Welcome to the training! Astaro Certified Engineer V7
Courseware Version EN-V7.4
© Astaro 2004/ ACE_V7.4
Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1
DISCLAIMER
All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means, or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other purpose is in violation of copyright laws. While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or omissions and makes no explicit or implied claims to the validity of this information. This document and features described herein are subject to change without notice. This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability, loss or damage caused or alleged to have been caused directly or indirectly by this book. Trademarks: © Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG. © Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG. © Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG. © Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product manuals for complete trademark information.
Agenda - ACE

DAY ONE
• Astaro Product Overview
• Available Products
• AXG System Architecture
• Refresher ACA

DAY TWO
• VoIP Security: H.323, SIP
• Troubleshooting: WebGUI, Command Line

DAY THREE
• Additional Products: ACC, Astaro Report Manager
• Networking: VLAN, Link Aggregation, Bridging, Policy Routing, OSPF, Quality of Service
Before we start … / ACE Exam
ACE Certificates & Exams: ACE certification signifies that an individual has:
• Achieved ACE certification
• Passed the ACE web-based exam
• Demonstrated the knowledge required to implement and configure Astaro Security products with extended features

How do you become an Astaro Certified Engineer? By passing a web-based exam.
• 45 randomly generated questions must be answered within 60 min
• Training participants have one free trial to pass the ACE Exam
• To log in you will receive a voucher via e-mail shortly after the training
• The ACE Exam site is available at https://my.astaro.com/training/

How should you prepare for the ACE exam?
• Actively participate in the training
• Study the ACE Courseware
• Work through the Astaro product manuals
• Configure and test the discussed scenarios in practice
Before we start … / Course Objective
Upon completion of this course you should be:
• Familiar with the Astaro product line
• Able to configure Astaro products
• Able to troubleshoot common problems on Astaro products

„Get together is the beginning, work together is the success.“ (Henry Ford)
Astaro Product Overview
Product Overview
The Astaro product portfolio features easy-to-use “all-in-one” security gateways that enable IT managers to effectively protect their network from malicious Internet-based threats. Additional management tools support Astaro’s Gateway products with centralized management and reporting facilities. All Astaro Gateway products, with the exception of the Astaro Report Manager, are based upon the same architecture. During the training we will use the term ‘AXG’ whenever we are referring to the common architecture. The specific product abbreviation (ASG, AWG) will be used whenever we are discussing a particular product.
Available Products / Astaro Security Gateway
• Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.
• Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.
ASG Overview / Security Features
Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications.

Web Security
• Spyware Protection
• Virus Protection
• Content Filtering

E-mail Security
• Virus Protection for e-mail
• Anti-Spam/Phishing
• E-mail Encryption

Network Security
• Intrusion Protection
• VPN-Gateway
• SPI-Firewall and Proxies
ASG Overview / Available Appliances

Model                           | Users           | Environments                         | Firewall (Mbps) | VPN (Mbps) | IPS/IDS (Mbps) | E-mails/day | Concurrent connections (without Mail-Security)
Astaro Security Gateway 110/120 | 10/Unrestricted | Home office, small office            | 100             | 30         | 55             | 350,000     | 60,000
Astaro Security Gateway 220a    | Unrestricted    | Small business, branch office        | 260             | 150        | 120            | 500,000     | 400,000
Astaro Security Gateway 320     | Unrestricted    | Medium business, enterprise division | 420             | 200        | 180            | 1,000,000   | 550,000
Astaro Security Gateway 425a    | Unrestricted    | Large enterprise headquarters        | 1200            | 265        | 450            | 1,500,000   | 700,000
Astaro Security Gateway 525     | Unrestricted    | Large enterprise core networks       | 3000            | 400        | 750            | 2,200,000   | >1,000,000

System network ports across the range: 3x 10/100 Mbps, 8x 10/100 Mbps, 4x 10/100 Mbps, 8x 10/100/1000 Mbps, 10x 10/100/1000 Mbps, 4x 10/100/1000 Mbps.
Product Overview / Astaro Web Gateway
Effective “all-in-one” web security for your network:
• Single, cost-effective and easy-to-use point solution
• Detects and blocks malicious code in HTTP or FTP traffic
• Granular control of web site access and use of IM/P2P applications
• Deploys as hardware, software, or virtual appliance
• The Web Interface is the same as the ASG but with fewer features
AWG System Overview / Available Appliances

Model                             | Recommended users | Environments            | System network ports | In-line throughput (Mbps) | Antivirus/Web (Mbps) | User requests
Astaro Web Gateway 1000           | 100               | Small Networks          | 2x 10/100/1000 Mbps  | 50                        | 20                   | 100 req./s
Astaro Web Gateway 2000           | 250               | Medium Networks         | 2x 10/100/1000 Mbps  | 80                        | 40                   | 375 req./s
Astaro Web Gateway 3000           | 750               | Medium Networks         | 3x 10/100/1000 Mbps  | 150                       | 80                   | 120 req./s
Astaro Web Gateway 4000           | 2000              | Large Networks          | 3x 10/100/1000 Mbps  | 250                       | 130                  | 3000 req./s
Astaro Web Gateway Virtual Appliance | Unrestricted   | Small to Large networks | *                    | *                         | *                    | *

*Depends on hardware platform used.
Product Overview / Astaro Email Gateway
Effective “all-in-one” e-mail security for your network:
• Single, cost-effective and easy-to-use point solution
• Detects and blocks malicious code and SPAM in SMTP or POP3 traffic
• Provides end-user quarantine management through a secure portal and daily SPAM reports
• Provides e-mail encryption
• The Web Interface is the same as the ASG but with fewer features
AMG System Overview / Available Appliances

Model                              | Recommended users | Environments            | System network ports | In-line throughput (Mbps) | Antivirus/Web (Mbps) | User requests
Astaro Mail Gateway 1000           | 100               | Small Networks          | 2x 10/100/1000 Mbps  | 50                        | 20                   | 100 req./s
Astaro Mail Gateway 2000           | 250               | Medium Networks         | 2x 10/100/1000 Mbps  | 80                        | 40                   | 375 req./s
Astaro Mail Gateway 3000           | 750               | Medium Networks         | 3x 10/100/1000 Mbps  | 150                       | 80                   | 120 req./s
Astaro Mail Gateway 4000           | 2000              | Large Networks          | 3x 10/100/1000 Mbps  | 250                       | 130                  | 3000 req./s
Astaro Mail Gateway Virtual Appliance | Unrestricted   | Small to Large networks | *                    | *                         | *                    | *

*Depends on hardware platform used.
Product Overview / Astaro Report Manager
Data collection and reporting solution for internal security analysis:
• Centralized collection, correlation and analysis of syslog data
• Documentation of security infrastructure effectiveness
• More than 800 tailored security and activity reports
• Real-time monitoring dashboard for instant security incident visibility
Product Overview / Astaro Report Manager
• The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.
• The Report Manager allows you to create robust drill-down reports in a variety of output formats such as Word, Excel, HTML and PDF.
• With advanced attack and event analysis, users can create rule-based alerts which notify administrators when user-defined thresholds have been passed.
Product Overview / Astaro Compliance Reporter
The Astaro Compliance Reporter for PCI is an automated service which allows organizations operating under Payment Card Industry (PCI) regulation to easily conduct a formal risk assessment, as required by the PCI Data Security Standard.
Product Overview / Astaro Command Center
Provides centralized management of large Astaro Gateway deployments.
• Dashboard views display the most important system parameters for all selected devices.
• List views offer detailed information about specific parameters, such as detected threats or resources in use.
• The world map makes it simple to localize Astaro Security Gateways within a large global network and enables a quick overview of the security status.
• A complete hardware inventory of all Astaro Security Gateways is available via a single mouse click.
Astaro Command Center is available free of charge! Based on the same architecture and management components as the Astaro Security Gateway, the Command Center employs similar flexible deployment options.
System Architecture
AXG System Overview / Architecture
• AXG is based on Novell/SUSE® Linux Enterprise 10
• AXG comes with its own hardened and compiled 2.6.x kernel
• SLES10 RPMs are used but are completely recompiled
• All major processes including the WebGUI run in chroot environments.
• AXG is built upon a number of Open Source projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.
Architecture / Open Source Module
• Open source software is distributed with the source code freely available for alteration and customization
• Collective work of many programmers
• Resulting software can become more useful and free of holes and bugs
• Astaro leverages the flexibility and innovation of Linux and Open Source
Configuration / Administration Workflow
Every function can be configured and controlled via the Web-Admin interface. There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.
Refresher ACA This chapter provides a refresher of key areas covered during the ACA course
Refresher ACA / Setting up Ethernet Interfaces
An Ethernet interface is a standard 10/100/1000 Mbit network card. Things to remember:
• Set the correct IP address for each interface with the correct netmask
• Only define one default gateway unless you are using Uplink Balancing
• Make sure that each interface has a unique address range in your environment
Refresher ACA Network Settings / Additional IPs on an Interface
Additional IPs are typically referred to as aliases and follow the same rules as “Standard Ethernet” interfaces. This feature allows administrators to assign multiple IP addresses to one physical Ethernet interface.
• Commonly used with NAT (Network Address Translation)
• Limited to 100 aliases per interface
Restrictions:
• No DHCP address assignment
• No accounting and monitoring
• No IPSec tunnel endpoint
NOTE: An IP alias should be from the same IP network range as the primary address of the interface to prevent possible problems such as IP spoofing. Nevertheless, addresses from other ranges are allowed.
Refresher ACA Network Settings / Uplink (WAN) balancing
Allows for ‘bonding’ of multiple internet connections. Two modes are offered:
• Active/Passive (Failover): the second internet connection only becomes active when the primary goes down.
• Active/Active (Multipath): all internet connections are active and traffic is balanced across them. Traffic automatically fails over to other available links in the event of an outage.
After adding interfaces to the Uplink group, a new definition called Uplink Interfaces is automatically created and used by any packet filter and DynDNS rules. Once Uplink balancing is enabled, each interface can be configured with its own default gateway and will have its own routing table.
Refresher ACA / Network Settings / Multipath Rules
Allows administrators to specify which internet connection traffic should use. This is different from policy routing since the rules benefit from being able to use other connections if the desired interface is down. Ability to create sticky or persistent connections by:
• Combination of source and destination
• By connection
• By source OR destination
• By interface
NOTE: In the Site-to-Site VPN section, there is now a new choice in the “local interfaces” drop-down box which allows you to select “Uplink Interfaces”. This resolves to the first available interface in the available interfaces box, increasing the redundancy available to site-to-site VPNs.
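As an added illustration (not Astaro code, and not the ASG's documented algorithm) of what separates a multipath rule from a static policy route, the following JavaScript models an uplink group of two internet connections together with the persistence options listed above. The link names, the flow addresses and the choice of hashing the persistence key over the links that are currently up are assumptions made for this example.

```javascript
// Added example, not Astaro code: a model of uplink balancing with multipath
// "sticky" rules. The persistence key decides which flows must share one
// uplink; hashing that key over the links that are currently up is an
// assumption made for illustration, not the ASG's documented algorithm.

// Constructed uplink group: two internet connections with a link-state flag.
const UPLINKS = [
  { name: "eth1 (ISP-A)", up: true },
  { name: "eth2 (ISP-B)", up: true },
];

// Mark a link as up or down (what the uplink monitor would do on an outage).
function setLinkState(name, up, uplinks = UPLINKS) {
  const link = uplinks.find((u) => u.name === name);
  if (!link) throw new Error(`unknown uplink ${name}`);
  link.up = up;
}

// Deterministic string hash (djb2) so the same key always maps to the same link.
function hashKey(key) {
  let h = 5381;
  for (const ch of key) h = ((h * 33) ^ ch.charCodeAt(0)) >>> 0;
  return h;
}

// Persistence key for a flow, according to the multipath rule's option.
function persistenceKey(flow, persistBy) {
  switch (persistBy) {
    case "source-destination": return `${flow.src}>${flow.dst}`;
    case "source": return flow.src;
    case "destination": return flow.dst;
    case "connection": return `${flow.proto} ${flow.src}:${flow.sport}>${flow.dst}:${flow.dport}`;
    case "interface": return `${flow.src}>${flow.dst}`; // only used when the pinned link is down
    default: throw new Error(`unknown persistence type ${persistBy}`);
  }
}

// Choose the uplink for a flow. Only links that are up are candidates, so a
// failed link is skipped automatically; a static policy route would keep
// pointing at the dead interface instead.
function selectUplink(flow, rule, uplinks = UPLINKS) {
  const available = uplinks.filter((u) => u.up);
  if (available.length === 0) return null; // every internet connection is down
  if (rule.persistBy === "interface") {
    const pinned = available.find((u) => u.name === rule.interface);
    if (pinned) return pinned.name;
  }
  const key = persistenceKey(flow, rule.persistBy);
  return available[hashKey(key) % available.length].name;
}

// Stand-alone demonstration with a constructed HTTPS flow.
const demoFlow = { proto: "tcp", src: "10.0.0.5", sport: 40000, dst: "198.51.100.9", dport: 443 };
console.log("both links up:", selectUplink(demoFlow, { persistBy: "source-destination" }));
setLinkState("eth1 (ISP-A)", false);
console.log("ISP-A down:   ", selectUplink(demoFlow, { persistBy: "source-destination" }));
setLinkState("eth1 (ISP-A)", true);
```

Because the persistence key is derived from the flow rather than stored per connection, a link outage remaps affected flows deterministically onto the surviving links, and they return once the link is back. Sites that tie a session to the client's source address will notice the change of public IP on failover, which is the practical reason the combination of source and destination is the usual persistence choice.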
Refresher ACA / Network Address Translation / Masquerading
Used if one (or multiple) internal networks should be hidden behind one official IP address. Especially useful if private IP address ranges are used.
[Diagram: internal network using RFC 1918 IP addresses, masqueraded by the ASG behind a single public IP]
Refresher ACA / Network Address Translation / DNAT & SNAT
• Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall, e.g. a server in a DMZ.
• Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings.
Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination, or use the ‘Automatic Packet Filter rule’ option.
Refresher ACA / Packet filtering Architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel. Tables: Filter, NAT.
Packet flow through the netfilter chains (slide diagram):
• Incoming packets -> PREROUTING: dnat, conntrack, mangle, spoofdrop
• Routing decision
• INPUT (packets for local processes): mangle, filter, ips
• FORWARD (packets passing through the gateway): conntrack, mangle, filter, ips
• Local processes: PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache
• OUTPUT (packets from local processes): conntrack, mangle, dnat -> Routing
• POSTROUTING -> outgoing packets: masquerading, snat, conntrack, mangle, ips
Refresher ACA / Packet Filter - Configuration Principles (1)
• You only need to maintain one table of filter rules. ASG automatically creates the correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.
• The rules in the table are ordered. The first rule to match decides what is done with the packet.
• Possible actions are: Allow, Drop, Reject
• Any action allows optional logging.
• If no filter rule matches, the packet is dropped and logged!
• Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
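The ordering rules above, together with the note that DNAT happens before packet filtering, are easiest to see in a small model. The following JavaScript is an added example, not Astaro code: it applies a DNAT rule in PREROUTING, then walks an ordered filter table where the first match decides and an unmatched packet is dropped and logged. The addresses, ports and rule names are constructed for the example.

```javascript
// Added example, not Astaro code: a minimal model of the packet filter
// semantics described above. DNAT is applied in PREROUTING before the
// filter rules run, rules are evaluated in order, the first match decides,
// and a packet that matches no rule is dropped and logged.
// All addresses and rules below are constructed for the example.

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Match an address specification: "any", a single IP, or a CIDR network.
function matchAddr(spec, ip) {
  if (spec === "any") return true;
  if (!spec.includes("/")) return spec === ip;
  const [net, bits] = spec.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// DNAT rule: publish an internal DMZ web server on the gateway's public IP.
const DNAT_RULES = [
  { match: { dst: "203.0.113.10", proto: "tcp", dport: 80 },
    translate: { dst: "192.168.10.20", dport: 8080 } },
];

// Ordered filter table, as maintained in WebAdmin. The rule for the DMZ
// server uses the translated (internal) address and port.
const FILTER_RULES = [
  { name: "web-to-dmz",   src: "any",        dst: "192.168.10.20", proto: "tcp", dport: 8080,  action: "allow",  log: false },
  { name: "block-telnet", src: "any",        dst: "any",           proto: "tcp", dport: 23,    action: "reject", log: true },
  { name: "lan-out",      src: "10.0.0.0/8", dst: "any",           proto: "any", dport: "any", action: "allow",  log: false },
];

// The same intent written against the public, pre-DNAT address: it never
// matches, because the filter only sees the packet after DNAT.
const MISTAKEN_RULES = [
  { name: "web-public", src: "any", dst: "203.0.113.10", proto: "tcp", dport: 80, action: "allow", log: false },
];

// PREROUTING: rewrite the destination if a DNAT rule matches.
function applyDnat(pkt, dnatRules = DNAT_RULES) {
  for (const r of dnatRules) {
    const m = r.match;
    if (pkt.dst === m.dst && pkt.proto === m.proto && pkt.dport === m.dport) {
      return { ...pkt, ...r.translate };
    }
  }
  return pkt;
}

// Filter table: the first matching rule wins; no match means drop and log.
function filterPacket(pkt, rules, log) {
  for (const r of rules) {
    const hit = matchAddr(r.src, pkt.src) && matchAddr(r.dst, pkt.dst) &&
      (r.proto === "any" || r.proto === pkt.proto) &&
      (r.dport === "any" || r.dport === pkt.dport);
    if (hit) {
      if (r.log) log.push(`${r.action.toUpperCase()} ${pkt.src} -> ${pkt.dst}:${pkt.dport} (rule ${r.name})`);
      return { action: r.action, rule: r.name };
    }
  }
  log.push(`DROP ${pkt.src} -> ${pkt.dst}:${pkt.dport} (no rule matched)`);
  return { action: "drop", rule: null };
}

// Full path for an incoming packet: PREROUTING (DNAT), then the filter table.
function processPacket(pkt, rules = FILTER_RULES, log = []) {
  return filterPacket(applyDnat(pkt), rules, log);
}

// Stand-alone demonstration with a constructed request to the published server.
const demoLog = [];
const demoPkt = { src: "198.51.100.7", dst: "203.0.113.10", proto: "tcp", dport: 80 };
console.log("translated-address rule:", processPacket(demoPkt, FILTER_RULES, demoLog));
console.log("public-address rule:    ", processPacket(demoPkt, MISTAKEN_RULES, demoLog));
console.log(demoLog.join("\n"));
```

Two things the model makes visible: a rule written for the public address silently never matches, so the published server stops answering and the live log shows default drops for the internal address; and moving the broad "lan-out" allow rule above "block-telnet" changes the verdict for the same packet, which is why rule order is reviewed whenever a rule is moved.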
Refresher ACA / Packet Filter - Configuration Principles (2)
[Screenshot: default view of the packet filter rule table. Columns: Order, Group name, Source, Action and Destination, Service, Enable/Disable, Description (optional), Edit or delete]
Refresher ACA / Packet Filter - Configuration Principles (3)
To create new or edit existing rules:
• Group: assign or create a group
• Name: name for the rule
• Position: move the rule to a specific position
• The sources: IP or Group
• The service: TCP/UDP/IP
• The destinations: IP or Group
• What to do: Allow, Drop or Reject
• When to do it: the time
• Log packets: Yes or No
• Comment: whatever helps
Refresher ACA / DNS - Configuration
• Global: accepts DNS requests from allowed, internal networks (e.g. your AD servers, clients in smaller networks)
• Forwarders: forwards DNS requests of the ASG to e.g. provider DNS servers
• Request Routing: when the ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server can be used as an alternate server to resolve names which should not be resolved by the DNS forwarders.
• Static Entries: handles static mappings of hostnames to IP addresses
Refresher ACA High Availability & Clustering / Overview
No more single point of failure!
[Diagram: LAN and Internet connected through redundant hardware, redundant switches and redundant (aggregated) links]
Refresher ACA High Availability & Clustering / HA Modes
Active-Passive HA (Standby)
• Only the Master is active; the Passive (Slave) takes over in case of failure
• Configuration settings and operational states are synchronized
• Each ASG requires its own base license. Only one set of subscriptions is necessary for both units.
Active-Active HA (Cluster)
• Offers High Availability AND load balancing
• All appliances are active at the same time
• Application traffic is actively balanced across the cluster of nodes
• A maximum of 10 units can be added to the cluster
• Each unit in the cluster requires the same licenses for both base and subscriptions
Refresher ACA High Availability & Clustering / Hot Standby Mode
[Diagram: Master and Slave with status & configuration synchronisation between them]
• All tunnels, SPF connections (IP conntrack) and quarantined objects are synchronized
• Stateful failover in < 2 sec
Refresher ACA High Availability & Clustering / Active-Active Mode
High Availability (Active/Active) (load balancing)
[Diagram: LAN and Internet; Master, Slave and cluster nodes, fully meshed. Scalable 1 Gigabit/sec VPN, IPS, AV, AS]
• The Master runs packet filtering and distributes the load; the Slave and the cluster nodes handle the load.
Note:
• Packet filtering runs on the Master only
• Balanced services are: AV for HTTP, FTP, SMTP, POP3; AS for SMTP, POP3; IPSec; IPS
• Cluster distribution is round robin, except HTTP, which is session based.
Refresher ACA High Availability & Clustering / Auto Configuration (1)
• Automatic Configuration = Default Configuration
• Both devices configure themselves upon connection through the HA port
• To configure an Active/Active cluster, only the Master needs to be configured to “Cluster Mode”
• Appliances: HA interface eth3 (HA port)
[Diagram: Master and Slave connected via the HA port (eth3)]
Refresher ACA High Availability & Clustering / Auto Configuration (2)
Step 1: Activate HA (if necessary)
• Default setting for appliances (HA port)
• If HA is active, the Status will look like this. [Screenshot]
Refresher ACA High Availability & Clustering / Auto Configuration (3)
Step 2: Connect the other HA device
• Make sure the cabling is correct
• Start the device
If everything is correct, the system switches to active/passive operation automatically. [Screenshot]
Refresher ACA High Availability & Clustering / Disabling Master-Slave
Disabling Master/Slave: switch the Operation mode back to “Off”. The slave device will perform a factory reset and shut down.
Refresher ACA High Availability & Clustering / ASG Cluster Configuration (1)
Cluster Configuration for the Master System:
• Set Operation Mode to “Cluster”
• Configure the NIC
• Configure the Device name, e.g. Node1
• Select the Node ID (1, 2, 3…)
• Configure an encryption key
• By default the Master will configure any new devices
• (Optional) Configure a backup interface which will be used if the dedicated NIC fails
Refresher ACA High Availability & Clustering / ASG Cluster Configuration (2)
Cluster Configuration for the Slave System:
• The slave system is still configured to auto configuration on eth2 from before (check, if not sure)
• Make sure the cabling is correct
• Power on the device
Once the slave is working, you can see the HA status. It will display “Operation Mode: Cluster”.
Refresher ACA / User Authentication / Groups
The Users >> Groups section on the AxG allows the administrator to create and manage local and/or remote user groups. Common group types:
• Local Groups consist of static members which are user accounts located on the AxG. These accounts can either be locally or remotely authenticated.
• Backend membership groups may be dynamically updated and modified by making changes to the group object on the remote authentication server (an example would be an AD security group).
• Use the “Limit to backend group(s) membership” checkbox to specify a specific security group or container on your remote authentication server.
• Use the built-in LDAP browser to view the remote server tree if using eDirectory or Active Directory.
Refresher ACA / Remote Authentication / Available Methods
Astaro has the following options for remote user authentication:
• eDirectory: Novell, partly LDAP based
• Active Directory: Microsoft, partly LDAP based
• RADIUS: Remote Access Dial-In User Service; Livingston Enterprises, later RFC
• TACACS+: Terminal Access Controller Access-Control System Plus; Cisco, now RFC
• LDAP: Lightweight Directory Access Protocol; OSI, X.500, now RFC
Refresher ACA / Remote Authentication / Global Settings
When using remote authentication the AxG can be configured to automatically add user accounts when users successfully authenticate against:
• HTTP Proxy
• End User Portal
• SSL VPN
• WebAdmin
NOTE: Automatically creating user accounts for HTTP Proxy users in large environments (eDirectory) is not suggested and will have an adverse effect on AxG performance.
Refresher ACA / Remote Authentication / Novell eDirectory
• With AxG V7 eDirectory SSO, Novell users only need to authenticate once at initial client login to gain web access to the Internet. Once authenticated, the Web Security capabilities of the AxG are applied to web surfing based on the user or group without the need for further authentication at the browser level.
• Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings as well as verify individual user account credentials.
Refresher ACA / Remote Authentication / Novell eDirectory
• Advanced options let you set the synch interval, which is how often the AxG will query (poll) the eDirectory server for updated account information such as logins/logouts and group changes.
• Prefetching of user accounts can be done on the fly or may be scheduled.
• As of version 7.400 the AxG software also supports Event Based eDirectory synchronization. This new feature is an eDirectory option which requires version 8.7 or higher. Event Based synchronization replaces the existing polling method, which is still used if the eDirectory server does not support this feature. Event Based synchronization instructs the eDirectory server to send notifications of any changes such as logins or logouts, and can significantly reduce the network load between the AxG and the eDirectory server.
Refresher ACA / Remote Authentication / Novell eDirectory
When creating groups from Novell eDirectory, ASG offers a very convenient eDirectory Browser. It allows you to select user groups directly through the Web Admin Interface.
NOTE:
• SSO in eDir does not work on machines where more than one user is logged in (Terminal Servers).
Refresher ACA / Remote Authentication / Active Directory
• With AxG V7 Active Directory SSO, domain users only need to authenticate once at initial client login to gain web access to the Internet. Based on the AxG V7 SSO-authenticated user, user/group based access control and content inspection profiles can be assigned.
• AD SSO requires either Kerberos or NTLMv2 for authentication.
• Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings, verify that a user account is active, and see what group it belongs to.
• Administration is eased via the built-in LDAP browser.
• Prefetching of user accounts can be done on the fly or by schedule.
Refresher ACA / Remote Authentication / Active Directory
As of version 7.400 the AxG software supports Windows Server 2008 Native mode. To enable AD SSO you must:
• Verify that the time and time zone settings are the same on both the AxG and the AD server.
• Create a DNS ‘A’ record on the AD server that matches the FQDN hostname you have assigned to the AxG.
• Configure the AxG to use the AD server as a DNS forwarder, OR create a DNS request route for the AD domain which points to the AD DNS server.
• When configuring the AD SSO section the domain must be complete (ASTARO.COM) and should be entered in ALL CAPS.
• Use the same admin username that you used in the BIND DN section.
Refresher ACA / Web Security / Overview
• Astaro’s Web Security is offered as a subscription on the ASG and as a solution on the Astaro Web Gateway (AWG).
• Astaro Web Security provides a complete solution to protect users against malicious content, and allows an organization to enforce its web usage policy through flexible policies.
• Firewalls only pass HTTP/S traffic and are unable to scan for malware such as viruses, adware, spyware and rootkits.
• HTTP/S proxies ensure client PCs never directly connect to outside resources.
• Web Security allows administrators to block anonymous proxies, port forwarding sites and applications, and to block/control IM/P2P applications.
Refresher ACA / Proxies / Theory
A Proxy (or Application Level Gateway) acts as a relay between a client and a server. It plays the roles of client and server at the same time. It speaks one or a few application-specific protocols.
[Diagram: Client -> HTTP/S Request -> Proxy -> HTTP/S Request -> Server; Server -> HTTP/S Response -> Proxy -> HTTP/S Response -> Client]
Refresher ACA Web Security / HTTP/S Proxy – Overview
The HTTP/S Proxy provides:
• Different proxy modes including user authentication
• Antivirus/malware scanning
• Extension/MIME type blocking
• Content Filtering
• HTTP/S protocol enforcement
• Local content caching
• The ability to create different profiles for different users, groups, or networks
Refresher ACA / Web Security / HTTP/S Global Configuration
• Networks that are listed in the ‘Allowed Networks’ section will be allowed to use the proxy.
• HTTPS (SSL) traffic can also be proxied and scanned. To do this the AxG needs to create and maintain the chain of trust between the client and the web server. This is done via a system of certificate exchanges.
• The HTTP/S live log provides detailed information on connections and the ability to filter on specific users or IP addresses. Information found in the Live Log includes Date, Time, Source IP, Username, Status of connection (Pass, Fail, Timed Out, Target Service Not Allowed), URL.
Refresher ACA Web Security / HTTP/S Global Configuration
HTTPS Proxy configuration
• To establish the chain of trust the HTTPS proxy uses Verification CAs and a Signing CA.
• A new tab in Web Security called HTTPS CAs contains the major global Verification CAs which are in use today and the Signing CA.
NOTE: It is also possible to upload your own Verification CA if necessary. Under most circumstances though it will not be necessary to make changes on this tab.
Refresher ACA Web Security / HTTP/S Global Configuration HTTPS Proxy configuration/testing To use the HTTPS proxy the client browsers will need to import or “Trust” the Proxy CA that exists on their AxG. There are 3 ways administrators can deploy this to their users: Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option-boxes and select “OK”, and the import will finish. Note that you should do this for all browsers you use. Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web SecurityHTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” Button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users. Have the users directly download it via a special URL directly from the Astaro Device, by navigating to https://passthrough.fwnotify.net/cacert.pem in their browser, and then selecting all the checkboxes on the import dialog box, and selecting “Ok” to complete the process. Once deployed the HTTPS scanning can be verified by using a test file from a site that vendors use. This file will be reported as “malware/virus” though it is in fact harmless and designed just for this type of testing. https://secure.eicar.org/eicar_com.zip. © Astaro 2004/ ACE_V7.4
Refresher ACA / Web Security / HTTP/S Operational Modes
Standard Proxy
- Listens on port 8080
- Allows any network listed in Allowed Networks to connect
- The client browser must be configured to use the proxy
- The HTTP proxy service requires a working DNS server configured on the AxG, because the proxy resolves hostnames on behalf of the clients
Transparent Proxy
- Handles all traffic on port 80; the client does not need to touch the browser configuration
- The proxy cannot handle FTP and HTTPS in this mode; the packet filter must allow ports 21 and 443 if clients need them
- HTTP on ports other than 80 is not proxied
- Clients must be able to resolve DNS hostnames themselves!
* Full transparent mode preserves the original source IP of the client machine instead of replacing it with the proxy IP.
Refresher ACA / Web Security / HTTP/S Operational Modes
Active Directory and eDirectory modes authenticate users transparently (single sign-on), but require that the client browser has been configured to use the proxy server. These settings can be configured manually in the browser or pushed out by a group policy. A popular alternative for environments with laptop users is a proxy auto-configuration (PAC) file, which can be written to first check whether the client is on the local network before applying the proxy settings; off-site the laptop then connects directly. More information and examples can be found at the following URL: http://en.wikipedia.org/wiki/Proxy_auto-config
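As an added example (not part of the courseware or of Astaro's software), a PAC file of the kind described above. The browser calls FindProxyForURL(url, host) for every request; on the corporate LAN the script returns the ASG standard proxy, off-site it returns DIRECT. The proxy address 192.168.10.1:8080, the LAN 192.168.10.0/24, the internal domain corp.example and the simulated client address are assumptions. The shims at the end exist only so the file also runs under Node for testing; a browser's PAC engine provides these functions itself.

```javascript
// Proxy auto-config (PAC) script: an added example, not code from the Astaro
// courseware. The browser calls FindProxyForURL(url, host) for every request.
// Assumed values: ASG standard proxy 192.168.10.1:8080, corporate LAN
// 192.168.10.0/24, internal DNS domain corp.example.
var ASG_PROXY = "PROXY 192.168.10.1:8080";
var LAN_NET = "192.168.10.0";
var LAN_MASK = "255.255.255.0";

function FindProxyForURL(url, host) {
  // The HTTP/S proxy only handles HTTP and HTTPS; other schemes (ftp:, ...)
  // are left to the packet filter.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return "DIRECT";
  }
  // Plain intranet names and the internal domain never leave the LAN and
  // bypass the proxy no matter where the client is.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // RFC 1918 destinations given as IP literals stay direct as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Check the client's own address first: on the corporate LAN, Internet
  // traffic has to go through the ASG. Deliberately no "; DIRECT" fallback:
  // if the proxy is down, the content filter must not be bypassed silently.
  if (isInNet(myIpAddress(), LAN_NET, LAN_MASK)) {
    return ASG_PROXY;
  }
  // Laptop is off-site (home, hotel): no ASG reachable, connect directly.
  return "DIRECT";
}

// --- Shims so the file also runs under Node for testing. A browser's PAC
// engine defines these natively, in which case the assignments are skipped.
function ip2int(ip) {
  return ip.split(".").reduce(function (acc, o) { return acc * 256 + Number(o); }, 0);
}
var g = globalThis;
if (typeof g.isPlainHostName !== "function") {
  g.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof g.dnsDomainIs !== "function") {
  g.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
}
if (typeof g.shExpMatch !== "function") {
  g.shExpMatch = function (str, pattern) {
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}
if (typeof g.isInNet !== "function") {
  // The shim only handles dotted-quad hosts; browsers also resolve names here.
  g.isInNet = function (host, net, mask) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    var m = ip2int(mask);
    return (ip2int(host) & m) === (ip2int(net) & m);
  };
}
if (typeof g.myIpAddress !== "function") {
  // Simulated client address for tests; a real browser reports its own IP.
  g.myIpAddress = function () { return "192.168.10.57"; };
}
```

The order of the checks matters: destinations that must never go through the proxy are excluded before the client's location is tested, and inside the LAN the result contains no DIRECT fallback, so a proxy outage is noticed instead of quietly bypassing the content filter (the packet filter should block direct port 80/443 access from clients for the same reason).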
Refresher ACA / Web Security / Content Filter Profiles: HTTP Content Filter Profiles
HTTP/S Profiles allow you to create different permissions for different users, groups and/or networks. The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.
Refresher ACA / Web Security / Content Filter Profiles
Flexible configuration is possible through Proxy Profiles and Filters. Each Profile holds a combination of options and settings and allows for time-, user- and user-group-based filtering. The suggested way to create profiles is to work from right to left: first create your Filter Actions, then your Filter Assignments, and finally your Proxy Profiles, so that every object you reference already exists.
Refresher ACA / Email Security / Mail Manager: Overview/Global tab
The Mail Manager allows you to view and manage the quarantined SMTP and POP3 messages of all users. Additionally you can view the SMTP log, which contains a record of all messages handled by the AxG. Statistics on the Global tab list e-mails Waiting for Delivery, Quarantined and Rejected. The Mail Manager utility is reached by clicking the "Open Mail Manager in New Window" button.
HINT: Only the administrator can release every type of message held in quarantine. End users can only release spam, using the User Portal or the Quarantine Report; messages quarantined for malware or expression matches stay under administrative control.
Refresher ACA / Email Security / Mail Manager: SMTP Quarantine
The SMTP Quarantine option lets the administrator view all SMTP mails being held in quarantine and shows why each of them was not delivered. Filters are available to sort mails by type (Malware, Spam, Expression, ...) and to search by sender, subject, date or any phrase. Global actions for cleanup and release are available.
HINT: Spam false positives that were incorrectly quarantined by the heuristic engine can be automatically released and reported back to Commtouch, so that the classification improves.
Refresher ACA / Email Security / Mail Manager: SMTP Spool / Tips
The SMTP Spool option lets the administrator view all SMTP mails that have been processed but not yet delivered. The AxG Mail Manager also features Tips, which offer guidance or explain terms.
Refresher ACA / Email Security / Mail Manager: SMTP Log
The SMTP Log section displays an entry for every e-mail processed by the AxG. Messages can be sorted by Reason or Result.
Refresher ACA / Remote Access / Astaro SSL VPN Client
- Based on OpenVPN (32-bit version). For 64-bit operating system support download the latest OpenVPN client and configure it as described in the following KB article: http://portal.knowledgebase.net/article.asp?article=299973&p=5956
- Uses TLS, the current version of SSL
- Proven technology, used for all Internet applications
- Offers secure and stable authentication and encryption
- Easy client installation and configuration
- Platform-independent client application: Windows, Linux, Mac OS X, Solaris, OpenBSD, FreeBSD, NetBSD, ...
- Accessible from anywhere: via NAT, UMTS, GPRS, DSL, ... and with dynamic IP addresses
Refresher ACA / SSL-based Remote Access / Configuration: Global
Enable the SSL Remote Access status. Drag and drop the Users or Group objects that are allowed to connect, and drag and drop the Local Networks these users should be able to access. If you clear "Automatic Packet Filter rules", you have to create the packet filter rules manually in the Network Security >> Packet Filter section; until then connected clients cannot reach the local networks.
Refresher ACA / SSL-based Remote Access / Configuration: Settings
The Server Settings allow you to choose:
- The protocol (TCP or UDP). UDP is much quicker, but does not get through every environment; TCP on port 443 passes most restrictive networks.
- The port number (443 by default). Change it if port 443 is already used by a NAT rule.
- The Override hostname field must contain a valid IP address or a hostname that clients can resolve from outside!
- Pool network: by default addresses are assigned from the private IP space 10.242.2.x/24, the network called VPN Pool (SSL). To use a different network, simply change the definition of VPN Pool (SSL) on the Definitions > Networks page.
- Duplicate CN allows several clients to connect at the same time with the same user certificate (common name). Leave it disabled unless you need it, since it also lets a copied certificate be used in parallel with the legitimate one.
Refresher ACA / SSL-based Remote Access / Installing the SSL VPN Client on Windows: Installing the SSL VPN Client Software
The installation wizard copies all needed files to the client system. A virtual network card (the OpenVPN TAP adapter) is installed during the installation process. Since its driver is not certified by Microsoft, a driver-signing warning appears; it can be accepted for the client package downloaded from the User Portal of your own AxG.
Refresher ACA / SSL-based Remote Access / Installing the SSL VPN Client on Windows: Using the SSL Client
Log in with username and password. The connection dialogue box allows you to monitor the set-up of the connection. SSL VPN Remote Access can be disconnected by clicking the disconnect icon.
Refresher ACA / SSL-based Remote Access / Installing the SSL VPN Client on Windows: Connectivity Testing
Log in with username and password and watch the connection dialogue box while the tunnel is set up. SSL VPN Remote Access can be disconnected by clicking the disconnect icon.
Refresher ACA / SSL-based Remote Access / Installing the SSL VPN Client on Windows: Configuration analysis & troubleshooting
The client's log provides all details regarding authentication, encryption, routing, etc., and shows detailed log information depending on
Refresher ACA / SSL-based Remote Access / Configuring logon scripts to run automatically
There are three scripts the SSL VPN GUI can execute to help with tasks like mapping network drives automatically. In each case *** stands for the name of your OpenVPN config file:
- Preconnect: a file named "***_pre.bat" in the config folder is executed BEFORE the OpenVPN tunnel is established.
- Connect: a file named "***_up.bat" in the config folder is executed AFTER the OpenVPN tunnel is established.
- Disconnect: a file named "***_down.bat" in the config folder is executed BEFORE the OpenVPN tunnel is closed.
Note that the config directory may be named something like 'user@domain.com'. To use the _up.bat mechanism you must rename both this directory and the OpenVPN configuration file it contains to a name without special characters such as '@', e.g. 'userdomain.com'. Once this is done, put your 'userdomain_up.bat' file into this directory and it will launch when you run the SSL VPN application. These scripts run with the privileges of the logged-in user on every connect, so the config folder must not be writable by other users.
Network
In this chapter you will learn about features not covered by the ACA course: VLAN, Link Aggregation, Bridging, Policy Routing, OSPF, QoS
Networking / VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2). A VLAN-capable switch plus a VLAN-capable network interface simulate a number of physical interfaces plus cabling. Every segment is identified by a "tag" (an integer number). Adding a VLAN interface on the ASG creates a virtual hardware device.
Example: PC1 and PC2 on the first floor and PC4 on the second floor are connected together on VLAN 10. PC3, PC5 and PC6 are connected together on VLAN 20. The two VLANs can only communicate with each other through the ASG's rule base.

Switch a
Port       VLAN Tag   tagged/untagged
1          10, 20     T
2 (PC1)    10         U
3 (PC2)    10         U
4 (PC3)    20         U
5          10, 20     T

Switch b
Port       VLAN Tag   tagged/untagged
1          10, 20     T
2 (PC4)    10         U
3 (PC5)    20         U
4 (PC6)    20         U

Figure: Host1-Host3 on switch a (ports a2-a4) and Host4-Host6 on switch b (ports b2-b4); ports a1/b1 and a5 are the tagged (trunk) ports, the Firewall and a Router complete the diagram.
Networking / VLAN (2)
VLAN segments are distinguished by a tag, a 12-bit integer in the 802.1Q header. IDs 0 and 4095 are reserved, which leaves 4094 usable VLAN IDs (1-4094). When you add a VLAN interface, you create a virtual hardware device to which additional interfaces (aliases) can be added as well.
NOTES:
- It is essential to check the HCL to ensure that the VLAN-capable NIC is supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
Networking / Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") aggregates multiple Ethernet ports into one virtual interface. The Link Aggregation sublayer distributes outgoing frames across the member ports and collects incoming frames; the member ports negotiate the group with the link partner via the Link Aggregation Control Protocol (LACP).
Aggregated ports appear as a single interface with a single MAC and IP address. Link aggregation is useful to increase the link speed beyond that of any single NIC (the aggregate throughput grows; a single connection still stays on one member link) and to provide basic failover and fault tolerance by redundancy: all traffic routed over a failed port or switch is automatically re-routed to the remaining ports or switches, and the failover is completely transparent to the systems using the connection.
NOTES:
- In an HA environment the Ethernet connections can even be on different HA units.
- Link partners must support IEEE 802.3ad.
- LA and Bridging cannot be combined.
- LA cannot work with DSL.
Networking / Link Aggregation using ASG
Link aggregation allows you to have two links trunked for speed, or two links in redundancy mode.
Requirement: the link partner (the switch) needs to support Link Aggregation.
Networking / Link Aggregation – Configuration (1)
IEEE 802.3ad Link Aggregation can be used for link trunking (for speed), link redundancy (for high availability) or a combination of both.
To enable Link Aggregation, add links to the group. Astaro supports up to 4 Link Aggregation Groups.
Networking / Link Aggregation – Configuration (2)
Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible. To create a link aggregation group (LAG), proceed as follows:
1. Decide which unconfigured interfaces you want to convert into a link aggregation group.
2. Select the check box of each of these interfaces to add it to the LAG.
3. Enable the LAG.
On top of the bonding interface you can create one of the following: Ethernet Standard, Cable Modem (DHCP), Ethernet VLAN, Alias interfaces.
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group. The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab. The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG is used for all other NICs within the LAG.
Networking / Bridging – Overview (1)
Bridging occurs at the link layer (OSI layer 2). The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing and manages access to the physical medium. Bridges analyze incoming frames, make forwarding decisions based on the information contained in the frames (the destination MAC address) and forward the frames toward their destination.
NOTE: Bridging allows you to integrate the ASG into an existing network without splitting it into two subnets.
Figure: integrating the ASG either by splitting the subnet (routed) or by keeping the subnet (bridged).
Networking / Bridging – Overview (2)
A bridge transparently relays traffic between multiple network interfaces. Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.
How it works: the default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1; 172.16.1.1 is the address of the bridge interface br0, whose ports are eth1 and eth2.
NOTE: All devices must use the same maximum packet size (MTU), since the bridge does not fragment packets; an oversized frame is simply dropped.
Networking / Bridging – Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works: when ethX interfaces are added to a bridge, they become ports of the br0 interface. The Linux 2.6 kernel has built-in support for bridging; the ebtables project provides filtering of Ethernet frames on the bridge and has only very basic IPv4 support. Bridge-nf is the infrastructure that lets iptables/netfilter see bridged IPv4 packets and do advanced things like transparent IP NAT: it forces bridged IP packets through the iptables chains, which is what makes the packet filter rules apply to bridged traffic as well.
Networking / Bridging – Configuration (1) Configuration Example:
Networking / Bridging – Configuration (2)
There are two advanced options available: Allow ARP Broadcasts and Ageing timeout.
By default, ARP broadcasts are not allowed to pass across the bridged interfaces. If needed, enable the Allow ARP Broadcasts option.
Since the network can change, you need to specify when a learned entry is removed from the bridge's forwarding table due to inactivity; this is the Ageing timeout.
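As an added example (not code from the courseware or the ASG), a learning bridge that behaves like br0 above: it learns source MAC addresses per port, forwards known unicast frames to one port, floods unknown unicast and broadcast frames, ages out entries after the ageing timeout, and drops frames that exceed the egress port's MTU because a bridge does not fragment. Port names, MAC addresses and the times (in seconds) are constructed.

```javascript
// Added example: a learning bridge with ageing timeout and MTU check.
// Not code from the Astaro courseware or the ASG; all inputs are constructed.
class LearningBridge {
  constructor(ports, ageingSeconds) {
    this.ports = ports;                 // [{ name: "eth1", mtu: 1500 }, ...]
    this.ageing = ageingSeconds;        // the "Ageing timeout" option
    this.fdb = new Map();               // forwarding table: mac -> { port, lastSeen }
  }

  // Remove forwarding entries that were not refreshed within the ageing timeout.
  expire(now) {
    for (const [mac, entry] of this.fdb) {
      if (now - entry.lastSeen > this.ageing) this.fdb.delete(mac);
    }
  }

  // Handle one frame arriving on inPort; returns the names of the egress ports.
  receive(inPort, srcMac, dstMac, frameLen, now) {
    this.expire(now);
    // Learn the source. A host that moved to another port is updated at once,
    // so the table follows cabling changes; idle hosts age out.
    this.fdb.set(srcMac, { port: inPort, lastSeen: now });

    const isGroup = (parseInt(dstMac.slice(0, 2), 16) & 1) === 1;  // broadcast/multicast
    const known = this.fdb.get(dstMac);
    let egress;
    if (!isGroup && known) {
      // Known unicast: forward only towards the learned port, never back out
      // of the port the frame arrived on.
      egress = known.port === inPort ? [] : [known.port];
    } else {
      // Unknown unicast, broadcast, multicast: flood to all other ports.
      egress = this.ports.filter(p => p.name !== inPort).map(p => p.name);
    }
    // No fragmentation on a bridge: frames larger than the egress MTU are dropped.
    const mtuOf = name => this.ports.find(p => p.name === name).mtu;
    return egress.filter(name => frameLen <= mtuOf(name));
  }
}
```

Flooding of unknown destinations is the reason the ageing timeout matters: a very short timeout makes the bridge flood constantly (every host can then see every other host's traffic), a very long one keeps stale entries that black-hole a host after it moved ports.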
Networking / Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of packets based on policies defined by the network administrator. It is a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing, which is based on the destination IP address only.
Figure: LAN 1, LAN 2 (ERP/Finance) and DMZ 1 (SMTP) behind the ASG; two upstream routers lead to Provider A (MPLS) and Provider B (DSL).
Example:
- Route ERP traffic from Finance to the MPLS provider: interface = any, service = SAP, source = Finance, target = Provider A
- Route SMTP traffic from the DMZ to the DSL provider: interface = 2, service = SMTP, source = DMZ1, target = Provider B
Networking / Policy Based Routing (2)
Policy-based routing selects packets by: Destination, Source, Service, Source Interface.
Policy-based routing sends the selected packets to a target: an interface or a host (gateway).
Limitations:
- It is not possible to select all traffic and route it, as this would be a default gateway.
- Policy routes have an order and are evaluated in the same way as the packet filter (top to bottom, first match wins).
- Only user-defined policy routes are possible.
- Network groups cannot be used in policy routes.
The following benefits can be achieved by implementing policy-based routing: load sharing, cost savings, source-based transit provider selection, quality of service (QoS).
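As an added example (not code from the courseware or the ASG), the evaluation model of the two slides above: policy routes are checked top to bottom on source, destination, service and source interface, the first match decides the target, and only packets no policy route selects fall through to normal destination-based routing. The addresses (Finance 10.1.2.0/24, DMZ1 10.1.3.0/24), interface names and the SAP port tcp/3200 are assumptions.

```javascript
// Added example: ordered policy-route evaluation with fallback to the
// destination-based routing table. Not code from the courseware or the ASG;
// networks, interface names and the SAP port are assumptions.
function ip2int(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip2int(ip) & mask) >>> 0) === ((ip2int(net) & mask) >>> 0);
}

// A policy route selects by destination, source, service and source interface
// (an unset selector means "any") and sends matching packets to a target.
function validatePolicyRoute(r) {
  if (r.dst === undefined && r.src === undefined && r.service === undefined && r.inIf === undefined) {
    throw new Error("policy route would match all traffic; use the default gateway instead");
  }
  if (Array.isArray(r.src) || Array.isArray(r.dst)) {
    throw new Error("network groups are not allowed in policy routes");
  }
  return r;
}
function matches(r, pkt) {
  return (r.inIf === undefined || r.inIf === pkt.inIf) &&
         (r.src === undefined || inCidr(pkt.src, r.src)) &&
         (r.dst === undefined || inCidr(pkt.dst, r.dst)) &&
         (r.service === undefined || (r.service.proto === pkt.proto && r.service.port === pkt.dport));
}

// Normal routing: longest prefix match on the destination only.
function routeByDestination(table, dst) {
  let best = null;
  for (const route of table) {
    const bits = Number(route.net.split("/")[1]);
    if (inCidr(dst, route.net) && (best === null || bits > best.bits)) best = { bits, via: route.via };
  }
  return best ? best.via : null;
}

function routePacket(pkt, policyRoutes, table) {
  for (const r of policyRoutes) {                       // top to bottom, first match wins
    if (matches(r, pkt)) return { via: r.target, by: "policy" };
  }
  return { via: routeByDestination(table, pkt.dst), by: "destination" };
}

// The slide's two policy routes with assumed concrete values.
const POLICY_ROUTES = [
  { src: "10.1.2.0/24", service: { proto: "tcp", port: 3200 }, target: "Provider A" },            // ERP (SAP) from Finance
  { inIf: "eth2", src: "10.1.3.0/24", service: { proto: "tcp", port: 25 }, target: "Provider B" }, // SMTP from DMZ1
].map(validatePolicyRoute);
const ROUTING_TABLE = [
  { net: "10.1.0.0/16", via: "local" },
  { net: "0.0.0.0/0", via: "Provider B" },             // default gateway
];
```

Note what the first policy route does to SAP traffic from Finance to an internal destination: it has no destination selector, so it matches and the packet is sent to Provider A instead of staying local. Policy routes for a provider should either carry a destination selector or sit below a route that catches internal traffic.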
OSPF / Overview
OSPF = Open Shortest Path First
- Link-state hierarchical routing protocol; uses Dijkstra's SPF algorithm to calculate the shortest path tree.
- Open standard, developed by the IETF. ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net).
- Interior Gateway Protocol (IGP) for routing within one autonomous system (AS).
- OSPF uses cost as its routing metric, e.g. the reference bandwidth of 10^8 divided by the bandwidth of the interface in bits per second (a 100 Mbit/s link gets cost 1, a 10 Mbit/s link cost 10). The cost of an OSPF-enabled interface indicates the overhead required to send packets across it and is inversely proportional to the bandwidth of that interface. With this reference bandwidth every link of 100 Mbit/s or faster gets the minimum cost 1, so faster links are not preferred unless the reference bandwidth is raised.
A link state database of the network topology is constructed which is identical on all routers in the area. Since every router computes its routes from the same database, OSPF guarantees loop-free routing.
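As an added example (not code from the courseware or from Quagga), the cost metric and the SPF calculation described above on a small constructed link-state database: interface costs derive from the reference bandwidth, Dijkstra's algorithm builds the shortest path tree from the root router, and every equal-cost first hop is kept, which is what load balancing over paths with equal cost uses. Router names and bandwidths are constructed.

```javascript
// Added example: OSPF-style interface cost and Dijkstra's SPF over a constructed
// link-state database. Not code from the courseware or Quagga.
const REFERENCE_BANDWIDTH = 1e8;   // 10^8 bit/s, as on the slide

// cost = reference bandwidth / interface bandwidth, integer, at least 1.
function interfaceCost(bandwidthBps, reference = REFERENCE_BANDWIDTH) {
  return Math.max(1, Math.floor(reference / bandwidthBps));
}

// LSDB: every router lists its links as { to, bps }. Both directions are
// listed here, as a real adjacency is advertised by both routers.
const LSDB = {
  R1: [{ to: "R2", bps: 100e6 }, { to: "R3", bps: 10e6 }, { to: "R5", bps: 100e6 }],
  R2: [{ to: "R1", bps: 100e6 }, { to: "R4", bps: 100e6 }],
  R3: [{ to: "R1", bps: 10e6 }, { to: "R4", bps: 100e6 }],
  R4: [{ to: "R2", bps: 100e6 }, { to: "R3", bps: 100e6 }, { to: "R5", bps: 100e6 }],
  R5: [{ to: "R1", bps: 100e6 }, { to: "R4", bps: 100e6 }],
};

// Dijkstra from root. Returns { dist: { router: cost }, nextHops: { router: [first hop, ...] } }.
// Equal-cost paths keep every first hop (ECMP).
function spf(lsdb, root, reference = REFERENCE_BANDWIDTH) {
  const dist = {}, nextHops = {}, done = new Set();
  for (const r of Object.keys(lsdb)) { dist[r] = Infinity; nextHops[r] = []; }
  dist[root] = 0;
  for (;;) {
    // Pick the cheapest router not yet in the tree.
    let u = null;
    for (const r of Object.keys(lsdb)) {
      if (!done.has(r) && dist[r] < Infinity && (u === null || dist[r] < dist[u])) u = r;
    }
    if (u === null) break;
    done.add(u);
    for (const link of lsdb[u]) {
      const v = link.to;
      const candidate = dist[u] + interfaceCost(link.bps, reference);
      const hops = u === root ? [v] : nextHops[u];   // first hop(s) on the way to v via u
      if (candidate < dist[v]) {
        dist[v] = candidate;
        nextHops[v] = [...hops];
      } else if (candidate === dist[v] && !done.has(v)) {
        for (const h of hops) if (!nextHops[v].includes(h)) nextHops[v].push(h);
      }
    }
  }
  return { dist, nextHops };
}
```

From R1 the slow 10 Mbit/s link to R3 costs 10, so R3 is reached for cost 3 via R4, and R4 itself has two equal-cost first hops (R2 and R5) over which traffic can be balanced.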
OSPF / Features & Benefits
- Area concept for hierarchical topologies and reduced CPU and memory consumption of routers
- Independent of IP subnet classes (classless)
- Arbitrary, dimensionless metric
- Load balancing over paths with equal cost
- Special reserved multicast addresses reduce the impact on non-OSPF devices
- Authentication of routing updates
- External route tags
- TOS routing possible
- Fast database reconciliation after topology changes
- Support for large networks
- Low susceptibility to faulty routing information
OSPF / ASG Configuration – OSPF-ID
The OSPF-ID (router ID) uniquely identifies the router within the OSPF domain. It is denoted in x.x.x.x format and is typically one of the router's own addresses, e.g. its official address.
OSPF / ASG Configuration – OSPF Area
Before you can enable the OSPF function, you must have at least one OSPF area configured. Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.
OSPF / ASG Configuration – OSPF Interfaces (1)
The OSPF interface defines Interfaces that can be used to announce OSPF networks.
OSPF / ASG Configuration – OSPF Interfaces (2)
The OSPF interface must be added to the area that will be announced
OSPF / ASG Configuration – OSPF Interfaces (3)
The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces etc. in pop-up windows.
Quality of Service / Working Principle
Quality of Service (QoS) can reserve guaranteed bandwidth for certain types of outbound network traffic passing between two points in the network. Only outbound traffic can really be shaped, since a device cannot control how fast others send to it; inbound traffic is optimized internally by queueing techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).
Figure: Headquarter (ASG left) and Branch Office (ASG right), once without and once with traffic shaping.
Quality of Service / Features and Benefits
QoS allows you to limit the available bandwidth and to guarantee a minimum bandwidth. It works per interface, per subnet/host and per service.
Define traffic directions carefully: shaping applies to the traffic leaving an interface. A download from the Internet to an internal client (e.g. HTTP and FTP downloads from ANY) enters on the external NIC and leaves through the internal NIC, so from the internal NIC's view it is outbound; uploads are outbound from the external NIC's view. Choose the interface according to the direction you want to shape.
Quality of Service / Configuration
Status: The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.
Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.
Bandwidth Pools: Internal and external bandwidth pools describe the bandwidth shared by multiple sources. Bandwidth pools can also specify upper bandwidth limits.
Quality of Service / Configuration: Status Overview
Displays all available interfaces. Define the available physical bandwidth, i.e. the guaranteed uplink and downlink bandwidth for any interface, e.g. the DSL line. The values must reflect the real line speed: if they are too high the shaper never becomes the bottleneck and has no effect, if they are too low bandwidth is wasted. By default, QoS is disabled for each interface.
Quality of Service / Configuration: Traffic Selectors
Traffic Selectors describe which traffic is to be accounted. The description contains the source of the traffic, its destination and its service. TOS/DSCP allows the "Type of Service" and "DiffServ" markings in the traffic to be honoured; keep in mind that these markings are set by the sender and can be forged by any client, so only trust them from hosts you control. It is possible to build groups of Traffic Selectors.
Quality of Service / Configuration: Bandwidth Pools
Bandwidth Pools describe the available and the guaranteed bandwidth for the available interfaces.
Networking Review Questions
Networking / Review Questions
1. How many VLANs can you create on an ASG interface? The VLAN tag is a 12-bit number; IDs 0 and 4095 are reserved, so up to 4094 VLANs (IDs 1-4094) can be created on each interface.
2. What are two major benefits of link aggregation? A LAG can be used to increase the link speed beyond the speed of any single NIC, and to provide basic failover and fault tolerance by redundancy.
3. On which OSI layer does bridging occur? Bridging occurs at the link layer (OSI layer 2).
4. Name some of the benefits of using OSPF. OSPF guarantees loop-free routing; support for very large networks; low susceptibility to faulty routing information; load balancing over paths with equal cost.
5. What are the two major benefits of using QoS? Limiting the available bandwidth and guaranteeing a minimum bandwidth.
Network Security
In this chapter you will learn about the network security features not covered by the ACA course: Full NAT, Generic Proxy, SOCKS Proxy, Ident Proxy
Network Security / NAT / Full NAT
A Full NAT is a NAT rule that alters both the source and the destination address of a single packet traversing the ASG. A Full NAT does not make traffic initiated on either side of the ASG possible with one rule: you still need a DNAT and an SNAT for that! A Full NAT rule is generally used in a network in which the routes on the internal network would prevent a packet's return traffic from being routed back to the ASG. Two common topologies require the use of a Full NAT: Two Gateways on the Network, and Routes Do Not Allow Return Traffic. The price is that the server no longer sees the real client address, only the ASG's, which matters for its logs and for any access control it does by source IP.
Network Security / NAT / Two Gateways on the Network
In this example the internal host uses two gateways, and its default gateway is set to the other router. Notice that without the Full NAT rule the return packet goes out through the default gateway:
A) Traffic is initiated from the Internet to an internal host.
B) The ASG DNATs the packet to the internal server; note that the public source IP of the packet stays intact.
C) The server sends the return traffic to its default gateway, the other router, not the ASG.
D) The packet may still reach the client, but the ASG never sees it and cannot reverse the DNAT, so the session is broken.
Network Security / NAT / Routes Do Not Allow Return Traffic
In this example a switch connects a host and a server. If the host connects to the server's public (external) IP address, the session breaks unless a Full NAT rule is used:
1) The PC sends a request to the internal server's public IP address.
2) The ASG DNATs the packet.
3) The ASG routes the packet to the proper server.
4) The server has a direct route to the host and replies to it directly, bypassing the ASG and breaking the session.
4a) If you use a Full NAT, the source address is rewritten to the ASG's, so the server replies to the ASG.
4b) The ASG then routes the reply normally and the session stays intact.
Network Security / Advanced
The Generic Proxy is another option when private networks are being used.
SOCKS is an Internet protocol that allows clients to use the services of a firewall transparently; the name is short for "SOCKetS".
The Ident protocol is specified in RFC 1413 and helps identify the user of a particular TCP connection.
Network Security / Generic Proxy
Works as a port forwarder and combines features of DNAT and masquerading: all incoming traffic for a specific service is forwarded to an arbitrary server. The difference from a standard DNAT is that the generic proxy also replaces the source IP address of the request with the IP address of the ASG interface used for the outgoing connection, so the server always replies to the ASG regardless of its routing. In addition, the destination (target) port number can be changed as well.
Network Security / SOCKS
What is it used for? SOCKS can build TCP and UDP connections for client applications, can provide incoming ports to listen on, and is used with systems that incorporate NAT.
Where is it used? IM clients such as ICQ and AIM, FTP, RealAudio.
Astaro Security Gateway supports SOCKSv5. User authentication can be used, and should be, since an unauthenticated SOCKS proxy relays connections for anyone who can reach it.
Network Security / IDENT Relay
IDENT is an older protocol that allows external servers to associate a username with a TCP connection. It is not very secure: the connection is not encrypted and the answer is not authenticated, so nobody should rely on it for access control. It is still necessary for some services like IRC and some mail servers, which otherwise delay or reject the connection. Astaro responds with the string you specify as the default response, so no real usernames are disclosed. Hence the configuration is rather simple; it offers:
- Configuration of the string to answer with
- Optionally the possibility to forward ident requests to the internal clients (which is not always possible)
Network Security / Review Questions
1. Why would you use a Full NAT rule? Full NAT is generally used in two scenarios: when there are two gateways on the network, and when the existing routes do not allow return traffic to reach the ASG.
2. What is the difference between DNAT and the generic proxy? DNAT replaces the destination IP of a connection, while the generic proxy also replaces the source IP with the IP of the ASG interface used for the outgoing connection.
3. What version of SOCKS does the ASG support? The ASG supports SOCKS v5.
4. What is a major disadvantage of IDENT? IDENT connections are not encrypted.
VoIP Security
In this chapter you will learn how SIP and H.323 security work.
VoIP Security / SIP/H.323 Security
SIP and H.323 are so-called signaling protocols, designed to notify the communication partners in telephony-like connections. The signaling messages carry information about the state of the connection, like "INVITE", "RINGING" or "HANGUP", while the actual voice connection takes place on dynamic ports negotiated in those messages. Astaro's VoIP Security uses special connection tracking helper modules that monitor the control channel to learn which dynamic ports are in use, and only allows those ports to pass traffic while the call exists, instead of leaving a wide UDP port range permanently open.
Figure: SIP call set-up between Rick (IP-A) and Cory (IP-B), in time order:
1. Rick -> Cory (to IP-B, PORT-S): INVITE Cory@IP-B with the SDP lines "c=IN IP4 IP-A" and "m=audio 2000 RTP/AVP 0"
2. Cory -> Rick (to IP-A, PORT-S): 200 OK with the SDP lines "c=IN IP4 IP-B" and "m=audio 4000 RTP/AVP 3"
3. Audio stream from Cory to IP-A, port 2000
4. Audio stream from Rick to IP-B, port 4000
To configure VoIP Security, client and server network definitions need to be made.
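As an added example (not code from the courseware, the ASG or the kernel's SIP connection tracking helper), a simplified helper doing what the two slides above describe: it watches the SIP control channel, reads the RTP address and port from the SDP offer in the INVITE and the answer in the 200 OK, opens UDP pinholes for exactly those endpoints (RTP and the RTCP port one above), and closes them on BYE. The messages, the addresses (IP-A = 192.0.2.10, IP-B = 198.51.100.20) and the Call-ID are constructed.

```javascript
// Added example: a minimal SIP/SDP connection tracking helper. Not code from
// the Astaro courseware, the ASG or the Linux kernel; messages are constructed.

// Parse a SIP message into { method, callId, media: [{ type, addr, port }] }.
// For responses "method" is the status code ("200").
function parseSip(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const method = lines[0].startsWith("SIP/2.0") ? lines[0].split(" ")[1] : lines[0].split(" ")[0];
  const headers = {};
  for (const l of lines.slice(1)) {
    const i = l.indexOf(":");
    if (i > 0) headers[l.slice(0, i).trim().toLowerCase()] = l.slice(i + 1).trim();
  }
  return { method, callId: headers["call-id"], media: parseSdpMedia(body) };
}

// Session-level c= applies to every m= line unless a media-level c= follows it.
function parseSdpMedia(sdp) {
  const media = [];
  let sessionAddr = null;
  for (const line of sdp.split("\r\n")) {
    const c = line.match(/^c=IN IP4 (\S+)/);
    const m = line.match(/^m=(\w+) (\d+) /);            // e.g. m=audio 2000 RTP/AVP 0
    if (c) {
      if (media.length === 0) sessionAddr = c[1]; else media[media.length - 1].addr = c[1];
    } else if (m) {
      media.push({ type: m[1], port: Number(m[2]), addr: sessionAddr });
    }
  }
  return media;
}

class SipRtpHelper {
  constructor() {
    this.calls = new Map();   // Call-ID -> { offer: media[], pinholes: [] }
  }
  // Feed every SIP message seen on the control channel, both directions.
  observe(raw) {
    const msg = parseSip(raw);
    if (msg.method === "INVITE" && msg.media.length) {
      this.calls.set(msg.callId, { offer: msg.media, pinholes: [] });
    } else if (msg.method === "200" && this.calls.has(msg.callId) && msg.media.length) {
      const call = this.calls.get(msg.callId);
      call.pinholes = [];
      msg.media.forEach((answer, i) => {
        const offer = call.offer[i];
        if (!offer || answer.port === 0) return;           // media stream rejected by the callee
        // RTP on the announced port, RTCP on port + 1, both directions.
        for (const delta of [0, 1]) {
          call.pinholes.push({ a: offer.addr, ap: offer.port + delta, b: answer.addr, bp: answer.port + delta });
        }
      });
    } else if (msg.method === "BYE") {
      this.calls.delete(msg.callId);                         // pinholes close with the call
    }
  }
  // Packet filter decision for a UDP datagram: allowed only if it matches an
  // open pinhole in either direction. Both endpoints are matched here, which
  // is stricter than helpers that only expect the destination.
  isAllowed(srcIp, srcPort, dstIp, dstPort) {
    for (const call of this.calls.values()) {
      for (const p of call.pinholes) {
        if ((srcIp === p.a && srcPort === p.ap && dstIp === p.b && dstPort === p.bp) ||
            (srcIp === p.b && srcPort === p.bp && dstIp === p.a && dstPort === p.ap)) return true;
      }
    }
    return false;
  }
}

// Constructed exchange from the figure: Rick (IP-A) invites Cory (IP-B).
const INVITE =
  "INVITE sip:cory@198.51.100.20 SIP/2.0\r\n" +
  "Call-ID: a84b4c76e66710@192.0.2.10\r\n" +
  "Content-Type: application/sdp\r\n\r\n" +
  "v=0\r\no=rick 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n" +
  "m=audio 2000 RTP/AVP 0\r\n";
const OK200 =
  "SIP/2.0 200 OK\r\n" +
  "Call-ID: a84b4c76e66710@192.0.2.10\r\n" +
  "Content-Type: application/sdp\r\n\r\n" +
  "v=0\r\no=cory 1 1 IN IP4 198.51.100.20\r\ns=-\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\n" +
  "m=audio 4000 RTP/AVP 3\r\n";
const BYE = "BYE sip:cory@198.51.100.20 SIP/2.0\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\n\r\n";
```

The helper only trusts what it sees on the control channel, which is why VoIP Security is restricted to configured client and server networks: any host that may send signaling through the helper can make it open UDP ports of its choosing towards the addresses it names in the SDP.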
VoIP Security / SIP – Session Initiation Protocol
"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)
A good starting point for reading about SIP is http://en.wikipedia.org/wiki/Session_Initiation_Protocol
Figure: Rick sends an INVITE for Cory via a SIP Proxy; the SIP Registrar knows where Cory is registered.
VoIP Security / H.323
H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols for audio-visual communication sessions on any packet network. H.323 was originally created to transport multimedia applications over LANs, but it rapidly evolved to address the growing needs of VoIP networks. Real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323. A good link to get started with reading about H.323 is http://en.wikipedia.org/wiki/H323
VoIP Security / SIP/H.323 Security
To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can be activated individually.
Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers. Add only the clients and servers that actually need it: the helper opens ports based on the addresses it sees in the signaling, so every host on that list can cause UDP ports to be opened through the firewall.
General WebAdmin Troubleshooting
General WebAdmin Troubleshooting
Most troubleshooting can be done via the WebAdmin GUI:
- WebAdmin dashboards showing real-time statistics, reports and logs point to problems and errors
- Real-time resource indicators such as high CPU usage can indicate problems with running processes
- RAM usage depends on the applications being used and the hardware installed
- Swap usage increases if the system runs out of RAM
- A growing log disk may indicate logging errors
General WebAdmin Troubleshooting
Network Statistics can identify the most active source hosts, services, concurrent connections, and total traffic.
General WebAdmin Troubleshooting
Real-time logs in the Logging section show real-time information. If CPU usage has been running high, error messages may be found in the System Messages or Self Monitoring logs. System messages should be checked for errors relating to the databases; if any are found, a support ticket should be opened with Astaro. The Self Monitoring log should not show many process restarts.
General WebAdmin Troubleshooting
Incorrectly binding a host to a specific interface can prevent packet filter and NAT rules from working.
General WebAdmin Troubleshooting
Incorrectly written NAT rules are a common issue. A typical mistake is trying to translate the ‘Any’ service to a specific port. Not using the ‘Automatic packet filter rule’ option can prevent many rules from working.
Command Line Troubleshooting Guide
CLI / Linux skills
• Command line or shell access is not needed during normal operation of the AxG product line
• All configuration can and should be done via the WebAdmin GUI
• Shell access is used for more in-depth and quicker troubleshooting
• Shell configuration changes are made at your own risk and can void support
• Basic Linux skills will be needed for the shell
• Google searches will return plenty of information about Linux; http://www.linux.org/lessons/ offers some free, easy beginner courses
CLI / First steps
When first logging into the shell, some quick things to check are:
• System load
• Top processes
• Log directories, to see which log files are being written to
• Disk space utilization
System load and top processes are checked using the ‘top’ command, which shows the processor activity in real time.
CLI / First steps
Top shows information such as uptime, load average, memory, swap, and running processes. The load average depends on the hardware installed and is displayed in the WebAdmin as CPU Usage: if the CPU is running high, the load will be high. To determine which process is using the most CPU, look at the %CPU column or sort by pressing the ‘C’ key. To kill a process, press the ‘K’ key and enter the PID. If no signal is chosen, the TERM signal is sent. If the process does not stop, try specifying KILL by entering the number ‘9’ when prompted.
CLI / First steps
The /var/log directory holds the logs for the current day as well as directories for past dates. Additional debug and .lock files are found in the /tmp directory. Logs can be sorted by time, to see which one was last written to, using the command ‘ll -tr’. Logs can be viewed with utilities such as ‘less’, ‘cat’, or ‘tail’; ‘tail -f’ shows the log as it updates in real time. ‘grep’ can be used to filter for specific information such as usernames or IP addresses.
CLI / Packetfiltering basics (1)
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
[Figure: packet flow through the netfilter chains. Information recoverable from the diagram:]
Incoming packets -> PREROUTING -> Routing -> INPUT -> Local processes
Routing -> FORWARD -> POSTROUTING -> Outgoing packets
Local processes -> OUTPUT -> Routing -> POSTROUTING -> Outgoing packets
Hooks drawn in the chains: PREROUTING: dnat, conntrack, mangle, spoofdrop; INPUT and FORWARD: mangle, filter, ips (conntrack additionally on one of them); OUTPUT: conntrack, mangle, dnat and conntrack, mangle, filter, ips; POSTROUTING: masquerading, snat, conntrack, mangle, ips
Local processes shown: PPTP, IPSEC, BIND, HTTP Proxy, SSHD, EXIM, Apache
Tables: NAT, Filter
CLI / Packetfiltering basics (2)
Verify packet filter rules using the command line interface (CLI) or shell.
Packet filter rules can be reviewed with the command iptables -L -nv on the CLI. Without further arguments this shows the table filter with all of its chains and sub-chains. The available tables can be listed with the command cat /proc/net/ip_tables_names.
Important chains within the table filter are:
• AUTO_INPUT – contains rules that have one of the ASG IP addresses as destination and are configured as a service within the WebAdmin (e.g. DNS to the ASG)
• AUTO_FORWARD – contains rules for traffic forwarded through the ASG that are configured as a service within the WebAdmin (e.g. ping through the firewall)
• USR_FORWARD – contains packet filter rules configured manually by the administrator in the menu “Packet filter” that do not use an IP address of the ASG itself as source or destination address
Note: Manual changes to the packet filter made with the command iptables will be overridden as soon as a change is made using the WebAdmin.
CLI / Packet filter example (1)
Scenario 1: The administrator has locked himself out of the WebAdmin
The admin has locked himself out by mistake: a network/host was removed from the list of “Allowed networks”. SSH is activated and the ASG is accessible via SSH.
Verify with: iptables -L AUTO_INPUT -nv | grep 4444

Chain AUTO_INPUT (1 references)
 pkts bytes target     prot opt in  out  source            destination
    0     0 LOGACCEPT  tcp  --  *   *    192.168.140.0/24  0.0.0.0/0    tcp spts:1024:65535 dpt:4444 LOGMARK match 60006
    3   180 LOGDROP    tcp  --  *   *    0.0.0.0/0         0.0.0.0/0    tcp spts:1024:65535 dpt:4444 LOGMARK match 60005

Only the network 192.168.140.0/24 is allowed for the WebAdmin; all other networks are blocked and logged by default.
Add a network: iptables -I INPUT -j ACCEPT --source 172.16.65.0/24 -p tcp --dport 4444
Verify with: iptables -L INPUT -nv | grep 4444

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source          destination
    0     0 ACCEPT  tcp  --  *   *    172.16.65.0/24  0.0.0.0/0    tcp dpt:4444

Once the WebAdmin is accessible again, the network in question should be added to the “Allowed networks” and saved with Apply. All manual configuration changes are lost after a restart of the middleware or of the ASG.
CLI / Packet filter example (2)
Scenario 2: A packet filter rule for a VPN does not work; the VPN itself is working correctly.
A few packet filter rules were configured in the WebAdmin for communication with the branch office. The HTTP access in rule 3 is not working.
Verify with: iptables -L USR_FORWARD -nv | grep 172.16.67.2

Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in  out   source          destination
    0     0 LOGACCEPT  tcp  --  *   eth1  172.16.55.0/24  172.16.67.2  tcp spts:1:65535 dpt:80 LOGMARK match 3

Solution: The network definition (type: host) for the web server is bound to interface eth1 (WAN), but the tunnel uses interface ipsec0. That is why this rule is not matched and all packets are dropped by the “Default drop”.
These errors are hard to find with the WebAdmin and the packet filter table. They are easier to find with the command iptables on the CLI, because the out column shows the interface the rule is bound to.
CLI / Stateful packet filtering
Scenario 3: Outgoing FTP connections are not working; the packet filter entries are correct.
The Astaro Security Gateway writes every connection to the connection tracking table. The administrator wants to verify whether the FTP connection is visible in this table.
Verify with: conntrack -L | grep 192.168.140.213

Working connection (control connection on port 21 plus the data connection):
tcp      6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3

Not working connection (only one entry):
tcp      6 431982 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1

Background: FTP uses a second connection for the data transfer on different ports. These ports are negotiated dynamically for every FTP connection. The Astaro Security Gateway has to relate this second connection to the allowed FTP connection on port 21.
Solution: The connection tracking helper for FTP has to be activated. This is done using Network Security -> Packetfilter -> Advanced; it is activated by default.
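The check from this scenario, as an added example that is not part of the courseware: a shell function that reads a conntrack -L dump on stdin and reports whether the FTP control connection to a given server is accompanied by a data connection. The two sample dumps below are constructed from the entries shown above; on the ASG the dump comes from conntrack -L itself.

```shell
# Added example (not from the Astaro courseware). Reads a conntrack -L dump on
# stdin and classifies the FTP state for one server address.

# Constructed conntrack dump for a working FTP session (control + data connection).
CT_WORKING='tcp      6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3'

# Constructed dump for the broken session: only the control connection is tracked.
CT_BROKEN='tcp      6 431982 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1'

# ftp_conntrack_check SERVER_IP < conntrack_dump
# Prints "ok"           when a control connection (dport=21) and at least one further
#                       connection to the same server are tracked,
#        "control-only" when only the control connection exists (the typical symptom
#                       of a missing FTP conntrack helper),
#        "none"         when no connection to the server is tracked at all.
ftp_conntrack_check() {
    awk -v srv="$1" '
        # " dst=<srv> " matches the client->server tuple exactly (index, not regex,
        # so the dots in the address are not wildcards)
        index($0, " dst=" srv " ") > 0 {
            if (index($0, " dport=21 ") > 0) control++; else other++
        }
        END {
            if (control == 0 && other == 0) print "none"
            else if (control > 0 && other == 0) print "control-only"
            else print "ok"
        }'
}

# Demo on the constructed dumps; on the ASG use: conntrack -L | ftp_conntrack_check 192.168.140.213
printf '%s\n' "$CT_WORKING" | ftp_conntrack_check 192.168.140.213
printf '%s\n' "$CT_BROKEN"  | ftp_conntrack_check 192.168.140.213
```

A "control-only" result for a session that has already issued a transfer command is the pattern described in this scenario; check the FTP helper setting before touching the packet filter rules.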
Networking
CLI / Network problems (1)
Scenario 1: Slow connections between different networks (1)
The ASG is connected to multiple switches on different interfaces. Users report slow connections from one network to another; in this case the connections between the internal network (eth0) and the DMZ (eth2) are very slow. The administrator wants to verify the corresponding interfaces.
Verify with: ifconfig eth0, ifconfig eth2

ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)
          Interrupt:177 Base address:0x1424

RX: packets = number of received packets, errors = receive errors, dropped = packets dropped when receiving, overruns = receive buffer (FIFO) overruns, frame = framing errors on received frames
TX: packets = number of transmitted packets, errors = errors when sending, dropped = packets dropped when sending, overruns = packets that are bigger than the allowed MTU size, carrier = carrier errors on the connection (mostly a broken network cable)
Note: If there is a problem with the connection and the speed and duplex settings are not correct, errors usually show up here. Always check both sides of the connection, i.e. also the switch at the other end of the cable.
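An added example (not from the courseware) that automates the counter check described above: it reads ifconfig output on stdin and lists every interface with non-zero error, drop, overrun, frame, carrier or collision counters. The eth0 block is the one shown on this slide; the clean eth2 block is constructed.

```shell
# Added example (not from the Astaro courseware): flag interfaces whose ifconfig
# counters show receive/transmit problems.

# Constructed ifconfig output: eth0 from the slide, eth2 invented as a clean interface.
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)
          Interrupt:177 Base address:0x1424

eth2      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:E4
          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1000 (1000.0 b)  TX bytes:2000 (1.9 Kb)'

# iface_errors < ifconfig_output
# Prints "<iface> RX-errors=N RX-dropped=N ..." for every interface with at least
# one non-zero problem counter; interfaces whose counters are all zero print nothing.
iface_errors() {
    awk '
        /^[^ \t]/ { iface = $1 }                 # a non-indented line starts a new interface block
        /^[ \t]+(RX|TX) packets:/ {
            dir = $1                             # "RX" or "TX"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")               # e.g. "errors:120" -> kv[1]="errors", kv[2]="120"
                if (kv[1] != "packets" && kv[2] + 0 > 0)
                    bad[iface] = bad[iface] " " dir "-" kv[1] "=" kv[2]
            }
        }
        /^[ \t]+collisions:/ {
            split($1, kv, ":")
            if (kv[2] + 0 > 0) bad[iface] = bad[iface] " collisions=" kv[2]
        }
        END { for (i in bad) print i bad[i] }'
}

# Demo on the constructed sample; on the ASG use: ifconfig | iface_errors
printf '%s\n' "$IFCONFIG_SAMPLE" | iface_errors
```

Run it on both sides of a slow link where possible; a clean counter set on the ASG with errors on the switch port (or vice versa) points at the speed/duplex mismatch handled in the next scenario.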
CLI / Network problems (2)
Scenario 2: Slow connections between different networks (2)
There are errors on the interface. The administrator wants to check the speed and duplex settings of the interfaces. Auto-negotiation is configured on both sides.
Verify with: mii-diag eth2

fw:/root # mii-diag eth2
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 c1e1 0009 0000.
 The autonegotiated capability is 01e0.
The autonegotiated media type is 100baseTx-FD.
 Basic mode control register 0x3000: Auto-negotiation enabled.
 You have link beat, and everything is working OK.
 Your link partner advertised c1e1: 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
   End of basic transceiver information.

Some network cards (for example in VMware) are not MII-compatible. For these cards ethtool shows nearly the same information. In this scenario the check has shown that the settings on the ASG and on the switch are not the same (100baseT/Full vs. 10baseT/Half).
Solution: The interface configuration can be changed in the WebAdmin menu Network -> Interfaces -> Hardware. It is possible to configure a fixed speed and duplex mode.
CLI / Network tools
Tools to test the connectivity
Check if a host is accessible: ping at the command line, or Support -> Tools -> Ping Check in the WebAdmin
PING 172.16.55.56 (172.16.55.56) 56(84) bytes of data.
64 bytes from 172.16.55.56: icmp_seq=1 ttl=128 time=2.45 ms
64 bytes from 172.16.55.56: icmp_seq=2 ttl=128 time=0.320 ms
64 bytes from 172.16.55.56: icmp_seq=3 ttl=128 time=1.12 ms

Check the path to a server on the internet: traceroute at the command line, or Support -> Tools -> Traceroute in the WebAdmin
traceroute to www.astaro.de (85.115.22.4), 30 hops max, 40 byte packets
 1  port-87-234-47-9.static.qsc.de (87.234.47.9)  2.865 ms  5.489 ms  3.428 ms
…
 5  DE-CIX2.de.lambdanet.net (80.81.192.74)  22.012 ms  20.533 ms  22.377 ms
 6  Telemaxx.FRA-1-eth0-145.de.lambdanet.net (217.71.110.42)  19.606 ms  20.851 ms  19.337 ms
 7  sw4ch.ka.telemaxx.net (213.144.4.134)  24.037 ms  25.553 ms  22.330 ms
 8  85.115.22.4 (85.115.22.4)  19.359 ms  19.362 ms  18.378 ms

Discover duplicate IP addresses within your network: arping
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  0.845ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  1.794ms

Note: When the same IP address is configured on different hosts, this output shows replies with different MAC addresses.
CLI / Network tools / Tcpdump
Tcpdump is a packet sniffer utility that allows an administrator to capture and display the traffic traversing a network interface. With tcpdump, network traffic can be analyzed for problems and either displayed on the screen in real time or saved to a file, which can then be opened in programs such as ‘Wireshark’. Parameters can be specified to filter on specific interfaces, ports, and IP networks or addresses. Basic examples are:
tcpdump -i eth0 port 25 (the ‘-i’ specifies which interface to use)
tcpdump -i eth0 port 25 -w test.pcap (the ‘-w’ specifies the file to write the capture to)
tcpdump -i eth0 host 10.10.12.12 and port 25
CLI / Network tools / Iftop
Iftop can be used to display the bandwidth usage on an interface per host. Common parameters are:
-i = specify the interface to use
-n = do not resolve IPs to DNS names
-P = show ports as well as IPs
IM/P2P Security
CLI IM/P2P Security / Logging (1)
With version 7.200 the Astaro Security Gateway and the Astaro Web Gateway introduced the service Astaro Flow Classifier (AFC) for IM/P2P control. This service logs to the file /var/log/afc.log. The log file can be browsed with the WebAdmin or via the command line. For troubleshooting the AFC it is necessary to understand the log format correctly. An example line from an AFC log file is shown here (Bittorrent):

2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"

Log entry                                      Meaning
id="2017"                                      The ID shows the kind of log entry: 2017 is logging only, 2018 is a file transfer block and 2019 blocks completely
name="AFC Alert" action="log"                  Name and action, corresponding to the ID
fwrule="60202"                                 Shows the kind of protocol; 60202 stands for “P2P/Bittorrent”
srcip="79.213.68.225" dstip="192.168.99.101"   Source and destination IP address of the packet
srcport="57389" dstport="18710"                Source and destination port of the packet

The ID, action and fwrule are always the most important fields for troubleshooting.
The particular values for ID, action and fwrule are explained in detail in the Astaro knowledge base article 290351.
CLI IM/P2P Security / Logging (2)
Here is another example, for Skype blocking, recognizable by the fwrule (Skype) and the ID (block completely):
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"

Scenario 1: High logging impact when activating IM/P2P control with all protocols
When logging is activated for Instant Messaging and Peer-to-Peer protocols and a high volume of data is processed by the Astaro Security Gateway, a lot of logging traffic is produced, which could possibly fill up the log partition.
Solution: Using IM/P2P -> Settings -> Advanced it is possible to configure a logging limit. There are four options to choose from:
• Off – deactivates logging completely; there is no reporting for IM/P2P any more.
• Limit all 5/sec – only 5 log entries per second for all hosts altogether.
• Limit host 1/sec – a limit of one log entry per second per host (default).
• Log all – the complete traffic will be logged (Attention!)
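An added example, not part of the courseware, that decodes AFC entries the way the two tables above do and measures how many entries one host produces per second, which is the quantity the logging limit in Scenario 1 caps. It assumes /var/log/afc.log is fed on stdin; the id meanings and the two fwrule numbers (60202, 60103) are taken from the slides, any other fwrule is printed as its plain number.

```shell
# Added example (not from the Astaro courseware): decode AFC log entries and
# measure the per-host logging rate.

# Constructed afc.log excerpt: the two lines shown on these slides.
AFC_SAMPLE='2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"'

# afc_summary < afc.log
# One line per entry: timestamp, id and its meaning, action, protocol (fwrule), src -> dst.
afc_summary() {
    awk '
        BEGIN {
            meaning["2017"] = "log-only"
            meaning["2018"] = "file-transfer-block"
            meaning["2019"] = "block-completely"
            rule["60202"] = "P2P/Bittorrent"    # from the slide
            rule["60103"] = "Skype"             # from the slide
        }
        {
            for (k in f) delete f[k]
            s = $0
            # walk every key="value" pair on the line into f[key]
            while (match(s, /[a-z]+="[^"]*"/)) {
                kv = substr(s, RSTART, RLENGTH)
                eq = index(kv, "=")
                f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
                s = substr(s, RSTART + RLENGTH)
            }
            m = (f["id"] in meaning) ? meaning[f["id"]] : "unknown"
            r = (f["fwrule"] in rule) ? rule[f["fwrule"]] : f["fwrule"]
            print $1, f["id"], m, f["action"], r, f["srcip"] ":" f["srcport"], "->", f["dstip"] ":" f["dstport"]
        }'
}

# afc_peak_rate < afc.log
# Highest number of AFC entries written for a single source host within one second;
# compare with the IM/P2P logging limit (default "Limit host 1/sec").
afc_peak_rate() {
    awk '
        {
            ip = ""
            if (match($0, /srcip="[^"]*"/)) ip = substr($0, RSTART + 7, RLENGTH - 8)
            n = ++count[$1 " " ip]          # $1 is the timestamp, one-second resolution
            if (n > max) max = n
        }
        END { print max + 0 }'
}

# Demo on the constructed sample; on the ASG use: afc_summary < /var/log/afc.log
printf '%s\n' "$AFC_SAMPLE" | afc_summary
printf '%s\n' "$AFC_SAMPLE" | afc_peak_rate
```

The fwrule table only names the two rules that appear on these slides; the full list lives in knowledge base article 290351 and can be pasted into the rule[] array as needed.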
High Availability & Clustering
CLI High Availability & Clustering / HA-Status
Scenario 1: The administrator wants to check the HA status.
The current status of an HA cluster can be seen in the WebAdmin. A more detailed view is available on the CLI.
Verify with: ha_utils on the command line

- Status ----------------------------------------------------------------------
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes ----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 7.302 ACTIVE since Mon Nov 3 09:17:46 2008
SLAVE:  2 Node2 198.19.250.2 7.302 ACTIVE since Mon Nov 3 09:18:44 2008
-- Load -----------------------------------------------------------------------
Node 1: [1m] 0.50 [5m] 0.41 [15m] 0.39
Node 2: [1m] 0.08 [5m] 0.10 [15m] 0.09
- Kernel ----------------------------------------------------------------------
Current mode: enabled
master interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
tso: off
ppp sync: off
- Ctsyncd ---------------------------------------------------------------------
MASTER
- IPSec -----------------------------------------------------------------------
000 #1460: "S_REF_RxrkmFZPsh_0" [email protected] [email protected]; tunnel […]
- PostgreSQL ------------------------------------------------------------------
reporting: […]
pop3: […]

This output shows an HA configuration with 2 nodes in active-passive mode. Under IPSec the messages for active tunnels are displayed.
CLI High Availability & Clustering / Connection to slave system
Scenario 2: The administrator wants to view the log files from the HA slave.
Two ASGs are connected in an HA configuration and the former master has rebooted. Because of the failover, the log files from the old master are now on the “new” slave and are not accessible through the WebAdmin. The administrator wants to access the log files from the old master (now slave) and save these files for troubleshooting.
Access to the slave via: ha_utils ssh (only as root from the master ASG)
An SSH connection to the slave is established; the administrator does not need to know the IP address of the slave. This connection is only possible when the SSH daemon is configured on the default port 22.
The log files can be found in /var/log/ and can be displayed with the standard Linux tools like tail, less and grep. The log files can be copied to the master via SCP.
Example for copying the high-availability.log from the slave to the master:
asg:/var/log # scp high-availability.log [email protected]:/home/login/high-availability.log.node2
CLI High Availability & Clustering / Connection problems
Scenario 3: The front panel of the ASG shows »MTU ERROR« and the appliance shuts down completely.
Solution: The HA cluster interface uses an MTU of 2000 bytes when connected via a gigabit interface. The connected switch should support jumbo frames, and this feature should be activated on the switch. When the switch does not support jumbo frames, the interface should be configured to a fixed 100 Mbit/s full duplex (= MTU 1500) to avoid problems with the HA cluster interface.
Scenario 4: The link status of one or more interfaces frequently shows »down«, whereby a failover is initiated over and over again. Where can more detailed information about a lost link be found for all interfaces?
Solution: Check the kernel log using the WebAdmin or, on the command line, the file /var/log/kernel.log. This file provides detailed information about the interface status. For more information about the interfaces, have a look at the networking chapter.
User Authentication
CLI User Authentication / Overview (1)
This diagram demonstrates the different workflows for the three authentication methods Active Directory, eDirectory and LDAP. Within Active Directory and eDirectory there is a differentiation between basic authentication and Single Sign-On. It shows which attributes are synced between the different directory services and the local user database of the Astaro Security Gateway.
CLI User Authentication / Overview (2)
The authentication messages are logged to the file /var/log/aua.log and can be reviewed via the command line or the WebAdmin.

2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"

Log entry                                      Meaning
sub="auth" name="Authentication successful"    Authentication successful
srcip="172.16.65.2"                            Client IP
user="berlin"                                  Authenticated user
caller="portal"                                Calling system process: WebAdmin, User Portal or HTTP Proxy
engine="adirectory"                            Authentication method

If this information is not enough for troubleshooting authentication problems, it is possible to activate the debug mode for the aua daemon. This is done on the command line with: killall -USR2 aua.bin. In debug mode a lot of information is written to the aua.log file. To disable the debug mode for the aua daemon, use the command killall -USR2 aua.bin again.
Attention: Passwords can be seen in clear text in the debug log.
Note: When having problems with authentication in conjunction with the HTTP proxy, it is possible to start the HTTP proxy process in debug mode as well.
CLI User Authentication / Active Directory (1)
Scenario 1: The administrator wants to check if the AD connection is working properly.
Verify with: Click the button “Test Server”
Possible answer 1: Connection to ldap://192.168.140.215:389 failed
Solution 1: The IP address of the AD server is not correct or the LDAP service is not accessible. (Maybe a firewall between the AD server and the ASG is blocking the connection. Missing packet filter rule on this firewall?)
Possible answer 2: Server exists and accepts connections, but bind to ldap://192.168.140.213:389 failed with this Bind DN and Password
Solution 2: The LDAP service can be accessed, but the Bind User DN or the password is not correct.
Scenario 2: Joining the domain with Active Directory Single Sign-On (SSO) fails with the message “Joining the domain failed.”
Solution: The following prerequisites have to be fulfilled to join a domain:
• The ASG needs an FQDN (e.g. firewall.mydomain.local) which can be resolved in the local AD domain.
• The time difference between the DC and the ASG must not be more than 5 minutes.
• The following DNS entries have to be resolvable by the ASG:
$ host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
$ host -t SRV _ldap._tcp.dc._msdcs.MYDOMAIN.LOCAL
When this is not the case, a DNS request route can be configured under Networking » DNS » Request Routing. Example: Domain: MYDOMAIN.LOCAL -> Target Servers: Active Directory Server
CLI User Authentication / Active Directory (2)
Active Directory SSO
The command line tool wbinfo shows detailed information about the Active Directory SSO connection. Active Directory users and groups can be displayed.
Examples:
Command     Meaning
wbinfo -u   Shows all AD users
wbinfo -g   Shows all AD groups
wbinfo -r   Shows all groups for a specific user (Note: it shows only group IDs, not the names!)
wbinfo -D   Shows information about a specific AD domain
Detailed information about the tool can be seen with the command wbinfo --help.
CLI User Authentication / eDirectory
There is a test tool in the WebAdmin for Novell eDirectory to test single users (see Microsoft Active Directory). Detailed information for Novell eDirectory can be seen in the aua.log file when the debug mode is activated for the responsible processes. This is done on the CLI with the command killall -USR2 aua.bin aua_edirsync.plx.
Scenario 3: The administrator wants to check if an eDirectory user is in the cache of the ASG.
Verify with: Bring both processes into debug mode (see above) and check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: Writing cache entry for dn cn=testuser,ou=FW,ou=Support,o=Karlsruhe
2008:10:27-12:25:28 (none) aua[1293]: id="3007" severity="debug" sys="System" sub="auth" name="SSO: adding IP address 172.26.3.17 to cache"
Scenario 4: The administrator wants to check which eDirectory groups are imported for one user.
Verify with: Both processes are in debug mode; check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'attrs' => {
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:   'modifytimestamp' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:     '20081027112505Z' ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:   'cn' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:     'testuser' ],
[…]
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:   'groupmembership' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]:     'ou=FW,ou=Support,o=Karlsruhe' ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: […]
Web Security
CLI Web Security / Categorization
Since version 7.302 the Astaro Security Gateway includes the content filter product SmartFilter XL from Secure Computing.
Scenario 1: The administrator wants to check which category a particular web site is assigned to.
Verify with: Start the browser, open the web page http://www.astaro.com/support/support_resources and click the link “Astaro Web Filtering Site Test”.
It is possible to send an optional suggestion for a different category.
All filter categories are described in detail in the Astaro Knowledgebase article 297586.
CLI Web Security / Details of Content Filter Log
On this slide the important fields of the HTTP proxy log file are described for detailed troubleshooting.

2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"

Log entry                                         Meaning
sub="http" name="http access" action="pass"       Access allowed
srcip="172.16.65.2"                               Client IP
user="user1"                                      Logged-in user at the HTTP proxy
statuscode="200"                                  HTTP status code »OK«
cached="0"                                        The web page was not loaded from the cache
profile="profile_0"                               First profile in Web Security » HTTP Profiles
filteraction="action_REF_DefaultHTTPCFFAction"    Used filter action; the reference can be resolved in the WebAdmin using Support » Advanced » Resolve REF_
size="6835" time="782 ms"                         Size and download time for this request
url="http://www.google.de/"                       Requested URL
category="145"                                    Secure Computing SmartFilter XL category ID
categoryname="Search Engines"                     Category name
content-type="text/html"                          MIME type
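An added example (not part of the courseware) that turns the field table above into a per-user summary: requests, bytes, cache hits and non-2xx responses for one user. It reads the HTTP proxy log on stdin (the path /var/log/http.log in the usage comment is assumed); the first sample line is the one from this slide, the other two are constructed. The same key="value" format is used by aua.log from the User Authentication chapter, so the field() helper applies there unchanged.

```shell
# Added example (not from the Astaro courseware): per-user summary of the HTTP proxy log.

# Constructed http log excerpt: the slide's line plus two invented requests for the
# same user (a cached image and a 404), so the counters have something to show.
HTTP_SAMPLE='2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"
2008:11:18-18:43:02 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="1" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="1200" time="5 ms" request="0xb385c10" url="http://www.google.de/images/logo.gif" error="" category="145" categoryname="Search Engines" content-type="image/gif"
2008:11:18-18:44:10 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="404" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="300" time="40 ms" request="0xb385d20" url="http://www.example.com/missing" error="" category="0" categoryname="" content-type="text/html"'

# http_user_report USER < http.log
# Prints: requests=N bytes=N cache_hits=N non_2xx=N for the given user.
http_user_report() {
    awk -v who="$1" '
        # field(key): value of key="value" on the current line, "" when absent.
        # The leading space keeps "user" from matching inside another key name.
        function field(key,   m) {
            if (match($0, " " key "=\"[^\"]*\"")) {
                m = substr($0, RSTART, RLENGTH)
                return substr(m, length(key) + 4, length(m) - length(key) - 4)
            }
            return ""
        }
        field("user") == who {
            req++
            bytes += field("size")
            if (field("cached") == "1") hits++
            if (field("statuscode") !~ /^2/) err++
        }
        END {
            print "requests=" (req + 0), "bytes=" (bytes + 0), "cache_hits=" (hits + 0), "non_2xx=" (err + 0)
        }'
}

# Demo on the constructed sample; on the ASG (path assumed): http_user_report user1 < /var/log/http.log
printf '%s\n' "$HTTP_SAMPLE" | http_user_report user1
```

Swapping field("user") for field("srcip") gives the same report per client address, which is the view needed when a user name is missing because the request was not authenticated.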
CLI Web Security / HTTP Proxy in Debug Mode
Common problems with the HTTP proxy can be solved with an in-depth log analysis, or they are related to authentication problems (see there). More detailed information is provided when the debug mode for the HTTP proxy is activated.
Solution: Changing the debug level for the HTTP proxy
The debug level can only be configured by editing the file /var/chroot-http/etc/httpproxy.ini, section [global], key debug= …

Debug level   Explanation
none          Debugging is deactivated
dns           DNS resolution debugging
profile       Detailed profile parsing and matching
auth          Authentication debugging (NTLM, Basic, eDirectory, etc.)
conn          Connection debugging
hdr           HTTP header debugging
scan          Content scanning debugging
ssl           SSL communication debugging
cache         Hard disk cache debugging

Attention: All debug levels are only active until the next change or restart of the HTTP proxy.
E-Mail Security
CLI E-mail Security / SMTP Log (1)
The MailManager provides an SMTP log where the administrator can easily see the results of the mail processing and can filter these messages by different criteria.
More information about the MailManager can be found in the corresponding chapter of the courseware. A double click on an entry in the log view opens a new window with more information about the e-mail, including its Message ID.
The Message ID can be used to find more information about this particular e-mail in the actual SMTP log. For an advanced search the last two parts of the ID are needed to find all information about the e-mail in the log file, because the first part changes while the message passes through the proxy. For example 0002EF-2t is used to find every log line for this particular e-mail.
This advanced search can be done in the WebAdmin using Logging -> Search Log Files, or on the command line in the file /var/log/smtp.log.
CLI E-mail Security / SMTP Log (2)
Scenario 1: An administrator wants to see all log entries for a particular e-mail.
Verify with: Click on the entry in the MailManager log view, then type the command grep "0002EF-2t" /var/log/smtp.log on the command line.

2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= [email protected] H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682 [email protected]
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="[email protected]" to="[email protected]" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed

Scenario 2: The information provided by the SMTP log is not enough for troubleshooting.
Solution: The debug mode for the SMTP proxy can be activated as follows. Change the following line in the file /var/mdw/scripts/smtp:
chroot $CHROOT /bin/smtpd.bin $WORKER
into
chroot $CHROOT /bin/smtpd.bin $WORKER -debug
and restart the SMTP proxy with /var/mdw/scripts/smtp restart.
Note: The SMTP proxy in debug mode generates a lot of logging messages, which can flood the log partition! The debug mode should only be activated for a short period and deactivated after troubleshooting with the same procedure.
CLI E-mail Security / Greylisting

Scenario 3: An urgent e-mail was sent by an external partner and the administrator wants to check whether the e-mail was delayed by Greylisting.

Solution: Inspection of the log file on the command line. Attention: The message cannot be seen in the MailManager and has to be searched for manually.

    2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
    2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F= temporarily rejected after DATA: Temporary local problem, please try again!
    2008:11:20-12:24:21 (none) exim[9364]: [2\19] Envelope-from:
    2008:11:20-12:24:21 (none) exim[9364]: [3\19] Envelope-to:
    2008:11:20-12:24:21 (none) exim[9364]: [4\19] P Received: from [192.168.140.158] (port=2397)
    2008:11:20-12:24:21 (none) exim[9364]: [5\19] by asg225.asllab.net with esmtp (Exim 4.69)
    2008:11:20-12:24:21 (none) exim[9364]: [6\19] (envelope-from )
    2008:11:20-12:24:21 (none) exim[9364]: [7\19] id 1L37e0-0002R2-2s
    [...]
    ----------------------------------------------------------------
    2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
    [...]
    2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
    2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed

In the example above Greylisting first rejects the message temporarily. The second part of this log extract shows the successful retry to deliver the message. Please note that a new message ID is generated when the message is received for the second time.
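The following Python script is an added example, not part of the Astaro courseware, and serves both Scenario 1 (find every line for one e-mail by the last two parts of its queue ID) and Scenario 3 (spot greylisted senders and how long the retry took). It works on lines in the /var/log/smtp.log format shown above; the sample log embedded at the end is constructed, with placeholder addresses and a second placeholder host.

```python
"""Search the SMTP log by queue-ID suffix and measure greylisting delays."""
import re
from datetime import datetime

# Queue IDs look like 1L37L7-0002EF-2t. The first part changes between the
# exim and smtpd components (compare 1L37L7-... with 0z2kWS-...), the last
# two parts stay the same, so they identify one e-mail across all lines.
QUEUE_ID_RE = re.compile(r"\b([0-9A-Za-z]{6})-([0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")
TIMESTAMP_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")
GREYLISTED_RE = re.compile(r"Greylisting: Greylisted (\S+)")
RETRY_RE = re.compile(r"Greylisting: Successful greylist retry from (\S+)")


def queue_id_suffix(queue_id):
    """Reduce a full queue ID to its last two parts; a reduced one passes through."""
    parts = queue_id.split("-")
    if len(parts) == 3:
        return "-".join(parts[1:])
    if len(parts) == 2:
        return queue_id
    raise ValueError(f"not a queue ID: {queue_id!r}")


def lines_for_mail(log_lines, queue_id):
    """All lines carrying the mail's suffix, the equivalent of grep "0002EF-2t"."""
    suffix = queue_id_suffix(queue_id)
    return [line for line in log_lines
            if any(m.group(2) == suffix for m in QUEUE_ID_RE.finditer(line))]


def _parse_timestamp(line):
    m = TIMESTAMP_RE.match(line)
    return datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S") if m else None


def _full_queue_id(line):
    m = QUEUE_ID_RE.search(line)
    return m.group(0) if m else None


def greylist_delays(log_lines):
    """Per sending host: first greylisting, successful retry and the delay in seconds.

    A host that was greylisted but has not retried yet keeps retry_at None;
    that is the case to look for when an urgent e-mail has not arrived.
    """
    report = {}
    for line in log_lines:
        grey = GREYLISTED_RE.search(line)
        retry = RETRY_RE.search(line)
        if grey:                                   # keep the first rejection
            report.setdefault(grey.group(1), {
                "greylisted_at": _parse_timestamp(line), "retry_at": None,
                "delay_seconds": None, "first_queue_id": _full_queue_id(line),
                "retry_queue_id": None})
        elif retry:
            rec = report.get(retry.group(1))
            if rec and rec["retry_at"] is None:    # first successful retry wins
                rec["retry_at"] = _parse_timestamp(line)
                rec["retry_queue_id"] = _full_queue_id(line)   # new ID on retry
                rec["delay_seconds"] = int(
                    (rec["retry_at"] - rec["greylisted_at"]).total_seconds())
    return report


def still_greylisted(report):
    """Hosts whose greylisted message has not been retried successfully yet."""
    return sorted(host for host, rec in report.items() if rec["retry_at"] is None)


# Constructed sample modelled on the /var/log/smtp.log excerpts in the
# courseware; addresses and the host 10.9.8.7 are placeholders.
SAMPLE_SMTP_LOG = r"""2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= sender@example.com H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="sender@example.com" to="trainer@example.com" subject="test" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => trainer@example.com R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
2008:11:20-12:06:10 (none) exim[8600]: 2008-11-20 12:06:10 1L37MR-0002F3-1a <= other@example.com H=([192.168.140.158]) [192.168.140.158]:2200 P=esmtp S=700
2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F=<partner@example.com> temporarily rejected after DATA: Temporary local problem, please try again!
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed
2008:11:20-12:40:00 (none) exim[9700]: 2008-11-20 12:40:00 1L37tB-0002XX-0k Greylisting: Greylisted 10.9.8.7
""".splitlines()
```

Run it against the real file with lines_for_mail(open("/var/log/smtp.log").read().splitlines(), "0002EF-2t") to get the same result as the grep command above.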
Reporting
CLI Reporting / Overview (1)

Since version 7.300 all reporting data is stored in the new PostgreSQL database. To generate all kinds of reports the ASG uses three different data sources:
- RRD files to create the graphs
- ACCU files with absolute values of the last 30 days
- PostgreSQL for long-term data storage for up to 6 months

Furthermore there are 7 reporters for different scopes, which can be configured separately in the WebAdmin:
- Websec reporter
- Mailsec reporter
- VPN reporter
- IPS reporter
- Pfilter reporter
- Admin reporter
- System reporter
CLI Reporting / Overview (2)

The administrator can check on the command line whether all database processes and all reporter processes are running properly.

Verify with: ps -ef | grep postgres on the command line

    ps -ef | grep postgres
    postgres  2939     1  0 Nov17 ?  00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
    postgres  2948  2939  0 Nov17 ?  00:00:03 postgres: writer process
    postgres  2949  2939  0 Nov17 ?  00:00:01 postgres: wal writer process
    postgres  2950  2939  0 Nov17 ?  00:00:01 postgres: autovacuum launcher process
    postgres  2951  2939  0 Nov17 ?  00:00:12 postgres: stats collector process
    postgres 14097  2939  0 Nov18 ?  00:00:04 postgres: reporting reporting [local] idle
    postgres 14333  2939  0 Nov18 ?  00:00:02 postgres: postgres smtp 127.0.0.1(36013) idle
    postgres  7043  2939  0 00:15 ?  00:00:52 postgres: postgres smtp 127.0.0.1(58014) idle

PID 2939 is the postgres main process and the processes 2948-2951 are copying data within the database. Furthermore two processes for the SMTP database are visible, which store e-mails in the quarantine.

Verify with: ps -ef | grep reporter on the command line

    ps -ef | grep reporter
    root 4805 2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/websec-reporter.pl
    root 4806 2508  0 00:00 ?  00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
    root 4807 2508  0 00:00 ?  00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
    root 4808 2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
    root 4809 2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
    root 4810 2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl

These lines show the running reporter processes, which collect data from the logging (syslog-ng) and write this information into the three data stores RRD, ACCU and PostgreSQL.
CLI Reporting / Logging & Storage

All database errors can be found in the file /var/log/system.log and can be reviewed via the WebAdmin or the command line. In case of problems with the database or the reporting, the administrator should search the log file for PostgreSQL entries. If messages like the following are found in the log file, the administrator is requested to open a support call to restore the database with the help of the Astaro support.

    ERROR: invalid page header in block 7002 of relation "accounting"
    ERROR: could not open relation 17747/16519/18546: No such file or directory
    PANIC: right sibling 1672 of block 110 is not next child of 3 in index "websec_bud_dayidx"
    FATAL: bogus data in lock file "/var/run/postgresql/.s.PGSQL.5432.lock": "#

Note: The database files are not included in the backup file and therefore cannot be restored by restoring a backup.

Scenario 1: The reporting is not working any more; the administrator wants to check whether the storage partition is full.

Verify with: df -h /var/storage/pgsql/data on the command line

    df -h /var/storage/pgsql/data
    Filesystem                  Size  Used Avail Use% Mounted on
    /dev/disk/by-label/storage  745M  208M  499M  30% /var/storage

Attention: The database files are stored under /var/storage/pgsql/data, but this is only a subfolder of the storage partition /var/storage, in which the HTTP proxy cache, the SMTP quarantine e-mails and more are stored as well. When this partition is full it is not necessarily a database problem; it could just as well be a problem with the HTTP cache or the SMTP proxy.
Site-To-Site VPN using certificates
CLI Site-To-Site VPN using certificates / General

Scenario 1: The administrator wants to check whether the IPsec connection is established successfully.

Verify with: Check in the WebAdmin with a click on "Site-to-Site VPN", or on the command line using the command cat /proc/net/ipsec_eroute:

    asg225:/root # cat /proc/net/ipsec_eroute
    14   172.16.55.0/24 -> 192.168.150.0/24 => [email protected]

When all lights are green the connection is established in both phases. The output on the command line additionally shows the number of packets sent through the established tunnel. For an established tunnel, lines similar to the following should be in the log file:

    2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
    2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
    2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
    2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established

There you can see that both phases are established successfully. The administrator should check the log file after the first build-up of the tunnel. This log file can be found under /var/log/ipsec.log.

Note: If the tunnel is fully established in both phases but no packets pass through the tunnel, the packet filter log and the packet filter rules should be checked.
CLI Site-To-Site VPN using certificates / Connection problems (1)

Scenario 1: The tunnel cannot be established.

    cannot respond to IPsec SA request because no connection is known for 172.16.55.0/24===192.168.140.225...192.168.140.226===192.168.150.0/24

Solution 1: Check the network definitions on both sides of the tunnel. The "Local Networks" on one side have to be configured as "Remote Networks" on the other side and vice versa.

Scenario 2: The tunnel cannot be established.

    packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK

Solution 2: Check the policy configuration on both gateways. This is especially important in case of different gateway vendors.

Note: All default policies on the ASG have "strict policy" disabled. If you see the error message above, it is possible that a connection is established, but with different policy settings than specified in the policy. In this case the ASG tries to establish a connection using "higher" security credentials. In case of activated "strict policy" on both gateways the following messages will appear in the log file:

    2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
    2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform
    2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: sending notification NO_PROPOSAL_CHOSEN to 192.168.140.226:500
    2008:11:20-12:50:25 (none) pluto[13925]: packet from 192.168.140.226:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
CLI Site-To-Site VPN using certificates / Connection problems (2)

Scenario 3: The tunnel cannot be established.

    2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification Payload must be zero, but is not
    2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
    2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Solution 3: Check the preshared keys on both gateways. These messages indicate different keys.

Scenario 4: The tunnel cannot be established.

    2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found
    2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected
    2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: Signature check (on @asg226.asllab.net) failed (wrong key?); tried *AwEAAdhkV

Solution 4: In this case the authentication was done with certificates, and the branch office still uses the old local self-signed certificate configured using the option "Local X509 Certificate" instead of the certificate provided by the headquarters. Check the certificate configuration.

Note: A good overview of the actual tunnel configuration is given in the file /var/chrootipsec/etc/ipsec.conf. The entries stating "left" are for the local ASG, the entries stating "right" are for the remote gateway. The file is created dynamically when a tunnel is activated; changes to this file are discarded and ignored.
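The following Python script is an added example, not part of the Astaro courseware. It classifies pluto lines from /var/log/ipsec.log into the phase-1/phase-2 status and the failure causes of Scenarios 1 to 4 above, and reads the packet counter from /proc/net/ipsec_eroute so that "tunnel up but counter not moving" can be told apart from "tunnel not up". The connection name and sample lines are modelled on this page's excerpts; the eroute sample is constructed.

```python
"""Classify pluto messages from /var/log/ipsec.log and read the eroute table."""
import re

# "S_REF_..." is the connection name the ASG generates; "#273" is pluto's
# state number. "packet from ..." messages carry no connection name.
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)")

# (fragment of the pluto message, likely cause, what the administrator should
# check), following Scenarios 1-4 of the connection-problems pages.
SIGNATURES = (
    ("no connection is known for", "network definition mismatch",
     "Local Networks on one side must be the Remote Networks on the other side and vice versa"),
    ("no connection has been authorized with policy", "policy mismatch",
     "compare the IPsec policy configuration on both gateways"),
    ("refused due to strict flag", "strict policy refuses the peer's proposal",
     "compare the policy proposals on both gateways; strict policy is active"),
    ("no acceptable Oakley Transform", "strict policy refuses the peer's proposal",
     "compare the policy proposals on both gateways; strict policy is active"),
    ("mismatch of preshared secrets", "preshared key mismatch",
     "compare the preshared keys on both gateways"),
    ("byte 2 of ISAKMP Identification Payload must be zero", "preshared key mismatch",
     "compare the preshared keys on both gateways"),
    ("Possible authentication failure", "preshared key mismatch",
     "compare the preshared keys on both gateways"),
    ("issuer cacert not found", "certificate mismatch",
     "check that the remote side uses the certificate provided by the headquarters"),
    ("X.509 certificate rejected", "certificate mismatch",
     "check that the remote side uses the certificate provided by the headquarters"),
)


def diagnose(lines):
    """Return the tunnel's phase status plus one finding per distinct cause.

    isakmp_sa = phase 1 established, ipsec_sa = phase 2 established. Each
    finding keeps the first pluto message that triggered it as evidence.
    """
    result = {"isakmp_sa": False, "ipsec_sa": False,
              "connections": set(), "findings": []}
    seen = set()
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue                          # not a pluto line
        msg = m.group("msg")
        if m.group("conn"):
            result["connections"].add(m.group("conn"))
        if "ISAKMP SA established" in msg:
            result["isakmp_sa"] = True
        if "IPsec SA established" in msg:
            result["ipsec_sa"] = True
        for fragment, cause, check in SIGNATURES:
            if fragment in msg and cause not in seen:
                seen.add(cause)
                result["findings"].append(
                    {"cause": cause, "check": check, "evidence": msg})
    result["established"] = result["isakmp_sa"] and result["ipsec_sa"]
    return result


def eroute_counters(eroute_text):
    """Map (local net, remote net) to the packet counter of /proc/net/ipsec_eroute.

    Both phases up but a counter that never increases points at the packet
    filter rules rather than at IPsec (see the note on the General page).
    """
    counters = {}
    for line in eroute_text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            counters[(m.group(2), m.group(3))] = int(m.group(1))
    return counters


# Constructed samples modelled on the log excerpts in the courseware.
ESTABLISHED_LOG = """\
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
""".splitlines()
PSK_FAILURE_LOG = """\
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification Payload must be zero, but is not
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2008:11:20-14:42:00 (none) pluto[13925]: packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK
""".splitlines()
# Constructed eroute line; the "tun0x...@peer" target is Openswan's own format.
EROUTE_SAMPLE = "14   172.16.55.0/24 -> 192.168.150.0/24 => tun0x1002@192.168.140.226\n"
```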
Miscellaneous issues
CLI Miscellaneous issues / Lost passwords

Scenario: The WebAdmin password has been forgotten or lost.

If the 'Root & Login' user passwords are known: Use SSH, or connect a monitor and keyboard directly to the AxG, to log in to the shell. Once at the shell prompt, enter the configuration utility by following the steps below:

    dot10:/root # cc
    127.0.0.1 MAIN > RAW
    127.0.0.1 RAW > system_password_reset
    127.0.0.1 RAW > Ctrl-C (keys)

Log back in to the WebGUI and a prompt to set a new password will appear.
CLI Miscellaneous issues / Lost passwords

Scenario: All passwords have been forgotten or lost (1)

Reset the console passwords with a Linux LiveCD. In order to reset the password of a system that you cannot access, you will need to download a Linux LiveCD. There are many distributions, and if you already have one, it will likely work. The distribution used to test this article was Ubuntu Linux. The ISO image can be found here: http://mirror.cs.umn.edu/ubuntu-releases/intrepid/ubuntu-8.10-desktop-i386.iso

What you will need:
* Physical access to the ASG
* Keyboard
* Mouse (optional, depending on the distribution you are using)
* Monitor
* Suitable CD-ROM drive (USB for appliances, various types for software-based systems)
* PC with network access and a CD burner (or access to a LiveCD)

Download a suitable Linux LiveCD; the latest Ubuntu Linux distribution is confirmed to work. Burn the ISO image to a CD. Attach the peripherals to the ASG. You should see a command prompt that says 'login:' on screen. Insert the LiveCD into the CD-ROM drive and reboot the system. You should now be booting into the LiveCD. Depending on the LiveCD, you may need to choose options to boot into the system.
CLI Miscellaneous issues / Lost passwords

Scenario: All passwords have been forgotten or lost (2)

Once booted, open a console and gain root privileges; this is done with the 'su' command in most distributions, for Ubuntu it is 'sudo su'. Run the following commands (the commands to type are shown after the prompt):

    Linux> su
    Linux# mkdir /mnt/asg
    Linux# mount LABEL=root /mnt/asg
    Linux# chroot /mnt/asg /bin/bash
    Linux# passwd loginuser
    Changing password for user loginuser
    Password:
    Retype Password:
    Linux# passwd
    Changing password for user root
    Password:
    Retype password:
    Linux# exit
    Linux# umount /mnt/asg

Now take the CD out of the CD-ROM drive and reboot the ASG. Once the ASG has rebooted, you can sign in as root on the console of the system using your new root password.

Reset the admin password from the ASG's console: Log in to the ASG via the console and enter the following commands:

    dot10:/root # cc
    127.0.0.1 MAIN > RAW
    127.0.0.1 RAW > system_password_reset
    127.0.0.1 RAW > Ctrl-C (keys)
CLI Miscellaneous issues / Up2date troubleshooting (1)

Scenario: System Up2dates applied in the WebAdmin do not update the system to the latest version.

Simulation of RPM installs: A simulated Up2date install is useful for determining why a particular Up2date may be failing, for example because there is no connection to the Up2date servers. The output appears in the standard /var/log/up2date.log file; for an individual test, writing it to a separate file makes examination easier. From the shell run the following command:

    dot10:/root # auisys.plx --simulation

Or, to write the output to a specific file such as 'up2datetest.log':

    dot10:/root # auisys.plx --simulation >>up2datetest.log

Scenario: Up2date to a specific version is desired.

This is useful for updating to a specific version rather than all the way to the latest, in particular with Up2dates making large changes, as is the case with the feature releases 7.100, 7.200, 7.300 and 7.400. Before updating completely it is usually useful, and causes fewer problems, to first update to the latest version in the series prior to a feature release. As an example, update only to 7.202 first, then update to the latest 7.30x after the system reboots with a running 7.202 version:

    dot10:/root # auisys.plx --upto 7.300
CLI Miscellaneous issues / Up2date troubleshooting (2)

Scenario: A 'force' of an Up2date is required.

For Up2date issues the combination of --rpmargs and --force has the greatest effect on loading all current Up2dates. In addition these can be combined with --upto <version> to build a powerful Up2date command. This command is the standard way to effectively force all Up2dates present to load on a system despite previous Up2date failures, which may be triggered by customized RPM packages having been loaded on the system previously.

    dot10:/root # auisys.plx --rpmargs --force

Or combined with the 'upto' version:

    dot10:/root # auisys.plx --rpmargs --force --upto 7.300

Scenario: A downloaded Up2date appears corrupt and must be downloaded again.

Sometimes a new download or the removal of an Up2date is required to resolve an issue, if an Up2date has been corrected on the Up2date servers or is otherwise corrupted on a customer system. Remove any affected system Up2dates from the AxG and run a new download:

    dot10:/root # cd /var/up2date/sys
    dot10:/var/up2date/sys # rm u2d-sys-7.301*        (or whatever Up2date you wish to remove)
    dot10:/var/up2date/sys # audld.plx                (triggers a new download)

If the download cannot communicate or authenticate with a server, the package can be pulled directly from the Astaro FTP servers into the /var/up2date/sys directory with a wget command such as:

    dot10:/root # cd /var/up2date/sys
    dot10:/var/up2date/sys # wget http://ftp.astaro.com/ASG/v7/up2date/u2d-sys-7.300.tgz.gpg
CLI Miscellaneous issues / Restore a Backup from SSH

Scenario: WebAdmin access is unavailable but shell access is, and there are backups stored on the AxG. In the event that WebAdmin access is unavailable it is possible to restore a currently saved backup file from SSH or the direct console.

1) Log in via SSH:

    login: loginuser
    password: <loginuser password>

   Gain root access:

    su
    password: <root password>

2) Identify the backup file needed:

    cd /var/confd/var/storage/snapshots
    ls -l

   Files appear as in this example: cfg_21707_1200723302

3) Restore the backup file:

    /usr/local/bin/backup.plx -i /var/confd/var/storage/snapshots/cfg_21707_1200723302
Introduction to ACC

In this chapter you will see:
- Astaro Command Center
Astaro Command Center / Overview
- Centralized and efficient management of multiple Astaro Gateways
- Central threat-level monitoring
- IPSec VPN tunnel creation and monitoring
- Central Up2date cache
- Uses state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)
- Tracking of critical system parameters in real time: detected threats, license status, software updates, resource usage

No license needed! It's free!
ACC System Overview / Available Appliances

Model                                    Max Gateways supported   Administrators*   Clients*   System Network ports   System Storage   Log/Reporting
Astaro Command Center 1000               20                       1                 4          2 x 10/100/1000 Mbps   30 GB            40 GB
Astaro Command Center 2000               50                       2                 10         2 x 10/100/1000 Mbps   30 GB            40 GB
Astaro Command Center 3000               100                      3                 20         3 x 10/100/1000 Mbps   30 GB            40 GB
Astaro Command Center 4000               200                      4                 40         3 x 10/100/1000 Mbps   60 GB            80 GB
Astaro Command Center Virtual Appliance  Unrestricted             Small to Large networks*     -                      -                -

* Depends on hardware platform used.
* Administrators with full access; clients with access to an average of 5 Gateways and 1/3 of the clients simultaneously logged in.
Astaro Command Center / Features
- Inventory management provides comprehensive information about each device (CPU, hard disk, memory, network interfaces, software version and more)
- All Astaro Security Gateway devices are automatically organized into device groups
- Single sign-on eases configuration management
- Central update management makes it possible to update multiple devices with a single click
- Role-based multi-administrator support
Astaro Command Center / ASG Configuration
- AxGs must be configured with the IP/hostname of the ACC server and the shared secret
- The connection between ASG and ACC is SSL encrypted using port 4433
- Packet filter rules to allow this communication are created automatically
Astaro Command Center / ACC Configuration (1)
- ACC has an 'Administrative' GUI and a 'Gateway Manager' GUI
- The Administrative GUI is accessed via port 4444, just like the other AxG products
- Look and feel is the same, with sections for Management, Network settings, etc.
Astaro Command Center / ACC Configuration (2) Gateway Manager submenu controls access for Administrators, Clients, and Networks
Astaro Command Center / Gateway Manager
- Gateway Manager access is via port 4422 by default
- Different Monitoring views display information on connected Gateways, such as: Threats, Licenses, Versions, Resources, Services, Availability
Astaro Command Center / Gateway Manager
- Maintenance shows Inventory information and allows for scheduled operations on individual Gateways. Options are: Reboot, Shutdown, Prefetch Up2dates, Install Firmware, Install Patterns
Astaro Command Center / Gateway Manager
- Management allows for selective control of which Gateways can connect, via the Registration submenu
- Access Control allows for role-based access for Users
Astaro Command Center / Gateway Manager
- Configuration offers a Site-to-Site VPN configuration wizard: easily create and monitor VPN connections between Astaro Security Gateways
- Additional configuration options such as centralized object creation and management will be available in later releases
Astaro Command Center Review Questions
Astaro Command Center / Review Questions
1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?
Astaro Report Manager

The topics in this chapter will be:
- Overview of the Astaro Report Manager
- Installation/Configuration of ARM and the Syslog software
Astaro Report Manager / Overview
- ARM is a data collection, analysis and reporting tool
- Aggregates and parses syslog data from network devices
- Includes: real-time monitoring, alerts based on configurable parameters, built-in and customizable reports, forensic analysis
Astaro Report Manager / Overview/ Security Center The Security Center offers manageable Monitoring views and the ability to create ‘Drill Down’ reports by simply double clicking items to bring up a ‘Workbench’
Astaro Report Manager / Overview / Security Center
- The Reporting section offers more than 800 reports on information such as: Attacks, Bandwidth, Content Categorization, Event, Web Activity
- Historical information can be viewed using the built-in calendar
Astaro Report Manager / Overview / Security Center Information can be viewed in different formats and exported or printed
Astaro Report Manager / Installation/Configuration

Hardware requirements are dependent on the number of devices sending data. Recommended specs:
- Pentium 4, 2.8 GHz or higher
- 100 GB or more disk space
- 2 GB or more RAM
- Windows Server 2000/2003
- IIS or Apache (Apache recommended)
- Fast I/O
- Internet Explorer 6.0 or higher with Java
Astaro Report Manager / Installation/Configuration
- ARM is available on the Astaro FTP servers, accessible through http://my.astaro.com/
- The current version is 4.6, which is the only release that works with AxG V7
- The FTP site contains both the ARM software and the Syslog server software
Astaro Report Manager / Installation/Configuration
- Installation requires admin rights
- Choose 'Standalone' for most installations
- Encrypt traffic with SSL
- Choose Apache Server for most installations
Astaro Report Manager / Installation/Configuration
- Once the Astaro Report Manager installation is complete, it will prompt you to install the Syslog server
- Choose all of the defaults unless a change is needed for the Syslog port (UDP 514) or you need to use trusted IPs for connections
Astaro Report Manager / Installation/Configuration
- By default the ARM software checks for the presence of a new device sending syslog data every 60 seconds
- Devices will appear on the Devices tab
- Devices must have a valid license before Monitoring will begin
Astaro Report Manager / Installation/Configuration
- Licenses are managed via the License Manager icon located in the upper left corner of the ARM screen
- The License Manager offers the ability to add, manage and update licenses and devices
Astaro Report Manager / Installation/Configuration
- Once a device is licensed and has a checkbox under the Monitoring column, it should be accepting Syslog data from your AxG
- To confirm that the system is receiving data, use the AppStatus icon: Syslog statistics are shown there, and clicking the Refresh button should show updated counts
Astaro Report Manager / Installation/Configuration
- The Astaro Report Manager default collection policy does not include monitoring of event logs, which results in minimal information on the dashboard screens
- To enable monitoring, change the collection policy by clicking on the Policies button to open the Policy Manager; highlight and edit the 'Collect All' policy and add your device
- Once saved, the dashboards should start displaying real-time information
THE END.
Questions & Answers.