Innominate mguard Version 7.0 Configuration Examples




mguard smart, mguard centerport, mguard blade, mguard industrial RS, mguard PCI, mguard delta

Innominate Security Technologies AG
Rudower Chaussee 13
12489 Berlin, Germany
Phone: +49 (0)30-921028 0
Fax: +49 (0)30-921028 020
contact@innominate.com
http://www.innominate.com

Table of Contents

1 Disclaimer 5
2 Introduction 6
3 Factory Default Settings and Access to the Web Interface 6
3.1 Windows Vista/Windows 7 and the command arp -s 7
4 Purpose of the different Network Modes (Stealth, Router, PPPoE/PPTP, Modem) 8
4.1 Stealth Modes (autodetect, static, multiple clients) 8
4.2 Router Mode 9
4.3 PPPoE/PPTP Mode 9
4.4 Modem Mode 9
5 mguard operating in Stealth Mode 10
5.1 Management IP 11
5.2 Static Routes 11
5.3 DNS Server 12
6 mguard operating in PPPoE Mode 13
6.1 Configuring the Interfaces 13
6.2 Network Address Translation (NAT) / IP Masquerading 14
6.3 DNS Server 15
6.4 DynDNS Registration 15
6.5 Required IP Settings on the Clients 15
7 mguard operating in Router Mode 16
7.1 Configuration of the Clients in the Internal Network 16
7.2 Configuration of the mguard 17
7.2.1 Configuring the Interfaces 17
7.2.1.1 Additional internal/external Routes 18
7.2.2 Network Address Translation (NAT) / IP Masquerading 18
7.2.3 DHCP Configuration 19
7.2.4 DNS Server 20
7.3 Configuration to access the Clients in the internal Network from the external Network 21
7.3.1 Configuring the incoming Firewall 21
7.3.2 Possibility 1: Additional internal Routes on the Gateway 22
7.3.3 Possibility 2: Port Forwarding 23
7.3.4 Possibility 3: 1:1 NAT 24
7.4 Configuration to access the Clients in the external Network from the internal Network 26
7.4.1 Possibility 1: Additional internal Routes on the Gateway 26
7.4.2 Possibility 2: Network Address Translation (NAT) / IP Masquerading 26
7.4.3 Possibility 3: 1:1 NAT 27

Document ID: UG207002110-024 Page 2 of 106

8 Firewall 28
8.1 Incoming/Outgoing Firewall 28
8.1.1 Example of a wrongly configured Firewall 29
8.2 Sets of Rules 30
8.3 MAC Filtering 32
8.3.1 Basic Rules to set up MAC filtering 32
8.3.2 Examples MAC Filter Configuration 33
8.3.2.1 Restricted IPv4 Access 33
8.3.2.2 Allowing access for other Protocols than IPv4 (e.g. Novell IPX) 33
8.4 1:1 NAT 34
8.4.1 1:1 Mapping of IP addresses 35
8.4.2 1:1 Mapping of Networks 36
8.5 User Firewall 37
8.5.1 Configuring Remote Users 37
8.5.2 RADIUS Servers 38
8.5.3 Access 38
8.5.4 Configuring the User Firewall 39
8.5.4.1 General Settings 39
8.5.4.2 Template Users 39
8.5.4.3 Firewall Rules 40
8.5.5 Activating the User Firewall 40
9 Firewall Redundancy 41
9.1 Router Mode 41
9.2 Multi-Stealth Mode 43
9.3 ICMP Checks 45
10 Quality of Service (Egress QoS) 46
11 CIFS Integrity Monitoring 48
11.1 Importable Shares 49
11.2 CIFS Integrity Checking 50
11.2.1 Integrity Database Certificate 50
11.2.2 Filename Patterns 50
11.2.3 Integrity Check Settings 52
11.2.4 Initialize the Integrity Database 53
11.3 CIFS Antivirus (AV) Scan Connector 54
12 Modem Support 56
12.1 Connecting an external Modem to the mguard 56
12.2 Dial-in Configuration 56
12.2.1 General Modem Settings 57
12.2.2 Configuring the Dial-in Connection on the mguard 58
12.2.3 Enabling HTTPS Remote Access 58
12.2.4 Required changes on the remote entity 59
12.3 Dial-out Configuration 60
12.3.1 General Modem Settings 60
12.3.2 Configuring the Dial-out Connection on the mguard 61

13 IPsec VPN 62
13.1 Introduction 62
13.1.1 mguard behind NAT Router 63
13.1.1.1 VPN initiating mguard behind NAT Router 63
13.1.1.2 VPN responding mguard behind NAT Router 63
13.1.1.3 Both mguards behind NAT Router 64
13.1.2 Authentication (PSK or Certificates) 65
13.1.3 Limitations 67
13.2 Import of the Machine Certificate 68
13.3 VPN Configuration 69
13.3.1 General Settings 69
13.3.1.1 VPN Transport Connection between two mguards in Stealth Mode 70
13.3.1.2 VPN Tunnel between two mguards in Router/PPPoE Mode 71
13.3.1.3 VPN Tunnel between two mguards, Single Stealth and Router/PPPoE Mode 73
13.3.1.4 VPN Tunnel between two mguards, Multi Stealth and Router/PPPoE Mode 76
13.3.1.5 VPN 1:1 NAT for the local Network 78
13.3.1.5.1 VPN Tunnel between two Sites with the same internal Network 78
13.3.1.5.2 VPN Tunnel to different Locations with the same internal Networks 80
13.3.1.6 VPN Masquerading (VPN NAT) 82
13.3.1.7 VPN 1:1 NAT for the remote Network 85
13.3.1.8 Hub & Spoke 88
13.3.1.8.1 Example: Branch Offices 89
13.3.1.8.2 Example: Remote Maintenance 90
13.3.2 Authentication 92
13.3.2.1 Pre-Shared Secret Key (PSK) 92
13.3.2.2 X.509 Certificates 93
13.3.3 VPN Firewall 94
13.3.4 IKE Options 95
13.3.4.1 ISAKMP SA/IPsec SA Lifetime 96
13.3.4.2 Dead Peer Detection (DPD) 96
13.4 TCP Encapsulation 97
13.5 VPN Tunnel Groups 99
13.5.1 Import of the CA Certificate 100
13.5.2 Tunnel Settings 100
13.5.3 Authentication 101
13.6 URL to start, stop and retrieve the Status of a VPN Connection 102
13.7 mguard industrial RS: Activating a VPN Tunnel through an external push Button or on/off Switch 103
13.8 Windows L2TP/IPSec Connection to the mguard 104
14 Secondary External Interface 105
14.1 VPN Fallback through a Phone Line 105

1 Disclaimer

Innominate Security Technologies AG, March 2010

Innominate and mguard are registered trademarks of the Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks, or registered trade marks of their respective owners.

mguard technology is protected by the German patents #10138865 and #10305413. Further national and international patent applications are pending.

No part of this documentation may be reproduced or transmitted in any form, by any means without prior written permission of the publisher. All information contained in this documentation is subject to change without previous notice.

Innominate offers no warranty for these documents. This also applies without limitation for the implicit assurance of scalability and suitability for specific purposes. In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents.

This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG.

2 Introduction

This guide should help getting familiar with the configuration of the mguard. It explains, on the basis of several examples, how to configure the mguard for different scenarios.

3 Factory Default Settings and Access to the Web Interface

The following table lists the factory default settings of the different products:

Product                     Network mode          Internal IP address   Access from the internal network through
mguard smart                Stealth (autodetect)  -                     https://1.1.1.1
mguard PCI                  Stealth (autodetect)  -                     https://1.1.1.1
mguard industrial RS        Stealth (autodetect)  -                     https://1.1.1.1
mguard blade                Stealth (autodetect)  -                     https://1.1.1.1
mguard blade control unit   Router                192.168.1.1           https://192.168.1.1
mguard delta                Router                192.168.1.1           https://192.168.1.1
mguard centerport           Router                192.168.1.1           https://192.168.1.1

By default the firewall drops all incoming connections (except VPN) and allows all outgoing connections. SSH/HTTPS access from the internal network is allowed, but not from the external network.

The default passwords are:
User = root, Password = root
User = admin, Password = mguard

Note: Before trying to access the device from the web browser, ensure that the web browser does not use a proxy and that a default gateway is defined on the client.

Stealth mode (autodetect):
The web interface of the mguard can be accessed through https://1.1.1.1 under the condition that a network is connected to the external interface of the mguard and that the default gateway defined on the client is reachable. The easiest way to obtain this is to interconnect the mguard in between a client and the network.
If the default gateway is not reachable, because it does not really exist or because the external interface of the mguard is not connected to the network, proceed as follows to obtain access to the web interface (please refer to the next chapter when using Windows Vista or Windows 7):

1. Assign static IP settings to the client if the client is configured to obtain its IP settings from a DHCP server, for example IP = 192.168.1.2, Subnet mask = 255.255.255.0, Default Gateway = 192.168.1.1.
2. Assign a static MAC address to the IP address of the default gateway.

To send packets to the IP address 1.1.1.1, the client will first send an ARP request for the IP address of the default gateway, because 1.1.1.1 does not belong to the network in which the client is located. This ARP request will never be answered if the default gateway is not reachable, and therefore the client will never send packets directed to 1.1.1.1 to the network. If the client already knows the MAC address of the default gateway, even if it is a fictitious one, it will send the packets directly to the network without issuing an ARP request first. The mguard will catch those packets directed to 1.1.1.1 and will send the response back to the client.

Follow these steps to assign a static MAC address to the IP address of the default gateway:

1. Open a command prompt.
2. Type the command ipconfig to obtain the IP address of the default gateway.
3. Execute the command: arp -s <IP of the default gateway> 00-aa-aa-aa-aa-aa
4. A ping to the IP address 1.1.1.1 should now be answered.

Now the web interface of the mguard can be accessed from the client through https://1.1.1.1.

Router mode:
The following static IP settings must be assigned to the client:
- The IP address must belong to the network 192.168.1.0/24, e.g. 192.168.1.100
- Subnet mask = 255.255.255.0
- Default gateway = 192.168.1.1

Now the web interface of the mguard can be accessed through https://192.168.1.1.

3.1 Windows Vista/Windows 7 and the command arp -s

With Windows Vista and Windows 7 it is no longer possible to assign a static MAC address to the IP address of the default gateway using the arp program. Use netsh from a command shell with administrator rights instead.

At first determine the name of the corresponding interface (e.g. Local Area Connection) as it is displayed when executing the command ipconfig /all. Then use the following command to assign a static MAC address to the IP address of the default gateway. Due to the argument store=active the static entry is only valid until the next reboot or until the next restart of the network connection. If this argument is not specified, the default value is store=persistent.

netsh interface ipv4 set neighbors [interface=]string [address=]ipv4address [neighbor=]<string> [store=]active

Example (the interface name contains spaces and must therefore be quoted):
netsh interface ipv4 set neighbors interface="Local Area Connection" address=192.168.1.254 neighbor=00-aa-aa-aa-aa-aa store=active

or in short:
netsh interface ipv4 set neighbors "Local Area Connection" 192.168.1.254 00-aa-aa-aa-aa-aa active

The static assignment can be verified either with the command arp -a or with the command netsh interface ipv4 show neighbors <interface name>.

Use the following command to delete a statically assigned MAC address:

netsh interface ipv4 delete neighbors [name=]string [address=]ipv4address

Example:
netsh interface ipv4 delete neighbors name="Local Area Connection" address=192.168.1.254

or in short:
netsh interface ipv4 delete neighbors "Local Area Connection" 192.168.1.254

4 Purpose of the different Network Modes (Stealth, Router, PPPoE/PPTP, Modem)

4.1 Stealth Modes (autodetect, static, multiple clients)

In Stealth mode, simply interconnect the mguard in between the client(s) to be protected and the network. Reconfiguring the IP settings of the clients or applying other IP changes to the network is not required. All processes which are listening on ports are hidden from the network and will not be detected by a port scanner. The mguard works completely transparently.

Stealth - autodetect and static
The Stealth modes autodetect and static are used if the mguard should protect one single system (e.g. a server) and if the NIC of the system has only one IP address. Otherwise the multiple clients Stealth mode must be used. In autodetect Stealth mode, the mguard detects the client's IP address automatically by analyzing the outgoing traffic and adopts the IP and MAC address of the client. Some entities do not generate traffic by themselves (e.g. server, webcam). In this case the mguard will never get its IP settings and the static Stealth mode must be used. In this mode at least the client's IP address must be specified on the mguard. These modes are also called Single Stealth mode because only one single entity can be protected.

Stealth - multiple clients
Use this mode to protect multiple clients or if the NIC of the system has more than one IP address. This mode is also called Multi Stealth mode.

4.2 Router Mode

In Router mode the mguard acts as router between two different networks. The external network could also be the Internet, if the Internet Service Provider supplies an Ethernet line. The internal and external interfaces must be configured. The external interface may use static IP settings or receive them from a DHCP server. The mguard may act as DHCP server for the internal and/or external network.

4.3 PPPoE/PPTP Mode

In PPPoE mode the mguard works as DSL router between the internal network and the Internet. The external interface of the mguard needs to be connected to a DSL modem. The mguard will receive its external IP settings from the Internet Service Provider (ISP). The internal interface needs to be configured. The mguard may act as DHCP server for the internal network. PPTP is an equivalent to PPPoE, used to get access to the Internet in certain countries, as for example in Austria.

4.4 Modem Mode

The Modem mode can be used to access machines of the internal network or for sending data from the internal network through a phone line. This mode requires either an external modem connected to the serial port of the mguard or an mguard industrial RS with built-in analog modem or ISDN terminal adapter. All traffic directed to the WAN port is redirected to the internal serial port of the mguard and from there either through the external serial port (external modem) or through the built-in analog modem or ISDN terminal adapter (mguard industrial RS, when equipped).

5 mguard operating in Stealth Mode

The major advantage of using the Stealth mode is that it is not required to reconfigure the IP settings of the clients or to apply other IP changes to the network. Using the mguard in Stealth mode is like Plug-and-Play. By default, a brand new mguard is in Stealth autodetect mode (except mguard delta and mguard blade control unit). Simply interconnect the mguard in between the network and the entities which should be protected, but keep the following in mind:

- The network modes Stealth autodetect and Stealth static can only be used to protect one single entity with one (and only one) IP address. In Stealth autodetect mode the mguard analyzes the outgoing traffic and adopts the IP and MAC address of the client. If the client does not generate traffic on its own, the Stealth static mode must be used, specifying at least the client's IP address on the mguard.
- If more than one client should be protected by the mguard, or if one single client has more than one IP address, the Stealth multiple clients mode must be used.

[Figures: Single Stealth Mode / Multi Stealth Mode]

The web interface of the mguard can be accessed from the internal client(s) through https://1.1.1.1. HTTPS remote access must be enabled on the mguard to access it from the external network. In Single Stealth mode the mguard can be accessed through the IP address of the client. In Multi Stealth mode a Management IP must be assigned to the mguard.

5.1 Management IP

Note: Using a Management IP is supported for all Stealth modes (autodetect, static and multiple clients). After assigning a Management IP to the mguard, accessing the mguard is only possible through https://<management IP> and no longer through https://1.1.1.1 (except in Stealth autodetect mode).

A Management IP must be assigned to the device if the mguard is operated in Multi Stealth mode and the device should be accessible from the external network through HTTPS/SSH, or if the mguard should establish a VPN connection to a remote VPN gateway.

Select Network >> Interfaces, tab General. The Management IP must belong to the network in which the mguard is located and must not be used by any other entity. The subnet mask of the network and its default gateway must also be specified.

5.2 Static Routes

Static routes can be used to send data through another gateway than the default gateway of the network. Static routes are only used for actions initiated by the mguard itself, as for example establishing VPN connections or executing an online firmware update.

5.3 DNS Server

By default the mguard uses a predefined list of publicly available DNS servers (Servers to query = DNS Root Servers). If the mguard is located within a private network, accessing those servers may fail if the firewall of the gateway to the Internet does not allow DNS queries or if the Internet is not accessible. This would have an impact on actions initiated by the mguard where a DNS name must be resolved, as for example an online firmware update or establishing a VPN connection to a remote VPN gateway specified by a DynDNS name. These actions may also be delayed if the responses of the publicly available DNS servers take too long. If the mguard is located within a private network it is recommended to set Servers to query = User defined and to enter the IP address of the DNS server.

Select Network >> DNS, tab DNS Server.

Network >> DNS, tab DNS server
  DNS
    Servers to query               Select User defined.
    User defined name servers      Enter the IP address of the DNS server.

6 mguard operating in PPPoE Mode

In this example, the mguard is operated in PPPoE mode and should act as gateway to the Internet. The following diagram illustrates the machines and addresses involved in the connection. The clients in the internal network must use the internal IP address of the mguard (192.168.1.254) as Default Gateway to get access to the Internet. The external interface of the mguard is connected to a DSL modem.

6.1 Configuring the Interfaces

Select Network >> Interfaces, tab General.

Network >> Interfaces, tab General
  Network Mode
    Network Mode                   Select Router.
    Router Mode                    Select PPPoE.
    PPPoE Login                    Enter the user name provided by the Internet Service Provider (ISP).
    PPPoE Password                 Enter the password provided by the Internet Service Provider (ISP).
    Request PPPoE Service Name /   Enable this option if the DSL modem is used to connect to more than one Internet Service Provider. In this case enter the corresponding PPPoE Service Name to connect to the desired Internet Service Provider.
    PPPoE Service Name
    Automatic Re-connect? /        If enabled, the mguard will reconnect to the ISP every day at the specified time. This feature allows moving the 24 hour interruption of the DSL line outside the office hours. Using this feature requires that the system time was either entered manually or synchronized with an NTP server.
    Re-connect daily at
  Internal Networks
    IP                             Enter the internal IP address of the mguard, in this example 192.168.1.254.
    Netmask                        Enter the corresponding subnet mask, in this example 255.255.255.0.
  Secondary External Interface     Not required for this setup.

After applying the changes, the mguard can be accessed through https://<internal IP of the mguard>, in this example through https://192.168.1.254.

6.2 Network Address Translation (NAT) / IP Masquerading

Network Address Translation (NAT) must be activated to gain access to the Internet. Select Network >> NAT, tab Masquerading.

Network >> NAT, tab Masquerading
  Network Address Translation
    Outgoing on Interface          Select External.
    From IP                        Enter the network and the appropriate subnet mask in CIDR notation (e.g. 255.255.0.0 = 16, 255.255.255.0 = 24, 255.255.255.255 = 32). A value of 0.0.0.0/0 means that all internal IP addresses will have access to the Internet (assuming an outgoing firewall rule allows the access). If only a special subnet should have access to the Internet, enter this subnet and the appropriate subnet mask (e.g. 192.168.1.0/24). If only one client should have access to the Internet, enter its IP address and the value 32 as subnet mask (e.g. 192.168.1.100/32).
  1:1 NAT                          Not required for this setup.

6.3 DNS Server

Select Network >> DNS, tab DNS Server.

Network >> DNS, tab DNS server
  DNS
    Local Resolving of Hostnames   Not required for this setup.
    Servers to query               Select Provider defined. In PPPoE mode the mguard receives the IP address of a DNS server from the Internet Service Provider.
    User defined name servers      Not required for this setup.

6.4 DynDNS Registration

If the mguard has a dynamic public IP address, it could be necessary that the mguard registers its current public IP address with a fixed name at a DynDNS service. This could be required:
- To gain remote HTTPS/SSH access to the mguard.
- If a VPN connection should be established to the mguard.
- If a Pre-Shared Key (PSK) should be used for authentication in the VPN configuration.

In the following screenshot, the mguard registers its public IP address under the name mguard at the DynDNS service dyndns.org. Select Network >> DNS, tab DynDNS.

6.5 Required IP Settings on the Clients

If the clients use static IP settings, the internal IP of the mguard must be specified as default gateway, in this example 192.168.1.254. Otherwise the DHCP server must provide this value.

7 mguard operating in Router Mode

The mguard shall be used as router between two different networks. The following diagram illustrates the machines and addresses involved in this configuration. The examples used in this chapter are taken from this setup.

7.1 Configuration of the Clients in the Internal Network

The clients in the internal network may either use static IP settings or receive them from the DHCP server of the mguard. The clients must use the internal IP address of the mguard as default gateway (in this example 192.168.1.254) to gain access to the external network.

7.2 Configuration of the mguard

7.2.1 Configuring the Interfaces

Select Network >> Interfaces, tab General.

Network >> Interfaces, tab General
  Network Mode
    Network Mode                   Select Router.
    Router Mode                    If the mguard receives its external IP settings from a DHCP server, select DHCP. Otherwise select static.
  External Networks                This section is only displayed when using static external IP settings (Router Mode = static).
    External IPs                   Enter the external IP address of the mguard and the Netmask, in this example 10.1.0.64/255.255.0.0.
    Additional External Routes     Will be explained in the next chapter.
    IP of default gateway          Enter the IP address of the default gateway of the external network.
  Internal Networks
    Internal IPs                   Enter the internal IP of the mguard and the Netmask, in this example 192.168.1.254/255.255.255.0. This IP address should be specified as default gateway on every client in the internal network.
    Additional Internal Routes     Will be explained in the next chapter.
  Secondary External Interface     Not required for this setup.

7.2.1.1 Additional internal/external Routes

If another network is reachable through a router in the internal network of the mguard, the mguard must know to which gateway packets directed to this network need to be forwarded. This is achieved with the option Additional Internal Routes. In this example an additional internal route needs to be defined for the network 192.168.2.0/24 with the gateway 192.168.1.1.

Note: Never specify an additional internal route with a gateway located in the external network, or vice versa. This could cause routing problems on the mguard.

7.2.2 Network Address Translation (NAT) / IP Masquerading

Activate NAT if required. NAT needs to be activated, for example, if the route to the internal network of the mguard is unknown to the external network. Select Network >> NAT, tab Masquerading.

Network >> NAT, tab Masquerading
  Network Address Translation
    Outgoing on Interface          Select External.
    From IP                        Enter the network and the appropriate subnet mask in CIDR notation (e.g. 255.255.0.0 = 16, 255.255.255.0 = 24, 255.255.255.255 = 32). A value of 0.0.0.0/0 means that all internal IP addresses will be masqueraded when sending data to the external network. If only a special subnet should be masqueraded, enter this subnet and the appropriate subnet mask (e.g. 192.168.1.0/24). If only the IP address of one client should be masqueraded, enter its IP address and the value 32 as subnet mask (e.g. 192.168.1.100/32).
  1:1 NAT                          Not required for this setup.
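The routing and masquerading decisions described in 7.2.1.1, 7.2.2 and 6.2 can be checked before they are typed into the web interface. The following Python script is an added example; it is not part of this guide and not Innominate code. It models the chapter 7 addresses (external 10.1.0.64/255.255.0.0, internal 192.168.1.254/255.255.255.0, additional internal route 192.168.2.0/24 via 192.168.1.1) with the standard library only; the external default gateway 10.1.0.254 is an assumption made for the example, since the guide gives no value. It goes slightly beyond the text: it converts dotted netmasks to the CIDR prefix the From IP field expects, rejects the gateway-on-the-wrong-side configuration the note warns about, performs a longest-prefix route lookup, and decides whether a given source address would be masqueraded.

```python
import ipaddress

# Interface settings from the chapter 7 example, entered as IP/netmask as in the web UI.
INTERFACES = {
    "external": ipaddress.ip_interface("10.1.0.64/255.255.0.0"),
    "internal": ipaddress.ip_interface("192.168.1.254/255.255.255.0"),
}
# "IP of default gateway" of the external network: the guide gives no value, so
# 10.1.0.254 is an assumption made for this example.
EXTERNAL_DEFAULT_GATEWAY = ipaddress.ip_address("10.1.0.254")


def netmask_to_prefix(netmask: str) -> int:
    """Dotted netmask -> CIDR prefix length as the NAT 'From IP' field expects
    (255.255.0.0 -> 16, 255.255.255.0 -> 24, 255.255.255.255 -> 32).
    A non-contiguous mask such as 255.0.255.0 has no prefix length and is rejected."""
    bits = int(ipaddress.IPv4Address(netmask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {netmask}")
    return prefix


def validate_additional_route(network: str, gateway: str, side: str) -> ipaddress.IPv4Address:
    """Check the guide's note on additional routes: the gateway of an additional
    internal route must lie in the internal network (side="internal"), the gateway
    of an additional external route in the external network (side="external")."""
    gw = ipaddress.ip_address(gateway)
    connected = INTERFACES[side].network
    if gw not in connected:
        raise ValueError(f"gateway {gw} for {network} is not in the {side} network {connected}")
    return gw


# Additional internal route from section 7.2.1.1: 192.168.2.0/24 via 192.168.1.1.
ADDITIONAL_ROUTES = [
    ("internal", ipaddress.ip_network("192.168.2.0/24"),
     validate_additional_route("192.168.2.0/24", "192.168.1.1", "internal")),
]


def route_lookup(destination: str):
    """Longest-prefix match over the directly connected networks, the additional
    routes and the default route. Returns (outgoing interface, next hop); the next
    hop is None when the destination is directly reachable on that interface."""
    dst = ipaddress.ip_address(destination)
    candidates = [(0, "external", EXTERNAL_DEFAULT_GATEWAY)]  # default route, prefix 0
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            candidates.append((iface.network.prefixlen, name, None))
    for side, net, gw in ADDITIONAL_ROUTES:
        if dst in net:
            candidates.append((net.prefixlen, side, gw))
    _, iface, next_hop = max(candidates, key=lambda c: c[0])
    return iface, next_hop


def is_masqueraded(source: str, from_ip_rules, outgoing_iface: str) -> bool:
    """Apply the Masquerading table: a packet leaving on the External interface is
    masqueraded if its source matches one of the 'From IP' entries, given in CIDR
    notation (0.0.0.0/0 = all internal addresses, x.x.x.x/32 = one client)."""
    if outgoing_iface != "external":
        return False
    src = ipaddress.ip_address(source)
    return any(src in ipaddress.ip_network(rule) for rule in from_ip_rules)


def forward(source: str, destination: str, from_ip_rules=("0.0.0.0/0",)):
    """Both decisions for one packet: (interface, next hop, masqueraded?)."""
    iface, next_hop = route_lookup(destination)
    return iface, next_hop, is_masqueraded(source, from_ip_rules, iface)


if __name__ == "__main__":
    print(netmask_to_prefix("255.255.255.0"))
    print(forward("192.168.1.100", "192.168.2.17"))
    print(forward("192.168.1.100", "10.1.3.3", ("192.168.1.100/32",)))
```

Calling validate_additional_route with a gateway from the other side (for instance an internal route via 10.1.0.1) raises ValueError, which is the configuration the note tells you to avoid.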

7.2.3 DHCP Configuration The internal DHCP service (menu Network >> DHCP, tab Internal DHCP) needs to be configured if the clients in the internal network should receive their IP settings from the mguard. Network >> DHCP, tab Internal DHCP Mode DHCP mode Select Server. DHCP Server Options Enable dynamic IP address pool Enable this option if the clients should receive their IP address from the IP address pool DHCP range start to DHCP range end. Disable this option if the assignment should be done statically only, based on the MAC address (refer to Static Mapping). DHCP lease time DHCP range start / DHCP range end Local netmask Broadcast address Default gateway DNS server WINS server Static Mapping Validity of the assigned IP settings in seconds. Start and end of the IP address range from which IP addresses are assigned to the clients dynamically. Subnet mask to be used by the clients. Broadcast address of the network. IP address of the default gateway used by the clients. Usually this is the internal IP address of the mguard. IP address of the Domain Name Service (DNS) server which shall be used by the clients to resolve hostnames into IP addresses and vice versa. Enter the internal IP address of the mguard if the DNS service of the mguard shall be used. IP address of the WINS server which shall be used by the clients to resolve hostnames into IP addresses and vice versa, using the Windows Internet Naming Service (WINS). Use Static Mapping to assign fixed IP addresses to clients depending on their MAC address. When doing this, consider the following: Statically assigned IP addresses have a higher priority than the dynamic IP address pool. Static IP addresses and pool addresses must not overlap. Do not assign the same IP address to several MAC addresses. Note: The mguard may act as DHCP server for the external network. In this case configure the tab External DHCP accordingly. 
If the DHCP server for the internal network is located in the external network of the mguard, use the option DHCP Relay in the tab Internal DHCP and specify the IP address of the DHCP server.

If the DHCP server for the external network is located in the internal network of the mguard, use the option DHCP Relay in the tab External DHCP and specify the IP address of the DHCP server.

7.2.4 DNS Server

A DNS server needs to be specified if:
  - The mguard itself needs to resolve hostnames, as is the case for:
    o Applying online updates.
    o Requesting licenses from the device online.
    o Online license reload.
    o Resolving DynDNS names to establish VPN connections.
    o Resolving a DNS name of an NTP server for time synchronization.
  - The clients in the internal network have the internal IP address of the mguard specified as DNS server.

Select Network >> DNS, tab DNS Server.

Network >> DNS, tab DNS Server

  DNS
    Local Resolving of Hostnames: Not required for this setup.
    Servers to query: Select User defined.
    User defined name server: Enter the IP address of the DNS server of the external network.

7.3 Configuration to access the Clients in the internal Network from the external Network

The mguard acts as router between the external network 10.1.0.0/16 and the internal network 192.168.1.0/24. The external IP of the mguard is 10.1.0.1/16, the internal IP 192.168.1.254/24. The mguard should be configured to allow access to the web interface (HTTP protocol) of the machine 192.168.1.10 from the external network. Apart from this, it should also be possible to ping this machine.

There are three different possibilities to configure the mguard to achieve this:
1) Additional internal routes on the gateway
2) Port forwarding
3) 1:1 NAT

Before starting with the configuration, ensure that the target machine uses the internal IP address of the mguard (192.168.1.254) as default gateway.

7.3.1 Configuring the incoming Firewall

Corresponding incoming firewall rules must be specified on the mguard (menu Network Security >> Packet Filter, tab Incoming Rules) when using the possibilities 1:1 NAT or additional internal routes on the gateway, to allow the incoming traffic. This is not required when using port forwarding because the mguard will forward data packets directly to the destination IP without sending them through the firewall.

The following firewall rules (menu Network Security >> Packet Filter, tab Incoming Rules) allow incoming TCP packets directed to the http port and incoming ICMP packets. All other packets will be dropped by the firewall. The fields From IP and To IP can be used to restrict the access to specific networks/machines only.

7.3.2 Possibility 1: Additional internal Routes on the Gateway

The target machine (192.168.1.10) does not belong to the network in which the sending entity is located (10.1.0.0/16). Therefore the sending entity will send packets directed to 192.168.1.10 to its default gateway (10.1.0.254). The gateway must know where to forward those packets. Therefore a route must be configured on the gateway (10.1.0.254), specifying the external IP of the mguard (10.1.0.1) as gateway and the target network (192.168.1.0/24).

For testing purposes this route can be added locally on the machine (10.1.0.100). If this is a Windows system, open a command prompt and enter the command:

  route add 192.168.1.0 mask 255.255.255.0 10.1.0.1

Now the computer will send packets directed to the network 192.168.1.0/24 directly to the mguard, and it is possible to access the target directly through its IP address: http://192.168.1.10, ping 192.168.1.10.

Advantages: The machine can be accessed directly by its IP address.

Disadvantages: Additional routes must be specified on the gateway. This is not applicable if several mguards are connected to the external network, some or all of them using the same internal network (192.168.1.0/24).

7.3.3 Possibility 2: Port Forwarding

When using port forwarding (menu Network >> NAT, tab Port Forwarding), the mguard will forward received data packets directly to the specified IP address and port.

Note: Port forwarding can only be used for port based protocols (UDP/TCP). ICMP is not a port based protocol. Therefore it is not possible to ping the target machine from the external network.

Network >> NAT, tab Port Forwarding

  Port Forwarding
    Protocol: Select the corresponding protocol, either TCP or UDP.
    From IP: 0.0.0.0/0 means from all IP addresses. The rule may be restricted to the sender's network (10.1.0.0/16) or IP address (10.1.0.100/32).
    From Port: The rule may be restricted to the sender's port. This is not applicable for http access because a web browser uses a varying port greater than or equal to 1024.
    Incoming on IP: %extern will automatically take the current external IP address of the mguard. Alternatively the external IP address of the mguard may be entered.
    Incoming on Port: Enter the original destination port number or the corresponding service name (e.g. http for TCP port 80).
    Redirect to IP: Specify the IP address to which the data packets should be forwarded.
    Redirect to Port: Specify the port number or service name to which the data packets should be forwarded. Usually this value corresponds to the value of Incoming on Port, but it is also possible to redirect the packets to another port. This feature must be used if the web interface of several machines located in the internal network should be accessible from the external network:

      Incoming on Port   Redirect to IP   Redirect to Port
      8000               192.168.1.10     http
      8001               192.168.1.17     http
      8002               192.168.1.21     http
      8003               192.168.1.37     http

    Comment: Enter a comment if desired.
    Log: Enable logging if desired.

Now it is possible to access the target through http://10.1.0.1, but a ping will not work.

Advantages: Easy to configure for a small number of targets.

Disadvantages: Only port based protocols (UDP/TCP) can be forwarded. The target machine is accessible through the external IP of the mguard. If the same port of several machines in the internal network must be accessible, a kind of mapping table must be maintained to know which port must be used to access a specific machine (e.g. http://10.1.0.1:8000 for 192.168.1.10, http://10.1.0.1:8001 for 192.168.1.17). This may get confusing, especially if several mguards connect different machine networks to the external network and web access is required to all machines.

7.3.4 Possibility 3: 1:1 NAT

1:1 NAT (menu Network >> NAT, tab Masquerading) maps IP addresses of the internal network to IP addresses of the external network. Depending on the subnet mask specified in the 1:1 NAT configuration, subnets of the internal network or the complete network can also be mapped to the external side.

When using 1:1 NAT, no changes need to be applied to the external network. The ARP daemon of the mguard will reply to ARP requests of the external network for the mapped IP addresses. The mapped IP addresses must not be used by any other entity of the external network.

When performing 1:1 NAT, the network part of the IP address is mapped and the host part is kept unchanged. The network part of the IP address is defined by the specified subnet mask. Examples of 1:1 NAT rules and the resulting IP mapping:

  Local         External    Netmask   Mapped IP addresses internal <-> external
  192.168.1.10  10.1.0.34   32        192.168.1.10 <-> 10.1.0.34
  192.168.1.0   10.1.0.0    28        192.168.1.0 <-> 10.1.0.0
                                      192.168.1.1 <-> 10.1.0.1
                                      ...
                                      192.168.1.14 <-> 10.1.0.14
                                      192.168.1.15 <-> 10.1.0.15
  192.168.1.0   10.1.0.0    24        192.168.1.0 <-> 10.1.0.0
                                      192.168.1.1 <-> 10.1.0.1
                                      ...
                                      192.168.1.254 <-> 10.1.0.254
                                      192.168.1.255 <-> 10.1.0.255

Note: It is not possible to use the same subnet mask as the external network uses to map the internal network to the external side. In this case the mguard would reply to all ARP requests of the external network, which would make this network inoperable.

In this example, the IP address of the target (192.168.1.10) should be mapped to the external IP address 10.1.0.210, which is not used by any other entity. The 1:1 NAT configuration for this setup looks as follows:

Now it is possible to access the target through its mapped IP address: http://10.1.0.210, ping 10.1.0.210.

Advantages: No changes need to be applied to the external network. Each target is accessible through an IP address of the external network. The target can be accessed using protocols and ports according to the specified incoming firewall rules. Connecting several mguards to the external network, some or all of them having the same internal network (e.g. 192.168.1.0/24), is no longer a problem. If, for example, the external network has a subnet mask of 16 and the systems in this network only use IP addresses from the range 10.1.0.1 to 10.1.0.254, the networks 10.1.1.0/24, 10.1.2.0/24, 10.2.3.0/24, etc. can be used to map the internal networks to IP addresses of the external network.

Disadvantages: A reasonable amount of unused IP addresses of the external network is required to perform the mapping.

Refer to chapter 1:1 NAT for further information about 1:1 NAT.

7.4 Configuration to access the Clients in the external Network from the internal Network

The mguard acts as router between the internal network 192.168.1.0/24 and the external network 10.1.0.0/16. The internal IP address of the mguard (192.168.1.254) must be specified as default gateway on the clients in the internal network. Otherwise accessing the external network will not be possible.

Let us take a look at what happens if a client in the internal network (192.168.1.10) wants to access a target located in the external network (10.1.0.100). When data packets are sent from the client (192.168.1.10) to a target located in the external network (10.1.0.100), the client will send the packets to its default gateway (192.168.1.254) because the IP address of the target is located in a different network. The mguard takes care of forwarding the packets to the destination. When the packets arrive at the target (10.1.0.100), the sender's IP address (192.168.1.10) belongs to a different network. Therefore the target will send its response to its default gateway (10.1.0.254), and there the transfer stops because the gateway does not know where to send packets directed to the network 192.168.1.0/24.

There are three possibilities to get the response of the target back to the sender:
1) Additional internal routes on the gateway
2) NAT
3) 1:1 NAT (refer to the previous chapter)

7.4.1 Possibility 1: Additional internal Routes on the Gateway

Add an additional route on the gateway of the external network (10.1.0.254), specifying 192.168.1.0/24 as network and the external IP address of the mguard (10.1.0.1) as gateway. This way the gateway knows where to send packets directed to the network 192.168.1.0/24.

This required change on the gateway may not always be applicable. The most common way is to activate Network Address Translation (NAT) on the mguard, described in the next chapter.
7.4.2 Possibility 2: Network Address Translation (NAT) / IP Masquerading

When activating NAT on the mguard, the mguard will masquerade the sender's IP address with its own external IP address. In other words, the mguard will replace the sender's IP address (192.168.1.10) in the data packets with its own external IP address (10.1.0.1). When the packets arrive at the target, the sender's IP address (10.1.0.1) is located in the same network and the target will send the response directly back to the mguard. The mguard will undo the NAT changes and forward the response back to the original sender.

Especially if the external network is the Internet, NAT must be activated. Otherwise accessing any site will not be possible.

Select Network >> NAT, tab Masquerading.

Network >> NAT, tab Masquerading

  Network Address Translation
    Outgoing on Interface: Select External.
    From IP: Enter the network and the appropriate subnet mask in CIDR notation (e.g. 255.255.0.0 = 16, 255.255.255.0 = 24, 255.255.255.255 = 32). A value of 0.0.0.0/0 means that all internal IP addresses will be masqueraded when sending data to the external network. If only a specific subnet should be masqueraded, enter this subnet and the appropriate subnet mask (e.g. 192.168.1.0/24). If only one client should be masqueraded, enter its IP address and the value 32 as subnet mask (e.g. 192.168.1.10/32).

  1:1 NAT: Not required for this setup.

7.4.3 Possibility 3: 1:1 NAT

Refer to chapter Possibility 3: 1:1 NAT.

8 Firewall

8.1 Incoming/Outgoing Firewall

The incoming and outgoing firewall is configured through the menu Network Security >> Packet Filter, tabs Incoming Rules and Outgoing Rules. Outgoing rules are applied to packets from the internal (trusted) network directed to the external (untrusted) network, incoming rules to packets from the external (untrusted) to the internal (trusted) network.

The mguard's firewall is a stateful packet inspection firewall. If the outgoing firewall allows TCP packets directed to port 80, the response from the target will also pass the incoming firewall, even if the incoming firewall is configured to block all packets. Configuring the incoming firewall is not required to allow the responses to come through.

Keep the following guidelines in mind when setting up the firewall:
  - The specified firewall rules are checked one by one, starting with the first rule. If a rule matches, the subsequent rules are not considered, no matter whether the action is Reject, Accept or Drop.
  - Specified ports (From Port and To Port) are only considered if the protocol is set to TCP or UDP.

Network Security >> Packet Filter, tab Outgoing Rules

  Outgoing
    Protocol: Select the protocol to which the rule should be applied (TCP, UDP, ICMP or All).
    From IP: The sender's IP address. 0.0.0.0/0 means all IP addresses. The rule may be restricted to a subnet (e.g. 192.168.1.0/24) or to an IP address (e.g. 192.168.1.100/32). If no subnet mask is specified, the mguard treats the entered value as an IP address.
    From Port: Only applicable if Protocol = TCP or UDP. The port from which the packets are sent. Either the port number or the corresponding service name (e.g. http for TCP port 80) can be entered. Entering a port range (<start port>:<end port>) is also supported. If the port from which the packets are sent varies, as is the case when accessing the Internet from a web browser, enter any.
    To IP: The target IP address (refer to From IP).
    To Port: Only applicable if Protocol = TCP or UDP. The destination port to which the packets are sent (refer to From Port).
    Action: Action applied to a packet which matches the rule. This can be Accept, Drop, Reject or the name of a Set of Rules (refer to Sets of Rules).
    Comment: Enter a comment if required.
    Log: Enables logging for the rule.

8.1.1 Example of a wrongly configured Firewall

In this example, only access to HTTP servers should not be granted from the internal network. The rules above contain a couple of errors:

Rule 1: The specified firewall rules are checked one by one, starting with the first rule. If a rule matches, the subsequent rules are not considered, no matter whether the action is Reject, Accept or Drop. The first rule will match for every packet. Therefore the second rule will never be checked; removing it would have the same effect. The order of the two rules needs to be changed.

Rule 2: HTTP requests issued by a web browser use a varying sending port greater than or equal to 1024 and send their requests to port number 80. This rule will never match due to From Port=80. In this case From Port=any and To Port=80 must be specified.

The correct configuration would be:
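The following Python model of the first-match evaluation is an added illustration, not code from the manual or from Innominate. The rule table of 8.1.1 is not reproduced in this extract, so the accept-all rule 1 and To Port=any on rule 2 are reconstructed from the text, the no-match default is an assumption, and the sample packets are constructed.

```python
"""Added example, not from the mguard manual: first-match evaluation of the
outgoing packet filter (section 8.1) applied to the misconfigured rules of
section 8.1.1 and to their corrected order."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str    # "TCP", "UDP", "ICMP" or "All"
    from_ip: str     # CIDR; 0.0.0.0/0 means any address
    from_port: str   # port number, "any", or a "start:end" range
    to_ip: str
    to_port: str
    action: str      # "Accept", "Drop" or "Reject"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_matches(spec: str, port: int) -> bool:
    """Match a single port, the keyword any, or an inclusive start:end range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.from_ip, strict=False):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.to_ip, strict=False):
        return False
    # Ports are only considered for TCP and UDP (section 8.1).
    if pkt.protocol in ("TCP", "UDP"):
        return (port_matches(rule.from_port, pkt.src_port)
                and port_matches(rule.to_port, pkt.dst_port))
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule decides; later rules are never consulted.
    Returns (action, 1-based rule index). No match is modelled as Drop here,
    an assumption: the manual does not state the outgoing default."""
    for idx, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "Drop", None


ANY = "0.0.0.0/0"
# Section 8.1.1 as the text describes it (the rule table is not in the
# extract; accept-all in rule 1 and To Port=any in rule 2 are reconstructions):
# rule 1 matches every packet, rule 2 tries to block HTTP with From Port=80.
WRONG_RULES = [
    Rule("All", ANY, "any", ANY, "any", "Accept"),
    Rule("TCP", ANY, "80", ANY, "any", "Drop"),
]
# Corrected: drop HTTP first with From Port=any and To Port=80, then accept.
CORRECT_RULES = [
    Rule("TCP", ANY, "any", ANY, "80", "Drop"),
    Rule("All", ANY, "any", ANY, "any", "Accept"),
]
# Constructed sample traffic: a browser uses an ephemeral source port >= 1024.
HTTP_REQUEST = Packet("TCP", "192.168.1.10", 51234, "10.1.0.100", 80)
HTTPS_REQUEST = Packet("TCP", "192.168.1.10", 51235, "10.1.0.100", 443)
PING = Packet("ICMP", "192.168.1.10", 0, "10.1.0.100", 0)
```

Evaluating HTTP_REQUEST against WRONG_RULES returns Accept from rule 1, while rule 2 on its own never matches the browser packet; against CORRECT_RULES the request is dropped by rule 1 and HTTPS and ICMP fall through to the accept rule.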

8.2 Sets of Rules

Sets of rules, which group firewall rules, are configured through the menu Network Security >> Packet Filter, tab Sets of Rules. A Set of Rules can be specified as Action when configuring the incoming and/or outgoing firewall.

Let us take a look at the following example: The incoming firewall should allow ftp, telnet and https access only to the servers 192.168.1.1, 192.168.1.23 and 192.168.1.145. Without using Sets of Rules, nine incoming firewall rules (one per service and target machine) need to be configured. Using a Set of Rules which groups either the allowed protocols or the IP addresses of the target machines results in three firewall rules.

Example 1: Set of Rules summarizing the IP addresses of the target machines

The set is called Servers and allows access to the target machines only (column To IP). The incoming firewall rules define the access for the specified services (column To Port) and refer to the Set of Rules with the name Servers (Action = Servers), which grants access to the target machines.

Example 2: Set of Rules summarizing the allowed services

The set is called Services and allows access for the specified services (column To Port). The incoming firewall rules define the access to the target machines (column To IP) and refer to the Set of Rules with the name Services (Action = Services), which grants access for the specified services.

8.3 MAC Filtering

Note: MAC filtering is only supported in Stealth mode.

MAC filtering is configured through the menu Network Security >> Packet Filter, tab MAC Filtering.

8.3.1 Basic Rules to set up MAC filtering

  - The MAC filter is stateless, in contrast to the IPv4 stateful inspection firewall. This means that rules must be defined for both directions, incoming and outgoing.
  - If no MAC filter rules are applied, IPv4 and ARP frames are allowed to pass in both directions. All other Ethernet frames are dropped.
  - IPv4 frames are always filtered additionally according to the IPv4 stateful inspection firewall rules defined for incoming and outgoing traffic.
  - If the MAC filter allows Ethernet frames other than IPv4 and ARP, no filtering except for the MAC address will take place.
  - All ARP and IPv4 frames pass the MAC filter by default. If the MAC filter should restrict access to specific MAC addresses, a final rule for IPv4 needs to be specified which rejects everything else.
  - Unless statically configured ARP tables are used on the devices, all IP traffic requires ARP address resolution first; this may also include the administrative access to the mguard. Therefore, restrictions on ARP traffic should be used with special care.
  - xx is used as wildcard:
    º xx:xx:xx:xx:xx:xx means all MAC addresses.
    º 00:0c:be:xx:xx:xx means all MAC addresses which start with 00:0c:be.

8.3.2 Examples MAC Filter Configuration

8.3.2.1 Restricted IPv4 Access

In the following example, access through the IPv4 protocol should be allowed only for machines of the external network whose MAC addresses start with 00:0c:be.

  - The MAC filter is stateless, in contrast to the IP firewall. Therefore incoming and outgoing rules need to be defined.
  - Only MAC addresses from the external network which start with 00:0c:be should be granted access to the internal network. Specify 00:0c:be:xx:xx:xx as Source MAC for the incoming rule and as Destination MAC for the outgoing rule.
  - The restriction should be applied to the IPv4 protocol. IPv4 needs to be entered as Ethernet Protocol.
  - All ARP and IPv4 frames pass the MAC filter by default. That's why a second incoming and outgoing rule must be specified which drops IPv4 packets from all other MAC addresses.

If a packet was sent from a MAC address starting with 00:0c:be, the first rule will match and access to the internal network is granted (assuming that there is also an incoming firewall rule defined which does not block the packet). If the packet was sent by any other MAC address, the second rule will match and drop the packet.

8.3.2.2 Allowing access for other Protocols than IPv4 (e.g. Novell IPX)

In the following example the Novell IPX protocol should pass the mguard.

  - The MAC filter is stateless, in contrast to the IP firewall. Therefore, incoming and outgoing rules need to be defined to allow the traffic in both directions.
  - Source MAC = Destination MAC = xx:xx:xx:xx:xx:xx: No restriction on the MAC address should be applied.
  - The hexadecimal value of the Novell IPX protocol is 8137, which needs to be entered as Ethernet Protocol.
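As an added example (not the mguard's own code), the following Python evaluates MAC filter rules the way section 8.3.1 describes them: stateless per direction, xx as a wildcard byte, IPv4 and ARP passing when no rule matches. It encodes the two configurations of 8.3.2.1 and 8.3.2.2 and shows what happens when the final Drop rules are left out. The hex Ethernet protocol values and all MAC addresses in the sample frames are constructed.

```python
"""Added example, not the mguard's own code: the stateless MAC filter of
section 8.3 with xx wildcards and the default pass for IPv4 and ARP, applied
to the configurations of 8.3.2.1 (restricted IPv4) and 8.3.2.2 (Novell IPX)."""
from dataclasses import dataclass
from typing import List

# Ethernet protocol numbers; the web interface accepts the name IPv4 for 0800.
ETHERTYPE_IPV4 = "0800"
ETHERTYPE_ARP = "0806"
ETHERTYPE_IPX = "8137"   # value given in section 8.3.2.2


@dataclass(frozen=True)
class MacRule:
    direction: str   # "incoming" (external -> internal) or "outgoing"
    src_mac: str     # e.g. "00:0c:be:xx:xx:xx"; an xx byte matches anything
    dst_mac: str
    ethertype: str   # four hex digits
    action: str      # "Accept" or "Drop"


@dataclass(frozen=True)
class Frame:
    direction: str
    src_mac: str
    dst_mac: str
    ethertype: str


def mac_matches(pattern: str, mac: str) -> bool:
    """Byte-wise comparison where an xx byte in the pattern is a wildcard."""
    p = pattern.lower().split(":")
    m = mac.lower().split(":")
    if len(p) != 6 or len(m) != 6:
        raise ValueError("a MAC address has six colon-separated bytes")
    return all(pb == "xx" or pb == mb for pb, mb in zip(p, m))


def mac_filter(rules: List[MacRule], frame: Frame) -> str:
    """First matching rule for the frame's direction decides. With no match,
    IPv4 and ARP frames pass (IPv4 is then still subject to the IP firewall)
    and every other Ethernet frame is dropped, as section 8.3.1 states."""
    for rule in rules:
        if (rule.direction == frame.direction
                and rule.ethertype.lower() == frame.ethertype.lower()
                and mac_matches(rule.src_mac, frame.src_mac)
                and mac_matches(rule.dst_mac, frame.dst_mac)):
            return rule.action
    passes_by_default = frame.ethertype.lower() in (ETHERTYPE_IPV4, ETHERTYPE_ARP)
    return "Accept" if passes_by_default else "Drop"


ANY_MAC = "xx:xx:xx:xx:xx:xx"
VENDOR = "00:0c:be:xx:xx:xx"
# 8.3.2.1: vendor prefix as Source MAC on the incoming rule and as Destination
# MAC on the outgoing rule; the catch-all Drop rules are required because IPv4
# would otherwise pass the MAC filter by default.
RESTRICTED_IPV4 = [
    MacRule("incoming", VENDOR, ANY_MAC, ETHERTYPE_IPV4, "Accept"),
    MacRule("incoming", ANY_MAC, ANY_MAC, ETHERTYPE_IPV4, "Drop"),
    MacRule("outgoing", ANY_MAC, VENDOR, ETHERTYPE_IPV4, "Accept"),
    MacRule("outgoing", ANY_MAC, ANY_MAC, ETHERTYPE_IPV4, "Drop"),
]
# The same rules without the final Drop: a misconfiguration that restricts nothing.
WITHOUT_FINAL_DROP = [r for r in RESTRICTED_IPV4 if r.action == "Accept"]
# 8.3.2.2: let Novell IPX through in both directions without MAC restriction.
ALLOW_IPX = [
    MacRule("incoming", ANY_MAC, ANY_MAC, ETHERTYPE_IPX, "Accept"),
    MacRule("outgoing", ANY_MAC, ANY_MAC, ETHERTYPE_IPX, "Accept"),
]
# Constructed sample frames (all addresses are made up for this example).
MGUARD_SIDE = "00:11:22:33:44:55"
VENDOR_HOST_IN = Frame("incoming", "00:0C:BE:12:34:56", MGUARD_SIDE, ETHERTYPE_IPV4)
OTHER_HOST_IN = Frame("incoming", "00:1a:2b:12:34:56", MGUARD_SIDE, ETHERTYPE_IPV4)
REPLY_OUT = Frame("outgoing", MGUARD_SIDE, "00:0c:be:12:34:56", ETHERTYPE_IPV4)
ARP_IN = Frame("incoming", "00:1a:2b:12:34:56", "ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP)
IPX_IN = Frame("incoming", "00:1a:2b:12:34:56", "ff:ff:ff:ff:ff:ff", ETHERTYPE_IPX)
```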

8.4 1:1 NAT

Note: 1:1 NAT is not supported in Stealth mode.

1:1 NAT (menu Network >> NAT, tab Masquerading) is used to connect several internal networks with the same network IPs (e.g. 192.168.1.0/24) to the external network. 1:1 NAT maps IP addresses of the internal network to IP addresses of the external network. Systems in the internal network can be reached directly through their mapped IP addresses from the external network. Depending on the subnet mask specified in the 1:1 NAT configuration, subnets of the internal network or the complete network itself can also be mapped to the external side.

The ARP daemon on the mguard will respond to ARP requests for the mapped IP addresses issued by the external network. Therefore no IP changes must be applied to the external network. The mapped IP addresses must not be used by any other entity in the external network.

When performing 1:1 NAT, the network part of the IP address is mapped and the host part is kept unchanged. The network part of the IP address is given by the specified subnet mask. Examples of 1:1 NAT rules and the resulting IP mapping:

  Local         External    Netmask   Mapped IP addresses internal <-> external
  192.168.1.10  10.1.0.34   32        192.168.1.10 <-> 10.1.0.34
  192.168.1.0   10.1.0.0    28        192.168.1.0 <-> 10.1.0.0
                                      192.168.1.1 <-> 10.1.0.1
                                      ...
                                      192.168.1.14 <-> 10.1.0.14
                                      192.168.1.15 <-> 10.1.0.15
  192.168.1.0   10.1.0.0    24        192.168.1.0 <-> 10.1.0.0
                                      192.168.1.1 <-> 10.1.0.1
                                      ...
                                      192.168.1.254 <-> 10.1.0.254
                                      192.168.1.255 <-> 10.1.0.255

Note: The same subnet mask as used by the external network cannot be used to map the internal network to the external side. In this case the mguard would reply to all ARP requests of the external network, which would make this network inoperable. The specified subnet mask must describe a smaller network than the one used by the external network (a longer prefix), and the mapped IP addresses must not be used by any other entity in the external network.
Apart from the 1:1 NAT configuration, the incoming/outgoing firewall (menu Network Security >> Packet Filter, tabs Incoming Rules and Outgoing Rules) must be configured according to the allowed traffic.
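The address rewrite described in sections 7.3.4 and 8.4, as an added example that is not code from the manual or from Innominate: the network part is exchanged according to the rule's netmask and the host part is kept, so the functions reproduce the mapping table above, and a check function applies the two conditions the Note states. The worked case is the 192.168.1.10 to 10.1.0.210 mapping of 7.3.4; the list of addresses in use on 10.1.0.0/16 is constructed from the addresses the manual mentions.

```python
"""Added example, not the mguard's own code: the 1:1 NAT address rewrite of
sections 7.3.4 and 8.4 (network part exchanged, host part kept) and the two
checks the manual attaches to it: a netmask more specific than the external
network's, and mapped addresses that nobody else uses."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def one_to_one_map(local: str, external: str, netmask: int, addr: str) -> Optional[str]:
    """Rewrite an internal address to its external counterpart for one rule
    (Local, External, Netmask). Returns None if addr is outside the rule."""
    local_net = IPv4Network(f"{local}/{netmask}", strict=False)
    external_net = IPv4Network(f"{external}/{netmask}", strict=False)
    ip = IPv4Address(addr)
    if ip not in local_net:
        return None
    host_part = int(ip) & int(local_net.hostmask)
    return str(IPv4Address(int(external_net.network_address) | host_part))


def one_to_one_unmap(local: str, external: str, netmask: int, addr: str) -> Optional[str]:
    """Reverse direction, external -> internal, applied to replies and to the
    ARP requests the mguard answers for the mapped addresses."""
    return one_to_one_map(external, local, netmask, addr)


def mapped_pairs(local: str, external: str, netmask: int) -> List[Tuple[str, str]]:
    """All internal <-> external pairs of a rule, i.e. the manual's table rows."""
    local_net = IPv4Network(f"{local}/{netmask}", strict=False)
    return [(str(ip), one_to_one_map(local, external, netmask, str(ip)))
            for ip in local_net]


def check_rule(local: str, external: str, netmask: int,
               external_network: str, addresses_in_use: List[str]) -> List[str]:
    """Problems the manual warns about. An empty list means the rule is sound.
    - The netmask must be more specific than the external network's (a longer
      prefix); with an equal or shorter one the mguard would answer every ARP
      request on the external network and make it inoperable.
    - No mapped external address may already belong to another entity."""
    problems: List[str] = []
    ext = IPv4Network(external_network, strict=False)
    if netmask <= ext.prefixlen:
        problems.append(f"netmask /{netmask} is not more specific than {ext}")
    mapped = IPv4Network(f"{external}/{netmask}", strict=False)
    for used in addresses_in_use:
        if IPv4Address(used) in mapped:
            problems.append(f"mapped address {used} is already in use externally")
    return problems


# Worked case from section 7.3.4: map the target 192.168.1.10 to the unused
# external address 10.1.0.210 with netmask 32. The in-use list is constructed
# from the addresses the manual mentions on the 10.1.0.0/16 network.
EXTERNAL_NETWORK = "10.1.0.0/16"
IN_USE = ["10.1.0.1", "10.1.0.100", "10.1.0.254"]

if __name__ == "__main__":
    print(one_to_one_map("192.168.1.10", "10.1.0.210", 32, "192.168.1.10"))
    for pair in mapped_pairs("192.168.1.0", "10.1.0.0", 28):
        print("%s <-> %s" % pair)
    print(check_rule("192.168.1.0", "10.1.0.0", 16, EXTERNAL_NETWORK, IN_USE))
```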