currently installed programs and click the Change/Remove button.

ILLUSTRATION 4.20 Uninstalling the StoneGate IPS Components

4. Click Uninstall to remove the installed StoneGate Management Center components from the system.
5. The GUI client uses a .stonegate directory in the user's home directory (usually c:\documents and Settings\username on Windows 2000 and XP, c:\winnt\profiles\username on Windows NT). The directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

To uninstall the Management Center in Linux and Solaris
1. Stop the Management Center components on the machine before starting uninstallation.
2. Run the SG_HOME/uninstall/uninstall.sh script.
3. The GUI client uses a .stonegate directory in the user's home directory (usually /home/username in Linux or Solaris). This directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

Uninstalling in Non-graphical Mode

You can also uninstall the Management Center in a non-graphical mode in Linux and Solaris.

To uninstall in non-graphical mode
1. In Linux and Solaris Bourne-compatible shells (e.g., sh, ksh), change to the SG_HOME/uninstall/ directory.
2. Run the command ./uninstall.sh -nodisplay. In Linux and Solaris, the sgadmin account is deleted during the uninstallation.
3. The GUI client uses a .stonegate directory in the user's home directory (in Linux and Solaris, usually /home/username). The directory contains the GUI client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.


CHAPTER 5 Defining Sensors and Analyzers

This chapter contains the steps needed to complete the Sensor and Analyzer configuration procedure necessary for a StoneGate IPS installation. For instructions on how to install the Sensors and Analyzers, please refer to their respective chapters.

This chapter includes the following sections:
- Starting the StoneGate Management Center
- Defining an Analyzer
- Defining Logical Interfaces
- Defining a Sensor Cluster
- Defining a Single Sensor
- Defining a Combined Sensor/Analyzer
- Configuring Routing
- Configuring IP Addressing for NAT
- Saving the Initial Configuration

Starting the StoneGate Management Center

When starting the StoneGate Management Center for the first time, the following steps need to be completed:
1. Start the Management Server as instructed in Starting the Management Server, on page 60.
2. Activate the StoneGate IPS licenses in the GUI client as instructed in Starting the GUI Client, on page 60 and Installing StoneGate IPS Licenses, on page 62.
3. Start the Log Server as instructed in Starting the Log Server, on page 62.

Starting the Management Server

If the Management Server has been installed as a service, the server is started during the operating system boot process. In Windows, the StoneGate Management Server service can be started and stopped manually from Control Panel > Services in Windows NT or Control Panel > Administrative Tools > Services in Windows 2000.

To start the Management Server manually
- In Windows, start the Management Server by selecting Start > Programs > StoneGate > Management Server. The management database is started automatically by the Management Server.
- In Linux and Solaris, start the Management Server by running the script SG_HOME/bin/sgStartMgtSrv.sh. The management database is started automatically by the Management Server.

Starting the GUI Client

For configuring StoneGate IPS, the GUI client is used for connecting to the Management Center.

To start the GUI client
1. Start the GUI client:
   - In Windows, select Start > Programs > StoneGate > Administration Client.
   - In Linux and Solaris, run the script SG_HOME/bin/sgClient.sh.

ILLUSTRATION 5.1 GUI Client Login

2. Log in using a Superuser level administrator account specified during the installation and connect to the Management Server's IP address.

ILLUSTRATION 5.2 Checking the CA Certificate Fingerprint

3. During the first login, the Management Server is authenticated with a certificate. Compare the presented certificate fingerprint of the Certificate Authority to the certificate's fingerprint on the Management Server. To check the certificate fingerprint of the Certificate Authority:
   - In Windows, select Start > Programs > StoneGate > Show Fingerprint on the Management Server.
   - In Linux and Solaris, run the script SG_HOME/bin/sgShowFingerPrint.sh on the Management Server.
4. Click Accept Certificate if the fingerprint is correct.

Installing StoneGate IPS Licenses

To configure StoneGate IPS, the licenses need to be installed and activated. After receiving the license ID and the proof-of-license from your StoneGate reseller, the StoneGate IPS licenses can be obtained from the Stonesoft Web site at http://www.stonesoft.com/licenses/. Evaluation licenses can also be requested from this Web site.

To install StoneGate IPS licenses
1. In the StoneGate Control Panel, open the Admin Tools by selecting Manage > Admin Tools from the menu or clicking on the Admin Tools icon in the toolbar.

ILLUSTRATION 5.3 Admin Tools Import License(s) button

2. Import the licenses from a .jar license file by selecting File > Import Licence(s) from the menu or by clicking the Import Licence(s) icon on the toolbar.
3. Check the displayed license information.
4. Right-click on a licence to open a contextual menu and select Activate.

Starting the Log Server

If the Log Server has been installed as a service, the server is started during the operating system boot process. In Windows, the StoneGate Log Server service can be started and stopped manually from Control Panel > Services.

Note: Running the Log Server requires a valid license. First, install the license as explained in Installing StoneGate IPS Licenses, on page 62.

To start the Log Server manually
- In Windows, select Start > Programs > StoneGate > Log Server.
- In Linux and Solaris, run the SG_HOME/bin/sgStartLogSrv.sh script.

Defining an Analyzer

Before creating Sensor elements, an Analyzer element needs to be created. This section covers the basic configuration of an Analyzer element. For complete instructions on configuring Analyzer properties, please see the StoneGate IPS Administrator's Guide.

In the following tasks, we will refer to the example network's Headquarters Analyzer settings to exemplify how to configure an Analyzer. Please refer to the Example Network Scenario, on page 33.

Related Topics
- To configure a combined Sensor/Analyzer, please see Defining a Combined Sensor/Analyzer, on page 77.

To define an Analyzer element
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Click the New icon in the toolbar and select Network Element > Analyzer from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Analyzer Properties dialog opens.

ILLUSTRATION 5.4 Analyzer Properties

3. In the Name field, enter a name for the Analyzer.
4. Select the Log Server for the Analyzer from the drop-down menu.
5. Continue defining the network interfaces as explained below.

Defining the Network Interfaces

To define a network interface for an Analyzer
1. In the Analyzer Properties window, select the Single Node tab and click Add Interface.

ILLUSTRATION 5.5 Network Interface Properties

2. To use the interface for the Management Server initiated control connections, select Control IP Address.
   - To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.
   - To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.
3. To use the interface for communication with the Log Server, select Log/Analyzer communication source IP address.
4. Select the NIC ID from the drop-down menu. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Analyzer installation.
5. Enter the IP address for this interface.
6. Enter the appropriate Netmask.
7. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Analyzer or between the Sensors and the Analyzer. See Configuring IP Addressing for NAT, on page 83.
8. Click OK to save the interface configuration.
9. After configuring the network interfaces, write down the networks to which each NIC ID is connected. This information is needed during the Analyzer installation when mapping the actual physical network interfaces to NIC IDs. You can use the Installation Worksheet, on page 109 for writing down the NIC ID information.

10. Click OK to apply the changes or continue with the Analyzer element configuration.

Related Topics
- Configuring Routing, on page 81
- Configuring IP Addressing for NAT, on page 83
- Saving the Initial Configuration, on page 89

For detailed instructions on configuring the Analyzer, please see the StoneGate IPS Administrator's Guide.

Defining Logical Interfaces

The captured traffic is directed from the Capture Interfaces to Logical Interfaces. The Logical Interface is then used in the Sensor rule base as an entry point for the traffic to be inspected. Each Capture Interface has a defined Logical Interface:
- for SPAN port mode, each Capture Interface has its own Logical Interface.
- for wire TAP mode, the two related Capture Interfaces have the same Logical Interface.

With Capture Interfaces in network TAP mode, the two directions of the network traffic are divided onto separate wires. For this reason, two Capture Interfaces are defined for a network TAP: one Capture Interface for each direction of the traffic. The two related Capture Interfaces are handled as one Logical Interface that combines the traffic of these two interfaces for inspection.

Before being able to define Capture Interfaces for Sensor elements, you first need to define Logical Interfaces for them.

To define a Logical Interface
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Click the New icon in the toolbar and select Intrusion Detection > Logical Interface from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Logical Interface Properties dialog opens.

ILLUSTRATION 5.6 Logical Interface Properties

3. In the Name field, enter a name for the logical interface (e.g., "HQ DMZ").
4. Click OK to accept the changes.

This defined Logical Interface can now be used for defining the Sensors' Capture Interfaces. The Logical Interface is then used as an entry point for the inspected traffic in the Sensor policy.

Defining a Sensor Cluster

This section covers the basic configuration of a Sensor cluster element. For complete instructions on configuring the Sensor cluster, please see the StoneGate IPS Administrator's Guide.

In the following tasks, we will refer to the example network's Headquarters Sensor cluster settings to illustrate how to configure a Sensor cluster. Please refer to the Example Network Scenario, on page 33.

To define a Sensor Cluster
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Click the New icon in the toolbar and select Network Element > Sensor Cluster from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Sensor Cluster Properties dialog opens.

ILLUSTRATION 5.7 Sensor Cluster Properties

3. In the Name field, enter a name for the Sensor cluster.
4. Select the Analyzer for the Sensor cluster from the list.
5. Continue with the network interface configuration as explained below.

Defining the Cluster Network Interfaces

To define an NDI for a Sensor cluster
1. In the Cluster tab, click Add Interface.

ILLUSTRATION 5.8 Cluster-Level Properties of a Node Dedicated Interface

2. For the Type, select Node Dedicated Interface.
3. For the NDI Mode, there are three optional settings. To use the NDI for heartbeat, select Heartbeat.
   - If the NDI is used as the primary heartbeat interface, select Primary.
   - If the NDI is used for backing up the primary heartbeat interface, select Backup.

   Note: Heartbeat and state synchronization (which takes place on the same interface) are time-critical communications, and network latency from other traffic may interfere with them. Therefore, it is recommended that the heartbeat network is dedicated only for this purpose.

4. To use the interface for Management Server initiated control connections, select Control IP Address.
   - To define the primary control IP address, select Primary. Only one interface can be selected as primary for the control connections.
   - To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.
5. To use the interface for communication with the Analyzer, select Log/Analyzer communication source IP address.
6. Select the NIC ID for the NDI. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.
7. Click OK to accept the interface settings.
8. Continue defining the Capture Interfaces as explained below.

To define Capture Interfaces for a Sensor cluster
1. In the Sensor Cluster Properties window, select the Cluster tab and click Add Interface.

   Note: Logical Interfaces need to be defined before being able to define Capture Interfaces: see Defining Logical Interfaces, on page 66.

ILLUSTRATION 5.9 Capture Interface Properties

2. For the Type, select Capture Interface.
3. Select the Capture Interface Mode according to your network environment as follows (see Checking the Surrounding Network Environment, on page 31):
   3.1 For Capture Interface mode, select either SPAN port or Wire TAP, according to the corresponding network connection of the interface.

       Note: For Wire TAP mode, two Capture Interfaces need to be defined for the same Logical Interface: one Capture Interface for each direction of the traffic.

   3.2 For Logical Interface, link the Capture Interface to the selected Logical Interface.
   3.3 Optionally, define which Reset Interface this capture interface uses for TCP connection termination, if any.
4. Select the NIC ID for the Capture Interface. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.

The IP address, Netmask, and MAC address for an NDI are defined on the node specific properties of each node as described below.

Defining the Node Specific Properties

After defining your network interfaces at the cluster level, continue the Sensor cluster configuration by defining the node specific properties. By default, the Cluster Properties window displays two nodes in the Nodes tab. In case you have more than two nodes in your cluster, you need to add more nodes to the cluster properties as described in Adding a Node to the Cluster, on page 73.

To define an NDI for a node
1. In the Sensor Cluster Properties window, select the Nodes tab.

ILLUSTRATION 5.10 Sensor Cluster Node Properties

2. On the Nodes list, click on the row of the node to be configured.
3. Define a name for the node by clicking on the cell in the Name column (Node 1 and Node 2 by default).
4. After selecting the node from the Nodes list, double-click on the line of the interface to be configured in the lower Interfaces list.

ILLUSTRATION 5.11 Node Dedicated Interface Properties

5. In the Interface Properties window, define the IP Address for the interface.
6. Define the corresponding Netmask for the interface.
7. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Sensor. See Configuring IP Addressing for NAT, on page 83.
8. Complete the above steps for all NDIs in each of the nodes.
9. After configuring the network interfaces, write down the networks to which each NIC ID is connected. This information is needed during the Sensor installation when mapping the actual physical network interfaces to NIC IDs. You can use the Installation Worksheet, on page 109 for writing down the NIC ID configuration.
10. Click OK to validate the cluster's interface configuration.
11. Continue in Configuring Routing, on page 81.

Related Topics
- Configuring Routing, on page 81
- Configuring IP Addressing for NAT, on page 83
- Saving the Initial Configuration, on page 89

For instructions on configuring other necessary settings such as the Sensor policy, please see the StoneGate IPS Administrator's Guide.
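The interface rules stated in Defining Logical Interfaces and in this section can be checked against a planned cluster before it is entered in the GUI client. The following is an added example, not StoneGate code or part of the original guide; the data model, the finding codes, the sample plans and the rule that a NIC ID is used only once are assumptions of this example.

```python
"""Pre-installation check of a Sensor cluster interface plan (illustrative model)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

MAX_CLUSTER_NODES = 16  # the guide: up to 16 nodes in one Sensor cluster


@dataclass
class NDI:
    """Node Dedicated Interface, cluster-level settings."""
    nic_id: int
    heartbeat: str = ""       # "", "primary" or "backup"
    control: str = ""         # "", "primary" or "backup"
    log_source: bool = False  # Log/Analyzer communication source IP address


@dataclass
class Capture:
    nic_id: int
    mode: str     # "span" (SPAN port) or "tap" (Wire TAP)
    logical: str  # Logical Interface the captured traffic is directed to


@dataclass
class ClusterPlan:
    nodes: list
    logical_interfaces: set
    ndis: list = field(default_factory=list)
    captures: list = field(default_factory=list)


def validate(plan):
    """Return a sorted list of (severity, code, detail) findings."""
    out = []
    if len(plan.nodes) > MAX_CLUSTER_NODES:
        out.append(("ERROR", "TOO_MANY_NODES", f"{len(plan.nodes)} nodes"))

    # Only one interface can be Primary for control connections.
    primaries = [n.nic_id for n in plan.ndis if n.control == "primary"]
    if len(primaries) > 1:
        out.append(("ERROR", "MULTIPLE_PRIMARY_CONTROL", f"NIC IDs {primaries}"))

    # Assumption: one NIC ID maps to one physical port, so it may appear once.
    used = Counter(i.nic_id for i in [*plan.ndis, *plan.captures])
    for nic, count in sorted(used.items()):
        if count > 1:
            out.append(("ERROR", "NIC_ID_REUSED", f"NIC ID {nic} used {count} times"))

    # Heartbeat is time-critical; the guide recommends a dedicated network.
    for n in plan.ndis:
        if n.heartbeat and (n.control or n.log_source):
            out.append(("WARN", "HEARTBEAT_NOT_DEDICATED", f"NIC ID {n.nic_id}"))

    by_logical = defaultdict(list)
    for c in plan.captures:
        # Logical Interfaces must exist before Capture Interfaces refer to them.
        if c.logical not in plan.logical_interfaces:
            out.append(("ERROR", "UNDEFINED_LOGICAL", f"{c.logical!r} on NIC ID {c.nic_id}"))
        by_logical[c.logical].append(c)

    for name, caps in sorted(by_logical.items()):
        taps = [c for c in caps if c.mode == "tap"]
        spans = [c for c in caps if c.mode == "span"]
        # SPAN port: every Capture Interface has its own Logical Interface.
        if spans and len(caps) > 1:
            out.append(("ERROR", "SPAN_SHARES_LOGICAL", name))
        # Wire TAP: one Capture Interface per traffic direction, same Logical Interface.
        if taps and len(taps) != 2:
            out.append(("ERROR", "TAP_NOT_PAIRED", f"{name}: {len(taps)} TAP capture(s)"))
    return sorted(out)


# Constructed sample plans (names, NIC IDs and layout are made up for the example).
GOOD_PLAN = ClusterPlan(
    nodes=["Node 1", "Node 2"],
    logical_interfaces={"HQ DMZ", "HQ LAN"},
    ndis=[NDI(0, control="primary", log_source=True), NDI(1, heartbeat="primary")],
    captures=[Capture(2, "tap", "HQ DMZ"), Capture(3, "tap", "HQ DMZ"),
              Capture(4, "span", "HQ LAN")],
)

BAD_PLAN = ClusterPlan(
    nodes=["Node 1", "Node 2"],
    logical_interfaces={"HQ DMZ"},
    ndis=[NDI(0, heartbeat="primary", control="primary"), NDI(1, control="primary")],
    captures=[Capture(1, "tap", "HQ DMZ"),     # only one direction of the TAP
              Capture(2, "span", "HQ LAN")],   # Logical Interface never defined
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, *validate(plan), sep="\n  ")
```

A plan that passes with no findings can be copied to the Installation Worksheet as the NIC ID mapping used during the Sensor installation.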

Adding a Node to the Cluster

By default, the Cluster Properties window displays two nodes in the Nodes tab. In case you have more than two nodes in your cluster, you need to add more nodes to the cluster properties as described below. StoneGate IPS supports up to 16 nodes in one Sensor cluster. After adding the required nodes, you can define the node specific properties as described in Defining the Node Specific Properties, on page 71.

To add a node to the cluster
1. In the Sensor Cluster Properties window, select the Nodes tab.
2. To add a node to the cluster, click Add Node.
3. Define a name for the node by clicking on the cell in the Name column.
4. Define the node specific properties as described in Defining the Node Specific Properties, on page 71.

Defining a Single Sensor

This section covers the basic configuration of the Single Sensor element. A single Sensor does not have the load balancing and high availability features of a Sensor cluster. For complete instructions on configuring the single Sensor, please see the StoneGate IPS Administrator's Guide.

In the following tasks, we will refer to the example network's Headquarters DMZ Sensor settings to illustrate how to configure a single Sensor. Please refer to the Example Network Scenario, on page 33.

To define a single Sensor
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Click the New icon in the toolbar and select Network Element > Single Sensor from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Single Sensor Properties dialog opens.

ILLUSTRATION 5.12 Single Sensor Properties

3. In the Name field, enter a name for the Sensor (e.g., "HQ DMZ Sensor").
4. Select the Analyzer for the Sensor from the list (e.g., "HQ Analyzer").
5. Continue defining the network interfaces as explained below.

Defining the Network Interfaces

Note: Logical Interfaces need to be defined before being able to define Capture Interfaces: see Defining Logical Interfaces, on page 66.

To define an NDI for a single Sensor
1. In the Single Sensor Properties window, select the Single Node tab and click Add Interface.

ILLUSTRATION 5.13 Network Interface Properties

2. In the Type drop-down menu, select Node Dedicated Interface.
3. To use the interface for Management Server initiated control connections, select Control IP Address.
   - To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.
   - To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.
4. To use the interface for communication with the Analyzer, select Log/Analyzer communication source IP address.
5. Select the NIC ID from the drop-down menu. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.
6. Enter the unicast IP address for this interface.
7. Enter the appropriate Netmask.
8. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Sensor. See Configuring IP Addressing for NAT, on page 83.
9. After configuring the network interfaces, write down the networks to which each NIC ID is connected. This information is needed during the Sensor installation when mapping the actual physical network interfaces to NIC IDs. You can use the Installation Worksheet, on page 109 for writing down the NIC ID information.
10. Click OK to apply the changes.
11. Continue defining the Capture Interfaces as explained below.

To define Capture Interfaces for a single Sensor
1. In the Single Sensor Properties window, select the Single Node tab and click Add Interface.

ILLUSTRATION 5.14 Capture Interface Properties

2. For the Type, select Capture Interface.
3. Select the Capture Interface Mode according to your network environment as follows (see Checking the Surrounding Network Environment, on page 31):
   3.1 For Capture Interface mode, select either SPAN port or Wire TAP, according to the corresponding network connection of the interface.

       Note: For Wire TAP mode, two Capture Interfaces need to be defined for the same Logical Interface: one Capture Interface for each direction of the traffic.

   3.2 For Logical Interface, link the Capture Interface to the selected Logical Interface.
   3.3 Optionally, define which Reset Interface this capture interface uses for TCP connection termination, if any.
4. Select the NIC ID for the Capture Interface. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.

5. Continue in Configuring Routing, on page 81.

Related Topics
- Configuring Routing, on page 81
- Configuring IP Addressing for NAT, on page 83
- Saving the Initial Configuration, on page 89

For instructions on configuring other necessary settings such as the rule base, please see the StoneGate IPS Administrator's Guide.

Defining a Combined Sensor/Analyzer

A combined Sensor/Analyzer is a special case of StoneGate IPS installation for small network environments, where the Sensor and Analyzer are located on the same machine. This section covers the basic configuration of the element. For complete instructions on configuring the combined Sensor/Analyzer, please see the StoneGate IPS Administrator's Guide.

In the following tasks, we will refer to the example network's Branch Office Sensor/Analyzer settings to exemplify how to configure a combined Sensor/Analyzer. Please refer to the Example Network Scenario, on page 33.

To define a combined Sensor/Analyzer
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Click the New icon in the toolbar and select Network Element > Combined Sensor-Analyzer from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Combined Sensor-Analyzer Properties dialog opens.

ILLUSTRATION 5.15 Combined Sensor-Analyzer Properties

3. In the Name field, enter a name for the Sensor/Analyzer.
4. Select a Log Server for the combined Sensor/Analyzer.
5. Continue defining network interfaces as explained below.

Defining the Network Interfaces

To define an NDI for a combined Sensor/Analyzer
1. In the Single Sensor Properties window, select the Single Node tab and click Add Interface.

ILLUSTRATION 5.16 Network Interface Properties

2. In the Type drop-down menu, select Node Dedicated Interface.
3. To use the interface for the Management Server initiated control connections, select Control IP Address.
   - To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.
   - To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.
4. To use the interface for communication with the Log Server, select Log/Analyzer communication source IP address.
5. Select the NIC ID from the drop-down menu. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor/Analyzer installation.
6. Enter the unicast IP address for this interface.
7. Enter the appropriate Netmask.
8. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Sensor/Analyzer. See Configuring IP Addressing for NAT, on page 83.
9. Click OK to apply the changes.
10. Continue defining the Capture Interfaces as explained below.

To define Capture Interfaces for a combined Sensor/Analyzer
1. In the Combined Sensor/Analyzer Properties window, select the Single Node tab and click Add Interface.

   Note: Logical Interfaces need to be defined before being able to define Capture Interfaces: see Defining Logical Interfaces, on page 66.

ILLUSTRATION 5.17 Capture Interface Properties

2. For the Type, select Capture Interface.
3. Select the Capture Interface Mode according to your network environment (see Checking the Surrounding Network Environment, on page 31) as follows:
   3.1 For Capture Interface mode, select either SPAN port or Wire TAP, according to the corresponding network connection of the interface.

       Note: For Wire TAP mode, two Capture Interfaces need to be defined for the same Logical Interface: one Capture Interface for each direction of the traffic.

   3.2 For Logical Interface, link the Capture Interface to the selected Logical Interface.
   3.3 Optionally, define which Reset Interface this capture uses for TCP connection termination, if any.
4. Select the NIC ID for the Capture Interface. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor/Analyzer installation.

After configuring the network interfaces, write down the networks to which each NIC ID is connected. This information is needed during the combined Sensor/Analyzer installation when mapping the actual physical network interfaces to NIC IDs of StoneGate IPS. You can use the Installation Worksheet, on page 109 for writing down the NIC ID information.

Related Topics
- Configuring Routing, on page 81
- Configuring IP Addressing for NAT, on page 83
- Saving the Initial Configuration, on page 89

For instructions on configuring other necessary settings such as the rule base, please see the StoneGate IPS Administrator's Guide.

Configuring Routing

In order to configure routing for Sensors and Analyzers, you must first define Router elements. A Router element represents a gateway used for routing. Routing for StoneGate IPS Sensors and Analyzers is defined in the Routing view as in Illustration 5.18.

ILLUSTRATION 5.18 Routing View

As an example in Illustration 5.18, the HQ DMZ default GW element (IP address 192.168.1.1) is used as the default gateway for the HQ DMZ Sensor by using the Any Network element. For more information about routing, please see the StoneGate IPS Administrator's Reference.

To define a route for Sensor or Analyzer
1. Create a Router element for the gateway:
   1.1 Click the New icon in the toolbar and select Network Element > Router from the contextual menu that opens (or follow the corresponding path in the File > New menu). The Router Properties dialog opens.

ILLUSTRATION 5.19 Router Element Properties

   1.2 Enter a name for the router (e.g., "HQ DMZ gateway").
   1.3 Enter the router's IP address used as the next hop address for routing in the Sensor or Analyzer (e.g., 192.168.1.1).
   1.4 Click OK.
2. Define a route for the Sensor or Analyzer:
   2.1 In the Resource Manager, check that the Routing tab is activated in the right panel.

ILLUSTRATION 5.20 Defining Routing

   2.2 In the Routing view, select the router that will act as the gateway (e.g., "HQ DMZ gateway").
   2.3 Drag the Router to the correct network connection of a Sensor or Analyzer in the Routing view (e.g., HQ DMZ Sensor/Interface0/192.168.1.0).
   2.4 Expand the Network Elements > Network tree view in the left panel. The Any Network element appears in the lower part of the left panel.
   2.5 Drag the Any Network element onto the Router element in the Routing view (e.g., Any Network element on the HQ DMZ Sensor/Interface0/192.168.1.0/HQ DMZ router) to define the default route.
   2.6 Continue in Saving the Initial Configuration, on page 89.

The routing configuration changes are taken into use with the other configuration information when uploading the policy on the Sensor or Analyzer.

Configuring IP Addressing for NAT

The StoneGate IPS components need to know the IP addresses of the other components for communication purposes. If there is Network Address Translation (NAT) between the communicating components, then the NATed IP addresses need to be defined. These NATed contact addresses are then contacted to reach the targeted component.

Note: A contact address needs to be defined only if there is a NAT device between the communicating StoneGate components.

For example, the Sensor needs to know the Analyzer's IP address to send event information on the inspected network traffic. If the Analyzer is reachable by its real IP address defined in the Analyzer element, then no contact address needs to be defined. But if there is NAT between the Sensor and the Analyzer, then the NATed address needs to be configured. This NATed address is defined for the Analyzer's corresponding network interface as a contact address for this Sensor.

Communications between the StoneGate components are explained in the StoneGate IPS Administrator's Reference.

Sensor and Analyzer Contact Addresses

A contact address is needed only if there is a NAT device between the Management Server and the Sensor or Analyzer (used for management connections), or between the Sensors and the Analyzer (used for transferring event information), so that they cannot connect directly to the IP address defined for the interface. An interface with contact addresses is indicated with an asterisk (*) in the element's network interface address.

To define a contact address for a Sensor or an Analyzer
1. In the Resource Manager, open the Sensor or Analyzer element for which you want to define the contact addresses.

ILLUSTRATION 5.21 Element Properties

2. In the Sensor or Analyzer Properties window, select the network interface and click Edit Interface to define a contact address for it.

ILLUSTRATION 5.22 Network Interface Properties

3. In the Contact Addresses box, click Edit.

ILLUSTRATION 5.23 Sensor or Analyzer Contact Addresses

4. In the Default field, define a contact IP address which is used if there is no specific contact address (Point of View) defined for the contacting machine.
5. In the Contact Address column, define the IP address which the machine in the Point of View column should contact instead of the interface's real IP address. For example, if the Sensor/Analyzer (172.16.2.41) in the network scenario is NATed as 172.17.17.41 when connecting from the headquarters, the Management Server needs to connect to the NATed contact address as in Illustration 5.23.
6. Click OK to accept the contact addresses and click OK to accept the interface properties.

Management Server Contact Address

In the Management Center, the Local Management Server element is provided for defining contact addresses to the Management Server. A contact address is needed during the Sensor's (or Analyzer's) initial contact to the Management Server only if there is a NAT device between the Sensor (Analyzer) and the Management Server. The Management Server contact address is saved in the initial configuration files (see Saving the Initial Configuration, on page 89).

To define the Management Server contact address
1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Expand the Network Elements tree and select Servers.

3. Right-click on the Local Management Server element in the lower part of the left panel and select Properties from the contextual menu that opens. The Local Management Server Properties dialog opens.

ILLUSTRATION 5.24 Management Server Properties

4. In the Contact Addresses box, click Edit.

ILLUSTRATION 5.25 Management Server Contact Addresses

5. In the Default field, define a contact IP address which is used if there is no specific contact address (Point of View) defined for the contacting machine.

6. In the Contact Address column, define the IP address which the machine in the Point of View column should contact instead of the Management Server's real IP address. Click OK.
7. Click OK to validate the changes for the element.

Log Server Contact Address

A contact address is needed for the Log Server if there is a NAT device between the Analyzer and the Log Server, so that the Analyzer cannot connect directly to the IP address defined for the Log Server.

To define the Log Server contact address

1. In the GUI client, open the Resource Manager from Manage > Resource Manager or by clicking its icon in the toolbar.
2. Expand the Network Element tree and select Servers.
3. Right-click on the Log Server element in the lower part of the left panel and select Properties from the contextual menu that opens. The properties dialog for the Log Server opens.

ILLUSTRATION 5.26 Log Server Properties

4. In the Contact Addresses box, click Edit.

ILLUSTRATION 5.27 Log Server Contact Addresses

5. In the Default field, define a contact IP address which is used if there is no specific contact address (Point of View) defined for the contacting machine.
6. In the Contact Address column, define the IP address which the machine in the Point of View column should contact instead of the Log Server's real IP address. Click OK.
7. Click OK to validate the changes for the element.

Saving the Initial Configuration

After defining the Sensor and Analyzer element properties, the configuration information is saved to be used when installing the Sensor and Analyzer machines. The Management Center creates the required configuration files that are needed during the machine installation. One-time passwords are also generated which are used during the engine installation to establish a trust relationship between the engine and the Management Server.

To save the initial configuration

1. In the GUI Control Panel, right-click on the Sensor or Analyzer element you just defined.

ILLUSTRATION 5.28 Saving the Initial Configuration

2. In the contextual menu that appears, choose Save Initial Configuration, as shown in Illustration 5.28.

ILLUSTRATION 5.29 Generated Initial Configuration

3. Select a directory to save the configuration files. Often it is easiest to save the configuration on a floppy.

ILLUSTRATION 5.30 Generated Initial Configuration

4. The generated configuration file names and one-time passwords are displayed. Click OK to close the dialog box.

The Sensors and Analyzers can also be configured manually during the installation without the initial configuration files. In this case, the one-time passwords and the Management Server certificate fingerprint must be written down as they are needed during the installation.

Caution: As the initial configuration files include the one-time password for establishing the trust relationship between the Management Server and the engine, these files must be handled securely.

You are now ready to install the StoneGate IPS engine(s). Please see Installing Sensors and Analyzers, on page 95.
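The contact-address lookup described earlier in this chapter (a Point of View entry first, then the Default, otherwise the interface's real IP address), as an added example that is not part of the StoneGate guide or product. The Interface class, its field names and the Point of View labels are hypothetical; the addresses are the guide's 172.16.2.41 / 172.17.17.41 example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Interface:
    """One network interface of a Sensor, Analyzer or server element.

    Hypothetical model for illustration; not StoneGate's configuration format.
    """
    real_ip: IPv4Address
    default_contact: Optional[IPv4Address] = None  # the "Default" field
    # "Point of View" (name of the contacting component) -> "Contact Address"
    by_point_of_view: Dict[str, IPv4Address] = field(default_factory=dict)

    def has_contact_addresses(self) -> bool:
        """True when the GUI would mark this interface with an asterisk (*)."""
        return self.default_contact is not None or bool(self.by_point_of_view)

    def address_for(self, contacting: str) -> IPv4Address:
        """Address the contacting component must use to reach this interface."""
        if contacting in self.by_point_of_view:
            return self.by_point_of_view[contacting]
        if self.default_contact is not None:
            return self.default_contact
        return self.real_ip  # no NAT in between: connect directly

    def audit(self) -> List[str]:
        """Flag entries that have no effect, a common sign of a copy-paste error."""
        findings = []
        if self.default_contact == self.real_ip:
            findings.append("Default equals the real IP address: "
                            "no contact address is needed without NAT")
        for pov, addr in sorted(self.by_point_of_view.items()):
            if addr == self.real_ip and self.default_contact is None:
                findings.append(f"{pov}: entry equals the real IP address and "
                                "no Default is set, so it has no effect")
            elif addr == self.default_contact:
                findings.append(f"{pov}: entry repeats the Default and can be removed")
        return findings


# Constructed sample based on the guide's scenario: the Sensor/Analyzer at
# 172.16.2.41 is seen as 172.17.17.41 by the Management Server at headquarters.
SENSOR_ANALYZER = Interface(
    real_ip=IPv4Address("172.16.2.41"),
    by_point_of_view={"Management Server": IPv4Address("172.17.17.41")},
)

if __name__ == "__main__":
    for peer in ("Management Server", "Log Server"):
        print(f"{peer} connects to {SENSOR_ANALYZER.address_for(peer)}")
    print("audit:", SENSOR_ANALYZER.audit() or "no findings")
```

A Point of View entry that equals the real IP address is only flagged when no Default is set: with a Default in place, such an entry is how a component on the local network bypasses the NATed address.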


INSTALLING SENSORS AND ANALYZERS

CHAPTER 6 Installing Sensors and Analyzers

This chapter explains how to install a StoneGate IPS Sensor or an Analyzer on any standard Intel or Intel compatible platform.

This chapter includes the following sections:

- Installing the Sensor or Analyzer, on page 96
- Configuring the Sensor or Analyzer, on page 97
- Installing in Expert Mode, on page 104.

Installing the Sensor or Analyzer

After installing the Management Center and creating the initial configuration, the Sensor and Analyzer engines can be installed. The installation steps for Sensor, Analyzer, and combined Sensor/Analyzer are similar, as the node type is only selected at the end of the installation.

Note: The machines running the Sensors or Analyzers are dedicated for the IPS functionality, so they should not run any other software.

Note: Check that the Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI) settings are disabled in BIOS. Otherwise, the engine may not start after installation or may shut down unexpectedly.

The following step-by-step instructions provide an example of a typical Sensor or Analyzer installation. The screens appearing during the installation may differ slightly during your installation depending on your system configuration.

Checking the File Integrity

Before installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

Booting From the CD-ROM

To install StoneGate IPS engine from a CD-ROM

1. To begin, insert the StoneGate IPS installation CD-ROM into the drive and reboot the machine from the CD-ROM. Accept the license agreement to continue.

ILLUSTRATION 6.1 Selecting the Install Mode

2. After accepting the license agreement, you will be prompted to choose between two types of installations: Full Install and Full Install in expert mode. Choose 1 for the normal full install mode. Installing StoneGate IPS in expert mode is explained in Installing in Expert Mode, on page 104.

ILLUSTRATION 6.2 Automatic Partitioning

3. To accept automatic hard disk partitioning, type YES. For modifying the hard disk partitioning manually, please see Installing in Expert Mode, on page 104.

Caution: Partitioning deletes all the existing data on the hard disk.

ILLUSTRATION 6.3 Installation Finished

4. The automatic installation process is started. When the installation is finished, you will be prompted to remove the installation CD-ROM. Press ENTER to reboot the machine and proceed to Configuring the Sensor or Analyzer, on page 97.

Configuring the Sensor or Analyzer

After the installation, the machine is rebooted and the StoneGate IPS configuration wizard is displayed. During this initial configuration, the operating system settings, network interfaces, and the Management Server connection are defined.

Selecting a Configuration Method

To configure the installed Sensor or Analyzer

1. After the installation, the machine is rebooted and the StoneGate IPS configuration wizard is displayed.

ILLUSTRATION 6.4 Importing the Configuration from a Disk

2. The initial configuration can be imported from a floppy disk. Otherwise, the configuration needs to be entered manually. To import the configuration from a floppy:
   2.1 Insert the configuration floppy disk which was created on the Management Server in Saving the Initial Configuration, on page 89.
   2.2 Select Import.
   2.3 Browse the floppy for the configuration file directory.
3. Select Next and press ENTER to continue.

Configuring the Operating System Settings

To configure the operating system settings

1. After selecting the installation method, the Configure OS Settings window is displayed.

ILLUSTRATION 6.5 Configuring the Operating System Settings

2. Configure the keyboard layout by highlighting the Keyboard layout field using the arrow keys. Press ENTER to continue.

ILLUSTRATION 6.6 Selecting the Keyboard Layout

3. Highlight the appropriate layout and press ENTER.
4. In the Configure OS Settings window, highlight the Local timezone line and press ENTER.

ILLUSTRATION 6.7 Selecting the Timezone

5. Select the timezone and press ENTER.

ILLUSTRATION 6.8 Defining the Host Name and the Root User Password

6. Type a host name for the engine in the Host name field.
7. In the Password field, enter a password for the root user and re-enter the password for confirmation in the second field.
8. You will then need to decide whether to enable the SSH daemon for SSH connections to the engine. By default this feature is disabled. To enable SSH daemon, highlight the line and press SPACEBAR to select it. An asterisk (*) appears to indicate that the SSH daemon is enabled.
9. Select Next and press ENTER to continue.

Configuring the Network Interfaces

To configure the network interfaces

1. The Configure Network Interfaces window is displayed.

ILLUSTRATION 6.9 Configure the Network Interfaces

2. To add a network interface, highlight Add and press ENTER.

ILLUSTRATION 6.10 Add a Device Driver

3. Select a driver for the network interface by highlighting the driver and pressing ENTER.

ILLUSTRATION 6.11 Assigning Network Interfaces

4. The interfaces that use the selected driver are displayed. Define NIC IDs to the network interfaces by typing the NIC ID number in the field in front of each network interface. (The NIC IDs were defined in the Sensor or Analyzer element in Defining Sensors and Analyzers, on page 59.)

   Tip: The Sniff option can be used for troubleshooting the network interfaces. Select Sniff on an interface to run network sniffer on that interface. Press ENTER to exit the sniffer.

5. To define more network interfaces, select Add again.
6. To define the Management interface, highlight the interface's Mgmt column and press SPACEBAR to select it. An asterisk (*) appears to indicate the management interface.
7. Highlight Next and press ENTER to continue.

Contacting the Management Server

To contact the Management Server

1. Next, the Prepare for Management Contact window opens. If the initial configuration was imported using a floppy disk, most of this information is already defined.

ILLUSTRATION 6.12 Preparing for the Management Contact

2. Select the Switch to initial configuration checkbox to activate an initial configuration. If you run the sg-reconfigure command later, you can choose to:
   - switch to an initial configuration by selecting the checkbox.
   - use the current configuration by unselecting the checkbox. In this case, the currently active policy will remain active. All other changes (host name, time zone, SSH daemon, NIC mapping, management contact, etc.) will take effect after clicking Finish.
3. Define the IP address used for the management connections to this machine. The IP address must be the same as the control IP address specified in the Sensor (or Analyzer) element on the Management Server.
4. Next, define the netmask for the IP address used for the management connections to this machine (e.g., 255.255.255.0).
5. Define the address of the default gateway needed for this machine to contact the Management Server. If the Management Server is on the same network, you can leave this line empty.

ILLUSTRATION 6.13 Management Server Contact Information

6. Highlight Contact Management Server and press SPACEBAR to enable the initial connection to the Management Server. During this contact, the trust relationship is established between this machine and the Management Server. An asterisk (*) indicates that the option is active. If the configuration was imported from a floppy disk created in Saving the Initial Configuration, on page 89, the Management Server contact information is automatically filled in.
   6.1 In the IP address field, enter the Management Server's IP address. (If the Management Server is behind a NAT, define the NATed address to be contacted.)
   6.2 In the One-time password field, enter the password for contacting the Management Server. The password is engine-specific and can be used only for one initial connection to the Management Server.
   6.3 Optionally, enter the Management Server certificate's fingerprint for verification.

ILLUSTRATION 6.14 StoneGate IPS Engine Type

7. Select the StoneGate IPS engine type by highlighting the correct line and pressing SPACEBAR. An asterisk (*) indicates the selected engine type.
8. To complete the configuration, highlight Finish and press ENTER.
9. If the initial Management Server contact was selected, the engine tries to connect to the Management Server. If the initial management contact fails for some reason, the configuration can be started again with the sg-reconfigure command.

   Note: If the engine cannot communicate with the Management Server and you receive a connection refused error message, ensure that the one-time password is correct and the Management Server IP address is reachable from this machine.

10. After a successful Management Server contact, the engine installation is complete and ready for policy upload from the Management Server. This is displayed in the GUI Control Panel; the node's status has changed from Unknown to Policy Not Installed, and the connection state is Connected indicating that the Management Server is able to connect to this engine. For more information on creating and installing a policy, please see the StoneGate IPS Administrator's Guide.

Installing in Expert Mode

Installation of the StoneGate IPS Sensor or Analyzer in expert mode is essentially the same as the normal full install described in Installing the Sensor or Analyzer, on page 96. The difference is that in expert mode, the administrator makes the partitions on the hard disk manually rather than having it done automatically by the installation. If you are unfamiliar with partitioning hard disks in Linux, it is recommended that you use the normal installation process as outlined in Installing the Sensor or Analyzer, on page 96.

Note: The machines running the Sensors and Analyzers are dedicated for the IPS functionality. Therefore, these machines should not run any other software.

Note: Check that the Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI) settings are disabled in BIOS. Otherwise, the engine may not start after installation or may shut down unexpectedly.

The following step-by-step instructions provide an example of a typical engine installation on an unpartitioned hard disk. The screens appearing during the installation differ slightly depending on your system configuration.

Checking the File Integrity

Before installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

Booting From the CD-ROM

To install StoneGate IPS Sensor or Analyzer from a CD-ROM

1. To begin, insert the StoneGate IPS engine installation CD-ROM into the drive and reboot the machine from the CD-ROM. Accept the license agreement to continue.

ILLUSTRATION 6.15 Selecting the Install Mode

2. After accepting the license agreement, choose 2 for Full install in expert mode and press ENTER.
3. For partitioning the hard disk, proceed to Partitioning the Hard Disk Manually, on page 105.

Partitioning the Hard Disk Manually

Typically, you need five partitions for the StoneGate IPS Sensor or Analyzer as explained in Table 6.1.

TABLE 6.1 StoneGate IPS Partitions

| Partition | Recommended size | Description |
|---|---|---|
| Engine root A | 200 MB | The bootable root partition for the StoneGate IPS engine. |
| Engine root B | 200 MB | Alternative root partition for the StoneGate IPS engine. Used for the engine upgrade. |
| Swap | Twice the physical memory | Swap partition for the StoneGate IPS engine. |
| Data | 500 MB or more | Used for the boot configuration files and the root user's home directory. |
| Spool | Rest of free disk space | Used for spooling |

The partitions are allocated in two phases. First, disk partitions are created and second, the partitions are allocated for their use purposes.

Caution: Partitioning deletes all the existing data on the hard disk.

To partition the hard disk

1. If you are asked whether you want to create an empty partition table, type y to continue.

ILLUSTRATION 6.16 Starting Partitioning

2. Press ENTER to continue.

ILLUSTRATION 6.17 Defining the Partition Table

3. Create the partitions for the engine as follows:
   3.1 For engine root A: 200 MB, bootable, Primary, Linux partition
   3.2 For engine root B: 200 MB, Primary, Linux partition
   3.3 For swap: twice the size of physical memory, Logical, Linux swap partition. To change the partition type to Linux swap, select Type and enter 82 as the file system type.
   3.4 For data: 500 MB or more, Logical, Linux partition
   3.5 For spool: allocate rest of the free disk space, Logical, Linux partition.
4. Check that the partition table information is correct.
5. Select Write to commit the changes and confirm by typing yes.

6. Select Quit and press ENTER.

Allocating Partitions

After partitioning the hard disk, the partitions are allocated for the StoneGate IPS engine.

To allocate the partitions

ILLUSTRATION 6.18 Checking the Partition Table

1. Check that the partition table is correct. Type YES to continue.

ILLUSTRATION 6.19 Allocating Partitions

2. Using the partition numbers of the partition table (see Illustration 6.18), assign the partitions for the engine, for example:
   2.1 For the engine root A partition, type 1.
   2.2 For the engine root B partition, type 2.
   2.3 For the swap partition, type 5.
   2.4 For the data partition, type 6.

   2.5 For the spool partition, type 7.

ILLUSTRATION 6.20 Accepting the Partition Allocation

3. Check the partition allocation and type YES to continue.

ILLUSTRATION 6.21 Installation Finished

4. The StoneGate IPS engine installation process is started. When installation is complete, remove the CD-ROM from the machine and press ENTER to reboot.
5. Continue the configuration as described in Configuring the Sensor or Analyzer, on page 97.

UPGRADING STONEGATE IPS

CHAPTER 7 Upgrading StoneGate IPS

This chapter explains how to upgrade both the StoneGate Management Center and the Sensors and Analyzers.

The following sections are included:

- Upgrading StoneGate Management Center, on page 112
- Upgrading the Sensors and Analyzers Remotely, on page 116
- Upgrading Sensors and Analyzers Locally, on page 116.

Upgrading StoneGate Management Center

The upgrade procedure for a StoneGate IPS system is as follows:

1. Obtain the installation files and licenses and check the installation file integrity.
2. Upgrade the Management Server, the Log Servers, and the GUI clients. The operation of StoneGate IPS Sensors or Analyzers is not interrupted even if the Management Center is offline.
3. Upgrade the Sensors and the Analyzers one by one. Confirm that the upgraded machine operates normally before upgrading the next machine.

StoneGate IPS operates normally during the upgrade process, even if there are two versions of the different system components running at the same time. For full functionality, all the system components should be upgraded to the same version as soon as possible.

This section describes how to upgrade the StoneGate Management Center components: the Management Server, the Log Server, and the GUI client. Upgrade of the Sensors and the Analyzer is described later in this chapter.

Checking the File Integrity

Before upgrading, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

Obtaining Licenses

Before upgrading the StoneGate Management Center, you will first need to obtain new licenses. Licenses of a previous version will not work with the later versions of StoneGate IPS. For new licenses, please visit the Stonesoft Web site at: http://www.stonesoft.com/license/. After obtaining the new licenses, install the licenses as described in section Installing StoneGate IPS Licenses, on page 62. Once the new licenses are activated, you will be ready to continue with the upgrade process.

Upgrading StoneGate Management Center

To upgrade the StoneGate Management Center, use the installation program as described in Installing the Management Center, on page 42. There is no need to uninstall the previous version. The install program will detect the components that need to be upgraded.

Caution: It is recommended to make a backup of the Management Server before upgrading it. During the upgrade process, you are also prompted to make an automatic backup of the Management Server data. For more information on backups, please refer to the StoneGate IPS Administrator's Guide.

To upgrade the Management Center components

1. Check that the Management Server and the Log Server processes (services) are stopped and that the GUI client is not running on the machine.
2. Insert the installation CD-ROM and run the setup executable as described in section Installing the Management Center, on page 42.

ILLUSTRATION 7.1 Defining Installation Directory

3. After accepting the license agreement, StoneGate IPS will automatically detect the directory location of the previous installation. Click Next to accept this location.

ILLUSTRATION 7.2 Components to be Upgraded

4. The installed Management Center components are displayed. Click Next to upgrade the components.

ILLUSTRATION 7.3 Backing Up Management Server Data

5. When upgrading the Management Server, you are prompted for backing up the current Management Server data. Select Yes to create a backup of the Management Server data. The backup is stored in the SG_HOME/backups/ directory. Click Next to continue.

ILLUSTRATION 7.4 Check the Installation Information

6. The installation summary window is displayed. Click Install to start the installation.

ILLUSTRATION 7.5 Installation Completed

7. The installation has been finished successfully. Click Done to quit the installation.

Upgrading the Sensors and Analyzers Remotely

The StoneGate IPS Sensors and Analyzers can be upgraded remotely from the Management Server. When upgrading a Sensor cluster, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

Before upgrading StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

To upgrade StoneGate IPS engine remotely

1. Copy the upgrade file to the directory SG_HOME/data/engineimages/ on your Management Server.
2. From the StoneGate IPS Control Panel, right-click on the Sensor or Analyzer you wish to upgrade and select Go Offline to command the machine offline.
3. Right-click on the machine you wish to upgrade and select Upgrade Software. In the notification window that opens, click Yes to accept that the node is rebooted after the upgrade is finished.
4. The engine upgrade window opens, showing you a list of the engine images in SG_HOME/data/engineimages/ directory that are available for installation. Choose the correct engine version and select Upgrade Node.

   Note: The time it takes to upgrade your node varies depending on the performance of your machines and the network environment.

5. Select View Upgrade Monitoring on the Control Panel to follow the upgrade process. Once the engine is successfully upgraded, the machine is automatically rebooted and the upgraded engine is brought up to offline state.
6. From the StoneGate IPS Control Panel, right-click on the upgraded engine node and select Go Online to command the engine node online.
7. If upgrading a Sensor cluster, continue the upgrade on the next Sensor node from Step 2 after the upgraded node is brought online and operational. StoneGate IPS can operate normally with two different versions of the Sensor engines online during the upgrade process.
Upgrading Sensors and Analyzers Locally

In addition to upgrading the Sensors and Analyzers remotely from the Management Server, it is possible to upgrade them locally on the machine. During a Sensor cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

Before upgrading StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 31.

To upgrade a Sensor or an Analyzer locally

1. Log in to the Sensor (or Analyzer) machine as root.
2. Insert the StoneGate IPS installation CD-ROM into the drive.
3. There are two ways to upgrade the machine:
   - Normal upgrade: type the command sg-upgrade to start the upgrade process. When notified that the machine is ready for reboot, remove the CD-ROM and confirm the reboot. Continue in Step 7.
   - Upgrade with configuration options: reboot the machine from the CD-ROM with command reboot. The upgrade is done using the installation wizard. Continue in Step 4.
4. If the machine is rebooted from the CD-ROM, the four installation options are presented:
   - Upgrade existing installation: choose this option to upgrade the previous installation.
   - Re-install using configuration from existing installation: choose this option to reinstall the engine using the existing configuration files (please see Installing Sensors and Analyzers, on page 95).
   - Full re-install: choose this option to reinstall the engine completely by removing the current configuration (please see Installing Sensors and Analyzers, on page 95).
   - Full re-install in expert mode: choose this option to reinstall the engine in expert mode by removing the current configuration (please see Installing Sensors and Analyzers, on page 95).
5. Select 1 to upgrade the previous installation and press ENTER to continue. The upgrade process starts.
6. When you are prompted, remove the CD-ROM and press ENTER to reboot.
7. From the Control Panel, right-click on the upgraded engine node and select Go Online to command the engine node online. The node can also be put online with command sg-cluster online on the node.
8. If upgrading a Sensor cluster, continue the upgrade on the next Sensor node from Step 1 after the upgraded node is brought online and operational. StoneGate IPS can operate normally with two different versions of the Sensor engines online during the upgrade process.

APPENDICES

APPENDIX A Command Line Tools

This appendix describes the command line tools for StoneGate Management Center and the engines. Using the GUI client is the recommended configuration method, as most of the same tasks can be done through it.

The following sections are included:

- Management Center Commands, on page 122
- Engine Commands, on page 127

Management Center Commands

The Management Server and the Log Server commands are found in the SGHOME/bin/ directory. In Windows, the command line tools are *.bat script files. In Linux and Unix, the files are *.sh scripts.

Note: Using the GUI client is the recommended configuration method, as most of the same tasks can be done through it.

TABLE A.1 Management Center Command Line Tools

Command: sgarchiveexport [-v] [-c -x] [-o EXPORT_FILE] [-f FILTER -e EXPRESSION] [-l [FW IPS ALERT] ARCHIVES]
Description: Exports logs from the log archive files or directly as they are received by the Log Server. This command is available only on the Log Server.
  -v option displays verbose output on the command execution.
  -c option exports the data in comma-separated (CSV) format.
  -x option exports the data in XML format.
  -o EXPORT_FILE option defines the destination file where the logs will be exported. If the option is not used, the output is displayed on screen.
  -f FILTER option defines the filter file used for filtering the log data for exporting. Filters can be saved in the GUI client's Filter Expression Editor.
  -e EXPRESSION option defines the filtering expression used for filtering the log data for exporting. The filter expressions can be viewed in the GUI client's Filter Expression Editor.
  -l [FW IPS ALERT] option exports the firewall, IPS, or alert data directly from the Log Server instead of log archive files.
  ARCHIVES option is a list of the log archive files and/or the directories to be exported.

Command: sgbackuplogsrv
Description: Creates a backup of all Log Server configuration and log data. The backup file is stored in the SGHOME/backups/ directory by default. To use other location, define the path in the SGHOME/data/LogServerConfiguration.txt file: LOG_BACKUP_DIR=PATH. You can restore the entire backup (the log database and/or configuration files) using the sgrestorelogbackup command. You can restore just the log database using the sgrecoverlogdatabase command.

Command: sgbackupmgtsrv
Description: Creates a backup of all Management Server configuration and database data. The backup file is stored in the SGHOME/backups/ directory. To use other location, define the path in the SGHOME/data/SGConfiguration.txt file: SG_BACKUP_DIR=PATH. You can restore the entire backup (the Management Server database and/or configuration files) using the sgrestoremgtbackup command. You can restore just the Management Server database using the sgrecovermgtdatabase command.

Command: sgcertifylogsrv
Description: Certifies the Log Server on the Management Server. This certificate is required to allow secure communication between the Log Server and the Management Server.

Command: sgcertifymgtsrv
Description: Recreates the Management Server's certificate. The Management Server certificate is required for secure communications between the StoneGate system components, as well as for the VPN connections that use the certificate authentication.

Command: sgchangemgtiponlogsrv NEW_IP_ADDR
Description: Changes the Management Server's IP address on the Log Server. Use this command to configure a new Management Server's IP address on the Log Server. Restart the Log Server after this command.
  NEW_IP_ADDR is the new Management Server's IP address.

Command: sgchangemgtiponmgtsrv NEW_IP_ADDR
Description: Changes the Management Server's IP address. Use this command when you want to change the Management Server's IP address to reflect changes made in the operating system. Restart the Management Server after this command.
  NEW_IP_ADDR is the new Management Server's IP address.

Command: sgclient
Description: Starts the StoneGate Management Center GUI client.

Command: sgconvertarchive [-v] [-delete] ARCHIVE_DIR ARCHIVES
Description: Converts archived logs from StoneGate 2.x format to StoneGate Management Center's archive file format. This command is available only on the Log Server.
  -v option displays verbose output on the command execution.
  -delete option removes the StoneGate 2.x archive files after conversion to free the disk space. The log entries are removed after the conversion process is completed.
  ARCHIVE_DIR is the number of the archive directory (0-31) where the converted logs will be located. By default, only archive directory 0 is defined. The archive directories can be defined in the SGHOME/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.
  ARCHIVES is a list of the archive files and/or the directories to be converted.

Command: sgconvertlogdatabase [-v] [-delete] ARCHIVE_DIR [-resume]
Description: Converts logs from StoneGate 2.x database to StoneGate Management Center's archive file format. This command is available only on the Log Server. The conversion process can be stopped at any time. The conversion will continue from the latest converted log entry when resuming the process.
  -v option displays verbose output on the command execution.
  -delete option removes the converted logs from the StoneGate 2.x database to free the disk space. The log entries are removed after the conversion process is completed.
  ARCHIVE_DIR is the number of the archive directory (0-31) where the converted logs will be located. By default, only archive directory 0 is defined. The archive directories can be defined in the SGHOME/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.
  -resume option continues a previously interrupted conversion from the latest converted log entry.

Command: sgcreateadmin
Description: Creates a superuser administrator account. The Management Server needs to be stopped before running this command.

Command: sgexport -file FILE -type TYPE [-rb RULEBASE]
Description: Exports StoneGate Management Center database elements to an XML file. This command can export network elements, service definitions, rule bases, and individual rules. Run the command without arguments to display the syntax.
  FILE is the file for the exported elements.
  TYPE is the element types to be exported: nw=network elements, sv=services, r=rules, al=alerts.
  RULEBASE (optional) specifies the name of the rulebase to be exported.

TABLE A.1 Management Center Command Line Tools Command sgimport -file FILE sginfo sgrecoverlogdatabase sgrecovermgtdatabase SgRecreateLogDatabase sgrestorearchive ARCHIVE_DIR sgrestorecertificate Description Imports StoneGate Management Center database elements from an XML file. This command can import network elements, service definitions, rule bases, and individual rules. Run the command without arguments to display the syntax. FILE is the file from which the elements are imported. The file must be in the same directory with the StoneGate DTD files in SGHOME/data/. It can be defined whether the imported objects should overwrite the existing elements in the Management Center. By default, the existing elements are not overwritten. This is configured in the Management Server s SGHOME/ data/sgconfiguration.txt file as follows: To keep the existing objects (the default setting), set: SG_SKIP_DURING_IMPORT=true To overwrite the existing objects with the imported objects, set: SG_SKIP_DURING_IMPORT=false Creates a ZIP file that contains copies of configuration files and the system trace files containing logs on problem situations. The ZIP file is stored in the user s home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes. Restores a Log Server database from the most recent backup copy. Use this tool only if the Log Server database becomes corrupted. Restores the Management Server s database from the most recent backup copy in the SGHOME/backups/ directory. Use this tool only if the Management Server database becomes corrupted. Creates a new Log Server database. Use this tool only if the Log Server database becomes corrupted. Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0 31) from where the logs will be restored. By default, only archive directory 0 is defined. 
The archive directories can be defined in the SGHOME/data/ LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH. Restores the Certificate Authority (CA) or the Management Server certificate from a backup file. The certificates can be backed up in the GUI client s Control Panel: File Save Certificates. StoneGate IPS Installation Guide 125

Appendix A: Command Line Tools TABLE A.1 Management Center Command Line Tools sgrestorelogbackup sgrestoremgtbackup sgshowfingerprint sgstartlogdatabase sgstartlogsrv sgstartmgtdatabase sgstartmgtsrv Command sgstoplogdatabase sgstopmgtdatabase sgstopremotemgtsrv [-host HOST] [-port PORTNUM] [-login LOGINNAME] [-pass PASSWORD] Restores the Log Server (logs and/or configuration files) from a backup file in the SGHOME/backups/ directory. Restores the Management Server (database and/or configuration files) from a backup file in the SGHOME/backups/ directory. Displays the CA certificate s fingerprint on the Management Server. Starts the Log Server s database. Starts the Log Server and its database. Description Starts the Management Server s database. (The Management Server s database is started and stopped automatically when starting/stopping the Management Server service.) Starts the Management Server and the Management Server s database. Stops the Log Server s database. (The Log Server s database is started and stopped automatically when starting/stopping the Log Server service.) Stops the Management Server s database. (The Management Server s database is started and stopped automatically when starting/stopping the Management Server service.) Stops the local Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server. HOST is the Management Server s host name if not localhost. PORT is the Management Server s GUI client port number (by default, 8902) LOGINNAME is a StoneGate administrator account for the login. PASSWORD is the password for the administrator account. 126

Engine Commands

StoneGate IPS engine commands can be run from the command line on the Sensor or Analyzer.

TABLE A.2 StoneGate Engine Command Line Tools

| Command | Description |
|---|---|
| sg-cluster | Displays status of each node. You can also use it to change the status of a node. Run the command without arguments to display the syntax. |
| sg-contact-mgt | Connects to the Management Server to establish a trust relationship. |
| sg-logger | Can be used in scripts to create log messages. |
| sg-reconfigure | Used for reconfiguring the node manually. |
| sg-upgrade | Upgrades the node from a CD-ROM. Alternatively, the node can be upgraded remotely using the GUI client or by rebooting from the installation CD-ROM. |
| sg-version | Displays the software version and build number on the node. |


APPENDIX B StoneGate IPS Ports

StoneGate IPS uses SSL/TLS-secured TCP connections between the system components. The connections and the TCP ports used are illustrated below.

ILLUSTRATION B.1 TCP Connections Between the StoneGate IPS Components

In Illustration B.1, the listening TCP ports are indicated in the boxes next to each system component. The connections are established in the direction of the arrows. The dashed arrows indicate the one-time connections during the initial configuration of the system components when they establish a trust relationship with the Management Server. After a successful initial connection, all the communications between the components take place as indicated by the arrows with the solid lines.

The following table lists the ports used in communication between the StoneGate IPS components.

TABLE B.1 StoneGate IPS Ports

| Listening hosts | Port/Protocol | Contacting hosts | Service description |
|---|---|---|---|
| Sensor, Analyzer | 4950/tcp | Management Server | Remote upgrade from the Management Server |
| Sensor | 18888/tcp | Management Server | Control connections, status monitoring, and policy upload |
| Analyzer | 18889/tcp | Management Server | Control connections, status monitoring, and policy upload |
| Analyzer | 18890/tcp | Sensor, Analyzer | Event data sent from the Sensors or other Analyzers |
| Analyzer | 514/udp | syslog | Syslog messages forwarded to Analyzer |
| Log Server | 3020/tcp | Analyzer, Sensor | Log and alert messages from Analyzers and recording file transfers from Sensors |
| Log Server | 8914-8918/tcp | GUI | GUI connections to the Log Server |
| Log Server | 8987, 8990, 8995/tcp | Management Server | Management Server connections to the Alert Server |
| Management Server | 3021/tcp | Sensor, Analyzer | Initial contact from Sensor or Analyzer during installation |
| Management Server | 5936/tcp | Log Server | Initial contact from Log Server during installation |
| Management Server | 8902-8913/tcp | GUI, Log Server | GUI and Log Server connections to the Management Server |
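The port matrix in Table B.1 can double as an allow-list when reviewing firewall or flow logs from the management network. The following is an added example, not part of the StoneGate documentation: the log line format, the role names, the host inventory and the addresses are constructed, and flagging an initial-contact port used by an already-enrolled host is an assumption drawn from the guide's statement that those connections are one-time.

```python
"""Audit observed connections against the Table B.1 port matrix (added example)."""
import re

# Table B.1 as data: (listening role, protocol, first port, last port,
# contacting roles, one_time). one_time marks the initial-contact ports
# that the guide describes as used only while trust is being established.
FLOWS = [
    ("sensor",   "tcp", 4950,  4950,  {"mgmt"}, False),
    ("analyzer", "tcp", 4950,  4950,  {"mgmt"}, False),
    ("sensor",   "tcp", 18888, 18888, {"mgmt"}, False),
    ("analyzer", "tcp", 18889, 18889, {"mgmt"}, False),
    ("analyzer", "tcp", 18890, 18890, {"sensor", "analyzer"}, False),
    ("analyzer", "udp", 514,   514,   {"syslog"}, False),
    ("log",      "tcp", 3020,  3020,  {"analyzer", "sensor"}, False),
    ("log",      "tcp", 8914,  8918,  {"gui"}, False),
    ("log",      "tcp", 8987,  8987,  {"mgmt"}, False),
    ("log",      "tcp", 8990,  8990,  {"mgmt"}, False),
    ("log",      "tcp", 8995,  8995,  {"mgmt"}, False),
    ("mgmt",     "tcp", 3021,  3021,  {"sensor", "analyzer"}, True),
    ("mgmt",     "tcp", 5936,  5936,  {"log"}, True),
    ("mgmt",     "tcp", 8902,  8913,  {"gui", "log"}, False),
]

# Constructed log format: "<timestamp> <src-ip> -> <dst-ip> <proto>/<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+)$")


def classify(src_role, dst_role, proto, port, src_enrolled=False):
    """Return a verdict for one connection towards a StoneGate component."""
    for listen, p, lo, hi, contacts, one_time in FLOWS:
        if (listen == dst_role and p == proto
                and lo <= port <= hi and src_role in contacts):
            if one_time:
                # Assumption: a host that already has a trust relationship
                # has no reason to use an initial-contact port again.
                return "review-initial-contact" if src_enrolled else "initial-contact"
            return "allowed"
    # Known listener, but wrong port, protocol, direction or contacting role.
    return "unexpected"


def audit(lines, inventory, enrolled):
    """Classify each log line; skip traffic whose destination is out of scope."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            findings.append((line, "unparsed"))
            continue
        _ts, src, dst, proto, port = m.groups()
        dst_role = inventory.get(dst)
        if dst_role is None:
            continue  # destination is not a StoneGate component
        src_role = inventory.get(src, "unknown")
        verdict = classify(src_role, dst_role, proto, int(port), src in enrolled)
        findings.append((line, verdict))
    return findings


# Constructed inventory and sample log, for illustration only.
INVENTORY = {
    "10.0.0.10": "mgmt", "10.0.0.11": "log", "10.0.0.21": "sensor",
    "10.0.0.31": "analyzer", "10.0.0.50": "gui", "10.0.0.60": "syslog",
}
ENROLLED = {"10.0.0.21"}  # hosts that already completed initial contact
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.10 -> 10.0.0.21 tcp/18888",  # policy upload
    "2024-05-01T10:00:05Z 10.0.0.21 -> 10.0.0.10 tcp/18888",  # wrong direction
    "2024-05-01T10:01:00Z 10.0.0.31 -> 10.0.0.10 tcp/3021",   # first enrollment
    "2024-05-01T10:02:00Z 10.0.0.21 -> 10.0.0.10 tcp/3021",   # enrolled host again
    "2024-05-01T10:03:00Z 10.0.0.50 -> 10.0.0.11 tcp/8916",   # GUI to Log Server
    "2024-05-01T10:04:00Z 192.0.2.7 -> 10.0.0.10 tcp/8902",   # unknown source
    "2024-05-01T10:05:00Z 10.0.0.60 -> 10.0.0.31 udp/514",    # syslog forward
    "2024-05-01T10:06:00Z 10.0.0.21 -> 203.0.113.9 tcp/443",  # out of scope
    "garbage line",
]


def run_sample():
    """Return only the verdicts for the constructed sample log."""
    return [verdict for _line, verdict in audit(SAMPLE_LOG, INVENTORY, ENROLLED)]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG, INVENTORY, ENROLLED):
        print(f"{verdict:24} {line}")
```
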


Software and License Information

Licenses

Stonesoft products are sold pursuant to their relevant End-User License Agreements. By installing or otherwise using Stonesoft products in any way, end-users agree to be bound by such agreement(s). Please see Stonesoft's Website, www.stonesoft.com for further details.

If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense ("DoD"), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations ("DFAR") in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations ("FAR"). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions

The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

Patent Notice

Multi-Link, Multi-Link VPN, and the StoneGate clustering technology as well as other technologies included in StoneGate are protected by pending patent applications in the U.S. and other countries.

Additional Software Licensing Information

The StoneGate software includes several open source or third-party software packages to support certain features. This section provides the appropriate software licensing information for those products.

GNU General Public License Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. 
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole.
If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. 
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special

exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouseclicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program Gnomovision (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it.
You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. 
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. 
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices.
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library.
It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the library's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. <signature of Ty Coon>, 1 April 1990 Ty Coon, President of Vice That's all there is to it! OpenSSL Toolkit This software includes the OpenSSL toolkit. LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project. Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young, (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License ----------------------- Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) The word cryptographic can be left out if the rouines from the library being used are not cryptographic related:-). If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson (tjh@cryptsoft.com) THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

OpenLDAP This software includes the OpenLDAP client developed by The OpenLDAP Foundation. Original version of the OpenLDAP client can be downloaded from http://www.openldap.org This software includes the OpenLDAP server. The OpenLDAP Public License Version 2.7, 7 September 2001 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use the Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. OpenLDAP is a trademark of the OpenLDAP Foundation. Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.
Permission to copy and distribute verbatim copies of this document is granted. libradius1 This software includes the libradius1 package. Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <lf@elemental.net> Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Lars Fenneberg not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Lars Fenneberg. Lars Fenneberg makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ------------------------------------------------------------------------------ Copyright 1992 Livingston Enterprises, Inc. Livingston Enterprises, Inc. 6920 Koll Center Parkway Pleasanton, CA 94566

Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Livingston Enterprises, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc. Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ------------------------------------------------------------------------------ [C] The Regents of the University of Michigan and Merit Network, Inc. 1992, 1993, 1994, 1995 All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies of the software and derivative works or modified versions thereof, and that both the copyright notice and this permission and disclaimer notice appear in supporting documentation. THIS SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the University of Michigan and Merit Network, Inc. shall not be liable for any special, indirect, incidental or consequential damages with respect to any claim by Licensee or any third party arising from use of the software.
------------------------------------------------------------------------------ Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided as is without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. TACACS+ Client This software contains TACACS+ client. Copyright (c) 1995-1998 by Cisco systems, Inc. Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies of the software and supporting documentation, the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that modification, copying and distribution is by permission of Cisco Systems, Inc. Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm

Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.

License to copy and use this software is granted provided that it is identified as the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided as is without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

libwww

This software contains libwww software. Copyright 1995-1998 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved. This program is distributed under the W3C's Intellectual Property License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See W3C License http://www.w3.org/consortium/legal/ for more details.

------------------------------------------------------------------------------

Copyright 1995 CERN. "This product includes computer software created and made available by CERN. This acknowledgment shall be mentioned in full in any product which includes the CERN computer software included herein or parts thereof."
W3C SOFTWARE NOTICE AND LICENSE

http://www.w3.org/consortium/legal/2002/copyright-software-20021231

This work (and included software, documentation such as READMEs, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions.

Permission to copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications:

1. The full text of this NOTICE in a location viewable to users of the redistributed or derivative work.
2. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, the W3C Software Short Notice should be included (hypertext is preferred, text is permitted) within the body of any redistributed or derivative code.
3. Notice of any changes or modifications to the files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.

COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.

The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.

This formulation of W3C's notice and license became active on December 31 2002. This version removes the copyright ownership notice such that this license can be used with materials other than those owned by the W3C, reflects that ERCIM is now a host of the W3C, includes references to this specific dated version of the license, and removes the ambiguous grant of "use". Otherwise, this version is the same as the previous version and is written so as to preserve the Free Software Foundation's assessment of GPL compatibility and OSI's certification under the Open Source Definition. Please see our Copyright FAQ for common questions about using materials from our site, including specific terms and conditions for packages like libwww, Amaya, and Jigsaw. Other questions about this notice can be directed to site-policy@w3.org.

Joseph Reagle <site-policy@w3.org>
Last revised by Reagle $Date: 2003/01/16 15:01:10 $

XML-RPC C Library License

This software contains software covered by the XML-RPC C Library License.

Copyright (C) 2001 by First Peer, Inc. All rights reserved.
Copyright (C) 2001 by Eric Kidd. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Expat License

This software contains software covered by the Expat License.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ABYSS Web Server License

This software contains software covered by the ABYSS Web Server License

Copyright (C) 2000 by Moez Mahfoudh <mmoez@bigfoot.com>. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Python 1.5.2 License

This software contains software covered by the Python 1.5.2 License.

Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum, Amsterdam, The Netherlands. All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of Stichting Mathematisch Centrum or CWI or Corporation for National Research Initiatives or CNRI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

While CWI is the initial source for this software, a modified version is made available by the Corporation for National Research Initiatives (CNRI) at the Internet address ftp://ftp.python.org.

STICHTING MATHEMATISCH CENTRUM AND CNRI DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM OR CNRI BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The Apache Software License, Version 1.1

"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."

Copyright (C) 1999 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names "log4j" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called Apache, nor may Apache appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Bouncy Castle notice and license.

Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Index

A
Advanced Configuration and Power Interface (ACPI), 96, 104
Analyzer defining, 63
Automatic Power Management (APM), 96, 104

B
BIOS settings, 96, 104
booting from CD-ROM, 96

C
Capture Interface
  defining for combined Sensor/Analyzer, 79
  defining for Sensor cluster, 70
  defining for single Sensor, 76
certificate
  creating for Log Server, 50
  Log Server, 49
checking CA fingerprint, 51, 61
checksum, 31
cluster adding Sensor node, 73
commands
  command line, 121
  engine, 127
  Log Server, 122
  Management Server, 122
compatibility network device, 31
components system, 30
configuring engine, 97
contact address
  Analyzer, 65, 72, 75, 79
  Management Server, 86, 88
contacting Management Server, 102

D
database path for Log Server, 50
driver for NIC, 101

F
file integrity checking, 31
fingerprint checking, 51, 61

G
GUI client
  login, 61
  starting, 60

I
initial configuration
  activating, 102
  saving, 89
installation path for Management Center, 44
installation procedure, 37
installing
  engine, 96
  engine in expert mode, 104
  Management Center, 41

K
Keyboard layout configuring, 99

L
license installing, 62
Log Server starting, 62
Logical Interface defining, 66

M
Management Server starting, 60
Management Server element, 86
MD5 checksum, 31
mounting CD-ROM, 42

N
NDI
  defining for Analyzer, 64, 84
  defining for Sensor Cluster, 68
  defining for Sensor/Analyzer, 78
  defining for single Sensor, 74
network interface
  defining for Analyzer, 64
  defining for Sensor cluster, 68
  defining for Sensor/Analyzer, 78
  defining for single Sensor, 74
NIC driver configuring, 101

O
one-time password, 89

P
partitioning hard disk manually, 105
password one-time, 89
path Management Center, 44
platforms supported, 30
port mirroring, 32
port number default for Log Server, 49

R
restart engine configuration, 103
routing configuring, 81

S
Sensor (single) defining, 73
Sensor cluster defining, 67
Sensor/Analyzer (combined) defining, 77
service
  Log Server, 49
  Management Server, 48
sgadmin user account, 43
SHA-1 checksum, 31
sniffing network traffic, 101
Solaris patches for JRE, 42
SPAN port, 32
SSH daemon enabling, disabling, 100
starting
  GUI client, 60
  Log Server, 62
  Management Server, 60
superuser account creating, 47

T
TAP, 32
timezone configuring, 99
typographical conventions, 15

U
uninstalling Management Center, 56
upgrading
  engine manually, 116
  engine remotely, 116
  Management Center, 112

W
wire TAP, 32
