Reviewer's Guide. Document Version 10.04.5.007-20/12/2013. Document version 7400-1.0-16/11/2005. Document version 7400-1.


General Information

Technical Assistance

If you have problems with your system, contact customer support using one of the following methods:

- Email id: support@cyberoam.com
- Telephonic support (Toll free)
  APAC/EMEA: +1-877-777-0368
  Europe: +44-808-120-3958
  India: 1-800-301-00013
  USA: +1-877-777-0368

Please have the following information available prior to contacting support. This helps to ensure that our support staff can best assist you in resolving problems:

- Description of the problem, including the situation where the problem occurs and its impact on your operation
- Product version, including any patches and other software that might be affecting the problem
- Detailed steps on the methods you have used to reproduce the problem
- Any error logs or dumps

Additional Resources

Visit the following links for more information on configuring Cyberoam:

- Technical Documentation - http://docs.cyberoam.com
- Cyberoam Knowledge Base - http://kb.cyberoam.com
- Cyberoam Security Center - http://csc.cyberoam.com
- Cyberoam Upgrades - http://customer.cyberoam.com

Page 2 of 34 10.04.5.007-20131220

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

User's License

Use of this product document is subject to acceptance of the terms and conditions of the Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find a copy of the EULA at http://www.cyberoam.com/documents/eula.html and the Warranty Policy for Cyberoam UTM Appliances at http://ikb.cyberoam.com.

Restricted Rights

Copyright 1999-2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road, Ahmedabad 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

Contents

Cyberoam - Future-ready Unified Threat Management
Deploy Cyberoam
Create a Customer Account and Register Appliance
Access Cyberoam
Verify Configuration
Synchronize Licenses
Configure Mail and Web server access
Identity-based Security
User Authentication
Create Identity-based Security policy
Identity-based Reporting
Cyberoam Building Blocks
Configure Network Access rules
Default Firewall Rules
Firewall Rule processing order
NAT (Network Address Translation)
Web Filter
Filter traffic based on Domain Names
Block Facebook - a social networking service
Block Category NewsAndMedia for group of users Trainees
Application Filter
Update Application Filter Policy DenyProxy to Block Proxies
Allow Yahoo Instant Messenger (IM) only and block all other IMs
Block P2P applications for a user John Pitt
Web Application Firewall (WAF)
Protect Domain www.test.com publicly hosted on Web Server 202.134.168.208
Manage Bandwidth
Prioritize Application bandwidth usage
Control bandwidth (single user/group)
Virtual Private Network
Configure Site-to-Site IPSec VPN connection
Configure remote access VPN on Cyberoam
Configure VPN failover
Configure SSL VPN
Data Leakage Prevention
Prevent data loss over Web and Internet mail (Single/Group of users)
Email data leakage prevention
IM Controls
Data Loss Prevention through Regular Expression (RegEx)
Virus and Spam scanning
Managing Spam
Actions for Spam mails
Block/Allow mails using White lists and Black lists
Quarantine management
Quarantine Digest
Release Quarantined Spam Mails
Intrusion Prevention System (IPS)
Create Identity-based IPS Policy
Signature-based Protocol Anomaly Detection
Configure Multiple Gateways
Add Gateway
Define gateway weight for load balancing
Configure Source based routing
Configure Outbound Load balancing
Configure Gateway Failover
Gateway Failback
Configure Wireless WAN (3G/4G/LTE USB modem)
Virtual LAN (VLAN)
Dynamic Routing
On-Appliance Reports
Dashboard
User-wise - Threats detected
Access On-Appliance Reports
Analytical Reports
Search Engine Report
Compliance reports
Data Leakage reports
Troubleshooting

Preface

Thank you for purchasing the award-winning, future-ready Cyberoam UTM.

Welcome to Cyberoam Reviewer's Guide!

This document is designed to ensure that you are able to use the basic features of Cyberoam. It contains configuration guidelines on what is to be done after the Cyberoam appliance is up and running in your network and addresses the most common use-case scenarios.

In addition to this guide, you can access online help by clicking More Options > Help located in the rightmost corner of every page of the GUI. The entire Cyberoam documentation set is available at http://docs.cyberoam.com and http://kb.cyberoam.com.

The configuration given in the document is to be performed from the Web Admin Console (GUI) of Cyberoam unless specified otherwise.

Cyberoam - Future-ready Unified Threat Management

Cyberoam's NG Series of UTM appliances offer high-speed security to organizations through their unique, user identity-based policy controls. They enable organizations to keep stride with the current and future IT trends which include data moving at 100 times the current speeds, super-fast wireless connections, critical business applications and services moving to the Web, Internet access devices multiplying per user and a tremendous increase in data usage. The gargantuan performance leap in Cyberoam ensures that while a company's growth and productivity increase in leaps and bounds, its security follows close at their heels.

This Reviewer's Guide has been written with respect to CR 200iNG-XP, which is part of Cyberoam's NG Series. It brings with it a whole new range of features: an intuitive next-generation GUI, detachable I/O slots and a revamped reporting mechanism.

The all-new Firmware CyberoamOS: The NG series appliances are based on CyberoamOS, the most intelligent and powerful Cyberoam firmware till date. The new firmware tightly integrates with the hardware for network and crypto acceleration to deliver high performance. The CyberoamOS also extracts the highest level of performance from a multi-core platform, along with offering minimum latency and improved processing speed with use of optimized Interrupt Rates and Fast Path technology. Its Next Generation security features offer protection against newly evolving threats.

FleXi Ports: The FleXi Ports (XP) available in the XP series of appliances offer flexible network connectivity with an I/O slot that allows additional Copper/Fiber 1G/10G ports on the same security appliance. To organizations who want to shift to Fiber 1GbE/10GbE connectivity, FleXi Ports give freedom from forced purchase of higher end security appliances to get desired I/O interfaces. FleXi Ports consolidate the number of devices in a network, offering benefits of power efficiency, reduced network complexity and reduced OPEX.

Powerful Hardware: Cyberoam comes with powerful hardware consisting of Gigahertz processors for nanosecond security processing along with Gigabit Ethernet ports and high port density. A complete overhaul of the appliance design has resulted in an unmatched performance gain with Next Generation memory and more storage capacity.

Superior Quality: The unique design and robust components used in the Cyberoam support high speed I/O throughputs for better performance as well as protect against tough environmental conditions, including power surge and fluctuations.

Next Generation GUI: Cyberoam's state-of-the-art GUI leverages Web 2.0 technology to minimize security errors and simplify navigation. It is aimed at removing the clutter from managing Unified Threat Management (UTM) appliances. Feature inputs include accordion menus and tabs, easy access top panel, static status bar, unsubscribed modules visibility, direct appliance actions for reboot and shutdown, Web 2.0 pop-ups and the use of TAB and SPACE keys for easy and effective navigation.

Extensible Security Architecture: Cyberoam's extensible security architecture has been designed to grow with the future security needs of an organization without degrading system performance, in order to support newer feature enhancements with minimum effort. This is in sharp contrast to fixed configuration ASIC architecture-based appliances whose capability cannot be upgraded as quickly.

IPv6 Ready: Cyberoam further holds up its future-ready claim by being IPv6 Ready. Cyberoam UTM has been awarded the IPv6 Ready Gold Logo.

Enhanced Feature Set - More bang for the buck: Cyberoam consists of the full Cyberoam UTM feature set which delivers great value-for-money.

- Firewall delivers effective protection with stateful and deep packet inspection, access control, user authentication, Network and Application layer protection.
- IPS, with its large signature database, as well as support for custom signatures, delivers intelligent protection against DoS attacks, backdoor activity, blended threats and more.
- Web Application Firewall (WAF) secures websites and web-based applications in organizations against Application Layer (Layer 7) attacks like SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking, buffer overflows, and more.
- Anti Virus and Anti Spyware offers protection from viruses, worms, spyware and more across the web, Email protocols (HTTP, FTP, SMTP, POP3, IMAP) and IM traffic.
- Anti Spam with signature-less RPD technology delivers content-agnostic spam protection from both inbound as well as outbound spam. This is on top of a user-based spam digest and Virus Outbreak Detection technology.
- Cyberoam's VPN offerings allow secure, remote connectivity across IPSec, PPTP and L2TP along with SSL VPN.
- 3G/4G/WiMax support offers secure high-speed continuous connectivity with failover and load balancing capabilities.
- Multi-link Management maximizes connectivity and reliability by managing Internet traffic over multiple ISP links, while supporting failover.
- Cyberoam's content filtering controls indiscriminate surfing with a highly comprehensive and rapidly-updated URL categorization database with 89+ categories.
- Instant Messenger (IM) Management allows archiving and customized security control over Yahoo and Windows Live Messenger.
- Application Layer Management manages applications based on user, time and bandwidth to control their availability to users. It also offers benefits of productivity and cost containment by optimizing bandwidth consumed within the organization. Bandwidth optimization is further strengthened with best-of-breed Bandwidth Management/QoS.

Revamped Cyberoam iView Reporting Tool: Cyberoam has an integrated Cyberoam iView logging and reporting tool to offer visibility into activities within the organization for ensuring security, data confidentiality and regulatory compliance. Its bifurcated dashboard facilitates better presentation of reports with one dashboard displaying all traffic-related information while the other displays security-related alerts. Cyberoam has also introduced enhancements in the form of Chart Preferences, Records per Page Control, Inline Charts, Animated Charts and Report Group Dashboard to increase visibility and improve the presentation of the reports.

Data Leakage Prevention: Put together, Cyberoam's Content Filtering, Application Layer Management, WAF and Instant Messenger Control features form a powerful data leakage prevention suite against insider threats.

Quick Deployment and Easy Setup: Cyberoam is very simple to operate and readily deployable in any networking environment. While the Quick Start Guide gives step-by-step deployment instructions, the Getting Started manual gives initial configuration guidelines on Cyberoam's Web Admin Console (GUI).

Customer Support and Documentation: Cyberoam appliances offer several levels of paid customer support, as shown in http://www.cyberoam.com/mcontracts.html. All of them include Web, Telephone, Email and Chat Support along with firmware upgrades, hardware warranty and RMA fulfillment. They also include access to the knowledge base (kb.cyberoam.com), Customer Support Portal (http://customer.cyberoam.com) and the Cyberoam Security Center (www.cyberoamsecuritycenter.com). The Cyberoam Product Documentation website http://docs.cyberoam.com provides the latest documentation for all Cyberoam products. Also, Cyberoam's Knowledge Database, http://kb.cyberoam.com/, contains an exhaustive array of information related to upgrades and troubleshooting guidelines.

Deploy Cyberoam

If Cyberoam is not already deployed in your network, refer to the Quick Start Guide to get step-by-step deployment help.

Create a Customer Account and Register Appliance

A Customer Account is required for Appliance registration. If you have not created an account or registered your appliance already, refer to the Registration and Subscription Guide, which provides a walkthrough of the entire process.

Access Cyberoam

Web Admin Console

Cyberoam supports a Web 2.0 based easy-to-use graphical interface, the Web Admin Console, to configure and manage your Cyberoam appliance. While many of the GUI elements display the embedded information tool tip on mouse hover, the Status bar at the bottom of each window displays the status of actions executed in the Web Admin Console.

Cyberoam appliances are shipped with two Administrator Users:

Username: admin
Password: admin
Console Access: Web Admin console, CLI console
Privileges: Full privileges for both the consoles i.e. read-write permission for the entire configuration performed through either of the consoles.

Username: cyberoam
Password: cyber
Console Access: Web Admin console only
Privileges: Full privileges i.e. read-write permission for the entire configuration performed through Web Admin console.

We recommend that you change the password of both the users immediately on deployment.

If you are accessing the Cyberoam appliance for the first time after deployment and have not changed the default IP scheme, browse to http://172.16.16.16, else http://<lan IP address of Cyberoam>, and log on with default credentials. LAN IP Address of Cyberoam is the IP Address configured through the Network Configuration Wizard at the time of deployment.

Screen - Login

The Dashboard is displayed upon successful authentication to the appliance.

The Dashboard provides a quick overview of all the important parameters of the Cyberoam Appliance including the current operating status of the appliance. It groups the information in drag-and-drop doclets, which makes it easy to re-position, navigate and locate the required information. The Dashboard displays automatically upon successful authentication to a Cyberoam Appliance, and can be viewed at any time by pressing the F10 key or clicking the Dashboard icon in the topmost icon bar.

This icon bar in the upper rightmost corner of every page provides access to several commonly used functions:

- Dashboard - Click to view the Dashboard.
- Wizard - Network Configuration Wizard guides you through a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your appliance.
- Reports - Redirects to the Integrated Logging and Reporting solution Cyberoam iView, which offers a wide spectrum of unique user identity-based reports across applications and protocols, and provides in-depth network visibility to help organizations take corrective and preventive measures.
- Console - Provides immediate access to the Command Line Interface (CLI) by initiating a Telnet connection with CLI without closing the Web Admin Console.
- Logout - Click to log out from the Web Admin Console.
- More Options - Click to view all the other options available for assistance. On clicking, the following menu is displayed.

The available options are:

- Support is used to open the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.
- About Product is used to open the appliance registration information page.
- Help is used to open the context sensitive help for the page. Each appliance includes a Web-based online help, which can be viewed from any page of the Web Admin Console. It is deployed automatically with the software.
- Reset Dashboard is used to reset the Dashboard to factory default settings.
- Lock is used to lock the Web Admin Console. Cyberoam automatically locks the Web Admin Console if the appliance is in an inactive state for more than 3 minutes. Provide administrator credentials to unlock the Web Admin Console. By default, Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings.
- Reboot Appliance is used to reboot the appliance.
- Shutdown Appliance is used to shut down the appliance.

Note: CLI Console can be accessed via remote login utility TELNET or SSH client.

Verify Configuration

Verify the configuration done through the Network Configuration Wizard from the Dashboard. Confirm:

- subscription of all the modules from the License Information section
- deployment mode from the Appliance Information section
- status of the default gateway from the Gateway Status section

Screen - Dashboard

Synchronize Licenses

Navigate to System > Maintenance > Licensing and click Synchronize to synchronize licenses. This fetches the license details from the Cyberoam Registration Server and updates the Appliance.

Configure Mail and Web server access

To configure Cyberoam for providing access to internal resources such as mail and web servers hosted in LAN, you need to create:

- Virtual Host from (Firewall > Virtual Host > Add)
- WAN to LAN Firewall Rule for the respective Virtual Host to allow the inbound traffic (when servers are hosted in LAN)
- WAN to DMZ Firewall Rule for the respective Virtual Host to allow the inbound traffic (when servers are hosted in DMZ)

Refer to Configure one-to-one IP address mapping to access devices on Internal network for step-by-step configuration.

Identity-based Security

User Authentication

Configure user authentication from Identity > Authentication. For Cyberoam to authenticate users, one needs to add users and configure user group membership. Refer to the article How To Register User for more details on how to add users.

User level authentication can be performed using the local user database, RADIUS, LDAP, Active Directory or any combination of these. Cyberoam also provides Single Sign On (SSO) capability, and SSO can be used in conjunction with Active Directory. The SSO authentication mechanisms available are:

- Clientless SSO authentication in Active Directory (AD) - Provides a transparent user authentication mechanism without installing an SSO client on workstations. Refer to the article Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment for more details.
- SSO authentication in Active Directory (AD) - Provides a transparent user authentication mechanism that needs an SSO client on individual workstations. Refer to the article Implement Single Sign On Authentication with Active Directory for more details.
- NT LAN Manager (NTLM) in Active Directory (AD) - Provides a browser-initiated authentication mechanism in which clients get authenticated without sending the password over the wire. It is used as a failback authentication method if any of the above authentication methods fail. Refer to the article How To Configure NTLM in Cyberoam for more details.

Generate Reports with user names

You need to configure the Appliance with any of the authentication methods mentioned above to generate reports with user names. It is easier to monitor user activity and identify the source and destination of the traffic with a user name than with an IP Address.

Create Identity-based Security policy

Cyberoam identity-based security appliances combine network security and a centralized security management solution to quickly respond to threats and bandwidth shortages. They focus on monitoring and applying rules to specific users and applications, hence providing the much needed visibility and control into network traffic which most enterprises are struggling for. This improves network security by eliminating excess privilege on the network while also providing identity-based auditing of user activity.

Cyberoam identifies every network user and applies security policies on his/her identity, so the security policies follow the user everywhere. Cyberoam allows defining the following identity-based security policies:

- Firewall Rule
- IPS policy
- Content Filtering policy - block applications, web categories
- QoS policy
- Data Leakage Prevention policy - block mail attachments through Web mails and Email clients

Identity-based Reporting

Cyberoam, integrated with the Web-based reporting tool Cyberoam iView, offers 1200+ unique user identity-based reports across applications and protocols. It also provides in-depth network visibility to help organizations take corrective and preventive measures. It provides network administrators with the much-needed information to enable the best protection and security for their networks against attacks and vulnerabilities.

As all the reports are user-wise, it is possible to monitor and identify who is surfing what and when. Productivity being a major issue, identifying who is surfing what and when helps in fine-tuning the Internet access policy to improve productivity.

Cyberoam Building Blocks

The basic building blocks in Cyberoam are Zones, Interfaces and Objects (Network/Address). This structure is used for defining firewall rules to allow or deny access to specific Internet traffic.

Zone - logical grouping of Interfaces, each with its own set of usage rules, services and policies, that includes:

- predefined zones - LAN, WAN, DMZ, LOCAL, VPN
- custom zones

LOCAL zone is the grouping of the entire set of physical ports on the Cyberoam Appliance, including their configured aliases. In other words, IP Addresses assigned to all the ports fall under the LOCAL zone. To create additional LAN, DMZ and VPN zone types, refer to the Cyberoam User Guide.

Interface:

- actual physical Ethernet interfaces or ports, Port A through Port F (additional ports if FleXi port is used)
- subinterfaces - VLAN
- PPPoE interfaces
- interface aliases

Objects - logical building blocks of the firewall rule, which include:

- Host - IP and MAC Addresses, Fully Qualified Domain Name (FQDN) and Country
- Services - which represent a specific protocol and port combination e.g. DNS service for TCP protocol on port 53
- Schedule - to control when the rule will be in effect e.g. All Days, Work Hours
- Certificates
- File Types

Configure Network Access rules

Firewall Rule is a centralized network management tool that allows defining inbound and outbound access policy and configuring the entire set of security policies of the Cyberoam security appliance.

The Firewall Rule page is a sortable rule management interface designed to make rule management a simpler and more intuitive process. With the new interface, you do not have to navigate from page to page to create all the components referenced by the firewall before configuring the firewall rule. You can simply create and manage the following firewall rule components from this single page itself:

- Entire set of Cyberoam security policies - Virus and Spam scanning, IPS, Web filter policy, Application filter policy, Web Application Firewall policy, IM control policy, QoS policy and routing policy
- All the Objects - IP Address, MAC Address, Virtual Host, FQDN and Country hosts, services, schedule

By default, Cyberoam allows all communication from the LAN to the Internet, and blocks all traffic from the Internet to the LAN.

To manage firewall rules, go to Firewall > Rule > Rule.

Screen - Firewall Rule

Screen - List of Firewall Rules

Default Firewall Rules

Cyberoam automatically creates two default firewall rules based on the Internet access configured through the Network Configuration Wizard at the time of deployment. Refer to the Cyberoam User Guide for more details.

Firewall Rule processing order

Cyberoam processes firewall rules from top to bottom and the first suitable matching rule found is applied. When a matching rule is found, traffic is immediately dropped or forwarded without being tested by the rest of the rules in the list.

While adding multiple firewall rules, make sure specific rules are placed above the general rules. If a general rule is placed above the specific rule, the general rule will allow the traffic for which you have defined the deny rule later in the list.

NAT (Network Address Translation)

NAT policy changes the source IP Address of the packet i.e. the IP Address of the connection initiator is changed. Apply a NAT rule whenever it is required to send the outgoing traffic with a specific IP Address.

For example, there are two public IP Addresses for the Cyberoam WAN port - 202.134.168.202, 202.134.168.208. To route the traffic from a group of users through 202.134.168.208 only, you need to create a NAT policy for them.

Web Filter

Use Web filtering to limit the access to the contents available to the user based on a combination of categories, keywords, URLs, domain names and file types. Cyberoam filters incoming web traffic based on categories and policies. Fine-tune the default policies for controlling access as per your requirement.

Filter traffic based on Domain Names

If enabled, users will not be able to bypass and access sites using URL translation or HTTP proxy sites. In other words, Cyberoam will block any attempts to bypass the web content filtering and sites hosted on SSLv2, SSLv3 and TLS protocols.
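The rule-ordering pitfall described under "Firewall Rule processing order" can be checked mechanically before a rule list is deployed. The following is an added example, not Cyberoam code: the Rule fields are a simplified, hypothetical model (zone pair, CIDR networks, one service string), and the rule names and addresses are constructed.

```python
"""Model of first-match firewall rule processing with a shadowed-rule check.

Added illustration only: the Rule fields are a simplified, hypothetical model,
not Cyberoam's rule format. Rule names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_HOST = "0.0.0.0/0"   # stands in for "Any Host"
ALL_SERVICES = "any"     # stands in for "All Services"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str   # CIDR block
    dst_net: str   # CIDR block
    service: str   # e.g. "tcp/80", or ALL_SERVICES
    action: str    # "accept" or "drop"

    def matches(self, src_zone: str, dst_zone: str,
                src_ip: str, dst_ip: str, service: str) -> bool:
        """True if this rule applies to the described connection."""
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.service in (ALL_SERVICES, service))

    def covers(self, other: "Rule") -> bool:
        """True if every connection matched by `other` is also matched by self."""
        return (self.src_zone == other.src_zone
                and self.dst_zone == other.dst_zone
                and ip_network(other.src_net).subnet_of(ip_network(self.src_net))
                and ip_network(other.dst_net).subnet_of(ip_network(self.dst_net))
                and self.service in (ALL_SERVICES, other.service))


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str, service: str) -> Optional[Rule]:
    """Top-to-bottom, first match wins; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip, service):
            return rule
    return None


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed rule, covering rule, actions_conflict) for every rule
    that can never fire because an earlier rule matches all of its traffic."""
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


# Constructed sample rules: a general allow and a specific deny.
ALLOW_LAN = Rule("allow-lan-any", "LAN", "WAN", ANY_HOST, ANY_HOST,
                 ALL_SERVICES, "accept")
DENY_HTTP = Rule("deny-subnet-http", "LAN", "WAN", "172.16.16.64/26",
                 ANY_HOST, "tcp/80", "drop")

BAD_ORDER = [ALLOW_LAN, DENY_HTTP]    # general rule above the specific one
GOOD_ORDER = [DENY_HTTP, ALLOW_LAN]   # specific rule above the general one

if __name__ == "__main__":
    packet = ("LAN", "WAN", "172.16.16.70", "203.0.113.10", "tcp/80")
    for label, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        hit = evaluate(rules, *packet)
        print(label, "->", hit.name, hit.action, "| shadowed:", find_shadowed(rules))
```

A finding whose third element is True is the case the guide warns about: a deny rule that is silently overridden by a broader allow rule above it.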

Block Facebook - a social networking service

Facebook (www.facebook.com) is a social networking website categorized in the SocialNetworking category. Therefore, to block the site you need to deny access to the category.

Go to Web Filter > Policy > Policy > Add and create a new custom web filter policy based on the template Allow All. Update the policy, select SocialNetworking Web Category and Deny in the Action field. Now apply this policy to the firewall rule.

With the above configuration, no user will be able to access Facebook.

Block Category NewsAndMedia for group of users Trainees

Step 1: Create a custom policy named DenyNews from Web Filter > Policy > Policy > Add based on the template Allow All. Update DenyNews policy to add a rule for:
- Category to be blocked - NewsAndMedia
- Action - Deny
- Schedule - Work hours (5 Day week)

Step 2: Go to Identity > Groups > Group > Add, add a group Trainees and apply the web filter policy created in step 1.

Step 3: Create Identity-based Firewall rule from Firewall > Rule > Rule > Add
- Source: LAN, Any Host
- Click Check Identity to enable Identity-based Firewall rule and select the user group Trainees
- Destination: WAN, Any Host
- Service: All Services

With the above configuration, all the users who are members of the group Trainees will not be able to access any of the sites categorized under NewsAndMedia during the time specified in the schedule.

Similarly, you can also deny or allow access to an individual user.

Application Filter

Application Filter Policy controls access to applications and specifies which user can access which applications. Fine-tune the default policy for controlling access as per your requirement.

Update Application Filter Policy DenyProxy to Block Proxies

Create a custom policy named DenyProxy from Application Filter > Policy > Policy > Add based on the template Allow All. Update DenyProxy policy to add a rule:
- Category - specify category to be blocked e.g. Proxy
- Application - Freegate, Ultrasurf
- Action - Deny
- Schedule - Work hours (5 Day week)

When the above policy is applied to a firewall rule, all the users will be denied access to Freegate and Ultrasurf during the working hours.

Allow Yahoo Instant Messenger (IM) only and block all other IMs

Step 1: Create a custom policy AllowYahoo from Application Filter > Policy > Policy > Add based on the template Allow All. Update policy to add a rule:
- Category - IM
- Application - Select all the Applications except Yahoo Messenger
- Action - Deny
- Schedule - All the Time

Step 2: Create LAN to WAN firewall rule and apply AllowYahoo policy (updated in step 1).

With the above policy applied through firewall rule, all the users will be able to access Yahoo Messenger while all other IMs in the category will be denied.

Block P2P applications for a user John Pitt

Step 1: Create a custom policy BlockP2P from Application Filter > Policy > Policy > Add based on the template Allow All. Update policy to add a rule with the following parameters:
- Category - P2P
- Applications - Select All
- Action - Deny
- Schedule - All the Time

Step 2: Go to Identity > Users > User, edit the details of user John Pitt and attach the Application Filter Policy created in step 1.

Step 3: Create Identity-based Firewall Rule from Firewall > Rule > Add
- Source: LAN, Any Host
- Click Check Identity to enable Identity-based Firewall rule and select the user John Pitt
- Destination: WAN, Any Host
- Service: All Services

With the above configuration, User John Pitt will not be able to access any of the P2P Applications included in the category during the time specified in the schedule.

Web Application Firewall (WAF)

WAF Module is available as a subscription on Cyberoam UTM appliances. Use WAF to protect your Web Servers from Application Layer (Layer 7) attacks such as SQL injection, cross-site scripting (XSS), URL parameter tampering.
Protect Domain www.test.com publicly hosted on Web Server 202.134.168.208

Configure Web Server in Cyberoam from WAF > Web Servers > Web Server > Add according to the following parameters:
- Zone: DMZ
- Web Server Hosted On: Public IP/FQDN
- Public IP/FQDN: 202.134.168.208
- Domains To Protect: Specific Domains Hosted On 202.134.168.208
- Domain: www.test.com

Manage Bandwidth

Prioritize Application bandwidth usage

A Company dealing in stocks and shares can give highest priority to the trading application as follows:
- Create Firewall rule based QoS policy from QoS > Policy > Policy > Add. Set the priority as required. Priority can be set from 0 (highest) to 7 (lowest). For example, set priority of SSH traffic to zero.
- Add a firewall rule from Firewall > Rule > Add and select the service and the QoS policy created in the above step.

Control bandwidth (single user/group)

A group of employees monitoring sites related to stocks and shares in a company dealing in stocks and shares needs higher bandwidth than the rest of the employees in the company.
- Create User based QoS policy from QoS > Policy > Policy > Add
- Create a user group from Identity > Groups > Group > Add and attach the QoS policy to the group
- Create Identity-based firewall rule from Firewall > Rule > Add and select the user group created in the above step

Virtual Private Network

Cyberoam can be used to establish VPN connections and supports the following protocols to authenticate and encrypt traffic:
- Internet Protocol Security (IPSec)
- Layer Two Tunneling Protocol (L2TP)
- Point-to-Point Tunneling Protocol (PPTP)
- Secure Socket Layer (SSL)

Configure Site-to-Site IPSec VPN connection

To make the VPN connection configuration task easier, Cyberoam provides six preconfigured VPN policies for the frequently used VPN deployment scenarios:
- DefaultL2TP
- DefaultHeadOffice
- DefaultBranchOffice
- AES128_MD5
- Default Policy

The administrator can directly use the DefaultHeadOffice or DefaultBranchOffice default policies for the most common scenario to establish a site-to-site connection using a preshared key to authenticate peers. For step-by-step configuration, refer to Establish Site-to-Site IPSec Connection using Preshared key.
Configure remote access VPN on Cyberoam

This is commonly called a "road warrior" configuration, because the client is typically a laptop, PDA, Mobile Phone or Tablet being used from remote locations, and connected over the Internet using service providers and dialup connections. Cyberoam provides clients for Windows, Linux, Macintosh platforms as well as inbuilt clients.

The most common use of this scenario is when you are at home or on the road and want access to the corporate network. For step-by-step configuration, refer to Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key.

If you are using Cyberoam IPSec VPN Client for the first time, download the Client from http://www.cyberoam.com/vpnhelp.html.

Configure VPN failover

You will need to configure a VPN failover condition to keep your VPN connection always ON. Cyberoam allows you to configure failover conditions at the time of creating the IPSec connection. Alternately, configure connection failover as follows:
- Create Connection Group from VPN > IPSec > Failover Group > Add. Failover Group is the grouping of all the connections that are to be used for failover. The order of connections in the Group defines the failover priority of the connection.
- Define Failover condition in the Group

Your primary VPN connection will fail over to the next active Connection in the Group if the Connection Group is created including the primary connection. For example, if the connection established using the 4th Connection in the Group is lost, then the 5th Connection will take over, provided the 5th Connection is active.

Configure SSL VPN

SSL (Secure Socket Layer) VPN allows access to the organization network from anywhere, anytime and provides the ability to create point-to-point encrypted tunnels between remote employees and the company's internal network, requiring a combination of SSL certificates and a username/password for authentication to enable access to the internal resources.

For details on how to configure SSL VPN, refer to SSL VPN User Guide.

Data Leakage Prevention

Cyberoam data leakage prevention solution provides features like granular policy enforcement, real-time user identification and visibility, and destination control to give visibility and control over where the data is sent. It stops the leakage of critical corporate data, intellectual property and private information of employees from a corporate network by sitting at the edge of the network and monitoring all the outgoing traffic.

There are many ways in which confidential data can leave an organization. The most common communication channels are Email, Web, IM.
This data-in-motion can be controlled by blocking file transfer through mail attachments, IM and files uploaded through HTTP. Cyberoam also archives the entire Email communication, which is needed for compliance purposes.

A large number of small offices handle sensitive data which, when leaked by insiders, can have severe financial implications. This could be related to stock information in stock trading companies, tender specifications, manufacturing or product design specifications and more. Hence data leakage must be given as much importance as virus infections and dealt with proactively.

Prevent data loss over Web and Internet mail (Single/Group of users)

HTTP upload protection

It blocks any uploading of files to the web. For example, it does not allow uploading of attachments in web-based Emails, or uploading of images or video on social networking sites like Facebook.

Step 1: Create a custom policy DenyUpload from Web Filter > Policy > Policy > Add based on the template Allow All. Update policy to add a rule with the following parameters:
- Category - HTTPUpload
- Action - Deny
- Schedule - All the Time

Step 2: Go to Identity > Users > User, edit user details and attach the policy created in step 1.

Step 3: Define Identity-based Firewall Rule from Firewall > Rule > Rule > Add
- Zone/Network: Source: LAN, Any Host; Destination: WAN, Any Host
- Attach Identity - Click Select to enable Identity-based Firewall rule
- Identity: Select the user whose access is to be denied
- Service: All Services

With the above configuration, the User selected in step 3 will not be allowed to upload any files to the web via HTTP.

Email data leakage prevention

Block Mail Attachments (Individual/Group Email Addresses)

Create an SMTP scanning rule for an individual or a group of Email Addresses from Anti Virus > Mail > SMTP Scanning Rules > Add and select the attachments to be blocked.

IM Controls

Instant Messaging (IM) allows configuring and managing of restrictions on instant messaging services provided by the Yahoo and MSN messengers. IM rules provide:
- Identity-based controls for Yahoo messenger and Windows Live Messenger
- Malware scanning
- Logs and controls over:
  - Access
  - Conversation
  - File transfer
  - Voice/Webcam

For example, to block the file transfer between users Jessica and Andrew:

Step 1: Add IM contacts from IM > IM Contact > Add, add Email Addresses Jessica@yahoo.com and Andrew.smith@msn.com

Step 2: Go to IM > IM Rules > File Transfer > Add and add a rule with the following parameters:
- Between User/IM Contacts - Jessica@yahoo.com and Andrew.smith@msn.com
- Action - Deny
- Logging - Enable

With the above configuration, when Jessica and Andrew try to exchange a file, the file is blocked and a message similar to the following deny message is displayed.

Screen - File Transfer Declined

To view the IM logs, go to Logs & Reports > Log Viewer and select module IM.

Data Loss Prevention through Regular Expression (RegEx)

Using Regular Expressions, detect and prevent specific data leakage including:
- Social Security Numbers (SSN)
- Credit Card Numbers (CCN)
- ABN Routing Numbers

To block chat content with a credit card number between Jessica and Andrew:

Step 1: Go to IM > Content Filter and add the RegEx for a credit card number

Step 2: Go to IM > IM Rules > Conversation > Add and add a rule with the following parameters:
- Between User/IM Contacts - Jessica@yahoo.com and Andrew.smith@msn.com
- One-to-One Conversation - Allow
- Group Conversation - Allow
- Content Filter - Enable
- Logging - Enable

Screen - RegEx Settings
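A pattern of the kind Step 1 above asks for, as an added example that is not taken from the Cyberoam guide or its RegEx Settings screen: a candidate regular expression for card numbers, followed by a Luhn checksum pass that separates real card numbers from other long digit strings, and masking so that the log does not itself store the number. The pattern, function names and chat lines are constructed for illustration; the regular-expression dialect the appliance accepts is not stated on this page.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(text):
    """Strip the separators the candidate pattern tolerates."""
    return re.sub(r"[ -]", "", text)


def find_card_numbers(text):
    """Return the normalized digit strings that match the pattern AND pass Luhn."""
    candidates = (_digits(m.group()) for m in CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]


def mask_cards(text):
    """Replace each Luhn-valid match with a marker that keeps only the last 4 digits."""
    def repl(match):
        d = _digits(match.group())
        return f"[CARD ****{d[-4:]}]" if luhn_ok(d) else match.group()
    return CANDIDATE.sub(repl, text)


def scan(messages):
    """Return (action, text_safe_to_log) per message: deny if a card number is present."""
    results = []
    for msg in messages:
        action = "deny" if find_card_numbers(msg) else "allow"
        results.append((action, mask_cards(msg)))
    return results


# Constructed chat lines. The two card numbers are widely published test
# numbers that pass the Luhn check; the ticket number does not.
SAMPLE_CHAT = [
    "my card is 4111 1111 1111 1111, exp next year",
    "ticket 1234567890123456 is closed",
    "use 5500-0000-0000-0004 for the deposit",
    "call me on 555 0100 after 6",
]

if __name__ == "__main__":
    for action, safe_text in scan(SAMPLE_CHAT):
        print(f"{action:5}  {safe_text}")
```

The second sample line matches the bare pattern but fails the checksum, which is the false positive a regex-only content filter would block.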

Virus and Spam scanning

Cyberoam scans incoming and outgoing HTTP, HTTPS, FTP, IMAP, POP3, and SMTP traffic, and blocks malicious programs at the gateway itself.

Action: Enable HTTP virus scanning
Configuration: Firewall > Rule > Rule. Enable scanning from LAN to WAN firewall rule.

Action: Enable SMTP/FTP virus scanning when Mail server/FTP server deployed in LAN
Configuration: Firewall > Rule > Rule. Enable SMTP/FTP scanning from WAN to LOCAL firewall rule.

Action: Enable SMTP/FTP virus scanning when Mail server/FTP server deployed in DMZ
Configuration: Firewall > Rule > Rule. Enable SMTP/FTP scanning from WAN to LOCAL firewall rule and LAN to DMZ firewall rule.

Action: Fine tune virus scanning parameters
Configuration: Anti Virus > Mail > Configuration

Action: Fine tune spam scanning parameters
Configuration: Anti Spam > Mail > Configuration

Action: Block password protected attachments (for all the recipients)
Configuration: Add new rule from Anti Virus > Mail > SMTP Scanning Rules > Add. Specify sender and recipient for which the rule is created. Specify All for Block File Types. For Protected Attachment, select Don't Deliver as Receiver Action and Notify Administrator.

Managing Spam

Actions for Spam mails

Cyberoam tags suspected incoming and outgoing spam mails as Probable Spam and actual Spam mails as Spam. Spam policy defines different actions for:
- Spam and Probable spam mails
- SMTP and POP3/IMAP spam mails

You can reject, drop, or accept mail, change the mail recipient or add a prefix to the mail subject and forward the spam mails. Spam actions can be specified from Spam policy.

Screen - Spam Policy

Block/Allow mails using White lists and Black lists

You can customize how the Anti-Spam engine treats Emails from selected IP Addresses. You can White List certain IP addresses such that all Emails from those addresses reach users' inboxes without interference. On the other hand, you can Black List IPs such that any mail received from those IPs is directly rejected. Refer to the article Allow and Block Spam mails using White or Black list for details.

Quarantine management

Cyberoam quarantines virus infected and SMTP Spam mails. If you are the Network Administrator, you can view quarantined mails from:
- Anti Virus > Quarantine
- Anti Spam > Quarantine

As a Network Administrator, you can also educate your network users to view and manage their own quarantine space. An individual network user can log on to User My Account and go to the Quarantine Mails option to view the list of their quarantined mails.

Quarantine Digest

Quarantine digest is an Email containing a list of quarantined spam messages filtered by Cyberoam and stored in the user quarantine area. If configured, Cyberoam mails the Quarantine Digest every day to the user. The Digest provides a link to User My Account from where the user can access his quarantined messages and take the required action.

Digest service can be configured globally for all the users or for individual users from Anti Spam > Quarantine > Quarantine Digest Settings.

Release Quarantined Spam Mails

Either the Administrator or the user himself can release the quarantined spam mails. The Administrator can release the quarantined spam mails from the Quarantine Area while the user can release them from his My Account. Released quarantined spam mails are delivered to the intended recipient's inbox.

The Administrator can access the Spam Quarantine Area from Anti Spam > Quarantine > Quarantine Area while the user can log on to My Account and access the Spam Quarantine Area from Quarantine Mails > Spam Quarantine Emails.

Intrusion Prevention System (IPS)

To reduce the chances of excessive false positives and the number of alerts, Cyberoam's IPS Policy Tuner allows creation of a perfect-fit IPS scanning policy. The administrator can fine-tune the default policies or create custom policies to reduce the false positives. Disabling IPS scanning for the traffic of applications not in use reduces network load.

Create Identity-based IPS Policy

In order to provide a high level of granularity, Cyberoam allows implementing IPS scanning for an individual user also. This additionally reduces the network load as the traffic for the rest of the users will not be scanned.

To configure Identity-based IPS Policy:

Step 1: Define IPS policy from IPS > Policy > Add

Step 2: Configure Firewall Rule for the user and attach the IPS Policy created in step 1

Signature-based Protocol Anomaly Detection

Step 1: Go to IPS > Policy > Policy and update the default generalpolicy policy.

Step 2: Click the network attacks and anomaly category to view the signatures included in this category.

Step 3: Select Allow Packet, Drop Packet, Drop Session, Reset, Bypass Session as required for the appropriate signatures.

Configure Multiple Gateways

Multiple gateways can be configured in Cyberoam only if Cyberoam is deployed in Gateway mode.

Add Gateway

Add a physical Interface in the WAN zone to add a gateway.

Define gateway weight for load balancing

Assign a weight to the Gateway if load balancing is required. Cyberoam distributes traffic across the links in proportion to the ratio of weights assigned to the individual links. This weight determines how much traffic will pass through a particular link relative to the other link.
- Set weight as 0 (zero) to disable load balancing and pass the traffic through the default gateway
- Set the same weight to all the gateways to distribute traffic equally among all the links
- Set different weights to various gateways to distribute traffic in the ratio of the proportions of the weights set

Configure Source based routing

Configure source based routing to route traffic of a particular network/subnet from the specific gateway. Go to Network > Static Route > Source Route > Add and select the gateway and specify the Network IP Address and netmask for which the source based routing is to be defined.

Configure Outbound Load balancing

Load balancing is a mechanism that enables balancing traffic between various links. It distributes traffic among various links, optimizing utilization of all the links to accelerate performance and cut operating costs.
- Configure links in active-active setup by defining a gateway as Active
- Assign appropriate weight to each gateway. Cyberoam distributes traffic across the links in proportion to the ratio of the weights assigned to the individual links.

Configure Gateway Failover

Gateway failover provides link failure protection. When the active link goes down, the traffic is switched over to the backup link. This safeguard helps provide uninterrupted Internet connectivity to users. The transition is seamless and transparent to the user with no disruption in service and no downtime.

To achieve WAN failover between multiple links:
- Configure links in Active-Backup
- Define Active gateway
- Define Backup gateway - traffic through this link is routed only when the active interface is down
- Define failover rule

In the event of link failure, traffic will automatically be routed through the Backup gateway without administrator intervention. If more than one backup gateway is configured, traffic is distributed among the gateways in the ratio of the weights assigned to them. On failover, the Backup gateway will either inherit the parent gateway's (Active gateway) weight or the configured weight.

Gateway Failback

During a link failure, Cyberoam regularly checks the health of a given connection, assuring fast reconnection when Internet service is restored. When the connection is restored and the gateway is up again, traffic is again routed through the Active gateway without the administrator's intervention. In other words, the backup gateway fails back on the Active gateway.

Configure Wireless WAN (3G/4G/LTE USB modem)

Wireless WAN (WWAN) can be configured in Cyberoam only if it is deployed as a Gateway.

To configure WWAN:
1. Enable WWAN from CLI with the command: cyberoam wwan enable
2. Re-login to the Web Admin Console
3. Configure WWAN Initialization string and gateway from Network > Wireless WAN > Settings

Once WWAN is enabled from CLI, a default interface named WWAN1 is created with the default IP address 0.0.0.0 and is a member of the WAN zone.
As the WWAN interface is a member of the WAN zone:
- all the services enabled for the WAN zone from the Appliance Access page are automatically applicable on the WWAN1 connection too, and
- all the firewall rules applied on the WAN zone will be applied on the WWAN interface.

The WWAN1 gateway is added as a backup gateway and can participate in load balancing and failover.

For more details on WWAN configuration, refer to the article How To Configure Wireless WAN.

Virtual LAN (VLAN)

Virtual LANs are useful in different network scenarios where an administrator needs to increase the number of interfaces or when traffic filtering is required between different VLANs in an organization. Cyberoam follows the IEEE 802.1Q specification for VLAN and allows the definition of one or more VLAN subinterfaces to be associated with a particular physical interface. These are then considered to be logical interfaces and are treated like physical interfaces in firewall rule sets.

For step-by-step creation and implementation of VLAN, refer to How To Configure VLAN.

Dynamic Routing

Cyberoam supports the following dynamic routing protocols:
- Routing Information Protocol (RIP)
- Open Shortest Path First (OSPF)
- Border Gateway Protocol (BGP)

Additionally, a LAN to LOCAL or WAN to LOCAL firewall rule is to be configured for the zone for which the BGP and OSPF traffic is to be allowed.

On-Appliance Reports

Dashboard

Dashboard serves the purpose of a ready-reference providing instant visibility into network resource usability as well as alerts providing attack vs. user information without in-depth search.

Screen - Dashboard

Drag-and-Drop Dashboard doclets can be minimized or repositioned to appropriately place doclets that require special attention for managing Cyberoam. Press the F10 key to view the Dashboard from any of the pages.

User-wise - Threats detected

Dashboard - Recent IPS Alerts doclet

User-based IPS Alerts

The administrator can get the information of the threat origin even in a DHCP environment as the username is included in the IPS alerts. In a DHCP environment, where the IP Address is assigned dynamically, without the username it is practically impossible to track the threat origin.

Screen - Recent IPS Alerts Doclet

Dashboard - Recent Web Viruses detected doclet

User-wise Web Virus detection Alert

Screen - Recent Web Viruses Detected Doclet

Dashboard - Recent Mail Viruses detected doclet

User-wise Mail Virus detection Alert

Screen - Recent Mail Viruses Detected Doclet

Access On-Appliance Reports

You can access On-Appliance reports in 3 ways:
- Go to Logs and Reports > View Reports from the Web Admin Console.
- Click the Report icon on the upper right hand corner of the screen.
- Directly log in to Cyberoam iView On-Appliance Reports from the Cyberoam Login Screen. On the Login Screen, provide Administrator credentials and select Reports under Log on to.

Screen - Login to On-Appliance Reports

Analytical Reports

Analytical reports provide details on each and every activity of your network including senders and recipients of virus and spam mails, and attackers and victims of IPS attacks. Additionally, extensive reports are provided that help to analyze all the User activities, like sites surfed, amount of data transferred and surfing time, by user, group and so on, so that corrective actions can be taken by tuning the policies based on the user behavior.

Want to know: Does Joe receive SMTP Spam mails?
Where to find: Reports > Spam > Top Spam Recipients

Want to know: Total number of Web viruses received by the user Abraham
Where to find: Dashboard > Custom Dashboard, Username Criteria Abraham > Top Web Viruses widget

Want to know: IPS attack victims
Where to find: Reports > Attacks > Top Victims

Want to know: Is Margaret Chatting?
Where to find: Dashboard > Custom Dashboard, Username Criteria Margaret > Top Web Categories widget. Search web categories column by keyword Chat.

Want to know: Users are attempting to access blocked sites
Where to find: Reports > Blocked Web Attempts > Top Denied Web Users. Drill down from username to view the list of blocked categories, sites, hosts and the URL wise attempt details that a user has tried to access.

Want to know: Top 10 Categories accessed across enterprise
Where to find: Reports > Web Usage > Top Categories. Drill down from Category name to view the list of domains, contents and users.

Want to know: Applications are accessed through host 172.168.2.59
Where to find: Dashboard > Custom Dashboard, Source Host Criteria 172.168.2.59, Top Application Groups widget. Drill down from the application group to view the list of applications accessed through 172.168.2.59.

Want to know: Commonly used applications
Where to find: Reports > Application > Top Applications

Want to know: Mail applications generating most of the Email traffic
Where to find: Reports > Mail Usage > Top Mail Applications

Want to know: Frequently used applications for launching attacks
Where to find: Reports > Attacks > Top Applications used by Attacks

Want to know: Top Email users
Where to find: Reports > Mail Usage > Top Mail Users

Want to know: List of top Email viruses
Where to find: Reports > Virus > Mail Viruses

Sample Blocked Categories report

View the report from Reports > Blocked Web Attempts > Top Denied Categories and drill down by denied categories to view user based reports.

Screen - Blocked Categories Reports

Search Engine Report

Google and Yahoo Search Engine Report displays the keywords searched by using Google and Yahoo search engines respectively. It displays username, date, time and search keyword.

View search engine reports from Reports > Search Engine.

Screen - Search Engine Report

Compliance reports

Many businesses and organizations require protection of their critical applications as well as customer data. For this, they need to meet regulatory requirements such as HIPAA, GLBA, SOX, FISMA and PCI. Cyberoam provides 45+ compliance reports, which can be accessed from Compliance Reports.

- HIPAA - Health Insurance Portability & Accountability Act for Health care Industry regulations i.e. healthcare providers and insurance companies.
- GLBA - The Gramm-Leach-Bliley Act regulations for financial institutions including banks, mortgage brokers, lenders, credit unions, insurance and real-estate companies.
- SOX - Sarbanes-Oxley for publicly held companies.
- PCI - Payment Card Industry regulations for organizations that process credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.
- FISMA - The Federal Information Security Management Act regulations for all information systems used or operated by a US Government federal agency or by a contractor or other organization on behalf of a US Government agency.

Sample Admin Events Reports for Compliance Purpose

Screen - Admin Events Report

Data Leakage reports

Data leakage reports reveal the data loss resulting from employee behavior like lack of awareness, lack of diligence or deliberate action from disgruntled employees, which poses a much more extensive threat than an Enterprise can realize. The report lists the files uploaded by the employees.

User-wise HTTP Upload

View the report from Reports > Web Usage > Top File Upload

Screen - User-wise HTTP Upload Report

User-wise FTP Upload

View from FTP Usage > Top FTP Users (Upload)

Screen - User-wise FTP Upload Report

Troubleshooting

Cyberoam provides Diagnostic Tools, System Graphs, Connection List, and Packet Capture logs to check the health of the System. They are used for troubleshooting and diagnosing problems found in the system. Cyberoam also provides the facility to generate a Consolidated Troubleshooting Report which consists of the system's current status file and log files.

System Graphs

System Graphs provide a periodic health check-up that helps to identify impending System related problems. After identifying the problem, appropriate actions can be taken to solve it and keep the System running smoothly and efficiently.

Go to System > Diagnostics > System Graphs to view graphs for different system resources including CPU utilization, interface and memory info. You can also gauge the load average on the system with the Load Average graphs. These graphs help you to understand the overall health of the system and thereby help you make changes to the system.

Packet Capture

System > Diagnostics > Packet Capture provides a Dropped Packet log, which can be used to monitor the dropped packets. Refer to Monitor dropped packets on how to view and interpret the dropped packet log.

Diagnostic Tools

Diagnostic Tools such as Ping, Trace Route, Name Lookup and Route Lookup can be used to diagnose connectivity problems, network problems and to test network communications. These assist in troubleshooting issues such as packet loss, connectivity and discrepancies in the network.

Connection List

Connection list provides a current or live connection snapshot of your appliance in list form. Apart from the connection details, it also provides information like Firewall Rule id, userid and connection id per connection. It is also possible to filter the connection list as per the requirement and delete a connection.

Points to remember

- If you are integrating Cyberoam with Active Directory for authentication, use Active Directory as your DNS. You are required to define Active Directory as DNS both in Cyberoam as well as on all the desktops.
- If you have configured Cyberoam as DHCP server for leasing IP Addresses, make sure the DHCP server is enabled for autostart. If not, then IP Addresses will be leased only after rebooting Cyberoam.