Professional Documents
Culture Documents
Administrator’s Guide
Supported platforms:
Microsoft Windows Server 2000
Microsoft Windows Advanced Server 2000
Microsoft Windows Server 2003 Standard Edition
Sun Solaris 8
Sun Solaris 9
Symantec™ Enterprise Firewall
Administrator’s Guide
The software described in this book is furnished under a license agreement and
may be used only in accordance with the terms of the agreement.
Documentation version 8.0
March 10, 2004
Copyright notice
Copyright 1998–2004 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is
the copyrighted work of Symantec Corporation and is owned by Symantec
Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS
and Symantec Corporation makes no warranty as to its accuracy or use. Any use
of the technical documentation or the information contained therein is at the
risk of the user. Documentation may include technical or other inaccuracies or
typographical errors. Symantec reserves the right to make changes without
prior notice.
No part of this publication may be copied without the express written
permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA
95014.
Trademarks
Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered
trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration
Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of
Symantec Corporation. RSA SecurID, Bellcore S/Key, and PassGo Defender are
all the trademarks or registered trademarks of their respective companies.
Other brands and product names mentioned in this manual may be trademarks
or registered trademarks of their respective companies and are hereby
acknowledged.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
Technical support
As part of Symantec Security Response, the Symantec global Technical Support
group maintains support centers throughout the world. The Technical Support
group’s primary role is to respond to specific questions on product feature/
function, installation, and configuration, as well as to author content for our
Web-accessible Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering as well as Symantec Security Response to provide
Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ Telephone and Web support components that provide rapid response and
up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Content Updates for virus definitions and security signatures that ensure
the highest level of protection
■ Global support from Symantec Security Response experts, which is
available 24 hours a day, 7 days a week worldwide in a variety of languages
for those customers enrolled in the Platinum Support program
■ Advanced features, such as the Symantec Alerting Service and Technical
Account Manager role, offer enhanced response and proactive security
support
Please visit our Web site for current information on Support Programs. The
specific features available may vary based on the level of support purchased and
the specific product that you are using.
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/
techsupp/, select the appropriate Global Site for your country, then select the
enterprise Continue link. Customer Service is available to assist with the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec’s technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Contents
Glossary of terms
Index
8 Contents
Chapter 1
Introducing the security
gateway
This chapter includes the following topics:
■ Key features
■ Administrator roadmap
■ Logging on
■ Changing passwords
■ General administration
application level proxies, network circuit analysis, and packet filtering into the
gateway security architecture. To bar access to private networks and
confidential information, the Symantec security gateway applies full-inspection
scanning techniques that ensure that data is validated at all levels of the
protocol stack, including application proxies.
Through the Security Gateway Management Interface (SGMI), administrators
can flexibly configure scalable gateway protection for networks of any size.
With the SGMI, administrators can remotely and securely control and monitor
distributed security gateways and create configurable policies for users and user
groups. In addition to its simplified policy management, Symantec makes
installation and configuration quick and easy with pre-configured and hardened
operating system software and an array of setup wizards.
To provide high availability and to share traffic loads among multiple security
gateways, Symantec includes a high availability/load balancing (HA/LB)
component.
With its integrated, standards-based VPN component, the Symantec Enterprise
Firewall provides secure remote access to extend enterprise networks. Support
for home office and telecommuter access is available with the VPN features.
Key features
The key features of the Symantec Enterprise Firewall include:
■ Enterprise-class gateway security with full application inspection proxy
technology and automatic system hardening and monitoring
■ Full application inspection technology to provide protection against
complex blended threats and Denial of Service attacks, by default
■ Extension of networks with a proxy secured, IPsec-compliant integrated
VPN with hardware-assisted high-speed encryption
■ URL-based content filtering to block against unwanted sites
■ High availability/load balancing to extend scalability and eliminate system
downtime
■ Scalable, centralized Web-based management
■ Automated, up-to-date protection
Firewall
The Symantec Enterprise Firewall includes technologies to protect enterprise
assets and business transactions with one of the most secure, high-performance
solutions for ensuring safe connections with the Internet and between
Introducing the security gateway 11
Key features
networks. Its unique architecture delivers security and speed, providing strong
and transparent firewall protection against unwanted intrusion without slowing
the flow of approved traffic on enterprise networks. Features include:
■ Standard proxies
These proxies handle common services, such as Telnet, HTTP, FTP,
RealAudio, and others. Standard proxies offer the highest level of logging
and ease of use.
Unless specifically stated otherwise, when this manual describes how
traffic is passed, it does so using standard proxies.
■ Custom protocols
You can use the Security Gateway Management Interface (SGMI) Protocol
Properties window to configure generic services provided by the hosts
residing on either side of the security gateway. Custom or generic service
proxies include any service not supported by one of the security gateway’s
proxy server applications.
■ Address transforms
Address transforms give you the ability to control addressing, letting you
present routable addresses for connections passing through a system
interface or secure tunnel. This helps you to route connections to the
correct destination when your site has addressing overlap issues or other
routing problems.
■ Configuration reports
You can generate and print full reports for every configurable item of the
security gateway.
■ Defense against Denial of Service attacks
A Denial of Service attack prevents legitimate users from accessing Internet
services by consuming network resources with an onslaught of continuous
service requests. You can configure your security gateway to quickly
recognize this type of attack and immediately drop all packets coming from
a hostile source.
VPN
The Symantec Enterprise Firewall includes VPN technology, which lets
organizations securely extend their network perimeters beyond the enterprise
firewall by providing VPN server proxy-secured scanning and personal firewall
protection by way of the Symantec Client VPN. A completely integrated and
standards-based solution, it lets organizations establish safe, fast, and
inexpensive connections, enabling new forms of business and secure access to
information for authorized partners, customers, telecommuters, and remote
offices.
12 Introducing the security gateway
Key features
The security gateway uses VPN tunnels to send encrypted and encapsulated IP
packets over public networks securely to another VPN server. One license for
Symantec’s IPsec-compliant Symantec Client VPN 8.0 is included.
VPN features include:
■ VPN policies
The Symantec Enterprise Firewall ships with pre-configured general VPN
policies that you can apply to your secure tunnels.
For example, there are IPsec/IKE policies and IPsec/Static policies. You can
apply these policies to each IKE or IPsec/Static secure tunnel you create.
■ Support for third party IKE clients
The Symantec Enterprise Firewall supports scalable policy management for
any IKE-compliant, third party mobile client through tunnels based on
users and user groups.
Antivirus scanning
The Symantec Enterprise Firewall can provide antivirus scanning by sending
HTTP, FTP, and SMTP files to an off-box antivirus scan server running on a
Symantec Gateway Security appliance.
See “Configuring off-box antivirus scanning” on page 380.
LiveUpdate support
The Symantec Enterprise Firewall incorporates patented LiveUpdate technology
to keep your product up-to-date. The included LiveUpdate technology can now
retrieve a categorized URL database used with content filtering. You must have
a separate license to use content filtering.
Introducing the security gateway 13
Where to get more information
Advanced Manager
The Symantec Advanced Manager for Security Gateways (Group 1) v2.0 is
available as an option for customers who prefer advanced management
capabilities. The Advanced Manager can define rule sets that apply to multiple
security gateways. Configuration data can be pushed out to multiple security
gateways at the same time, thus simplifying the management of large numbers
of security gateways. Advanced Manager also handles the event logging,
alerting, and reporting. Advanced Manager is a plug-in for the SESA Console.
Event Manager
The Symantec Event Manager for Security Gateways (Group 1) v2.0 is available
as an option for customers who wish to have centralized logging, alerting, and
reporting for the security gateway. The Symantec Event Manager for Security
Gateways (Group 1) v2.0 is distributed as a plug-in to the SESA (Symantec
Enterprise Security Architecture) Console.
You will need to use all these manuals to fully configure and manage the
Symantec Enterprise Firewall.
and clicking Kill Connection. You must then log out and log back in to regain
administrative control.
16 Introducing the security gateway
The user interface
The directory structure in the left pane contains the following entries:
Location Settings Use this selection to configure network entities, users, VPN
tunnels, and authentication methods.
When configured on the SESA Console, location settings can be
shared by multiple security gateways.
Monitoring Use this selection to view system-specific alerts, log files, and
cluster status.
Each of the selections in the left pane opens a window in the right pane with
multiple tabs across the top.
Introducing the security gateway 17
The user interface
There are three ways to add an entry to a table in the right pane (for this
example, the Rules tab is displayed):
■ Select New Rule from the Table menu.
■ In the right pane, right-click an existing entry and, from the drop-down
menu, select New Rule.
■ In the right pane, click New Rule.
You must click Apply to register the new rule in the gateway configuration.
There are three ways to delete an entry from the Rules table:
■ In the right pane, right-click the entry you want to delete and, from the
drop-down menu, select Delete Rule.
■ In the right pane, highlight the entry you want to delete and, from the Table
menu, select Delete Rule.
18 Introducing the security gateway
The user interface
■ In the right pane, highlight the entry you want to delete and click Delete
Rule.
You must click Apply to register the change in the security gateway
configuration.
There are three ways to open the Properties window for a table entry (to change
the configuration):
■ In the right pane, right-click the entry you want to change and, from the
drop-down menu, select Properties.
■ In the right pane, highlight the entry you want to change and, from the
Table menu, select Properties.
■ In the right pane, highlight the entry you want to change and click
Properties.
Changes are not active in the security gateway configuration until you select
Activate Changes from the Action menu.
The check boxes at the left of the Rules table reflect the status of the Enable
check box in the Properties window of each entity in the table. You can check
these check boxes in the table without opening the Properties window.
Clicking Reset cancels any changes you have made since the last time you
clicked Apply.
Introducing the security gateway 19
The user interface
The wizards and configuration tasks that you can start with the Action menu
include the following.
Policy Wizard Use this to set up a simple Web, FTP, and Mail configuration.
See “Using the Policy Wizard” on page 75.
Gateway-to-Gateway Lets you set up local and remote tunnel endpoints and VPN
Tunnel Wizard policies for Gateway-to-Gateway VPN.
See “Using the Gateway-to-Gateway Tunnel Wizard” on
page 297.
Client-to-Gateway Lets you set up local and remote tunnel endpoints and VPN
Tunnel Wizard policies for tunnels to Symantec Client VPN users.
See “Using the Client-to-Gateway Tunnel Wizard” on page 306.
System Setup Wizard Lets you set up network interfaces, licensing information, and
system features.
See “Using the System Setup Wizard” on page 55.
Scalable Management Lets you choose between SESA management and local
management. You can also start the SESA Setup wizard using
this selection.
See “About joining SESA” on page 437.
Stop Firewall Lets you stop the security gateway. After selecting, this becomes
a Start Firewall selection, with which you can restart the security
gateway.
Activate Changes Validates and reconfigures the changes you have made to your
gateway configuration. After making changes to the security
gateway configuration, you must select Activate Changes from
the Action menu to register the changes.
See “Activating changes” on page 21.
Validation Report Lets you view a report on the most recent security gateway
configuration validation.
Remote Policy Wizard Lets you quickly set up VPN policy for multiple Symantec Client
VPN users.
See “Using the Remote Policy Wizard” on page 323.
Hotfix Apply hotfixes and patches from the Symantec Web site for the
security gateway.
See “Hotfix management” on page 80.
Activating changes
After making any change to your security gateway configuration, you must
activate the changes to the configuration. This registers the changes in the
security gateway configuration files.
To activate changes
1 In the SGMI, on the Action menu, select Activate Changes.
2 In the Activate Changes panel, click Next.
3 In the Revision Comment panel, in the Comment text box, type a comment
to help identify the changes you made to the configuration.
4 In the Activation panel, the message indicates when the activation is
complete.
5 Click Close.
Note: You cannot restore a configuration on a platform different from the one
that was backed up. For example, you cannot restore a Solaris configuration on a
Windows security gateway.
The following parts of the security gateway configuration are not restored as
part of the restore operation. You need to recreate these items following a
backup and restore operation:
■ Administrator password
■ Default gateway
■ Cluster associations
■ Static routes
3 In the Restore Configuration dialog box, in the File Path text box, type or
browse to the backup file name.
4 In the Password text box, type the password used during the backup
operation.
5 Click Restore.
A message indicates the success or failure of the restore operation.
To review any errors that may have occurred, click Validation Report.
6 When you have finished reviewing any errors in the Validation Report, close
the dialog box.
7 Click Close.
window is displayed, for example, the Table menu lets you select the type of
network entity to add to the table.
currently has focus in the GUI. Selecting About from the Help menu displays the
product title, version, and build number.
Administrator roadmap
As you set up and configure your security gateway, be aware of the common
tasks and associated workflow (dependencies) for a successful implementation
of your product. This section outlines common tasks and required workflow.
■ Identify all IP addresses, including all hosts and servers (such as SMTP,
HTTP, DNS and FTP).
■ Create a network diagram that displays as much detail as possible, and
clearly mark all IP addresses and subnet masks.
■ Collect information on network entities and fill out the network planning
worksheets located in Appendix A of the Installation Guide.
■ Complete the installation as outlined in the Symantec Enterprise Firewall
Installation Guide.
■ Migrate to a Symantec Enterprise Firewall.
If you have a previous version of a Symantec security gateway, you can
migrate your configuration to a Symantec Enterprise Firewall. For
information about migrating your existing configuration to a new security
gateway, see the Symantec Enterprise Firewall Installation Guide or the
Symantec Enterprise Firewall Release Notes.
Explanation: A security gateway at the network perimeter is the most common type of
installation. It protects internal resources from the general public.
Action: If your security gateway sits at the perimeter of your network, you must
consider the resources it protects. Most likely, the outside interface is
assigned a public IP address. In addition, you should configure interfaces
for any protected networks to which this security gateway should have
access (for example, a service network).
Ensure that the security gateway is connected to each network to which it
will have access, and use the System Setup Wizard to configure the system’s
interfaces. The System Setup Wizard will automatically launch after the
hardware has been configured for the first time.
You can also run the System Setup Wizard later if your configuration needs
and you need to setup another interface. The System Setup Wizard can be
found on the Action menu.
Action: Similar to a security gateway at the perimeter of your network, you must
determine all of the networks that this security gateway will communicate
with, and configure interfaces appropriately. Contrary to a perimeter
security gateway; however, any external interfaces will be connecting to
another internal network.
Ensure that the security gateway is connected to each network to which it
will have access, and use the System Setup Wizard to configure the system’s
interfaces. The System Setup Wizard will automatically launch after the
hardware has been configured for the first time.
You can also run the System Setup Wizard later if your configuration needs
and you need to setup another interface. The System Setup Wizard can be
found on the Action menu.
Explanation: In prior releases, you could edit several system parameters manually
through text configuration files.
Action: With this release, you should no longer edit configuration files manually.
You can configure all security gateway features through the menu
selections in the Security Gateway Management Interface.
Administrators familiar with prior releases will understand where
configuration files live, and may be used to editing these files by hand.
Although you can edit these files manually, each time the Security
Gateway Management Interface is updated, configuration files are written
out, overwriting any manual changes made. You must make all changes
through the Security Gateway Management Interface.
Explanation: Domain name service (DNS) is normally used to resolve host names into IP
addresses. You can configure the security gateway to be a primary name
server, responding to DNS requests for public and private domain names.
Action: Prior to jumping in and configuring your DNS, you should consider the
domain names for which you would like to answer requests, including any
hosts, mail servers, and name servers.
There are no prerequisites to configuring DNS. All DNS components are
found and configured from the DNS tab in the Policy window.
Note: Improper DNS configuration affects the performance of the security
gateway.
30 Introducing the security gateway
Administrator roadmap
Action: Generally, most services that pass through the security gateway require a
service group to define the type of service, and an allow rule that
incorporates that service group.
You should begin by looking at the Service Groups tab under Policy. Many
common services already have their own service group created. You
should create a service group if an appropriate group doesn’t already exist.
Once the service group has been created, you can move on to the Rules tab
under Policy, where you can create your allow rule.
Explanation: You may want to let the general public access an internal server you
operate. For example, you may have an internal Web server that hosts
your company’s Web site. You want to make this service available to the
general public without compromising your network security.
Action: You should begin by placing the server on a service network. This service
network can be an internal network, but separate it from the main
network on which your protected resources reside. Next, you will want to
determine the IP addressing scheme. You may want to have the server use
a routable IP address, and you may want to stick with an internal address
and hide its true source.
If you elect to use a publicly routable address, create a rule allowing access
to the server. If you choose to use a non-routable IP address for the server,
you must set up a service redirect, and tell the world to direct their service
requests to the security gateway. In addition, you can create rules in the
Policy window, on the Rules tab. You can create service redirects in the
Location Settings window, under the Redirected Services option of the
Advanced tab.
Introducing the security gateway 31
Administrator roadmap
Explanation: The incredible growth of the World Wide Web and the Internet has,
unfortunately, also meant an increase in the number of objectionable sites
that may be visited by employees. Your corporate policy may require that
you restrict access to this content.
Action: There are several methods that you can use to restrict access to content or
data from the Web. You can use content filtering to limit the types of pages
that appear, URL blocking to restrict specific web sites, MIME type
blocking to restrict the category and type of files, and file extensions to
limit the file types that can be downloaded. You can find each of these
areas in the Policy window, on the Content Filtering tab. Once you
establish the type of content filtering you want to use, look to the service
group and the rule for additional configuration.
Explanation: Often, a company may host their own mail server, or use a dedicated
offsite server, possibly hosted by their Internet service provider. When a
new security gateway is introduced, you must instruct it to allow mail to
flow as it did prior to its installation.
Action: You can set up mail services when the System Setup Wizard is run the first
time you connect to the box. If mail service was not established at this
time, you can run the Policy Wizard from the Action menu.
Explanation: You might want to make your network resources available to an outside
group, such as another office of the company. Instead of requiring each
user on the second network to establish their own, private secure
connection, you can create one Gateway-to-Gateway tunnel, which makes
resources on each network available to the other.
Explanation: It is not uncommon for employees to travel, and require access to company
resources. Assuming that an employee has Internet access, you may want
to enable secure access for them. Connections like this are normally
referred to as a virtual private network (VPN) connection, and usually
employ some type of client software in addition to configuration on the
security gateway.
Explanation: VPN access is normally granted to trusted individuals only. These users,
however, have contact with networks beyond the control of the security
gateway. A trusted individual may pick up a virus, and if not detected,
could transmit it through a VPN connection to the protected network.
Action: All included application proxies scan for protocol abnormalities. If you
have configured the security gateway to communicate with an off-box
antivirus solution, SMTP, FTP, and HTTP traffic will be scanned for
viruses. For normal protocol scanning, you should instruct the VPN policy
to pass traffic to the proxies. You can review your VPN policies in the
Policy window, on the VPN Policies tab.
Explanation: Your security gateway may be the target of a distributed denial of service
attack. The attacker’s goal is to significantly hamper, or completely bring
down all services the security gateway offers. Attacks of this nature are
costly in both time and revenue if the security gateway is down for any
period of time.
Action: To defend yourself against this type of attack, use filters to block packets
originating from a specific source address, and bound to a defined
destination. You can create and review filters by clicking on the Filters tab
in the Policy window.
You can also enable some specific security checks on the interfaces
themselves, including SYN flood protection, spoof protection, and port
scan detection. Configure these options in the Policy window, on the
Advanced tab, in the Logical Network Interfaces section.
Explanation: Email is often the method used to transmit viruses. The security gateway
supports scanning email for viruses when the antivirus component is
licensed and enabled.
Action: To use the antivirus scanning capabilities of the security gateway, you
must configure three separate areas. Start by configuring the antivirus
scan server information in the SMTP proxy, which is found in the Location
Settings window, on the Advanced tab, in the Proxy section. Next, enable
antivirus scanning in the service group protocol, which is found in the
Policy window, on the Service Groups tab. Finally, ensure that the
application data scanning checkbox is checked in the rule. Rules are found
in the Policy window, on the Rules tab.
Explanation: You may want to restrict when trusted users can gain access to your
corporate resources. For example, you may have an administrator
available only during normal working hours, and want to limit
connections to that time period.
Action: You can place time restrictions on all connections. You should first create
the time period in the Policy window, on the Advanced tab, under Time
Periods. There are several pre-defined time ranges, and you can use one of
these or create your own. Once the time range has been established, you
select the time restriction in the rule. Rules are found in the Policy
window, on the Rules tab.
Explanation: You can use authentication as an added layer of protection, ensuring that
only properly authorized individuals have access to services. For example,
you may delegate that a handful of people are the only ones who should
have access to FTP, reducing the possibility of accidently transferring the
wrong file to your internal network (possibly a virus or Trojan horse). By
enforcing an authentication check on these types of services, only
authorized individuals will have access.
Action: To establish any type of authentication, you must first ensure that the
authentication method has been defined. Several methods are included by
default. Some of the extended authentication methods, such as PassGo
Defender, LDAP, and RSA SecurID require additional configuration. You
can use OOBA for any authentication method that does not support
inband authentication. You can find authentication setup information in
the Locations Settings window, on the Advanced tab, under the
authentication section.
Bellcore S/Key and gateway password authentication are configured in the
user record found in the Location Settings window, on the User tab.
Configure all other authentication forms in the rule definition, which can
be found in the Location Settings window, on the Rules tab.
Action: You should periodically view the Symantec support Web site at http://
www.symantec.com/techsupp for any new hotfixes that are necessary for
your security gateway.
Explanation: Always backup your security gateway configuration. You should do this
initially when the system is configured, periodically depending on how
often changes are made to the security gateway, and prior to any major
change (such as joining SESA).
Action: Creating a backup of the system is done by selecting Backup from the
Action menu.
Action: If this is the first time running the System Setup Wizard, there is an
option to perform a restore. You can use this option only if you are
migrating a configuration from a Symantec Enterprise Firewall v7.X. If
you have a version prior to v7.X, you must first migrate from that version
to v7.X.
You can choose to restore a working security gateway with a previously
saved backup at any time by selecting Restore from the Action menu.
36 Introducing the security gateway
Logging on
Explanation: With new threats appearing daily, it is important that you frequently
update the content filtering components with the latest definitions,
signatures, and URLs.
Action: Systems that have licensed content filtering updates will regularly contact
Symantec’s LiveUpdate servers for any new updates. You can review what
licenses you currently have installed by looking in the System window, on
the Features tab. You should also review your LiveUpdate configuration in
the Location Settings window, on the Advanced tab. Here you will see
which services are scheduled to update automatically, and you can
configure the each parameter.
Logging on
To log on to the security gateway, you can use the desktop icon on the local
system, browse to the SGMI, or remotely log on (to a Solaris system) using the
secure remote login (SRL) utility.
Local logon
To log on to the security gateway, either click on the Symantec Enterprise
Firewall icon on your desktop or browse to the security gateway at https://<IP
Address>:2456/. In the Log on dialog box, type your administrator’s name and
password and click Log on.
Introducing the security gateway 37
Changing passwords
If the browser cache version is older or newer than that of the security gateway,
you may be prompted to close the browser and clear the JAR cache.
Remote logon
To use SRL to log onto the security gateway, you must first copy the client
software from the security gateway product CD. The client is in a file called
srl.zip. When unzipped on the local machine, the executable file is srlclient8.exe.
2 In the Login dialog box, in the User text box, type the user name.
3 In the Password text box, type the SRL password.
4 In the Shared Secret text box, type the shared secret.
The shared secret is configured in the Location Settings window, on the
Advanced tab, under System Parameters.
Changing passwords
To change the admin password, the root password, or the SRL shared secret on
the security gateway, use one of the following procedures.
Note: Changing the root password can only be done on Solaris security
gateways.
38 Introducing the security gateway
Changing passwords
2 In the Change Root Password dialog box, in the Current root password text
box, type the current root password.
3 In the New root password text box, type the new root password.
4 In the Verify root password text box, type the new root password again.
The shared secret appears as a string of asterisks. To view the shared secret
in the text box, click Reveal. The button then changes to a Hide button.
4 Click Apply.
Enable To enable the machine account, check Enable. This check box
is checked by default.
Address In the Address text box, type the address of the machine
account.
Password In the Password text box, type the password for the machine
account. The password appears as string of asterisk (*)
characters.
Confirm Password In the Confirm Password text box, type the machine account
password again for confirmation. The password does not
appear in clear text
Last Password In the Last Password Change text box, the date of the most
Change recent password change is displayed.
■ To let the remote machine account add entries to the Blacklist file,
check Manage Blacklist.
This check box is checked by default.
6 On the Blacklist tab, do the following:
■ In the Port text box, type the port number to use to connect to the
Blacklist.
The default is port 426.
■ In the Timeout text box, type the Blacklist timeout value in minutes.
The default is 1440 minutes (24 hours).
7 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
8 Click OK.
9 Click Apply.
10 On the Action menu, select Activate Changes.
The machine account is now configured for use.
Last password The Last password change field indicates the last time the
change password was changed. This field is read-only.
2 In the right pane, on the System Information tab, you can view information
about the security gateway, including version, installation date and time,
and system parameters.
48 Introducing the security gateway
Configuring licensed features
3 In the License Summary table, you can review the status of the various
licensed features on your security gateway.
The information displayed includes whether or not the license is in effect,
the start and expiration dates of the license, and any limitations on the
terms of the license. This License Summary table is read-only.
3 In the License Usage table, you can monitor the usage of licensed features
on your security gateway.
The information displayed includes the number of security gateway servers
and clients, the number of licensed tunnels being used, the number of
configured clusters, etc. The limits on each licensed feature are also listed.
The information in the License Usage table is read-only.
4 In the Properties window, you can view the attributes of the installed
license.
All information in this Properties window is read-only.
5 Click OK.
6 To install a new license, click Install.
The License Installation Wizard opens. The System ID is listed on the first
page. You will need this ID during the installation.
7 Click Next.
8 In the Upload License Files dialog box, click Upload File.
9 In the Upload License File dialog box, click Browse to browse to the license
file.
Introducing the security gateway 53
Configuring licensed features
3 In the System Features window, you can enable or disable the various
licensed features on the security gateway by checking the appropriate check
boxes.
The check boxes associated with features for which you have a valid license
are checked by default.
4 Click Apply.
5 On the Action menu, select Activate Changes.
The licensed features are configured for use.
General administration
This section describes the following administrative tasks:
Introducing the security gateway 55
General administration
■ Confirmation panel
This panel displays the configuration created by the System Setup Wizard
and lets you either make changes to it or activate it.
4 In the Machine Settings panel, in the Time zone drop-down list, select the
appropriate time zone.
Introducing the security gateway 57
General administration
5 To edit the system’s date and time (in the format 3/8/04), click the calendar
icon.
Note: You must set the date and time. Failing to set the date and time could
impact your product license and other product features.
8 Click OK.
58 Introducing the security gateway
General administration
9 Click Next.
11 Click Next.
15 In the Upload License File dialog box, in the File path text box, type the path
for the license file or click Browse to browse to it, and then do the following:
■ Select a license file, then click Upload File.
■ Repeat this process for all license files.
Introducing the security gateway 61
General administration
17 In the System Features panel, select the system features you want enabled
on this system.
The options are:
■ Firewall (this is always enabled and cannot be disabled)
■ Gateway-to-Gateway VPN
■ Symantec Client VPN support
■ High Availability/Load Balancing (HA/LB)
■ Content filtering
62 Introducing the security gateway
General administration
18 Click Next.
19 In the Network Interfaces panel, you must provide the security gateway
interface information.
You must specify at least one inside and one outside interface. You may
specify additional interfaces as needed. For each interface, do the following:
Interface type Select the interface type. The options are Outside or
Inside.
Heartbeat interface If you elected to enable the HA/LB option in the
previous panel, in the Heartbeat Interface drop-down
list, select Yes if this interface is the heartbeat of a
cluster.
Introducing the security gateway 63
General administration
Enable external ping To enable external pings, check Enable external ping.
By default, the ping proxy disables pings from external
hosts through the security gateway interfaces. The
setting of this check box applies to all outside
interfaces. You can also change this setting in the Ping
proxy Properties window.
20 Click Next.
21 If this is the first time running the System Setup Wizard, in the Optional
Security Gateway Configuration panel, check the appropriate check boxes to
configure:
■ SMTP mail services
■ HTTP and FTP services
If this is not the first time running the System Setup Wizard, click Next to
skip to step 27.
22 Click Next.
23 If you elected to configure SMTP mail services, in the SMTP Mail Services
panel, do the following:
64 Introducing the security gateway
General administration
Allowing multicast Generally, you should not allow multicast (UDP-based) traffic on
traffic on an interface the security gateway system interfaces. If you do not allow this
type of traffic, the security gateway will not listen for it on any
port. However, you must allow multicast traffic if the host is
running OSPF routing or some other custom application that
requires it.
Port scanning A common method for attacking a site is to connect to port after
capabilities port until a weakness is found. Port scan detection registers a
message (number 347) when an attempt is made to connect to an
unused or disallowed port (less than 1024). This message logs
the source and attempted destination of the connection.
Provide recursion and Defining the IP address of an outside interface as private will
expose private DNS allow outside hosts to access the private network topology. In
information most cases, you should not define a DNS record for your outside
interface. If a DNS record does not exist for the outside interface,
it is considered public.
66 Introducing the security gateway
General administration
2 In the right pane, on the Advances tab, click Logical Network Interfaces.
3 Below the table, click New Logical Network Interface.
Introducing the security gateway 67
General administration
7 On the Filters tab, in the Input Filter drop-down list, select a filter with
which to filter traffic entering the interface.
The selections are None, Sample_Denial-of-Service_filter, and any filters
you have pre-configured. The default is None.
8 In the Output Filter drop-down list, select a filter with which to filter traffic
leaving the interface.
The selections are None, Sample_Denial-of-Service_filter, and any filters
you have pre-configured. The default is None.
9 On the Description tab, you can add a more detailed description of the
interface than you typed on the General tab in the Caption text box.
10 Click OK.
11 In the Logical Network Interfaces window, click Apply.
12 On the Action menu, select Activate Changes.
The logical network interface is now configured for use.
Note: To configure a new network interface, run the System Setup Wizard.
See “Using the System Setup Wizard” on page 39.
4 In the Caption text box, you can type a brief description of the network
interface.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 In the Network Interfaces window, click Apply.
8 On the Action menu, select Activate Changes.
The network interface is now configured for use.
Configuring routes
You must properly configure routing on your network to let information move
from machine to machine. This section describes what routes are and tells you
how to define routes on your security gateway.
A properly constructed routing table lets your security gateway system locate
and work with other IP routers on the network. The security gateway uses the
internal routing table to find the appropriate router to which to send packets.
This table must be manually configured, as the security gateway does not
support dynamic routing protocols.
Two types of network topology can exist behind the security gateway system, a
routed network and a flat network.
72 Introducing the security gateway
General administration
■ A routed network has more than one subnet behind the security gateway
inside network, and these other networks are behind routers or security
gateways.
■ A flat network has all hosts on the same LAN as the security gateway. There
is no router or security gateway system behind it and therefore there are no
static routes.
206.7.13.20
206.7.13.23 206.7.13.22
192.168.1.62
The inside interfaces on the security gateway should not have a default gateway
specified. For a complete discussion on routing, consult the Reference Guide.
Note: For the routed network to work properly, the router or routers must be
properly configured. Use the ping command to check the ability of computers on
routed networks to successfully connect to and see machines on other networks.
You can configure static routes from the Security Gateway Management
Interface (SGMI) or from a command prompt. For the security gateway, use the
SGMI.
To configure routes
1 In the SGMI, in the left pane, click System.
74 Introducing the security gateway
General administration
3 Click Properties.
Next Hop Type the IP address of the router that serves as the
default gateway for the network. In Figure 1-1, for
example, the router at 192.168.1.62 would be the next
hop for traffic destined for the 192.168.3.x network.
Caption Type a brief description of the route.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 In the Routes window, click Apply.
8 On the Action menu, select Activate Changes.
The route is now configured for use.
6 Click Next.
7 If your security gateway is configured with more than one inside interface,
in the HTTP and FTP Services panel, in the Inside Interface drop-down list,
select the dedicated inside interface for HTTP and FTP rules.
You only get prompted for an interface selection if your security gateway is
configured with more than one inside interface.
8 Click Next.
9 In the Confirmation panel, to validate the configuration of your email,
HTTP, and FTP services, click Finish.
After a few seconds, the status of each of the tasks in the Task list will
appear in the Status list.
10 If the configuration is successful, click Close.
If the configuration is unsuccessful, click Back to revisit and correct the
invalid part of the configuration.
11 On the Action menu, select Activate Changes.
Interval between scans Specifies the number of seconds that are allowed to elapse in
between scans for active processes. The default is 10 seconds.
Increasing this default reduces the amount of CPU time
consumed for performing restart checks but increases the time it
takes to detect failed daemons.
Retry Period Specifies the number of seconds that are allowed to elapse
between the time a process restart on a daemon is first
attempted to when the restart functions stops trying to restart
the process. The default is 3600 seconds (one hour). This
parameter is used in conjunction with the Maximum number of
retries parameter to control the restart rate threshold.
Failure Log Threshold Controls the number of times the restart function logs a message
from a particular process failing to restart. The default is one.
Once a process has failed to restart this number of times, no
further messages appear in the logfile about this process not
restarting. This does not affect how many times a process that
has been successfully restarted is logged.
3 In the Services table, click Process Restart, and then click Properties.
Interval between Type the time interval (in seconds) between scans for
scans stopped processes. The default is 10 seconds.
Failure Log Type the number of times the restart function will log a
Threshold failed restart of a particular process. The default is one.
This value does not affect the number of times a
successful restart is logged.
Caption Type a brief description of the process restart service.
Use Default
80 Introducing the security gateway
General administration
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 In the Services window, click Apply.
8 On the Action menu, select Activate Changes.
Process restart is now configured for use.
Hotfix management
Periodically, Symantec issues hotfixes, which provide additional functionality
or increased performance for the security gateway. The hotfix utility lets you:
■ Install a hotfix
■ Uninstall a hotfix
■ List active hotfixes
■ List installed hotfixes
To install a hotfix
1 Download the hotfix from Symantec’c Web site (www.symantec.com/
techsupp).
2 In the SGMI, on the Action menu, select Hotfix.
Introducing the security gateway 81
General administration
■ Configuring users
For each network entity you create, in the Properties window, on the General
tab, in the Read Only text box, you can view the read/write status of the network
entity. If the display reads false, the network entity can be edited. If the display
reads true (as in the Universe network entity), the network entity is read-only
and cannot be edited.
3 Click Properties.
4 In the Properties window, in the Type drop-down list box, the network entity
type you selected is displayed.
You can change the entity type, but the default entity name remains.
5 On the General tab, do the following:
MAC address In the MAC address text box, optionally type the MAC
address of the host. Typing a MAC address associates
the IP address with a specific network adapter for added
security
6 On the Spoof Protection tab, in the Excluded interfaces list, select the
interface through which you expect to access the host and click the right-
arrow >> button to move it to the Included interfaces list.
Packets arriving on another interface will be rejected
86 Understanding security gateway concepts
About network entities
7 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
8 Click OK.
9 In the Network Entities window, click Apply.
10 On the Action menu, select Activate Changes.
The host entity is now configured for use.
4 In the Properties window, the Type drop-down list displays the network
entity type you selected.
You can change the entity type, but the entity name remains.
Understanding security gateway concepts 87
About network entities
6 On the Spoof Protection tab, in the Excluded interfaces list, select the
interface through which you expect to access the subnet and click the right-
arrow >> button to move it to the Included interfaces list.
Packets arriving on another interface will be rejected.
7 On the Description tab, you can add a more detailed description than you
typed in on the General tab the Caption text box.
8 Click OK.
9 In the Network Entities window, click Apply.
10 On the Action menu, select Activate Changes.
The subnet entity is now configured for use.
2 In the right pane, on the Network Entities tab, click New Network Entity >
Domain Name Network Entity.
3 Click Properties.
4 In the Properties window, the Type drop-down list displays the network
entity type you selected.
You can change the entity type, but the entity name remains.
5 On the General tab, do the following:
Entity name In the Entity name text box, type a name for the network
entity.
Domain name In the Domain name text box, type a name for the
domain.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Network Entities window, click Apply.
9 On the Action menu, select Activate Changes.
The domain entity is now configured for use.
Understanding security gateway concepts 89
About network entities
4 In the Properties window, the Type drop-down list displays the network
entity type you selected.
You can change the entity type, but the entity name remains.
5 On the General tab, do the following:
Name In the Name text box, type a name for the network
entity.
Address type In the Address type drop-down list, select the type of
address you want to use for the security gateway.
The choices are: Interface, VIP, IP address, and Domain
Name.
Enable IKE (Internet Key It enable the use of IKE policies on tunnels to the
Exchange/ISAKMP) security gateway, check Enable IKE (Internet Key
Exchange ISAKMP).
This feature is enabled by default.
Phase 1 ID In the Phase 1 ID text box, type the Phase 1 ID for tunnel
negotiation.
Share secret If you are using a shared secret, click Shared Secret and,
in the Shared Secret text box, type the shared secret
used for tunnel negotiations.
The shared secret must be between 20 and 63 printable
characters. Braces ({}) cannot be used. The shared secret
appears as a string of asterisks (*) unless you click
Reveal. When you click Reveal, the button becomes a
Hide button.
This option button is greyed out if you are using an
interface or VIP as the Address type
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the Network Entities window, click Apply.
11 On the Action menu, select Activate Changes.
The security gateway entity is now configured for use.
2 In the right pane, on the Network Entities tab, click New Network Entity >
Group Network Entity.
3 Click Properties.
4 In the Properties window, the Type drop-down list displays the network
entity type you selected.
You can change the entity type, but the entity name remains.
5 On the General tab, do the following:
6 On the Network Entity tab, select network entities from the Excluded
interfaces list and click the right-arrow >> button to move them into the
Included interfaces list to add them to the group entity.
7 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
8 Click OK.
9 In the Network Entities window, click Apply.
10 On the Action menu, select Activate Changes.
The group entity is now configured for use.
4 In the Properties window, the Type drop-down list displays the network
entity type you selected.
You can change the entity type, but the entity name remains.
5 On the General tab, do the following:
7 Click Add.
8 To remove a pairing from the table, highlight it, and then click Remove.
9 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
10 Click OK.
11 In the Network Entities window, click Apply.
12 On the Action menu, select Activate Changes.
The VPN security entity is now configured for use.
Configuring users
The Users tab lets you define various mechanisms to authenticate users trying
to connect directly to the security gateway or through secure tunnels.
You can define user accounts to control access to your networks by specific
users. A user is defined by a unique user name and user ID.
96 Understanding security gateway concepts
Configuring users
To configure users
1 In the SGMI, in the left pane, click Location Settings.
2 In the right pane, on the Users tab, click New User Account.
Understanding security gateway concepts 97
Configuring users
Enable To enable the user, check Enable. This check box is checked by
default.
User Type a name for the user. The name cannot contain spaces.
Full name Type the full name of the user. This entry helps you
differentiate between users with similar names.
Password Type a password for the new user. This is the passwords used
by the gateway password authentication method.
It is not required if you are using another means of
authentication. Passwords must have at least 10 characters,
and should contain upper and lowercase letters, and at least
one punctuation mark.
You can change the user and Bellcore S/Key password
requirements by clicking on System Parameters on the
Advanced tab in the Location Settings window.
Configure S/Key To enable the use of S/Key authentication with the new user,
check Configure S/Key.
Minimum number of Type the number of days before a user password must be
days between changed. The default is 0, which means the user will not need
password changes to change the password.
Maximum number of Type the number of days the user password is valid. The
days of password default is 0, which means the user password will not expire.
validity
Warning period Type the number of days prior to password expiration that the
(days) user will be warned about the expiration. The default is 0,
which means no warning will be issued.
Account expiration Select the date on which you want the user account to expire.
date The default is today’s date.
100 Understanding security gateway concepts
Configuring users
IKE enabled To make the user an IKE-enabled user, check IKE enabled.
This check box is unchecked by default. When it is checked,
the user’s computer can act as the remote endpoint of a VPN
tunnel.
Phase 1 ID If you checked IKE enabled, in the Phase1 ID text box, type a
Phase 1 ID for first key tunnel negotiations with the local
security gateway.
This entry can be the IP address of the security gateway, the
fully-qualified DNS name of the security gateway, or the user
name. It defaults to the user name. However, it must match
the Phase 1 ID used in the Security Gateway network entity
Properties window.
Understanding security gateway concepts 101
Configuring users
Reveal To display the shared secret, click Reveal. When you click
Reveal, the shared secret appears in clear text and the button
becomes a Hide button.
Password In the S/Key Setup dialog box, in the Password text box, type a
password.
S/Key passwords must be at least ten characters in length and
must contain both upper and lower case letters and should
contain at least one numeral and at least one punctuation
mark.
You can change the S/Key password requirements by clicking
on System Parameters on the Advanced tab in the Location
Settings window.
7 Click OK.
When you return to the S/Key tab, the Seed value text box contains a
randomly-generated value. For connections requiring S/Key authentication,
the security gateway prompts the user with this seed value and the iterative
count. The user enters these values, along with the password, to an S/Key
password generation program running locally. The password generator
responds with a six-word, one-time password string.
8 To clear the Seed value and Date generated text boxes, click Revoke S/Key.
104 Understanding security gateway concepts
Configuring users
9 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
10 Click OK.
11 In the Users window, click Apply.
12 On the Action menu, select Activate Changes.
The user is now configured for use.
Importing users
Using the Import Users selection on the Action menu, you can add large
amounts of user information to your configuration files from your existing
corporate database. By converting user account data into a specific format that
the security gateway understands, you can import this information without re-
keying. Importing users allows you to copy and update user passwords,
authentication keys, and mobile data from an intermediate file that you create
called pkimpuser.
Note: You must have a user group pre-configured before importing users to
include in it.
Using the example above, the following table lists the information that must
appear in each of the eight fields in the pkimpuser file. Each user entry must be
a single line.
2 In the right pane, on the Groups tab, click New User Group.
108 Understanding security gateway concepts
Configuring user groups
3 Click Properties.
Enable To enable the user group, check Enable. This check box
is checked by default.
User Group Name Type the name of the user group. The name cannot
contain spaces.
5 On the Users tab, in the Excluded users list, select the users you want to
include in the user group and click the right-arrow >> button to move them
into the Included users list.
6 To remove users from the Included users list, select them and click the left-
arrow << button to move them into the Excluded users list.
110 Understanding security gateway concepts
Configuring user groups
User Distinguished Name Type the Distinguished Name (DN) of the user group.
(DN) includes This is used for authenticating VPN clients with X.509
client certificates. When this method is used, the
security gateway first makes sure that the certificate is
valid. It then determines whether the user belongs to
the group by checking whether the certificate’s subject
contains this user DN value.
An example user DN value might be: ou=Sales,
o=Symantec, c=US.
Issuer Distinguished Name Type the Distinguished Name (DN) of the LDAP server.
(DN) includes This is used for authenticating VPN clients with X.509
client certificates. When this method is used, the
security gateway first makes sure that the certificate is
valid. It then determines whether the user belongs to
the group by checking whether the certificate’s issuer
contains this issuer DN value.
An example issuer DN value might be: o=Symantec,
c=US.
Understanding security gateway concepts 111
Configuring user groups
Enforce group binding To enforce group binding, click Enforce group binding.
This check box is unchecked by default.
DNS Primary Server Type the IP address or fully-qualified domain name of the
primary Domain Name System server.
WINS Primary Server Type the IP address or fully-qualified domain name of the
primary Windows Internet Naming Service server.
112 Understanding security gateway concepts
Configuring service groups
9 On the Description tab, you can add a more detailed description than you
typed in the on the General tab in the Caption text box.
10 Click OK.
11 In the User Groups window, click Apply.
12 On the Action menu, select Activate Changes.
The user group is now configured for use.
All <all>
FTP ftp
Mail smtp
News nntp
Telnet telnet
Web http
Understanding security gateway concepts 113
Configuring service groups
2 In the right pane, on the Service Groups tab, click New Service Group.
114 Understanding security gateway concepts
Configuring service groups
To remove a protocol, highlight it in the Included protocols list and click the
left arrow << button.
6 On the Description tab, you can add a more detailed description of the
service group than you typed on the General tab in the Caption text box.
7 Click OK.
8 On the Service Groups tab, click Apply.
9 On the Action menu, select Activate Changes.
The service group is now configured for use.
4 Click Configure.
File Reading Allowed Lets users read files or query attributes of files on a System
Message Block (SMB) server. This is useful for setting up
public directories for download purposes only.
File Printing Allowed Lets users perform print operations or connect to print
shares on an SMB server.
File Renaming Allowed Lets users and applications rename or move files on an SMB
server.
File Writing Allowed Lets users write or copy files or create directories on an
SMB server. This is useful for setting up public directories
for upload purposes only.
File Deleting Allowed Lets users and applications delete files or directories from
SMB servers.
File Access Allowed Lets users connect to file shares on an SMB server.
File Permission Change Lets users and applications change model attributes of any
Allowed file on an SMB server.
Understanding security gateway concepts 117
Configuring service groups
File Generic Access Lets users connect to any kind of shared resource not
Allowed covered by the File Printing Allowed, Pipe Use Allowed, File
Access Allowed, and COM Port Access Allowed services.
CIFS clients using generic access to connect to CIFS servers
for administrative purposes allow the server to validate
that the client machine is in the same domain. To prevent
this traffic from going through the security gateway, make
sure File Generic Access Allowed is not checked. However,
once it is disabled, if the client and server are in different
domains, file and print sharing between these machines
will not work.
File Directory Access Lets users and applications obtain directory listings.
Allowed
Pipe Use Allowed Lets applications use named pipes over an SMB connection.
Named pipes are used for a variety of applications,
including remote management, network printer sharing,
and SQL server. If this check box is not checked in your
CIFS rule, these applications cannot be passed through the
security gateway. If you don’t want your inside systems
managed remotely by outside clients, but you have CIFS
enabled in a rule that lets outside users connect to inside
CIFS servers, make sure this check box is not checked for
that rule.
COM Port Access Lets users connect to shared communication devices such
Allowed as serial ports.
SMB Operation Logged Perform an audit log of all SMB operations. This can cause
performance degradation under heavy loads. This is
unchecked by default.
6 In the Caption text box, type a brief description of the CIFS service group.
7 On the Description tab, you can add a more detailed description of the CIFS
service group.
8 Click OK.
9 In the Service Groups window, click Apply.
118 Understanding security gateway concepts
Configuring service groups
4 On the General tab, in the Caption text box, type a brief description of the
FTP service group.
5 To allow FTP put operations, check Allow FTP Puts.
This check box is checked by default.
6 To allow FTP get operations, check Allow FTP Gets.
Understanding security gateway concepts 119
Configuring service groups
2 In the right pane, on the Service Groups tab, click Web, and then click
Properties.
3 On the Protocols tab, in the Included protocols list box, highlight http, and
then click Configure.
4 On the Parameters for http Properties window, on the General tab, in the
Caption text box, type a brief description of the HTTP service group.
5 On the Protocols tab, do the following:
Allow HTTP To enable HTTP, check Allow HTTP. This check box is checked
by default. Uncheck this check box if you want to require the
use of SSL.
Allow Upload To enable HTTP post and put requests, check Allow Upload.
This check box is checked by default.
Understanding security gateway concepts 121
Configuring service groups
Allow HTTP over To enable HTTPS, check Allow HTTP over valid SSL on the
valid SSL on the following ports and select the ports to use. The choices are:
following ports
All ports (the default)
Standard ports (443/563)
Ports named in the following list
The check box is unchecked by default. To use non-standard
ports for proxied connections, type the port numbers in the
Port text box and click Add. To modify or delete a port
number, highlight it in the list box and click Modify or Delete.
While this check box applies to transparent and proxied
connections, the port options apply only to proxied
connections. They refer to the port specified in the URL that
was requested by the user.
Allow DCOM Over To enable Distributed Component Object Model (DCOM) over
HTTP HTTP, check Allow DCOM Over HTTP.
DCOM is a binary protocol layered over RPC and designed to
enable COM-based components to interoperate across
networks. This check box is unchecked by default.
For DCOM to work, the connecting client must be able to reach
the server by its actual IP address. Therefore, it is necessary to
create client-side transparency using an address transform on
the system depending on whether the DCOM connection is
incoming or outgoing (server-side transparency is exists by
default). Note that DCOM normally uses dynamic port
allocation, but because you are sending DCOM over HTTP, it
uses the designated HTTP ports.
Allow FTP protocol To enable FTP protocol conversion, check Allow FTP protocol
conversion conversion.
This check box is unchecked by default. This option allows the
system to handle FTP URLs. The same authentication that can
occur in normal HTTP requests can occur here, but file name
extensions, Java, and allowed URL filtering will have no effect
on these connections.
3 On the Protocols tab, in the Included protocols list box, highlight nntp and
click Configure.
4 On the Parameters for NNTP Properties window, on the General tab, do the
following:
Loose Filter Policy Allowed To allow cross-posted messages, check Loose Filter
Policy Allowed.
A news message is often sent to several groups at once.
This is called cross-posting. As a default, any message
that has been cross-posted to a group on your denied list
will be dropped.
When this option is enabled, any message that is posted
to at least one of your allowed newsgroup profiles is
allowed through the security gateway. This check box is
unchecked by default.
5 On the Description tab, you can add a more detailed description than you
typed in the on the General tab in the Caption text box.
6 Click OK.
7 On the Action menu, select Activate Changes.
6 In the Caption text box, type a brief description of the service group.
7 On the Description tab, you can add a more detailed description of the
service group.
8 Click OK.
9 In the Service Groups window, click Apply.
10 On the Action menu, select Activate Changes.
4 On the Parameters for smtp Properties window, on the General tab, do the
following:
Soft Recipient Limit Type the maximum number of recipients who will be
handled on a single message.
The remainder are told to retry. This entry is typically
set to the total number of users behind the security
gateway. This does not impact the SMTP protocol, but it
makes it more difficult for someone interested in
sending spam. The minimum soft limit defined in the
SMTP RFC is 100. Although it is not recommended, you
can set a lower value. The default is 0, which means no
limit.
Understanding security gateway concepts 127
Configuring service groups
Hard Recipient Limit Type the maximum number of recipients who will be
handled on a single message.
If this limit is reached, the whole message is denied.
This limit should be set higher than the soft limit and
higher than the number of recipients of an average
legitimate message. The minimum hard limit defined in
the SMTP RFC is 100. Although it is not recommended,
you can set a lower value. The default is 0, which means
no limit.
Hide Internal Domain If you want to shield your internal domain name, type
the internal domain name.
If you use this entry, the source domain of mail
messages is hidden from outside users. Received lines
which match the hide domain name are replaced by
“private information removed.” Suppression is for a
single block of received header lines.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 Click Apply.
8 On the Action menu, select Activate Changes.
130 Understanding security gateway concepts
Configuring service groups
Chapter 3
Configuring DNS
This chapter includes the following topics:
This section describes the procedure to set up the name service for the host
system using the Domain Name Service (DNS) proxy.
When one system wants to contact another system on a network, the DNS
facilitates that contact by looking up the destination IP address based on the
computer name (name resolution). It can also look up the computer name based
on the IP address (address resolution).
The DNS proxy provides name resolution for computers both inside and outside
your network without compromising the privacy of your inside systems. You
should have a thorough understanding of DNS before attempting to configure it.
Note: Symantec does not support third party DNS servers on the system. If you
use a third party product, you must contact its manufacturer for support.
After checking that the DNS proxy is enabled, you can use the DNS Record
Properties window to do the following:
■ Provide the hosts filename to address mapping statements or copy an
existing hosts file to the system.
Configuring DNS 133
About the DNS proxy
2 In the right pane, on the DNS tab, in the Table menu, click New DNS Record
and select the type of DNS record you want to create.
3 Click Properties.
The information you need to supply in the Properties window depends on
the type of DNS record you created.
domains, the term authoritative means that the outside address of the system is
registered as an authoritative DNS server for your domain.
You can make the DNS proxy authoritative for both public and private requests
as illustrated within the xyz.com domain in the example network. The domain
“xyz.com” is specified in both hosts and hosts.pub as authoritative. The DNS
proxy deals with requests within xyz.com without forwarding them.
206.7.7.14
206.7.13.20
Demo
206.7.13.23 206.7.13.22
192.168.5.0 192.168.1.17
Elaan
192.168.5.1
192.168.1.62
4 In the Properties window, in the Type drop-down list, the type of DNS record
you selected is displayed.
■ To point external mail systems to the appropriate address for your mail
server, usually the outside address of the security gateway, select
Public.
Private is the default.
8 In the IP address text box, type the IP address of the mail server.
9 In the Caption text box, type a brief description of the DNS record.
10 On the Aliases tab, you can configure aliases by typing them into the Alias
text box and clicking Add.
11 On the Domains Served tab, you can configure the domains for which the
mail server will provide service by typing the domain name in the Domain
text box and clicking Add.
12 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
13 Click OK.
14 In the DNS Records window, click Apply.
15 On the Action menu, select Activate Changes.
The DNS mail server record is now configured for use.
4 In the Properties window, in the Type drop-down list, the DNS record type
that you selected is displayed.
9 In the Caption text box, type a brief description of the DNS record.
10 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
11 Click OK.
12 In the DNS Records window, click Apply.
13 On the Action menu, select Activate Changes.
The DNS recursion is now configured for use.
6 In the Server name text box, type the fully-qualified domain name for the
DNS root server.
7 In the Accessibility text box, the Private status is displayed.
8 In the Caption text box, type a brief description of the DNS record.
9 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
10 Click OK.
11 In the DNS Records window, click Apply.
12 On the Action menu, select Activate Changes.
The DNS root server record is now configured for use.
4 In the Properties window, in the Type drop-down list, the DNS record type
that you selected is displayed.
6 On the Domains Served tab, you can configure domains by typing the
domain name in the Domain text box and clicking Add.
7 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
8 Click OK.
9 In the DNS Records window, click Apply.
10 On the Action menu, select Activate Changes.
The DNS subnet record is now configured for use.
146 Configuring DNS
Dual-level DNS configuration
Note: Symantec does not support third party DNS servers on the system. If you
use a third party product, you must contact its manufacturer for support.
Consult the following table to decide whether a dual-level DNS is appropriate for
your site.
DNS server on the Use dual-level DNS. The DNS proxy cannot act as a
security gateway secondary DNS server.
host acting as a
secondary
■ Configuring rules
■ Understanding proxies
Configuring rules
Symantec security gateways control access to and from your private networks
by a set of rules created by the administrator. Basic rules include source and
destination entities and what interface or secure tunnel in and out of the
designated security gateway.
More complex rules can further define access by using time restraints and by
designating access to specific users or groups. You can use rules to control how
protocols control access to your system, as well as requirements for user
authentication.
You can control suspicious activity monitoring through the Rule Properties
window. Using designated alert thresholds, you can configure the system to
monitor suspicious connection attempts and to send alerts at various intervals.
The authorization rules you create form the framework of your security policy.
You can write general rules to cover a wide range of common connection cases
and then further refine those rules to make them more specific according to
your security needs.
For similarly-configured rules, the following rules of precedence apply:
■ Rules that define a Time Period take precedence over those with no Time
Period.
148 Enabling access
Configuring rules
■ Rules with more explicit source addresses take precedence. For example, a
rule with a host defined as the source takes precedence over a rule with a
subnet defined as the source.
■ Rules with source interface restrictions take precedence over rules without
source interface restrictions.
■ Rules with more explicit destination addresses take precedence. For
example, a rule with a host defined as the destination takes precedence over
a rule with a subnet defined as the destination.
■ Rules with destination interface restrictions take precedence over rules
without destination interface restrictions.
■ Rules that explicitly deny traffic supersede matching rules.
■ Rules with user restrictions override those without user restrictions.
■ Rules with authentication override those without authentication.
Before writing your rules, you should have configured the network entities that
you select for your rule.
Enabling access 149
Configuring rules
To configure a rule
1 In the SGMI, in the left pane, click Policy.
3 Click Properties.
Rule name Type a name for the rule. The name cannot contain spaces.
Enable To enable the new rule, check Enable. This check box is
checked by default.
Arriving through In this drop-down list, select the security gateway interface or
VPN tunnel which serves as the entry point for the traffic
defined by this rule. To configure a network interface, run the
System Setup Wizard or use the Logical Network Interface
window.
Source In this drop-down list, select the network entity that is the
source for the traffic defined by this rule.
Destination In this drop-down list, select the network entity that is the
destination for the traffic defined by this rule.
Enabling access 151
Configuring rules
Leaving through In this drop-down list, select the security gateway interface or
VPN tunnel through which the rule’s traffic will travel on the
outbound path.
Service group In this drop-down list, select the service group which defines
the protocols that make up the traffic defined for this rule.
5 On the Time tab, in the Time range drop-down list, you can select a time
range during which the rule is valid.
The default is <ANYTIME>.
6 On the Alert Thresholds tab, to activate alert thresholds, check Log
messages if thresholds are reached.
152 Enabling access
Configuring rules
9 On the Advanced Services tab, to enter special rule services that are not
included as part of the standard services, click Add.
The syntax must be correct and you will want to consult technical support
for the exact syntax required for the special rule service you are creating.
An example of this service would be where SMTP offers several antispam
options, it does not offer less common functions as limiting the length of
lines in the body of an SMTP message. To do this, type
smtp.max_body_line_length in the Parameter text box and click Add.
10 On the Authentication tab, do the following.
Enabling access 155
Configuring rules
Included users/ In the Included users and groups list boxes, to display a list of
Included groups users or groups that can be added to the Included list, click
Add. To remove a user or group, highlight the entry and click
Remove.
Excluded users/ In the Excluded users and groups list boxes, to display a list of
Excluded groups users or groups that can be added to the Excluded list, click
Add. To remove a user or group, highlight the entry and click
Remove.
11 On the Description tab, you can add a more detailed description of the rule
than you typed on the General tab in the Caption text box.
You can also use it to keep a log of changes made to the rule.
156 Enabling access
Configuring rules
Passing traceroute
To pass traceroute through the security gateway, create a rule and select a
service group containing the ping service. In the Properties window for that
rule, on the Advanced Services tab, type ping.preserve.ttl.
To pass traceroute
1 In the SGMI, in the left pane, click Policy.
2 In the right pane, on the Rules tab, click New Rule, and then click
Properties.
3 On the General tab, in the Service group drop-down list, select a service
group containing ping.
4 On the Advanced Services tab, in the Parameter text box, type
ping.preserve.ttl.
Enabling access 157
Configuring rules
5 Click Add.
machines both inside and outside the security gateway. Its associated IP address
is 0.0.0.0.
You can use the Universe entity to write a rule that applies to anything. An
example of this is a rule that carries out the task defined in the following
statement:
“Allow the Development Host to Telnet or FTP to any system, anywhere.”
To make writing this rule easy, the Universe entity is automatically transparent
for each of the interfaces flagged as internal during the system setup. All
transparent entities can be accessed directly by systems connecting to that
interface.
The Universe entity is a permanent part of the security gateway configuration.
You cannot delete, change, or rename it.
2 In the right pane, on the Rules tab, click New Rule or select an existing rule
to add antispamming parameters to it.
3 Click Properties.
4 On the Advanced Services tab, in the Parameter text box, type one of the
SPAM prevention settings described below.
Type the string exactly as shown to cause the effect described for your rule.
smtp.cscan.<profile> The presence of this entry in a rule causes all received lines
to be suppressed. This is somewhat dangerous because it
masks the true source of a message. If someone is using
your site as a spam relay, then you lose all trace
information. For this reason, this entry is discouraged
unless absolutely necessary.
Understanding proxies
An application proxy, also known as a proxy daemon, is an application that runs
on the security gateway and acts as both a server and a client, accepting
160 Enabling access
Understanding proxies
connections from a client and making requests on behalf of the client to the
destination server. The security gateway application proxies provide full
application inspection, performing protocol-specific security checks that are not
normally implemented in the client and server software for that protocol.
The security gateway provides application proxies for most of the popular
application protocols.
The protocols listed when you click Proxies on the Advanced tab in the Location
Settings window give you access to proxies Property windows. These property
windows let you configure variables for the security gateway’s many proxies on
a global level.
Services that have configurable proxies included with the security gateway are:
■ Common Internet File System (CIFS)
■ Domain Name Service (DNS)
■ File Transfer Protocol (FTP)
■ Generic Service Proxy (GSP)
■ H.323
■ Hypertext Transfer Protocol (HTTP)
■ NetBIOS Datagram (NBDGRAM)
■ Network News Transfer Protocol (NNTP)
■ Network Time Protocol (NTP)
■ Ping
■ Remote Command (RCMD)
■ Real-Time Streaming Protocol (RTSP)
■ Simple Mail Transfer Protocol (SMTP)
■ Telnet
New proxies are added with each new security gateway release or as patches
between major releases. For services that do not currently have a predefined
proxy, you can proxy connections by using the Generic Service Proxy (GSP).
The use of many of these proxies in service groups is described in configurations
throughout this guide. For proxies that are not described elsewhere, this section
also includes some examples of proxy configuration for rules.
Additional information on proxies is provided in the Reference Guide.
Enabling access 161
Understanding proxies
Enable To enable the CIFS proxy, check Enable. This check box is
checked by default.
Timeout (seconds) Use the buttons to select the CIFS proxy timeout interval in
seconds. This is the amount of time that can pass for a remote
response to be received before timing out. The default is 300
seconds (five minutes).
Local TCP Port Use the buttons to select the CIFS port number to be used for
Number incoming SMB packets. This is the port number the VPN
driver uses to remap the usual SMB port of 1039. If some
other process is already using port 1039, use this text box to
change this port to a port number that does not conflict. For
CIFS connections to clients using Microsoft Windows 2000,
set this to port 445.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 In the Proxies window, click Apply.
8 On the Action menu, select Activate Changes.
The CIFS proxy is now configured for use. You must reboot the security
gateway before using CIFS rules.
Retry Interval Specify a retry interval (in seconds). If the secondary server
fails to reach the master name server after the refresh
interval expires, then the secondary server tries to
reconnect to the master again after the amount of time
specified here. This value is usually shorter than the
refresh interval. The default is 3600 seconds (one hour).
Default Time To Live Specify a value to represent how long lookup answers are
cached by the name servers and name clients that query
the system for DNS lookups. The configurable range is
between 600 (10 minutes) and 86400 (24 hours). The default
is 3600 seconds (one hour).
Maximum Time To Live Specify a value to represent how often DNSD refreshes its
cache entries. This way, if a host receives an answer from a
DNS server that has a Time to Live that is longer than the
value designated here, DNSD sets the answer’s actual Time
to Live to the value entered here. The configurable range is
between 900 (15 minutes) and 2678400 (31 days). The
default is 604800 (seven days).
Serial Number Format Select a serial number format. Each time the DNS database
is modified on the host, it creates a unique identifier for the
copy it makes. DNSD uses the DNS “last modified”
timestamp as its identifier or Serial Number for the
database copy. The Serial Number Format field lets you
select a format for the timestamp identifier. It can be up to
10 characters. The default is yyyymmddHHM.
Public Hostname Type the host name if this is a public host. The default
LOCAL_HOST is a keyword that will be converted to the
default system’s fully-qualified domain name internally.
This is the DNS name that the system advertises itself as to
name servers and clients on the outside network.
Private Hostname Type the host name if this is a private host. The default
LOCAL_HOST is a keyword that will be converted to the
default system’s fully-qualified domain name internally.
This is the DNS name that the system advertises itself as to
name servers and clients on the outside network.
166 Enabling access
Understanding proxies
Location of Host Files Type the path to the DNS hosts and hosts.pub files. The
default (%SYSTEM_ETC%) will find the /etc directory on
most platforms.
Allow any host to Select the check box to allow zone transfers. This check box
perform a zone transfer is unchecked by default.
This check box controls whether zone transfers of
information are permitted to all hosts. This box must be
checked for this to occur. Also the nslookup ls command is
implemented by a zone transfer. If this check box is
enabled, users running nslookup can effectively perform a
zone transfer. In that case, you want to uncheck this
feature.
Log details of failed Select the check box to log failed DNS operations. This
DNS requests check box is unchecked by default.
This option provides useful information in the logfile for
troubleshooting DNS problems.
Verbose logging Select the check box to log all DNS activity. This check box
is unchecked by default.
This option provides further logfile information.
Enabling access 167
Understanding proxies
Deny outside RFC1918 Select the check box to deny RFC1918 addresses. This check
addresses box is unchecked by default.
When this check box is checked, lookup responses received
from the outside interface that contain such addresses
(RFC1918) are denied. If you are using reserved addresses
on the outside interface of your security gateway, uncheck
this check box.
Log RFC1918 failures Select the check box to log each RFC1918 address denial.
This check box is unchecked by default.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the Proxies window, click Apply.
11 On the Action menu, select Activate Changes.
The DNS proxy is now configured for use.
7 On the Timeout tab, in the Data Transfer Timeout for Data Connections text
box, type the timeout interval (in seconds) for FTP transfers.
This value sets a time limit on a connection if it remains inactive. After this
period of time, the connection is automatically closed. The default is 900
seconds (15 minutes).
8 On the Port Restrictions tab, select the level of FTP access by selecting one
of three option buttons:
■ Blocks data connections to ports < 1024
■ Blocks data connections to named ports < 1024
■ Allow data connections to all ports
Blocks data connections to ports < 1024 is the most restrictive setting
and is checked by default. Settings other than the default may allow
attacks based on low reserved port numbers.
9 On the Antivirus Scanning tab, configure the following:
Enabling access 169
Understanding proxies
Antivirus Scan Server Type the IP address of the remote antivirus scan server.
IP address
Antivirus Scan Server Type the port number for the antivirus scan server. The
Port default is port 1344.
Delete file if server is To delete files when the server is down, check this check
unavailable box. This check box is checked by default.
Comfort Buffer Size Type the maximum size (in KB) of the comfort buffer. The
default is 256 KB.
Comfort File Length Type the maximum length (in KB) of the comfort file. The
default is 15000 KB.
170 Enabling access
Understanding proxies
Scan Options Select the scan option. The options are Scan and Repair or
Delete and Scan and Delete. The default is Scan and Repair
or Delete. In the default state, the server only deletes files if
it cannot repair them.
If comforting is enabled on the rule, the antivirus
component will scan and delete only, regardless of this
setting.
Files to be scanned Select the files to scan for viruses. The options are All
except those in exclude list and All files. The default is All
except those in exclude list.
Exclude List To add a file type to the Exclude List, type the file type in
the File text box and click Add.
To delete or modify an entry in the Exclude List, highlight
the entry and click Delete or Modify.
To restore the Exclude List to its original state, click
Restore Default.
10 On the Description tab, you can type a more detailed description than you
typed on the General tab in the Caption text box.
11 Click OK.
12 In the Proxies window, click Apply.
13 On the Action menu, select Activate Changes.
The FTP proxy is now configured for use.
If you plan to select a GSP in a service group for any of your rules, you must
make sure that the relevant GSP service is enabled on the GSP Properties
window General tab. The four available check boxes are enabled by default.
Generally you should not have to change any existing GSP default settings.
Note: Custom or “generic” services include any service not supported by one of
the Symantec application proxies.
4 On the General tab, to enable the GSP proxy, check Enable GSP.
This check box enables TCP GSP services and is checked by default.
5 To enable TCP port ranges, check Enable TCP Port Ranges GSP.
This check box enables large port ranges (over 1000) to work when a TCP-
based GSP is selected in a rule. This check box is checked by default.
6 To enable GSP for UDP protocols, check Enable UDP GSP.
This check box enables UDP GSP services and is checked by default.
7 To enable GSP for IP Protocols, check Enable IP GSP.
This check box enables IP GSP services and is checked by default.
8 In the Caption text box, type a brief description of the GSP proxy.
172 Enabling access
Understanding proxies
9 On the Reserved Services tab, to enable the use of reserved services, check
Allow Reserved Services.
This option allows GSP to use Telnet and FTP ports. This is normally not
allowed to prevent misconfigurations. This check box is unchecked by
default.
10 On the Connection Timeout tab, in the TCP Timeout box, use the buttons to
select the GSP timeout (in seconds) for TCP connections.
This value determines the amount of inactivity time allowed for TCP-based
GSP connections before they are terminated. The default is 3600 seconds
(one hour).
11 In the UDP Timeout box, use the buttons to select the GSP timeout (in
seconds) for UDP connections.
This value determines the amount of inactivity time allowed for UDP-based
GSP connections before they are terminated. The default is 60 seconds (one
minute).
12 In the IP Timeout box, use the buttons to select the GSP timeout (in seconds)
for IP connections.
This value determines the amount of inactivity time allowed for IP-based
GSP connections before they are terminated. The default is 3600 seconds
(one hour).
13 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
14 Click OK.
15 In the Proxies window, click Apply.
Enabling access 173
Understanding proxies
Note: Data conferencing (chat, white board, and application sharing) through
the T.120 standard is fully supported.
The default is port 1720. This is the standard for H.323 requests. It should
only be changed if you have a conflict and are instructed to do so by
Symantec Technical Support.
7 In the Negotiated UDP Port Range Low box, use the buttons to select the
lower end of the port range for UDP data streams.
The default is 20000. The port range negotiated for RTP/RTCP UDP data
streams is 20000 to 30000. It should only be changed if you have a conflict
and are instructed to do so by Symantec Technical Support.
8 In the Negotiated UDP Port Range High box, use the buttons to select the
upper end of the port range for UDP data streams.
The default is 30000. The port range negotiated for RTP/RTCP UDP data
streams is 20000 to 30000. It should only be changed if you have a conflict
and are instructed to do so by Symantec Technical Support.
9 On the Security tab, select security gateway interfaces in the Strict Security
list and click the right-arrow (>>) button to move them into the Loose
Security list to allow connections without H.323 aliases.
Aliases are required to access all interfaces unless specified otherwise. A
Strict security policy, the default, will only connect the call if the h323alias
file contains the CalleeAliasName and a corresponding target hostname. A
Loose security policy allows users to supply the hostname (or IP address) of
the caller without requiring a successful lookup.
10 On the Miscellaneous tab, in the Timeout (seconds) list box, use the buttons
to select the timeout interval (in seconds) for H.323 connections.
Enabling access 175
Understanding proxies
If there is no activity for any H.323 session for this period of time, the H.323
session which has met this timeout is closed by the H.323 daemon. The
default is 300 seconds (five minutes).
11 To enable the socket linger feature, which defines how connections are
closed, check Enable Socket Linger.
Only enable in a controlled environment. This check box is unchecked by
default.
12 To enable tracing of debug information, check Enable Tracing.
Only enable in a controlled environment. This check box is unchecked by
default.
13 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
14 Click OK.
15 In the Proxies window, click Apply.
16 On the Action menu, select Activate Changes.
The H.323 proxy is now configured for use.
While several products use H.323, this section refers to two common products,
Microsoft NetMeeting and Intel Videophone. Configuration for other products
may vary.
Non-transparent connections
For non-transparent connections, you must do two things for the connection to
find its final destination:
■ Create an alias file
■ Establish an H.323 security gateway on the remote NetMeeting Client
(NetMeeting only)
In the figure below, the inside client’s address is hidden. The outside user sees
the outside interface of the host system.
NetMeeting
client
Security gateway
206.83.1.32
206.83.1.100
In this case, the connection that the external host sees is between the two
NetMeeting clients, but instead of revealing the 206.83.1.32 address of the
Enabling access 177
Understanding proxies
internal client, the security gateway provides only its own outside interface
address, that is, 206.7.7.14.
4 Click Properties.
5 In the Properties window, on the General tab, to enable H.323 aliases, check
Enable.
This check box is checked by default.
6 In the Alias Name text box, type the name of the H.323 alias.
The alias name must be all numeric for use with NetMeeting. The alias can
be an email address or alphanumeric characters for other clients.
7 In the Alias Replacement text box, type the alias to be used to replace the
name.
8 In the Destination Host text box, type the IP address or fully-qualified
domain name of the destination host.
9 In the Caption text box, type a brief description of the H.323 alias.
10 Repeat steps 6 through 9 for any additional aliases.
11 On the Description tab, you can add a detailed description of the alias
entries.
12 Click OK.
13 In the H.323 Aliases window, click Apply.
14 On the Action menu, select Activate Changes.
The H.323 alias is now configured for use.
accesses to the Internet. The address you type here applies to all HTTP
rules.
8 In the External Web Proxy Port drop-down list, select the port on which to
connect to the external Web proxy.
The default is port 8080.
9 On the Additional HTTP Connection Ports tab, type the additional ports (in
addition to the default port 80) that you want to use for HTTP connections
in the value text box and click Add to add them to the list.
To modify or delete an entry, highlight it and click Modify or Delete.
If you add additional ports, you must create a service group with the HTTP
protocol and the Use GSP check box unchecked.
10 On the Additional HTTPS Connection Ports tab, type the additional HTTPS
ports (in addition to the default port 443) that you want to use for HTTPS
connections in the Value text box and click Add to add them to the list.
To modify or delete an entry, highlight it and click Modify or Delete.
If you add additional ports, you must create a service group with the HTTP
protocol and the Use GSP check box unchecked.
11 On the Timeout tab, in the Timeout (seconds) list box, select the timeout
interval (in seconds) for HTTP connections.
182 Enabling access
Understanding proxies
If no data flows for this period of time, the connection is closed. If this field
is empty, connections will close after 600 seconds. The default is 600
seconds (ten minutes).
12 In the Keepalive drop-down list, select the keepalive timer interval (in
seconds) for HTTP connections.
This specifies the amount of time that a persistent HTTP connection will
stay open if it is idle. If a request is not made to the client during this time,
the connection is closed. The default is 120 seconds (two minutes).
13 On the Icons tab, in the URL text box, type the location of the icon directory
for the gopher and FTP protocol converters.
14 On the Default Extension tab, in the Extension text box, type the extension
you want to append to URLs when checking restrictions based on file names.
The default is .html.
15 On the Antivirus Scanning tab, do the following:
Enabling access 183
Understanding proxies
Antivirus Server Port Type the port number for the antivirus server
connection. The default is port 1344.
Comfort Buffer Size Type the maximum size (in KB) of the comfort buffer.
(KB) The default is 256 KB.
184 Enabling access
Understanding proxies
Comfort Buffer Type the maximum length (in KB) of the comfort file.
Length (KB) The default is 15000 KB.
Scan Options Select the action to take when a virus is detected. The
options are Scan and Repair or Delete and Scan and
Delete. The default is Scan and Repair or Delete. In the
default state, the antivirus server will attempt to repair
the infected file and will delete it if it cannot be
repaired.
If comforting is enabled on the rule, the antivirus
component will scan and delete only, regardless of this
setting.
Files to be scanned Select the file types that you want to scan. The options
are All except those in exclude list and All files. The
default is All except those in exclude list.
Exclude List Type a file type in the Value text box and click Add to
add it to the list. To edit or delete an entry in the
Exclude list, highlight it and click Modify or Delete.
Restore Default To restore the Exclude list to its original state, click
Restore default.
16 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
17 Click OK.
18 In the Proxies window, click Apply.
19 On the Action menu, select Activate Changes.
The HTTP proxy is now configured for use.
from the Primary Domain Controller (PDC) to the clients will not pass through
the specified tunnel, the NetBIOS Datagram proxy can resolve this problem. The
proxy inserts the IP address that needs to be seen by the PDC into the UDP
packet payload. The PDC is then able to send its response to the client using the
correct route.
8 For each of the mail slots you want to filter, check ExactMatchEnabled.
If the check box for an entry is checked, an exact match is required for entry.
If it is not checked, only a prefix match for that entry is required.
9 To add an entry to the mailslots table, click Add and type the new mailslot
name.
10 To delete a mailslot entry, highlight the entry, and then click Delete.
11 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
12 Click OK.
13 In the Proxies window, click Apply.
14 On the Action menu, select Activate Changes.
The NBDGRAM proxy is now configured for use.
The following commands are not supported by the NNTP proxy at this time:
CHECK, TAKETHIS, XINDEX, XPATH, XROVER, XTHREAD.
newsgroup for as long as this designated amount in order for the event to be
logged. The default is five seconds.
6 On the Servers tab, type the names of your internal NTP servers in the value
text box and click Add to add them to the Internal NTP Servers list.
These servers are used to synchronize the system clocks.
7 To modify or delete a server name, highlight it in the list and click Modify or
Delete.
8 To synchronize the security gateway clock, click Run Auto Configure.
This procedure may take several minutes to complete. During this process,
the security gateway must be connected to the external network.
You must point internal clients to the nearest interface of the security
gateway for NTP. They cannot query outside NTP servers. If you click Run
Auto Configure, the NTP daemon checks a list of the closest Internet NTP
servers to receive the correct time setting.
9 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
10 Click OK.
11 In the Proxies window, click Apply.
12 On the Action menu, select Activate Changes.
The NTP proxy is now configured for use.
192 Enabling access
Understanding proxies
Note: When the security gateway passes PING traffic, it does not send the
original client data payload in the echo request if the security gateway is not the
target of the ping. PINGD constructs a new echo request with a new sequence
number, time-to-live (affecting traceroute), and other new optional data so that
other protocols cannot be “tunneled” on top of the ICMP echo.
If the security gateway is the target of the ping, PINGD responds to the client
normally.
If the ping is sent through a tunnel, and you do not have that tunnel forcing
traffic through the proxies, then ping packets are sent unmodified.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Proxies window, click Apply.
9 On the Action menu, select Activate Changes.
The Ping proxy is now configured for use.
exec (rexec) You would use the exec service in a service group when you want to
permit a user to execute commands on a UNIX machine on your
network. The commands are executed from a remote machine. The
default port for this service is port 512.
login (rlogin) The login service is used when you want to allow a user to remotely
log into another UNIX machine. Typically, the login information is
based upon what is seen on the remote machine, not the local
machine. The default port for this service is port 513.
shell (rsh) The shell service in a service group corresponds to the rsh
command under UNIX. Most commonly, rsh is used to open a
remote shell to another UNIX machine, and to interact with that
machine. The default port for this service is port 514.
Note: When you create a rule for RTSP, you must define a service group which
contains both RTSP and HTTP and associate it with the rule or the protocol will
not work.
10 In the Bad sender regular expression text box, type the expression to match
against.
Any sender matching the expression you type is denied.
11 To verify that the email source is in a valid domain, check Check Sender
Domain.
This feature checks to ensure that the sender’s address is valid by checking
the format, ensuring the domain name is qualified, and checking whether a
NS address or MX record exists for the domain name. This check box is
unchecked by default.
12 To match email against known spam sites, check Use Black Hole List.
The Realtime Blackhole List (RBL) is kept by the Mail Abuse Protection
System project. It is a list of known spam originators. If you use this list, any
198 Enabling access
Understanding proxies
17 On the Smart Server tab, in the Smart Server text box, to relay outgoing mail
if the transparent server is unavailable, type the IP address of an external
Smart Server.
This is required only when you experience problems with internal mailers
not handling MX rollover.
18 On the ODMR tab, to enable the use of the Extended SMTP mail command
ATRN (authenticated turn) to provide on-demand mail relay, check Enable
On-Demand Mail Relay.
You should use this method to allow users to retrieve mail if your server uses
a dynamic IP address.
19 In the Port text box, type the TCP port on which on-demand mail relay
services are provided.
The default TCP port number 366 is the recommended port to provide on-
demand mail relay services. Do not change this port unless advised by
Symantec Technical Support.
200 Enabling access
Understanding proxies
Antivirus Server Port Type the port number to be used for virus scanning. The
default is port 1344.
Delete file if server is To delete files when the antivirus server is unavailable, check
unavailable Delete file if server is unavailable. This check box is checked
by default.
Reject invalid mail To reject invalid mail messages, click Reject invalid mail
messages messages.
Enabling access 201
Understanding proxies
Scan Options Select the action to take when an infected file is discovered.
The options are Scan and Repair or Delete or Scan and Delete.
If you select Scan and Repair or Delete (the default setting),
the antivirus server will attempt to repair the infected file and
only delete it if it cannot repair the file.
Files to be scanned Select the files to scan. The options are All except those in
exclude list or All files. The default is All except those in
exclude list.
Exclude List To add files types to the Exclude list, type the file type in the
Value text box and then click Add. To edit or delete files in the
Exclude list, highlight the file and click Modify or Delete.
Restore Default To restore the Exclude list to its original form, click Restore
default.
21 On the Description tab, you can add a more detailed description than you
typed on the Status tab in the Caption text box.
22 Click OK.
23 In the Proxies window, click Apply.
24 On the Action menu, select Activate Changes.
The SMTP proxy is now configured for use.
Note: Custom or generic services include any service not supported by one of the
Symantec application proxies.
By default, the Generic Service Proxy handles all service requests transparently.
These requests are proxied to their destinations as if the requester were directly
connected to the remote destination machine. All connections are subject to
gateway authorization rules.
Once defined, you can use generic services selected from the list in service
groups in addition to the standard services supported by the security gateway.
Like standard services (such as Telnet, FTP, and HTTP), custom generic services
appear to external hosts attempting to access them as ports on the security
gateway.
Protocols that are built in to the security gateway have their read-only property
set to true and only limited changes, such as enabling and disabling, can be
made.
User-created protocols have their read-only property set to false and all
protocol properties can be changed.
204 Enabling access
Configuring network protocols
2 In the right pane, on the Advanced tab, in the left side navigation list, click
Network Protocols.
3 Below the Network Protocols table, click New Network Protocol > IP-Based
Network Protocol.
Enabling access 205
Configuring network protocols
Protocol Name Type a name for the protocol. The name cannot contain
spaces.
Base Protocol Type Select a base protocol. The selections are TCP and UDP.
Destination Low Port Type the port number at the lower end of the range to use as
the protocol’s destination. Specifying zero here means any
port. That is the default. To specify a single port, enter a low
value here and leave the high port value at 0. To specify a port
range, specify both a low port and a high port value.
Enabling access 207
Configuring network protocols
Destination High Type the port number at the upper end of the range to be used
Port as the protocol’s destination. Specifying zero here means any
port. That is the default.
Source Low Port Type the port number at the lower end of the range to be used
as the protocol’s source. Specifying no port here means any
port. The default is port 1024.
Source High Port Type the port number at the upper end of the port range to be
used as the protocol’s source. Specifying no port here means
any port. The default is port 65535.
Read Only This field indicates whether or not the protocol can be
modified.
Use GSP To use the Generic Service Proxy to handle a protocol not
supported by the system proxies, check Use GSP. This check
box is checked by default.
Use Native Service To use the native service, check Enable Native Service.
Management requests directed at a system behind the
security gateway will come in on port 2456 by default. With
this option enabled, the security gateway changes the
destination port to 2457 before sending it up the stack. This
lets the packet pass through without being captured as a
management connection. When the new connection is created
to the true destination, both the real destination address and
port are substituted back and connection proceeds.
Native Service Port If you enabled native service, type the port number to be used.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Network Protocols window, click Apply.
9 On the Action menu, select Activate Changes.
The TCP/UDP-based protocol is now configured for use.
■ Understanding filters
■ Configuring LiveUpdate
Understanding filters
The security gateway provides packet filtering capabilities.
You can use filters to restrict the types of packets passing into or out of the host
system over a given interface or secure tunnel, based on the direction of the
transmission and the protocol being used.
You can use the Filters Properties window to create the following filtering
mechanisms:
■ Individual filters
■ Aggregations of filters or filter groups
Each filter is designated as either Allow or Deny. In general, you use Allow filters
and only add Deny filters to filter groups. This is because the purpose of Deny
filters is to refine the packet traffic allowed through an interface or tunnel. You
use a Deny filter to do this by using it in combination with an Allow filter
designed to permit a broad range of protocols.
When applied to tunnels, filters can restrict the services available, providing
finer-grained control of information distribution.
210 Controlling service access
Understanding filters
Note: Without filters, your tunnels and interfaces are wide open channels. But
once a filter is applied, unless there is an explicit allow filter, no traffic gets
through. This is because, by default, a filter denies all traffic. When you create
an allow filter, only the traffic you specifically designate is allowed. Therefore, if
you create a stand-alone deny filter that is not part of a group, it denies all
traffic, including management traffic, not just the traffic you select to deny.
Configuring a filter
The filters and filter groups you create specify an allow or a deny action and an
ordered set of match criteria. The order of filter elements is important since the
first match to any packet passing through the security gateway or the tunnel is
the only one that applies.
For example, a filter template called securemail encompasses the following:
A -> B smtp, B -> A smtp
The filter template securefiles encompasses the following:
A -> B ftp, B -> A ftp
Applying the filter group secureservers, comprised of securemail and
securefiles, to a tunnel is equivalent to applying all these filter elements as
follows:
A -> B smtp
B -> A smtp
A -> B ftp
B -> A ftp
Controlling service access 211
Understanding filters
To configure a filter
1 In the SGMI, in the left pane, click Policy.
2 In the right pane, on the Filters tab, click New Filter > Packet Filter.
212 Controlling service access
Understanding filters
3 Click Properties.
Filter Name Type a name for the filter. The name cannot contain
spaces.
5 On the Entry Directions tab, select a protocol from the Available list and
click Add to move it to the Included list.
6 To remove a protocol from the filter, highlight it in the Included list and
click Remove.
7 To rearrange the order of protocols in the Included list, highlight an entry
and click Move Up or Move Down.
8 On the Description tab, you can add a more detailed description of the filter
than you typed on the General tab in the Caption text box.
9 Click OK.
10 On the Filters tab, click Apply.
11 On the Action menu, select Activate Changes.
The filter is now configured and can be specified in a rule.
3 Click Properties.
4 In the Properties window, on the General tab, in the Type drop-down list,
select Filter Group.
Changing the value in the Type drop-down list does not change the entry in
the Filter Name text box.
5 To enable the filter group, check Enable.
This check box is checked by default.
6 In the Filter Name text box, type a name for the filter group.
7 In the Caption text box, type a brief description of the filter group.
Controlling service access 215
Understanding filters
8 On the Filter Sequence tab, select the filters you want to put in the filter
group in the Available filters list and click the right-arrow >> button to move
them to the Included filters list.
9 To rearrange the order of the filters in the sequence, highlight a filter in the
Included filters list and click Up or Down.
10 To remove a filter from the filter group, highlight it in the Included filters
list and click the left-arrow button to move it to the Available filters list.
11 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
12 Click OK.
13 On the Filters tab, click Apply.
14 On the Action menu, select Activate Changes.
The filter group is now configured and can be specified in a rule.
This feature is useful in cases when you want to allow a service through the
system that cannot be handled by one of the proxies. However, if possible, it is
recommended that you use a GSP rather than a forwarding filter.
4 Click Properties.
5 In the Properties window, on the General tab, to enable the new time range,
check Enable.
This check box is checked by default.
6 In the Name text box, type a name for the time range.
7 In the Caption text box, type a brief description of the time range.
8 On the Time Range tab, in the Timezone drop-down list, select the
appropriate time zone for the new time range.
Controlling service access 219
Configuring time periods
9 In the Time Range box, to enable the time range check Enable Time Range.
10 In the From and Through text boxes, type the starting and ending times of
the time range.
11 In the Day Range box, in the From and Through drop-down lists, select the
starting and ending days of the time range.
12 In the Date Range box, in the From and Through drop-down lists, select the
starting and ending months for the time range.
In the Day and Year text boxes, you can type in the starting and ending day
and year or use the buttons to increment and decrement them.
13 On the Description tab, you can add a more detailed description of the time
period than you typed on the General tab in the Caption text box.
14 Click OK.
15 In the Time Periods window, click Apply.
16 On the Action menu, select Activate Changes.
The time period range is now configured and can be specified in a rule.
220 Controlling service access
Configuring time periods
5 On the General tab, to enable the time period group, check Enable.
This check box is checked by default.
6 In the Period Name text box, type a name for the time period group.
7 In the Caption text box, type a brief description of the time period group.
8 On the Time Periods tab, in the excluded list, select the time period range
you want to include in the group and click the right-arrow >> button to move
it to the included list.
9 On the Description tab, you can add a more detailed description of the time
period group than you typed on the General tab in the Caption text box.
10 Click OK.
11 In the Time Periods window, click Apply.
12 On the Action menu, select Activate Changes.
The time period group is now configured and can be specified in a rule.
Controlling service access 221
Configuring content filtering
Using content filtering, you can create profiles of restricted topics in any
combination from the following list of categories.
Rating Content
Rating Content
Militant/Extremist/ Sites that display, sell, or advocate the use of weapons, including
Weapons guns, knives, and martial-arts weaponry. Also sites that advocate
independent military actions and extremist movements.
Occult/New Age Sites dedicated to occult and New Age topics including but not
limited to astrology, crystals, fortune-telling, psychic powers, tarot
cards, palm reading, numerology, UFOs, witchcraft, and Satanism.
Rating Content
2 In the right pane, on the Content Filtering tab, click Rating Profiles.
224 Controlling service access
Configuring content filtering
8 On the Categories tab, select a category from the Allowed ratings list and
click the right-arrow >> button to move it to the Disallowed ratings list.
Press and hold the Shift key while clicking to select all topics up to the one
clicked simultaneously. Press and hold the Ctrl key while clicking to select
multiple topics.
9 On the Description tab, you can add a more detailed description of the
ratings profile than you typed on the General tab, in the Caption text box.
10 Click OK.
11 In the Ratings Profile window, click Apply.
12 On the Action menu, select Activate Changes.
The ratings profile is now configured and you can specify it in a rule. To use
the ratings profile in a rule, associate the ratings profile with a new service
group and select that service group in your rule. See “Configuring service
groups” on page 112.
Note: You get a default list with the Symantec Enterprise Firewall, but you must
have a subscription license for LiveUpdate to update this list. The list is updated
frequently with information on new sites.
You can create profiles of restricted topics in any combination from a list of
categories.
You can customize your ratings lists, changing the categories to which Web sites
belong. This feature lets you adjust for special circumstances. For example,
suppose your company prohibits sites rated as Gambling. However, your
company does considerable business in the Las Vegas area and needs to refer to
a site called www.lasvegas.com, which, for whatever reason, is rated as
Gambling.
Controlling service access 227
Configuring content filtering
2 In the right pane, on the Content Filtering tab, click Rating Modifications.
3 In the Rating Modifications window, click New Ratings Modification.
228 Controlling service access
Configuring content filtering
Press and hold the Shift key while clicking to select all topics up to the one
clicked simultaneously. Press and hold the Ctrl key while clicking to select
multiple topics.
9 On the Description tab, you can add a more detailed description of the
ratings modification.
10 Click OK.
11 In the Rating Modifications window, click Apply.
12 On the Action menu, select Activate Changes.
The rating modification is now configured for use.
Note: You can set the misc.httpd.urlblacklist advanced option to true to deny
access to only the URLs included in the list. Refer to the Reference Guide for
details.
2 In the right pane, on the Content Filtering tab, click URL List.
3 In the URL List window, click New URL.
Controlling service access 231
Configuring content filtering
4 Click Properties.
5 In the Properties window, on the General tab, to enable the URL list, check
Enable.
This check box is checked by default.
6 In the URL text box, type the URL you want to allow in the form:
http://www.sample.com.
The wildcard (*) is permitted only as the first or last character in an entry
and permits any URL that matches the characters before or after it. For
example:
http://*1.2.3.4/* or http://*isp.com/*.
The default for a new URL is http://New-URL. You must include http:// (or
https://) as the first characters of the URL.
7 In the Caption text box, type a brief description of the URL list.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the URL List window, click Apply.
11 On the Action menu, select Activate Changes.
The URL list is now configured for use.
Note: You can set the misc.httpd.mimeblacklist advanced option to false to deny
access to only the MIME types included in the list. Refer to the Reference Guide
for details.
2 In the right pane, on the Content Filtering tab, select MIME Types.
3 In the MIME Types window, click New MIME Type.
Controlling service access 233
Configuring content filtering
4 Click Properties.
5 In the Properties window, on the General tab, to enable the MIME type
restriction, check Enable.
This check box is checked by default.
6 In the MIME Type text box, type the MIME type to restrict.
Add the disallowed MIME types as type/subtype, as shown in the following
examples:
of the Properties window. This allows access only to files with the specific
extensions that you have designated.
This service limitation is very restrictive, since all file extensions not included in
the list are denied by the host system.
2 In the right pane, on the Content Filtering tab, click File Extensions.
3 In the File Extensions window, click New File Extension.
Controlling service access 235
Configuring content filtering
4 Click Properties.
5 In the Properties window, on the General tab, to enable the file extension
restriction, check Enable.
This check box is checked by default.
6 In the File Extension text box, type the file extension you are permitting.
Type the file extensions one at a time in the following format:
.gif
Any extensions not listed are then disallowed.
7 In the Caption text box, type a brief description of the file extension
restriction.
8 On the Description tab, you can optionally add a more detailed description
than you typed on the General tab in the Caption text box.
9 Click OK.
10 In the File Extensions window, click Apply.
11 On the Action menu, select Activate Changes.
The file extension list is now configured for use.
Configuring newsgroups
The security gateway offers several default newsgroup types.
The news server in the figure below is on a service network, 206.7.13.22. This
news server is intended primarily for internal users, although some users might
want to access it from home. Some newsgroups on this server are generally
available.
236 Controlling service access
Configuring content filtering
206.7.7.14
206.7.13.20
206.7.13.23 206.7.13.22
192.168.1.62
You can set up an internal news server for transparent access or as a redirected
service. In this example, this server will be configured to do the following:
■ Receive news feeds from an outside server, outside.bus.com.
■ Allow access for all external users to a limited number of groups.
To enable the news server to receive news feeds from an outside source,
first establish entities, as described in the Network entities section of this
document.
You must configure service redirection for this entity to be accessed by
outside users.
■ Establish a host entity for news (called news in this example).
■ Establish a host entity for the external server.
Controlling service access 237
Configuring content filtering
To configure a newsgroup
1 In the SGMI, in the left pane, click Policy.
4 Click Properties.
Note: To allow all newsgroups, you can create a wildcard profile. Simply create a
newsgroup called *. The asterisk acts as a wildcard character, representing every
newsgroup. You can then disallow specific newsgroups in the same profile. This
way, by default, all newsgroups are allowed.
The name of a newsgroup is usually descriptive of its content. Symantec lets you
restrict by newsgroup name. To do this, create a newsgroup profile.
Controlling service access 239
Configuring content filtering
You can use an asterisk (*) as a wildcard character in any position of the
newsgroup name. This makes it easier to restrict or permit access to different
types of newsgroups. The following are acceptable:
alt.*
*.violence.*
alt.binaries.*.*
2 In the right pane, on the Content Filtering tab, click Newsgroup Profiles.
3 Below the table, click New Newsgroups Profile.
4 Click Properties.
5 In the Properties window, on the General tab, in the Name text box, type a
name for the newsgroup profile.
240 Controlling service access
Configuring content filtering
6 In the Caption text box, type a brief description of the newsgroup profile.
7 On the Profile tab, click on newsgroups in the Available Newsgroups list and
click the right-arrow >> button to move them to the Allowed Newsgroups
list.
To allow all newsgroups, you can create a wildcard profile. Simply move the
asterisk (*) into the Allowed Newsgroups list. This acts as a wildcard
character, representing every newsgroup. Then you can disallow only
specific newsgroups in the same profile.
8 Use the Denied Newsgroups list to restrict portions of your allowed
newsgroups (if necessary).
For example, you can allow the alt.* newsgroup, but then use the Denied
Newsgroups list to restrict alt.binaries.* from the allowed list.
9 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
10 Click OK.
11 In the Newsgroup Profiles window, click Apply.
12 On the Action menu, select Activate Changes.
The newsgroup profile is now configured for use. Unless you are using a
general wildcard profile (*), any newsgroup that does not appear in the
Controlling service access 241
Configuring LiveUpdate
Allowed Newsgroups list is blocked in any service groups using the NNTP
protocol with a newsgroup profile.
Configuring LiveUpdate
You can use the LiveUpdate window to view the status of various security
gateway components. If licensed for their use, you can also configure the
schedule for LiveUpdate operations for content filtering components.
To configure LiveUpdate
1 In the SGMI, in the left pane, click Location Settings.
These systems let users authenticate with passwords that are assigned for
their user accounts on the security gateway.
■ Standard authentication protocols:
■ Radius
■ TACACs
■ LDAP
These authentication types let you add authentication mechanisms based
on servers that support them.
■ NT Domain
Security gateways that are part of an NT domain can query the Windows NT
Domain controller using Windows NT account passwords for
authentication.
■ Out of Band Authentication capability, which lets you authenticate with
proxies, such as GSP, that have not supported authentication on the security
gateway in the past.
Method Name Type a name for the Defender authentication. The default is
New_Authentication_Protocol_Defender.
250 Controlling user access
Setting up authentication systems
Shared Key Type the Defender DES key. This key must be 16 characters in
length. Pad your entry if necessary.
Read Only In this text box, you can view the status of the Defender
authentication.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Authentication Methods window, click Apply.
9 On the Action menu, select Activate Changes.
Defender authentication is now configured for use.
A group list is looked up by searching for groups where the user’s DN (or other
specified unique attribute) is a member specified in the configuration. If no
primary group attribute is specified, the first one of the group list is returned as
the primary group. Access is denied if multiple users exist with the same UID
attribute, and the denial is logged.
LDAP Server Address Type the fully-qualified DNS name or IP address of system on
which the native LDAP server application is running.
LDAP Server Port Type the TCP port number assigned to the LDAP directory
server. The default is port 389. If SSL is enabled, the default
port number is 636 for LDAP secure connections.
Alternate LDAP Type the TCP port number assigned to the alternate LDAP
Server Port directory server. The default is port 389. If SSL is enabled, the
default port number is 636 for LDAP secure connections.
7 On the Base DN tab, in the Base DN text box, type the Distinguished Name
where searches of the LDAP hierarchy will begin, typically the
Organizational Distinguished Name, which is generally the top or root of the
hierarchy. For example, o=arius.com.
8 On the Bind tab, to bind to the distinguished name and password, check
Bind by way of DN and Password.
Controlling user access 255
Setting up authentication systems
9 If you checked Bind by way of DN and Password, in the DN text box, type
the security gateway system domain name to which to bind.
This secures the connection between the security gateway and the LDAP
server.
10 In the Password text box, type the an LDAP password to secure the
connection between the security gateway and the LDAP server.
11 If you want to send the user’s password in clear text when it cannot be
retrieved and verified from the directory, check Send the user’s password in
clear text.
This check box is unchecked by default.
256 Controlling user access
Setting up authentication systems
Use Standard To use the standard Netscape V3 person class, check Use
LDAPv3 Person Class Standard LDAPv3 Person Class. The use of this class with
LDAP is described in RFC2256, which is part of the
description of LDAP v.3. This check box is checked by default.
User Object Class Type the name of the object class within the schema that
defines user and user record attributes. Within the standard
LDAP v.3-compliant schema, the default object class used for
this purpose is the person object class.
User ID Attribute Type the attribute within an object class that will be used by
the LDAP Ticket Agent to locate user records within the LDAP
database. Within the standard LDAP v.3-compliant schema,
the default user ID attribute is the uid attribute (User
Identification) defined by the person object class.
Group Object Class Type the attribute within the schema whose attributes define
user groups, group names, and group memberships. Within
the standard LDAP v.3-compliant schema, the object class
used for this purpose is the GroupOfUniqueNames object
class.
Controlling user access 257
Setting up authentication systems
Group Member Type the attribute the LDAP Ticket Agent uses to retrieve user
Attribute group membership information from within the LDAP
database. In the Standard LDAP v.3-compliant schema, the
default group member attribute used for this purpose is the
uniquemember attribute defined within the
GroupOfUniqueNames object class.
13 On the User Match Type tab, to base group membership queries on either
the user record or a value specified in the User ID Attribute text box, check
User DN or User ID Attribute.
Selecting User DN specifies the more traditional approach whereby group
memberships are determined using the attributes found within LDAP group
records. Using this approach, the DN returned during the authentication
process is used in conjunction with the values specified in the Group Object
Class, Primary Group Attribute, and Group Member Attribute text boxes to
determine user group memberships.
Selecting User ID Attribute deviates from the traditional approach. Rather
than using LDAP group records to determine user group memberships,
pseudo user groups are created (implied) by specifying an attribute found
within user records, such as the location attribute (l) or the organizational
unit attribute (ou). With this approach, group records do not actually exist in
the LDAP database, but rather users are implicitly grouped according to
attribute values listed within their user records. By specifying a User ID
Attribute, content is protected and users are granted access based upon such
attributes as location (Boston) or organizational unit (accounting) as
specified within their user record.
The default is User DN.
14 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
258 Controlling user access
Setting up authentication systems
15 Click OK.
16 In the Services window, click Apply.
17 On the Action menu, select Activate Changes.
LDAP authentication is now configured for use.
NT Domain B
NT Domain NT Domain A
NT
security gateway
NT Domain B NT Domain A
controller controller
NT Domain
In the figure above, users within NT Domain A can authenticate with NT Domain
authentication. Users in NT Domain B can authenticate using NT Domain
authentication only if Domain A trusts Domain B.
Caution: You must not use NT Domain authentication not be used over an open
network such as the Internet. NT Domain passwords are sent over the network
in clear text.
The firewall must be a member of an NT Domain when you install it on the host
system. If it has already been installed, you must uninstall it, make the computer
a member of a domain, and reinstall. Your configuration files are preserved
through the uninstall/reinstall process.
Controlling user access 259
Setting up authentication systems
On your NT Domain Controller (or the PDC of a trusted domain), create the
global groups you wish to use and populate them with the Windows users. If you
do not create groups, by default all users are placed in a group called Domain-
users.
Entrust Yes
OOBA and the proxy in use, the system continues to prompt them for data until
the correct authentication method and password have been returned.
You can configure the system to authenticate users using OOBA through a check
box in the Rules window. Create a rule as you normally would, but check the Use
Out of Band Authentication check box. Then, select the users and/or user groups
you are allowing to authenticate with OOBA.
See “Configuring rules” on page 81.
Caution: Defaults are configured for all OOBA settings except the authentication
method. You may optionally set the rest of the OOBA parameters.
6 In the Caption text box, type a brief description of the OOBA authentication.
7 On the Timeout tab, in the Inactivity Timeout boxes, use the arrow buttons
to select the timeout intervals in seconds.
This value determines how long an idle out of band authentication
connection can remain open. The default is 3600 seconds (one hour) for
HTTP and other connections.
8 In the Maximum Lifetime boxes, use the arrow buttons to select the
maximum session intervals in seconds.
This value is the lifetime limit for a created ticket before it is automatically
disabled. If the user cannot successfully authenticate within this amount of
time, the ticket expires. The default is 28800 seconds (eight hours) for HTTP
connections and 3600 seconds (one hour) for other connections.
9 In the Maximum Sessions boxes, use the arrow buttons to select the
maximum number of sessions.
This value is the maximum number of concurrent times authenticated users
can use the service before they are automatically logged out. To use this
service again, a user must log in and authenticate again. The default is
10000 for HTTP connections and 10 for other connections.
10 On the Advanced tab, to include the IP address in the ticket information as
well as the user name, check Include Client IP address for ticket
verification.
264 Controlling user access
Setting up authentication systems
When this check box is checked, a user must connect to a server from the
same IP address each time for the ticket to be valid. If you have a large
number of users connecting to a server from a network that uses load
balancing or NAT pools or any other form of dynamic addressing, you will
not want to have this feature enabled. But if this is not the case, including
the client IP address with the user name provides an extra level of security.
This check box is checked by default.
You must enter the same secret information on all systems. This secret is
used as the key which secures the HMAC-MD5 stored in the ticket. Shared
secret keys must be between 16 and 32 characters.
Note: For static Radius user authentication, users must have local accounts,
defined in the User Properties window on the security gateway. For dynamic
user authentication, users do not need to have accounts on the system.
4 Right-click the new entry in the Authentication Methods table, then select
Properties.
Method Name Type the name of the Radius authentication. The default is
New_Authentication_Protocol_Radius. The name cannot
contain spaces.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Authentication Methods window, click Apply.
9 On the Action menu, select Activate Changes.
Radius authentication is now configured for use.
268 Controlling user access
Setting up authentication systems
Note: For static RSA SecurID/Server user authentication, users must have
accounts entered in the User Properties window on the security gateway. For
dynamic user authentication, users do not need accounts on the security
gateway.
Before you can use RSA SecurID/Server, you must do the following:
■ Assign cards to users
■ Create clients on the RSA SecurID/Server, including the security gateway
and each cluster node if you are authenticating clustered systems
■ Create groups, if applicable
■ Activate cards and groups
4 Set the time zone, date, and time on the RSA SecurID/Server. Set the time
zone, date, and time on the security gateway. Make sure to sync the system
time with the RSA SecurID server time or sync them both to a common
source.
■ If you are using a UNIX RSA SecurID/Server, copy the /var/ace/
sdconf.rec file on the RSA SecurID/Server to /var/lib/sg directory on
the Symantec system.
■ If you have a Windows RSA SecurID/Server, follow client installation
procedure in the RSA SecurID documentation. Copy the
\ace\data\sdconf.rec file on the RSA SecurID/Server to the
\raptor\firewall\sg directory.
■ If you have a Linux or Solaris RSA SecurID/Server, copy the
\ace\data\sdconf.rec file to: /var/lib/sg (Linux) or /usr/adm/sg
(Solaris).
5 Optionally, perform the RSA SecurID/Client installation on the system with
the clntchk applet. Ensure that the host name and address of the master
RSA SecurID/Server are correct.
6 Test the RSA SecurID authentication mechanism with the RSA SecurID/
Client applet (Start>Settings>Control Panel>SecurID>Client).
Testing authentication downloads the node secret, making this secret
unavailable to the Symantec software. This must be corrected after testing
by using the RSA SecurID Server administration applet to reset the node
secret for the client. This is done by selecting edit client from the client
drop-down menu, selecting the system, and then unchecking the sent node
secret check box (leave the box checked for Solaris).
Note: For static TACACs user authentication, users must have accounts entered
in the User Properties window on the security gateway. For dynamic user
authentication, users do not need to have accounts on the system.
Method Name Type the name of the TACACs authentication method. The
default is New_Authentication_Protocol_TACACs. The name
cannot contain spaces.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Authentication Methods window, click Apply.
9 On the Action menu, select Activate Changes.
TACACs authentication is now configured for use.
6 On the Authentication tab, in the Service Name text box, type the name
passed to the TACACs server.
The service name is the name passed to the TACACs server during
authentication. This defaults to firewall and should only be changed if the
TACACs server does not support a firewall service.
7 In the Group Attribute Name text box, type the group attribute name.
The group attribute name is used by the TACACs service to determine the
security gateway group membership of the individual being authenticated.
This defaults to eaglegroup and should only be changed if the TACACs
server does not support that attribute.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the Services window, click Apply.
11 On the Action menu, select Activate Changes.
TACACs authentication is now configured for use.
9 On the Method Sequence tab, you can configure the methods used in the
sequence.
Controlling user access 277
Configuring an authentication sequence
Note: Before using a new or changed authentication sequence, you must reboot
the security gateway.
278 Controlling user access
Configuring an authentication sequence
Chapter 7
Configuring VPN
This chapter includes the following topics:
■ Configuring tunnels
You can use the following pre-configured VPN policies or you can create your
own policies:
■ ike_default_crypto
■ ike_default_crypto_strong
■ ike_aes_crypto_strong
■ ike_sample_crypto_interop
■ static_default_crypto
■ static_default_crypto_strong
■ static_aes_crypto_strong
2 In the right pane, on the VPN Policies tab, click New VPN Policy > VPN
Policy for IPsec with IKE.
Configuring VPN 283
Configuring VPN policies
3 Click Properties.
Enable To enable the VPN policy, check Enable. This check box is
checked by default.
Filter Applied In the drop-down menu, select whether you want a filter
applied.
The options are Sample_Denial_of_Service_filter or None or
any filter you have previously configured. The default is None.
284 Configuring VPN
Configuring VPN policies
Data Integrity In the Data Integrity Protocol drop-down menu, select one of
Protocol the following data integrity protocols.
■ If you want to apply the algorithm to the data portion of
the packet, select Apply Integrity Preference to Data
Portion of the Packet (ESP).
This option provides integrity, authentication, and
confidentiality to the packet. It works between hosts,
between hosts and security gateways, and between
security gateways ensuring that data has not been
modified in transit. If you do not want to use this ESP
default, you can select the AH option. Note that if you
select the AH option along with a Data Privacy
Algorithm, ESP is applied to the packet as well as AH.
■ If you want to apply the algorithm to the entity packet,
select Apply Integrity Preference to Entity Packet (AH).
In this option, the authentication header (AH) holds
authentication information for its IP packets. It
accomplishes this by computing a cryptographic
function for the packets using a secret authentication
key. If you select this option, but you’ve also elected to
use a Data Privacy Algorithm (3DES, DES, or AES), ESP is
applied to the packet as well as AH.
Data Volume Limit Type the maximum number of kilobytes allowed through the
(KB) tunnel before it is rekeyed.
The default is 2100000 KB. The maximum acceptable value is
4200000. The minimum acceptable value is 1 KB.
Lifetime Timeout Type the number of minutes that a tunnel is allowed to exist
(Minutes) before it is rekeyed.
The default is 480 minutes (eight hours). The maximum
acceptable value is 2,147,483,647.
Inactivity Timeout Type the number of minutes a tunnel can remain inactive (no
(Minutes) data passing through it) before it is re-keyed.
The default is 0 (no timeout value). The maximum acceptable
value is 2,147,483,647.
Configuring VPN 285
Configuring VPN policies
Pass Traffic To If you want to proxy tunnel traffic, check Pass Traffic To
Proxies Proxies.
Enabling this check box sends the data packet up the protocol
stack for authorization. The packets are then subject to all the
address transforms and rule checking performed by the
proxies. This check box is unchecked by default.
Perfect Forward If you want perfect forward secrecy enabled, check Perfect
Secrecy Forward Secrecy.
Perfect Forward Secrecy lets administrators set up parameters
for generating keys and prevents attackers from guessing
successive keys.
If Perfect Forward Secrecy is enabled, you must also specify a
Diffie-Hellman preference. Diffie-Hellman is the standard IKE
method of establishing shared secret. Group 1 and 2 are the
Diffie-Hellman group numbers available for establishing
these IKE session keys. Group 1 is 768 bits long and group 2 is
1024 bits long. Using group 2 is more secure but it also uses
more CPU power. Using a combination of groups, 1 then 2 or 2
then 1, indicates that first one group is tried, if that is
unsuccessful, the next group is tried.
5 On the Data Privacy Preference tab, select a data privacy preference from the
Available list and click the right-arrow >> button to move it to the Included
list. The options are:
■ DES
■ Triple DES
■ AES with 16-byte key
■ AES with 24-byte key
■ AES with 32-byte key
■ No Encryption
An IPsec policy can include more than one data privacy preference. The one
that is used is negotiated by the originator of the connection. If the security
286 Configuring VPN
Configuring VPN policies
gateway is the originator, the first one in this list is requested for
connection.
6 To remove a preference, highlight it in the Included list and click the left-
arrow << button.
7 On the Data Integrity Preference tab, select a data integrity preference from
the Available list and click the right-arrow >> button to move it to the
Included list.
This dictates the type of authentication header that will be prepended to
packets sent through the tunnel. Supported types are:
■ SHA1 (slower but more secure than MD5)
■ MD5 (faster but less secure than SHA1)
■ No Checksum (specifies no authentication checksum)
The combination Data Integrity Preference = No Checksum and Data Privacy
Preference = No Encryption is not permitted. If you select a Data Integrity
Configuring VPN 287
Configuring VPN policies
8 To remove a preference, highlight it in the Included list and click the left-
arrow << button.
9 On the Data Compression Preference tab, select a data compression
preference from the Available list and click the right-arrow >> button to
move it to the Included list.
LZS compresses data by searching for redundant strings and replacing them
with special tokens that are shorter than the original string. LZS then
creates tables of these strings and replacement tokens which consist of
pointers to the previous data streams. LZS uses these pointers to remove
redundant strings from the new data streams.
288 Configuring VPN
Configuring VPN policies
10 To remove a preference, highlight it in the Included list and click the left-
arrow << button.
11 On the Diffie-Hellman Preference tab, select a group from the Available list
and click the right-arrow >> button to move it to the Included list.
Diffie-Hellman is the standard IKE method of establishing shared secrets.
Group 1 and Group 2 are the Diffie-Hellman group numbers available for
establishing these IKE session keys. Group 1 is 768 bits long and Group 2 is
1024 bits long. Using Group 2 is more secure but it also uses more CPU
Configuring VPN 289
Configuring VPN policies
12 To remove a group, highlight it in the Included list and click the left-arrow
<< button.
13 Click OK.
14 In the VPN Policies window, click Apply.
15 On the Action menu, select Activate Changes.
3 Click Properties.
Enable To enable the VPN policy, check Enable. This check box is
checked by default.
Policy Name Type a name for the VPN policy. The name cannot contain any
spaces.
Filter Applied If you want to apply a filter to the VPN policy, select it from
this drop-down list.
Pass Traffic to If you want to proxy tunnel traffic, check Pass Traffic To
Proxies Proxies. Enabling this check box sends the data packet up the
protocol stack for authorization. The packets are then subject
to all the address transforms performed by the proxies. This
check box is unchecked by default.
Configuring VPN 291
Configuring VPN policies
Data Integrity In the Data Integrity Protocol drop-down menu, select one of
Protocol the following data integrity protocols.
■ If you want to apply the preference to the data portion of
the packet, select Apply Integrity Preference to Data
Portion of the Packet (ESP).
This option provides integrity, authentication, and
confidentiality to the packet. It works between hosts,
between hosts and security gateways, and between
security gateways ensuring that data has not been
modified in transit. If you do not want to use this ESP
default, you can select the AH option.
If you select the AH option along with a Data Privacy
Algorithm, ESP is applied to the packet as well as AH.
■ If you want to apply the preference to the entity packet,
select Apply Integrity Preference to Entity Packet (AH).
In this option, the authentication header (AH) holds
authentication information for its IP packets. It
accomplishes this by computing a cryptographic
function for the packets using a secret authentication
key.
If you select this option, but you’ve also elected to use a
Data Privacy Algorithm (3DES, DES, or AES), ESP is
applied to the packet as well as AH.
Data Volume Limit Type the maximum number of kilobytes allowed through the
tunnel before it is rekeyed.
The default is 2100000 KB. The maximum acceptable value is
4200000 KB. The minimum acceptable value is 1 KB.
Lifetime Timeout Type the number of minutes that a tunnel is allowed to exist
before it is rekeyed.
The default is 480 minutes (eight hours). The maximum
acceptable value is 2,147,483,647 minutes.
Inactivity Timeout Type the number of minutes a tunnel can remain inactive (no
data passing through it) before it is rekeyed.
The default is 0 (no timeout value). The maximum acceptable
value is 2,147,483,647 minutes.
Encapsulation Mode In the this drop-down menu, select either Tunnel Mode or
Transport Mode. You should only select transport mode when
both tunnel endpoints are the same as their gateway
addresses. In that case, using transport mode saves
bandwidth. The default is Tunnel Mode.
5 On the Data Privacy Algorithms tab, select a data privacy algorithm from the
Available list and click the right-arrow >> button to move it to the Included
list. The options are:
■ No Encryption
■ DES
■ Triple DES
■ AES with 16-byte key
■ AES with 24-byte key
■ AES with 32-byte key
In a static policy, you can select only one data privacy algorithm.
6 To remove an algorithm, highlight it in the Included list and click the left-
arrow << button.
7 On the Data Integrity Preferences tab, select a data integrity preference
from the Available list and click the right-arrow >> button to move it to the
Included list.
This dictates the type of authentication header that will be prepended to
packets sent through the tunnel. Supported types are:
■ SHA1 (slower but more secure than MD5)
■ MD5 (faster but less secure than SHA1)
Configuring VPN 293
Configuring a Global IKE policy
8 Click OK.
9 In the VPN Policies window, click Apply.
10 On the Action menu, select Activate Changes.
2 In the right pane, on the Global IKE Policy tab, select global_ike_policy.
3 Click Properties.
4 On the General tab, in the Policy Name text box, the name of the global IKE
policy is displayed.
5 In the Connection Timeout text box, type an interval, in minutes, for
connection timeout.
The default is 1080 minutes (18 hours).
6 On the Data Privacy Preference tab, select the preference from the Available
list box and click the right-arrow >> button to move them to the Included list
box.
The options are:
Configuring VPN 295
Configuring a Global IKE policy
■ DES
■ Triple DES
These are the data privacy methods for packet data. You can use a
combination of these options. The one listed first is tried first. If this
method is unsuccessful, then the next method is tried.
7 To move an entry within the Included list box, highlight it and click Up or
Down.
8 On the Data Integrity Preference tab, select the preference from the
Available list box and click the right-arrow >> button to move them to the
Included list box.
The options are:
■ MD5
■ SHA1
These are the available Data Integrity Preferences used to authenticate
packets. Using a combination of methods, such as SHA1 then MD5,
indicates that first one method is tried. If that method is unsuccessful, then
296 Configuring VPN
Configuring a Global IKE policy
the next method is tried. Note that SHA1 is slower but more secure than
MD5.
9 To move an entry within the Included list box, highlight it and click Up or
Down.
10 On the Diffie-Hellman Groups tab, select the Group from the Available list
box and click the right-arrow >> button to move it to the Included list box.
Diffie-Hellman is the standard IKE method of establishing shared secrets.
Group 1 and Group 2 are the Diffie-Hellman group numbers available for
establishing these IKE session keys. Group 1 is 768 bits long and Group 2 is
Configuring VPN 297
Configuring tunnels
1024 bits long. Using Group 2 is more secure but it also uses more CPU
power.
11 To move an entry within the Included list box, highlight it and click Up or
Down.
12 Click OK.
13 In the Global IKE Policy window, click Apply.
14 On the Action menu, select Activate Changes.
The global IKE policy is now configured for use.
Configuring tunnels
The simplest way to create VPN tunnels is to use the tunnel wizards available in
the Action menu. The two wizards are:
information necessary to identify the local and remote tunnel endpoints and the
VPN policy that governs the traffic within them.
The panels in the Gateway-to-Gateway Tunnel Wizard include:
■ Welcome panel
Contains a description of the functions performed by the Gateway-to-
Gateway Tunnel Wizard.
■ Tunnel Information panel
Type a name and a brief description of the tunnel.
■ Local Security Gateway panel
Select an existing security gateway network entity to serve as the local
security gateway or you can create a new security gateway network entity.
■ Local Endpoint panel
Select an existing network entity to serve as the local tunnel endpoint or
you can elect to create a new network entity.
■ Create a New Local Endpoint panel
Specify the name and IP address of a new local tunnel endpoint network
entity.
■ Remote Security Gateway panel
Select an existing security gateway network entity to serve as the remote
security gateway or you can create a new security gateway network entity.
You can also configure user authentication in this panel.
■ Remote Endpoint panel
Select an existing network entity to serve as the remote endpoint or you can
elect to create a new network entity.
■ Create a New Remote Endpoint panel
Specify the name and IP address of a new remote VPN tunnel endpoint.
■ VPN Policy panel
Select the VPN policy to use with the tunnel.
■ Confirmation panel
Review the tunnel configuration and either validate it or go back and make
configuration changes.
4 Click Next.
5 In the Local Security Gateway Selection panel, to specify the local security
gateway, click either Use Existing Network Entity or Create New Network
Entity.
6 If you are using an existing security gateway network entity, select it from
the drop-down list.
7 If you are creating a new security gateway network entity, do the following:
■ In the Name text box, type the name of the new security gateway
network entity.
The name cannot contain any spaces.
■ In the Address Type drop-down list, to use a logical network interface,
select Interface or, to use a virtual IP address, select VIP.
■ In the IP Address drop-down list, select either a logical network
interface or a VIP address, depending on what was selected above.
Configuring VPN 301
Configuring tunnels
8 Click Next.
9 In the Local Endpoint panel, to specify the network entity that serves as the
local endpoint of the Gateway-to-Gateway tunnel, click either Use Existing
Network Entity or Create New Network Entity.
10 In the appropriate drop-down list, select the existing or new network entity.
■ If you are using an existing network entity, select it from the drop-
down list, and then click Next to proceed to step 14.
■ If you are creating a new network entity, you can select a Host, Subnet,
or Group network entity.
302 Configuring VPN
Configuring tunnels
11 Click Next.
13 Click Next.
20 Click Next.
22 Click Next.
23 In the VPN Policy panel, select a VPN policy for the new tunnel.
24 Click Next.
25 In the Confirmation panel, you can review the configuration of the new
tunnel.
If the tunnel is configured properly, click Finish. To reconfigure any aspect
of the tunnel, click Back until you reach the area that needs reconfiguration.
26 Click Close.
27 On the Action menu, select Activate Changes.
4 Click Next.
6 Click Next.
8 Click Next.
10 Click Next.
If you are using a shared secret, type it in the text box provided.
12 Click Next.
13 In the VPN Policy panel, use the drop-down list to select a VPN policy for the
new tunnel.
14 Click Next.
15 In the Confirmation panel, you can review the configuration of the new
tunnel, and then do one of the following:
■ If the tunnel is configured properly, click Finish. You will need to
activate the changes before you can use the Client-to-Gateway VPN
tunnel.
■ To reconfigure any aspect of the tunnel, click Back until you reach the
area that needs reconfiguration.
16 On the Action menu, select Activate Changes.
314 Configuring VPN
Creating tunnels manually
To create a tunnel
1 In the SGMI, in the left pane, click Location Settings.
2 In the right pane, on the Tunnels tab, click New VPN Tunnel and select the
type of tunnel you want to create.
3 Click Properties.
The information you need to supply in the Properties window depends on
the type of tunnel you configure.
network entity at the remote end of the tunnel. Your local gateway is the outside
interface of the security gateway. You must create a security gateway network
entity before you can select it for the tunnel.
The other security gateway you specify is a remote gateway. You must also
create a security gateway network entity as the remote gateway using the
Network Entities Properties window before you can select it for your tunnel.
While you will likely configure few security gateways to serve as local gateways,
you may configure several security gateways to serve as remote gateways.
Enable To enable the tunnel, check Enable. This check box is checked
by default.
Name Type a name for the tunnel. The name cannot contain spaces.
VPN Policy Select a VPN policy for use with your tunnel.
Local endpoint Select a network entity to serve as the local tunnel endpoint.
Configuring VPN 317
Creating tunnels manually
Local gateway Select a security gateway network entity to serve as the local
gateway interface for the tunnel.
5 Click OK.
6 In the VPN Tunnels window, click Apply.
7 On the Action menu, select Activate Changes.
The tunnel is now configured for use.
3 Click Properties.
Name Type a name for the tunnel. The name cannot contain any
spaces.
Local endpoint In this drop-down list, select a network entity to serve as the
local tunnel endpoint.
Remote endpoint In this drop-down list, select a user or group network entity to
serve as the remote tunnel endpoint. This must be an IKE-
enabled user.
5 Click OK.
6 In the VPN Tunnels window, click Apply.
Configuring VPN 319
Creating tunnels manually
Enable To enable the tunnel, check Enable. This check box is checked
by default.
Name Type a name for the tunnel. The name cannot contain spaces.
Local endpoint Select a network entity to serve as the local tunnel endpoint.
Local gateway Select a security gateway network entity to serve as the local
gateway interface for the tunnel.
VPN policy Select a static VPN policy. The selection you make for the
tunnel (static_default_crypto,
static_default_crypto_strong,
static_aes_crypto_strong, or any static policy that you
have created) determines what further configuration
information is needed.
Caption Type a brief description of the tunnel.
Generate Keys If you’ve chosen to use a data integrity preference in your VPN
policy, generate a set of algorithm keys by clicking Generate
Keys.
If you’ve also elected to use a data privacy algorithm, when
you click Generate Keys, Symantec generates a set of privacy
algorithm keys. If you’ve selected DES rather than 3DES as the
data privacy algorithm in your VPN policy, only one set of keys
is required instead of three.
The appropriate key fields are available according to your VPN
policy selection. It is strongly recommended that you use the
Generate Keys button rather than creating your own keys.
322 Configuring VPN
Creating tunnels manually
Local Network Entity Type the Data Integrity Key for the local entity.
Key
This dictates the type of authentication header that will be
prepended to packets sent through the tunnel. The options are
SHA1, MD5, and None. MD5 is faster but less secure than
SHA1.
Remote Network Type the Data Integrity Key for the remote entity
Entity Key
Local Network Entity Type the Data Privacy Algorithm for the local entity.
Key 1
This specifies the encapsulation security payload for packets
sent through the tunnel. Supported types are 3DES, DES, AES,
AES12, AES24, AES32, and None.
The combination Data Integrity Algorithm = None and Data
Privacy Algorithm = None is not permitted within a VPN
policy.
Remote Network Type the Data Privacy Algorithm for the remote end of the
Entity Key 2 tunnel.
Reveal Keys
Authentication Type the Security Parameter Index (SPI) for the local endpoint
Header SPIs Local of the tunnel.
Network Entity SPIs specify the tunnels on a security gateway for a given
protocol as Authentication Header (AH) or Encapsulation
Security Payload (ESP). The SPI is included in the packet
header and lets the receiver identify the tunnel to which the
packet belongs.
Authentication Type the SPI for the remote endpoint of the tunnel.
Header SPIs Remote
SPIs specify the tunnels on a security gateway for a given
Network Entity
protocol as Authentication Header (AH) or Encapsulation
Security Payload (ESP). The SPI is included in the packet
header and lets the receiver identify the tunnel to which the
packet belongs.
Encryption Header Type the SPI for the local endpoint of the tunnel.
SPIs Local Network
SPIs specify the tunnels on a security gateway for a given
Entity protocol as Authentication Header (AH) or Encapsulation
Security Payload (ESP). The SPI is included in the packet
header and lets the receiver identify the tunnel to which the
packet belongs.
Configuring VPN 323
Using the Remote Policy Wizard
Encryption Header Type the SPI for the remote endpoint of the tunnel.
SPIs Remote Network
SPIs specify the tunnels on a security gateway for a given
Entity
protocol as Authentication Header (AH) or Encapsulation
Security Payload (ESP). The SPI is included in the packet
header and lets the receiver identify the tunnel to which the
packet belongs.
6 On the Description tab, you can add a more detailed description of the
tunnel than you typed on the General tab in the Caption text box.
7 Click OK.
8 In the VPN Tunnels window, click Apply.
9 On the Action menu, select Activate Changes.
Before using the static tunnel, you must stop and restart the security
gateway.
Note: If the authentication method uses a shared secret, the shared secret is
included.
324 Configuring VPN
Using the Remote Policy Wizard
3 In the Users/user groups panel, select the users or user groups that you
want to include in the Excluded list and click the right-arrow >> button to
move them to the Included list.
Each user or user group must be the remote endpoint of a configured Client-
to-Gateway VPN tunnel. Each user in a group must have its IKE user group
defined or no remote policy files will be generated.
Configuring VPN 325
Using the Remote Policy Wizard
4 Click Next.
5 In the Password panel, in the Access password for remote policy file text
box, type a password to be used by all policy users.
The password must be at least 10 characters in length.
6 Click Next.
7 In the Confirmation panel, you can review the configuration you have
requested, and then do one of the following:
■ If the configuration is correct, click Finish.
■ To correct the configuration, click Back to revisit the configuration.
8 In the Save Remote Policy ZIP File panel, to save the remote policy ZIP file,
click Save File.
The default file name is RPadmin.zip, where admin is your logon name.
326 Configuring VPN
Using the Remote Policy Wizard
9 In the File Download panel, click Save this file to disk, and then click OK
and type a path to which to save the remote policy file.
If a password is required, the Symantec Client VPN user is prompted to enter it.
Once a policy has been opened with the install password, the Symantec Client
VPN version is checked to ensure that it is compatible with the policy. Then, the
user.dat file is updated for each gateway entry found in the remote policy. If a
gateway definition contained in the new remote policy already exists in the
configuration files, it is overwritten.
If a gateway record is found with an authentication method of certificate, a
message box tells the user that they must get a certificate from the
administrator and run raptcert.exe before connecting to that gateway. The
administrator will also need to communicate the certificate password to the
Symantec Client VPN user.
Special processing is required for a default-ike user. If the Phase 1 ID is default-
ikeuser, it means that dynamic users and user authentication are used. The
Symantec Client VPN user will be prompted for the user ID for the external
authentication server. This value is used for the Phase 1 ID for that gateway
connection. If the user does not enter an ID or cancels from the prompt, the
application generates a Phase 1 ID based on the time of the policy. This ensures
that all Phase 1 IDs are unique for each gateway.
When a policy is loaded by the Symantec Client VPN, it is logged to the client log
file. Any errors are also logged.
■ Configuring notifications
■ Understanding monitoring
■ About reports
■ Setting up reports
■ Usage reports
Configuring notifications
This section explains how to set up notifications to warn designated people of
problems on the security gateway. Notifications are sent in response to the
different levels of alert messages logged by the security gateway. You can
control the type of notification based on the level of the log message, varying in
severity from a notice to a critical alert.
Based on the type of notification, you can configure the system to send email or
an audio file, beep pagers, execute client programs, or issue SNMP traps in
response to log messages.
332 Monitoring traffic
Configuring notifications
The following table shows the information you need to supply for each
notification type.
Client program Command line Type the name of the client program. The
notify server application calls the program
as it appears in the Command-line text box
appending two arguments: the date and the
contents of the message text.
SNMP V1 Trap Host address Type the host address of the recipient.
SNMP V2 Trap Host address Type the host address of the recipient.
To configure a notification
1 In the SGMI, in the left pane, click Location Settings.
2 In the right pane, on the Notifications tab, click New Notification and select
the type of notification to configure.
3 Click Properties.
4 In the Properties window, configure the properties as required by the type of
notification you are creating, as shown in Table 1-1.
5 Click OK.
6 Click OK.
7 On the Action menu, select Activate Changes.
334 Monitoring traffic
Configuring notifications
6 On the Modem tab, in the COM Port drop-down list, select the modem port.
The choices are Serial_Port_1 and Serial_Port_2, which correspond to USB
ports 1 (top) and 2 (bottom), respectively.
7 In the Baud Rate text box, type the modem baud rate.
The default is 9600 baud.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the Services window, click Apply.
11 On the Action menu, select Activate Changes.
The Notify daemon is now configured for use.
Monitoring traffic 335
Configuring notifications
Note: To use an audio notification, the security gateway must have a properly
installed sound card.
3 Click Properties.
Notification Name Type a name for the audio notification. The name cannot
contain spaces.
Time Period You can optionally select a time period in which the
notification will be valid. The default is <ANYTIME>, meaning
the notification is valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to configure the severity of
the alert necessary to trigger the notification.
Audio File Name Type the name of the audio file you want to be played.
Monitoring traffic 337
Configuring notifications
Volume Level Type the volume level (0 - 100) at which you want the audio
file played.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 On the Notifications tab, click Apply.
8 On the Action menu, select Activate Changes.
Your audio notification is now configured for use.
Note: Any client program you call must exit upon completion. Multiple copies of
your program may run at once.
3 Click Properties.
Time Period Select a time period during which the notification will be
enabled. The default is <ANYTIME>, meaning the notification
will be valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to configure the severity of
the alert necessary to trigger the notification.
Command Line Type the executable file name necessary to launch the client
program.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
Monitoring traffic 339
Configuring notifications
Time Period Select a time period during which the notification will be
enabled. The default is <ANYTIME>, meaning the notification
will be valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to configure the severity of
the alert necessary to trigger the notification.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 On the Notifications tab, click Apply.
8 On the Action menu, select Activate Changes.
Your email notification is now configured for use.
2 In the right pane, on the Notifications tab, click New Notification >
Notification Through Pager.
3 Click Properties.
Notification Name Type a name for the notification. The name cannot contain
spaces.
Time Period Select a time period during which the notification will be
enabled. The default is <ANYTIME>, meaning the notification
will be valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to configure the severity of
the alert necessary to trigger the notification.
342 Monitoring traffic
Configuring notifications
User Type the name of the page recipient. For numeric pagers, this
is simply an identifier. For alphanumeric pagers, type the
mailbox ID of the page recipient.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 On the Notifications tab, click Apply.
8 On the Action menu, select Activate Changes.
Your pager notification is now configured for use.
2 In the right pane, on the Notifications tab, create a New Notification >
Notification Through SNMP V1 Trap.
3 Click Properties.
Notification Name Type a name for the notification. The name cannot contain
spaces.
Time Period Select a time period during which the notification will be
enabled. The default is <ANYTIME>, meaning the notification
will be valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to configure the severity of
the alert necessary to trigger the notification.
Community Type a text string holding a value agreed upon between the
manager and the agents that it manages.
344 Monitoring traffic
Configuring notifications
Host Address Type the host address provided by the SNMP system
administrator.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 On the Notifications tab, click Apply.
8 On the Action menu, select Activate Changes.
Your SNMP V1 notification is now configured for use.
3 Click Properties.
Click Properties.
Notification Name Type a name for the notification. The name cannot contain
spaces.
Time Period Select a time period during which the notification will be
enabled. The default is <ANYTIME>, meaning the notification
will be valid at all times if Enable is checked.
Triggered by: Check the appropriate check boxes to trigger the notification
with the desired severity of alert.
Destination Party Type the destination party OID provided by the SNMP
administrator.
Source Party Type the source party OID provided by the SNMP
administrator.
5 On the Description tab, you can optionally add a more detailed description
that you typed in the Caption text box.
6 Click OK.
7 On the Notifications tab, click Apply.
8 On the Action menu, select Activate Changes.
Your SNMP V2 notification is now configured for use.
Understanding monitoring
The Monitoring window has six tabs across the top. They include:
View Logs Provides a means of viewing the security gateway’s log files.
SESA Event Gating Provides a means of filtering the log files that are sent to the
SESA Manager.
The Monitoring window lets you view several aspects of security gateway
activity, including recent and current traffic, log files, cluster status, and the
events that are bring logged to the SESA Manager. The Monitoring window also
introduces four new icons to the SGMI user interface:
■ Refresh with current data
Refreshes the window with currently-active data.
Monitoring traffic 347
Understanding monitoring
2 In the right pane, on the Summary tab, in the Connection Summary table,
right-click an entry and select Properties.
3 In the Properties window, you can view the following properties of the
selected connection.
All fields in the Properties window are read-only. To change the columns
displayed, right-click the entry and select Show Columns.
Bytes Received You can view the number of bytes that have been received
over the connection since it opened.
Bytes Sent You can view the number of bytes that have been sent over the
connection.
2 In the right pane, on the Active Connections tab, in the Active Connections
table, right-click an entry and select Properties.
Note: You cannot kill the SGMI connection over which you are managing
the security gateway.
500 - 599 Alert A security rule has been triggered. This could
mean that someone is attempting to violate your
network security. You should investigate these
messages.
700 - 799 Emergency The security gateway is not operational and the
system will no longer allow traffic through.
To configure logging
1 In the SGMI, in the left pane, click Location Settings.
2 In the right pane, on the Advanced tab, click Services.
3 In the Services table, click Logging Service, and then click Properties.
4 On the General tab, you can configure or view the following parameters.
Text Log Creation To enable text logging as well as binary logging, check Text
Enabled Log Creation Enabled.
This check box is unchecked by default. Checking this check
box can adversely affect system performance. A less
performance-intensive method of creating backup logs is to
use the flatten8 utility on the binary logs.
Old Log Directory The old logging directory is displayed. This is a read-only field
that indicates the directory in which the old log files are
stored. The current log is stored in the sg directory.
354 Monitoring traffic
Viewing log files
Maximum Log File Select the maximum size (in KB) for your logging file. The
Size (kilobytes) default is 204800 KB (200 MB). A new log file is created when
this maximum size is reached.
Low Disk Threshold Select the threshold (in KB) at which to warn about the log file
(kilobytes) size. The default is 100 KB. If a machine tends to do a lot of
logging, this number might be increased so you have more
time to archive log files.
Consolidation Use the arrows to select the size of the window the
Window (seconds) consolidator uses. The default is five seconds. If, in this
amount of time, more than a threshold of the same messages
are seen, a special consolidated log message is generated. If
the message has not been seen in this amount of time, it is
removed from the tree.
Maintainer Sleep Use the arrows to select the amount of time (in seconds) the
Time (seconds) maintainer will sleep between trips through the consolidation
tree. The default is 1.
Log Request Port Use the arrows to select the port number on which logserviced
Number is listening for log requests. The default is port 6868.
Translation Request Use the arrows to select the port number on which logserviced
Port Number is listening for requests from services to translation log
messages (this is rarely used by the services). The default is
port 6867.
Rollover Request Port Use the arrows to select the port number on which logserviced
Number is listening for requests to roll over the logfile. The default is
port 6866.
Auto delete old To automatically delete old logfiles rather than suspend
logfiles logging when there is no additional space, check Auto delete
old logfiles. This check box is unchecked by default.
Monitoring traffic 355
Viewing log files
Minimum number of Use the arrows to select the minimum time (in hours) to keep
hours to keep logfile old log files. The default is 24. If Auto delete is enabled, this
ensures that log files will not be deleted if they are less than
24 hours old. If this condition is reached, the security gateway
stops.
Command to run Type the command to execute when the log file reaches the
when diskspace size threshold. The security gateway’s binary directory (/usr/
exhausted raptor/bin) is prepended to any entry you make here.
5 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
6 Click OK.
7 In the Services window, click Apply.
8 On the Action menu, select Activate Changes.
The logging service is now configured for use.
2 In the right pane, on the View Logs tab, right-click an entry in the Log
Entries table, and then click Properties.
Monitoring traffic 357
Viewing log files
3 In the Properties window, you can view the following log information:
Event severity An icon and legend indicate the severity of the event.
Time stamp The time and date at which the event occurred.
System Name Host name of the system on which the event occurred.
Message Text Further log entry details. In the Message Text box, Resource
can refer to a variety of things, depending on the context.
This opens a new log file and archives the old one.
3 In the Open Archived Log File dialog box, select the log file for the day you
want and click OK.
The dialog box closes and the log file you selected from the archive is now
displayed on the View Logs tab.
4 To view the properties of a log file, click on the file, and then click
Properties.
5 To delete a log file, highlight the log file, and then click Delete File.
6 To backup a log file, highlight the log file, and then click Backup.
7 To close the Archived Log File dialog box, click OK or Cancel.
Monitoring traffic 359
Viewing log files
3 On the Event Filter tab, under Time, set the starting and ending times for
the logfile event filter by checking From and To and setting the start and
end times in the associated text boxes.
The defaults for both are 12:00 AM.
4 Under Event Types, check the check boxes associated with each type of
event you want to filter from the log.
All check boxes are unchecked by default. In the default case, all event types
are displayed. To clear all check boxes, click Clear.
5 On the System Names tab, you can filter log messages according to the
machine from which they were generated.
360 Monitoring traffic
Viewing log files
To do this, type the system name in the Enter value text box and click Add.
To modify or delete a system name, highlight the name in the list and click
Modify or Delete.
6 On the Components tab, you can filter log messages according to the
component of the security gateway that generated them.
To do this, select the component from the Excluded list and click the right
arrow >> button to move it to the Included list.
Monitoring traffic 361
Viewing log files
7 On the Parameters tab, you can filter log messages according to various
parameters contained in the messages themselves.
To do this, select a parameter from the Excluded list and click the right
arrow >> button to move it to the Included list.
8 On the Process IDs tab, to filter log messages by the Process IDs associated
with the messages, do the following:
■ In the Enter value text box, type the process ID and then click Add.
362 Monitoring traffic
Viewing log files
■ To modify or delete a process ID, highlight it in the list and then click
Modify or Delete.
9 On the Message Numbers tab, to filter log messages according to the
message numbers, do the following:
■ In the Enter value text box, type the message number and then click
Add.
■ To modify or delete a message number, highlight it in the list and then
click Modify or Delete.
Monitoring traffic 363
SESA event gating
10 On the Text Patterns tab, to filter log messages by text pattern matches
within the log messages, do the following:
■ In the Enter value text box, type the text pattern and then click Add.
■ To modify or delete a text pattern, highlight it in the list and then click
Modify or Delete.
11 Click OK.
2 In the right pane, on the SESA Event Gating tab, click the check boxes
corresponding to the events you want to log to the SESA Manager.
Keep in mind that saving changes can slow security gateway performance
significantly. You must make changes during periods of low usage.
3 Click Apply.
4 On the Action menu, select Activate Changes.
The SESA event filters are now configured for use.
Monitoring traffic 365
About reports
About reports
The Reports windows let you prepare two types of reports on the security
gateway. You can create configuration reports, which contain information about
the current configuration of system components, or usage reports, which reflect
the usage of those components.
Setting up reports
The Reports Setup window lets you set up the format for the output of security
gateway reports.
To set up reports
1 In the SGMI, in the left pane, click Reports.
366 Monitoring traffic
About configuration reports
2 In the right pane, on the Reports Setup tab, select one of the following
report file formats:
■ To prepare reports in PDF format, click Save and print reports in PDF
format.
This is the default condition and requires that you have Adobe Acrobat
installed on your system.
■ To prepare reports in HTML format, click Save and print reports in
HTML format.
3 Select one of the following report page formats:
■ For letter size (8.5 x 11 inch) paper, click Letter.
This is the default setting.
■ For legal size (8.5 x 14 inch) paper, click Legal.
■ For executive size (11 x 17 inch) paper, click Executive.
■ For ISO standard A4 size (210 x 297 mm) paper, click A4.
■ For ISO standard A3 size (297 x 420 mm) paper, click A3.
Global IKE Policy report All configured Global IKE policy information
Monitoring traffic 367
About configuration reports
Logical Network Interface report All configured logical network interface information
Time Period report All configured time period and group information
Virtual Private Network report All configured VPN policy and tunnel information
The configuration reports can be refreshed and you can print them at any time.
Refer to the Reference Guide for details of each report.
2 In the right pane, in the list at the left of the Configuration Reports tab,
select the type of report you want to view.
Monitoring traffic 369
Usage reports
3 To view the report, scroll up and down and left and right within the
Configuration Reports tab.
You can also use the arrow buttons to scroll a page at a time (single arrows)
or to the first or last page (double arrows).
4 To print the report, click Print.
The report prints in the format you selected in the Reports Setup window.
5 To refresh the report with up-to-date information, click Refresh.
Usage reports
The Usage Reports tab lets you prepare reports on the usage of various security
gateway components. The information in the usage report includes user counts,
connection and connection attempt statistics, and error messages.
370 Monitoring traffic
Usage reports
2 In the right pane, on the Usage Reports tab, click on the report you want to
configure.
3 To view the usage report, click the arrow buttons to scan page by page (single
arrows) or to the first or last page (double arrows).
You can also use the scroll bars to scroll within an individual page of the
report.
4 To print the usage report, click Print.
The usage report appears in a new window in the format you selected on the
Reports Setup tab.
5 To refresh the report with up-to-date information, click Refresh.
Monitoring traffic 371
Usage reports
Defining filters
The security gateway includes filters that can be used to check each arriving
packet against specified criteria to allow or deny access.
You can use filters to restrict the types of packets passing into or out of the host
system over a given interface, based on the direction of the transmission and the
protocol being used.
You can use the Filters Properties window to create the following filtering
mechanisms:
■ Individual filters
■ Aggregations of filters or filter groups
See “Understanding filters” on page 209.
Allow multicast (UDP- Generally, you should not allow multicast traffic on security
based) traffic gateway interfaces. However, you may need to allow it if a host
system is running OSPF routing or another application that
requires it.
Port scanning A common method for attacking a site is to connect to port after
capabilities port until a weakness is found. Port scan detection registers a
message (number 347) when an attempt is made to connect to an
unused or disallowed well known port on an interface. This
message logs the source and attempted destination of the
connection.
Provide recursion and By default, DNS queries to the inside interface will provide
expose private DNS private DNS information. DNS queries to the outside interface
information will not provide private DNS information. You can override the
default behavior with this check box.
2 In the right pane, on the Advanced tab, click Logical Network Interfaces.
Interface Name Type a name for this logical network interface. The name
cannot contain any spaces.
Enable Port Scan To enable port scan detection, check Enable Port Scan
Detection Detection. This check box is checked by default on outside
interfaces and unchecked by default on inside interfaces. Port
scan detection registers a message when an attempt is made
to connect to an unused or disallowed port on an interface.
The message logs the source and attempted destination of the
connection.
Enable SYN Flood To enable SYN flood protection on the interface, check Enable
Protection SYN Flood Protection. This check box is unchecked by
default. SYN flooding, a denial of service attack, occurs in
TCP/IP communications when the lack of an ACK response
results in half-open connection states. SYN flooding
protection resets half-open connections.
SYN flood protection impacts security gateway performance.
You should use this feature only when you suspect you are
under attack and only on an outside interface.
Suppress Reset and To put the interface into stealth mode, check Suppress Reset
ICMP error message and ICMP error message. This check box is unchecked by
default.
7 On the Filters tab, in the Input Filter drop-down list, select a filter with
which to filter traffic entering the interface.
The selections are None, Sample_Denial-of-Service_filter, and any filters
you have pre-configured. The default is None.
8 In the Output Filter drop-down list, select a filter with which to filter traffic
leaving the interface.
The selections are None, Sample_Denial-of-Service_filter, and any filters
you have pre-configured. The default is None.
9 On the Description tab, you can add a more detailed description of the
interface than you typed on the General tab in the Caption text box.
10 Click OK.
11 In the Logical Network Interfaces window, click Apply.
380 Preventing attacks
Understanding basic firewall protection settings
Note: You can use some scanning and blocking policy settings during a virus
outbreak to further protect your network. Once you have information on the
characteristics of a new virus, you can use this information to block the infected
attachment or email immediately, before virus definitions for the new virus
have been posted. You can also scan all file types rather than limiting the file
types that are scanned for viruses for maximum coverage.
Antivirus Server Port Type the port number over which to connect to the antivirus
server. The default is port 1344.
Delete file if server is To delete files if the antivirus server is unavailable, check
unavailable Delete file if server is unavailable.
Comfort Buffer Size Type the buffer size to be used for comforting. The default is
(KB) 256 KB.
You must check the Enable Antivirus comforting check box on
the Service Groups Parameters Antivirus tab for this
parameter to take effect.
Comfort Buffer Type the buffer length to be used for comforting. The default
Length (KB) is 15000 KB.
You must check the Enable Antivirus comforting check box on
the Service Groups Parameters Antivirus tab for this
parameter to take effect.
Scan Options In this drop-down list, select the scanning algorithm to use.
The choices are Scan and Repair or Delete and Scan and
Delete. The default is Scan and Repair or Delete.
Files to be scanned In this drop-down list, select the type of files to scan. The
choices are All except those in exclude list or All files. The
default is All except those in exclude list.
Exclude List Select the file extension types you want to exclude from
antivirus scanning.
To add an extension, type it into the Value text box and click
Add. To remove an extension from the Exclude list, select the
entry and click Delete. To restore the default exclude list, click
Restore Default.
6 Click OK.
7 In the Proxies window, click Apply.
8 On the Action menu, select Activate Changes.
Remember that the default addressing scheme of the system, for connections
passing through outside interfaces, is to overwrite packets with the gateway’s
own source address for outgoing connections. The default addressing scheme of
the system for connections passing through secure tunnels is to leave packet
source and destination addresses untouched, revealing client addresses. The
Address Transforms Properties window lets you manipulate these default
addressing schemes.
Note: If you are using NAT for address hiding with secure tunnels, you must
have ESP selected in your VPN policy. NAT does not work with secure tunnels
when AH is selected.
Note: When configuring address transforms using NAT, you must select a server
entity or outgoing interface for which the NAT address is valid and routable
back to the system. (For example, using <ANY> and Universe could be a
problem, since a NAT address will not be valid across all interfaces.)
Name Type a name for the address transform. The name cannot
contain any spaces.
Destination In the Destination drop-down list, select the server entity that
is communicating with the client entity.
Preventing attacks 387
Understanding basic firewall protection settings
6 On the Source Address Transform tab, to have the real packet source address
overwritten by the security gateway address for the connection, click Use
Gateway Address.
This is the default addressing scheme for outgoing connections, except in
the case of VPN tunnels. In VPN tunnels, actual source addresses are applied
to incoming and outgoing packets, unless this option button is selected.
7 To prevent the security gateway system from overwriting the real source
address for the connection, effectively applying source side transparency to
the connection, click Use Original Source Address.
You cannot select Use Original Source Address if you have selected the same
security gateway system interface for both the Entering and Leaving fields.
When the same interface is used for both, the security gateway address is
automatically used to correctly route the connection.
388 Preventing attacks
Redirecting services
Redirecting services
This section explains how to configure service redirection on the security
gateway. Service redirection involves defining a virtual address on which a service
is available and redirecting connections for that address to a non-published
destination.
Configuring service redirection lets you give outside users the appearance of
transparent access to information on systems behind the security gateway
without disclosing the systems’ addresses.
Note: If you are configuring a service redirection for the Common Internet File
System (CIFS) service, the hosts.pub file on the security gateway you are
configuring must have an entry for both the client (Requested Address) and the
target (Redirected Address) machines. The host entry for the target machine must
be the actual IP address of the system, not the Virtual IP (VIP) address.
Note: You cannot specify ports with address transforms, but you can with
service redirection, by changing the destination port. For service redirection,
traffic must be routed through the proxy system.
Note: If you are using a service in your configured redirection that is not
supported by an existing proxy (for example, finger), you must create a GSP for
that service and use the GSP in your service group and apply it to a rule. You can
then select the protocol in the Redirected Services Properties window. All
redirected services are subject to authorization rules and logging. You can
redirect requests to the same virtual address, but different servers, for different
applications. For example, a single address that is published on an outside
interface can be redirected to one server for FTP requests and to a different
system for Web requests.
203.34.56.2
Virtual host 206.141.1.1
203.34.57.2 External host
Support database
203.34.57.1
203.34.57.0 203.34.56.1
Requested Address Type the address mask of the request. You can use the
Mask Requested Address Mask to redirect a network. For example if
you map 203.34.56.0 to 203.34.57.0 (mask 255.255.255.0),
when you connect to 203.34.56.10 you will be redirected to
203.34.57.10.
Redirected Port Type the port to which to redirect the traffic. Providing a
specific port number for the redirected service is required
only if you want to redirect services to a port other than the
one which is usually used by the service. If you do not provide
a port number, the default port for that service is used.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the Redirected Services window, click Apply.
9 On the Action menu, select Activate Changes.
The service redirect is now configured for use.
For example, 203.34.57.2 (the address of the virtual host never appears in
any of the system rules).
6 Click OK.
Note: To redirect a custom service, create a service group containing that service
and use it in the rule.
Note: If you are using NAT for address hiding with VPN tunnels, you must pass
the VPN traffic through the proxies and have ESP selected in your VPN policy.
NAT does not work with VPN tunnels when AH is selected.
For further information on address transforms through the system, refer to the
Symantec Security Gateways Reference Guide.
Note: If you are using a protocol that includes the IP address as application data
without an application-specific proxy, the IP address cannot be modified using
NAT. In this case, you must select Use Original Client Address to correctly route
the connection. For example, you are using a GSP.
Enable To enable NAT pools, check Enable. This check box is checked
by default.
NAT Pool Name Type a name for the NAT pool. The name cannot contain any
spaces.
Real Subnet In the Real Subnet drop-down list, select the subnet entity
that is the real subnet source or destination of the connection.
NAT Subnet In the NAT Subnet drop-down list, select the subnet entity
that appears to be the source or destination of the connection.
If necessary, create a new subnet entity to serve this purpose.
See “Configuring a subnet network entity” on page 86.
6 On the Description tab, you can add a more detailed description of the NAT
pool.
7 Click OK.
8 In the NAT Pools window, click Apply.
9 On the Action menu, select Activate Changes.
The static NAT pool is now configured for use in an address transform.
If you are using a protocol or application that requires the client’s original IP
address in the payload, you must select Use Original Client Address to correctly
route the connection. For example, you are using a GSP.
Enable To enable NAT pools, check Enable. This check box is checked
by default.
NAT Pool Name Type a name for the NAT pool. The name cannot contain any
spaces.
Preventing attacks 399
NAT pool addressing
Starting IP address Type the start address of the NAT pool address range. It is
suggested that you use a range of addresses reserved in RFC
1918. The addresses specified in RFC 1918 are as follows
(these ranges are inclusive):
■ 10.0.0.0 through 10.255.255.255
■ 172.16.0.0 through 172.31.255.255
■ 192.168.0.0 through 192.168.255.255
These are not Internet routable addresses. You must configure
your router to route these addresses to your host security
gateway.
When allocating an entire network of addresses for a NAT
pool, exclude all 0s and 1s in subnet broadcast addresses. For
example, allocate 192.168.1.1 through 192.168.1.254 for a
range and not 192.168.1.0 through 192.168.1.255.
Do not create an address pool using your existing network or
subnet IP addresses. You can, however, create an address pool
using a subset of real network addresses. This subset should
consist of an unassigned range of addresses on the internal
network that is directly attached to the security gateway
system. An external client’s address can then be translated to
one of the addresses in the NAT pool. When the connection is
terminated, the address goes back into the pool.
Ending IP address Type the ending address of the NAT pool address range. The
same recommendations for starting addresses apply to ending
addresses as well.
6 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
7 Click OK.
8 In the NAT Pools window, click Apply.
9 On the Action menu, select Activate Changes.
The dynamic NAT pool is now configured for use.
Note: If you are using NAT pool addressing with VPN tunnels, you must
check the Pass Traffic to Proxies check box on the General tab of the VPN
policy you are using. You must also configure address transforms.
See “Configuring address transforms” on page 383.
400 Preventing attacks
NAT pool addressing
wkst1
203.34.57.1
203.34.57.0 203.34.56.1
Creating a virtual client lets you use the address of a virtual host as the source
for any connection originating from the Support database.
Note: For virtual clients, you must set up the entry as a one-to-one address
mapping.
Enable To enable the NAT pool, check Enable. This check box is
checked by default.
NAT Pool Name Type a name for the NAT pool. The name cannot contain
spaces.
Real Subnet Select the real address of the host initiating the connection. In
this example, it is the Support database.
NAT Subnet Select the address of the virtual host. This is the address that
will be seen on the packet when it reaches its destination. In
this example, it is the Virtual host.
5 Click OK.
6 On the Action menu, select Activate Changes.
Name Type a name for the address transform. The name cannot
contain spaces.
402 Preventing attacks
NAT pool addressing
5 On the Source Address Transform tab, click Use NAT Pool and select the new
NAT pool from the drop-down list.
6 Click OK.
7 On the Action menu, select Activate Changes.
Name Type a name for the rule. The name cannot contain spaces.
Enable To enable the rule, check Enable. This check box is checked by
default.
4 Click OK.
5 On the Action menu, select Activate Changes.
Preventing attacks 403
Network security best practices
Other replication To enable the propagation of configuration files from one security
gateway to another. Security gateway configuration information is
stored in the var/lib/sg/management/<version>/xml directory. When
you activate a configuration change, the xml files are automatically
propagated; all files from that security gateway’s /xml directory are
copied to the /xml directories of enabled members of the cluster on a
secure SSL connection. This lets all members of the cluster appear as
one security gateway, with the same users, network entities, rules,
and all other properties.
After you have created a cluster, you can run the Cluster Wizard again with
different menu selections to modify, delete, or reboot cluster members.
You can use the Cluster tab in the System window of the SGMI to configure
cluster member settings.
See “Configuring cluster members” on page 417.
406 Ensuring availability
Using the Cluster Wizard
To monitor the status of a cluster, click the Cluster Status tab in the Monitoring
window.
See “Viewing cluster status” on page 426.
Every security gateway you add to a cluster must meet the following
prerequisites:
■ All members must have the same number of configured interfaces with the
same case-sensitive logical names.
■ All members must run the same operating system and version.
■ All members must be running on the same platform. You cannot mix
operating systems in the same cluster.
■ The network configuration of all cluster members must match; every cluster
member must have IP addresses on the same subnets as the other cluster
members.
■ All members must be in the same time zone. To specify the time zone, run
the System Setup Wizard.
See “Using the System Setup Wizard” on page 55.
■ Each security gateway must have a different system name.
■ HA/LB must be licensed and enabled on all members.
■ A heartbeat interface must be defined. It is highly recommended that the
heartbeat interface is on a dedicated network used only for cluster
management.
Before creating a cluster, you will be prompted to log on so you can use the
preset password. The passwords do not have to be identical for all cluster nodes;
the propagation does this for you.
The IP address and DNS entries are merged with the reference system and the
passwords are propagated from the reference system to all members of the
cluster, ensuring that all passwords are the same.
For further information on clusters in support of high availability/load
balancing, refer to the Reference Guide.
Type a name and a brief description of the new cluster. You can also enable
Hot Standby mode.
■ Configure Global Settings panel
Select the load-balancing algorithm and the processes to monitor.
■ Configure the VIP Addresses panel
Specify virtual IP addresses (VIPs) for the cluster’s interfaces.
■ Add the Reference Machine panel
View cluster member information and specify the member’s load weight.
■ Add a Second Member panel
Add a new member to the cluster by typing the IP address, user name, and
password.
■ Configure Local Machine Settings panel
View cluster member identification information and specify the member’s
load weight.
■ Configure Second Machine Settings panel
View cluster member identification information and specify the load weight
for subsequent cluster members.
■ Confirmation panel
View the cluster configuration and either validate it or go back and make
corrections.
3 In the Create A New Cluster panel, in the Cluster name text box, type the
name of the cluster.
Do not include spaces in the cluster name.
4 In the Cluster description text box, type a brief description of the cluster.
5 If you want this cluster member to be in Hot Standby mode, check Use Hot
Standby.
In hot standby mode, only one node is active. The other nodes are in standby
mode for fail-over purposes. If the active node fails, the node in hot standby
mode becomes active.
Ensuring availability 409
Using the Cluster Wizard
6 In the Configure Global Settings panel, in the Load balance algorithm drop-
down list, select the load balancing algorithm.
The options are Least Load, Random, and Round Robin. The default is Round
Robin. In Least Load, the node with the lowest traffic load is selected. In
Random mode, nodes are chosen arbitrarily. In Round Robin mode, nodes
are used alternately.
7 In the Monitor Process(es) drop-down list, select the processes to monitor,
and then click Add to add them to the list.
You can also type processes that are not in the drop-down list directly into
the edit box. To remove a process from the list, highlight it and click
Remove.
410 Ensuring availability
Using the Cluster Wizard
8 Click Next.
9 In the Configure the VIP Addresses for Cluster panel, do the following:
■ In the Interfaces table, select an interface.
■ In the VIP address text box, type a Virtual IP Address (VIP) to associate
with the interface, and then click Add.
The VIP address is used to represent the identity of the cluster to
outside machines and routes. You must assign at least one VIP to each
system interface. You may assign up to a total of 64 VIPs minus the
number of network segments that participate in the cluster.
There is no benefit to assigning more VIPs than there are nodes in the
cluster. The optimal configuration is to have the same number of VIPs
as there are nodes in the cluster.
■ To remove a VIP, highlight it in the list, and then click Remove.
Ensuring availability 411
Using the Cluster Wizard
10 Click Next.
12 Click Next.
13 In the Add a Second Member panel, add a member to the cluster by doing
the following:
■ In the IP address text box, type the IP address of the new cluster
member.
■ In the User name text box, type the name of the admin user on the new
cluster member.
■ In the Password text box, type the password for the admin user of the
new cluster member.
■ Click Next.
The Cluster Wizard will check to see if it can connect with the new
cluster member before proceeding.
14 Repeat step 13 for any additional cluster members.
Ensuring availability 413
Using the Cluster Wizard
15 Click Next.
16 In the Configure Service Group Settings panel, in the Service Groups text
box, type the service group for the new cluster, and then click Add.
17 To remove a service group, highlight the service group, and then click
Remove.
414 Ensuring availability
Using the Cluster Wizard
18 Click Next.
Modifying a cluster
You can use the Cluster Wizard to modify a cluster. You can add, delete, or
change cluster member parameters such as IP address and load weight.
Ensuring availability 415
Using the Cluster Wizard
To modify a cluster
1 In the SGMI, on the Action menu, select Cluster > Modify Cluster.
2 In the Modify Cluster Members panel, you can add or delete cluster
members by clicking Add or Delete.
3 To change the IP address of a cluster member, highlight it in the Cluster
Members table and type the new address in the IP Address text box.
4 To change the load weight of a cluster member, highlight the cluster
member and select the load weight in the Weight drop-down list.
5 Click Next.
6 In the Confirmation panel, review your configuration changes and click
Finish, and then do one of the following:
■ If the configuration is successful, click Close.
■ If the configuration is unsuccessful, click Back to revisit and correct
the configuration.
416 Ensuring availability
Using the Cluster Wizard
Rebooting a cluster
You can use the Cluster Wizard to reboot a cluster. This procedure reboots all
cluster members simultaneously.
To reboot a cluster
1 In the SGMI, on the Action menu, select Cluster > Reboot Cluster.
2 In the Confirmation panel, review the cluster members you want to reboot
and click Finish.
3 Click Close.
Removing a cluster
You can use the Cluster Wizard to remove a cluster. The Remove option deletes
all cluster members. To remove an individual cluster member, use the Modify
option.
To remove a cluster
1 In the SGMI, on the Action menu, select Cluster > Remove Cluster.
2 In the Delete Cluster Configuration panel, to remove the cluster and restore
the security gateways to their pre-cluster configuration, click Restore
Previous Configuration.
3 To use the existing configuration without the cluster, click Use Existing
Configuration without Cluster Information.
Ensuring availability 417
Configuring cluster members
4 Click Next.
5 In the Confirmation panel, review the changes you have made and click
Finish, and then do one of the following:
■ If the configuration is successful, click Close.
■ If the configuration is unsuccessful, click Back to revisit and correct
the configuration.
3 In the Cluster Settings table, you can view member ID, member address, and
certificate fingerprint of each cluster member.
To configure clusters
1 In the SGMI, in the left pane, click System.
Ensuring availability 419
Configuring cluster members
3 On the General tab, to place the cluster in Hot Standby mode, check Hot
Standby.
In Hot Standby mode, only one node is active. The other nodes are in
standby mode for fail-over purposes. If the active node fails, the node in Hot
Standby mode becomes active. This check box is unchecked by default.
4 In the Load balancing algorithm drop-down list, select the load balancing
algorithm.
420 Ensuring availability
Configuring cluster members
The choices are Round Robin, Least Load, and Random. The default is Round
Robin.
5 On the VIPs tab, in the drop-down list, select an interface to associate with
each cluster VIP.
Ensuring availability 421
Configuring cluster members
Each interface must have at least one VIP associated with it. You can assign
a maximum of 64 VIPs to a system.
6 On the Watchlist tab, in the Monitor Process(es) box, use the right-arrow >>
and left-arrow << buttons to move processes into or out of the Monitor
Processes list.
7 To add a new process to the Monitor Processes list, click Add.
8 In the New Watched Process dialog box, type the new process to watch, and
then click OK.
9 In the Configuration window, click Apply.
422 Ensuring availability
Configuring cluster members
Ping Group Name Type the name of the Ping group. The name cannot contain
spaces.
Cluster ID Type the name of the cluster. The name cannot contain
spaces.
Frequency Select the frequency (in seconds) of ping attempts. The default
is every five seconds.
Timeout Select the Timeout value (in seconds). The default is five
seconds.
6 On the Addresses tab, in the Ping Monitor Address list box, type an entry in
the Value text box and, to add it to the list box, click Add.
7 To edit or delete an entry in the Ping Monitor Address list box, highlight it,
and then click Modify or Delete.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
9 Click OK.
10 In the Ping Groups window, click Apply.
Ensuring availability 425
Configuring cluster members
7 Click OK.
8 In the NIC Monitoring window, click Apply.
9 On the Action menu, select Activate Changes.
NIC Monitoring is now configured on the new cluster interface.
2 In the right pane, on the Cluster Status tab, you can view the IP addresses,
VIPs, and status of all the members of the cluster.
When a cluster member goes off-line the green display representing it
disappears and the green display at the top turns to red with the legend All
nodes are not up.
Ensuring availability 427
Viewing cluster status
determine the reason for poor system performance. The value is in seconds.
There is no default. A timeout value of 0 disables the logging.
Parameter Description
Parameter Description
3 In the Advanced Options table, click New Advanced Option, and then click
Properties.
4 On the General tab, in the Option Name text box, type the name of the
option.
The syntax must be exactly as listed in the table above.
5 In the Caption text box, type a brief description of the option.
6 On the Value tab, in the Value text box, type a value and click Add to add it to
the list box.
You may enter only one value per option. Typing more than one value can
cause configuration problems.
7 To edit or delete an entry in the list, highlight it and click Modify or Delete.
8 On the Description tab, you can add a more detailed description than you
typed on the General tab in the Caption text box.
Advanced system settings 435
About advanced system settings
9 Click OK.
10 Click Apply.
11 On the Action menu, select Activate Changes.
The advanced option is now configured.
■ Joining SESA
If you are joining multiple security gateways for centralized management, you
must meet these additional prerequisites:
■ Ensure that the number of network interfaces is identical.
■ Configure the logical network interfaces to be named the same on each
security gateway.
Generally, policies reference logical network interface names, and if they do
not match on each security gateway, the validation fails.
■ Configure network entities the same.
If you are joining your security gateways for scalable management, you should
also identify how your security gateways will be logically grouped (region,
organization, and so on) and determine that they can share both the same policy
and location settings.
Joining SESA
Joining SESA lets you configure your security gateways from the SESA Console.
Before you join SESA:
■ Determine the join SESA option that you will use.
■ For all options, contact your SESA administrator for the following
information, which you will need to complete the wizard:
■ SESA Manager IP address or fully qualified domain name
■ Thumbprint of the SESA Manager’s certificate
■ SESA logon name
■ SESA password
security gateway with SESA, how you will manage the security gateway from
SESA, and the part the security gateway plays in your overall security strategy.
Configuration and event Export Local When you join a single, non-clustered security gateway to
management Configuration and SESA, this option pushes the security gateways policy and
Associate with Firewall location settings to SESA, where they are automatically
Requires Symantec
Advanced Manager for associated with the security gateway.
Security Gateways. You should use this option if you are new to security
gateway management through SESA.
See “Exporting the local security gateway configuration to
SESA” on page 442.
Use selected This option lets you select an organizational unit and
organizational unit import the policy and location settings that are associated
configurations with it to the local security gateway.
This overwrites the policy and location settings on the
local security gateway.
To use this option, your network resources must be
parallel to those defined in the location settings you will
import.
See “Importing an existing policy and location settings
from SESA” on page 445.
Cluster management Cluster Configuration When you join a cluster member to SESA, this option lets
panel you specify the organizational unit that will represent the
Requires Symantec
cluster in SESA.
Advanced Manager for
Security Gateways The policy and location settings of the cluster member are
automatically associated with the organizational unit.
Other cluster members are automatically joined to SESA
using the same organizational unit and configurations.
See “Joining a cluster to SESA” on page 448.
Event management only Not applicable. This option lets you join individual and clustered security
gateways to SESA for event management.
Use Symantec Event When you join SESA for
Manager for Security event management only, You use the SESA Console to view the events, and create
Gateways you cannot configure the alerts and reports.
or Symantec Event security gateway from
See “Joining SESA for event management only” on
Manager for Security SESA.
page 453.
Gateways
442 Joining security gateways to SESA
Joining SESA
■ Click Next.
If the connection fails, the wizard prompts you again for the logon
credentials. The wizard lets you try three times before aborting. If the login
fails three times, you must run the wizard again to connect.
7 In the Security Gateway Configurations panel, do the following:
Export Local Select this option to export your local configuration to SESA.
Configuration and
Associate with
Firewall
SESA Policy Type a unique name under which your local policy will be
stored in SESA.
Spaces are not allowed. If you enter a name that is already in
use, you are warned of the conflict.
SESA Location Type a unique name under which your local location settings
Settings will be stored in SESA.
Spaces are not allowed. If you enter a name that is already in
use, you are warned of the conflict.
Joining security gateways to SESA 445
Joining SESA
8 Click Next.
9 In the Confirmation panel, click Finish.
The Task and Status columns show the progress of the Join SESA Wizard.
When all steps are completed, the Finish button changes to a Close button.
10 Click Close.
If the connection fails, the wizard prompts you again for the logon
credentials. The wizard lets you try three times before aborting. If the login
fails three times, you must run the wizard again to connect.
7 In the Security Gateway Configurations panel, do the following:
Organizational units From the drop-down list, select the organizational unit from
which you want to import the configuration.
Use selected Select this option to import the policy and location settings
organizational unit that are associated with the organizational unit.
configuration Warning: Using an organizational unit’s configuration
overwrites your current policy and location settings on the
local security gateway, including DNS settings.
8 Click Next.
448 Joining security gateways to SESA
Joining SESA
The Task and Status columns show the progress of the Join SESA Wizard.
When all steps are completed, the Finish button changes to a Close button.
10 Click Close.
■ Click Next.
If the connection fails, the wizard prompts you again for the logon
credentials. The wizard lets you try three times before aborting. If the logon
fails three times, you must run the wizard again to connect.
Organizational unit Specifies the name of the cluster, based on the current name
of the cluster.
You can specify another name
SESA Policy Type a unique name under which the cluster policy will be
stored in SESA.
Spaces are not allowed. If you enter a name that is already in
use, you are warned of the conflict.
SESA Location Type a unique name under which the cluster location settings
Settings will be stored in SESA.
Spaces are not allowed. If you enter a name that is already in
use, you are warned of the conflict.
8 Click Next.
452 Joining security gateways to SESA
Joining SESA
The Task and Status columns show the progress of the Join SESA Wizard.
When all steps are completed, the Finish button changes to a Close button.
10 Click Close.
To change the name of the cluster’s organizational unit after you join SESA
1 In the SESA Console, on the System view tab, create a new organizational
unit.
2 On the Configuration view tab, right click Security gateways (Group 1) and
then click Show All Gateways.
3 In the Show All Gateways dialog box, on the Organizational Units tab, select
the new organizational unit, and then click Associate.
4 Use the Associate Wizard to associate the policy and location settings of the
old organizational unit with the new organizational unit.
5 On the System view tab, move the computers that represent the cluster
members to the new organizational unit.
Joining security gateways to SESA 453
Joining SESA
In rare cases, the Join SESA Wizard succeeds but the security gateway does not
appear to be joined to SESA. If either of the following occurs, reboot the local
security gateway machine:
■ If you log on to the SESA Console and do not see the security gateway as
joined.
■ If, in the SGMI, the homepage does not indicate that the security gateway
has joined.
Leave SESA Completely remove the SESA Setup (runs the Join SESA
registration of the security Wizard)
gateway from SESA.
456 Joining security gateways to SESA
Returning to local management
3 Click OK.
Joining security gateways to SESA 457
Returning to local management
■ Troubleshooting overview
■ Important reminders
■ Isolating a problem
■ Reserved ports
■ Troubleshooting utilities
Troubleshooting overview
This chapter is a self-help section to help you resolve issues you may encounter
with the installation and operation of the security gateway. If the suggestions in
this chapter do not help you to resolve an issue, please try our customer support
Web pages. The Web site address is:
http://www.symantec.com
Click Support in the top option bar, and then click Enterprise. On the Enterprise
Service and Support page, select the product and version you are using.
The Web site is frequently updated and offers assorted troubleshooting
information for administrators, including:
■ A Knowledge Base of Frequently Asked Questions (FAQs)
460 Troubleshooting and problem solving
Important reminders
Important reminders
■ Once installed, the security gateway shuts off the majority of the
networking services on your machine. This is done to make sure that you
fully understand what is and is not allowed through the security gateway. If
your network setup relied on those services, your network will no longer
operate as you expect.
■ You must understand how your client programs work and what they expect
back when connecting to your security gateway.
■ Some news servers need to see a client’s actual address, not the security
gateway address, as the default. If NNTP is not working because of this, the
problem may be difficult to identify, since all other connectivity is working.
■ Your internet service provider might filter some services. Make sure you
understand your Internet connection settings.
■ Address processing interacts with filters, rules, and tunnels. Address
confusion can magnify a simple problem.
■ Log files contain a great deal of information. If you have one serious log
message, look around it for subsidiary informational messages.
■ Many problems right after installation come from basic connectivity
glitches. Use the verification procedure in the Symantec Enterprise Firewall
Installation Guide to test your basic connectivity.
Isolating a problem
To solve a problem, it is important to locate it. If you cannot get to a Web site on
the Internet with a browser from a computer on one of your private networks,
the problem could be:
■ Inside router not working
■ Inside name service not working
■ Inside security gateway interface not working
Troubleshooting and problem solving 461
Isolating a problem
Using an IP addresses
Using IP addresses instead of host names or URLs will tell you whether the
problem is a name service problem.
If you can access a service using its IP address, you know that the server is
available and the service is working. You know that your basic network
connectivity with respect to that service is working. The problem is name
service.
If using an IP address does not help, you cannot reach the service.
206.7.7.7
206.7.7.14
Boxprime
192.168.1.17 www.xyz.com
206.7.7.9
Router
192.168.3.85
wkst1 wkst2 wkst3
192.168.1.1 192.168.1.2 192.168.1.3
Using Figure C-1, suppose a user cannot connect to an FTP site. The steps to try
are:
■ Sit down at Boxprime, the security gateway machine. Open a browser and
attempt to connect to the FTP site, first using the IP address and then the
host name or URL.
If you cannot connect to the FTP site, you could have a routing problem, a
DNS problem, or your ISP could be filtering the protocol you are trying to
use (very unlikely for FTP, however).
Troubleshooting and problem solving 463
Reserved ports
If you can connect to the service, you could have an inside name service
problem, an incorrectly configured rule, or an inside routing problem.
■ If you can connect to the service from the security gateway machine, sit
down at wkst3 and attempt to connect to the service.
If you cannot reach the service, check your configuration. Since you can
reach the service from the security gateway but not from immediately
behind the security gateway, your problem could be a missing default route,
a problem in the routing table, or the lack of a rule allowing the service.
■ If you can reach the service from wkst3, try it from wkst12, behind the
router. If you cannot reach it from there, you may have routing problems.
Each step in the progression tests a part of the network through which the
connection must be made. As soon as something fails, it localizes the problem to
the network between two points.
This kind of step-by-step testing is vital in testing transparency. If you are
attempting to make a transparent connection through the security gateway, test
each part of the connection. If you can establish the connection non-
transparently (that is, first by connecting to the security gateway address) the
problem is probably in your security gateway configuration. If you can’t
establish the connection, localize the problem and fix it. Once you can establish
the connection non-transparently, try again transparently.
Reserved ports
A problem may arise when you try to create a GSP or service running on a port
already in use by the security gateway. Check to make sure that you have not
chosen a port already in use.
7 TCP echo
7 UDP echo
9 TCP discard
9 UDP discard
11 systat
13 TCP daytime
13 UDP daytime
464 Troubleshooting and problem solving
Reserved ports
15 netstat
19 TCP chargen
19 UDP chargen
23 TCP telnetd
25 TCP smtpd
43 whois
49 TCP tacacsd
53 TCP dns
53 UDP dns
53
69 tftp
79 finger
80 TCP http
88 kerberos
102 iso_tsap
109 POP 2
110 POP 3
152 bftp
161 snmp
162 snmptrap
500 UDP
512 biff
512 exec
513 login
513 who
514 shell
514 syslog
515 printer
520 rip
540 uucp
554 rtsp
466 Troubleshooting and problem solving
Understanding DNS proxy issues
600 pcserver
1024 biff_rev
1024 chargen_udp_rev
1024 daytime_udp_rev
1024 dns_udp_rev
1024 kerberos_udp_rev
1024 lockd_udp_rev
1024 nfsd_udp_rev
1024 echo_udp_rev
1025 esm_rev_install
1503 t120
1731 netmeeting
who do. If you do not have much hands-on experience implementing DNS, get
someone who does.
Make sure that your inside server has a forwarders record pointing to the
security gateway machine and make sure reverse lookups are turned off in the
Advanced Configuration window.
Are you using DNSd as your name server?
Check that the hosts file has your internal DNS information.
Check that the security gateway machine is using localhost (the loopback
address: 127.0.0.1) for its name service.
Finally, remember that your inside machines have to point to the security
gateway for their name resolution.
Note: If you do not have a whole network outside your security gateway, you
need to use CIDR addressing. If you don’t want to use CIDR addressing, a work-
around would be to use your ISP’s name server to provide name service for your
outside network.
Troubleshooting and problem solving 469
Troubleshooting VPN connections
Tunnel traffic
Initial troubleshooting steps should begin with an examination of the host
running the Symantec Client VPN software. Items to check include the
following:
■ Do you have all of the necessary information on either your modem or
network interface card? Often, if technical support determines that the
problem with the network interface card, they will want to capture the card
information so that information can be forwarded to the engineering team.
■ Have you verified that your Internet connection works? This is most often
done by opening up a program like Internet Explorer or Netscape
Communicator and trying to surf to a few different Web sites.
■ Can you ping the security gateway you are trying to connect to? Host
Unreachable, Network Unreachable, or Connection timed out messages
indicate basic connectivity problems that must be addressed before
continuing.
■ Are you entering the user name and shared secret in exactly? Both the user
name and shared secret are case sensitive.
■ Is your host directly connected to your Internet connection, or does it sit
behind an intermediary device? An intermediate device is any device such as
a router, hub, switch, or firewall. If the host does sit behind one of these
intermediary devices, ensure that the device is permits UDP 500 and
protocols 50 (ESP) and 51 (AH) to pass.
■ For static IPsec tunnels, have you checked both keys to ensure that they are
the same?
■ Can you ping the inside interface of the security gateway you’re attempting
to connect to? If you receive a response back, the tunnel has to be connected
and passing traffic correctly. Before passing packets to the inside interface,
all packets must first be decrypted and decapsulated. This is only done when
traffic exits a tunnel. Therefore, if a response is returned from the inside
470 Troubleshooting and problem solving
Troubleshooting VPN connections
Troubleshooting utilities
This section provides details on utility programs that are shipped with the
security gateway. These utilities let you perform command line troubleshooting
and diagnostic tasks. You must have solid networking background to use these
utilities. If necessary, contact Symantec Technical Support before using the
utilities described in this section.
Flatten8
The flatten8 utility formats the message logfile to allow it to be more easily read
and processed by a third-party database management system or by operating
system utilities.
Listlicense
The listlicense utility displays the names or addresses of systems which are
holding user licenses and are being counted for licensing purposes. Each system
listed (one per line) has either client or server after it.
If a system has client listed after it, it initiated a connection. If a system has
server listed after it, it was the destination of a connection.
472 Troubleshooting and problem solving
Troubleshooting utilities
Rlogger
The rlogger utility sends log messages to your system logfile. This is useful for
testing, as well as logging from third-party applications/scripts running on the
security gateway (for example, a UPS watcher program/script may want to log a
power out for xxx minutes, shutting machine down message).
The command to execute rlogger is:
rlogger [-is] [-h host] [-f file] [-p priority] [-t tag]
[message]
All arguments for rlogger are optional. Without arguments, rlogger reads from
the standard input stream and logs to the local machine with a default priority
of Notice and a tag consisting of the username of the user/process invoking it.
Flags are:
■ -i
Log process ID in message (normally not logged).
■ -s
If supported on the platform, log to standard error as well. This is mainly
useful for debugging, but only if the platform supports it.
■ -h
Log to a remote host (not supported on NT).
Troubleshooting and problem solving 473
Online troubleshooting help
■ -f
Read messages to log from the given file (rather than from standard input
stream).
■ -p
Priority to log with. Can be either a numeric level (corresponds to systems'
syslog levels) or a name like alert.
■ -t
Tag to use instead of user name.
Undocumented flags are:
■ -d
Write directly to the logfile, bypassing syslogd. Cannot be used with -h.
tcpdump
The tcpdump utility prints out the headers of packets on a network interface
that match a boolean expression.
Under SunOS with nit or bpf, you must have read access to /dev/nit or /dev/bpf*.
Under Solaris with dlpi, you must have read access to the network pseudo
device, for example, /dev/le.
The command to execute tcpdump is:
tcpdump [-adflnNOqStvx] [-c count] [-F file] [-i interface] [-H
ipaddress] [-r file] [-s snaplen] [-T type] [-w file] [expression]
For tcpdump usage information, refer to the file tcpdump.pdf.
4 Under enterprise product support, from the Select a product pull-down list
in step 1, select your product name.
5 In step 2, from the Select a version pull-down list, select your version
number.
6 In step 3, click Continue.
7 In the middle of the Support Solutions screen, in the solve a technical issue
section, click Knowledge Base to see articles, tips, and tricks for your
product.
You can search or browse the knowledge base for troubleshooting
information using the directions provided on the Knowledge Base page.
8 In the middle of the Support Solutions screen, in the solve a technical issue
section, click Release and Updates to download current patches and
hotfixes for your product.
9 In the middle of the Support Solutions screen, in the solve a technical issue
section, click Manuals and Documentation to download documents for
your product, including the latest Release Notes.
10 In the middle of the Support Solutions screen, in the solve a technical issue
section, click Contact Customer Support to open a support incident using
the Internet, email, or telephone.
Before opening a call, make sure to have your product license and serial
number available. If you have a maintenance agreement with an authorized
reseller or channel partner, and not directly with Symantec, you need to
contact them for support.
Glossary
Glossary of terms
access control The mechanisms and policies that restrict access to computer resources. An access control
list (ACL), for example, specifies what operations different users can perform on specific
files and directories.
access sharing The act of permitting two or more users simultaneous access to file servers or devices.
activation The process of making a configuration available for download and notifying all associated
security gateways that it is there. Successful validation is a required piece of the activation
process.
ActiveX The name that Microsoft has given to a set of strategic object-oriented program
technologies and tools. ActiveX is Microsoft's answer to the Java technology from Sun
Microsystems in that an ActiveX control is roughly equivalent to a Java applet. The main
thing that you create when writing a program to run in the ActiveX environment is a
component, a self-sufficient program that can be run anywhere in your ActiveX network
(currently a network consisting of Windows and Macintosh systems). This component is
known as an ActiveX control.
address book An automated email address directory that allows you to address your messages easily.
Generally, an address book has both personal and public versions.
address transforms A process that lets you present routable addresses to the Symantec Enterprise Firewall
(SEF) system for packets passing through an SEF interface or secure tunnel. This allows
you to correctly forward connections that present routing problems on your network.
alert threshold A rule that monitors suspicious activity based on access attempts and time intervals. You
can customize or disable the default threshold according to your needs.
anti-replay service A service in which each IP packet passing within the secure association is tagged with a
sequence number. On the receiving end, each packet's sequence number is checked to see
if it falls within a specified range. If an IP packet tag number falls outside of the range, the
packet is blocked.
API (application The specific methodology by which a programmer writing an application program can
programming interface) make requests of the operating system or another application.
476 Glossary of termsGlossary
application gateway A gateway that looks at data at the application layer of the protocol stack and serves as a
proxy for outside users, intercepting packets and forwarding them to the application.
Thus, outside users never have a direct connection to anything beyond the firewall. The
fact that the firewall looks at this application information means that it can distinguish
among such things as Telnet, File Transfer Protocol (FTP), or Lotus Notes traffic. Because
the application gateway understands these protocols, it provides security for each
application that it supports. Also called application-level firewall.
archive A collection of computer files that have been packaged together for backup, to transport to
some other location, for saving away from the computer so that more hard disk storage
can be made available, or for some other purpose. An archive can include a simple list of
files or files organized under a directory or catalog structure (depending on how a
particular program supports archiving).
ARP (Address A protocol for mapping an Internet Protocol (IP) address to a physical computer address
Resolution Protocol) that is recognized in the local network. When an interface on one computer needs to talk
to another interface, it will ARP (that is, send out a broadcast) asking for a response from
the interface that matches the IP address. The response contains the hardware address of
the interface that has the corresponding IP address.
asymmetric encryption A type of encryption that is based on the concept of a key pair. Also called public key
cryptography. Each half of the pair (one key) can encrypt information so that only the
other half (the other key) can decrypt it. One part of the key pair, the private key, is known
only by the designated owner; the other part, the public key, is published widely but is still
associated with the owner.
attachment A file that a user adds to an email message to transfer it to another user.
authentication The process of determining the identity of a user attempting to access a network.
Authentication occurs through challenge/response, time-based code sequences, or other
techniques. Authentication typically involves the use of a password, certificate, PIN, or
other information that can be used to validate identity over a computer network. See also
CHAP (Challenge Handshake Authentication Protocol), PAP (Password Authentication
Protocol).
authentication token A portable device used for authenticating a user. Authentication tokens operate by
challenge/response, time-based code sequences, or other techniques. This may include
paper-based lists of one-time passwords.
authentication tool A software or handheld hardware key or token that is used during the user authentication
process. See also key, token.
authorization The process of determining the type of activities or access that is permitted on a network.
Usually used in the context of authentication: once you have authenticated a user, the user
can be authorized to have access to a specific service.
back door An entry point to a program or a system that is hidden or disguised, often created by the
software's author for maintenance. A certain sequence of control characters permits
access to the system manager account. If the back door becomes known, unauthorized
users (or malicious software) can gain entry and cause damage.
Glossary of termsGlossary 477
backup regime A group of settings that determines which computer to include in a backup task and other
details, such as scheduling.
bandwidth The amount of data transmitted or received per unit time. In digital systems, bandwidth is
proportional to the data speed in bits per second (bps). Thus, a modem that works at
57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.
bastion host A specific host that is used to intercept packets entering or leaving a network. Also, the
system that any outsider must ordinarily connect with to access a system or service that is
inside the network's firewall. Typically the bastion host must be highly secured because it
is vulnerable to attack due to its placement. See also dual-homed gateway.
boot partition A hidden partition on a client computer that contains the necessary software to allow
communication with the Console and the execution of Console tasks. A boot partition is
usually created as a Ghost image boot package by the Ghost Boot Wizard.
buffer overflow attack An attack that works by exploiting a known bug in one of the applications running on a
server. This then causes the application to overlay system areas, such as the system stack,
thus allowing the attacker to gain administrative rights. In most cases, this gives the
attacker complete control over the system. Also called stack overflow.
CA (Certificate A trusted third-party organization or company that issues digital certificates that are used
Authority) to create digital signatures and public-private key pairs. The role of the CA in this process
is to guarantee that the entity granting the unique certificate is, in fact, who it claims to
be. This means that the CA usually has an arrangement with the requesting entity to
confirm a claimed identity. CAs are a critical component in data security and electronic
commerce because they guarantee that the two parties exchanging information are really
who they claim to be.
CGI (Common Gateway A denial of service attack that is aimed at the Common Gateway Interface (CGI). CGI is a
Interface) exploit standard way for a Web server to pass a Web user's request to an application program and
to receive data back to forward to the user. It is part of the Web's Hypertext Transfer
Protocol (HTTP).
CHAP (Challenge An authentication technique in which a server sends a challenge to the requester after the
Handshake link has been established. The requester responds with a value obtained by using a one-
Authentication way hash function. The server checks the response by comparing it to its own calculation
Protocol) of the expected hash value. If the values match, the authentication is acknowledged. If the
values do not match, the connection is usually terminated.
checksum A count of the number of bits in a transmission unit that is included with the unit so that
the receiver can check to see whether the same number of bits arrived. If the counts
match, it is assumed that the complete transmission was received. Also called hash.
circuit-level gateway A gateway that runs proxy applications at the session layer instead of the application
layer. It can't distinguish different applications that run on the same protocol stack.
However, this gateway doesn't need a new module for every new application either. A
circuit-level gateway is a firewall feature that can, when needed, serve as an alternative to
packet filtering or application gateway functionality.
478 Glossary of termsGlossary
client A requesting program or user in a client/server relationship. For example, the user of a
Web browser is effectively making client requests for pages from servers all over the Web.
The browser itself is a client in its relationship with the computer that is getting and
returning the requested HTML file.
combined evaluation A method of using proxy and state or filter evaluations as allowed by an administrator.
communications server Procedures designed to ensure that telecommunications messages maintain their
integrity and are not accessible by unauthorized individuals.
configuration The relationship between a policy and a location that are both applied to the same target.
association Also called policy-location association.
content blocking The ability to block network traffic based on actual packet content.
content scanning or The ability to review the actual information that an end user sees when using a specific
screening Internet application, for example, the content of email messages.
content virus A virus that is commonly protected against with a virus scanner. See also data-driven
attack.
daemon A program that runs continuously and exists for the purpose of handling periodic service
requests that a computer system expects to receive. The daemon forwards the requests to
other programs (or processes) as appropriate. A typical example of a daemon can be seen
on Web servers. Each server has a Hypertext Transfer Protocol Daemon (HTTPD) that
continually waits for requests to come in from Web clients and their users.
data-driven attack A form of intrusion in which the attack is encoded in seemingly innocuous data. It is
subsequently executed by a user or other software to actually implement the attack.
decode To convert encoded text to plain text through the use of a code.
dedicated device A special-purpose device. Although it is capable of performing other duties, it is assigned
to only one.
defense in-depth The security approach in which each system on the network is secured to the greatest
possible degree. This can be used in conjunction with firewalls.
denial of service (DoS) A type of attack in which a user or program takes up all of the system resources by
attack launching a multitude of requests, leaving no resources and thereby denying service to
other users. Typically, denial of service attacks are aimed at bandwidth control.
deployment The installation of a network of SESA security products, collectors, and the SESA
management components (SESA Manager, SESA DataStore, SESA Directory, and SESA
Agents) to form the enterprise security environment.
DES (Data Encryption A widely-used method of data encryption using a private (secret) key that was judged so
Standard) difficult to break by the U.S. government that it was restricted for exportation to other
countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption
keys that can be used. For each given message, the key is chosen at random from among
this enormous number of keys. Like other private key cryptographic methods, both the
sender and the receiver must know and use the same private key.
digital certificate A digital certificate is an electronic credit card that establishes a user's credentials when
doing business or other transactions on the Web. It is issued by a Certificate Authority
(CA). It contains the user's name, a serial number, expiration dates, a copy of the
certificate holder's public key (used for encrypting and decrypting messages and digital
signatures), and the digital signature of the certificate-issuing authority so that a
recipient can verify that the certificate is real.
digital signature An electronic rather than a written signature that can be used by someone to authenticate
the identity of the sender of a message or of the signer of a document. It can also be used
to ensure that the original content of the message or document that has been conveyed is
unchanged. Additional benefits to the use of a digital signature are that it is easily
transportable, cannot be easily repudiated, cannot be imitated by someone else, and can
be automatically time-stamped.
distribute To inform a designated set of computers of the existence of new configurations. The
computers then contact the SESA Manager to receive the configurations.
distribution target An object to which a configuration can be applied. This includes computers and
organizational units.
DMZ (de-militarized A network added between a protected network and an external network to provide an
zone) additional layer of security. Sometimes called a perimeter network.
DNS (Domain Name An intermediary between a workstation user and the Internet that allows the enterprise to
Server) proxy ensure security and administrative control.
DNS (Domain Name A hierarchical system of host naming that groups TCP/IP hosts into categories. For
System) example, in the Internet naming scheme, names with .com extensions identify hosts in
commercial businesses.
DNS server A repository of addressing information for specific Internet hosts. Name servers use the
Domain Name System (DNS) to map IP addresses to Internet hosts.
DNS spoofing The act of breaching the trust relationship by assuming the Domain Name System (DNS)
name of another system. This is usually accomplished by either corrupting the name
service cache of a victim system or by compromising a Domain Name Server for a valid
domain.
480 Glossary of termsGlossary
domain A group of computers or devices that share a common directory database and are
administered as a unit. On the Internet, domains organize network addresses into
hierarchical subsets. For example, the .com domain identifies host systems that are used
for commercial business.
domain entity A group of computers sharing the network portion of their host names, for example,
raptor.com or miscrosoft.com. Domain entities are registered within the Internet
community. Registered domain entities end with an extension such as .com, .edu, or .gov
or a country code such as .jp (Japan).
downstream post office A post office that communicates with a mail server through another post office or other
post offices.
DSX (Dynamic Security A proprietary technology that is patented and works in the following way. The operating
Extension) system has a system call (or vector) table that contains memory address pointers for each
system call. These pointers point to a location in memory where the actual kernel code of
the system calls resides. DSX stores the address pointers for the security-sensitive system
calls and then redirects these pointers to the corresponding SECURED system call code,
which is located elsewhere in memory.
dual-homed gateway A system that has two or more network interfaces, each of which is connected to a
different network. In firewall configurations, a dual-homed gateway usually acts to block
or filter some or all of the traffic trying to pass between the networks.
e-business The conducting of business on the Internet, not only buying and selling but also servicing
customers and collaborating with business partners. e-business is short for electronic
business.
e-commerce The buying and selling of goods and services on the Internet, especially the World Wide
Web. In practice, this term and e-business are often used interchangeably. For online retail
selling, the term e-tailing is sometimes used.
email bomb A code that, when executed, sends many messages to the same address(es) for the purpose
of using up disk space or overloading an email or Web server.
email client An application from which users can create, send, and read email messages.
email server An application that controls the distribution and storage of email messages.
encryption A method of scrambling or encoding data to prevent unauthorized users from reading or
tampering with the data. Only those who have access to a password or key can decrypt and
use the data. The data can include messages, files, folders, or disks.
end-to-end encryption The process of using encryption at the point of origin in a network, followed by decryption
at the destination.
ESP (Encapsulated A standard that provides confidentiality for IP datagrams or packets by encrypting the
Security Payload) payload data to be protected. Datagrams and packets are the message units that the
Internet Protocol deals with and that the Internet transports.
Glossary of termsGlossary 481
Ethernet A local area network (LAN) protocol developed by Xerox Corporation in cooperation with
DEC and Intel in 1976. Ethernet uses a bus or star topology and supports data transfer
rates of 100 Mbps.
Extended MAPI An interface developed by Microsoft that provides messaging functions including
(Messaging Application addressing, sending, receiving, and storing messages.
Programming Interface)
extranet The extension of the LAN via remote or Internet access to partners outside of your
organization, such as frequent suppliers and purchasers. Such relationships should be
over authenticated links to authorized segments of the LAN and are frequently encrypted
for privacy.
fault tolerance A design method that ensures continued systems operation in the event of individual
failures by providing redundant system elements.
FDDI (Fiber Distributed A set of ANSI protocols used for sending digital data over fiber optic cable. FDDI networks
Data Interface) are token-passing networks and support data rates of up to 100 Mb (100 million bits) per
second. FDDI networks are typically used as backbones for wide area networks.
filter A program or section of code that is designed to examine each input or output request for
certain qualifying criteria and then process or forward it accordingly.
firewall A program that protects the resources of one network from users from other networks.
Typically, an enterprise with an intranet that allows its workers access to the wider
Internet will want a firewall to prevent outsiders from accessing its own private data
resources.
firewall hardware/ A physical or virtual boundary to secure a network or network segment. A firewall can
software identify and permit or block network traffic based on multiple criteria including
originating domain, network port number, and originating network IP address.
flooding program A program that contains code that, when executed, will bombard the selected system with
requests in an effort to slow down or shut down the system.
forward filter A filter that you configure and then apply to all incoming and outgoing packets arriving at
any Symantec Enterprise Firewall (SEF) system interface. If a packet matches the chosen
filter, it is not sent up the protocol stack for authentication. Instead, it is allowed through
the SEF host, bypassing normal security checks.
FTP (File Transfer The simplest way to exchange files between computers on the Internet. Like the Hypertext
Protocol) Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the
Simple Mail Transfer Protocol (SMTP), which transfers email, FTP is an application
protocol that uses the Internet's TCP/IP protocols.
482 Glossary of termsGlossary
gateway A network point that acts as an entrance to another network. In a company network, a
proxy server acts as a gateway between the internal network and the Internet. A gateway
can also be any computer or service that passes packets from one network to another
network during their trip across the Internet.
generic service filters A filter that transparently handles all generic or customer services not supported by one
of the Symantec Enterprise Firewall (SEF) proxy server applications. Requests are proxied
to their destinations as if the requester were directly connected to the remote destination
computer. All connections are subject to SEF's authorization rules.
generic utilities General purpose code and devices, for example, screen grabbers and sniffers that look at
data and capture information such as passwords, keys, and secrets.
global security The ability of an access control package to permit protection across a variety of mainframe
environments, providing users with a common security interface to all.
group entity A collection of other network entities, such as hosts, domains, and subnets.
hack A program in which a significant portion of the code was originally another program.
hacker A term used by some to mean a clever programmer and by others, especially journalists or
their editors, to mean someone who tries to break into computer systems.
hijacking The control of a connection taken by the attacker after the user authentication has been
established.
host entity A single computer. It can be either inside or outside of the Symantec Enterprise Firewall
system host. A host is specified using its IP address in fully qualified dotted quad format.
host-based security The technique of securing an individual system from attack. Host-based security is
operating system-dependent and version-dependent.
HTML (Hypertext A standard set of commands used to structure documents and format text so that it can be
Markup Language) used on the Web.
HTTP (Hypertext The set of rules for exchanging files (text, graphic images, sound, video, and other
Transfer Protocol) multimedia files) on the World Wide Web. Similar to the TCP/IP suite of protocols (the
basis for information exchange on the Internet), HTTP is an application protocol.
hybrid gateway An unusual configuration with routers that maintain the complete state of the TCP/IP
connections or examine the traffic to try to detect and prevent attack (this may involve the
bastion host). If very complicated, it is difficult to attach, and difficult to maintain and
audit.
Glossary of termsGlossary 483
IKE (Internet Key A key management protocol standard that is used in conjunction with the IPSec standard.
Exchange) IPSec is an IP security feature that provides robust authentication and encryption of IP
packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing
additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a
hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside
of the Internet Security Association and Key Management Protocol (ISAKMP) framework.
ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.
information systems The protection of information assets from accidental or intentional but unauthorized
technology disclosure, modification, or destruction, or the inability to process that information.
intrusion detection A security service that monitors and analyzes system events for the purpose of finding
and providing real-time, or near real-time, warning of attempts to access system resources
in an unauthorized manner.
IP (Internet Protocol) The method or protocol by which data is sent from one computer to another on the
Internet. Each computer (known as a host) on the Internet has at least one address that
uniquely identifies it to all other computers on the Internet.
IP hijacking An attack in which an active, established session is intercepted and taken over by the
attacker. This attack may take place after authentication has occurred, which allows the
attacker to assume the role of an already authorized user.
IP number A unique number (also called a dotted quad) consisting of 4 parts separated by dots (for
example, 199.171.33.46). Every computer on the Internet has a unique IP number. If a
computer does not have an IP number, it is not really on the Internet. Most computers also
have one or more domain names that are easier for people to remember.
IP sniffing The stealing of network addresses by reading the packets. Harmful data is then sent
stamped with internal trusted addresses.
IP spoofing An attack in which someone intercepts and co-opts an active, established session. IP
spoofing is also an attack method by which IP packets are sent with a false source address,
which may try to circumvent firewalls by adopting the IP address of a trusted source. This
fools the firewall into thinking that the packets from the hacker are actually from a
trusted source. IP spoofing can also be used simply to hide the true origin of an attack.
IPSec (Internet Protocol A developing standard for security at the network or packet-processing layer of network
Security) communication. IPSec provides two choices of security service: Authentication Header
(AH), which essentially allows authentication of the sender of data, and Encapsulating
Security Payload (ESP), which supports both the authentication of the sender and
encryption of data as well. IPSec is widely used with virtual private networks.
484 Glossary of termsGlossary
ISP (Internet service An organization or company that provides dial-up or other access to the Internet, usually
provider) for money.
Java A programming language expressly designed for use in the distributed environment of the
Internet. It was designed to have the look and feel of the C++ language, but it is simpler to
use than C++ and enforces a completely object-oriented view of programming. Java can be
used to create complete applications that can run on a single computer or be distributed
among servers and clients in a network. It can also be used to build small application
modules or applets for use as part of a Web page. Applets make it possible for a Web page
user to interact with the page.
key A variable value in cryptography that is applied (using an algorithm) to a string or block of
unencrypted text to produce encrypted text. A key is also a series of numbers or symbols
that are used to encode or decode encrypted data.
key management The establishment and enforcement of message encryption and authentication
procedures to provide privacy-enhanced mail (PEM) services for electronic mail transfer
over the Internet.
L2F (Layer Two A protocol that supports the creation of secure virtual private dial-up networks over the
Forwarding) Protocol Internet.
LAN (local area A group of computers and other devices in a relatively limited area (such as a single
network) building) that are connected by a communications link that enables any device to interact
with any other device on the network.
LDAP (Lightweight A software protocol that enables anyone to locate organizations, individuals, and other
Directory Access resources such as files and devices in a network, whether on the Internet or on a corporate
Protocol) intranet. LDAP is a lightweight (smaller amount of code) version of Directory Access
Protocol (DAP), which is part of X.500, a standard for directory services in a network.
least privilege The process of designing operational aspects of a system to operate with a minimum
amount of system privilege. This reduces the authorization level at which various actions
are performed and decreases the chance that a process or user with high privileges can
perform unauthorized activity resulting in a security breach.
litigation protection The review and recording of Internet, intranet, and extranet communications that is done
to avoid litigation or the documentation of the communications parties and content in the
event of litigation.
logging The process of storing information about events that occurred on the firewall or network.
MAC (Media Access On a network, a computer's unique hardware number. The MAC address is used by the
Control) Media Access Control sublayer of the Data Link Control (DLC) layer of telecommunication
protocols. There is a different MAC sublayer for each physical device type. The data-link
layer is the protocol layer in a program that handles the moving of data in and out across a
physical link in a network.
manipulation The insertion of arbitrary streams of data without the user noticing.
Glossary of termsGlossary 485
MAPI (Messaging An interface developed by Microsoft that provides messaging functions including
Application addressing, sending, receiving, and storing messages. Simple MAPI includes some of these
Programming Interface) functions. Extended MAPI includes all of these functions.
MIME (Multipurpose A protocol used for transmitting documents with different formats via the Internet.
Internet Mail
Extensions)
mobile code A program downloaded from the Internet that runs automatically on a computer with
little or no user interaction.
multiuser Of, or pertaining to, the ability of multiple, concurrent users to log on and run applications
from a single server.
NAR (Network Address A simplified IP addressing capability that eliminates the need to establish an intermediate
Retention) IP address between a router and a firewall. Sometimes called Proxy-ARP. This feature
allows the implementation of a firewall into an existing network without having to
establish a new IP address scheme.
NAT (Network Address A firewall technique that allows a LAN to be represented to the Internet as a single IP
Translation) address. That is, the external network only sees the IP address of the NAT server, so that it
cannot locate the individual computers.
NAT (Network Address A set of addresses that are designated as replacement addresses for client IP addresses.
Translation) pool You can use this NAT pool addressing capability to conserve IP addresses, resolve address
conflicts, and create virtual clients.
NCSA (National An organization with the mission to continually improve commercial computer security
Computer Security through certification of firewalls, antivirus products, and Web sites. NCSA also shares and
Association) disseminates information concerning information security.
network entity A host or group of hosts on the Internet or on your private networks. Supported Symantec
Enterprise Firewall entities include: host, domain, subnet, and group.
network service access A high-level, issue-specific policy that defines those services that will be allowed or
policy explicitly denied from a restricted network, the way in which these services will be used,
and the conditions for exceptions to the policy.
network worm A program or command file that uses a computer network as a means for adversely
affecting a system's integrity, reliability, or availability. A network worm can attack from
one system to another by establishing a network connection. It is usually a self-contained
program that does not need to attach itself to a host file to infiltrate network after
network.
network-level firewall A firewall in which traffic is examined at the network protocol packet level.
NNTP (Network News The predominant protocol used by computers (servers and clients) for managing the notes
Transfer Protocol) posted on newsgroups. NNTP replaced the original Usenet protocol, UNIX-to-UNIX.
486 Glossary of termsGlossary
ODBC (Open Database A standard or open application programming interface (API) for accessing a database. By
Connectivity) using ODBC statements in a program, you can access files in a number of different
databases, including Access, dBase, DB2, Excel, and Text. In addition to the ODBC
software, a separate module or driver is needed for each database to be accessed.
one-time password In network security, a password that is issued only once as a result of a challenge-response
authentication process. This cannot be stolen or reused for unauthorized access.
OOBA (out-of-band A one-size-fits-all authentication sequence for protocols that require transparency or
authentication) have their own authentication. OOBA allows you to authenticate with proxies, such as
HTTP, SQLnet, and h323, that have not supported authentication on the firewall in the
past.
packet A unit of data that is formed when a protocol breaks down messages that are sent along
the Internet or other networks. Messages are broken down into standard-sized packets to
avoid overloading lines of transmission with large chunks of data. Each of these packets is
separately numbered and includes the Internet address of the destination. Upon arrival at
the recipient computer, the protocol recombines the packets into the original message.
packet filter A filter that keeps out certain data packets based on their source and destination
addresses and service types. You can use packet filters to block connections from or to
specific hosts, networks, or ports. Packet filters are simple and fast, but they make
decisions based on a very limited amount of information.
packet sniffing The interception of packets of information (for example, a credit card number) that are
traveling across a network.
PAP (Password A procedure used to validate a connection request. After the link is established, the
Authentication requester sends a password and an ID to the server. The server either validates the request
Protocol) and sends back an acknowledgement, terminates the connection, or offers the requester
another chance.
password-based attack An attack in which repetitive attempts are made to duplicate a valid logon or password
sequence.
perimeter-based The technique of securing a network by controlling access to all entry and exit points of
security the network.
PGP (Pretty Good A freeware (for non-commercial users) encryption program that uses the public key
Privacy) approach: messages are encrypted using the publicly available key, but the intended
recipient can only decipher them via the private key. PGP is perhaps the most widely used
encryption program.
PIN (personal In computer security, a number used during the authentication process that is known only
identification number) to the user.
Glossary of termsGlossary 487
PKI (public key An infrastructure that enables users of a basically nonsecure public network (such as the
infrastructure) Internet) to exchange data and money securely and privately through the use of a public
and a private cryptographic key pair that is obtained and shared through a trusted
authority.
platform attack An attack that focuses on vulnerabilities in the operating system that is hosting the
firewall.
policy 1. A document (hardcopy or electronic) that outlines specific requirements or rules that
must be met. 2. The activities or states that are allowed, required, or forbidden within a
specific environment.
POP3 (Post Office An email protocol used to retrieve email from a remote server over an Internet connection.
Protocol 3)
PPP (Point-to-Point A protocol used for communication between two computers. This is most commonly seen
Protocol) with dial-up accounts to an ISP. However, Point-to-Point Protocol over Ethernet (PPPoE)
has now become more popular with many DSL providers.
private key A part of asymmetric encryption that uses a private key in conjunction with a public key.
The private key is kept secret, while the public key is sent to those with whom a user
expects to communicate. The private key is then used to encrypt the data, and the
corresponding public key is used to decrypt it. The risk in this system is that if either party
loses the key or the key is stolen, the system is broken.
protocol A set of rules for encoding and decoding data so that messages can be exchanged between
computers and so that each computer can fully understand the meaning of the messages.
On the Internet, the exchange of information between different computers is made
possible by the suite of protocols known as TCP/IP. Protocols can be stacked, meaning that
one transmission can use two or more protocols. For example, an FTP session uses the FTP
protocol to transfer files, the TCP protocol to manage connections, and the IP protocol to
deliver data.
proxy server A server that acts on behalf of one or more other servers, usually for screening, firewall, or
caching purposes, or a combination of these purposes. Also called a gateway. Typically, a
proxy server is used within a company or enterprise to gather all Internet requests,
forward them out to Internet servers, and then receive the responses and in turn forward
them to the original requester within the company.
public key A part of asymmetric encryption that operates in conjunction with the private key. The
sender looks up the public key of the intended recipient and uses the public key to encrypt
the message. The recipient then uses his or her private key, which is not made public, to
decrypt the message.
488 Glossary of termsGlossary
QoS (quality of service) On the Internet and in other networks, the idea that transmission rates, error rates, and
other characteristics can be measured, improved, and, to some extent, guaranteed in
advance. QoS is of particular concern for the continuous transmission of high-bandwidth
video and multimedia information.
RA (Registration An authority in a network that verifies user requests for a digital certificate and tells the
Authority) Certificate Authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a
networked system that enables companies and users to exchange information and money
safely and securely.
RAS (remote access A feature built into Windows NT that enables users to log on to an NT-based LAN using a
server) modem, X.25 connection, or WAN link. RAS works with several major network protocols,
including TCP/IP, IPX, and NetBEUI.
remote access The use of programs that allow access over the Internet from another computer to gain
information or to attack or alter your computer.
RIP (Routing The oldest routing protocol on the Internet and the most commonly used routing protocol
Information Protocol) on local area IP networks. Routers use RIP to periodically broadcast the networks that they
know how to reach.
risk analysis The analysis of an organization's information resources, existing controls, and computer
system vulnerabilities. Risk analysis establishes a potential level of damage in dollars or
other assets.
rogue program Any program intended to damage programs or data (such as malicious Trojan horses).
routing agent A program on the Internet that gathers information or performs some other service
without your immediate presence and on some regular schedule. Typically, an agent
program, using parameters that you have provided, searches all or some part of the
Internet, gathers information you're interested in, and presents it to you on a daily or
other periodic basis. Also called an intelligent agent.
RSA (Rivest-Shamir- One of the fundamental encryption algorithms or series of mathematical actions
Adleman) developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is
the most commonly used encryption and authentication algorithm and is included as part
of the Web browsers from Netscape and Microsoft.
RSACi (Recreational A computer software ratings system of Web site content developed by RSAC in response to
Software Advisory the passage of U.S. federal legislation prohibiting the transmittal of offensive, or indecent,
Council on the Internet) materials over the Internet. RSACi was developed with the express intent of providing a
simple yet effective rating system for Web sites, which protects both children, by
providing and empowering parents with detailed information about site content, and the
rights of free speech of everyone who publishes on the World Wide Web.
rule A logical statement that lets you respond to an event based on predetermined criteria.
S/MIME (Secure/ An email security protocol that was designed to prevent the interception and forgery of
Multipurpose Internet email by using encryption and digital signatures. S/MIME builds security on top of the
Mail Extensions) MIME protocol and is based on technology originally developed by RSA Data Security, Inc.
Glossary of termsGlossary 489
screened host gateway A host on a network that is behind a screening router. The degree to which a screened host
may be accessed depends on the screening rules in the router.
screened subnet An isolated subnet created behind a screening router to protect the private network. The
degree to which the subnet can be accessed depends on the screening rules in the router.
screening router A router configured to permit or deny traffic based on a set of permissions or rules
installed by the administrator.
security gateway A new network entity that defines the gateway that serves as the point of decryption and
encryption for the network.
server A computer or software that provides services to other computers (known as clients) that
request specific services. Common examples are Web servers and mail servers.
SESA (Symantec The centralized, scalable management architecture that is used by Symantec's security
Enterprise Security products.
Architecture)
session In communications, the time during which two computers maintain a connection and,
usually, are engaged in transferring information.
Session Shadowing A feature of Citrix WinFrame and MetaFrame that allows administrators and technical
support staff to remotely join or take control of a user's session for diagnosis, support, and
training.
SGMI (Symantec The local management interface that is used to configure and manage an individual
Gateway Management Symantec security gateway.
Interface)
shared POP3 mailbox A mailbox that stores messages for an entire domain and that allows organizations with
part-time Internet connections to exchange mail.
SLIP (Serial Line A TCP/IP protocol used for communication between two computers that have been
Internet Protocol) previously configured for communication with each other.
smart card A plastic card about the size of a credit card that has an embedded microchip that can be
loaded with data, used for telephone calling, electronic cash payments, and other
applications, and then periodically recharged for additional use. Smart cards are currently
used to establish identity when logging on to an Internet access provider.
SMF (Standard Message A message file format established by Novell and used by many email applications.
Format)
SMTP (Simple Mail The protocol that allows email messages to be exchanged between mail servers. Then,
Transfer Protocol) clients retrieve email, typically via the POP or IMAP protocol.
490 Glossary of termsGlossary
SMTP Wizard A tool that assists you in setting up Simple Mail Transfer Protocol (SMTP) for your mail
server. The wizard will prompt you by requesting data and walking you through the
specific setup procedure.
SNMP (Simple Network The protocol governing network management and the monitoring of network devices and
Management Protocol) their functions.
social engineering An attack based on tricking or deceiving users or administrators into revealing passwords
or other information that compromises a target system's security. Social engineering
attacks are typically carried out by attackers who telephone users or operators and
pretend to be authorized users.
source-route attack A form of spoofing in which the routing, as indicated in the source routed packet, is not
coming from a trusted source and therefore the packet is being routed illicitly.
source-routed IP Packets with additional information in the header that specifies the route the packet
packets should take. This additional routing is specified by the source host, hence the name
source-routed. Normal IP packets have only source and destination addresses in their
headers, leaving the actual route taken to the routers in between the source and the
destination.
SPI (Security Parameter An Authentication Header (AH) SPI number between 1 and 65535 that you assign to each
Index) tunnel endpoint when using AH in a VPN policy.
spoofing The act of establishing a connection with a forged sender address. This normally involves
exploiting a trust relationship that exists between source and destination addresses or
systems.
Spool File A report that has been sent to the printer control software on the AS400, to be disposed of
by the printer agent. Spool File is similar to Print Manager on Windows.
stateful inspection The analysis of data within the lowest levels of the protocol stack and comparing the
current session to previous ones to detect suspicious activity. Unlike application-level
gateways, stateful inspection uses business rules defined by the user and therefore does
not rely on predefined application information. Stateful inspection also takes less
processing power than application-level analysis. Stateful inspection firewalls do not
recognize specific applications and thus are unable to apply different rules to different
applications.
STOP (Stack Overflow A simple and transparent protection approach that renders stack or buffer overflow
Protection) attacks unsuccessful. Stack or buffer overflow attacks continue to be a favorite technique
used by hackers to break into servers. STOP reallocates the location of the system stack
(the area to which the attacker is trying to have the data overflow). This is like reshuffling
the cards in a deck, making it very difficult for the attacker to predict the location for the
overflow data.
suffix A code appended to the end of a telephone number for billing purposes, for example, a
calling card number.
symmetric encryption An encryption method involving a single secret key for both encryption and decryption.
The sender of the encrypted message must give that key to the recipient before the
recipient can decrypt it. Although this method of encryption is efficient, there is a danger
that if the secret key is intercepted, the message can be read by an unintended audience.
SYN attack A type of attack. When a session is initiated between the Transmission Control Program
(TCP) client and server in a network, a very small buffer space exists to handle the
handshaking (often referred to as the three-way handshake) or exchange of messages that
sets up the session. The session establishing includes a SYN field that identifies the
sequence in the message exchange. An attacker can send a number of connection requests
very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer
so that other, legitimate connection requests can't be accommodated. Although the packet
in the buffer is dropped after a certain period of time without a reply, the effect of many of
these bogus connection requests is to make it difficult for legitimate requests for a session
to get established. In general, this problem depends on the operating system providing
correct settings or allowing the network administrator to tune the size of the buffer and
the time-out period.
target association For security gateways, the relationship between a target and the policy-location pair that
is applied to it upon activation.
TCP/IP (Transmission The suite of protocols that allows different computer platforms using different operating
Control Protocol/ systems (such as Windows, MacOS, or UNIX) or different software applications to
Internet Protocol) communicate. Although TCP and IP are two distinct protocols, each of which serves a
specific communicational purpose, the term TCP/IP is used to refer to a set of protocols,
including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail
Transfer Protocol (SMTP), Post Office Protocol (POP), and many others. This set of
protocols allows computers on the Internet to exchange different types of information
using different applications.
Telnet The main Internet protocol for creating an interactive control connection with a remote
computer. Telnet is the most common way of allowing users a remote connection to a
network, as with telecommuters or remote workers.
thin client A low-cost computing device that works in a server-centric computing model. Thin clients
typically do not require state-of-the-art, powerful processors and large amounts of RAM
and ROM because they access applications from a central server or network. Thin clients
can operate in a server-based computing environment.
token An authentication tool or a device used to send and receive challenges and responses
during the user authentication process. Tokens can be small, handheld hardware devices
similar to pocket calculators or credit cards.
492 Glossary of termsGlossary
token ring A type of computer network in which all of the computers are arranged schematically in a
circle. A token, which is a special bit pattern, travels around the circle. To send a message,
a computer catches the token, attaches a message to it, and then lets it continue traveling
around the network.
tracking The logging of inbound and outbound messages based on a predefined criteria. Logging is
usually done to allow for further analysis of the data at a future date or time.
Trojan horse A rogue program that disguises itself as a legitimate file to lure users to download and run
it. It takes the identity of a trusted application to collect confidential user information or
avoid detection. A Trojan horse neither replicates nor copies itself, but causes damage and
compromises the security of an infected computer.
tunnel A process that allows a company to securely use public networks as an alternative to using
its own lines for wide-area communications.
tunneling router A router or system capable of routing traffic by encrypting it and encapsulating it for
transmission across an untrusted network, for eventual de-encapsulation and decryption.
two-factor A type of authentication that is based on something a user knows (factor one) plus
authentication something the user has (factor two). In order to access a network, the user must have both
factors (in the same way that a user must have an ATM card and a personal identification
number [PIN] to retrieve money from a bank account). In order to be authenticated during
the challenge/response process, the user must have this specific (private) information.
UDP (User Datagram A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP
Protocol) provides very few error recovery services, offering instead a direct way to send and receive
datagrams over an IP network. UDP is used primarily for broadcasting messages over a
network.
universe entity A permanent host entity created when Symantec Enterprise Firewall or Symantec
Enterprise VPN Server is installed. The universe entity is similar to a wildcard and
specifies the set of all computers both inside and outside of the Symantec Enterprise
Firewall system. The universe entity's associated IP address is 0.0.0.0.
UPS (uninterruptible A device that allows your computer and firewall equipment to run for a short time after a
power supply) power failure. This allows you to power the device down in an orderly manner. A UPS also
provides protection in the event of a power surge.
URL (Uniform Resource The standard addressing system for the World Wide Web. A URL consists of two parts: The
Locator) first part indicates the protocol to use (for example http://), and the second part specifies
the IP address or the domain name and the path where the desired information is located
(for example www.securityfocus.com/glossary).
URL blocking The tracking and denying of user access to undesirable Web sites based on predefined site
content.
user authentication A process that verifies a user's identity to ensure that the person requesting access to the
private network is, in fact, that person to whom entry is authorized.
Glossary of termsGlossary 493
user identification The process by which a user is identified to the system as a valid user (as opposed to
authentication, which is the process of establishing that the user is indeed that user and
has a right to use the system).
UUCP (UNIX-to-UNIX A set of UNIX programs for copying (sending) files between different UNIX systems and
Copy) for sending commands to be executed on another system.
uuencode A data encoding standard developed to translate or convert a file or email attachment (an
image, text file, or program) from its binary or bit-stream representation into the 7-bit
ASCII set of text characters.
validation The process of checking a configuration for completeness, ensuring that all values are
valid, and determining if all logical and physical references can be resolved.
vandal An executable file (usually an applet or an ActiveX control) associated with a Web page
that is designed to be harmful, malicious, or at the very least inconvenient to the user.
Because these applets or application programs can be embedded in any HTML file, they
can also arrive as an email attachment or automatically as the result of being pushed to
the user. Vandals can be viewed as viruses that can arrive over the Internet stuck to a Web
page. Vandals are sometimes referred to as hostile applets.
virtual network A network that appears to be a single protected network behind firewalls, but which
perimeter actually encompasses encrypted virtual links over untrusted networks.
virus A piece of programming code inserted into other programming to cause some unexpected
and, for the victim, usually undesirable event. Viruses can be transmitted by downloading
programming from other sites or present on a diskette. The source of the file you are
downloading or of a diskette you have received is often unaware of the virus. The virus lies
dormant until circumstances cause the computer to execute its code. Some viruses are
playful in intent and effect, but some can be harmful, erasing data or causing your hard
disk to require reformatting.
virus scanner A program that searches files (including email and attachments) for possible viruses.
VPN (virtual private A network that has characteristics of a private network such as a LAN, but which is built
network) on a public network such as the Internet. VPNs allow organizations to implement private
networks between geographically separate offices and remote or mobile employees by
means of encryption and tunneling protocols.
VPN workgroup A new network entity that is a collection of security gateway/network entity (host, subnet,
and group entity) pairs. It combines preconfigured network entity/security gateway
pairings that become included in the definition of a virtual private network (VPN) tunnel.
By combining entities together into workgroups, you can define fewer tunnels on the
Symantec Enterprise Firewall system for those entities.
WAP (Wireless An open global standard for communications between a mobile handset and the Internet
Application Protocol) or other computer applications as defined by the WAP forum.
Web attack An attack from the outside that is aimed at Web server vulnerabilities.
494 Glossary of termsGlossary
Web browser A client program that uses the Hypertext Transfer Protocol (HTTP) to make requests of
Web servers throughout the Internet on behalf of the browser user.
Web denial of service A denial of service attack that specifically targets a Web server.
wizard A tool that makes configuration tasks faster and easier. The wizard will prompt the user by
requesting data and walking the user through the specific set procedure. From the first
Wizard screen, users have the option of closing the Wizard and working from the
appropriate Property Pages.
workgroup An entity that you define for use in Secure Tunnels that use IKE authentication. A
workgroup combines preconfigured entity/security gateway pairings. By combining
entities together into workgroups, you are able to define fewer tunnels for those entities.
X.509 The most widely used standard for defining digital certificates. X.509 is actually an ITU
Recommendation, which means that it has not yet been officially defined or approved. As
a result, companies have implemented the standard in different ways. For example, both
Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and
browsers. But an X.509 certificate generated by Netscape may not be readable by Microsoft
products, and vice versa.
Index
bind by way of DN and password 254 FTP service group parameters 118
Blackhole List 197 Gateway-to-Gateway VPN tunnel 315
global IKE policy 293
GSP proxy 170
C GWPassword authentication 251
CIFS H.323 aliases 175
service group parameters 115 H.323 proxy 173
CIFS proxy 161 HTTP proxy 179
CIFS service group parameters 115 HTTP service group parameters 119
CIFS, redirected services 388 ICMP-based protocols 207
clearing the JAR cache 37 IP-based protocols 204
client program notification 332 LDAP authentication 252, 253
client program notifications 337 LiveUpdate 241
Client VPN local administrators 42
configuring user groups 106 logging service 352
Client-to-Gateway VPN Tunnel Wizard 20, 32, 297, logical network interfaces 65
306 MIME types 231
Client-to-Gateway VPN tunnels 317 NAT pools 395
Cluster Wizard 21, 405, 406, 414, 416, 448 NBDGRAM proxy 184
clusters 417 newsgroup profiles 238
creating 406 NNTP proxy 186
deleting 416 NNTP service group parameters 122
joining SESA 448, 449 notifications 331
modifying 414, 417 Notify daemon 334
NIC monitoring 425 NT Domain authentication 258
ping groups 423 NTP proxy 190
rebooting 416, 417 off-box antivirus scanning 380
removing 416 OOBA authentication 261, 265
viewing settings 417 pager notifications 340
weight 422 PassGo Defender authentication 249
configuration reports 11, 366 Ping proxy 192
configuring proxies 159
advanced options 432 Radius authentication 266
advanced system settings 432 rating modifications 225
audio notifications 335 ratings profiles 221
authentication sequence 275 RCMD proxy 193
Bellcore S/Key authentication 271 RealAudio service group parameters 124
CIFS proxy 161 redirected services 388
CIFS service group parameters 115 RSA SecurID authentication 268
client program notifications 337 RTSP proxy 194
Client VPN tunnel 317 rules 147
clusters 417 service groups 112
content filtering 221 service redirection 388
DNS proxy 163 SMTP proxy 196
DNS records 131 SMTP service group parameters 125
email notifications 339 SNMP notifications 342
Entrust authentication 250 system parameters 435
file extensions 233 TACACs authentication 272
filters 209 TCP-based protocols 205
FTP proxy 167
Index 497
J
H JAR cache 37
H.323 alias file 177 Join SESA Wizard 20, 437, 442, 446
H.323 aliases 175 options 440
H.323 proxy 173 tasks performed 438
HA/LB 12, 417
hide internal domain 127
high availability/load balancing 12, 152 L
host names in log files 431 LDAP authentication 252, 253
host network entity 84 License Installation Wizard 52, 55, 59
Index 499
N P
NAT pools 394 packet filters 209
dynamic 394 allow 209
static 394 creating 210
virtual clients 400 defining 210
native service 207 deny 209
NBDGRAM proxy 184 network protocols 203
NetBIOS Datagram proxy 184 packet headers
network entities removing 157
domain 87 pager notifications 332, 334, 340
group 91 PassGo Defender authentication 249
host 84 passing traceroute 156
security gateway 89 password
subnet 86 Bellcore S/Key 103
Universe 157 remote policy 326
VPN security 93 S/Key 103
500 Index