Deployment Guide: Transparent Mode
March 15, 2007

Deployment and Task Overview

Description
Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This guide assumes you want to perform the initial configuration first in a predeployment environment, and then move the appliance to the live production network.

Important: For information on routing mode deployments, SiteProtector deployments, VPN deployments, or high availability deployments, see the other deployment guides located at http://www.iss.net/support/documentation/docs.php?product=38&family=12.

Tasks
This deployment requires the following tasks:

  Task
  Verify Requirements (page 3)
  Connect to Proventia Setup Assistant (page 6)
  Initialize the System with Proventia Setup Assistant (page 7)
  Connect to Proventia Manager (page 9)
  Install Licenses (page 10)
  Install Updates (page 11)
  Create Full System Backup (page 15)
  Configure Appliance Access (page 16)
  Configure Management Settings (page 18)
  Configure Firewall Access Policies (page 19)
  Deploy Antispam, Antivirus, and Web Filter Protection (page 21)
  Save Policies and Move to Live Production Network (page 22)

Table 1: Tasks for deploying in transparent mode on a single network segment

2007 Internet Security Systems, Inc. All rights reserved worldwide.
Verify Requirements

PC requirements
You will need a PC to download your product licenses from ISS and to access the first-time setup utility on your new appliance. The PC must have Internet Explorer 6 or later and be configured to obtain its IP configuration automatically. Detailed instructions on how to check your PC's IP configuration are included in this topic.

License requirements
If you have not already done so, obtain your product licenses as described in the Welcome Kit and Order Confirmation Email you received from ISS, or go directly to the License Registration Web site for instructions: https://www1.iss.net/cgi-bin/lrc

Important: Once you have your product licenses, save them to an easily accessible location such as your PC or a removable USB drive. Keep in mind that the PC will not have access to network shares once it is connected to the appliance.

If you need further assistance with licenses, contact our license support center:
  Email: licenses@iss.net
  Online: www.iss.net/support

Network connection requirements
You will need to connect the appliance to a network connection that provides Internet access and supports automatic IP configuration. The appliance uses the connection to get important initial updates from ISS. You can use the same network connection you used to obtain your licenses.

Important: If your network connection does not support automatic IP configuration, or if you are deploying the appliance in transparent mode, then you must provide the appliance with the following settings to use the network connection:
  - IP address
  - subnet mask
  - default gateway
  - nameserver
  - DNS suffix

Note: You can use the same settings assigned to your PC, or contact your network administrator for the settings.

DNS suffix requirements
You will need the DNS suffixes used on your network connection.

Cable requirements
You will need the following cables for initial configuration:
  - Red Ethernet crossover cable (included)
  - Power cable (included)
  - Standard Ethernet crossover cable (not included)
Detailed instructions
Follow the steps below to verify that your PC and network connection support automatic IP configuration and to gather the DNS suffixes you will need during initial setup:

Note: If your PC and network connection do not support automatic IP configuration, record your static IP settings as described in this task.

Note: Exact steps vary depending on your Windows version and display settings. The steps listed are for the Windows Classic interface.

1. On the PC, select Start > Settings > Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. Double-click Internet Protocol (TCP/IP).
4. If your screen looks like Figure 1, go to Step 5. If your screen looks like Figure 2, write down your specific IP address, subnet mask, default gateway, and preferred DNS nameserver. Next, select Obtain an IP address automatically and Obtain DNS server address automatically. Go to Step 5.

[Figure 1: Automatic IP configuration]
[Figure 2: Static IP configuration]

5. Click the Advanced button.
6. Select the DNS tab, and then write down the DNS suffixes listed under Append these suffixes (in order).

[Figure 3: DNS search path settings]

7. Click OK to close Advanced TCP/IP Settings.
8. Click OK to close Internet Protocol (TCP/IP) Properties.
9. Close Network Connections.
Connect to Proventia Setup Assistant

Introduction
The Proventia Setup Assistant is a Web-based utility that gives you access to the system for the first time and helps you configure the new appliance. It is typically used one time only, for initial configuration. You will perform all other appliance configuration and administration in Proventia Manager or in SiteProtector once the device is deployed.

Procedure
To connect to Proventia Setup Assistant:

1. Connect the red Ethernet cable from the Internal port to your PC.
2. Connect the standard Ethernet cable from the External port to your Internet connection.
3. Connect the power cable from the power port to a power outlet.
4. Switch on the appliance.
5. Wait for the appliance to fully boot.
6. Start Internet Explorer.
7. Type the default IP address of the appliance, and press ENTER: https://192.168.123.123
8. When the security alert appears, click Yes.
   Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.
9. At the Proventia Local Management Interface login prompt, type admin for the username and admin for the password, and then click OK.
10. Wait while the setup utility is loaded.

When you see the Welcome screen, you are connected to Proventia Setup Assistant and ready to start the initial configuration.
Initialize the System with Proventia Setup Assistant

Procedure
To initialize the system with Proventia Setup Assistant:

Note: Keep the default settings where indicated. If you are unsure about how to configure a specific setting, click Cancel to stop the process. For more information on the policies described in this topic and instructions on how to customize the policies once the appliance is deployed, see the Policy Configuration Guide.

11. On the Welcome screen, click Next.
12. On the End User License Agreement screen, select I Accept, and then click Next.
13. On the Linux End User License Agreement screen, select I Accept, and then click Next.
14. On the Mode screen, select Transparent, and then click Next.
15. On the Transparent Mode Configuration screen, review the settings overview, and then click Next.
16. On the Hostname screen, enter the hostname, and then click Next.
17. On the Management Address screen, type a management-only IP address, netmask, and default gateway, and then click Next.
    Tip: This IP address is used only to access the system's configuration and management.
18. On the Name Servers screen, provide the IP address for at least one (primary) nameserver, and then click Next.
19. On the DNS Search Path screen, enter the DNS suffixes used by your network, and then click Next.
20. On the Appliance Management Access screen, keep the default setting, and then click Next.
21. On the Time Zone screen, select your time zone, and then click Next.
22. On the Date and Time screen, type the date and time, and then click Next.
23. On the Root Password screen, set the password, and then click Next.
24. On the Administrator Password screen, set the password, and then click Next.
    Tip: Select Same As Root.
25. On the Proventia Manager Password screen, set the password, and then click Next.
    Tip: Select Same As Root.
26. On the Bootloader screen, select Disable, and then click Next.
    Tip: Enable the bootloader password if you want to require users to enter the root password before they can change boot settings.
27. On the Settings Review screen, scroll through and review the settings, and then click Finish.
28. When you see the Setup Complete window, click End Assistant Session, and then click Yes.
29. Close Internet Explorer.
30. Wait while the appliance applies the settings and fully reboots.

When the appliance reboots, you are ready to connect to Proventia Manager, where you can finish the initial configuration process.
Connect to Proventia Manager

Repairing or resetting the connection
Before you can connect to Proventia Manager, you must repair or reset the connection between the PC and the appliance as described:

  If your PC normally has...     Then
  Automatic IP configuration     1. Select Start > Settings > Network Connections.
                                 2. Right-click the Local Area Connection, and then select Repair.
  Static IP configuration        1. Select Start > Settings > Network Connections.
                                 2. Right-click the Local Area Connection, and then select Properties.
                                 3. Double-click Internet Protocol (TCP/IP).
                                 4. Select Use the following IP address, and then enter your static settings.
                                 5. Select Use the following DNS server addresses, and then enter your static nameserver addresses.
                                 6. Click OK to close Internet Protocol (TCP/IP) Properties.
                                 7. Close Network Connections.

Table 2: How to repair or reset your connection

Connecting to Proventia Manager
To connect to Proventia Manager:

Note: After some configuration tasks in this guide, the appliance will automatically reboot and end your session. Use this procedure to reconnect to Proventia Manager.

1. On the PC connected to the appliance, start Internet Explorer.
2. Type the default IP address of the appliance, and then press ENTER: https://192.168.123.123
3. When the security alert appears, click Yes.
   Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.
4. At the login, type admin for the username, type your Proventia Manager password, and then click OK.
5. On the Welcome screen, select "No, continue without the Getting Started Help.", and then click Next.

When you see the Home page in Proventia Manager, you are connected.
Install Licenses

Procedure
To install your product license keys:

1. In the upper-right corner of Proventia Manager, find the Important System Message, and then click Install License.
2. Click Browse, select the license file, click Open, and then click Upload.
   Tip: Licenses are issued as XML files.
3. Repeat Step 2 to upload each license.
   Tip: The licenses might not appear on the Licensing page until after you have uploaded all of your license keys.
Install Updates

Procedure
To install important security updates that were released since your appliance was shipped:

Important: Install the updates in the order listed in this procedure.

Note: This procedure assumes the appliance has Internet access.

1. In Proventia Manager, select Maintenance > Updates > Status.
2. Click the Find Updates button.
3. Wait while the system contacts ISS for updates.
4. When the Update Status page displays, click Download Updates.
5. Wait while the system downloads the updates to the appliance.
6. Click Install Now for Intrusion Prevention.
7. Wait while the system installs the update.
8. When the Update Status page reappears, click Install Now for Antivirus.
9. Wait while the system installs the update.
10. When the Update Status page reappears, click Install Now for Firmware.
11. At the confirmation prompt, click OK.
12. When you see the following alert, close Internet Explorer. If you have multiple instances of Internet Explorer running, close them all. This action ends your session with Proventia Manager. You will need to reconnect to Proventia Manager after the firmware update is finished.
Configure Automatic Updates

Procedure
To configure automatic product updates:

1. In Proventia Manager, select Maintenance > Updates > Automatic Settings.
2. Select the Update Settings tab.
3. In the Security Updates section, select Automatically Download and Automatically Install.
   Tip: These settings force the system to automatically install antivirus and intrusion prevention updates, which are released often to address the latest security threats. These updates run in the background and do not take the system offline.
4. In the Web Filter & Antispam Database Updates section, select Automatically Update Web Filter and Antispam Database.
   Tip: Enable automatic database updates only if you are going to deploy Antispam and Web filter protection. Database updates run in the background and do not take the system offline.
5. In the Firmware Updates section, select Automatically Download.
   Tip: These settings do not force the system to automatically install firmware updates, but the system will download firmware updates as they become available. After downloading a firmware update, the system will alert you and give you the option to install or disregard the firmware update.
6. Click Save Changes.
Create Full System Backup

Procedure
To create a full system backup:

Note: The full system backup is a complete image of the system, including all the updates you have installed and settings you have configured. The full system backup is similar to a system restore point and provides an easy way to restore the system without having to reinstall all the initial updates. Keep in mind that you can store only one full system backup on the appliance at a time.

1. In Proventia Manager, select Maintenance > Backup and Recovery.
2. Select the Full Backup tab, and then click Create System Backup.
3. Follow the onscreen instructions to end your session and close Internet Explorer.
Configure Appliance Access

Important
By default, you can access the appliance from any computer with an IP address on the same subnetwork as the appliance's management interface. If this setting meets your requirements, then you can skip this task. Otherwise, follow the steps in this procedure to configure appliance access settings based on your requirements.

Procedure
To configure appliance access:

Recommendation: Do not delete the default SysTransmgmtRange setting.

1. In Proventia Manager, select Configuration > System > Appliance Access.
2. On the Appliance Access Configuration page, click the Add icon.
3. Type a Comment (description), and then define the addresses or networks that can access the appliance as described:

  If you want to allow access from a...   Then...
  Static IP address                       1. Select Single IP Address, and then select Static Address.
                                          2. Type the IP address, and then click OK.
  Address name                            1. Select Single IP Address, and then select Address Name.
                                          2. Select an entry, and then click OK.
  Dynamic address name                    1. Select Dynamic Address Name.
                                          2. Select an entry, and then click OK.
  Range of static IP addresses            1. Select Address Range, and then select Static Address Range.
                                          2. Type the IP address range, and then click OK.
  Address range name                      1. Select Address Range, and then select Address Name Range.
                                          2. Select an entry, and then click OK.
  Dynamic address range name              1. Select Address Range, and then select Dynamic Address Range Name.
                                          2. Select an entry, and then click OK.

4. Do not save changes yet, but go to the next task.
Configure Management Settings

Procedure
To configure the management settings for deployment:

Important: Do not save your changes until instructed to do so later in this guide.

1. In Proventia Manager, select Configuration > System > Network Interfaces.
2. Select the Management tab.
3. In the first section, change the following settings as needed to match your deployment environment:
   - Host Name
   - IP Address
   - Subnet Mask
   - Gateway
   - Primary DNS Server
   - Secondary DNS Server
   - Tertiary DNS Server
4. In the DNS Search Path section, verify that the DNS suffixes listed are correct. To add a DNS suffix, click the Add icon, and enter the domain name.
5. Do not save changes yet, but go to the next task.
Configure Firewall Access Policies

Introduction
This topic explains how to configure firewall access policies.

Default firewall access policies
The appliance comes with the following default firewall access policies enabled. These policies are appropriate for most deployments:

Note: You can edit the policies or add customized policies at any time in Proventia Manager or in SiteProtector.

  - Allow all outbound traffic from SELF.
  - Allow all traffic through the box.
  - Allow all Broadcast traffic through the box.
  - Allow ICMP Ping to Self from Mgmt network.
  - Silently Reject all Broadcast traffic to the box.

Configuring firewall access policies
To configure firewall access policies:

1. In Proventia Manager, select Configuration > Firewall.
2. Select the Access Policy tab.
3. Click the Add icon.
4. Set the Rule Order.
5. Verify the Rule Guid.
6. Verify the Enabled option is selected.
7. Select the Action (Allow or Reject).
8. Select the Type (Unicast or Broadcast).
9. Select Log Enabled to log events associated with this rule.
10. Type a Comment (description) for the rule.
11. Select the following tabs, and then complete them as needed:

  Tab                   Description
  Protocol              Select one of the following: Any, Protocol Name, Protocol Number.
  Source Address        Select one of the following: Any, Self, Single IP Address, Address Range, Network Address / Network Bits (CIDR), Specify Network Objects.
                        Tip: Click the Add icon to create a network object.
  Source Port           Select one of the following: Any, Single Port, Port Range.
  Destination Address   Select one of the following: Any, Self, Single IP Address, Address Range, Network Address / Network Bits (CIDR), Specify Network Objects.
                        Tip: Click the Add icon to create a network object.
  Destination Port      Select one of the following: Any, Single Port, Port Range, Specify Network Objects.
                        Tip: Click the Add icon to create a network object.

12. Do not save changes yet, but go to the next task.
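The Rule Order set in step 4 decides which policy wins when several could match the same traffic, and a rule placed below a broader one is never reached. The following is an added example, not code from this guide or from the Proventia product: a small first-match evaluator in Python that models the five default policies above using the fields the Access Policy tabs expose (Rule Order, Action, Type, Protocol, Source/Destination Address and Port). Everything about how the appliance actually evaluates rules is assumed here: "through the box" is modeled with a Transit destination token of this example's own, traffic matching no rule is treated as rejected, and the "Mgmt network" is taken to be a constructed 192.168.123.0/24 around the guide's default appliance address.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

MGMT_NET = "192.168.123.0/24"  # constructed management subnet (assumption)


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    broadcast: bool = False      # sent to a broadcast address
    to_self: bool = False        # addressed to the appliance itself
    from_self: bool = False      # originated by the appliance itself


@dataclass(frozen=True)
class Rule:
    order: int                   # Rule Order: lower values are evaluated first
    comment: str                 # Comment (description)
    action: str                  # "Allow" or "Reject"
    ttype: str                   # Type: "Unicast" or "Broadcast"
    protocol: str = "Any"        # "Any" or a protocol name
    src: str = "Any"             # "Any", "Self", an IP address or a CIDR network
    dst: str = "Any"             # as src, plus "Transit" = not addressed to Self (this example's token)
    dports: Tuple[int, ...] = ()  # () = Any, (p,) = single port, (lo, hi) = port range
    enabled: bool = True
    log: bool = False


def _endpoint_matches(spec: str, addr: str, is_self: bool) -> bool:
    if spec == "Any":
        return True
    if spec == "Self":
        return is_self
    if spec == "Transit":
        return not is_self
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: Tuple[int, ...], port: Optional[int]) -> bool:
    if not spec:
        return True
    if port is None:
        return False
    return port == spec[0] if len(spec) == 1 else spec[0] <= port <= spec[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # A disabled rule never matches; Type must agree with the packet's broadcast flag.
    if not rule.enabled or (rule.ttype == "Broadcast") != pkt.broadcast:
        return False
    if rule.protocol != "Any" and rule.protocol.lower() != pkt.proto.lower():
        return False
    return (_endpoint_matches(rule.src, pkt.src, pkt.from_self)
            and _endpoint_matches(rule.dst, pkt.dst, pkt.to_self)
            and _port_matches(rule.dports, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, comment of the deciding rule). The first rule in Rule Order
    that matches decides; unmatched traffic is rejected (an assumed default)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "Reject", None


def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Place `new` at its Rule Order and push every later rule down one slot."""
    shifted = [r if r.order < new.order else replace(r, order=r.order + 1) for r in rules]
    return sorted(shifted + [new], key=lambda r: r.order)


# The five default policies the guide lists, in the order it lists them.
DEFAULT_RULES = [
    Rule(1, "Allow all outbound traffic from SELF", "Allow", "Unicast", src="Self"),
    Rule(2, "Allow all traffic through the box", "Allow", "Unicast", dst="Transit"),
    Rule(3, "Allow all Broadcast traffic through the box", "Allow", "Broadcast", dst="Transit"),
    Rule(4, "Allow ICMP Ping to Self from Mgmt network", "Allow", "Unicast",
         protocol="ICMP", src=MGMT_NET, dst="Self"),
    Rule(5, "Silently Reject all Broadcast traffic to the box", "Reject", "Broadcast", dst="Self"),
]

# A constructed custom rule: log and reject cleartext Telnet crossing the box.
TELNET_REJECT = Rule(2, "Reject Telnet through the box", "Reject", "Unicast",
                     protocol="TCP", dst="Transit", dports=(23,), log=True)

# At order 2 it is evaluated before "Allow all traffic through the box" ...
STRICT_RULES = insert_rule(DEFAULT_RULES, TELNET_REJECT)
# ... appended at order 6 it sits behind that rule and can never match.
SHADOWED_RULES = DEFAULT_RULES + [replace(TELNET_REJECT, order=6)]

if __name__ == "__main__":
    telnet = Packet("10.0.0.5", "198.51.100.7", "tcp", dport=23)
    print(evaluate(DEFAULT_RULES, Packet("192.168.123.50", "192.168.123.123", "icmp", to_self=True)))
    print(evaluate(STRICT_RULES, telnet), evaluate(SHADOWED_RULES, telnet))
```

The two Telnet variants show why step 4 matters: the same Reject rule is effective at order 2 and dead at order 6, because "Allow all traffic through the box" already matches every unicast transit packet. Before saving a new policy, check that no earlier Allow rule covers the traffic you intend the new rule to catch.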
Deploy Antispam, Antivirus, and Web Filter Protection

Introduction
This topic explains how to deploy basic antispam, antivirus, and Web filter protection. It does not explain how to customize or tune policies for these modules. For that information, see the Multi-Function Security Policy Configuration Guide.

Note: Antispam, antivirus, and Web filter are optional.

Deploying antispam, antivirus, and Web filter
To deploy antispam, antivirus, and Web filter protection:

1. In Proventia Manager, select Configuration > Antispam.
2. Select the Protection Settings tab, and then select Spam Detection Enabled.
3. Select Configuration > Antivirus.
4. On the Basic Configuration tab, select the Antivirus Module Enabled checkbox.
5. Select Configuration > Web Filter > Web Filter Settings.
6. On the Protection Settings tab, select the Web Filter Module Enabled checkbox.
7. Do not save changes yet, but go to the next task.
Save Policies and Move to Live Production Network

Saving policies
It is important to understand that once you save your policies you will not be able to access the appliance again until you physically move it to the live production network, connect the cables, and boot the system.

To save your policies, click Save Changes in Proventia Manager. This action will end your session with Proventia Manager and lock you out of the appliance temporarily, until the appliance is operational on the production network.

Moving the appliance into production
The physical move to the live production network will require some network downtime, so schedule the move to occur during a low-usage time and factor in time to rack mount the appliance if needed.

To move the appliance to production:

1. Switch off the appliance.
2. Disconnect the appliance and cables from your setup or configuration environment as described:
   - Disconnect the red Ethernet cable from the Internal port to your PC.
   - Disconnect the standard Ethernet cable from the External port to your Internet connection.
   - Disconnect the power cable from the power port to a power outlet.
3. Move the device to its location on the production network and rack mount the device if needed.
4. Reconnect the cables as described:
   - Connect a standard Ethernet cable from the Internal port to your internal network.
   - Connect a standard Ethernet cable from the External port to your Internet connection.
   - Connect additional standard Ethernet cables from the internal ports to your internal networks, including your DMZ if needed.
   - Connect the power cable from the power port to a power outlet.
5. Switch on the appliance.

Tuning policies and routine maintenance
See the following publications for additional assistance:
  - For information on how to customize policies, see the Policy Configuration Guide.
  - For information on how to perform routine maintenance such as backups, see the Administrator Guide.