Astaro Security Gateway V7

Astaro Certified Engineer

Courseware Version EN-V7.00-0.16

© Astaro 2007 / ACE_V7.00-0.16

Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1

DISCLAIMER

All rights reserved. This product and related documentation are protected by copyright and distribution under licensing
restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means,
or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other
purpose is in violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or
omissions and makes no explicit or implied claims to the validity of this information. This document and features described
herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither
Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability,
loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
© Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
© Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
© Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
© Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a
term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product
manuals for complete trademark information.


Before we start over … / Let's introduce each other!
- Your name, company, responsibility
- Your knowledge (Networking, Security, Linux, Astaro Security Gateway)
- Your expectations for the course


Agenda - ACE

DAY ONE
- ASG Overview: Available Products, ASG System Architecture, ASG Security Features
- Introduction to ACC: Purpose, Feature Overview
- Refresher ACA
- Networking: VLAN, Link Aggregation, Bridging, Uplink Failover, Policy Routing & OSPF
- Network Security: Server Load Balancing, Quality of Service, Generic-, Socks-, Ident Proxy, VoIP Security (H.323, SIP), Intrusion Protection (Configuration, Implementation Guideline)

DAY TWO
- User Authentication: Users, Groups, Authentication
- Web Security: HTTP Profiles, Proxy User, Authentication Setup
- E-mail Security: SMTP Proxy, Certificates, E-mail Encryption
- High Availability: Active/Passive HA, Clustering

DAY THREE
- Refresher SSL-VPN
- IPSec VPN: IPSec Policy Management, RSA Site to Site VPN, X.509 Site to Site VPN, Certificate Management, Remote Access with ASC


Before we start over … / Course Layout
Hands-On-Training-Scheme: Introduction, Configuration, Summary, LAB, Review
Training Hours:
- Day One: 10:00 a.m. – about 05:00 p.m.
- Day Two & Three: 09:00 a.m. – about 04:00 p.m.
Prerequisites: Training setup / LAB environment
Location: Facilities, Parking, Restrooms, Smoking, Breaks, Lunch, Drinks, Internet Access

Before we start over … / ACE Exam
ACE Certificates & Exams
What is the designation of an Astaro Certified Engineer? ACE certification signifies that an individual has:
- Achieved ACE certification
- Passed the ACE web-based exam
- Demonstrated the knowledge required to implement and configure Astaro Security Gateway with extended features
How to become an Astaro Certified Engineer? By passing a web-based exam:
- 45 randomly generated questions must be answered within 60 min
- Training participants have one free trial to pass the ACE Exam
- To log in you will receive a voucher via e-mail shortly after the training
- The ACE Exam site is available at https://my.astaro.com/training/
How to prepare for the ACE exam?
- Actively participate in the training
- Study the ACE Courseware
- Work through the Astaro Security Gateway Manual
- Configure and test the discussed scenarios in practice

ASG System Overview
- Architecture
- Open Source Components
- Configuration Workflow

ASG System Overview / Architecture
Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.
Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.

ASG System Overview / Security Features
Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications:
- Web Security: Spyware Protection, Virus Protection, Content Filtering
- E-mail Security: Virus Protection for e-mail, Anti-Spam/Phishing, E-mail Encryption
- Network Security: Intrusion Protection, VPN-Gateway, SPI-Firewall and Proxies

ASG System Overview / Available Appliances
Astaro Security Gateway 110/120: Users 10/Unrestricted; Environment: Home office, small office; Network ports: 3 x 10/100 Mbps; Throughput (Mbps): Firewall 100, VPN 30, IPS/IDS 55
Astaro Security Gateway 220: Users Unrestricted; Environment: Small business, branch office; Network ports: 8 x 10/100 Mbps; Throughput (Mbps): Firewall 260, VPN 150, IPS/IDS 120
Astaro Security Gateway 320: Users Unrestricted; Environment: Medium business, enterprise division; Network ports: 4 x 10/100 Mbps, 4 x 10/100/1000 Mbps; Throughput (Mbps): Firewall 420, VPN 200, IPS/IDS 180
Astaro Security Gateway 425: Users Unrestricted; Environment: Large enterprise headquarters; Network ports: 8 x 10/100/1000 Mbps, Security Co-Processor; Throughput (Mbps): Firewall 1200, VPN 265, IPS/IDS 450
Astaro Security Gateway 525: Users Unrestricted; Environment: Large enterprise, core networks; Network ports: 10 x 10/100/1000 Mbps, Security Co-Processor; Throughput (Mbps): Firewall 3000, VPN 400, IPS/IDS 750
The table also gives E-mails/day and Concurrent Connections (without Mail-Security) per model (figures not recoverable).

Introduction / Astaro Configuration Manager
Astaro Configuration Manager combines the popular NP™ management tools from Solsoft with Astaro's comprehensive security offerings. It resolves complex and costly network security problems by unifying, automating and simplifying the deployment of network security rules. The Configuration Manager provides a centralized visual command center where security policies for all Astaro firewall and VPN devices are graphically designed and their corresponding configurations automatically generated and uploaded.
End of Life: 30.06.2007

Introduction / Astaro Report Manager
The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.
The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF.
With advanced attack and event analysis, users can create rules-based alerts which notify administrators when user-defined thresholds have been passed.
Currently not supported by ASG V7.

Introduction / Astaro Secure Client
Astaro Secure Client is an easy-to-use remote working software based on the latest VPN technology.
The software provides smooth integration with a remote network and may be used with any popular IPSec-compliant gateway.
The Astaro Secure Client software provides strong and transparent authentication and AES encryption for your network traffic.

ASG System Overview / Architecture
- ASG is based on Novell/SUSE® Linux Enterprise 10
- ASG comes with its own hardened and compiled 2.6.x kernel
- SLES10 RPMs are used but completely recompiled
- All major processes including the WebGUI run in chroot environments
- ASG is built upon a number of Open Source projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro

Architecture / Open Source Module
- Open source software is distributed with the source code freely available for alteration and customization
- Collective work of many programmers
- Resulting software can become more useful and free of holes and bugs
- Astaro leverages the flexibility and innovation of Linux and Open Source

Configuration / Administration Workflow
Every function can be configured and controlled via the WebAdmin interface. There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.

Refresher ACA
This chapter provides a brief refresher for:
- Interfaces
- NAT
- Packet Filtering
- DNS

Refresher ACA / Setting up Ethernet Interfaces
An Ethernet interface is a standard 10/100/1000 Mbit network card.
Things to remember:
- Set the correct IP address for each interface with the correct netmask
- Only define one default gateway
- Make sure that each interface has a unique address range in your environment

Refresher ACA / Packetfiltering architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
Tables: Filter, NAT
Local processes: Apache, PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM
Packet path through the netfilter chains:
- incoming packets -> PREROUTING (dnat, conntrack, mangle, spoofdrop) -> Routing
- Routing -> INPUT (mangle, filter, ips) -> local processes
- local processes -> OUTPUT (conntrack, mangle, dnat) -> Routing -> POSTROUTING
- Routing -> FORWARD (conntrack, mangle, filter, ips) -> POSTROUTING
- POSTROUTING (masquerading, snat, conntrack, mangle, ips) -> outgoing packets

Refresher ACA / Network Address Translation: Masquerading
Used if one (or multiple) internal networks should be hidden behind one official IP address. Especially useful if private IP address ranges (RFC 1918) are used.
Diagram: internal network with RFC 1918 IP addresses <-> ASG <-> Public IP

Refresher ACA / DNAT & SNAT
Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall.
Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings.
Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination.

Refresher ACA / Packet Filter - Configuration Principles (1)
- You only need to maintain one table of filter rules. ASG automatically creates the correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.
- The rules in the table are ordered. The first rule to match decides what is done with the packet.
- Possible actions are: Allow, Drop, Reject. Any action allows optional logging.
- If no filter rule matches, the packet is dropped and logged!
- Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
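As an added illustration (not part of the courseware), the following Python simulates the rule evaluation just described together with the DNAT note from the previous slide: DNAT rewrites the destination before the ordered table is consulted, so a rule written against the public address never matches, the first match wins, and a packet no rule matches is dropped and logged. All addresses and rules are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    sources: List[str]        # networks or single addresses
    service: Tuple[str, int]  # (proto, port); "any" / 0 match everything
    destinations: List[str]
    action: str               # "Allow", "Drop" or "Reject"
    log: bool = False

    def matches(self, p: Packet) -> bool:
        proto, port = self.service
        if proto != "any" and proto != p.proto:
            return False
        if port and port != p.dport:
            return False
        src_ok = any(ip_address(p.src) in ip_network(n) for n in self.sources)
        dst_ok = any(ip_address(p.dst) in ip_network(n) for n in self.destinations)
        return src_ok and dst_ok


@dataclass
class Firewall:
    dnat: Dict[str, str] = field(default_factory=dict)  # public -> internal address
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def apply_dnat(self, p: Packet) -> Packet:
        """DNAT happens in PREROUTING, before the filter table sees the packet."""
        if p.dst in self.dnat:
            return Packet(p.src, self.dnat[p.dst], p.proto, p.dport)
        return p

    def filter(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Ordered table, first match wins; no match means Drop and log.
        Returns (action, 1-based index of the matching rule or None)."""
        p = self.apply_dnat(p)
        flow = f"{p.src}->{p.dst}:{p.dport}/{p.proto}"
        for i, r in enumerate(self.rules, 1):
            if r.matches(p):
                if r.log:
                    self.log.append(f"rule {i} {r.action} {flow}")
                return r.action, i
        self.log.append(f"default Drop {flow}")
        return "Drop", None


def example_firewall() -> Firewall:
    """Constructed rulebase: web server 192.168.1.80 published as 203.0.113.10."""
    fw = Firewall(dnat={"203.0.113.10": "192.168.1.80"})
    fw.rules = [
        # Rule 1 targets the public address; DNAT has already rewritten the
        # destination, so this rule can never match (the pitfall from the slide).
        Rule(["0.0.0.0/0"], ("tcp", 80), ["203.0.113.10"], "Allow"),
        # Rule 2 targets the translated address and is the one that matches.
        Rule(["0.0.0.0/0"], ("tcp", 80), ["192.168.1.80"], "Allow", log=True),
        # Rule 3: the internal network may reach anything.
        Rule(["192.168.1.0/24"], ("any", 0), ["0.0.0.0/0"], "Allow"),
        # Rule 4: reject telnet towards the internal network, logged.
        Rule(["0.0.0.0/0"], ("tcp", 23), ["192.168.1.0/24"], "Reject", log=True),
    ]
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    for pkt in (Packet("198.51.100.5", "203.0.113.10", "tcp", 80),
                Packet("198.51.100.5", "192.168.1.80", "tcp", 23),
                Packet("192.168.1.20", "198.51.100.53", "udp", 53),
                Packet("198.51.100.5", "192.168.1.80", "tcp", 443)):
        print(pkt, fw.filter(pkt))
    print("\n".join(fw.log))
```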

Refresher ACA / Packet Filter - Configuration Principles (2)
Default view columns: Order, Groupname, Source, Service, Destination, Action and Enable/Disable, Description (optional), Edit or delete

Refresher ACA / Packet Filter - Configuration Principles (3)
To create new or edit existing rules:
- Group: Assign or create a group
- Name: Name for the rule
- Position: Move the rule to a specific position
- The sources: IP or Group
- The service: TCP/UDP/IP
- The destinations: IP or Group
- What to do: Allow, Drop or Reject
- When to do: The time
- Log Packets: Yes or No
- Comment: Whatever helps

Refresher ACA / DNS - Configuration
- Global: Accepts DNS requests from allowed internal networks (e.g. clients in smaller networks)
- Forwarders: Forwards DNS requests of ASG to e.g. provider DNS servers
- Request Routing: When ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server (e.g. your AD servers), this server can be used as an alternate server to resolve names which should not be resolved by the DNS forwarders
- Static Entries: Handles static mappings of hostnames to IP addresses

Introduction to ACC
In this chapter you will see: Astaro Command Center

Astaro Command Center / Overview
Centralized and efficient management:
- configuring applications
- monitoring actual device states
- updating of device software
Using state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)
Tracking of critical system parameters in real-time:
- detected threats
- license status
- software updates
- resource usage
No license needed! It's free!

Astaro Command Center / Features
- Inventory management provides comprehensive information about each device (CPU, memory, hard disk, network interfaces, software version and more)
- All Astaro Security Gateway devices are automatically organized into device groups
- Single sign-on eases configuration management
- Central update management enables updating multiple devices through a single click
- Role-based multi-administrator support

Astaro Command Center / ASG Configuration (1)
Astaro Command Center allows managing and monitoring ASG devices. This option allows connecting a specific device to a specific ACC for future usage.
The connection between ASG and ACC is SSL encrypted using port 4433. Packet filter rules to allow this communication are created automatically.

Astaro Command Center / ASG Configuration (2)
Up2Date packages can also be fetched from a cache that can be configured here: specify a host serving as a cache. If the ASG is monitored by an ACC server, this ACC can act as an Up2Date cache. ACC stores Up2Date packages for the devices connected to it by default.


Astaro Command Center / Review Questions
1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?

Networking
In this chapter you will learn about:
- VLAN
- Link Aggregation
- Bridging
- Policy Routing
- OSPF

Networking / VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2). Every segment is identified by a "tag" (an integer number).
A VLAN switch plus a VLAN-capable network interface simulate a number of physical interfaces plus cabling. Adding a VLAN interface will create a virtual hardware device.
Example: PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10. PC3, PC5 and PC6 will be connected together on VLAN 20. Both VLANs can communicate through the ASG rulebase.
Diagram: Firewall, Switch a (ports a1-a5, Host1-Host3), Switch b (ports b1-b4, Host4-Host6), Router
Switch a:
Port      VLAN Tag   tagged/untagged
1         10, 20     T
2 (PC1)   10         U
3 (PC2)   10         U
4 (PC3)   20         U
5         10, 20     T
Switch b:
Port      VLAN Tag   tagged/untagged
1         10, 20     T
2 (PC4)   10         U
3 (PC5)   10         U
4 (PC6)   20         U

Networking / VLAN (2)
VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.
When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.
NOTES:
- Make sure you have installed a VLAN-capable NIC or refer to the HCL.
- It is essential to check the HCL to ensure VLAN-capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
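An added example (not from the courseware): parsing the 12-bit tag of an 802.1Q frame and applying the tagged/untagged port table of Switch a from the VLAN (1) slide, to show how an access port places untagged frames into its VLAN while a trunk port only accepts frames tagged with a member VLAN. Frame bytes and MAC addresses are constructed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100
VID_MASK = 0x0FFF  # the VLAN identifier is the low 12 bits of the TCI

# Port table of Switch a from the VLAN (1) slide: port -> (member VLANs, tagged?)
SWITCH_A: Dict[int, Tuple[Set[int], bool]] = {
    1: ({10, 20}, True),   # tagged uplink
    2: ({10}, False),      # PC1
    3: ({10}, False),      # PC2
    4: ({20}, False),      # PC3
    5: ({10, 20}, True),   # tagged uplink to Switch b
}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & VID_MASK)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None if untagged), priority and ethertype of a frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "ethertype": etype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & VID_MASK,
            "pcp": tci >> 13, "ethertype": inner}


def ingress_vlan(port: int, vid: Optional[int],
                 table: Dict[int, Tuple[Set[int], bool]] = SWITCH_A) -> Optional[int]:
    """VLAN a frame arriving on `port` is placed into, or None if it is dropped."""
    vlans, tagged = table[port]
    if tagged:
        # Trunk port: only frames tagged with a member VLAN are accepted.
        return vid if vid in vlans else None
    # Access port: frames must arrive untagged and get the port's VLAN.
    return next(iter(vlans)) if vid is None else None


def egress_ports(port_in: int, vid: int,
                 table: Dict[int, Tuple[Set[int], bool]] = SWITCH_A) -> List[int]:
    """Ports (other than the ingress port) that are members of `vid`."""
    return sorted(p for p, (vlans, _) in table.items() if vid in vlans and p != port_in)


def forward(port_in: int, frame: bytes) -> List[int]:
    """Classify a frame arriving on port_in and list the candidate egress ports."""
    vid = ingress_vlan(port_in, parse_frame(frame)["vid"])
    return [] if vid is None else egress_ports(port_in, vid)
```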

Networking / Uplink Fail-Over
Usage: If a primary connection to the Internet goes down, a secondary connection will take over.
Requirements:
- Additional NIC in the firewall
- Additional connection to the Internet
Restrictions: Will only be allowed on interfaces where there is a default gateway.
Diagram: LAN <-> ASG <-> MPLS connection (Primary) / DSL connection (Backup)

Networking / Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows aggregating multiple Ethernet network ports into one virtual interface. Aggregated ports appear as a single I address.
Link aggregation is useful to increase the link speed beyond the speed of any one single NIC and to provide basic failover and fault tolerance by redundancy. All traffic routed over the failed port or switch is automatically re-routed to the remaining ports or switches. Failover is completely transparent to the system using the connection.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports; communication via Link Aggregation Control Protocol (LACP).
NOTES:
- Link partners must support IEEE 802.3ad.
- In an HA environment, Ethernet connections can even be on different HA units.
- LA and Bridging cannot be combined.
- LA cannot work with DSL.

Networking / Link Aggregation using ASG
Link aggregation allows to have:
- Trunking two links for speed, and
- Two links in redundancy mode
Requirement: The link partner needs to support Link Aggregation.

Networking / Link Aggregation – Configuration (1)
IEEE 802.3ad Link Aggregation:
- Link Trunking (for speed)
- Link Redundancy (for high availability)
- Combination of both
To enable Link Aggregation: add links to the group. Astaro supports up to 4 Link Aggregation Groups.

Networking / Link Aggregation – Configuration (2)
Up to four different link aggregation groups with a maximum of four
Ethernet interfaces per group are possible.
To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link
aggregation group.
2. Select the check box for each unconfigured interface you
want to add to the LAG.
3. Enable the LAG.

On top of the bonding interface you can create one of the following:
- Ethernet Standard
- Cable Modem (DHCP)
- Ethernet VLAN
- Alias interfaces

To disable a LAG, clear the check boxes of the interfaces that make up the LAG
and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced /
Interfaces Table tab.
The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG
will be used for all other NICs within the LAG.

Networking / Bridging – Overview (1)
Bridging occurs at the link layer (OSI layer 2).
The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium.
Bridges analyze incoming frames, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination.

NOTE: Bridging does not require splitting a network in two subnets to integrate ASG into an existing network.

Diagram labels: Split Subnet / Keep Subnet

Networking / Bridging – Overview (2)
A bridge transparently relays traffic between multiple network interfaces. Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.
How it works:
- The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1
- 172.16.1.1 is the bridge interface br0 with ports eth1 and eth2

NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.

Networking / Bridging – Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works:
- When ethX interfaces are added to a bridge, they become part of the br0 interface
- The Linux 2.6 kernel has built-in support for bridging via the ebtables project
- Ebtables has very basic IPv4 support
- Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT
- It forces bridged IP frames/packets to go through the iptables chains


Networking / Bridging – Configuration (1)
Configuration Example:

Networking / Bridging – Configuration (2)
There are two advanced options available: Allow ARP Broadcasts and Ageing timeout.
- By default, ARP broadcasts are not allowed to pass across the bridged interfaces. If needed, enable the Allow ARP Broadcasts option.
- As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.

Networking / Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators. It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.
Example (LAN 1 with Finance, LAN 2 and DMZ 1 behind ASG; Provider A reached via the MPLS router, Provider B via the DSL router):
- Route ERP traffic from Finance to the MPLS provider: interface = any, service = SAP, source = Finance, target = Provider A
- Route SMTP traffic from the DMZ to the DSL provider: interface = 2, service = SMTP, source = DMZ1, target = Provider B

Networking / Policy Based Routing (2)
Policy based routing will route by selectors: Destination, Source, Service, Source Interface
Policy based routing will route to targets: An interface, A host
Limitations:
- It is not possible to select all traffic and route it, as this would be a default gateway
- Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
- Only user-defined policy routes are possible
- Network groups in policy routes are not possible
The following benefits can be achieved by implementing policy-based routing in the networks: Load Sharing, Cost Savings, Source-Based Transit Provider Selection, Quality of Service (QoS)

OSPF / Overview
OSPF = Open Shortest Path First
- Link-state hierarchical routing protocol
- Uses Dijkstra's SPF algorithm to calculate the shortest path tree
- Open standard, developed by the IETF
- ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)
- Interior Gateway Protocol (IGP) for routing within one autonomous system (AS)
- OSPF uses cost as its routing metric (e.g. by dividing 10^8 by the bandwidth of the interface in bits per second). The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface.
- A link state database of the network topology is constructed which is identical on all routers in the area
- OSPF guarantees loop-free routing

OSPF / Features & Benefits
- Area concept for hierarchical topologies and reduction of CPU and memory consumption of routers
- Independent from IP subnet classes
- Arbitrary, dimensionless metric
- Load balancing for paths with equal costs
- Special reserved multicast addresses reduce the impact on non-OSPF devices
- Authentication
- External Route Tags
- TOS routing possible
- Fast database reconciliation after topology changes
- Support for large networks
- Low susceptibility to faulty routing information

OSPF / Operating Mode
- Routers identify their neighbors during integration into the network
- Conciliation of the Link State Database (LSDB) with neighbors by reliable flooding
- Periodic keep-alives for maintaining the neighborhood
- Periodic Link State Updates for keeping the LSDB consistent
- Flooding of LSAs when topology changes occur
Example of an LSDB:
LS-Type      Link State ID   Adv. Router   Checksum   Seq. No.     Age
Router-LSA   10.11.12.1      10.11.12.1    0x9b47     0x80000006   0
Router-LSA   10.11.12.2      10.11.12.2    0x219e     0x80000007   1618
Router-LSA   10.11.12.3      10.11.12.3    0x6b53     0x80000003   1712
Router-LSA   10.11.12.4      10.11.12.4    0xe39a     0x8000003a   20
Router-LSA   10.11.12.5      10.11.12.5    0xd2a6     0x80000038   18
Router-LSA   10.11.12.6      10.11.12.6    0x05c3     0x80000005   1680

OSPF / Example LSDB & Principles
- Point-to-point connections between the routers 10.11.12.1 to 10.11.12.6
- Costs for each connection := 1
- Databases are synchronized
- Each router knows the shortest path to each other router
- 10.11.12.1 has two equal routes with identical costs to 10.11.12.6
- Assume the connection between 10.11.12.2 and 10.11.12.4 fails: LSAs will be flooded over the whole network
- After LSDB sync, only one shortest path will remain
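An added example (not from the courseware) that runs Dijkstra's SPF over a link-state database the way the principles above describe: every equal-cost predecessor is kept, so both routes from 10.11.12.1 to 10.11.12.6 are found, and withdrawing the link between 10.11.12.2 and 10.11.12.4 leaves a single path. The six-router point-to-point topology is constructed to match the slide's statements, and the cost function implements the 10^8 / bandwidth rule from the overview slide.

```python
import heapq
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, int]  # (router A, router B, cost)


def ospf_cost(bandwidth_bps: int, reference_bps: int = 10**8) -> int:
    """Interface cost as on the overview slide: reference bandwidth / bandwidth, at least 1."""
    return max(1, reference_bps // bandwidth_bps)


# Constructed LSDB: point-to-point links with cost 1, giving 10.11.12.1 two
# equal-cost paths to 10.11.12.6 (via .2/.4 and via .3/.5).
LSDB: List[Link] = [
    ("10.11.12.1", "10.11.12.2", 1), ("10.11.12.1", "10.11.12.3", 1),
    ("10.11.12.2", "10.11.12.4", 1), ("10.11.12.3", "10.11.12.5", 1),
    ("10.11.12.4", "10.11.12.6", 1), ("10.11.12.5", "10.11.12.6", 1),
]


def adjacency(lsdb: List[Link]) -> Dict[str, Dict[str, int]]:
    adj: Dict[str, Dict[str, int]] = {}
    for a, b, cost in lsdb:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def spf(lsdb: List[Link], root: str) -> Tuple[Dict[str, int], Dict[str, Set[str]]]:
    """Dijkstra from `root`. Returns (distance, predecessors); predecessors keeps
    every previous hop with equal cost so equal-cost paths can be load balanced."""
    adj = adjacency(lsdb)
    dist: Dict[str, int] = {root: 0}
    preds: Dict[str, Set[str]] = {root: set()}
    heap = [(0, root)]
    settled: Set[str] = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        for v, cost in adj.get(u, {}).items():
            nd = d + cost
            if v not in dist or nd < dist[v]:
                dist[v], preds[v] = nd, {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)  # same cost through another neighbour: keep it
    return dist, preds


def shortest_paths(lsdb: List[Link], root: str, target: str) -> List[List[str]]:
    """All equal-cost shortest paths from root to target (empty if unreachable)."""
    dist, preds = spf(lsdb, root)
    if target not in dist:
        return []

    def walk(node: str) -> List[List[str]]:
        if node == root:
            return [[root]]
        return [path + [node] for prev in sorted(preds[node]) for path in walk(prev)]

    return walk(target)


def without_link(lsdb: List[Link], a: str, b: str) -> List[Link]:
    """LSDB after the link a-b is withdrawn, i.e. what re-flooding the LSAs yields."""
    return [l for l in lsdb if {l[0], l[1]} != {a, b}]


if __name__ == "__main__":
    print(shortest_paths(LSDB, "10.11.12.1", "10.11.12.6"))
    print(shortest_paths(without_link(LSDB, "10.11.12.2", "10.11.12.4"),
                         "10.11.12.1", "10.11.12.6"))
```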

OSPF / Router Types & Principles (1)
Area border router (ABR):
- connects to routers or networks in more than one OSPF area
- is considered a member of all areas it is connected to
- keeps multiple copies of the link-state database in memory, one for each area (maintains an LSDB for each area of which it is a part)
- connects also to the main backbone network
Autonomous system boundary router (ASBR):
- a router that is connected to more than one AS and that exchanges routing information with routers in other ASs
- typically also runs a non-IGP routing protocol, such as BGP, used to distribute routes received from other ASs throughout its own AS
Internal router (IR):
- a router is called an internal router if it has only OSPF adjacencies with routers in the same area

OSPF / Router Types & Principles (2)
Backbone Routers (BR) are part of the OSPF backbone. An area border router is always also a backbone router, but a backbone router is not necessarily an area border router.
Designated router (DR) is the router elected among all routers on a particular multi-access network segment. It is elected based on the following default criteria:
- The router sending the Hello packets with the highest priority wins. The range of priority values is 1 – 255, with a higher value increasing its chances of becoming DR or BDR.
- If two or more routers tie with the highest priority setting, the router sending the Hello with the highest RID (Router ID) wins.
- If the priority setting on an OSPF router is set to 0, that means it can NEVER become a DR or BDR (Backup Designated Router).
Backup designated router (BDR) is a router that becomes the designated router if the current designated router fails. The BDR is the OSPF router with the second highest priority at the time of the last election. Usually the router with the second highest priority number becomes the BDR. When a DR fails, the BDR takes over.
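An added example (not from the courseware) applying the DR/BDR election criteria listed above to one multi-access segment; the Router ID tie-break compares the RID as a 32-bit number, which a naive string comparison would get wrong. Router IDs and priorities are constructed, and the election is the simplified one stated on the slide rather than the full procedure of RFC 2328.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Router = Tuple[str, int]  # (Router ID, priority)


def rank_key(router: Router) -> Tuple[int, int]:
    """Highest priority wins; on a tie the highest Router ID wins. The RID is
    compared as a 32-bit number, not as a string ("10.0.0.9" < "10.0.0.10")."""
    rid, priority = router
    return priority, int(IPv4Address(rid))


def elect(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) for one segment by the slide's criteria.
    Routers with priority 0 are never eligible."""
    ranked = sorted((r for r in routers if r[1] > 0), key=rank_key, reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


def dr_failed(routers: List[Router], dr: str,
              bdr: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """The BDR takes over as DR; a new BDR is elected among the remaining routers."""
    remaining = [r for r in routers if r[0] != dr]
    if bdr is None:
        return elect(remaining)
    others = [r for r in remaining if r[0] != bdr]
    return bdr, elect(others)[0]


if __name__ == "__main__":
    segment = [("10.0.0.10", 1), ("10.0.0.9", 1), ("10.0.0.2", 0), ("10.0.0.5", 1)]
    dr, bdr = elect(segment)
    print("DR", dr, "BDR", bdr)
    print("after DR failure:", dr_failed(segment, dr, bdr))
```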

OSPF / OSPF Packets
Encapsulation: IP Header (Protocol #89) | OSPF Packet Header | OSPF Packet Data
5 types of packets:
- Hello
- Database Description
- Link State Request
- Link State Update
- Link State Acknowledgement
Transmission via IP, Protocol #89. Transfer direct to the neighbor or using multicast addresses.
OSPF packets are only exchanged between neighbors within the network – never being routed outside of the network they originate from (TTL=1).

OSPF / Header Format (32 bits per row)
Version (8) | Type (8) | Length (16)
Router ID (32)
Area ID (32)
Checksum (16) | AuType (16)
Authentication *) (32)
Authentication *) (32)
Packet Data
*) if AuType = 2: 0x0000 (16) | Key ID (8) | Auth. Length (8), followed by Cryptographic Sequence Number (32)
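An added example (not from the courseware) that builds and decodes the 24-byte OSPFv2 header laid out above, including the AuType = 2 authentication field (Key ID, Auth Data Length, Cryptographic Sequence Number) and a non-decreasing sequence check. The packet bytes, router and area IDs and digest are constructed.

```python
import struct
from ipaddress import IPv4Address

OSPF_PROTOCOL = 89
HEADER_LEN = 24
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgement"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def build_packet(ptype: int, router_id: str, area_id: str, body: bytes = b"",
                 key_id: int = 1, crypto_seq: int = 1, digest: bytes = b"") -> bytes:
    """Constructed OSPFv2 packet with AuType 2. The checksum field is 0 with
    cryptographic authentication; the digest is appended after the packet body."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBHIIHH", 2, ptype, length, int(IPv4Address(router_id)),
                         int(IPv4Address(area_id)), 0, 2)
    auth = struct.pack("!HBBI", 0, key_id, len(digest), crypto_seq)
    return header + auth + body + digest


def parse_header(data: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header laid out on the slide."""
    if len(data) < HEADER_LEN:
        raise ValueError("need at least 24 bytes of OSPF header")
    version, ptype, length, rid, aid, checksum, autype = struct.unpack("!BBHIIHH", data[:16])
    if version != 2:
        raise ValueError(f"unsupported OSPF version {version}")
    if length < HEADER_LEN or length > len(data):
        raise ValueError("length field does not fit the packet")
    info = {
        "version": version,
        "type": PACKET_TYPES.get(ptype, f"unknown({ptype})"),
        "length": length,
        "router_id": str(IPv4Address(rid)),
        "area_id": str(IPv4Address(aid)),
        "checksum": checksum,
        "autype": AUTH_TYPES.get(autype, f"unknown({autype})"),
        "body": data[HEADER_LEN:length],
    }
    auth = data[16:24]
    if autype == 2:
        # 0x0000 | Key ID (8 bits) | Auth Data Length (8 bits) | Crypto Sequence Number (32 bits)
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_len=auth_len, crypto_seq=seq,
                    digest=data[length:length + auth_len])
        if len(info["digest"]) != auth_len:
            raise ValueError("authentication digest truncated")
    elif autype == 1:
        info["password"] = auth.rstrip(b"\x00")
    return info


def sequence_ok(last_seen: int, received: int) -> bool:
    """AuType 2 replay check: a neighbour's sequence number must not go backwards."""
    return received >= last_seen


if __name__ == "__main__":
    pkt = build_packet(1, "10.11.12.1", "0.0.0.0", body=b"\x00" * 20,
                       key_id=5, crypto_seq=0x1234, digest=b"\xaa" * 16)
    print(parse_header(pkt))
```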

OSPF / Area Types
- AS External LSAs are flooded over area borders
- Additionally, ASBR Summary LSAs are distributed within their areas by ABRs
- Different area types are used to minimize LSDBs
Stub Areas: Area which does not receive external routes. AS External LSAs are not transferred to stub areas; routing to external destinations via default routes; no ASBRs and no virtual links.
NSSAs (Not-So-Stubby Areas): Type of stub area that can import autonomous system (AS) external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas. Extension to stub areas: a small number of external routes is allowed and will be translated at the NSSA border into AS External LSAs. The NSSA border is a one-way road for external routing information.

OSPF / ASG Configuration – OSPF-ID

The OSPF-ID is a unique ID of the router device. It is denoted in x.x.x.x format. This can be the official address.

OSPF / ASG Configuration – OSPF Area

Before you can enable the OSPF function, you must have at least one OSPF area configured. Areas are identified by a 32-bit ID in dot-decimal notation, similar to the notation of IP addresses.

OSPF / ASG Configuration – OSPF Interfaces (1)

The OSPF interface defines the interfaces that can be used to announce OSPF networks.

OSPF / ASG Configuration – OSPF Interfaces (2)

The OSPF interface must be added to the area that will be announced.

OSPF / ASG Configuration – OSPF Interfaces (3)

The OSPF debug section gives information about the current state of OSPF operations, in pop-up windows. It shows neighbors, routes, interfaces etc.

Networking Review Questions

Networking / Review Questions

1. How can VLAN segments be distinguished? How many virtual LANs can be distinguished by ASG?
2. How will ARP broadcasts be handled in terms of bridged interfaces?
3. What are the two major benefits of Link aggregation at ASG?
4. On which OSI layer does bridging occur?
5. Is it possible to combine bridging and routing on ASG?
6. What are the route selectors in Policy Routing?
7. Name 5 benefits of OSPF.
8. Which transmission protocol is used for OSPF?
9. What router and area types do you know and how do they interfere with each other?
10. What must be configured before you can enable the OSPF function on ASG?

Network Security

In this chapter you will learn about:
  Server Load Balancing
  Quality of Service
  Generic Proxy
  Socks Proxy
  Ident Proxy

Network Security / Server Load Balancing (1)

Used if the traffic going to one IP address should be split or "balanced" between multiple servers.

Network Security / Server Load Balancing (2)

Configuration for Server Load Balancing contains three options:
  Service to Balance
  The Pre-Balance Target
  A Group of Target Hosts

These parameters describe exactly the situation from the last slide: which traffic on which port (the Balancing Service) on which IP address (the Pre-Balance target host) will be distributed to which servers (the Post-Balance target hosts).

© Astaro 2007 / ACE_V7. Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).Quality of Service / Working Principle Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network. ASG left ASG right Headquarter Branch Office With traffic shaping.Astaro Certified Engineer – Page 67 . Without traffic shaping.16 Astaro Security Gateway V7 .00-0.

Quality of Service / Features and Benefits

QoS allows to:
  Define traffic directions carefully
  Limit available bandwidth
  Guarantee minimum bandwidth

Works per Interface
Works per Subnet/Host
Works per Service

[Figure: Int. NIC and Ext. NIC; HTTP & FTP download from ANY => outbound from the ext. NIC's view; upstream and downstream directions are shaped]

Quality of Service / Configuration

Status
  The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.

Traffic Selectors
  A traffic selector can be regarded as a QoS definition for a certain type of network traffic.

Bandwidth Pools
  Internal & External Bandwidth Pools describe the bandwidth shared by multiple sources. Bandwidth Pools can also specify upper bandwidth limits.

Quality of Service / Configuration: Status Overview

Display all available interfaces
Define the available, physical bandwidth, e.g. the DSL line
Define the guaranteed uplink and downlink bandwidth for any interface
By default, QoS is disabled for each interface

Quality of Service / Configuration: Traffic Selectors

Traffic Selectors describe what traffic needs to be accounted. The description contains details about the source of the traffic, its destination and its service. TOS/DSCP allows to take the "Type of Service" and "DiffServ" flags in the traffic into account. It is possible to build groups of Traffic Selectors.

Quality of Service / Configuration: Bandwidth Pools

Bandwidth Pools describe the available and guaranteed bandwidth for the available interfaces.

Network Security / Advanced

The Generic Proxy is another option when private networks are being used.
SOCKS is an internet protocol that allows clients to use the services of a firewall transparently; the name is short for "SOCKetS".
The Ident Protocol is specified in RFC 1413 and helps identifying the user of a particular TCP connection.

Network Security / Generic Proxy

Works as a port forwarder
Combines features of DNAT and Masquerading:
  Forwarding all incoming traffic for a specific service to an arbitrary server
  In contrast to DNAT, the source IP address is replaced with the IP of the interface of the ASG for outgoing connections
It is also possible to change the target port number

Network Security / SOCKS

What is it used for?
  Can build TCP and UDP connections for client applications
  Can provide incoming ports to listen on
  Used with systems that incorporate NAT

Where is it used?
  IM clients such as ICQ, AIM
  Socks FTP
  RealAudio

Astaro Security Gateway supports SOCKSv5
User authentication can be used

Network Security / IDENT Relay

IDENT is an older protocol
Allows external users to associate a username with a TCP connection
Not very secure because the connection isn't encrypted
Necessary for some services like IRC and some mail servers
Astaro will respond with the string that you specify as the default response
Hence the configuration is rather simple; it offers:
  Configuration of the string to answer with
  Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)

Network Security Review Questions

Network Security / Review Questions

1. What does Server Load Balancing do?
2. With which technology is it realized?
3. For which kinds of traffic is Quality of Service suitable?
4. What is the Generic Proxy used for?
5. What does the Socks Proxy do?
6. What can the Ident Proxy do?

VoIP Security

In this chapter you will learn how SIP and H.323 security work.

VoIP Security / SIP/H.323 Security

SIP and H.323 are so called "Signaling" protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like "INVITE", "RINGING" or "HANGUP". The actual voice connection takes place on a dynamic port.

Astaro's VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used, and then only allows these ports to pass traffic while the control channel is busy.

To configure VoIP Security, client and server network definitions need to be made.

[Figure: Rick (IP-A) and Cory (IP-B) over time]
  Rick -> Cory: INVITE Cory@IP-B, c=IN IP4 IP-A, m=audio 2000 RTP/AVP 0 (to IP-B, PORT-S)
  Cory -> Rick: 200 OK, c=IN IP4 IP-B, m=audio 4000 RTP/AVP 3 (to IP-A, PORT-S)
  Audio stream to IP-B, port 2000
  Audio stream to IP-A, port 4000
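The exchange on this slide, replayed by a simplified connection-tracking helper as an added Python example (this is not Astaro's kernel module): it reads the c= and m= lines from the SDP carried in the INVITE and the 200 OK, opens one pinhole per direction only while the call exists, and closes both again on BYE. The addresses 192.0.2.10 (IP-A) and 192.0.2.20 (IP-B), the Call-ID and the messages are constructed.

```python
# Simplified SIP/SDP connection-tracking helper (added example, not Astaro's module).
import re

CALL_ID_RE = re.compile(r"^Call-ID:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
SDP_C_RE = re.compile(r"^c=IN IP4 (\S+)", re.MULTILINE)
SDP_M_RE = re.compile(r"^m=audio (\d+) RTP/AVP", re.MULTILINE)


def parse_sdp(body: str):
    """Return (ip, port) of the audio stream announced in an SDP body, or None."""
    c, m = SDP_C_RE.search(body), SDP_M_RE.search(body)
    if not (c and m):
        return None
    return c.group(1), int(m.group(1))


class SipPinholeTracker:
    """Follows the signaling channel and keeps a table of the dynamic RTP flows that are
    currently legitimate. Real helpers also track RTCP (port + 1), re-INVITEs and H.323;
    this example covers the basic INVITE / 200 OK / BYE case."""

    def __init__(self):
        self.calls = {}   # Call-ID -> {"caller": (ip, port), "callee": (ip, port) or None}

    def observe(self, message: str):
        head, _, body = message.partition("\r\n\r\n")
        request_line = head.split("\r\n", 1)[0]
        m = CALL_ID_RE.search(head)
        if not m:
            return
        call_id = m.group(1)
        if request_line.startswith("INVITE "):
            media = parse_sdp(body)
            if media:
                self.calls[call_id] = {"caller": media, "callee": None}
        elif request_line.startswith("SIP/2.0 200") and call_id in self.calls:
            media = parse_sdp(body)
            if media:
                self.calls[call_id]["callee"] = media
        elif request_line.startswith("BYE "):
            self.calls.pop(call_id, None)   # control channel says hang-up: close the pinholes

    def pinholes(self):
        """Set of (src_ip, dst_ip, dst_udp_port) flows to permit, one per direction."""
        flows = set()
        for call in self.calls.values():
            caller, callee = call["caller"], call["callee"]
            if callee is None:
                continue   # not answered yet, nothing to open
            flows.add((caller[0], callee[0], callee[1]))
            flows.add((callee[0], caller[0], caller[1]))
        return flows

    def allowed(self, src_ip, dst_ip, dst_port):
        return (src_ip, dst_ip, dst_port) in self.pinholes()


# Constructed exchange mirroring the slide (IP-A = 192.0.2.10, IP-B = 192.0.2.20).
INVITE = ("INVITE sip:cory@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 2000 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 4000 RTP/AVP 3\r\n")
BYE = "BYE sip:cory@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\n\r\n"


def run_example():
    """Replay the exchange; return the pinhole sets before the answer, during and after the call."""
    tracker = SipPinholeTracker()
    tracker.observe(INVITE)
    before = tracker.pinholes()
    tracker.observe(OK_200)
    during = tracker.pinholes()
    tracker.observe(BYE)
    after = tracker.pinholes()
    return before, during, after
```

The point to notice is that no pinhole exists until the callee's SDP has been seen, and that the helper only ever opens the exact address/port pairs announced on the control channel, so a packet filter that would otherwise need a wide open UDP range can stay closed.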

VoIP Security / SIP – Session Initiation Protocol

"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)

A good starting point for reading about SIP is at http://en.wikipedia.org/wiki/Session_Initiation_Protocol

[Figure: Rick sends INVITE cory@astaro.com via the SIP Proxy; Cory is known to the SIP Registrar]

VoIP Security / H.323

H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network. H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs, but it has rapidly evolved to address the growing needs of VoIP networks. Currently real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.

A good link to get started with reading about H.323 is at http://en.wikipedia.org/wiki/H323

VoIP Security / SIP/H.323 Security

To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can be activated individually. Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers.

VoIP Security Review Questions

VoIP Security / Review Questions

1. What does SIP stand for?
2. Which parts do you need to configure for SIP/H.323 security?
3. Explain how SIP works.
4. What are the ports SIP is normally making use of?

Intrusion Protection

In this chapter you will learn about:
  Statefulness
  Configuration
  Ruleset
  Advanced

Intrusion Protection / Working Principle

Astaro Security Gateway's IPS operates in inline mode. It is placed logically between external, internal and DMZ networks, located on one single machine.

Astaro uses Inline Snort (http://snort-inline.sourceforge.net) as IPS, which is a modified version of SNORT (open source module). Inline SNORT lets Astaro Security Gateway perform detection and prevention at the same time.

Another benefit of inline mode is that all packets must pass the Astaro Security Gateway, and no packets can be missed, e.g. due to high network load.

Intrusion Protection / Fundamentals

[Figure: inline sensor placement options]
Sensor Placement Options:
  1 In front of the Firewall
  2 Within the DMZ
  3 Between Firewall and LAN-Switch
  4 Within the LAN

Intrusion Protection / Working Principle

• Each packet runs through the IPS only ONCE:
  1. Packet from Network to the local machine
  2. Packet from local machine to Network (e.g. when using the proxies, and also in case of an exploit of a Linux module on Astaro Security Gateway itself)
  3. Packet from Network to Network
• New netfilter module "ips" (kernel module iptable_ips.o)
• Table has lowest priority in the netfilter hierarchy.

[Figure: netfilter packet path; tables: Filter, NAT]
  incoming packets -> PRE ROUTING: dnat, conntrack, mangle (empty), spoofdrop
  -> Routing
  -> FORWARD: conntrack, mangle, filter, ips
  -> POST ROUTING: masquerading, snat, conntrack, mangle, ips -> outgoing packets
  -> INPUT: mangle, filter, ips -> Local Processes (PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache)
  Local Processes -> OUTPUT: conntrack, mangle, dnat -> Routing

Intrusion Protection / Limitations of Firewalls and Virus-Scanners (1)

A robust firewall policy can minimize the exposure of many networks. Depending on the security level to be achieved, such countermeasures alone might not be enough.

Packet Filter Firewalls inspect on a "per packet" basis:
  Even invalid packets may pass through
  No detection of application-layer attacks
  Protocols using multiple ports are hard to handle by firewalls (e.g. FTP, H.323, PPTP, MMS, ...)

Proxies (Application Level Gateways) have application layer awareness:
  Can filter unwanted header types or malformed ones
  Would be able to detect protocol anomalies
  Will not be able to detect higher level attacks (e.g. CGI script attacks)

Therefore IDS are necessary to fulfill higher security requirements.
Additionally, hacker tools make attacks easier and are available for everybody. The level of sophistication of attacks is growing.

Intrusion Protection / Limitations of Firewalls and Virus-Scanners (2)

Firewalls inspect for viruses and worms in:
  E-mails & Attachments (SMTP, POP3) and HTTP streams

Virus Scanners are unable to monitor data by analyzing the traffic within a network.
Worms like SQL-Slammer or MS-Blaster spread independently.
Only detectable after infection.

Example: SQL-Slammer
  Buffer Overflow in Microsoft SQL-Server
  UDP packet to port 1434, size: 376 bytes (!)
  In RAM only
  Spreads to random IP addresses
  Very fast infection rates: "high-speed worm"

Intrusion Detection / Configuration

Global: General settings for Intrusion Protection
Attack Patterns: Enable or disable the categories of attacks that can be recognized
Anti-DoS / Flooding: Configure the Denial of Service and Flood Protection here
AntiPortscan: Portscan detection configuration is in here
Exceptions: Of course the configuration can be limited to certain hosts and networks
Advanced: Modified Rules and IP address information about dedicated servers is here

Intrusion Detection / Configuration: Global

The global settings contain a list of networks that are protected by intrusion prevention. If attacks from the local networks should be detected, it is important NOT to add them to this list! Depending on the traffic between the LAN segments, a major impact on the performance of the ASG is possible.

The global configuration also contains settings for the IDS/IPS policy. This can default to "Drop" or "Reset" packets.

Of course, IDS/IPS also offers a live log, which can be viewed with the "Live Log" button.

[Figure: LAN1, LAN2, LAN3 attached to the ASG]

Intrusion Protection System / Configuration: Attack Patterns

Astaro supports roughly 7000 different rules. Those are made up in 40 different groups, which are again separated.

Per Group settings:
  Action: What to do with packets matching this group
  Notify: Send an e-mail to the admin address if packets are detected matching rules of this group
  Add extra warning: Activate extra rules that are for information only, if detected

Intrusion Protection / Refresher: How SYN Floods work

• SYN Attack: Sends a stream of SYN packets with a spoofed source IP address (that of a currently unreachable host).

[Figure: Attacking Host sends SYN packets to the Server using the IP of Unreachable Host #1, #2, #3 as source; the Server answers with SYN/ACK to Unreachable Host #1, #2, #3, which never reply]

Intrusion Protection System / Anti-DoS / Flooding

Anti Flooding allows to limit the number of packets per time. This works for senders and recipients in the protocols TCP, UDP and ICMP. In the case of TCP flood protection, only SYN packets are taken into account.
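An added Python example (not Astaro code) of the per-time packet limit described here, applied to the SYN flood from the previous slide: a sliding window is kept per sender and per recipient, only SYN segments count for TCP, and a packet is dropped as soon as either window is full. The trace it runs over is constructed: thirty SYNs with different spoofed sources aimed at one server, interleaved with one ordinary client that connects and then sends data.

```python
# Per-sender / per-recipient flood limiter in the spirit of Anti-DoS/Flooding (added example).
from collections import defaultdict, deque


class FloodLimiter:
    """Sliding-window rate limit on one protocol. For TCP only SYN segments are counted,
    matching the slide; UDP and ICMP would count every datagram."""

    def __init__(self, proto, src_rate, dst_rate, window_ms=1000):
        self.proto, self.src_rate, self.dst_rate, self.window = proto, src_rate, dst_rate, window_ms
        self.src_hist = defaultdict(deque)   # source IP -> timestamps (ms) of counted packets
        self.dst_hist = defaultdict(deque)   # destination IP -> timestamps (ms)

    def _trim(self, hist, key, ts):
        dq = hist[key]
        while dq and ts - dq[0] >= self.window:
            dq.popleft()                     # forget packets that left the window
        return dq

    def accept(self, pkt) -> bool:
        """True if the packet may pass, False if it exceeds a limit and is dropped."""
        if pkt["proto"] != self.proto:
            return True
        if self.proto == "tcp" and not pkt.get("syn", False):
            return True                      # segments of established connections are never limited
        src_dq = self._trim(self.src_hist, pkt["src"], pkt["ts"])
        dst_dq = self._trim(self.dst_hist, pkt["dst"], pkt["ts"])
        if len(src_dq) >= self.src_rate or len(dst_dq) >= self.dst_rate:
            return False                     # dropped packets are not recorded in the windows
        src_dq.append(pkt["ts"])
        dst_dq.append(pkt["ts"])
        return True


def constructed_trace():
    """A spoofed SYN flood from 30 different source addresses (so no single source looks noisy)
    plus one ordinary client that opens a connection and then sends five data segments."""
    pkts = [{"ts": 10 * i, "src": "198.51.100.%d" % (i + 1), "dst": "192.0.2.80",
             "proto": "tcp", "syn": True} for i in range(30)]
    pkts.append({"ts": 55, "src": "203.0.113.7", "dst": "192.0.2.80", "proto": "tcp", "syn": True})
    pkts += [{"ts": 65 + 10 * k, "src": "203.0.113.7", "dst": "192.0.2.80", "proto": "tcp", "syn": False}
             for k in range(5)]
    return sorted(pkts, key=lambda p: p["ts"])


def run(limiter, pkts):
    """Feed packets in time order; return the accepted count, dropped count and dropped sources."""
    accepted, dropped = 0, []
    for p in pkts:
        if limiter.accept(p):
            accepted += 1
        else:
            dropped.append(p["src"])
    return {"accepted": accepted, "dropped": len(dropped), "dropped_sources": dropped}


if __name__ == "__main__":
    print(run(FloodLimiter("tcp", src_rate=10, dst_rate=20), constructed_trace()))
```

With a per-source limit of 10 and a per-destination limit of 20 SYNs per second, the per-source window never fires (every spoofed source sends once), the per-destination window catches the flood after the twentieth SYN, and the legitimate client's SYN, which arrived early, and all of its data segments pass. This is also why the slide stresses that only SYN packets count for TCP: counting every segment would throttle working connections along with the flood.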

Intrusion Protection System / Anti-Portscan / Exceptions / Advanced

Anti Portscan:
  Detects Portscans
  Can have exceptions

Exceptions: Skip these checks for source and destination networks:
  Intrusion Protection
  Anti-Portscan
  Anti-DoS/Flooding TCP
  Anti-DoS/Flooding UDP
  Anti-DoS/Flooding ICMP

Advanced:
  Modified Rules
  Performance Tuning

Intrusion Protection Review Questions

Intrusion Protection / Review Questions

1. How does Intrusion Protection work?
2. What is the improvement over Firewalls or Anti-Virus Products?
3. Where is Astaro Intrusion Detection placed?
4. How does it integrate with the Packetfilter framework?
5. Which detection methods are applied to traffic?

User Authentication

In this chapter you will learn about:
  Users
  Groups
  Authentication

User Authentication / Purpose

Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.

In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated may be a person using a computer, a computer itself or a computer program.

Local Authentication

User Authentication / User Management

User management is necessary to allow or forbid services to certain users or user groups. To manage local and remote authentication services, the web interface offers the "Users" menu.

This menu is structured to manage:
  Users – local or remote
  Groups – local or remote
  Remote Authentication Methods

User Authentication / Local User Management

The User Management in Astaro allows to administer local users and user groups. Here you can create user profiles local to the firewall. No external authentication service is queried to authenticate these users.

To create a locally authenticated user, select "Authentication: Local".

NOTE: The additional e-mail addresses influence the behavior of the Anti Spam Reports. See there.

Remote Authentication

Remote Authentication / Available Methods

Astaro has many options for remote user authentication:
  eDirectory – Novell, partly LDAP based
  Active Directory – Microsoft, partly LDAP based
  RADIUS – Remote Access Dial-In User Service – Livingston Enterprises, later RFC
  TACACS+ – Terminal Access Controller Access-Control System Plus – Cisco, now RFC
  LDAP – Lightweight Directory Access Protocol – OSI, X.500, now RFC

Remote Authentication / Novell eDirectory

With ASG V7 eDirectory SSO, Novell users will only need to authenticate once at initial client login to gain web access to the Internet, without the need for further authentication at the browser level.

Based on the ASG V7 SSO authenticated user, user-, group- and/or container-based access control and content inspection profiles are assigned. Once authenticated, Web security capabilities of ASG are applied to traffic flows based on the user, including prevention of phishing, virus and spam attacks.

Remote Authentication / Novell eDirectory

When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser. It allows you to select user groups directly in the Web Admin Interface.

NOTE:
• SSO in eDir does not work on machines where more than one user is logged in.
• Currently ASG V7 does not support containers and multiple root nodes in eDir.

Remote Authentication / Active Directory (1)

Can be used to implement single sign on with Astaro Security Gateway when using the HTTP Proxy
NTLM uses a challenge-response authentication scheme
Active Directory allows to have all users centrally managed in groups of users

NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name is derived from the Hostname in the Basic System Settings! (see there)

Remote Authentication / Active Directory (2)

Using Surf-Protection with Active Directory Authentication requires a running Windows Server and AD services. Active Directory Service manages the users of a Windows Domain. LDAP uses the Distinguished Name (DN) of a user for identification. The name has to be unique within the directory.

Steps to perform:
1. Add the AD "Users and Computers" Snap-In in the MS Management Console to define the user.
2. To add the user, right click on your Domain Controller to define a new user.
3. Create an AD user with read privileges (applied by ASG to query the AD service).
4. Grant full read privileges to your defined user. (Right click CN: -> properties)
5. Create as many users as you need in your Active Directory. All of these users are able to authenticate.

Remote Authentication / RADIUS

Remote Access Dial-In User Service (RADIUS)
Uses UDP port 1813 or 1645 to send queries for authentication
Uses an external directory for large installations, often used by Internet Service Providers for the purpose of network, router and internet access
Only the password is encrypted

NOTE: Since the passwords are transferred over the network using a weak encryption, you should place the server in a trusted network which cannot be sniffed.
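To see what "only the password is encrypted" means on the wire, here is an added Python example (not Astaro code) implementing the RFC 2865 User-Password hiding and building an Access-Request around it: every attribute except the User-Password value is readable by anyone who captures the datagram, and the hidden value itself is only protected by the shared secret. The shared secret, the fixed Request Authenticator and the user name are constructed; a real NAS uses a fresh random authenticator for every request.

```python
# RADIUS User-Password hiding (RFC 2865 section 5.2) and an Access-Request built around it
# (added example, not Astaro code).
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

SECRET = b"testing123"           # constructed shared secret, only for this example
AUTHENTICATOR = bytes(range(16)) # constructed, fixed so the example is reproducible; never do this in production


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple and XOR each block with MD5(secret + previous block);
    the first block uses the 16-byte Request Authenticator instead of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret and the packet can do this.
    Trailing NUL padding is stripped, so a password that itself ends in NUL bytes is not representable."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes (type, length, value)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header. Everything here is clear text
    on the wire except the User-Password value."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", SECRET, AUTHENTICATOR)
    attrs = parse_attributes(pkt)
    print("User-Name in clear:", attrs[ATTR_USER_NAME])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, pkt[4:20]))
```

The hiding is a keystream derived from MD5 over the shared secret and the authenticator, so its strength is that of the shared secret, and the datagram as a whole carries no integrity protection unless a Message-Authenticator attribute (RFC 2869) is added. That is the reason the slide recommends keeping the RADIUS exchange on a network segment that cannot be sniffed.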

Remote Authentication / TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+)
Uses TCP port 49 to send queries for authentication and is therefore more reliable than RADIUS
Also uses an external directory for large installations, often used by Internet Service Providers
TACACS+ separates, unlike RADIUS, authentication and authorization
The whole datagram is encrypted
Despite the name, TACACS+ does not have too much in common with TACACS (without the "+")

Remote Authentication / LDAP

LDAP (Lightweight Directory Access Protocol) is an information model and a protocol for querying and manipulating tree-like directories. LDAP's overall data and namespace model is essentially that of X.500.

Astaro Security Gateway can connect to LDAP-based directories such as:
  Sun Identity Server
  Open LDAP
  Netscape Directory
But also these are based on LDAP:
  Active Directory
  Novell eDirectory

Control of Proxy-usage on a per-user basis!
Bind-DN and password are used for login to an LDAP server
Base-DN specifies the location of the user database in the LDAP tree

The authentication by querying an LDAP Server requires an active DNS Proxy with valid entries.

00-0. © Astaro 2007 / ACE_V7. you can force them to use complex passwords with these settings. This is important if the same user exists in different directories.Astaro Certified Engineer – Page 114 .Remote Authentication / Advanced Advanced Configuration Backend query order Defines in which order all the configured backends for authentication are queried. Password complexity When users change their password in the Astaro End-User Portal.16 Astaro Security Gateway V7 .

User Authentication
Configuration Example



Authentication / Local Users (1)

To add yourself to the local user directory,
first go to the Users/Users menu.
This menu offers you to view existing or add
new users:

When adding a new user, you will need to
fill out the following form, which contains:
a username
the real name
e-mail address
additional e-mail addresses
(optional)
authentication is local



Authentication / Local Users (2)
When you have finished and saved the entry, you should find
the following user in the list:

Every entry has two buttons which allow you to
Edit the entry and bring you back to the
user-add dialog
or
Delete the entry

The rest of the line contains information about the user, his
e-mail address, the authentication source and a comment



Authentication / Remote User-Authentication: NTLM (1)

Before NTLM/SSO becomes available, you
need to set up the Active Directory
configuration.
Active Directory takes only
few parameters:
the server itself
Use an existing or newly created definition here

the Port to connect to
predefined to 389 (the default)

SSL
encrypt or not

The authentication information:
the Bind User Distinguished Name
The user that connects to the directory (read-only)

the authentication password
A (valid) password for this user.



Authentication / Remote User-Authentication: NTLM (2)

Once the Active Directory Configuration is set up, NTLM/SSO becomes available and can be configured. To do so, you need to "join" your ASG into your Windows Domain. This works exactly as it would with a Windows PC: you need an administrative account to approve the join. Simply enter the Domain Name and the credentials and hit apply.

NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name is derived from the Hostname in the Basic System Settings! (see there)

Authentication / Remote User Groups

Finally, to use whole groups on the remote Active Directory, you may want to create an assignment of remote user groups to local user groups. To do so, go to the Users/Groups menu and create a new user group. The group should be of group-type "Backend Membership" with the backend "Active Directory".

This example limits the membership of the local group "Active Directory" to members of the remote AD group "http_users" (which exists in the Active Directory).

User Authentication Review Questions

User Authentication / Review Questions

1. How are Users and Groups structured?
2. Which Authentication Methods are supported by Astaro?
3. What's the benefit of using NTLM Authentication?
4. How is SSO activated when using Active Directory?

Web Security

In this chapter you will learn about:
  HTTP Profiles
  HTTP Authentication

Web Security / HTTP Proxy – Overview (1)

The HTTP Proxy allows to do:
  User Authentication
  Content Filtering
  HTTP Protocol Enforcement

The content filter works with:
  SurfControl
  Astaro AV
  Clam AV

Web Security / HTTP Proxy – Overview (2)

The HTTP Proxy relays HTTP, HTTPS, FTP and WebDAV queries.
HTTP and FTP queries are cached on disk and in memory.

[Figure: FTP, HTTP and HTTPS clients pass through the FTP/HTTP Proxy & Cache]

Web Security / HTTP Proxy – Workflow

Flexible configuration is possible through so called Proxy Profiles and Filters. Each Profile holds a combination of options and settings.

Web Security / Content Classification

Text Classification
  Text is categorized using Bayes' statistic methodology and vector machine algorithms.

Optical Character Recognition (OCR)
  OCR recognizes text in graphics and images. This module supports a wide range of type fonts, sizes and rotations, and can even analyze colored type or transparent text on any background.

Pornography and Recognition of Nudity
  This module identifies nudity by analyzing the qualities of human skin and individual skin tones, including color, hue and texture.

Logo and Object Recognition
  This module searches for logos, symbols and other graphical elements in photos. Variations in size, color and rotation are taken into consideration.

Face Recognition
  This module recognizes faces. With high-quality images, it is even possible to search for individual persons.

Digital Fingerprint
  This module characterizes and labels images and data for later identification on the Internet, intranets or in e-mail messages.

HTTP Proxy Configuration Overview

Web Security / HTTP Proxy (1)

HTTP Proxy – Global Configuration

Web Security / HTTP Proxy (2)
Operational Modes
Standard Proxy
  listens on port 8080
  Allows any network listed in Allowed Networks to connect
  Client browser must be configured
  HTTP proxy service requires a valid Domain Name Server (DNS)
Transparent Proxy
  handles all traffic on port 80
  Client doesn't need to touch browser configuration
  Proxy cannot handle FTP and HTTPS
  Packetfilter must allow port 21 and 443
  No HTTP on other than port 80
  Clients must be able to resolve hostnames

Web Security / HTTP Proxy (3)
Operational Modes with User Authentication:
  Basic
  Active Directory
  Novell eDirectory
Enabling User Authentication will bring up a User/Group selection dialog.

Web Security / HTTP Proxy (4)
Configuring User Authentication for HTTP:
When you have selected one of the user authentication operation modes, a "User/Groups" selection box pops up.
Drag and Drop the allowed Users and Groups to this box.

Web Security / Anti Virus
HTTP Anti Virus
  Enable/Disable Virus scanning
  Use one or both Virus scanners and, if available, the Hardware Scan-Engine
  Virus-Scan files up to this size
  Disallow Downloads by file-extension

Web Security / Content Filter (1)
HTTP Content Filter: Default profile
  Operation mode: Black- or Whitelist
  Categories to block or allow
  Black-/White-list these URLs
  Activate Spyware Protection
  Control Active Content removal

Web Security / Content Filter (2)
HTTP Content Filter Category assignment
  The Number of Categories is fixed
  Names and Contents can be edited
  Name of Category
  Assigned Subcategories
  Modify Name and Assignment

Web Security / Content Filter (3)
HTTP Content Filter Exceptions
Content Filter Exceptions: Skip individual checks for selected Hosts (e.g. windowsupdate.com), like:
  Authentication
  Anti Virus
  Content Filter

Web Security / Content Filter Profiles (1)
HTTP Content Filter Profiles
Content Filter Profiles allow to treat different user(-groups) and network-areas differently.
The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.

Web Security / Content Filter Profiles (2)
HTTP Content Filter Profiles
A Proxy Profile combines:
  Source Networks
  Filter Assignments
  Authentication Methods
They are processed in order.

Web Security / Content Filter Profiles (3)
HTTP Content Filter Profiles
A Filter Assignment combines:
  Users and Usergroups
  Access times
  Filter Actions

Web Security / Content Filter Profiles (4)
HTTP Content Filter Profiles
Filter Actions
  Work either as Black- or Whitelist
  Contain the things to block or allow:
    Blacklisted/Allowed Sites
    Categories or uncategorized
    Spyware
    Content
    Virus

Web Security / HTTP Content Filter Working Principle
(Diagram) Proxy Profile (Networks, Authentication Methods) -> Filter Assignment (Users, Groups, Time, Action) -> Filter Actions (Categories, Anti-Virus, Content Removal) -> WWW
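The working principle above, as an added Python model (not Astaro code) that also covers the Content Filter Exceptions slide: Proxy Profiles matched in order by source network, Filter Assignments matched by user/group and access time, black-/whitelist Filter Actions, and host exceptions, evaluated for constructed sample requests. That a profile whose assignments all fail to match falls through to the next profile (ending at the Default profile) is an assumption of this model, as are all networks, users, categories and times.

```python
"""Model of the ASG V7 HTTP content-filter working principle (added
illustration, not Astaro code). Modelling assumption: when no assignment of a
matched profile fits, the next profile (finally the Default profile) is tried.
Networks, users, categories and times below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class FilterAction:
    name: str
    mode: str                                     # "blacklist" or "whitelist"
    sites: set = field(default_factory=set)       # blacklisted or allowed hosts
    categories: set = field(default_factory=set)  # categories to block or allow
    uncategorized: bool = False                   # treat unknown category as listed


@dataclass
class FilterAssignment:
    principals: set          # users or groups; "*" matches everyone
    start: time              # access time window [start, end)
    end: time
    action: FilterAction


@dataclass
class ProxyProfile:
    name: str
    networks: list           # allowed source networks (CIDR strings)
    assignments: list        # processed in order


def host_matches(host, pattern):
    """A site entry matches the host itself and all of its subdomains."""
    return host == pattern or host.endswith("." + pattern)


def in_window(now, start, end):
    if start <= end:
        return start <= now < end
    return now >= start or now < end              # window wraps past midnight


def apply_action(action, host, category):
    listed = (any(host_matches(host, s) for s in action.sites)
              or category in action.categories
              or (category is None and action.uncategorized))
    if action.mode == "blacklist":
        return "block" if listed else "allow"
    return "allow" if listed else "block"


def decide(profiles, exceptions, src_ip, user, groups, now, url, category):
    """Return (decision, reason); exceptions maps host -> set of skipped checks."""
    host = urlsplit(url).hostname or ""
    for pattern, skipped in exceptions.items():
        if host_matches(host, pattern) and "contentfilter" in skipped:
            return "allow", "exception for %s" % pattern
    ip = ip_address(src_ip)
    principals = {user, *groups, "*"}
    for profile in profiles:
        if not any(ip in ip_network(n) for n in profile.networks):
            continue
        for fa in profile.assignments:
            if fa.principals & principals and in_window(now, fa.start, fa.end):
                return (apply_action(fa.action, host, category),
                        "%s/%s" % (profile.name, fa.action.name))
    return "block", "no profile matched"


# --- constructed sample configuration -------------------------------------
WORK_START, WORK_END = time(8, 0), time(18, 0)
STRICT = FilterAction("Strict", "blacklist",
                      categories={"Entertainment", "Trading", "Gambling", "Spyware"})
RELAXED = FilterAction("Relaxed", "blacklist", categories={"Spyware"})
DEFAULT = FilterAction("Default", "blacklist", sites={"badsite.example"},
                       categories={"Spyware"}, uncategorized=True)
PROFILES = [
    ProxyProfile("Office", ["10.0.1.0/24"], [
        FilterAssignment({"staff"}, WORK_START, WORK_END, STRICT),    # working hours
        FilterAssignment({"staff"}, WORK_END, WORK_START, RELAXED),   # after 6 p.m.
    ]),
    ProxyProfile("Default", ["0.0.0.0/0"], [
        FilterAssignment({"*"}, time(0, 0), time.max, DEFAULT),
    ]),
]
EXCEPTIONS = {"windowsupdate.com": {"authentication", "antivirus", "contentfilter"}}


def request(src_ip, user, groups, hour, url, category):
    """Evaluate one request against the sample configuration at hour:00."""
    return decide(PROFILES, EXCEPTIONS, src_ip, user, groups,
                  time(hour, 0), url, category)
```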

Web Security / HTTP Proxy Advanced Options
  Skip Hosts and Networks for Transparent Proxying
  The port to listen for client requests
  Write "Access-Log file" at all?
  Care for those services outside.
  If integrated in a proxy hierarchy, use this parent. The parent proxy takes username and password as configuration if authentication is necessary.

Web Security Review Questions

Web Security / Review Questions
1. What do you need to consider when using NTLM Authentication if your PC is not assigned to the domain ASLLAB?
2. Is it possible to limit access to Entertainment, Trading and Gambling during working hours but allowing it after 6 p.m.?
3. What happens if you have time-based profiles for groups during the working hours created but nothing defined for after hours?
4. What is the default Profile meant for?
5. What might be reasons if NTLM is not working correctly?
6. What is the purpose of different profiles?
7. What happened when downloading eicar.com from the Internet?
8. What would you recommend if servers will download larger patches automatically over the http proxy and Virus-scanning is enabled?

Refresher: SMTP Proxy
Upon completion of this chapter you will be able to perform the following:
  Explain the SMTP proxy architecture

SMTP Proxy / Overview
Simple Mail Transfer Protocol
  SMTP relay shields your internal mail server from malformed, malicious, and unwanted messages
  Can relay incoming and outgoing mails
  Scans mails for viruses and other malicious data
  Deals with SPAM
NOTES:
  The SMTP proxy also supports subdomains
  To use the SMTP proxy correctly, a valid name server (DNS) must be configured

SMTP Proxy / Relaying
Incoming / Outgoing e-mail
  Define the domains the security system should be responsible for
  You should have a DNS MX record for every domain pointing to the security system
  Specify the internal server to which e-mails should be forwarded
  Decide whether you want to scan the content of outgoing e-mails
  Define which networks and hosts are allowed to send outgoing e-mail using the security system (never use "ANY")
  Optionally you can switch on authenticated relaying for single users
  Define a smarthost if outgoing e-mail is not delivered to the recipient directly

SMTP Proxy / Anti-Virus
Anti-Virus scanning checks every message for viruses, worms and other malware
  Astaro Security Gateway features several anti-virus engines for best security
  Single Scan provides maximum performance
  Dual Scan uses two different scan engines for an extra level of security
  Optionally activate the Hardware accelerated scanner (only supported with hardware appliances ASG425/ASG525)
  Messages containing malicious content will be blocked and stored in the e-mail quarantine or instantly removed
  Unwanted file attachments can be blocked by file extensions
  End users can review and release their quarantined messages either through the Astaro End User Portal or the daily End User Spam Report
  Using the Pattern Up2Date, you will always be protected against the latest threats

SMTP Proxy / Anti-Spam: Overview
Provides many "arrows for the quiver" in fighting unwanted e-mails from entering the network
  Users can consult with real-time blackhole lists and allow certain senders or networks to be exempt from many of the checks
  Expression (keyword) filtering can take action on messages that contain certain patterns in the subject line or message body
Astaro Security Gateway features several techniques to reduce Spam:
  Realtime Blackhole Lists
  Advanced heuristic analysis
  Greylisting
  SPF record checks
  BATV reverse path signing
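Of the techniques listed, BATV reverse-path signing is the one whose mechanism is worth seeing in code. The following is an added Python model, not Astaro code: it follows the prvs tag layout of the BATV draft (key number, three-digit expiry day, six hex characters of an HMAC-SHA1), and shows why a bounce that arrives without a valid tag can be rejected. The exact HMAC input, the seven-day validity, the plain day counter used as "today", the key and the addresses are all assumptions of this model.

```python
"""BATV (Bounce Address Tag Validation) reverse-path signing, modelled after
the prvs tag layout of the BATV draft. Added illustration, not Astaro code.
Assumptions: HMAC-SHA1 over key-number + expiry-day + lower-cased original
address, VALIDITY_DAYS of validity, "today" passed in as a plain day counter.
"""
import hashlib
import hmac
import re

VALIDITY_DAYS = 7
# local part: prvs=KDDDSSSSSS=original-local-part
#   K = key number, DDD = expiry day mod 1000, SSSSSS = signature (hex)
PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<core>.+)$")


def _signature(key, key_id, ddd, address):
    msg = "%d%03d%s" % (key_id, ddd, address.lower())
    return hmac.new(key, msg.encode(), hashlib.sha1).hexdigest()[:6]


def batv_sign(address, key, key_id, today):
    """Rewrite the MAIL FROM of outgoing mail into its tagged form."""
    local, domain = address.rsplit("@", 1)
    ddd = (today + VALIDITY_DAYS) % 1000
    sig = _signature(key, key_id, ddd, address)
    return "prvs=%d%03d%s=%s@%s" % (key_id, ddd, sig, local, domain)


def batv_verify(address, keys, today):
    """Check a tagged address; returns (ok, original address or reason)."""
    if "@" not in address:
        return False, "no domain"
    local, domain = address.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if m is None:
        return False, "no prvs tag"
    key_id, ddd = int(m["k"]), int(m["ddd"])
    core = m["core"] + "@" + domain
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key number"
    expected = _signature(key, key_id, ddd, core)
    if not hmac.compare_digest(m["sig"].lower(), expected):
        return False, "bad signature"
    remaining = (ddd - today % 1000) % 1000       # days until expiry
    if remaining == 0 or remaining > VALIDITY_DAYS:
        return False, "expired"
    return True, core


def inbound_rcpt(mail_from, rcpt_to, keys, today):
    """Gateway decision at RCPT TO: a bounce (null sender) must carry a valid
    tag, since we tag everything we send; other mail is accepted as is.
    Valid tags are stripped so the original mailbox receives the bounce."""
    ok, result = batv_verify(rcpt_to, keys, today)
    if ok:
        return "accept", result
    if mail_from == "":                           # bounce for mail we never sent
        return "reject", result
    return "accept", rcpt_to
```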

SMTP Proxy Refresher Review Questions

SMTP Proxy / Review Questions
1. What is the fundamental precondition that the SMTP proxy will handle incoming e-mails?
2. Is it possible to configure more than one SMTP route?
3. What are possible configuration options to avoid SPAM?
4. What is User spam releasing?
5. What happens to SPAM messages sent from hosts listed in Allowed Networks?
6. Does VirusProtection also check outgoing e-mails?
7. What are the options to handle unwanted e-mails?
8. What happens if BATV is turned on?

E-mail Encryption
Upon completion of this chapter you will be able to perform the following:
  Configure & test e-mail encryption using S/MIME or OpenPGP

E-mail Encryption / Motivation
  Still one of the most used services
  Over 95% of all e-mails are sent as plain text!
  Would you send your tax declaration on a postcard?
  Protect your intellectual property and privacy!
Business Requirements
  Industry espionage
  Data Protection
  Secure cooperation
  Cost effectiveness
Formal/Legal Requirements
  Basel II
  HIPAA
  Sarbanes-Oxley
  Industry Initiatives

E-mail Encryption / Goals
What objectives are to be achieved using secure e-mail?
1. Confidentiality
   Encryption: only a recipient who possesses the correct private key can decrypt and read the content of the e-mail
2. Integrity
   Hashes: assure that the content has not been altered during transport over the internet
3. Authenticity/Non-Repudiation
   Digital Signatures: endorse that the content is sent by a specific user
   Digital Certificate: the public/private key pair actually belongs to a specific user, issued by a trusted third party (Certificate Authority, CA)

E-mail Encryption / Standards
S/MIME (Secure / Multipurpose Internet Mail Extensions, V3.1, RFC 3850-52)
  Uses X.509 digital certificates for securing MIME-encapsulated e-mails
  Implemented by MS-Outlook, Lotus Notes, Thunderbird, …
  Algorithms: RSA, 3DES, AES, MD5, SHA-1
OpenPGP (Pretty Good Privacy, RFC 2440)
  Uses public/private keys for securing e-mails (and other content) within a "web of trust"
  No central certificate authority -> keys are signed by other users
  Used by commercial and open source software (GnuPG, PGP, …)
  Algorithms: DSA/ElGamal, RSA, 3DES, AES, CAST5, MD5, SHA-1
Both standards provide e-mail encryption and digital signing via similar public key mechanisms.
However, they are not compatible with each other!

E-mail Encryption / E-mail Encryption & Content Scanning
(Diagram) Left: Encryption SW on Client – internal users encrypt with OpenPGP or S/MIME on the client; the E-mail Server and Astaro Security Gateway (Content Scanning/Virus Protection) relay via SMTP to external users.
Right: NO additional SW on Client, Encryption SW on Gateway – the Astaro Security Gateway performs E-mail Encryption & Digital Signing and Management of Keys & Certificates for OpenPGP and S/MIME.

E-mail Encryption / Configuration in a few steps
Configuration of e-mail encryption is easy and done in a few simple steps:
1. Activate e-mail encryption on WebAdmin
2. Accept or change Default Policy
3. Enter e-mail addresses of internal users
4. Import public key or certificate of external recipients
Done

E-mail Encryption / Activate e-mail Encryption
  Enable e-mail encryption
  Fill in organization details
  Save and create e-mail CA
NOTE: You have to configure the SMTP-Proxy properly!

E-mail Encryption / Generate CA certificate and postmaster (1)
  Automatic generation of S/MIME certificate authority (CA)
  Automatic generation of OpenPGP postmaster

E-mail Encryption / Generate CA certificate and postmaster (2)
  Unique fingerprint for verification
  Download public CA certificate and send it to your recipients.

E-mail Encryption / Define default policy
By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), if provided.
If the foreign CA certificate exists on the security system, user certificates can automatically be extracted and imported from incoming e-mails.

E-mail Encryption / Create internal users (1)
  Create a new entry for every user who should encrypt outgoing e-mails
  Use the default policy or set individual options
  Import existing OpenPGP keys and X.509 certificates or let the security system generate them automatically
  Upload of X.509 certificates with private keys requires the PKCS#12 format with a passphrase
  The OpenPGP public and private key have to be provided in a single file without any pass phrase

E-mail Encryption / Create internal users (2)
  Keys and certificates are generated automatically by the security system, if desired
  Download the public keys and certificates and provide them to your e-mail recipients

E-mail Encryption / Import public OpenPGP keys
  To create recipients using OpenPGP, just import a keyring file with one or multiple public keys
  Every imported key is trusted and an entry with the first e-mail address on this key is created
  E-Mails for recipients listed here are automatically encrypted

E-mail Encryption / Import public X.509 certificates
To create recipients using S/MIME with X.509 certificates you can import a public certificate for every single recipient, or you can import a CA certificate and let the security system extract the public certificates from incoming signed e-mails (see next step).
If you import an X.509 user certificate manually, messages from the e-mail address associated with this certificate are always trusted without the need to import the appropriate CA certificate! The source is always trusted!

E-mail Encryption / Use case: Send encrypted e-mail
1. Internal client (hs@asllab.corp) sends plain e-mail via the internal E-mail Server (SMTP) to the ASG for user1@extern.corp
2. ASG searches for X.509 cert or OpenPGP key for recipient user1@extern.corp in local database
3. According to policy e-mail is encrypted and signed (S/MIME or OpenPGP)
4. Deliver encrypted e-mail to mail server of recipient (mail.extern.net)
5. Recipient fetches e-mail from server (POP3) and decrypts using client software (e.g. Mozilla Thunderbird)
(Diagram: E-mail Server -> Astaro Security Gateway -> mail.extern.net -> POP3 Client, "Decrypt on Client")
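The default policy, the import slides and the use case above, as an added Python model (not Astaro code) of the gateway's decision logic: a recipient database filled by OpenPGP keyring and X.509 imports, outbound processing per policy, and inbound verification with automatic certificate extraction. No real cryptography is performed; that a message to a recipient without any key leaves without encryption, and the key and certificate identifiers, are assumptions of this model.

```python
"""Model of the ASG V7 e-mail encryption workflow (added illustration, not
Astaro code). Addresses and key/certificate ids are constructed; the handling
of recipients without a key ("no-key:plain") is a modelling assumption.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    scan: bool = True        # virus/content scanning before encryption
    sign: bool = True        # sign with the internal user's key
    encrypt: bool = True     # encrypt with the recipient's cert/key, if known


@dataclass
class Recipient:
    address: str
    standard: str            # "smime" or "openpgp"
    key_id: str              # certificate serial or OpenPGP key id (constructed)


class EncryptionGateway:
    def __init__(self, default_policy=None):
        self.default_policy = default_policy or Policy()
        self.internal_users = {}     # address -> Policy
        self.recipients = {}         # external address -> Recipient
        self.trusted_cas = set()     # imported public CA certificates (by name)
        self.auto_extract = True     # "Automatic extraction of S/MIME certificates"

    def add_internal_user(self, address, policy=None):
        """Default policy or individual options per internal user."""
        self.internal_users[address] = policy or self.default_policy

    def import_openpgp_keyring(self, keyring):
        """keyring: list of (key_id, [user-id addresses]); every key is trusted
        and an entry for the FIRST address on the key is created."""
        for key_id, addresses in keyring:
            self.recipients[addresses[0]] = Recipient(addresses[0], "openpgp", key_id)

    def import_x509_user_cert(self, address, serial):
        """Manually imported user certificates are trusted without their CA."""
        self.recipients[address] = Recipient(address, "smime", serial)

    def import_ca_cert(self, ca_name):
        self.trusted_cas.add(ca_name)

    def outbound(self, sender, recipient):
        """Use case 'send encrypted e-mail': the steps applied to one message."""
        policy = self.internal_users.get(sender)
        if policy is None:
            return ["relay-unchanged"]          # sender is not an encryption user
        steps = []
        if policy.scan:
            steps.append("scan")
        if policy.sign:
            steps.append("sign")
        entry = self.recipients.get(recipient)
        if policy.encrypt and entry is not None:
            steps.append("encrypt:" + entry.standard)
        elif policy.encrypt:
            steps.append("no-key:plain")        # nothing to encrypt with (assumption)
        steps.append("deliver")
        return steps

    def inbound_signed(self, sender, serial, issuer):
        """Signed S/MIME message from outside: verify, maybe extract the cert."""
        known = self.recipients.get(sender)
        if known is not None and known.key_id == serial:
            return "trusted-by-import"          # source is always trusted
        if issuer not in self.trusted_cas:
            return "unverified"
        if self.auto_extract:
            self.recipients[sender] = Recipient(sender, "smime", serial)
            return "verified+extracted"
        return "verified"
```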

E-mail Encryption / Advanced Topics: S/MIME authorities
Import a public CA certificate to achieve multiple objectives:
  Every incoming e-mail signed by a certificate issued by this CA is verified valid (if the content is not altered during transport)
  If "Automatic extraction of S/MIME certificates" is enabled, X.509 user certificates attached to a signed S/MIME message issued by this CA are extracted and imported
Astaro Security Gateway ships several public keys of commercial Certification Authorities:
  Trustcenter (http://www.trustcenter.de)
  S-TRUST (http://www.s-trust.de)
  Thawte (http://www.thawte.com)
  Verisign (http://www.verisign.com)
  and more…

E-mail Encryption Review Questions

E-mail Encryption / Review Questions
1. What objectives are to be achieved using secure e-mail?
2. Which algorithms are supported by S/MIME?
   Symmetric encryption/Signatures
   Asymmetric encryption
   Hashes
3. Which algorithms are supported by OpenPGP?
   Symmetric encryption/Signatures
   Asymmetric encryption
   Hashes
4. Which information has to be provided to start S/MIME CA certificate and OpenPGP Postmaster generation?
5. Which options can be set for the default policy?
6. Which file types are supported to import S/MIME certificates or OpenPGP keys for internal users?
7. For which standard is automatic extraction of foreign certificates or keys supported?
8. Do you need a passphrase for internal OpenPGP keys?
9. Which steps are needed to send and receive encrypted e-mails to and from external recipients?
10. Do you have to import the public S/MIME CA of external recipients before you can send them encrypted e-mails?

High Availability & Clustering
In this chapter you will learn about:
  High Availability
  High Performance
  Working Principle

High Availability & Clustering / Overview
No more single point of failure!
  redundant switches
  redundant links
  redundant Hardware
(Diagram: LAN – redundant gateways – Internet; := Aggregated Links)

High Availability & Clustering / HA Modes
Active-Passive HA (Standby)
  This has been there before
  Only the Master is active
  Passive (Slave) takes over in case of failure
  Configuration and operating states are synchronized
  This includes IP-connection states and e-mail
Active-Active HA (Cluster)
  New in Version 7!
  Offers High Availability AND Load balancing
  All appliances are working
  If one unit fails, all other units take over
  Load is actively balanced

High Availability & Clustering / Feature Overview
Active-Active HA (Cluster)
  Increased Appliance Performance
    Faster handling of performance intensive tasks using Accelerator Card (needs an additional PCI slot)
    Other appliances in cluster mode (only one port and cable)
    One logical FW unit (cluster)
    Increases availability
  Increased Network Performance
    Link Aggregation
    Logical Interface

High Availability & Clustering / Hot Standby Mode
Hot Standby Mode
  Master <- Status & Config Synchronisation -> Slave
  All tunnels, SPF-Connections (IPConntrack) and quarantined objects are synchronized
  Stateful Failover < 2sec

High Availability & Clustering / Active-Active-Mode
High Availability (Active/Active) (loadbalancing)
Active/Active Mode
  Master runs Packet Filtering & distributes the load.
  Slave and cluster nodes handle the load.
  Note: Packet Filtering runs on the Master only
Balanced Services are:
  VPN (IPSec)
  IPS
  AV for HTTP, FTP, SMTP, POP3
  AS for SMTP, POP3
Cluster Distribution is round robin, except HTTP which is session based.
Scalable 1 Gigabit/sec
(Diagram: Internet – Master – Slave – Cluster Nodes – LAN, fully meshed)

High Availability & Clustering / Auto Configuration (1)
Automatic Configuration = Default Configuration
  Both devices configure themselves upon connection through the HA-Port
  To configure an Active/Active Cluster, only the Master needs to be configured to "Cluster Mode"
Appliances: HA interface eth3 (HA port)
(Diagram: Master – HA port (eth3) – Slave)

High Availability & Clustering / Auto Configuration (2)
Step 1: Activate HA (if necessary)
  Default setting for appliances (HA-Port)
  If HA is active, Status will look like this.

High Availability & Clustering / Auto Configuration (3)
Step 2: Connect other HA device
  Make sure the cabling is correct
  Start the device
  If everything is correct, the system switches to active/passive operation automatically.

High Availability & Clustering / Disabling Master-Slave
Disabling Master/Slave:
  Switch back Operation mode to "Off"
  The slave device will perform a factory reset and shut down.

High Availability & Clustering / ASG Cluster Configuration (1)
Cluster Configuration: For the Master System:
  Set Operation Mode to "Cluster"
  Configure NIC
  Configure Device name, e.g. Node1
  Select Node ID (1, 2, 3…)
  Configure an encryption Key

High Availability & Clustering / ASG Cluster Configuration (2)
Cluster Configuration: For the Slave System:
  The slave system is still configured to auto configuration on eth2 from before (check, if not sure)
  Make sure cabling is correct
  Power on the device
  Once the slave is working, you can see the HA status. It will display "Operation Mode: Cluster".

High Availability Review Questions

High Availability / Review Questions
1. Which HA options are supported by Astaro?
2. How many nodes are supported in Cluster Mode?
3. What are the requirements for Active / Passive? Cluster Mode?
4. Which device corresponds with the "HA Port" in the Appliances?
5. Which applications are balanced to other nodes in cluster mode?
6. How is the load distributed between the cluster nodes?

Refresher: SSL-VPN
In this chapter you will learn to configure, test and maintain:
  Remote Access using SSL-VPN

Remote Access / Brief Technology Comparison
PPTP
  Developed by Microsoft
  Based on PPP protocol
  Included in MS-Windows
  Easy to install and use
  Weak security (session key dependent on password)
IPSec
  De-facto standard for VPNs today (optimized for site-to-site VPN)
  Many alternative mechanisms (complex protocol, many possible failures)
  The most secure protocol (if correctly configured)
  Access not always possible from each network (if ports blocked by firewalls)
L2TP (over IPSec)
  Used by Microsoft
  Tunnels all layer 3 protocols (like PPTP)
  More secure than PPTP (using IPSec security mechanisms)
  Adds another layer of complexity to IPSec
SSL
  De facto standard for online-shops (optimized for remote access)
  Easy to install and use
  Passes through most firewalls (even through proxies, uses only one port)
  Network configuration automatically updated (VPN networks, DNS/WINS/domain)

SSL-based Remote Access / Technology and Terminology (1)
  Secure, private Internet connections
  Transparent to transported protocols (FTP, Telnet)
  Optimized for HTTP
Security measures
  Encryption
  Source authentication
  Message authentication
TLS Handshake Protocol provides:
  Peer identity verification (uses public keys)
  Shared key negotiation
TLS Record Protocol provides:
  Privacy via symmetric encryption (DES, RC4); keys generated during TLS handshake
  Reliability via HMAC mechanisms (SHA, MD5)

SSL-based Remote Access / Technology and Terminology (2)
Digital passport
  Describes an entity (can be a machine or a person)
  Contains identifying information
  Must be issued (and signed) by a certification authority
Server certificate
  Describes the server, typically a Web server
  Includes organization name and fully qualified domain name
Client certificate
  Electronic driver's license
  Contains identifying information about the holder of the certificate
CA root certificates
  The CAs vouch for the validity of the information contained within the certificate
  The browser or server trusts the certificate because it trusts the CA

Remote Access / The promise of SSL VPNs
The promise of SSL VPNs
  Easy to "install"
  Does not require a client (uses SSL mechanisms integrated into each browser)
  Allows remote access from anywhere including internet cafes, hot spots …
  Sufficient security
  Also supporting certificates
SSL VPNs – the real world
  Browser based (clientless) remote access only for web based applications
  Allows remote access from internet cafes, but do you really want to use an unknown PC for accessing sensitive company data?
  Think about the traces that you will leave behind on the PC (through autocomplete, cookies, caches, temporary files and browser history)
  And what about hidden trojans and keyloggers installed on the PC?
  SSL offers solid security, although not as paranoid as IPSec

Remote Access / SSL VPN native application support
"Webifier"
  Transforms native applications into web-based applications
  Usage is not as comfortable as with native applications (different GUI)
  Often out of action due to complex protocol transformation
  Requires much processing power on SSL VPN gateway
Port forwarding
  Applet on client forwards traffic for each server/application through SSL tunnel to SSL gateway
  Typically requires admin rights on client
ActiveX controls within browser
  ActiveX-Agent forwards all traffic through SSL tunnel
  Real network access through virtual network interface
  Dependent on OS and browser (MS-Windows/IE only)
SSL client
  Offers the same benefits as ActiveX controls (full network access)
  Platform independent

Remote Access / Astaro "One Click VPN"
  Complete Remote Access VPN functionality
  Feature rich clients for SSL and IPSec: Astaro SSL VPN Client, Astaro Secure Client
"One Click Installation"
  With the new self service user portal, download complete individual client packages with just one mouse click:
    Client software
    Client configuration
    Keys & certificates

Remote Access / Astaro SSL VPN Client
  Based on OpenVPN Client
  Uses latest SSL version (TLS)
  Proven technology: used for all internet applications
  Offers secure and stable authentication and encryption
  Easy installation and configuration
  Platform independent: Windows, Linux, MacOS X, FreeBSD, OpenBSD, NetBSD, Solaris…
  Accessible from anywhere: via NAT, DSL, UMTS, GPRS, using dynamic IP addresses…

SSL-based Remote Access / Conclusion
  SSL VPNs are a great alternative to current remote access technology
  Clientless SSL VPNs only offer limited capability
  You will require some form of client for complete transparent remote access
  Client based solutions do not have to be complex in any case
  Astaro's VPN solutions provide an industry-unique combination of secure, feature rich remote access and an easy to use "One-Click" installation capability

SSL-based Remote Access / Configuration Steps in detail (1)
Define the user account for the remote host:
  Open the Users >> Users page.
  Define a new user account for the remote client.
With remote access via SSL this user account is necessary for accessing the Astaro End User Portal and for VPN.
Use static remote access IP: With a Remote Access via SSL it is not possible to assign a static IP address to the user. Leave this option deactivated if the user uses only the remote access via SSL.


SSL-based Remote Access / Configuration Steps in detail (2)
Configure the SSL remote access:
  Open the Remote Access >> SSL page.
  On the Global tab enable the SSL remote access by clicking Enable.
Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.
Local certificate: In order to authenticate for VPN clients, the SSL server needs a local certificate (in this example: Local X.509 Cert; this certificate is automatically preset).


SSL-based Remote Access / Configuration Steps in detail (3)
Configure the advanced SSL remote access settings: Open the Remote Access >> SSL >> Advanced tab.
You must define this packet filter rule if you have disabled the Automatic packet filter rule function during the configuration of the SSL remote access in step 3.
Override hostname: The value in this dialog box is used as the target hostname for client VPN connections and is by default the hostname of the firewall. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.


SSL-based Remote Access / Configuration Steps in detail (4)
Configure Packet Filter for SSL-based Remote Access:
  Open the Network Security >> Packet Filter >> Rules tab.
  Source: Remote host or user (in this example: amertz).
  Service: Set the service.
  Destination: The allowed internal network (in this example: Internal (Network)).
  Action: Allow.
  Also enable which host/network should be able to send traffic back!


SSL-based Remote Access / Configuration Steps in detail (5)
Define the masquerading rule (optional): Masquerading is optional for remote users who have only private IP addresses, so that they can surf on the Internet with an official IP address.
Activate the proxies (optional): If remote employees shall access URL services via the remote access you may configure the required proxies on ASG (DNS and HTTP).

SSL-based Remote Access
/ Configuration Steps in detail (6)
Enable End User Portal
Define Allowed Networks & Users
Configuration of the Remote Client: Users may open a browser and enter the management address of the Astaro End User Portal (https://IP address will be redirected)
Download Software and Certificates

SSL-based Remote Access
/ Configuration Steps in detail (7)
SSL VPN contains software and keys for the SSL client, with 3 options:
A complete software package with the pertinent key for a new installation
A config update for an already installed SSL VPN client with new keys
A ZIP archive for the configuration of SSL VPN on Linux, MacOS X, BSD and Solaris
Next: Unpack the installation package and launch the file setup.exe

SSL-based Remote Access
/ Configuration Steps in detail (8)
Installing the SSL VPN Client Software
The installation wizard copies all needed files to the client system. A virtual network card will be installed during the installation process. Since the relevant driver is not certified by Microsoft, a caution message will appear but can be ignored.

SSL-based Remote Access
/ Configuration Steps in detail (9)
Using the SSL Client
Log in with Username and Password. The connection dialogue box allows you to monitor the set-up of the connection. SSL VPN Remote Access can be disconnected by clicking <Disconnect>.

SSL-based Remote Access
/ Configuration Steps in detail (10)
Connectivity Testing
Log in with Username and Password. The connection dialogue box allows you to monitor the setup of the connection. SSL VPN Remote Access can be disconnected by clicking <Disconnect>.

Site-to-Site VPN using certificates
Upon completion of this chapter you will learn:
About IPSec protocols from a more detailed perspective
How to create and manage X.509 certificates
How to establish IPSec Connections with certificate-based authentication of VPN partners
How to find and solve typical VPN-related problems

Site-to-Site VPN
/ Supported Protocols & Parameters (1)
IPSec provides two security functions at the IP (Internet Protocol) level: Authentication and Encryption.
Three protocols are used in an IPsec implementation:
ESP, Encapsulating Security Payload: Encrypts and/or authenticates data
AH, Authentication Header: Provides a packet authentication service
IKE, Internet Key Exchange: Negotiates connection parameters, including keys
This requires a higher-level protocol (IKE) for the setup of the IP-level services (ESP, AH).
IKE (Internet Key Exchange) is defined in RFC 2409 and is based on the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408), the IPsec Domain of Interpretation (DOI, RFC 2407), OAKLEY (RFC 2412) and SKEME (Secure Key Exchange Mechanism).
ASG V7 is using StrongSwan – the most stable Linux implementation of IPSec.

Site-to-Site VPN
/ Supported Protocols & Parameters (2)
In IPSec, two protocols and two modes exist: ESP vs. AH, Transport Mode vs. Tunneling Mode.
Most secure and flexible is ESP Tunneling mode. Astaro Security Gateway only supports this mode.
ESP Tunneling Mode encrypts and authenticates single IP packets. IP packets are encapsulated in other IP packets using protocol ESP. ESP is a new protocol type on the same level as TCP, UDP and ICMP.
IPSec is a non-proprietary and open standard.
Figure: packet layout in ESP Tunneling Mode: New IP Header | ESP Header | IP Header (original IP header is not changed) | TCP or UDP Header | Packet Data (mnhjbfv09WERRrnoim37QTW). The complete original IP packet is encrypted and authenticated.

Site-to-Site VPN
/ Supported Protocols & Parameters (3)
IKE happens in two phases:
Negotiate parameters (SA, Security Association) for the key exchange (ISAKMP) using the Aggressive Mode or Main Mode, authenticating with Preshared Keys (PSK) or certificates (X.509)
Create an SA for IPsec using Quick Mode
A Security Association is a set of parameters which are established between two communicating partners of a connection and consists of:
Identification
Encryption algorithms used to secure the IPsec connection
From which (IP-) network the IPsec connection starts
In which (IP-) network the connection ends
Period of time after which both partners have to re-authenticate each other
Period of time after which all IPsec keys have to be negotiated again

Site-to-Site VPN
/ ISAKMP and IPsec SA
Figure: IKE Phase 1 exchange (6 messages) between Initiator (GW1) and Responder (GW2); every message carries an IKE Header:
1 + 2: ISAKMP SA Proposal / ISAKMP SA Response. GW1 and GW2 agree on IKE-Connection Parameters such as Encryption Algorithm and Authentication Method.
3 + 4: DH Key Exchange with nonces Ni / Nr. A common symmetric key is generated by using the Diffie-Hellman-Algorithm.
5 + 6: IDi, Certi, Sigi / IDr, Certr, Sigr (encrypted). Identification and Authentication of the connection partners.
IKE uses UDP port 500
Quick Mode – 3 messages
In cooperation with Prof. Dr. A. Steffen / ZHW

Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (1)
Figure: Alice (Alice's Private Key, Alice's Public Key) and Bob (Bob's Private Key, Bob's Public Key) each feed the Diffie-Hellman Key Calculation Engine; steps 1 to 4 produce the Shared Secret Key (Session Key).

1. Alice & Bob exchange public keys.
2. Using Diffie-Hellman, Alice combines her private key with Bob's public key to generate the shared secret key (s = g^ab mod n).
3. Vice versa.
4. Alice and Bob can be replaced by firewall A and firewall B, whereas the shared key is used to verify and decrypt the encrypted packet. It is mathematically impossible to derive the private key from the public key.
5. The result K is equal for both parties and can be used as a key to encrypt the ongoing communication between Alice and Bob.
Performance of asymmetric cryptography is 1000 times slower than symmetric cryptography; therefore it is typically used to encrypt small amounts of data, such as keys for symmetric cryptography.
Diffie-Hellman Key-Exchange is not secure if an attacker is able to intercept the communication and alter the messages. This can be avoided using MAC (Message Authentication Codes).

Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (2)
1. Alice and Bob agree on a large prime modulus n, a primitive element g
and the one-way function y = f(x) = g^x mod n.
2. The integers n and g are not secret and can be published.
3. Alice chooses a large random integer a and sends Bob
A = g^a mod n
4. Bob chooses a large random integer b and sends Alice
B = g^b mod n
5. Alice computes
s = B^a mod n = g^(ba) mod n
6. Bob computes
s = A^b mod n = g^(ab) mod n
7. Alice and Bob now share the secret key s = g^(ab) mod n
8. Since computing the inverse x = f^-1(y) is extremely difficult, no one
listening to the key-exchange can compute the secret key s from the
values A, B, n and g.
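The eight steps above carried out in code, as an added example that is not part of the courseware. It keeps the slide's symbols n, g, a, b, A, B and s; the demo modulus n = 2^31 - 1 and primitive element g = 7 are assumed values small enough that the primitive-root check runs instantly, whereas real IKE groups use the MODP768 to MODP4096 primes.

```python
# Added example (not from the courseware): Diffie-Hellman with the slide's symbols.
# N_DEMO / G_DEMO are demo values, far too small for real use; IKE uses the
# MODP768 ... MODP4096 primes, and a, b must then be correspondingly large.
import secrets

N_DEMO = 2**31 - 1   # demo prime modulus n
G_DEMO = 7           # demo primitive element g of the multiplicative group mod N_DEMO


def prime_factors(m: int) -> set:
    """Distinct prime factors by trial division (fine for the demo-sized n - 1)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def is_primitive_element(g: int, n: int) -> bool:
    """Step 1: g generates the whole group iff g^((n-1)/q) != 1 mod n for every prime q dividing n-1."""
    return 1 < g < n and all(pow(g, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def f(x: int, g: int = G_DEMO, n: int = N_DEMO) -> int:
    """The one-way function y = f(x) = g^x mod n."""
    return pow(g, x, n)


def random_private(n: int = N_DEMO) -> int:
    """Steps 3 and 4: a random integer from [2, n-2], drawn from the OS CSPRNG."""
    return 2 + secrets.randbelow(n - 3)


def valid_peer_value(v: int, n: int = N_DEMO) -> bool:
    """Reject 0, 1 and n-1 from the peer: they force s into a tiny, guessable set of values."""
    return 1 < v < n - 1


def shared_secret(own_private: int, peer_public: int, n: int = N_DEMO) -> int:
    """Steps 5 and 6: Alice computes s = B^a mod n, Bob computes s = A^b mod n."""
    if not valid_peer_value(peer_public, n):
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, n)


def dh_exchange(a: int, b: int, g: int = G_DEMO, n: int = N_DEMO) -> tuple:
    """Run both sides; returns (A, B, s_alice, s_bob) with s_alice == s_bob == g^(ab) mod n."""
    A, B = f(a, g, n), f(b, g, n)
    return A, B, shared_secret(a, B, n), shared_secret(b, A, n)


if __name__ == "__main__":
    a, b = random_private(), random_private()
    A, B, s_alice, s_bob = dh_exchange(a, b)
    print(f"A={A} B={B} shared={s_alice} agree={s_alice == s_bob}")
```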


Site-to-Site VPN
/ Supported Protocols & Parameters (3)
Possible parameters of IPSec tunnels (Security Association SA):
IKE Parameters
Encryption algorithms
DES, 3DES (168bit), AES (Rijndael) (128bit, 192bit, 256bit), Blowfish (128bit), Twofish
(128bit), Serpent (128bit)

Authentication algorithms
MD5 (128bit), SHA-1 (160bit), SHA-256 (256bit), SHA-512 (512bit)

IPSec Parameters
Encryption algorithms
Null, DES, 3DES (168bit), AES (Rijndael) (128bit, 192bit, 256bit), Blowfish (128bit),
Twofish (128bit), Serpent (128bit)

Authentication algorithms
MD5 (128bit), SHA-1 (160bit), SHA-256 (256bit), SHA-512 (512bit)

SA lifetime
60s … 86400s, default value = 7800 sec.

Perfect Forward Secrecy (PFS group)
Groups 1,2,5,14,15,16 - MODP768 … MODP4096

Strict policy
Accept only exactly the parameters specified.

Compression
enable/disable IPCOMP

NOTES:
PFS is not fully interoperable with all vendors.
MODP768 (DH Group 1) is considered weak and only supported for interoperability reasons.
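A checker for an IPsec policy against the parameter lists on this slide, together with a model of the Strict policy switch, added here as an example and not Astaro code. The policy and proposal dict layout and the function names are my own; the non-strict branch (accept any proposal built from supported values) is a simplification, not ASG's exact negotiation logic.

```python
# Added example (not Astaro code): validate a policy against the slide's parameter
# ranges, flag weak choices, and model "Strict policy" proposal matching.
IKE_ENC = {"DES", "3DES", "AES128", "AES192", "AES256", "Blowfish", "Twofish", "Serpent"}
IPSEC_ENC = IKE_ENC | {"Null"}
AUTH_ALGS = {"MD5", "SHA1", "SHA256", "SHA512"}
# Group number -> MODP size; the slide lists groups 1,2,5,14,15,16 = MODP768 ... MODP4096.
PFS_GROUPS = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048", 15: "MODP3072", 16: "MODP4096"}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 60, 86400, 7800
# Flagged as weak: MODP768 per the slide's note; DES, MD5 and Null encryption on this
# example's own judgement (Null gives no confidentiality at all).
WEAK = {"ike_enc": {"DES"}, "ike_auth": {"MD5"}, "ipsec_enc": {"DES", "Null"},
        "ipsec_auth": {"MD5"}, "pfs_group": {1}}


def validate_policy(policy: dict) -> list:
    """Return problems as strings; an empty list means every value is one the slide allows."""
    problems = []
    checks = (("ike_enc", IKE_ENC), ("ike_auth", AUTH_ALGS),
              ("ipsec_enc", IPSEC_ENC), ("ipsec_auth", AUTH_ALGS))
    for key, allowed in checks:
        if policy.get(key) not in allowed:
            problems.append(f"{key}={policy.get(key)!r} not supported")
    lifetime = policy.get("sa_lifetime", LIFETIME_DEFAULT)
    if not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
        problems.append(f"sa_lifetime={lifetime} outside {LIFETIME_MIN}..{LIFETIME_MAX}s")
    group = policy.get("pfs_group")          # None means PFS disabled
    if group is not None and group not in PFS_GROUPS:
        problems.append(f"pfs_group={group} unknown")
    return problems


def weak_choices(policy: dict) -> list:
    """List supported-but-weak parameters, e.g. 'pfs_group=1 (MODP768)'."""
    weak = []
    for key, bad in WEAK.items():
        value = policy.get(key)
        if value in bad:
            note = f" ({PFS_GROUPS[value]})" if key == "pfs_group" else ""
            weak.append(f"{key}={value}{note}")
    return weak


def proposal_acceptable(policy: dict, proposal: dict) -> bool:
    """Strict policy: the peer's IPsec proposal must equal the configured values exactly.
    Non-strict (simplified here): any proposal made of supported values is accepted."""
    keys = ("ipsec_enc", "ipsec_auth", "pfs_group")
    if policy.get("strict", False):
        return all(proposal.get(k) == policy.get(k) for k in keys)
    merged = {**policy, **{k: proposal.get(k) for k in keys}}
    return not validate_policy(merged)
```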

Site-to-Site VPN
/ Symmetric Encryption Algorithms Performance Issues
MARS (IBM): Modified Feistel Network, 32 Rounds, Based on mixed structure
RC6 (RSA): Feistel Network, 20 Rounds, Based on modified RC5
Twofish (Bruce Schneier): Feistel Network, 16 Rounds, Based on modified Blowfish
Serpent (Ross Anderson / Eli Biham / Lars Knudsen): Substitution Permutation Network, 32 Rounds, Based on bit-slice operations
AES-Rijndael (Joan Daemen / Vincent Rijmen): Modified Substitution Permutation Network, 10 Rounds, Based on Square
DES

Site-to-Site VPN
/ ISAKMP and IPsec SA
Figure: timeline from 09:00 to 12:00 for a connection with rightid=@vpn_gw.astaro.com, ikelifetime=3h and keylife=1h: ISAKMP SA #1 is set up at 09:00 and replaced by ISAKMP SA #8 at 11:40; IPsec SAs #2 to #7 (at 09:00, 09:10, 09:50, 10:05, 10:50 and 11:00) serve rightsubnet=10.1.1.0/24 and rightsubnet=10.9.1.0/22, each being re-keyed within the one-hour keylife.
In cooperation with Prof. Dr. A. Steffen / ZHW

Site-to-Site VPN
/ PKI – Important terms
Public Key Infrastructure: technology, processes, software and hardware
Certification Authority (CA): Body that issues digital certificates
Digital certificate: Unique certificate assigning a digital signature to an entity
Digital signature: Unique signature, guaranteed to be unreproducible by a third party, that can be used to sign a transaction
Registration Authority (RA): Body that registers entities on behalf of the CA
Entity: Person, Organization or Data
Algorithm: mathematical calculation used to produce a numerical result (RSA, DES, 3DES, SHA)
Smart Card: Plastic card with a built-in, programmable chip

Site-to-Site VPN
/ PKI – Big Picture
Figure: a Certificate (Name: John Doe; Valid: from 01.00 till 07.02; Public Key; Issuer CA Signature) issued from Personal Data (Name: John Doe, Age: 27, Country: Germany, Title: Dipl. Inf.) via the Registration Authority (RA) Database, published in a Directory (LDAP, X.500 Server), with Internal Clock, Time Stamp Service (TSS) and Verification Service.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (1)
Scenario & Configuration Example
The authentication of the tunnel end points must be done by using X.509 Certificates. The headquarter CA is trusted and will be used as signing CA for all branch offices.
Figure: Headquarter (ASG left, LAN left) and Branch Office (ASG right, LAN right); host certificates ASGleft #1 and ASGright #2 are both issued by A-L CA; the CA certificates #0 ASG-T CA and ASG-L CA are present on both gateways.
Configuration steps on ASG left:
1. Define Network Entities
2. Create IKE/IPSec-Policy
3. Create Host Certificate for branch ASG
4. Export Host Certificate for branch ASG as PKCS#12 container
5. Configure a new VPN connection
6. Configure firewall rules
7. Start the connection
Configuration steps on ASG right:
8. Import PKCS#12 file
9. Install Host Certificate ASG as local key
10. Define Network Entities
11. Create IKE/IPSec-Policy
12. Configure a new VPN connection
13. Configure firewall rules
14. Start the connection
15. Test it

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (2)
Scenario & Configuration Example
The Signing CA is automatically generated when the WebAdmin is opened for the first time. The signing CA is used to verify the certificate requests.
Only one signing CA can be configured for the Astaro Security Gateway. It is possible to upload multiple Verification CAs.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (3)
Scenario & Configuration Example
Create the Certificates: For each gateway (local and remote) a host certificate will be generated.
The certificate for the local VPN gateway is automatically generated when the WebAdmin is opened for the first time (Certificates tab). It is possible to replace the local, default certificate by any other, e.g. one using DN as VPN identifier.
The verification through the signing CA is done automatically.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (4)
Scenario & Configuration Example
Create the host certificate for the branch office. Download this certificate as PKCS#12 file. The file contains Root CA, Host Certificate & Private Key.
(Screenshot: steps 1 to 4)

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (5)
Scenario & Configuration Example
Import Host Certificate as local key on the remote ASG (branch office).
Finally, on both gateways:
Start the connection
Configure firewall rules
Test if the tunnel comes up and carries encrypted traffic

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (6)
New Example: Net2Net X.509 Certificates / Cross Site Certification (1)
Task: The scenario is the same as in the previous example with one exception: Both communication partners run their own CA.
Figure: ASG left (LAN left) holds host certificate ASGleft #1 issued by A-L CA plus the CA certificates #0 ASG-T CA, ASG-L CA and A-R CA; ASG right (LAN right) holds host certificate ASGright #1 issued by A-R CA plus #0 ASG-T CA, ASG-R CA and A-L CA; the CA certificates ASG-L CA and ASG-R CA are exchanged between the sites ("Exchange!").
Differences in the configuration steps:
Own Root CA Certificate on both sides
Host Certificates must be issued by the Root CA on each site
Additional Verification CAs from the other side must be exchanged

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (7)
New Example: Net2Net X.509 Certificates / Cross Site Certification (2)
Figure: the same cross-certification diagram as on the previous slide: ASG left (LAN left, ASGleft #1 from A-L CA; #0 ASG-T CA, ASG-L CA, A-R CA) and ASG right (LAN right, ASGright #1 from A-R CA; #0 ASG-T CA, ASG-R CA, A-L CA), with ASG-L CA and ASG-R CA exchanged ("Exchange!").

Site-to-Site VPN
Review Questions

Site-to-Site VPN
/ Review Questions
1. Name the IPSec encryption algorithm options you can choose from at ASG V7.
2. What is the possible range of IPSec SA lifetime in seconds? What is a reasonable value? Why?
3. Explain a typical use case for automatic CRL fetching.
4. What does ASG perform in IPSec when enabling PFS?
5. Is it possible to import multiple Verification CAs? When would it be useful? What about multiple Signing CAs?
6. In which format can the public key of each signing CA be downloaded?
7. What are the VPN-IDs you can select from? What happens if you install certificates issued with identical e-mail addresses as VPN-ID?
8. Explain the term <Allow Path MTU Discovery>. What is the default MTU size in bytes when using ESP?
9. What does <Parsing> mean in the IPSec debug options? Why wouldn't it be a good idea to run IPSec debugging in an operational stage?

IPSec Remote Access
Upon completion of this chapter you will learn:
About IPSec protocols from a more detailed perspective
How to create and manage X.509V3 user certificates
How to establish IPSec based Remote Access using ASC and certificate-based authentication
How to troubleshoot ASC and solve typical VPN-related problems

Remote Access IPSec
/ Important Aspects: NAT Traversal
Problem: AH and ESP verify the integrity of a TCP packet by recalculating the checksum/hash value. If the headers get changed due to NAT/NAPT, the check will fail.
Solution: NAT-Traversal detects one or more NATTING devices between IPsec peers. It uses UDP encapsulation of the IPsec packets to establish IPSec tunnels through NAT devices. UDP encapsulation works the way that the IPSec packet is wrapped inside a UDP/IP header, allowing NAT devices to change IP or port addresses without modifying the IPsec packet. UDP encapsulation is only used if NAT is detected between the two IPSec peers. Otherwise normal ESP packets are sent.
With NAT-Traversal enabled, you are able to place the ASG or an ASC behind a NATing router and still establish an IPSec tunnel.
Figure: Remote Clients and a Branch Office LAN, each behind a NAT-ing Router, reach the VPN Gateway of the Central Office (Intranet) through a VPN-Tunnel.

Remote Access IPSec
/ Important Aspects: NAT Traversal
Since IKE peers already communicate over UDP port 500, UDP encapsulated ESP uses this same port (avoids drilling new holes in the firewall).
Working principle: The sender indicates that an encapsulated packet follows by setting the first 8 bytes of the UDP payload to zero. These bytes overlap the IKE Initiator Cookie field, for which zero is an invalid value. Thus, implementations can use these bytes to discriminate between IKE and UDP-encapsulated ESP arriving on port 500.
Peers must support the same method of UDP ESP encapsulation. Because only peers that agree will ever send UDP-encapsulated ESP packets, backward compatibility is not an issue.
ESP-protected packets are exchanged between IKE peers: gateway-to-gateway, client-to-gateway and client-to-client.
The solution works only for IPsec ESP using Tunnel Mode. Encapsulation always requires de-capsulation.
NOTE: Using NAT-T you need to configure VIPs for remote access.
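The port-500 discriminator described above, written out as an added example that is neither Astaro nor StrongSwan code: the first 8 bytes of the UDP payload overlap the IKE Initiator Cookie, so an all-zero marker identifies UDP-encapsulated ESP and anything else is treated as IKE. The packet bytes are constructed for the demo; the header lengths (8 bytes SPI + sequence number for ESP, 28 bytes for the fixed ISAKMP header) are standard values.

```python
# Added example (not Astaro or StrongSwan code): demultiplexing IKE and
# UDP-encapsulated ESP on one UDP port, as the slide describes.
import struct

NON_IKE_MARKER = b"\x00" * 8   # 8 zero bytes: never a valid IKE Initiator Cookie
ESP_HEADER_LEN = 8             # ESP starts with SPI (4 bytes) + sequence number (4 bytes)
IKE_HEADER_LEN = 28            # fixed ISAKMP header length (RFC 2408)


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """Sender: wrap an ESP packet for UDP/500 by prefixing the zero marker."""
    if len(esp_packet) < ESP_HEADER_LEN:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    return NON_IKE_MARKER + esp_packet


def classify_udp500(payload: bytes) -> str:
    """Receiver: return 'esp', 'ike' or 'invalid' for a payload arriving on UDP/500."""
    if len(payload) < 8:
        return "invalid"                 # not even a full cookie / marker field
    if payload[:8] == NON_IKE_MARKER:
        # Marker present: what follows must at least carry an ESP SPI + sequence number.
        return "esp" if len(payload) - 8 >= ESP_HEADER_LEN else "invalid"
    # Non-zero first 8 bytes: IKE, but only if a complete ISAKMP header is present.
    return "ike" if len(payload) >= IKE_HEADER_LEN else "invalid"


def decapsulate_esp(payload: bytes) -> tuple:
    """Strip the marker and return (spi, sequence_number, remaining_esp_bytes)."""
    if classify_udp500(payload) != "esp":
        raise ValueError("payload is not UDP-encapsulated ESP")
    esp = payload[8:]
    spi, seq = struct.unpack("!II", esp[:ESP_HEADER_LEN])
    return spi, seq, esp[ESP_HEADER_LEN:]


def demo_packets() -> dict:
    """Constructed samples: a raw ESP packet, its encapsulated form, and an IKE header."""
    esp = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 24      # SPI, seq, opaque ciphertext
    ike = struct.pack("!8s8sBBBBII",
                      b"\x01\x02\x03\x04\x05\x06\x07\x08",       # initiator cookie (non-zero)
                      b"\x00" * 8,                               # responder cookie, zero in message 1
                      1, 0x10, 2, 0, 0, IKE_HEADER_LEN)          # SA payload, v1.0, Main Mode, flags, msg id, length
    return {"esp": esp, "udp_esp": encapsulate_esp(esp), "ike": ike}


if __name__ == "__main__":
    for name, pkt in demo_packets().items():
        print(f"{name:8s} -> {classify_udp500(pkt)}")
```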

Remote Access IPSec
/ Configuration: Host to Gateway
Major Configuration Steps
1. Create Root CA and Certificates for the gateway itself and the remote clients
2. Create / Edit a predefined IPSec Policy
3. Create / Edit IPSec Pools
4. Configure & activate the connection at the IPSec gateway
5. Define Rules / Security Policy
6. Download of certificates / ASC configuration file from End User Portal
7. Install configuration file in ASC & test it
Figure: Remote Users (RemUser #2 with ASG-CA #0) behind a NATT-ing Router reach the VPN Gateway (ASG-GW #1 with ASG-CA #0) of the Central Office Intranet through a VPN-Tunnel.

Remote Access IPSec
/ Configuration – Step 1+2
(Screenshots 1 and 2)

Remote Access IPSec
/ Configuration – Step 4 + 5
(Screenshots 4 and 5)

Remote Access IPSec
/ Configuration – Step 6
From the End User Portal, the user can download the certificate as .p12 file and also the ASC configuration file as .ini file.
The configuration file (.ini) can be opened with an editor, allowing a closer look at the ASC configuration automatically created by ASG.

Remote Access IPSec
/ Configuration – Step 7
You can import the ASC configuration file by using the Profile Import Assistant.

Remote Access IPSec
/ ASC manual configuration (1)
Alternatively it is possible to set up the ASC configuration manually step by step, starting with the wizard right after installing ASC. The next slides show a configuration example using X509 certificates.
(Screenshots 1 to 4)

Remote Access IPSec
/ ASC manual configuration (2)
(Screenshots 5 to 8)

Remote Access IPSec
/ ASC manual configuration (3)
(Screenshots 9 to 12)

Remote Access IPSec
/ ASC manual configuration (4)
13: Connect …
14: … and check connection and log file …

IPSec VPN
Review Questions

Remote Access IPSec
/ Review Questions
1. Explain NAT-Traversal.
2. How can DNS and WINS server information be provided for the use of remote access clients while establishing a connection to the ASG?
3. What are the possible options to download user certificates?
4. What is the benefit of using DN as authentication type instead of PSK or certificates?
5. How can you avoid split tunneling at ASC?
6. What methods does ASC offer for troubleshooting IPSec issues?
7. Does ASG support XAUTH?
8. How can you establish a granular access policy?

THE END. Questions & Answers.