Secure Computing SG570 User Manual

Browse online or download the user manual for Secure Computing SG570 bridges and repeaters. Secure Computing SG570 User manual [en] Operating instructions


Content summary

Page 1 - User Manual

Secure Computing SnapGear™ User Manual Secure Computing 4810 Harwood Road San Jose, CA 95124-5206 Email: [email protected]

Page 2

Local network link 10/100BaseT LAN port (SG530, SG550) 10/100BaseT 4 port LAN switch (SG300) 10/100BaseT DMZ port (SG570, SG575) 10/10

Page 3 - Contents

If you have multiple bridges on your network, you may want to Enable Spanning Tree Protocol. It allows the bridges to exchange information, helping e

Page 4

When a packet is routed out the VLAN interface, the VLAN header is inserted and then the packet is sent out on the underlying physical interface. Whe

Page 5

Interface: Select the network interface on which to add the VLAN. VLAN ID: If this VLAN interface is to participate on an existing VLAN, the

Page 6 - Document Conventions

Port Based VLANs Note SG560, SG565 and SG580 only. The SG560, SG565 and SG580 have a VLAN-capable switch built in. This gives you the flexibility to

Page 7 - 1. Introduction

Limitations of port based VLANs There are a few further limitations to keep in mind when using port based VLANs: The total bandwidth from the switch

Page 8

The following settings pertain to port based VLANs: Enable port based VLANs: Check to enable port based VLANs. Default port based VLAN ID: As

Page 9

The following settings are displayed: Interface: The port based VLAN capable interface on which to add the VLAN. VLAN ID: If you are adding a

Page 10

Editing port based VLANs Once a VLAN has been added, you may edit the settings you entered in Adding port based VLANs by clicking its Edit icon in the

Page 11 - Front panel

A bridged GRE tunnel is useful for transmitting packets across a VPN connection that would normally be dropped by IP routing. This includes broadcast

Page 12 - Specifications

2. Assign unused alias IP addresses to the LAN interfaces at both ends of the tunnel. 3. Create an IPSec tunnel between the alias IP addresses, usi

Page 13 - Bridged mode

Front panel LEDs The front panel contains LEDs indicating status. An example of the front panel LEDs is illustrated in the following figure and deta

Page 14 - Secure by default

Add the LAN connection to a bridge, as described in the section entitled Bridging earlier in this chapter. Give the LAN interface bridge a secondary a

Page 15

GRE Tunnel Name: to_slough Remote External Address: 10.254.0.1 Local External Address: 10.254.0.2 Firewall Class: LAN Click Finish to add the in

Page 16 - Introduction

Ensure that the remote GRE end point responds to pings. Note that by default no packets are routed across the GRE tunnel unless there is a route set

Page 17 - 2. Getting Started

Route management Note Route management does not have full GUI configuration support. We recommend that only advanced users familiar with the Zebra ro

Page 18 - Unpack the SnapGear unit

password zebra!password In these examples, ! denotes a descriptive comment # indicates a configuration line that is currently commented out, which you

Page 19

#network eth2 ! Define neighbor routers to exchange RIP with if disabling multicast above in zebra.conf, or neighbors don't have multicast enable

Page 20

OSPF Note This example is adapted from the LARTC (Linux Advanced Routing & Traffic Control) dynamic routing howto, available from: http://lartc.or

Page 21

The SG is configured to exchange routes with the routers named Atlantis, Legolas and Frodo. Ensure you have enabled OSPF under Route Management, then

Page 22

! Uncomment and set telnet/vty passwords to enable telnet access on port 2604 #password changeme #enable password changeme ! Instruct ospfd about our

Page 23

Note The AS numbers used in this example are reserved. Please get your own AS from RIPE if you set up official peerings. Ensure you have enabled BGP

Page 24

Rear panel The rear panel contains a power switch and a power inlet for an IEC power cable. Additionally, the SG710+ has two gigabit Ethernet ports (

Page 25

access-list local_nets deny any ! Our AS number router bgp 1 ! Our IP address bgp router-id 192.168.0.1 ! Announce our own network to other neighbors

Page 26

System To configure the SnapGear unit’s network system settings, click the System tab on the Network Setup page. These settings control the SnapGear

Page 27

DNS To configure the SnapGear unit’s DNS settings, click the DNS tab on the Network Setup page. These settings control the SnapGear unit’s network na

Page 28

Dynamic DNS A dynamic DNS service is useful when you don’t have a static IP address, but need to remain contactable by hosts on the Internet. Dynamic

Page 29

DHCP Server Note To configure your SnapGear unit as a DHCP server, you must set a static IP address and netmask on the network interface on which you

Page 30

Enter the DNS Address to issue the DHCP clients. If this field is left blank, the SnapGear unit’s IP address is used. Leave this field blank for a

Page 31

There is a trashcan icon to delete the address from the list of addresses to manage. You may also Free addresses that have been leased by hosts on y

Page 32

Reserving IP addresses You may reserve IP addresses for particular hosts, identifying them by hostname and MAC address. These reserved hosts are also

Page 33

The Subnet is the network on which DHCP server is handing out addresses. Free Addresses displays the number of remaining available IP addresses that

Page 34

Web Cache Note SG565, SG575, SG580, SG635 and SG rack mount appliances only. Web browsers running on PCs on your LAN can use the SnapGear unit’s proxy

Page 35 - Set up the PCs on your LAN

SG PCI Appliances (SG6xx Series) Note The SG PCI appliance range includes models SG630 and SG635. The SG PCI appliance is a hardware-based firewall an

Page 36

If you are using a Network Share or Local Storage (recommended, see below), it is generally best to set this to 8 Megabytes. Otherwise, start with a s

Page 37

Network storage share Note Network Storage share and Local Storage cannot be used at the same time. Enabling one will automatically disable the other.

Page 38

Launch Windows Explorer (Start > (All) Programs > Accessories > Windows Explorer) and open up a folder or drive to dedicate as a network sha

Page 39

Under the Network Share tab, check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename Enter the maximum size f

Page 40 - SG PCI Appliance Quick Setup

Click Advanced, Peers, then New. The messages transmitted by a cache to locate a specific object are sent to Sibling caches, which are placed at the

Page 41

ICAP RESPMOD server is the URL for an ICAP server's RESPMOD service. This allows an ICAP server to modify web transaction responses, i.e. to pro

Page 42

Log File Rotation Time (minutes) specifies how often the logs are checked for rotation. Log File Rotations specifies how many log file rotations shoul

Page 43 - Automatic configuration

QoS autoshaper The Auto Traffic Shaper uses a set of inbuilt traffic shaping rules to attempt to ensure low latency on interactive connections, while

Page 44

Check Enable Traffic Shaping, select a Default priority and click Submit to enable this feature. The Default priority is assigned to all network ser

Page 45 - Manual configuration

IPv6 Check Enable IPv6 to enable IPv6 routing and packet filtering. Support for IPv6 is currently limited. Note You must also enable IPv6 for each c

Page 46

The other is the host PC's IP address, which is configurable through the host operating system, identically to a regular NIC. This is the IP add

Page 47

If you use an external SIP service such as the Gizmo Project or Skype, you typically do not need to use the SIP proxy. These services use STUN (Simpl

Page 48 - Backup/restore configuration

4. Firewall The SnapGear unit is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing acc

Page 49 - 3. Network Setup

Administration services The following figure shows the Administration Services page: By default the SnapGear unit runs a web administration server, a

Page 50

Warning If you do want to allow administrative access on interfaces other than LAN Interfaces, there are several security precautions you should take.

Page 51

Note Changing the web server port number is recommended if you are allowing Internet access to the Management Console. This may help hide the web man

Page 52 - Direct Connection

Once valid SSL certificates have been uploaded or created, A valid SSL certificate has been installed is displayed. The SnapGear administrative web

Page 53 - Ethernet configuration

Select the appropriate Country and certificate key length from the Generate an RSA key of pull-down menu. All other fields but Host name (Common Name

Page 54 - Interface aliases

Service groups A network service is defined by a protocol and port. Protocol may be either TCP, UDP, ICMP or IP, and port may be any valid network po

Page 55

Addresses Addresses are a single IP address, or range of IP addresses, or a DNS hostname. Network packets may be matched by source or destination add

Page 56

Adding or modifying an address is shown in the following figure: You may either add a Single Address or Range or DNS Hostname. You may also group pr

Page 57

Location Activity Description Top right (Power) On Power is supplied to the SnapGear unit (top right). Bottom right (Heart beat) Flashing The Sn

Page 58 - Manually assign settings

Packet Filtering Packet filter rules match traffic based on a combination of the source and destination address, incoming and outgoing interface, and

Page 59 - Connection (dial on demand)

The Action specifies what to do if the rule matches. Accept means to allow the traffic. Drop means to disallow the traffic. Reject means

Page 60 - Cable Modem

The Outgoing Interface is the interface/network port that the SnapGear unit routes the network traffic out of. Set this to None to match traffic orig

Page 61 - Dialout and ISDN

Once you have created a packet filtering rule, you may specify rate limiting settings. These settings are useful for preventing a service from becomi

Page 62 - Dial-in

Log Prefix specifies the text to be placed at the start of the log message. This can be used to make it easier to identify which rules are being match

Page 63

1-to-1 NAT is a combination of destination NAT and source NAT. Both destination NAT and source NAT rules are created for full IP address translation

Page 64

Note The example shown in the screenshot above forwards the SSH (secure shell) protocol to an internal server (barry’s server). SSH allows encrypted

Page 65 - Connecting a dial-in client

This rule is applied to packets that match the criteria described by the next four fields. Destination Address The destination address of the request,

Page 66

Port forwarding to an internal mail server The following is an example of using port forwarding to allow hosts on the Internet to send and receive mai

Page 67

Check one or both of IMAP4 (E-Mail) if your server supports IMAP mail retrieval and POP3 (E-Mail) if your server supports POP3 mail retrieval. Enter

Page 68

10 Introduction

Page 69 - Internet Failover

Leave Enable checked. Select your Internet connection in Destination Address. Enter the translated port of the packet. If you leave this blank, then t

Page 70 - Edit connection parameters

Click Source NAT. Any rules that have already been defined are displayed, you may Edit or Disable/Enable these rules by clicking the appropriate icon

Page 71

Outgoing Interface Enter the interface that the packet to masquerade behind, typically Internet. Source Address Enter the address from which the req

Page 72

1-to-1 NAT This creates both a source NAT and destination NAT rule for mapping all services on an internal, private address to an external, public add

Page 73

Enable Uncheck to temporarily disable this rule. Private Address Enter the private address to change. Public Address Enter the public add

Page 74 - Internet Load Balancing

The displayed options apply to the firewall classes, not to the ports with these names. That is, the LAN interface options apply to all interfaces tha

Page 75 - Enabling load balancing

Note The port forwarding rules set up via the UPnP Gateway are temporary. The list of configured UPnP port forwarding rules is cleared should the Sna

Page 76 - High Availability

Enter an arbitrary Description of service, the Name or IP address of the computer hosting this service on your network, the External Port number for

Page 77

Note Implementations of protocols such as H.323 can vary, so if you are experiencing problems you can try disabling the module. Check Enable Connect

Page 78 - Enabling high availability

Intrusion Detection Note The SG300, SG530, SG550, SG560, SG570, and SG630 provide Basic Intrusion Detection and Blocking only. The SnapGear unit prov

Page 79 - DMZ Network

2. Getting Started This chapter provides step-by-step instructions for installing your SnapGear unit. These instructions are identical to those in t

Page 80 - Services on the DMZ network

These attacks can potentially be detected and prevented using an intrusion detection system. Basic Intrusion Detection and Blocking (IDB) Click the ID

Page 81 - Guest Network

Warning This is a word of caution regarding automatically blocking UDP requests. Because an attacker can easily forge the source address of these req

Page 82

The Basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The St

Page 83 - Wireless

The primary advantage of running Snort IDS (Snort) in front of the firewall is that it sees unfiltered network traffic, and is therefore able to detec

Page 84 - Basic wireless settings

Rule sets are sets of defined patterns or rules used for the detection of attacks. These are grouped by type such as ddos, exploit, backdoor, netbios

Page 85 - Security

Sensor Name is an arbitrary string that is prepended to the log output. This may be useful if you have deployed more than one intrusion detection sys

Page 86 - WEP security method

PHPlot graph library for charts written in PHP http://www.phplot.com/ BASE analysis console http://secureideas.sourceforge.net/ Snort is running as an

Page 87 - WEP with 802.1X

Access Control and Content Filtering The access control web proxy allows you to control access to the Internet based on the type of web content being

Page 88 - ACL (Access Control List)

The Enable Access Control checkbox enables/disables the entire access control subsystem. This box must be checked for any access control operation t

Page 89

User authentication Check Require user authentication if you want to require users to authenticate themselves before browsing the web. When attemptin

Page 90

SG Gateway Appliance Quick Setup Unpack the SnapGear unit Check that the following items are included with your SnapGear unit: • Power adapter • SG CD

Page 91

Note Each browser on the LAN now has to be set up to use the SnapGear unit’s web proxy. Browser setup The example given is for Microsoft Internet Exp

Page 92

In the row labeled HTTP, enter your SnapGear unit’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other ro

Page 93 - Connecting wireless clients

Web lists Access is denied to any web address (URL) that contains text Added under URL Block List, e.g. entering xxx blocks access to any URL containi

Page 94

The top level page has a checkbox Block Unscanned Hosts which defines the behavior for a host which hasn't been scanned or is not defined to be

Page 95

Script Management Click the Script Management tab for management and testing of installed NASL scripts. NASL is the part of the Nessus vulnerability s

Page 96

In the Upload NASL script field, either enter or Browse… to the NASL script file you wish to upload. This file will be uploaded to the SnapGear unit a

Page 97 - Bridging

All new content filtering subscriptions are for the Webwasher service. The old content filtering system is maintained for backwards compatibility for

Page 98 - Adding a bridge interface

Under the Categories tab, select the Blocked Categories to block access to. Under the Reports tab, enter your User name and Password and click View R

Page 99 - Edit bridge configuration

Checking Enable Cache stores recently accessed pages’ ratings locally, to lower the response time the next time the page is accessed. It is recommend

Page 100

The SnapGear unit’s antivirus capabilities shield your LAN from viruses that propagate through email, the web and FTP. An antivirus subscription is n

Page 101 - Adding VLANs

Set up a single PC to connect to the SnapGear unit The SnapGear unit ships with initial network settings of: LAN IP address: 192.168.0.1 LAN subnet m

Page 102 - Removing VLANs

Check Enable. The Database mirror is the host from which the signature database is updated. Unless there is a specific host from which you want the Sn

Page 103 - Port Based VLANs

Create a new user account: Note We recommend that you create a special user account to be used by the SnapGear unit for reading and writing to the

Page 104

Begin by disabling simple file sharing for this folder. From the Tools menu, select Folder Options. Click the View tab and under the Advanced settin

Page 105 - Adding port based VLANs

Local storage Note SG565 only. Attach a USB storage device to one of the SnapGear unit’s USB ports. Under the Storage > Local Storage tab, selec

Page 106

Check Transparent. If all of your internal email clients (such as Microsoft Outlook) are retrieving email from a single mail server only, enter it as

Page 107 - GRE Tunnels

If there is no single mail server from which most of your internal email clients are retrieving email, leave Default POP server blank and check Allow

Page 108 - Adding a GRE interface

Note For each of the email clients for which to scan incoming mail, the email client’s POP3 user name setting must be in the form of [email protected]

Page 109

When Inform requesting server of rejected mail is enabled the SnapGear unit rejects incoming mail that is detected to have a virus, and informs the re

Page 110

FTP The SnapGear unit can scan files downloaded using FTP for viruses. Check Virus check FTP downloads. Typically there is no need to change the Pr

Page 111 - GRE troubleshooting

5. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across

Page 113 - Route management

Click Start > (Settings >) Control Panel and double-click Network Connections (or in 95/98/Me, double-click Network). Right-click Local Area Con

Page 114

PPTP and L2TP The SnapGear unit includes a PPTP and an L2TP VPN server. These allow remote Windows clients to securely connect to the local network.

Page 115

Check Enable PPTP Server. Enter the IP Addresses to give to remote hosts. This must be a free IP address, or a range of free IP addresses, from the

Page 116

Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong Encryption (MPP

Page 117

Your Internet IP address is displayed on the Network Setup page. If your ISP has not allocated you a static IP address, consider using a dynamic DNS

Page 118

Select Connect to a private network through the Internet and click Next. This displays the Destination Address window: Enter the SnapGear unit’s Int

Page 119

Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect. Windows XP PPTP client setup Logi

Page 120

Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name fo

Page 121 - Device location

If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connection and your dial-up account from

Page 122 - DNS proxy

Enter a user name and password added in the Configuring user accounts for VPN server section and click Connect. L2TP VPN Server To setup an L2TP/IPSe

Page 123 - Static hosts

Check Enable L2TP Server. Enter the IP addresses to give to remote hosts. This must be a free IP address, or a range of free IP addresses, from the

Page 124 - DHCP Server

Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, su

Page 125 - Address list

Select the Required Encryption Level — access is denied to remote users attempting to connect not using this encryption level. Using Strong Encryptio

Page 126

Note Only one shared secret tunnel may be added. The one shared secret is used by all remote clients to authenticate. Select x.509 Certificate Tu

Page 127 - DHCP status

If adding an x.509 Certificate Tunnel, select the Local Certificate that you have uploaded to the SnapGear unit. Enter the Client Distinguished Name;

Page 128 - DHCP Proxy

Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name fo

Page 129 - Web Cache

If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connection and your dial up account from

Page 130 - Local storage

To authenticate using an x.509 Certificate Tunnel, you must first install the local certificate. The distinguished name of this local certificate

Page 131 - Network storage share

Select PPTP VPN Client or L2TP VPN Client from the VPN section of the main menu. Any existing client tunnels are displayed alongside icons to Enable/

Page 132

A PPTP status icon appears in the system tray on the bottom right hand side of your computer, informing you that you are connected. You can now check

Page 133

Quick Setup This section uses the Quick Setup to connect the two sites together. For more control over the configuration options, see Set Up the Bran

Page 134 - ICAP client

Fill in the Tunnel name field with your name for the tunnel. The name must not contain spaces or start with a number. In this example, enter Headquar

Page 135 - Advanced

The quick setup wizard is displayed. Changing the Hostname is not typically necessary. Select how you would like to set up your LAN connection, then

Page 136 - QoS Traffic Shaping

Enter the Remote Distinguished Name, which is the list of attribute/value pairs contained in the certificate of the remote peer. The following is a li

Page 137 - QoS traffic shaping

When making a certificate based tunnel between Secure Computing SnapGear units, you can obtain the Distinguished Name of a remote device's Certif

Page 138

Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted. Configure a tunnel to connect

Page 139

Note Select an interface other than the default gateway when you have more than one Internet connection or have configured aliased Internet interfaces

Page 140 - Configuring the SIP proxy

DNS hostname address to static IP address DNS hostname address to DNS hostname address DNS hostname address to dynamic IP address From the

Page 141 - 4. Firewall

In this example, select the Preshared Secret option. Click Next to configure the Local Endpoint Settings. Local endpoint settings Leave the Initiate

Page 142 - Administration services

Note If the remote party is a SnapGear unit, the ID must have the form abcd@efgh. If the remote party is not a SnapGear unit, refer the interoperabi

Page 143 - Web Management

Authentication Key is the ESP Authentication Key. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must b

Page 144 - SSL/HTTPS (Secure HTTP)

Enter the Internet IP address of the remote party in The remote party's IP address field. In this example, enter: 209.0.0.1. The Optional Endpo

Page 145 - Create SSL certificates

OU Organizational Unit CN Common Name N Name G Given name S Surname I Initials T Personal title E E-mail Email E-mail SN Serial nu

Page 146 - Definitions

• If you have an existing DHCP server, and wish to rely on it to automatically configure the SnapGear unit’s LAN connection settings (not recommended

Page 147 - Service groups

Authentication Key field is the ESP Authentication Key. However, this applies to the remote party. It must be of the form 0xhex, where hex is on

Page 148 - Addresses

The Rekeyfuzz value refers to the maximum percentage by which the Rekeymargin should be randomly increased to randomize rekeying intervals. The Key li

Page 149 - Interfaces

Local Certificate pull-down menu contains a list of the local certificates that have been uploaded for x.509 authentication. Select the required

Page 150 - Packet Filtering

Select a Phase 2 Proposal. Any combination of the ciphers, hashes, and Diffie Hellman groups that the SnapGear unit supports can be selected. The su

Page 151

Select the Internet interface the IPSec tunnel is to go out on. In this example, select default gateway interface option. Select the type of keying f

Page 152 - Rate limiting

Phase 1 settings page Set the length of time before Phase 1 is renegotiated in the Key lifetime (s) field. In this example, leave the Key Lifetime as

Page 153

Tunnel List Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection field is shown. Note You may modify, delete

Page 154 - Custom firewall rules

o IPSec is disabled. o The tunnel is disabled. o The tunnel could not be loaded due to misconfiguration. Negotiating Phase 1 indicates that IPS

Page 155 - Port forwarding

Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiat

Page 156

Negotiation State reports what stage of the negotiation process the tunnel is in. In this example it has initiated and sent the first aggressive mod

Page 157

Set up the SnapGear unit’s Internet connection settings Attach the SnapGear unit to your modem device or Internet connection medium. If necessary, gi

Page 158

If you do not have access to certificates issued by a certificate authority (CA), you may create self-signed certificates; see Creating certificates f

Page 159

openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem .. where pkcs12_file is the PKCS12 file issued by the CA and local_priva

Page 160 - Source NAT

Create the CA certificate; omit the -nodes option if you want to use a password to secure the CA key: openssl req -config openssl.cnf -new -x509 -keyo

Page 161

To install the new PKCS12 file, cert1.p12, on Windows XP, open up the Microsoft Management Console (Start > Run > then type mmc). Add the Certif

Page 162

Certificates have time durations in which they are valid. Ensure that the certificates uploaded are valid and that the Date and Time settings have be

Page 163 - 1-to-1 NAT

Keying: Aggressive mode (IKE) Local address: Static IP address Remote address: Dynamic IP address Route to remote endpoint: Internet port's gatew

Page 164 - Masquerading

Tunnel name: SecondaryLink Enable this tunnel: Unchecked Local interface: Default gateway interface Keying: Aggressive mode (IKE) Local optional endpo

Page 165 - Configuring the UPnP Gateway

Local network: 192.168.11.1/255.255.255.255 Remote network: 192.168.12.1/255.255.255.255 Phase 2 key lifetime (sec): 7200 Branch Office SG configurati

Page 166

retry_delay 5 test_delay 5 test ifretry 2 5 ping -I 192.168.2.1 192.168.1.1 -c 3 connection secondarylink parent conn-eth1 start IPSec auto

Page 167 - Connection Tracking

Set up an IPSec tunnel between the primary Internet IP Addresses (209.0.0.1 <> 210.0.0.1). Default values are used in the configuration unless ot

Page 168

Set up the SnapGear unit’s switch Note This page will only display if you are setting up the SG560, SG565 or SG580. Otherwise skip to the next step.

Page 169 - Intrusion Detection

Local interface: DMZ port Route to remote endpoint: DMZ port's gateway The remote party's IP address: 210.0.1.1 Local network: Address of DM

Page 170 - IDB Configuration

GRE tunnel for primary link: GRE tunnel name: PrimaryLink Remote address: 209.0.0.1 Local address: 210.0.0.1 Firewall class: LAN GRE tunnel for second

Page 171 - Dummy services

retry_delay 5 test_delay 5 connection primary_ping parent conn-gre1 maximum_retries 2147483647 retry_delay 5 test_delay 5 test ifretry 2

Page 172

parent secondary_ping start route add -net 192.168.1.0 netmask 255.255.255.0 dev gre2 stop route del -net 192.168.1.0 netmask 255.255.255.0 dev

Page 173 - Snort and IPS configuration

Symptom: Tunnel is always down even though IPSec is running and the tunnel is enabled. Possible Cause: The tunnel is using Manual Keying and the e

Page 174

Symptom: Tunnel goes down after a while Possible Cause: The remote party has gone down. The remote party has disabled IPSec. The remote party ha

Page 175

Possible cause: Windows network browsing broadcasts are not being transmitted through the tunnel. Solution: Set up a WINS server and use it to have th

Page 176

The SnapGear unit supports two kinds of port tunnels. HTTP Tunnels are port tunnels that send data using the HTTP protocol, and are not encrypted. HT

Page 177 - Enabling access control

The following field is displayed for SSL Tunnel Server only: You may specify the Protocol to use when negotiating the SSL connection. Leave this

Page 178

If the HTTP proxy is a buffering proxy, then enter the Proxy Buffer Size. Otherwise set this field to 0. You may also specify the timeout before sen

Page 179 - User authentication

Connect the SnapGear unit to your LAN Review your configuration changes. Once you are satisfied, click Finish to activate the new configuration. Note

Page 180 - Browser setup

6. USB Note SG565 only. The SG565 has two USB (Universal Serial Bus) ports to which you can attach USB storage devices (e.g. hard drives, flash drive

Page 181

This section describes how to set up the SnapGear unit for network attached storage. For information on using a USB mass storage device as a print sp

Page 182 - Web lists

Browsable: Display an icon for the network when browsing the network from a Windows PC. To access the network share when this is unchecked, the user

Page 183

Join a Windows workgroup The next step is to configure your SnapGear unit to join your Windows workgroup or domain. Select Network Setup from the Netw

Page 184

Partitioning a USB mass storage device Warning This procedure is intended for experts and power users only. The standard Linux command line tools are

Page 185 - Content or Webwasher?

Command (m for help): p Disk /dev/sda: 5 heads, 50 sectors, 1024 cylinders Units = cylinders of 250 * 512 bytes Device Boot Start End B

Page 186 - Webwasher

Repeat the process for each partition you want to create. For the last partition, the default last cylinder is generally fine. Command (m for help)

Page 187 - Content

mkfs.vfat -F 32 /dev/sda1 then mkfs.vfat -F 32 /dev/sda2 From the web management console, select Advanced from the System menu, and click Reboot. The

Page 188 - Antivirus

Select Shares from the Networking section of the main menu. Click the Printing tab. Locate the printer to share and click its Edit icon. Enter a sh

Page 189 - Enable antivirus

Otherwise, attach the USB mass storage device and select the device or device partition on which to store the print spool from the Spool pull-down me

Page 190 - Network share

• If you do not want to use a DHCP server, proceed to Manual configuration of your LAN. Automatic configuration of your LAN If you selected Manual Co

Page 191

Select A network printer, or a printer attached to another computer and click Next. Select Browse for a printer and click Next. Locate the SnapGear

Page 192

You may receive a warning about the SnapGear unit automatically installing print drivers on your PC. Ignore it; the SG does not install print drivers

Page 193 - Scan all POP email

Select your printer model and click OK. If your printer model is not listed, click Have Disk and Browse again. Drivers for several different printer

Page 194

LPR / LPD setup Note This information is generally not relevant for Windows network environments. Once the print server has been set up, the SnapGear

Page 195

Disable Advanced Printing Features by clicking Control Panel > Printers and Faxes > right-click printer > Properties > Advanced > and u

Page 196 - SMTP email

7. System Date and Time Note For details on how the SnapGear unit stores and retrieves the date and time between reboots, see the appendix entitled Sy

Page 197

Network time Select Date and Time from the System section of the main menu, then the NTP Time Server tab. Check the Enabled box under the NTP Time Ser

Page 198

Select Date and Time from the System section of the main menu, then the NTP Time Server tab. Enter the IP Address of the NTP server. Select Peer from

Page 199

Remote backup/restore Click the Remote backup/restore tab. To back up your configuration, enter and confirm a Password with which to protect this fil

Page 200 - PPTP VPN Server

Enter a Description for this configuration. It is not necessary to include the time and date in the description; they are recorded automatically. Not

Page 201

Automatic configuration of your LAN using an existing DHCP server • If you chose to have the SnapGear unit Obtain LAN IP address from a DHCP server o

Page 202 - Add a PPTP user account

Users This section details adding administrative users, as well as local users for PPTP, L2TP or dial-in access, or access through the access control

Page 203

You may specify the following access controls for each administrative user. The Login control provides the user with telnet and ssh access to the

Page 204

Warning A user with Encrypted save / restore all access can conceivably create an encrypted config file with an arbitrary root password that they can

Page 205 - Windows XP PPTP client setup

Enter a User name (login name), an optional Description, and enter and confirm a Password. For dial-in, PPTP and L2TP users, you may also optionally

Page 206

To test your configuration click the Test RADIUS tab and enter the user name and password of a valid user. A RADIUS request is sent to the server and

Page 207

Management The SnapGear unit may be managed remotely using Secure Computing Global Command Center (GCC), Secure Computing Centralized Management Se

Page 208 - L2TP VPN Server

Clicking Enrol allows you to register this unit with the Global Command Center server using the standard mechanism. Click Rapid Deploy to make use o

Page 209

Specify the shared Authentication Key with which to authenticate this device against the CMS. This must be the same as the snmp_community configurat

Page 210 - Add an IPSec tunnel

Enter the name of a community that is allowed read-write access in Read-Write Community. You may optionally include an IP address or network to restri

Page 211

Log output is color coded by output type. General information and debug output is black, warnings and notices are blue, and errors are red. The Displ

Page 212 - Add an L2TP user account

Enter the following details: • IP address is an IP address that is part of the same subnet range as the SnapGear unit’s LAN connection (if using the d

Page 213

Enter the Remote Port on which the remote syslog server is listening for syslog messages. Typically, the default is correct. Set the Filter Level to

Page 214

Specify the number of seconds to wait after receiving a system log message before sending an email in Delay to Send (s). This allows multiple system l

Page 215 - PPTP and L2TP VPN Client

Advanced The following options are intended for network administrators and advanced users only. Warning Altering the advanced configuration settings m

Page 216

Reset button Another method to clear the SnapGear unit’s stored configuration information is by pushing the reset button on the back panel of the Snap

Page 217

There are two primary methods available for performing a flash upgrade, Netflash and Flash upgrade via HTTP. Remote upgrades may also be performed us

Page 218 - Quick Setup

Note Although we recommend it, this program is not supported by Secure Computing. Download the binary image file (.sgu). Contact SG technical support

Page 219

You may also create a new file by clicking New. Upload file Click Browse to locate the file on your local PC that you want to upload. You may upload

Page 220

Technical support report The Technical Support Report page is an invaluable resource for the SG technical support team to analyze problems with your S

Page 221 - Set Up the Branch Office

Appendix A – Terminology This section explains some of the terms that are commonly used in this document. Term Meaning ADSL Asymmetric Digital Subscr

Page 222 - Tunnel settings page

Term Meaning Certificates A digitally signed statement that contains information about an entity and the entity's public key, thus binding th

Page 223

Contents Document Conventions ... vi 1. Introduction...

Page 224

The status LEDs on the front panel provide information on the operating status of the SnapGear unit. The Power LED is ON when power is applied. H/B (h

Page 225 - Local endpoint settings

Term Meaning Ethernet A physical layer protocol based upon IEEE standards. Extranet A private network that uses the public Internet to securely s

Page 226 - Other options

Term Meaning IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with Dynamic DNS Dy

Page 227

Term Meaning NAT Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquera

Page 228

Term Meaning Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" an

Page 229

Term Meaning x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm u

Page 230 - Phase 1 settings

Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the SnapGear unit. The only logging that is ena

Page 231

Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g. ppp0 or ppp1, a PPP session IPSe

Page 232 - Phase 2 settings page

A typical Default Deny: looks similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e

Page 233 - Enable IPSec

To log permitted inbound access requests to services hosted on the SnapGear unit, the rule should look something like this: iptables -I INPUT -j LOG -

Page 234 - Local endpoint settings page

iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This results in log output

Page 235 - Phase 1 settings page

Next, modify your PC’s network settings to enable it to communicate with the SnapGear unit. Click Start > (Settings >) Control Panel and double-

Page 236 - Tunnel List

If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o IPSec+ Clearly there are many more

Page 237

Administrative Access Logging When a user tries to log onto the web management console, one of the following log messages appears: Jan 30 03:00:18 200

Page 238

Appendix C – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgrade, it is important that you save a backup of your existin

Page 239 - Certificate Management

If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration

Page 240 - Extracting certificates

Appendix D – Recovering From a Failed Upgrade Note Please read this appendix before requesting an RMA from customer support. If the Heart beat (or H/B

Page 241 - Create a CA certificate

The following details the steps required to perform a recovery boot using the Netflash program on a Windows PC. Attach the SnapGear unit’s LAN port or

Page 242

Wait for the recovery procedure to complete and the SnapGear unit to finish reprogramming. Note It may take up to 15 minutes for your SG to finish re

Page 243 - Add certificates

Log in to your PC with sufficient permissions to edit the server configuration files, and stop and start the servers. Place the firmware file and recov

Page 244 - IPSec Failover

Appendix E – System Clock Units with a hardware clock When the time and date is set through the management console, or retrieved from an NTP server, t

Page 245

Appendix F – Null Modem Administration This section details how to enable your SnapGear unit for administration from a local PC using a null modem ser

Page 246

Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, su

Page 247

Select Set up an advanced connection and click Next. Select Connect directly to another computer and click Next. Select Guest and click Next. In Compu

Page 248

Appendix G – Command Line Interface (CLI) This section contains the list of commands available on each of the SG models. The following table provides

Page 249

Program Name Description Supported Products br SnapGear bridge control program SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG6

Page 250

Program Name Description Supported Products cron daemon to execute scheduled commands SG565, SG575, SG580, SG635, SG710, SG810 date print or set

Page 251

Program Name Description Supported Products doc_loadipl Load an IPL into a DoC Millennium Plus SG710 dosfsck check and repair MS-DOS file systems

Page 252

Program Name Description Supported Products firewall SnapGear firewall utility SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG

Page 253 - IPSec Troubleshooting

Program Name Description Supported Products gcc_get_config SnapGear utility to output config in GCC format SG300, SG550, SG560, SG565, SG570, SG5

Page 254

Program Name Description Supported Products hts httptunnel server SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG635, SG710, SG810 ht

Page 255

Program Name Description Supported Products inetd network super-server daemon SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG6

Page 256 - Port Tunnels

Program Name Description Supported Products iptables-save Save IP Tables SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG635, S

Page 257 - Tunnel server

The Quick Setup wizard is displayed. Changing the Hostname is not typically necessary. Select how you would like to set up your LAN connection then

Page 258 - Tunnel client

Program Name Description Supported Products lpq spool queue examination program SG565 lpr off line print SG565 lprm remove jobs from the line pr

Page 259

Program Name Description Supported Products mktemp make temporary filename (unique), SG565, SG575, SG580, SG635, SG710, SG810 modprobe program to

Page 260 - USB Mass Storage Devices

Program Name Description Supported Products openssl OpenSSL command line tool SG300, SG550, SG560, SG565, SG570, SG575, SG580, SG635, SG710, SG8

Page 261 - Set access permissions

Program Name Description Supported Products pptp_callmgr PPTP Call manager for the PPTP client SG300, SG530, SG550, SG560, SG565, SG570, SG575, S

Page 262

Program Name Description Supported Products reboot safely reboot the system SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG635

Page 263 - Join a Windows workgroup

Program Name Description Supported Products reports/xmlreports.tcl SnapGear GCC tool to generate reports SG300, SG550, SG560, SG565, SG570, SG575

Page 264

Program Name Description Supported Products rtmon RTnetlink listener SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG635, SG710

Page 265

Program Name Description Supported Products smbmount mount an smbfs filesystem SG565, SG575, SG580, SG635, SG710, SG810 smbpasswd change a user&

Page 266

Program Name Description Supported Products sshd OpenSSH SSH daemon SG550, SG560, SG565, SG570, SG575, SG580, SG635, SG710, SG810 sslwrap progra

Page 267 - USB Printers

Program Name Description Supported Products telnetd telnet protocol server SG300, SG530, SG550, SG560, SG565, SG570, SG575, SG580, SG630, SG635,

Page 268 - Set up the print spool

If you selected Manual configuration, some additional information is required. Otherwise, skip to the next step. Enter an IP address and Subnet Mask

Page 269

Program Name Description Supported Products unlinkd Squid unlink daemon SG565, SG575, SG580, SG635, SG710, SG810 upnpd Universal Plug and Play D

Page 270

Program Name Description Supported Products wlan SnapGear utility for configuring wireless LAN connections SG565 wlancfg wlan-ng wireless configu

Page 271

Note If you have changed the SnapGear unit’s LAN connection settings, it may become uncontactable at this point. This step describes how to set up th

Page 272

Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP > [your network card name] if there are multiple entries) and click

Page 273 - Printer Troubleshooting

Ensure all PCs on the network are set up to automatically obtain network configuration as per Automatic configuration of your LAN, then restart them.

Page 274

Set up the SnapGear unit’s Internet connection settings Choose a port on the SnapGear unit for your primary Internet connection. Port C is used in th

Page 275 - 7. System

• If you have a Direct Connection to the Internet (e.g. a leased line), enter the IP settings provided by your ISP. Note For detailed help for each o

Page 276 - Adding an NTP peer

Routes ...106 System...

Page 277 - Backup/Restore Configuration

SG PCI Appliance Quick Setup Unpack the SnapGear unit Check that the SG CD is included with your appliance: On the SnapGear unit is a single 10/100 ne

Page 278 - Local backup/restore

Set up your PC to connect to the web management console Note The following steps assume you want to set up your SnapGear unit in bridged mode, so that

Page 279 - Text save/restore

Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Leave the Default gatew

Page 280 - Administrative users

Note The new password takes effect immediately. You are prompted to enter it when completing the next step. In the row labeled Bridge, click the Modi

Page 281

Check DHCP assigned. Anything in the IP Address and Subnet Mask fields is ignored. Click Update. Click Start > (Settings >) Control Panel and

Page 282 - Local Users

Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK. Attach your SnapGear unit’s Ethernet port to yo

Page 283

Enter this address as the IP Address, and the subnet mask for your LAN as the Subnet mask. Ensure DHCP assigned is unchecked. You may also enter one

Page 284 - TACACS+

Enter the following details: • IP address is the second free IP address that is part of your LAN’s subnet range. • Subnet mask is your LAN’s subnet m

Page 285 - Management

The SnapGear Management Console The various features of your SnapGear unit are configured and monitored using the management console. Follow the step

Page 286

3. Network Setup This chapter describes the Network Setup sections of the web management console. Here you can configure each of your SnapGear unit’s

Page 287

IPSec Failover ...238 IPSec Troubleshooting ...

Page 288 - Diagnostics

A network interface is configured by selecting a connection type from the Change Type pull-down menu. The current configuration can be viewed or mod

Page 289 - Remote syslog

Note The switches’ ports can not be configured individually; a switch is configured with a single function only (e.g., LAN switch, DMZ switch). SG560,

Page 290 - Email delivery

Direct Connection A direct connection is a direct IP connection to a network, i.e. a connection that does not require a modem to be established. This

Page 291 - Packet Capture

To have your SnapGear unit obtain its LAN network settings from an active DHCP server on your local network, check DHCP assigned. Note that anything

Page 292 - Reboot and Reset

If an Ethernet port is experiencing difficulties auto-negotiating with another device, Ethernet Speed and duplex may be set manually. On rare occasio

Page 293 - Flash upgrade

For aliases on interfaces that have the DMZ or Internet firewall class, you must also setup appropriate Packet Filtering and/or Port forwarding rules

Page 294 - Flash upgrade via TFTP

Do not continue until it has reached the line sync state and is ready to connect. Note For PPPoE/PPPoA connections, ensure your DSL modem is set to op

Page 295 - Configuration Files

Note If autodetection fails, it may be because your DSL modem is misconfigured for your connection type, or your DSL service has not yet been provisio

Page 296 - Support

PPTP To configure a PPTP connection to your ISP, enter the PPTP Server IP Address and a Local IP Address and Netmask for the SnapGear network port thr

Page 297 - Technical support report

The latter two settings are optional, but are generally required for normal operation. Multiple DNS addresses may be entered separated by commas. Y

Page 298 - Appendix A – Terminology

Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights important issu

Page 299

Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Aliases under Direct

Page 300

Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Aliases under Direct

Page 301

Port settings If necessary, you may set the SnapGear unit’s serial port Baud rate and Flow Control. This is not generally necessary. Static addresses

Page 302

If you wish, you may enter a descriptive Connection Name. In the IP Address for Dial-In Clients enter an available IP address. This IP address must

Page 303

Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client passwords are tra

Page 304

Connecting a dial-in client Remote users can dial in to the SnapGear unit using the standard Windows Dial-Up Networking software or similar. The foll

Page 305 - Appendix B – System Log

Select Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code

Page 306

Enter a name for the connection and click Finish to complete the configuration. Check Add a shortcut to my desktop to add an icon for the remote con

Page 307 - Creating Custom Log Rules

Failover, Load Balancing and High Availability Note This section applies to SG gateway and rack mount appliances only. The SnapGear unit supports a wi

Page 308

Note If you are using a SnapGear unit model SG560, SG565 or SG580, you may want to skip to information on establishing multiple broadband connections.

Page 309

1. Introduction This manual describes the features and capabilities of your SnapGear unit, and provides you with instructions on how to best take adva

Page 310 - Rate Limiting

Note Internet failover is not stateful, i.e. any network connections that were established through the failed primary connection must be re-establishe

Page 311 - Boot Log Messages

Select a Test Type. The Ping test is usually appropriate. Ping sends network traffic to a remote host at regular intervals, if a reply is receiv

Page 312 - Practices and Precautions

If you selected Custom, enter the custom Test Command that is used to test the connection, e.g.: myscript 5 10 ping -c 1 -I $if_netdev 15.1.2.3 No

Page 313

Recall that a connection level is one or more connections. These connections may be marked as Required or Enabled. Internet connections that are mar

Page 314 - Failed Upgrade

This returns you to the main Connection Failover page. You’ll notice that ticks and crosses are displayed alongside each connection, describing how the

Page 315

Enabling load balancing Under the Failover & H/A tab, click Modify Levels. Check Load Balance for each connection to enable for load balancing.

Page 316

VPN connections such as IPSec or PPTP tunnels are confined to a single Internet connection, as they are a single connection (that encapsulate other co

Page 317

In this scenario, SnapGear unit #1 is initially the master and therefore the default gateway for the local network and SnapGear unit #2 is the slave

Page 318 - Appendix E – System Clock

Later, SnapGear unit #1 comes back online as the slave. SnapGear unit #2 continues its role as the default gateway for the local network. Note Using

Page 319 - Administration

Note: Both devices should have identical High Availability configuration, including the list of interfaces, shared IP addresses, and the interface con

Page 320 - Troubleshooting

The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ (demilitarized zone) network. A DMZ is a separate local network typically used to

Page 321 - Interface (CLI)

By default, machines on the DMZ network have addresses in a private IP address range, such as 192.168.1.0 / 255.255.255.0 or 10.1.0.0 / 255.255.0.0.

Page 322

If the servers on the DMZ have private IP addresses, you need to port forward the services. See the section called Incoming Access in the cha

Page 323

Caution is advised before allowing machines on a Guest network direct access to the Internet, particularly in the case of Guest wireless networks. Th

Page 324

Wireless Note SG565 only. The SnapGear unit’s wireless interface may be configured as a wireless access point, accepting connections from 802.11b (11

Page 325

Warning We strongly recommend that the wireless interface be configured as a LAN connection only if wireless clients are using WPA based encryption/au

Page 326

Security Method sic Ba ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a wireless network. This value is case sen

Page 327

Wireless security Encryption and authentication settings for your wireless network are configured under Access Point. Fields vary based on the securi

Page 328

Warning Due to flaws in the authentication protocol, this method reduces the security of the WEP key. It is recommended that you use Open System a

Page 329

WPA-Enterprise Wi-Fi Protected Access uses the IEEE 802.1X protocol to authenticate the user and dynamically assign the encryption key via a R

Page 330

Select Allow authentication for MACs in the Access Control List to disallow all but the MAC addresses you specify, or Deny authentication for MACs in

Page 331

Label Activity Description WAN Activity Flashing Network traffic on the Internet network interface. WLAN Flashing Network traffic on the Wireless

Page 332

There are two common scenarios for WDS: bridging or repeating. WDS bridging is when an Access Point allows wireless clients to connect, and forwards

Page 333

1. Configure the wireless settings on the Access Point tab as normal. 2. Select the WDS tab. 3. Set Mode to Automatic. 4. Click Add and enter the MA

Page 334

Region: Select the region in which the access point is operating. This restricts the allowable frequencies and channels. If your region is not list

Page 335

RTS incurs an overhead for transmitting, so enabling it when it is not needed decreases performance. Since the access point is in range of all wirele

Page 336

Click Wireless Configuration. Enter an appropriate ESSID and select a Channel for your wireless network. Enable Bridge Between Clients to allow wir

Page 337

Select Allow authentication for MACs in the Access Control List and click Apply. Select Add to add the MAC address of each wireless client you wish

Page 338

Under the main table, select Bridge and click Add. Select your wired LAN connection from the Existing Interface Configuration pull-down box. This i

Page 339

Alongside the wireless interface, check Bridged and select LAN from the Firewall Class pull-down menu. Click Finish. Note If your LAN interface was

Page 340

Another advantage is that network traffic not usually routed by unbridged interfaces, such as broadcast packets, multicast packets, and any non-IP prot

Page 341

If you wish to transfer the IP address settings of an existing network connection to the bridge interface, select it from the Existing Interface Confi
