Intrusion Detection and Analysis for Active Response - Version 1.2. Installation Guide




Copyright 2001-2005 Stonesoft Corp. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Stonesoft Corporation.

Stonesoft Corporation, Itälahdenkatu 22 A, FI-00210 Helsinki, Finland
Stonesoft Inc., 1050 Crown Point Parkway, Suite 900, Atlanta, GA 30338, USA
Stonesoft Corporation, 90 Cecil Street, #13-01, 069531 Singapore

Trademarks and Patents

The products described in this documentation are protected by one or more of U.S. Patents and European Patents: U.S. Patents no. 6,650,621 and 6,856,621, European patents no. 1065844, 1289183, 1289202, and 1326393; and may be protected by other US patents, foreign patents, or pending applications. Stonesoft, the Stonesoft logo, and StoneGate are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. Sun, Sun Microsystems, the Sun Logo, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Windows and Microsoft are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. IBM, Redbooks, zSeries and z/VM are trademarks or registered trademarks of the International Business Machines Corporation in the United States and/or other countries. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGIIG_20050606

Table of Contents

GETTING STARTED

CHAPTER 1 Using StoneGate IPS Documentation 9
  Objectives and Audience 10
  Overview of the StoneGate IPS Installation Guide 10
    How to Use This Guide 10
    Example Network Scenario 10
  Typographical Conventions 11
  StoneGate IPS Documentation Map 11
    Guide Books 12
    Support Documentation 12
  Contact Information 13
    Technical Support 13
    Security Related Questions and Comments 13
    Product Sales 14
    Documentation Comments 14

CHAPTER 2 Quick Start Instructions 15
  Requirements for the Installation 16
  Quick Installation 17

CHAPTER 3 Planning StoneGate IPS Installation 23
  Overview to the Installation Procedure 24
  Important to Know Before Installation 24
  System Components and Supported Platforms 25
    StoneGate IPS System Components 25
    Supported Platforms 25
    Checking the File Integrity 25
  Checking the Surrounding Network Environment 26
    Switch SPAN Ports and Hubs 26
    Network TAPs 27
  System Installation 27
    Example Network Scenario 28
    StoneGate Management Center 29
    Combined Sensor-Analyzer 29
    Sensor Cluster 30
    Single Sensor 30
    Analyzer 31

INSTALLING THE MANAGEMENT CENTER

CHAPTER 4 Installing the Management Center 35
  Installing the Management Center 36
    Checking File Integrity 36
    Installing the Management Center Components 36
    Starting the Installation 36
    Installing the Management Server 40
    Installing the Log Server 42
    Installing the Monitoring Server 46
    Installing the GUI Client 47
  Starting the StoneGate Management Center 49
    Starting the Management Server 49
    Starting the GUI Client 49
    Installing StoneGate IPS Licenses 50
    Starting the Log Server 51
    Starting the Monitoring Server 51
  Non-graphical Installation 52
  Uninstalling the Management Center 54
    Uninstalling in Non-graphical Mode 55

CHAPTER 5 Defining Sensors and Analyzers 57
  Element Configuration Overview 58
  Importing Dynamic Updates 58
  Defining an Analyzer 59
    Defining the Network Interfaces 60
  Defining a Sensor Cluster 62
    Defining the Cluster Network Interfaces 63
    Defining the Node Specific Properties 66
    Adding a Node to the Cluster 67
  Defining a Single Sensor 68
    Defining the Network Interfaces 69
  Defining a Combined Sensor-Analyzer 72
    Defining the Network Interfaces 73
  Configuring Routing 75
  Saving the Initial Configuration 77
  Configuring IP Addressing for NAT 79
    Defining Locations 79
    Sensor and Analyzer Contact Addresses 80
    Management Server Contact Address 82

INSTALLING SENSORS AND ANALYZERS

CHAPTER 6 Installing Sensors and Analyzers 87
  Installing the Sensor or Analyzer Engine 88
    Checking the File Integrity 88
    Booting From the CD-ROM 88
  Configuring the Sensor or Analyzer 90
    Selecting the Configuration Method 90
    Configuring the Operating System Settings 90
    Configuring the Network Interfaces 93
    Contacting the Management Server 94
  Installing in Expert Mode 96
    Checking the File Integrity 97
    Booting From the CD-ROM 97
    Partitioning the Hard Disk Manually 98
    Allocating Partitions 99

CHAPTER 7 Installing Policies 103
  Installing the System Policies 104

UPGRADING STONEGATE IPS

CHAPTER 8 Upgrading And Updating 109
  Getting Started with Upgrading StoneGate 110
    Configuration Overview 110
    Checking File Integrity 111
  Upgrading or Generating Licenses 112
    Generating a New License 112
    Upgrading Licenses Under One Proof Code 113
    Upgrading Licenses Under Multiple Proof Codes 114
    Installing Licenses 115
  Upgrading the Management Center 116
    Upgrading the Log Database 118
  Upgrading Engines Remotely 119
  Upgrading Engines Locally 121
    Upgrading StoneGate IPS 121
    Installing IPS Dynamic Updates 122

APPENDICES

APPENDIX A Command Line Tools 127
APPENDIX B StoneGate IPS Ports 135
Software and License Information 139
Index 153

GETTING STARTED

CHAPTER 1 Using StoneGate IPS Documentation

Welcome to Stonesoft Corporation's StoneGate IPS Intrusion Detection and Response System for Intelligent Analysis. This chapter describes how to use the StoneGate IPS Installation Guide and related documentation. It also provides directions for obtaining technical support and how to give feedback about the documentation.

The chapter contains the following sections:
- Objectives and Audience, on page 10
- Overview of the StoneGate IPS Installation Guide, on page 10
- Typographical Conventions, on page 11
- StoneGate IPS Documentation Map, on page 11
- Contact Information, on page 13.

Objectives and Audience

This StoneGate IPS Installation Guide describes step by step how to complete installation of the StoneGate Management Center and the StoneGate IPS Sensors and Analyzers. This Guide is intended for technical people who administrate and implement StoneGate IPS installations. The tasks are illustrated by using an example network scenario. If you need a more comprehensive explanation on the functionality and operation of StoneGate IPS, please see the StoneGate IPS Administrator's Reference. For more information on other related StoneGate IPS documentation, see section StoneGate IPS Documentation Map, on page 11.

Overview of the StoneGate IPS Installation Guide

How to Use This Guide

This guide is organized in chapters explaining the StoneGate IPS installation tasks in a step-by-step format. Each chapter focuses on one area of StoneGate IPS installation. The chapters are organized following the StoneGate IPS installation steps, as explained in Overview to the Installation Procedure, on page 24. For detailed information on managing StoneGate IPS, please refer to the StoneGate IPS Administrator's Guide.

Example Network Scenario

To illustrate the installation tasks, this Guide uses an example network scenario presented in section Example Network Scenario, on page 28. The network scenario is also presented in the front of the book, before the Table of Contents.

Typographical Conventions

The following typographical conventions are used throughout this guide:

TABLE 1.1 Typographical Conventions

Formatting           Informative Uses
Normal text          This is normal text.
GUI elements         Interface elements (buttons, menus, icons) and any other interaction with the user interface are in boldface.
References, terms    Cross-references and the described acronyms and terms are in italics.
Command line         File names, directories, and text displayed on the screen are monospaced.
User input           User input on screen is monospaced bold-face.
Command parameters   Command parameter names are in monospaced italics.

In addition, we use the following icons to indicate important or additional information.

Note: Notes provide important information that may help you complete a task.

Caution: Cautions provide cautionary or critical information that you should take into account before performing an action or implementing a feature.

Tip: Tips provide information that is not crucial, but may still be helpful.

StoneGate IPS Documentation Map

StoneGate IPS technical documentation is divided into two main categories: Guide Books and Support Documentation. We will next describe the different types of documents.

Guide Books

The StoneGate IPS Guide books are the primary resource of technical information. The Guide books provide comprehensive guidelines on using and configuring StoneGate IPS, as well as descriptions of its operation and features. To locate the StoneGate IPS Guide that provides the information you need, see Table 1.2.

TABLE 1.2 Description of Guide Books

Guide                      Description
Administrator's Reference  Describes comprehensively the operation and features of StoneGate IPS.
Installation Guide         Demonstrates the steps required for planning, installing, and upgrading a StoneGate IPS system.
Administrator's Guide      Describes how to configure and manage a StoneGate IPS system. Uses detailed step-by-step examples.
Online Help                Explains the management GUI client's buttons, fields, etc. (Accessible from the GUI client's Help menu and by using the Help button in the GUI windows.)

The StoneGate IPS Guides are available as printed versions in the StoneGate IPS product kit. The PDF versions are available on the StoneGate IPS CD-ROM and Stonesoft's Web site at http://www.stonesoft.com/products/stonegate/.

Support Documentation

The StoneGate IPS support documentation provides additional and late-breaking technical information on StoneGate IPS and related issues. These documents are supportive information resources to be used in conjunction with the StoneGate IPS Guide books.

The support documentation is further divided into several document types. To locate the support document that provides the information you need, see Table 1.3.

TABLE 1.3 Description of Support Documentation

Documentation             Description
Release Notes             Describe the release specific information. Contains new features, fixes and enhancements, software version information, system requirements, and other StoneGate IPS version specific information.
Technical Knowledge Base  Answers simple recurrent topics concerning StoneGate IPS.
Technical Notes           Describe related technical information not necessarily limited to StoneGate IPS software. For example, related third-party products, technologies, and standards.
How-To Guidelines         Describe certain special cases of StoneGate IPS system configuration and possible related third-party products.

The latest StoneGate IPS support documentation is available on the Stonesoft Web site at http://www.stonesoft.com/support/.

Contact Information

For general information about StoneGate IPS and Stonesoft Corporation, please visit our Web site at http://www.stonesoft.com/.

Technical Support

Stonesoft offers global technical support for Stonesoft's product families. For more information on the technical support services, please visit Stonesoft's Web site at http://www.stonesoft.com/support/.

Security Related Questions and Comments

You can send any questions or comments relating to StoneGate IPS and network security to security-alert@stonesoft.com. A PGP key is available at ftp://download.stonesoft.com/web/support/stonesoft%20security%20alert.asc.

Product Sales

For sales questions or other information or comments on the StoneGate IPS product, please send e-mail to info@stonesoft.com.

Documentation Comments

Your input is essential in order for the StoneGate IPS documentation to better serve your needs. Let us know of any errors you find, as well as suggestions for future editions, comments, etc. by e-mail: documentation@stonesoft.com.

CHAPTER 2 Quick Start Instructions

These quick start instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters.

This chapter contains the following sections:
- Requirements for the Installation, on page 16
- Quick Installation, on page 17.

Requirements for the Installation

The prerequisites for this quick installation setup are described below.

TABLE 2.1 Requirements for the Quick Installation

Hardware: Management Center
  Two machines with Windows, Linux, or Solaris installed for the Management Server and the Log Server. One NIC required on each machine. The GUI client can be installed on either or both of these machines. (Alternatively, all Management Center components can be installed on the same machine.) See the system requirements in the Release Notes at http://www.stonesoft.com/download/.

Hardware: Sensor
  One Intel compatible machine with at least two NICs. (At least three NICs are required if wire TAP is used.) The Sensor uses an integrated operating system. See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.

Hardware: Analyzer
  One Intel compatible machine with at least one NIC. The Analyzer uses an integrated operating system. (Alternatively, a combined Sensor-Analyzer can run on the same machine.) See the technical requirements at http://www.stonesoft.com/products/stonegate/Technical_Requirements/.

Network: Ethernet cabling
  Ethernet cabling is needed to network the StoneGate Management Center, the Sensor, and the Analyzer for intercommunications.

Network: traffic capturing
  One switch SPAN port (port mirroring), a wire TAP device, or a Hub is needed for capturing the traffic on the Sensor.

Network: IP addressing
  All the machines require an IP address reachable from the connecting StoneGate IPS or Management Center machines. This may require routing if the machines are not in the same network.

Software: StoneGate IPS
  The StoneGate IPS and the Management Center software, documentation, and the Release Notes can be ordered on a CD-ROM or downloaded at http://www.stonesoft.com/download/.

Software: latest update packages
  The latest dynamic update packages for StoneGate IPS can be downloaded at http://www.stonesoft.com/download/.

License: StoneGate IPS and Management Center
  The StoneGate IPS and Management Center evaluation licenses can be ordered from the Stonesoft License Center at http://www.stonesoft.com/licenses/.

Quick Installation

These instructions will guide you through setting up a basic StoneGate IPS system with a default configuration. For detailed instructions, please see the referred chapters. The installation proceeds as follows:

1. Set up the networking environment, on page 17
2. Install the Management Server, on page 17
3. Install the Log Server, on page 18
4. Install the GUI client, on page 18
5. Start up the Management Center, on page 18
6. Load Dynamic Updates, on page 18
7. Define the Analyzer element, on page 19
8. Install the Analyzer, on page 19
9. Define the Sensor element, on page 20
10. Install the Sensor, on page 21
11. Install Policies, on page 21
12. Browse the logs, on page 22.

Set up the networking environment (see Planning StoneGate IPS Installation, on page 23)

1. Select the IP addresses for the Management Server, Log Server, Analyzer and Sensor.
2. Configure the related network devices, including switches, routers, SPAN ports, wire TAPs.
3. Connect the StoneGate IPS machines to the network.

Install the Management Server (see Installing the Management Center, on page 35)

1. Run setup.exe (on Windows) or setup.sh (on Linux/Unix) from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Management Server and the GUI client to be installed on the Management Server machine. (You can also install the Log Server on the same machine if desired.)
3. Define the Management Center superuser account.
4. Define the IP address for the Management Server.

5. Select Install as a service.
6. Complete the Management Server installation.

Install the Log Server (see Installing the Management Center, on page 35)

1. Run setup.exe (on Windows) or setup.sh (on Linux/Unix) from the StoneGate Management Center CD-ROM.
2. Select the Custom installation type, and select Log Server from the list.
3. Define the IP address for the Log Server.
4. Define the Management Server's IP address.
5. Select Certify the Log Server during the installation.
6. Select Install as a service.
7. In the Certificate Generation window, log in with the Superuser account to establish a connection to the Management Server.
8. Complete the Log Server installation.

Install the GUI client (see Installing the Management Center, on page 35)

1. Run setup.exe or setup.sh from the StoneGate Management Center CD-ROM.
2. Select the Administration Client Only installation type.
3. Define the Management Server's IP address.
4. Complete the GUI client installation.

Start up the Management Center (see Defining Sensors and Analyzers, on page 57)

1. Start the GUI client and log in with the Superuser account.
2. Import and activate the StoneGate IPS license from the .jar license file.
3. Start the Log Server service from the Windows Control Panel or by running the init script on Linux/Unix.

Load Dynamic Updates

1. In the GUI client, select File > System Tools > Import Update Packages from the menu.
2. Import the latest .jar update package.

3. Activate the update package by right-clicking on the package and selecting Activate.
4. Optionally, you can enable automatic update checking in File > System Tools > Configure Updates. The Management Server then periodically checks Stonesoft's Web site and issues an alert when new updates are available.

Define the Analyzer element (see Defining an Analyzer, on page 59)

1. In the GUI client, open a Configuration window by clicking the toolbar icon or selecting Configuration > StoneGate Configuration from the menu.
2. Create a new Analyzer element from File > New > IPS Element.
3. Select the Log Server from the drop-down list.
4. Click Add Interface and define NIC ID 0 with the IP address for the Analyzer. Select all the following options for the interface: Control IP Address, Primary, Log/Analyzer connection source IP address.
5. Click OK to create the Analyzer element.
6. Create a Router element for the Analyzer's default gateway.
7. Select Configuration > Routing/Antispoofing to open the Routing view.
8. Drag and drop the default gateway Router element on the Analyzer's directly-connected network in the Routing view.
9. Drag and drop the Any Network element on the Analyzer's default gateway Router element.
10. In the StoneGate Administration Client, right-click on the Analyzer and select Save Initial Configuration and save it on a floppy disk. Write down the displayed one-time password for the Analyzer installation.

Install the Analyzer (see Installing Sensors and Analyzers, on page 87)

1. Boot up the Analyzer machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.

6. In OS Settings, define the keyboard layout, timezone, hostname and the root user password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column. (NIC ID must be the same that was defined in Define the Analyzer element.)
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Analyzer (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password in the initial configuration (if not automatically defined).
11. Select Install Analyzer and complete the installation.
12. In the GUI client, click on the Analyzer and check that the Info view displays Connected, indicating a successful initial configuration.

Define the Sensor element (see Defining a Single Sensor, on page 68)

1. In the GUI client, open a Configuration window by selecting Configuration > StoneGate Configuration from the menu.
2. Create a new Sensor element from File > New > IPS Element.
3. Select the Analyzer and the Log Server from the drop-down lists.
4. Click Add Interface and select Node Dedicated Interface for the NIC ID 0. Define the IP address for the Sensor. Select all the following options for the interface: Control IP Address, Primary, Log/Analyzer connection source IP address.
5. Click Add Interface and select Capture Interface for the NIC ID 1. Select Span Port mode for a switch or hub, or Wire Tap mode for a wire Tap device. If you are using wire Tap, define NIC ID 2 with identical settings for the other direction of the captured traffic.
6. For a Sensor Cluster, you need to define one more interface for the Heartbeat between the cluster nodes.
7. Click OK to create the Sensor element.
8. Create a Router element for the Sensor's default gateway.

9. In the Routing view, drag and drop the default gateway Router element on the Sensor's directly-connected network.
10. Drag and drop the Any Network element on the Sensor's default gateway Router element.
11. In the StoneGate Administration Client, right-click the Sensor and select Save Initial Configuration and save it on a floppy disk. Write down the displayed one-time password for the Sensor installation.

Install the Sensor (see Installing Sensors and Analyzers, on page 87)

1. Boot up the Sensor machine from the StoneGate IPS engine CD-ROM.
2. Select Full Install.
3. Accept the automatic hard drive partitioning by typing YES.
4. When prompted, remove the CD-ROM and reboot the machine.
5. In the Configuration Wizard, insert the floppy disk with the initial configuration and select Import, or configure the engine manually by selecting Next.
6. In OS Settings, define the keyboard layout, timezone, hostname and the root user password.
7. In network interfaces, click Add and select the driver for the NIC.
8. Select the NIC for management connections in the Mgmt column for the same NIC ID that was defined in the GUI.
9. In Prepare for Management Contact, select Switch to initial configuration and define the IP address and default gateway for the Sensor (if not automatically defined).
10. Select Contact Management Server, and type in the Management Server's IP address and the one-time password in the initial configuration (if not automatically defined).
11. Select Install Sensor and complete the installation.
12. In the GUI client, click on the Sensor and check that the Info view displays Connected, indicating a successful initial configuration.

Install Policies

1. Open the Analyzer policies by clicking on the Policies icon in the toolbar and selecting Analyzer Policy from the contextual menu that opens.

2. Right-click on the default Analyzer policy and select Install. Install the policy on the Analyzer.
3. Right-click on the default Sensor policy and select Install. Install the policy on the Sensor.
4. In the GUI client, right-click the Sensor node and select Command > Go Online to start the traffic inspection.

Browse the logs

1. Open the Log Browser by selecting Monitoring > Logs and Alerts > IPS Current Logs.

For a detailed introduction to the StoneGate IPS features and their use, please refer to the StoneGate IPS Administrator's Guide and the Administrator's Reference.

CHAPTER 3 Planning StoneGate IPS Installation

This chapter provides general information about the installation, hardware and software prerequisites, and other important information to take into account before the actual StoneGate IPS installation can be performed.

This chapter includes the following sections:
- Overview to the Installation Procedure, on page 24
- Important to Know Before Installation, on page 24
- System Components and Supported Platforms, on page 25
- Checking the Surrounding Network Environment, on page 26
- System Installation, on page 27

Overview to the Installation Procedure

This Guide provides step-by-step instructions on how to install the StoneGate Management Center, a Sensor, and an Analyzer. Installation is straightforward and consists of the following steps:
1. Plan the installation of the StoneGate IPS Sensors, Analyzers, and the Management Center as explained in this chapter.
2. Configure the physical network environment as explained in this chapter.
3. Check the integrity of the StoneGate IPS installation files using the file checksums. See Checking the File Integrity, on page 25.
4. Install and configure the Management Center and the GUI client. See Installing the Management Center, on page 35.
5. Define the Sensor and Analyzer elements and the other necessary elements in the Management Center. See Defining Sensors and Analyzers, on page 57.
6. Generate the initial configuration for the Sensors and Analyzers. See Saving the Initial Configuration, on page 77.
7. Install and configure the Sensors and Analyzers. See Installing Sensors and Analyzers, on page 87.
8. Test that the installed system operates as planned.
The installation and configuration procedure is explained in detail in the following chapters.

Important to Know Before Installation

Before you start the installation, plan the site carefully. Check that your operating system and hardware are supported, and check the surrounding network components and their configuration. See the StoneGate IPS Release Notes for further information. When planning the StoneGate IPS installation, see the StoneGate IPS Administrator's Reference for detailed information on the operation of StoneGate IPS.

System Components and Supported Platforms

StoneGate IPS System Components
A StoneGate IPS system consists of the Management Center, one or more Sensors, and an Analyzer. The StoneGate Management Center consists of the following components:
- the Management Server
- one or more Log Servers
- one or more graphical user interface (GUI) clients.
The StoneGate IPS Sensors and Analyzers can be distributed as follows:
- a combined Sensor-Analyzer, with both components on a single machine
- a single-node Sensor
- a Sensor cluster, which consists of 2 to 16 machines running Sensors, called cluster nodes or nodes for short
- an Analyzer, which is required by the Sensors.

Supported Platforms
For detailed information on the supported platforms, see the StoneGate IPS Hardware Requirements available at http://www.stonesoft.com/. The Sensors and Analyzers have an integrated, hardened Linux operating system and therefore require no separate operating system installation. The integrated operating system simplifies upgrading the Sensors and Analyzers significantly, as they are upgraded as a whole without having to upgrade the operating system and the StoneGate IPS software separately.

Checking the File Integrity
Before installing StoneGate IPS, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums can be found on the StoneGate IPS installation CD-ROM and on the product-specific download page at the Stonesoft Web site at http://www.stonesoft.com/download/. For more information on the MD5 and SHA-1 algorithms, see RFC 1321 and RFC 3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/. Windows does not have MD5 or SHA-1 checksum tools by default, but several third-party programs are available. Note that a checksum only detects a corrupted or substituted file if the reference value comes from a source you trust more than the download itself; a digest copied from the same location as the file gives no independent assurance, and neither MD5 nor SHA-1 is collision-resistant any longer.
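The procedure that follows generates the digest by hand and compares it by eye. As an added example that is not part of the guide, the following POSIX shell script does the comparison automatically: it normalizes a pasted reference digest (upper-case hex, colon-separated bytes, or a whole "digest  filename" line as published on the download page), rejects a digest of the wrong length so that a truncated paste can never match by accident, and exits non-zero on any mismatch so that it can gate an automated installation. It assumes the GNU coreutils md5sum and sha1sum commands are on the path (on Solaris, substitute the platform's digest tool); the file name installer.iso and the digests in the usage note below are placeholders, not Stonesoft's published values.

```shell
#!/bin/sh
# verify_checksum.sh - compare an installation file against its published MD5 or SHA-1 digest.
# Added example, not part of the StoneGate guide. Assumes GNU coreutils md5sum/sha1sum.

# digest_of FILE ALGO: print the lowercase hex digest of FILE (ALGO is md5 or sha1).
digest_of() {
  case $2 in
    md5)  tool=md5sum ;;
    sha1) tool=sha1sum ;;
    *)    echo "digest_of: unknown algorithm '$2'" >&2; return 2 ;;
  esac
  "$tool" "$1" | awk '{ print tolower($1) }'
}

# normalize DIGEST: keep only the first token (so a pasted "digest  filename" line works),
# drop colons and blanks, and lowercase it, so "A9:99:3E..." and "a9993e..." compare equal.
normalize() {
  printf '%s\n' "$1" | awk '{ print $1 }' | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# verify_checksum FILE EXPECTED ALGO: exit 0 only on an exact, full-length match.
# Exit 1 on mismatch, 2 on a usage error (unknown algorithm, wrong digest length, unreadable file).
verify_checksum() {
  file=$1
  expected=$(normalize "$2")
  algo=$3
  case $algo in
    md5)  want=32 ;;
    sha1) want=40 ;;
    *)    echo "verify_checksum: unknown algorithm '$algo'" >&2; return 2 ;;
  esac
  # A truncated or mistyped reference value must never be accepted as a prefix match.
  if [ "${#expected}" -ne "$want" ]; then
    echo "verify_checksum: expected $algo digest of $want hex characters, got ${#expected}" >&2
    return 2
  fi
  [ -r "$file" ] || { echo "verify_checksum: cannot read $file" >&2; return 2; }
  actual=$(digest_of "$file" "$algo") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file ($algo)"
    return 0
  fi
  echo "MISMATCH $file ($algo): computed $actual, expected $expected" >&2
  return 1
}

# Command-line use: verify_checksum.sh FILE EXPECTED [md5|sha1]
if [ "$#" -ge 2 ]; then
  verify_checksum "$1" "$2" "${3:-sha1}"
fi
```

Run it as ./verify_checksum.sh sg_engine_1.0.0.1000.iso 'digest from the download page' sha1 and check the exit status rather than the printed line when scripting. The check is only as trustworthy as the channel the reference digest came from: MD5 and SHA-1 are no longer collision-resistant, and a digest fetched from the same place as the file gives no protection against a substituted download.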

To check an MD5 or SHA-1 file checksum
1. Obtain the checksum from the Stonesoft Web site at http://www.stonesoft.com/download/.
2. Change to the directory that contains the file(s) to be checked.
3. Generate a checksum of the file using the command md5sum filename or sha1sum filename, where filename is the name of the installation file.

ILLUSTRATION 3.1 Checking the File Checksums
    $ md5sum sg_engine_1.0.0.1000.iso
    869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

4. Compare the displayed output to the checksum on the Web site. Compare the whole value, not just its first characters.
Caution: Do not use files that have invalid checksums.

Checking the Surrounding Network Environment
StoneGate IPS can be connected to a switch SPAN port, a network TAP, or a hub to capture network traffic. The considerations for these connection methods are explained below. For more specific information on the compatibility of different network devices with StoneGate IPS, refer to the Stonesoft Web site at http://www.stonesoft.com/support/.

Switch SPAN Ports and Hubs
A Switched Port Analyzer (SPAN) port is used for copying network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic. With a hub, no special configuration such as a SPAN port is needed, as all the traffic going through the hub is sent to all ports. A StoneGate IPS capture interface can be connected directly to a SPAN port of a switch; all the traffic to be monitored then needs to be copied to this SPAN port. Note that a SPAN port that mirrors both directions of a full-duplex link can be oversubscribed and silently drop frames, so the inspected traffic may be incomplete under load. The SPAN-mode capture interface is also used when connecting the capture interface to a hub, although a hub might not be suitable for network performance reasons.

Network TAPs
A Test Access Port (TAP) is a passive device placed on the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are divided onto separate wires. For this reason, StoneGate IPS needs two capture interfaces for a network TAP, one for each direction of the traffic. The two related capture interfaces are handled in StoneGate IPS as one logical interface that combines the traffic of these two interfaces for inspection.

System Installation
The StoneGate IPS system consists of the Management Center, the Sensors, and the Analyzers. The StoneGate Management Center (SMC) components can be installed separately on different machines or on the same machine, depending on your requirements. The Management Center can manage one or more StoneGate IPS Sensors and Analyzers. The same SMC can also be used for managing StoneGate Firewall/VPN solutions.
The StoneGate IPS Analyzer can be installed either on a separate machine or combined with a Sensor on a single machine as a combined Sensor-Analyzer. The combined Sensor-Analyzer is mainly aimed at small environments, whereas a separate Analyzer machine should be used where higher performance is required.
The three basic types of StoneGate IPS Sensor installation are as follows:
- Single Sensor installation. A single Sensor has only one node. It does not support load balancing or high availability. Instructions on defining a single Sensor element are given in Defining a Single Sensor, on page 68.
- Sensor cluster installation. A StoneGate IPS Sensor cluster supports up to 16 nodes functioning as a single virtual entity. Each node of the cluster uses the same security policy configuration defined through the GUI client. A cluster can be configured for dynamic load balancing or as a hot standby solution. Instructions on defining a Sensor cluster element are given in Defining a Sensor Cluster, on page 62.
- Combined Sensor-Analyzer installation. A combined Sensor-Analyzer is similar to a single Sensor, but it also has the Analyzer on the same physical machine. This installation does not support load balancing or high availability. Instructions on defining a combined Sensor-Analyzer element are given in Defining a Combined Sensor-Analyzer, on page 72.
For more information, see the StoneGate IPS Administrator's Reference and the StoneGate IPS Administrator's Guide.

Example Network Scenario
Three example Sensor installations are described in this Guide:
- a combined Sensor-Analyzer
- a single Sensor
- a Sensor cluster installation.
The two different Analyzer installations are illustrated with:
- a combined Sensor-Analyzer
- an Analyzer on a separate machine.
The network scenario for these installations is based on the example network in Figure 3.1. The scenario illustration can also be found in the front of the book. See the StoneGate IPS Administrator's Reference for more information on deploying the StoneGate IPS components.

FIGURE 3.1 Example Network Scenario

StoneGate Management Center
The SMC of the example scenario is described in Table 3.1.

TABLE 3.1 SMC in the Example Scenario
SMC Component / Description
- Management Server: The Management Server is in the Headquarters Management Network with the IP address 192.168.10.200. This Management Server manages all the StoneGate IPS Sensors, Analyzers, and Log Servers of the example network.
- HQ Log Server: This server is in the Headquarters Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer.
- Branch Office Log Server: This server is in the Branch Office Intranet with the IP address 172.16.2.201. This Log Server receives alerts and log data from the Branch Office Sensor-Analyzer.
- GUI client: The GUI client can be at any location from which it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple GUI clients in different locations. In this example, the GUI client is in the Headquarters Management Network.

Combined Sensor-Analyzer
In the example scenario, the Branch Office Sensor-Analyzer in the Branch Office network is a combined Sensor-Analyzer.

TABLE 3.2 Combined Sensor-Analyzer in the Example Scenario
Network Interface / Description
- Capture Interfaces: The Branch Office Sensor-Analyzer has two Capture Interfaces that are connected to a network TAP in the Branch Office Intranet, one interface for each direction of the traffic. All the traffic in this network segment is forwarded to the network TAP for inspection.
- NDIs: The Branch Office Sensor-Analyzer has one NDI that is connected to the Branch Office Intranet using the IP address 172.16.2.41. This NDI is used for:
  - control connections from the Management Server
  - sending log data and alerts to the Branch Office Log Server
  - TCP connection termination (by the Sensor).

Sensor Cluster
In the example scenario, the HQ Sensor Cluster is a cluster located in the Headquarters network. The cluster consists of two Sensor nodes: Node 1 and Node 2.

TABLE 3.3 Sensor Cluster in the Example Scenario
Network Interface / Description
- Capture Interfaces: The HQ Sensor Cluster's Capture Interface on each node is connected to a SPAN port in the Headquarters Intranet switch. All the traffic in this network segment is forwarded to the SPAN ports for inspection.
- NDIs: The NDI on each node is connected to the Headquarters Intranet, with Node 1 using the IP address 172.16.1.41 and Node 2 using 172.16.1.42. This NDI is used for:
  - control connections from the Management Server
  - sending events to the HQ Analyzer
  - TCP connection termination.
- Heartbeat interfaces: The nodes have heartbeat interfaces connected to the dedicated heartbeat network 10.42.1.0/24 as follows: Node 1 uses the IP address 10.42.1.41 and Node 2 uses the IP address 10.42.1.42. Keep this network dedicated to the cluster nodes and separate from the inspected segments.

Single Sensor
In the example scenario, the DMZ Sensor in the Headquarters DMZ network is a single Sensor.

TABLE 3.4 Single Sensor in the Example Scenario
Network Interface / Description
- Capture Interfaces: The DMZ Sensor's Capture Interface is connected to a SPAN port in the Headquarters DMZ Network. All the traffic in this network segment is forwarded to the SPAN port for inspection.
- NDIs: The NDI is connected to the DMZ network using the IP address 192.168.1.41. This NDI is used for:
  - control connections from the Management Server
  - sending event information to the HQ Analyzer
  - TCP connection termination.

Analyzer
In the example scenario, the HQ Analyzer is located in the Headquarters Management network.

TABLE 3.5 Analyzer in the Example Scenario
Network Interface / Description
- NDIs: The HQ Analyzer's NDI is connected to the Headquarters Management Network using the IP address 192.168.10.61. This NDI is used for:
  - control connections from the Management Server
  - receiving event information from the HQ Sensor Cluster and the DMZ Sensor
  - sending log data and alerts to the HQ Log Server
  - sending IP Blacklists to the defined firewalls.
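The scenario tables above fix each component's address and segment and state which component sends to which. As an added example that is not part of the guide, the following POSIX shell script turns that plan into two checks worth running before anything is racked: it verifies that every address actually lies inside the segment the tables put it in (including the heartbeat addresses, which must stay on the dedicated 10.42.1.0/24 network), and it derives the management-plane connections from the roles, marking the ones that cross a segment boundary and therefore need a rule in whatever firewall sits between the networks. The component names, the /24 prefix of every network other than the heartbeat network, and the single upstream per engine are assumptions for the example site; the guide gives no port numbers other than the Log Server's 3020, so the control and event connections are listed without ports.

```shell
#!/bin/sh
# plan_check.sh - sanity-check the example deployment plan before installation.
# Added example, not part of the StoneGate guide. The component names, and every prefix
# length except the 10.42.1.0/24 heartbeat network, are assumptions for the example site.
# The guide does not state the ports of the control and event connections, so only the
# Log Server port (3020) is shown.

# One component per line: NAME ROLE IP NETWORK UPSTREAM
# UPSTREAM is the component this one sends events or log data to ("-" if none).
PLAN='
MgmtServer            mgmt            192.168.10.200  192.168.10.0/24  -
HQLogServer           log             192.168.10.201  192.168.10.0/24  -
BranchLogServer       log             172.16.2.201    172.16.2.0/24    -
HQAnalyzer            analyzer        192.168.10.61   192.168.10.0/24  HQLogServer
HQClusterNode1        sensor          172.16.1.41     172.16.1.0/24    HQAnalyzer
HQClusterNode2        sensor          172.16.1.42     172.16.1.0/24    HQAnalyzer
HQClusterNode1-hb     heartbeat       10.42.1.41      10.42.1.0/24     -
HQClusterNode2-hb     heartbeat       10.42.1.42      10.42.1.0/24     -
DMZSensor             sensor          192.168.1.41    192.168.1.0/24   HQAnalyzer
BranchSensorAnalyzer  sensor-analyzer 172.16.2.41     172.16.2.0/24    BranchLogServer
'

# ip2int A.B.C.D: print the address as a 32-bit integer (relies on 64-bit shell arithmetic).
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/PREFIX: succeed if IP lies inside NET/PREFIX.
in_subnet() {
  ip_n=$(ip2int "$1")
  net_n=$(ip2int "${2%/*}")
  prefix=${2#*/}
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  fi
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# plan_field NAME N: print field N of the plan line for component NAME.
plan_field() {
  printf '%s\n' "$PLAN" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# check_addresses: fail (and list the offenders) if any component address is outside
# the segment it is supposed to sit in, e.g. a typo that puts an NDI in the wrong VLAN.
check_addresses() {
  bad=$(printf '%s\n' "$PLAN" | while read -r name role ip net up; do
    [ -n "$name" ] || continue
    in_subnet "$ip" "$net" || echo "$name: $ip is not inside $net"
  done)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" >&2
  return 1
}

# flow SRC SRCNET DST DSTNET PURPOSE: print one required connection, marked "cross" when
# it leaves its segment (and so needs a rule in whatever firewall sits between them).
flow() {
  if [ "$2" = "$4" ]; then scope=local; else scope=cross; fi
  printf '%-22s -> %-22s %-22s %s\n' "$1" "$3" "$5" "$scope"
}

# list_flows: derive the management-plane connections from the roles in the plan:
# the Management Server opens control connections to every engine, Sensors send events
# to their Analyzer, and Analyzers / Sensor-Analyzers send log data to their Log Server.
list_flows() {
  mgmt_net=$(plan_field MgmtServer 4)
  printf '%s\n' "$PLAN" | while read -r name role ip net up; do
    case $role in
      sensor|analyzer|sensor-analyzer) ;;
      *) continue ;;
    esac
    flow MgmtServer "$mgmt_net" "$name" "$net" control
    case $role in
      sensor) purpose=events ;;
      *)      purpose='logs+alerts(tcp/3020)' ;;
    esac
    flow "$name" "$net" "$up" "$(plan_field "$up" 4)" "$purpose"
  done
}

check_addresses && list_flows
```

Running it prints the ten connections of the example scenario; seven of them cross a segment (every control connection from the Management Network to a Sensor or Sensor-Analyzer, and every Sensor's event stream to the HQ Analyzer), while the Branch Office Sensor-Analyzer only talks to its local Log Server apart from the control connection from headquarters. Edit PLAN for the real site; a wrong octet in any NDI or heartbeat address fails check_addresses before it can fail in the field.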


INSTALLING THE MANAGEMENT CENTER

CHAPTER 4 Installing the Management Center

This chapter describes how to install the StoneGate Management Center components on the supported platforms. The following sections are included:
- Installing the Management Center, on page 36
- Starting the StoneGate Management Center, on page 49
- Non-graphical Installation, on page 52
- Uninstalling the Management Center, on page 54.

Installing the Management Center
Before you begin installing, log in to the system with the administrative rights needed to modify certain files. In Windows, log in with administrator rights. In Linux and Solaris, log in as root to install the software.
Note: If the operating system is an international (non-English) version of Windows, there might be some complications with running the Management Center on this platform.

Checking File Integrity
Before installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking the File Integrity, on page 25.

Installing the Management Center Components
The Management Center installation proceeds as follows:
1. Install the operating system with the latest patches.
2. Install the Management Server. (You can also install the Log Server and the GUI client on the same machine if desired.)
3. Install the Log Server(s).
4. Install the GUI client(s).
5. (Optional) Install the Monitoring Server.
After installing the SMC components, proceed to Starting the StoneGate Management Center, on page 49.

Starting the Installation
The steps described here are the same for the installation of the Management Server, the Log Server, and the GUI client.
Note: The Management Center installation requires at least 350 MB of available disk space in the system's temporary directory for extracting the installation files.

To start the Management Center installation
1. Insert the StoneGate IPS installation CD-ROM and run the setup executable:
   - In Windows, run CD-ROM\Windows\setup.bat.
   - In Linux and Solaris Bourne-compatible shells (e.g., sh, ksh):
     1.1 If the CD-ROM is not mounted automatically, mount it in Linux with mount /dev/cdrom /mnt/cdrom and in Solaris with mount /cdrom.
     1.2 Change to the CD-ROM/Linux/ or CD-ROM/Solaris/ directory according to the platform used.
     1.3 Run the command ./setup.sh to start the installation.
   If you are using Linux or Solaris and want to use the graphical installation, make sure that the X Window System has been started before launching the StoneGate IPS setup. Alternatively, see Non-graphical Installation, on page 52.
   In Linux and Solaris, the installation creates the sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed by either the root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation. After the installation it is worth confirming that the account really is locked (on Linux, passwd -S sgadmin) and that the scripts under the installation directory are not writable by other users, since anything that can modify them runs with the privileges of the servers.
2. First, the Java Runtime Environment (JRE) is installed for StoneGate IPS.

ILLUSTRATION 4.1 Accepting the License Agreement
3. Read carefully through the license agreement. To accept the license agreement, select the corresponding radio button and click Next.

ILLUSTRATION 4.2 Defining the Destination Directory
4. Define the directory where the Management Center is installed and click Next.
Note: When installing the server as a service, define a directory path that does not contain spaces.

TABLE 4.1 Management Server Default Installation Paths
Platform / Default directory
- Windows: C:\Stonesoft\StoneGate\
- Linux: /usr/local/stonegate/
- Solaris: /opt/stonegate/

ILLUSTRATION 4.3 Creating Shortcuts
5. In Windows, select the location for the shortcut icons and click Next. By default, the shortcut icons are located in Start > Programs > StoneGate.

ILLUSTRATION 4.4 Choosing the Installation Type
6. Select the installation type as follows:
- Select Typical to install all Management Center components on the machine. Continue in Installing the Management Server, on page 40. If you want to install the Monitoring Server, you need to select the Custom installation mode instead.
- Select Administration Client Only to install just the GUI client. Continue in Installing the GUI Client, on page 47.
- Select Custom to decide which Management Center components to install on the machine. Continue with the step below.

ILLUSTRATION 4.5 Selecting the System Components for Custom Installation
7. Illustration 4.5 is displayed for a Custom installation. Select the Management Center components to be installed. The components can be on the same machine or on separate machines.
- To install the Management Server, proceed to Installing the Management Server, on page 40.
- To install the Log Server, proceed to Installing the Log Server, on page 42.
- To install the Monitoring Server, proceed to Installing the Monitoring Server, on page 46.
- To install the GUI client, proceed to Installing the GUI Client, on page 47.

Installing the Management Server
To install the Management Server
1. Click Next in the installation type selection. A screen like Illustration 4.6 is displayed.

ILLUSTRATION 4.6 Creating a Superuser Account
2. Create the default StoneGate Management Center Superuser account by defining a user name and password, then click Next to continue.
Note: The account specified here is the only account that can be used to log in to the Management Center after the installation has finished, so choose a strong password and keep it where it can be recovered; there is no other account to fall back on until more administrators have been defined. More administrator accounts can be defined in the GUI as explained in the Administrator's Guide.

ILLUSTRATION 4.7 Configuring the Management Server
3. Enter the IP address of the Management Server. This is the IP address used for communication with the other system components.
4. Enter the IP address of the Alert Server. This is the IP address of the Log Server you want to use for handling alerts.

5. Click Next to continue.
6. If you want to install the Management Server as a service, select the Install as a service checkbox. When the server is run as a service, it is started automatically and runs in the background after the system reboots. Otherwise, the server needs to be started manually after every reboot.
7. If you selected that the Log Server is also installed at the same time on the same machine, go to the configuration steps in Installing the Log Server, on page 42.
8. Otherwise, click Next and the Ready to Install window is displayed.
9. Click Install to start the installation.
10. To start the Management Server, see Starting the StoneGate Management Center, on page 49.

Installing the Log Server
Before installing the Log Server, the Management Server needs to be installed. This is required for establishing a trust relationship between the Management Server and the Log Server during the Log Server installation by means of certificates. If the Log Server is installed simultaneously on the same machine with the Management Server, the Log Server certificate is generated automatically.
Note: The screens may differ slightly when installing the Log Server simultaneously with the Management Server on the same machine.

To install the Log Server
1. Click Next. The Configure Log Server window is displayed.

ILLUSTRATION 4.8 Configure Log Server
2. Define the IP address for the Log Server or select the address from the Existing IP addresses list.
3. Define the Management Server's IP address in its field. This IP address is used for contacting the Management Server from the Log Server during normal operation and when requesting the certificate for the Log Server.
4. Select the Certify the Log Server during the installation checkbox to request a certificate for the Log Server from the Management Server. (The Log Server certificate is generated automatically if it is installed at the same time as the Management Server.) If the Log Server certificate is not retrieved during the installation, it has to be retrieved manually later. To request a certificate for the Log Server manually after the installation, stop the server and proceed as follows:
   - In Windows, select Start > Programs > StoneGate > Request Log Server Certificate.
   - In Linux and Solaris, run the script <SGHOME>/bin/sgCertifyLogSrv.sh.
   In the authentication window that opens, log in using a Superuser-level StoneGate administrator account, for example, the account created during the Management Server installation.
5. Define a port number for the Log Server in its field. The default port is 3020. If you want to use a different port number, see the Administrator's Guide for instructions.
6. If you want the Log Server to be installed as a service, select the Install as a service checkbox. When the server is run as a service, it is started automatically and runs in the background after the system reboots. Otherwise, the server needs to be started manually after every reboot.
Note: When installing the Log Server as a service, use an installation directory path that does not contain spaces.
7. Click Next to continue.

ILLUSTRATION 4.9 Defining the Directory for the Log Server Database
8. Specify a directory for the Log Server database. Click Next to continue. If the defined directory does not exist, you are prompted to accept the creation of the directory.

ILLUSTRATION 4.10 Logging into the Management Server for the Certificate Generation
9. When the Log Server certificate is requested during the installation, you need to log in to the Management Server using a Superuser-privileged account. (If the Log Server is installed simultaneously with the Management Server, continue in Step 10.)
   9.1 Type in the user name and the password. Click OK to continue.

   ILLUSTRATION 4.11 Checking the CA Certificate Fingerprint
   9.2 Compare the presented certificate fingerprint of the Certificate Authority to the certificate's fingerprint on the Management Server. To check the certificate fingerprint of the Certificate Authority:
   - In Windows, select Start > Programs > StoneGate > Show Fingerprint on the Management Server.
   - In Linux and Solaris, run the script <SGHOME>/bin/sgshowfingerprint.sh on the Management Server.
   Compare the whole fingerprint, not just its first bytes, and read the reference value from the Management Server itself rather than over the connection being verified: accepting a wrong fingerprint here would make the Log Server trust an impostor Certificate Authority.
   9.3 Click Accept Certificate if the fingerprint is correct.

   ILLUSTRATION 4.12 Log Server Selection
   9.4 To create a certificate for the Log Server:
   - If the Log Server element is already defined on the Management Server, select Certify again an existing log server and select the Log Server from the list.