Stonesoft StoneGate, STONEGATE 5.2 Reference Manual
STONEGATE 5.2
FIREWALL/VPN REFERENCE GUIDE
F IREWALL
V IRTUAL PRIVATE NETWORKS
Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at
the Stonesoft website:
www.stonesoft.com/en/support/eula.html
Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for
those products at the Stonesoft website:
www.stonesoft.com/en/support/third_party_licenses.html
U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions
apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is
defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is
supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as
defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the
Government is subject to such restrictions or successor provisions.
Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC)
N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as
amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.
General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for
support and maintenance services and the related service description, which can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/terms/
Replacement Service
The instructions for replacement service can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the
Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/warranty_service/
Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos.
1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095,
131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284;
7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534;
7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the
Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered
trademarks are property of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes
no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of
the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.
Copyright © 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: SGFRG_20101015
2
TABLE OF CONTENTS
INTRODUCTION
CHAPTER 1
Using StoneGate Documentation . . . . . . . . . . . 13
How to Use This Guide . . . . . . . . . . . . . . . . . . 14
Typographical Conventions . . . . . . . . . . . . . . 14
Documentation Available. . . . . . . . . . . . . . . . . 15
Product Documentation. . . . . . . . . . . . . . . . . 15
Support Documentation . . . . . . . . . . . . . . . . 15
System Requirements. . . . . . . . . . . . . . . . . . 16
Contact Information . . . . . . . . . . . . . . . . . . . . 16
Licensing Issues . . . . . . . . . . . . . . . . . . . . . 16
Technical Support. . . . . . . . . . . . . . . . . . . . . 16
Your Comments . . . . . . . . . . . . . . . . . . . . . . 16
Other Queries. . . . . . . . . . . . . . . . . . . . . . . . 16
CHAPTER 2
Introduction to Firewalls . . . . . . . . . . . . . . . . . 17
The Role of the Firewall. . . . . . . . . . . . . . . . . . 18
Firewall Technologies . . . . . . . . . . . . . . . . . . . 18
Packet Filtering. . . . . . . . . . . . . . . . . . . . . . . 18
Proxy Firewalls . . . . . . . . . . . . . . . . . . . . . . . 19
Stateful Inspection . . . . . . . . . . . . . . . . . . . . 19
StoneGate Multi-Layer Inspection. . . . . . . . . . 19
Additional Firewall Features . . . . . . . . . . . . . . . 21
Authentication . . . . . . . . . . . . . . . . . . . . . . . 21
Deep Packet Inspection and Unified Threat
Management . . . . . . . . . . . . . . . . . . . . . . . . 21
Integration With External Content Inspection. . 21
Load Balancing and Traffic Management. . . . . 22
Logging and Reporting . . . . . . . . . . . . . . . . . 22
Network Address Translation (NAT). . . . . . . . . 23
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Firewall Weaknesses. . . . . . . . . . . . . . . . . . . . 23
Complexity of Administration . . . . . . . . . . . . . 23
Single Point of Failure . . . . . . . . . . . . . . . . . . 24
Worms, Viruses, and Targeted Attacks . . . . . . 24
CHAPTER 3
Introduction to StoneGate
Firewall/VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 25
The StoneGate Security Platform . . . . . . . . . . . 26
StoneGate Firewall/VPN System Components. . 27
Firewall/VPN Engines . . . . . . . . . . . . . . . . . . 28
Main Benefits of StoneGate Firewall/VPN. . . . . 28
Advanced Traffic Inspection. . . . . . . . . . . . . . 28
Built-in Clustering for Load Balancing and
High Availability . . . . . . . . . . . . . . . . . . . . . . 29
Multi-Link Technology . . . . . . . . . . . . . . . . . . 29
Built-in Inbound Traffic Management . . . . . . . 30
QoS and Bandwidth Management . . . . . . . . . 30
Integration with StoneGate IPS . . . . . . . . . . . 31
Clustered Multi-Link VPNs. . . . . . . . . . . . . . . 31
CHAPTER 4
StoneGate Firewall/VPN Deployment . . . . . . . . 33
Deployment Overview . . . . . . . . . . . . . . . . . . . 34
Supported Platforms . . . . . . . . . . . . . . . . . . 34
General Deployment Guidelines . . . . . . . . . . 34
Positioning Firewalls. . . . . . . . . . . . . . . . . . . . 35
External to Internal Network Boundary. . . . . . 35
Internal Network Boundaries. . . . . . . . . . . . . 36
DMZ Network Boundaries . . . . . . . . . . . . . . . 37
Positioning Management Center Components . 38
INTERFACES AND ROUTING
CHAPTER 5
Single Firewall Configuration. . . . . . . . . . . . . . 41
Overview to Single Firewall Configuration . . . . . 42
Configuration of Single Firewalls . . . . . . . . . . . 42
Dynamic Firewall Interface Addresses . . . . . . 42
Internal DHCP Server . . . . . . . . . . . . . . . . . . 43
Configuration Workflow. . . . . . . . . . . . . . . . . 43
Task 1: Create a Single Firewall
Element . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Task 2: Define Physical Interfaces . . . . . . . 43
Task 3: Define VLAN Interfaces. . . . . . . . . . 43
Task 4: Define an ADSL Interface . . . . . . . . 44
Task 5: Define IP Addresses. . . . . . . . . . . . 44
Task 6: Define Modem Interfaces . . . . . . . . 44
Task 7: Install the Firewall Engine . . . . . . . . 44
Task 8: Install a Firewall Policy . . . . . . . . . . 45
Example of a Single Firewall Deployment . . . . . 45
Setting up a Single Firewall. . . . . . . . . . . . . . 45
Adding a New Interface to an Existing
Configuration. . . . . . . . . . . . . . . . . . . . . . . . 46
Table of Contents
3
CHAPTER 6
Firewall Cluster Configuration . . . . . . . . . . . . . 47
Overview to Firewall Cluster Configuration. . . . . 48
Benefits of Clustering . . . . . . . . . . . . . . . . . . 48
Communication Between the Nodes. . . . . . . . 48
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuration of Firewall Clusters. . . . . . . . . . . 49
Load Balancing. . . . . . . . . . . . . . . . . . . . . . . 49
Standby Operation . . . . . . . . . . . . . . . . . . . . 49
Network Interfaces and IP Addresses. . . . . . . 50
Clustering Modes . . . . . . . . . . . . . . . . . . . . . 51
How Packet Dispatch Works . . . . . . . . . . . . . 51
Configuration Workflow . . . . . . . . . . . . . . . . . 53
Task 1: Create a Firewall Cluster
Element. . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Task 2: Create Physical Interfaces. . . . . . . . 53
Task 3: Define VLAN Interfaces . . . . . . . . . . 53
Task 4: Configure Physical or VLAN
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 54
Task 5: Install the Firewall Engines . . . . . . . 55
Task 6: Install a Firewall Policy . . . . . . . . . . 55
Using a Firewall Cluster. . . . . . . . . . . . . . . . . . 55
Internal DHCP Server . . . . . . . . . . . . . . . . . . 55
Node State Synchronization. . . . . . . . . . . . . . 56
Security Level for State Synchronization . . . . . 56
Manual Load Balancing. . . . . . . . . . . . . . . . . 56
Examples of Firewall Cluster Deployment . . . . . 57
Setting up a Firewall Cluster . . . . . . . . . . . . . 57
Adding a Node to a Firewall Cluster . . . . . . . . 58
CHAPTER 7
Routing and Antispoofing. . . . . . . . . . . . . . . . . 59
Overview to Routing and Antispoofing. . . . . . . . 60
Configuration of Routing and Antispoofing . . . . 60
Reading the Routing and Antispoofing Trees . . 60
Multi-Link Routing for Single and Clustered
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Default Elements . . . . . . . . . . . . . . . . . . . . . 62
Configuration Workflow . . . . . . . . . . . . . . . . . 63
Task 1: Add Router or NetLink. . . . . . . . . . . 63
Task 2: Add Network(s). . . . . . . . . . . . . . . . 63
Task 3: Refresh Firewall Policy . . . . . . . . . . 63
Using Routing and Antispoofing . . . . . . . . . . . . 63
Policy Routing. . . . . . . . . . . . . . . . . . . . . . . . 63
Multicast Routing . . . . . . . . . . . . . . . . . . . . . 63
Modifying Antispoofing . . . . . . . . . . . . . . . . . 64
Examples of Routing . . . . . . . . . . . . . . . . . . . . 64
Routing Traffic with Two Interfaces . . . . . . . . . 64
Routing Internet Traffic with Multi-Link . . . . . . 64
Routing Traffic to Networks That Use Same
Address Space . . . . . . . . . . . . . . . . . . . . . . 65
ACCESS CONTROL POLICIES
CHAPTER 8
Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . 69
Overview to Firewall Policies . . . . . . . . . . . . . . 70
Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . 70
How StoneGate Examines the Packets. . . . . . 70
Configuration of Policy Elements . . . . . . . . . . . 72
Default Elements . . . . . . . . . . . . . . . . . . . . . 74
Configuration Workflow. . . . . . . . . . . . . . . . . 74
Task 1: Create a Firewall Template
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Task 2: Create a Firewall Policy. . . . . . . . . . 75
Task 3: Create a Firewall Sub-Policy . . . . . . 75
Task 4: Install the Policy . . . . . . . . . . . . . . 76
Using Policy Elements and Rules. . . . . . . . . . . 77
Validating Policies . . . . . . . . . . . . . . . . . . . . 77
Connection Tracking vs. Connectionless Packet
Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Policy Snapshots . . . . . . . . . . . . . . . . . . . . . 80
Continue Rules . . . . . . . . . . . . . . . . . . . . . . 80
Adding Comments to Rules. . . . . . . . . . . . . . 80
Examples of Policy Element Use . . . . . . . . . . . 81
Protecting Essential Communications . . . . . . 81
Improving Readability and Performance . . . . . 81
Restricting Administrator Editing Rights . . . . . 82
CHAPTER 9
Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Overview to Access Rules . . . . . . . . . . . . . . . . 84
Configuration of Access Rules. . . . . . . . . . . . . 85
Considerations for Designing Access Rules . . 87
Default Elements . . . . . . . . . . . . . . . . . . . . . 87
Configuration Workflow. . . . . . . . . . . . . . . . . 89
Task 1: Define the Source and
Destination . . . . . . . . . . . . . . . . . . . . . . . . 89
Task 2: Define the Service . . . . . . . . . . . . . 89
Task 3: Select the Action and Action
Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Task 4: Select Logging Options. . . . . . . . . . 92
Task 5: Add User Authentication . . . . . . . . . 92
Task 6: Restrict the Time When the
Rule Is Enforced . . . . . . . . . . . . . . . . . . . . 92
Task 7: Restrict the Rule Match Based
on Source VPN . . . . . . . . . . . . . . . . . . . . . 93
4
Table of Contents
Using Access Rules . . . . . . . . . . . . . . . . . . . . 93
Allowing System Communications . . . . . . . . . 93
Configuring Default Settings for Several Rules 94
Using Continue Rules to Set Logging
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Using Continue Rules to set the
Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Using Aliases in Access Rules. . . . . . . . . . . . 95
Examples of Access Rules. . . . . . . . . . . . . . . . 96
Example of Rule Order . . . . . . . . . . . . . . . . . 96
Example of Continue Rules . . . . . . . . . . . . . . 98
CHAPTER 10
Inspection Rules . . . . . . . . . . . . . . . . . . . . . . . 99
Overview to Inspection Rules. . . . . . . . . . . . . . 100
Configuration of Inspection Rules. . . . . . . . . . . 101
Considerations for Designing Inspection Rules 102
Exception Rule Cells . . . . . . . . . . . . . . . . . . . 103
Default Elements . . . . . . . . . . . . . . . . . . . . . 104
Configuration Workflow . . . . . . . . . . . . . . . . . 104
Task 1: Activate Deep Inspection in
Access Rules . . . . . . . . . . . . . . . . . . . . . . . 105
Task 2: Activate the Relevant Inspection
Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Task 3: Define the Exceptions . . . . . . . . . . . 105
Task 4: Eliminate False Positives. . . . . . . . . 106
Task 5: Add Custom Inspection Checks . . . . 106
Using Inspection Rules . . . . . . . . . . . . . . . . . . 106
Setting Default Options for Several Inspection
Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Example of Inspection Rules . . . . . . . . . . . . . . 107
Eliminating a False Positive . . . . . . . . . . . . . . 107
CHAPTER 11
Network Address Translation (NAT) Rules . . . . 109
Overview to NAT . . . . . . . . . . . . . . . . . . . . . . . 110
Static Source Translation . . . . . . . . . . . . . . . 110
Dynamic Source Translation . . . . . . . . . . . . . 111
Static Destination Translation . . . . . . . . . . . . 112
Destination Port Translation . . . . . . . . . . . . . 112
Configuration of NAT . . . . . . . . . . . . . . . . . . . . 113
Considerations for Designing NAT Rules . . . . . 115
Default Elements . . . . . . . . . . . . . . . . . . . . . 115
Configuration Workflow . . . . . . . . . . . . . . . . . 115
Task 1: Define Source, Destination, and
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Task 2: Define Address Translation . . . . . . . 115
Task 3: Define the Firewall(s) that Apply
the Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Task 4: Check Other Configurations. . . . . . . 116
Using NAT and NAT Rules . . . . . . . . . . . . . . . . 116
NAT and System Communications . . . . . . . . . 116
Example of a Situation Where a
Contact Address is Needed . . . . . . . . . . . . 117
Contact Addresses and Locations . . . . . . . . 118
Outbound Load Balancing NAT . . . . . . . . . . . 118
Proxy ARP and NAT. . . . . . . . . . . . . . . . . . . . 119
Protocols and NAT . . . . . . . . . . . . . . . . . . . . 119
Examples of NAT . . . . . . . . . . . . . . . . . . . . . . 119
Dynamic Source Address Translation . . . . . . . 119
Static Address Translation . . . . . . . . . . . . . . 120
NAT with Hosts in the Same Network. . . . . . . 120
CHAPTER 12
Protocol Agents . . . . . . . . . . . . . . . . . . . . . . . 123
Overview to Protocol Agents . . . . . . . . . . . . . . 124
Connection Handling . . . . . . . . . . . . . . . . . . 124
Protocol Validation . . . . . . . . . . . . . . . . . . . . 124
NAT in Application Data . . . . . . . . . . . . . . . . 125
Configuration of Protocol Agents . . . . . . . . . . . 125
Configuration Workflow. . . . . . . . . . . . . . . . . 125
Task 1: Create a Custom Service with
a Protocol Agent . . . . . . . . . . . . . . . . . . . . 125
Task 2: Set Parameters for the Protocol
Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Task 3: Insert the Service in Access
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Using Protocol Agents . . . . . . . . . . . . . . . . . . 126
FTP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 126
H.323 Agent . . . . . . . . . . . . . . . . . . . . . . . . 127
HTTP Agents . . . . . . . . . . . . . . . . . . . . . . . . 127
HTTPS Agent . . . . . . . . . . . . . . . . . . . . . . . . 127
ICMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . 128
MSRPC Agent . . . . . . . . . . . . . . . . . . . . . . . 128
NetBIOS Agent. . . . . . . . . . . . . . . . . . . . . . . 128
Oracle Agent . . . . . . . . . . . . . . . . . . . . . . . . 128
Remote Shell (RSH) Agent . . . . . . . . . . . . . . 128
Services in Firewall Agent . . . . . . . . . . . . . . . 129
SIP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 129
SMTP Agent. . . . . . . . . . . . . . . . . . . . . . . . . 129
SSH Agent. . . . . . . . . . . . . . . . . . . . . . . . . . 129
SunRPC Agent . . . . . . . . . . . . . . . . . . . . . . . 129
TCP Proxy Agent. . . . . . . . . . . . . . . . . . . . . . 130
TFTP Agent . . . . . . . . . . . . . . . . . . . . . . . . . 130
Examples of Protocol Agent Use . . . . . . . . . . . 130
Preventing Active Mode FTP . . . . . . . . . . . . . 130
Logging URLs Accessed by Internal Users . . . 131
Table of Contents
5
CHAPTER 13
User Authentication . . . . . . . . . . . . . . . . . . . . . 133
Overview to User Authentication . . . . . . . . . . . 134
Configuration of User Authentication . . . . . . . . 135
The Internal User Database. . . . . . . . . . . . . . 136
External User Database Integration . . . . . . . . 137
External User Database Without Integration . . 137
User Management . . . . . . . . . . . . . . . . . . . . 137
Authentication Services . . . . . . . . . . . . . . . . 138
RADIUS Authentication . . . . . . . . . . . . . . . . 138
TACACS+ Authentication . . . . . . . . . . . . . . . 138
Default Elements . . . . . . . . . . . . . . . . . . . . . 138
Configuration Workflow . . . . . . . . . . . . . . . . . 139
Task 1: Create an External Authentication
Server Element. . . . . . . . . . . . . . . . . . . . . . 139
Task 2: Create an LDAP Server Element. . . . 139
Task 3: Create an Authentication Service
Element. . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Task 4: Add an LDAP Domain . . . . . . . . . . . 140
Task 5: Add Users and User Groups . . . . . . 140
Task 6: Define User Authentication in
IPv4 Access Rules . . . . . . . . . . . . . . . . . . . 141
Examples of User Authentication . . . . . . . . . . . 143
Using the Internal Database for Authenticating
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Using StoneGate with a Microsoft Active
Directory Server . . . . . . . . . . . . . . . . . . . . . . 143
Using SecurID Authentication with StoneGate
VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . 144
CHAPTER 14
HTTPS Inspection . . . . . . . . . . . . . . . . . . . . . . 147
Overview to HTTPS Inspection . . . . . . . . . . . . . 148
Configuration of HTTPS Inspection . . . . . . . . . . 149
Default Elements . . . . . . . . . . . . . . . . . . . . . 149
Configuration Workflow . . . . . . . . . . . . . . . . . 149
Task 1: Create Server Protection
Credentials Elements . . . . . . . . . . . . . . . . . 149
Task 2: Create Client Protection
Certificate Authority Elements . . . . . . . . . . . 150
Task 3: Specify HTTPS Inspection
Options in the Firewall Properties. . . . . . . . . 150
Task 4: Create an HTTPS Inspection
Exceptions Element . . . . . . . . . . . . . . . . . . 150
Task 5: Create a Custom HTTPS
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Task 6: Create an IPv4 Access Rule. . . . . . . 150
Using HTTPS Inspection . . . . . . . . . . . . . . . . . 151
Security Considerations . . . . . . . . . . . . . . . . 151
Virus Scanning of Decrypted HTTPS Traffic . . . 151
Examples of HTTPS Inspection. . . . . . . . . . . . . 151
Server Protection . . . . . . . . . . . . . . . . . . . . . 151
Client Protection . . . . . . . . . . . . . . . . . . . . . 152
CHAPTER 15
Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 153
Overview to Web Filtering . . . . . . . . . . . . . . . . 154
Configuration of Web Filtering . . . . . . . . . . . . . 154
Default Elements . . . . . . . . . . . . . . . . . . . . . 155
Configuration Workflow. . . . . . . . . . . . . . . . . 155
Task 1: Prepare the Firewall . . . . . . . . . . . . 155
Task 2: Create User Response Messages . . 155
Task 3: Blacklist/Whitelist Individual URLs . 155
Task 4: Configure Web Filtering Rules
in the Policy. . . . . . . . . . . . . . . . . . . . . . . . 155
Examples of Web Filtering. . . . . . . . . . . . . . . . 156
Allowing a Blocked URL . . . . . . . . . . . . . . . . 156
CHAPTER 16
Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . 157
Overview to Virus Scanning. . . . . . . . . . . . . . . 158
Configuration of Virus Scanning . . . . . . . . . . . 158
Configuration Workflow. . . . . . . . . . . . . . . . . 158
Task 1: Activate the Anti-Virus Feature
for a Firewall . . . . . . . . . . . . . . . . . . . . . . . 158
Task 2: Select Traffic for Inspection
with Access Rules . . . . . . . . . . . . . . . . . . . 158
Task 3: Define the Content Not to Be
Scanned . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Using Virus Scanning . . . . . . . . . . . . . . . . . . . 159
Integrated Scanning vs. Content Inspection
Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Limitations of Virus Scanning on Clusters . . . 159
CHAPTER 17
External Content Inspection . . . . . . . . . . . . . . 161
Overview to Content Inspection . . . . . . . . . . . . 162
Configuration of Content Inspection. . . . . . . . . 163
Default Elements . . . . . . . . . . . . . . . . . . . . . 163
Configuration Workflow. . . . . . . . . . . . . . . . . 164
Task 1: Create a CIS Server Element. . . . . . 164
Task 2: Create a Custom Service for
Content Inspection Server Redirection. . . . . 164
Task 3: Define Access Rules for
Redirection . . . . . . . . . . . . . . . . . . . . . . . . 164
Task 4: Configure NAT Rules for
Content Inspection Server Redirection. . . . . 164
Using Content Inspection . . . . . . . . . . . . . . . . 165
Example of Content Inspection . . . . . . . . . . . . 166
Inspecting Internal User’s Web Browsing and
File Transfers. . . . . . . . . . . . . . . . . . . . . . . . 166
6
Table of Contents
CHAPTER 18
Situations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview to Situations . . . . . . . . . . . . . . . . . . 170
Configuration of Situations . . . . . . . . . . . . . . . 170
Situation Contexts . . . . . . . . . . . . . . . . . . . . 171
Anti-Virus Contexts . . . . . . . . . . . . . . . . . . . 171
Protocol-Specific Contexts. . . . . . . . . . . . . . 171
System Contexts . . . . . . . . . . . . . . . . . . . . 171
Default Elements . . . . . . . . . . . . . . . . . . . . . 172
Configuration Workflow . . . . . . . . . . . . . . . . . 172
Task 1: Create a Situation Element . . . . . . . 172
Task 2: Add a Context for the
Situation . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Task 3: Associate Tags and/or Situation
Types with the Situation . . . . . . . . . . . . . . . 173
Task 4: Associate the Situation with a
Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . 173
Using Situations . . . . . . . . . . . . . . . . . . . . . . . 173
Example of Custom Situations. . . . . . . . . . . . . 174
Detecting the Use of Forbidden Software . . . . 174
CHAPTER 19
Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Overview to Blacklisting . . . . . . . . . . . . . . . . . 176
Risks of Blacklisting . . . . . . . . . . . . . . . . . . . 176
Whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuration of Blacklisting . . . . . . . . . . . . . . 177
Configuration Workflow . . . . . . . . . . . . . . . . . 177
Task 1: Define Blacklisting in Access
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Task 2: Define Analyzer-to-Firewall or
Analyzer-to-Sensor Connections . . . . . . . . . . 178
Task 3: Define Inspection Rules in the
IPS Policy. . . . . . . . . . . . . . . . . . . . . . . . . . 178
Using Blacklisting . . . . . . . . . . . . . . . . . . . . . . 178
Automatic Blacklisting. . . . . . . . . . . . . . . . . . 178
Monitoring Blacklisting . . . . . . . . . . . . . . . . . 179
Examples of Blacklisting . . . . . . . . . . . . . . . . . 179
Blacklisting Traffic from a Specific IP Address
Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Automatic Blacklisting with IPS . . . . . . . . . . . 179
TRAFFIC MANAGEMENT
CHAPTER 20
Outbound Traffic Management . . . . . . . . . . . . . 183
Overview to Outbound Traffic Management . . . . 184
Configuration of Multi-Link. . . . . . . . . . . . . . . . 184
Load Balancing Methods. . . . . . . . . . . . . . . . 185
Standby NetLinks for High Availability . . . . . . 185
Link Status Probing . . . . . . . . . . . . . . . . . . . 185
Configuration Workflow. . . . . . . . . . . . . . . . . 186
Task 1: Create NetLink Elements . . . . . . . . 186
Task 2: Configure Routing for NetLinks . . . . 186
Task 3: Combine NetLinks into Outbound
Multi-Link Elements . . . . . . . . . . . . . . . . . . 186
Task 4: Create NAT Rules for Outbound
Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Using Multi-Link . . . . . . . . . . . . . . . . . . . . . . . 187
Multi-Link with a Single Firewall. . . . . . . . . . . 187
Multi-Link with a Firewall Cluster . . . . . . . . . . 188
Using Multiple Outbound Multi-Link elements. 189
Examples of Multi-Link . . . . . . . . . . . . . . . . . . 189
Preparing for ISP Breakdown. . . . . . . . . . . . . 189
Excluding a NetLink from Handling a QoS
Class of Traffic. . . . . . . . . . . . . . . . . . . . . . . 189
Balancing Traffic According to Link Capacity . . 190
Balancing Traffic between Internet Connections 190
CHAPTER 21
Inbound Traffic Management. . . . . . . . . . . . . . 191
Overview to Server Pool Configuration . . . . . . . 192
Configuration of Server Pools . . . . . . . . . . . . . 192
Multi-Link for Server Pools . . . . . . . . . . . . . . 193
Default Elements . . . . . . . . . . . . . . . . . . . . . 193
Configuration Workflow. . . . . . . . . . . . . . . . . 194
Task 1: Define Hosts . . . . . . . . . . . . . . . . . 194
Task 2: Combine Hosts into a Server
Pool Element . . . . . . . . . . . . . . . . . . . . . . . 194
Task 3: Configure the External DNS
Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Task 4: Create an Inbound Load
Balancing Rule . . . . . . . . . . . . . . . . . . . . . 194
Task 5: Set up Server Pool Monitoring
Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Using Server Pools. . . . . . . . . . . . . . . . . . . . . 195
Dynamic DNS (DDNS) Updates . . . . . . . . . . . 195
Using Server Pool Monitoring Agents . . . . . . . 195
Examples of Server Pools . . . . . . . . . . . . . . . . 197
Load Balancing for Web Servers . . . . . . . . . . 197
Setting up Multi-Link and Dynamic DNS
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
CHAPTER 22
Bandwidth Management And Traffic Prioritization 199
Overview to Bandwidth Management and Traffic
Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . 200
Bandwidth Management . . . . . . . . . . . . . . . . 200
Traffic Prioritization. . . . . . . . . . . . . . . . . . . . 200
Table of Contents
7
Effects of Bandwidth Management and
Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . 200
Configuration of Limits, Guarantees, and Priorities
for Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Default Elements . . . . . . . . . . . . . . . . . . . . . 202
Configuration Workflow . . . . . . . . . . . . . . . . . 202
Task 1: Define QoS Classes . . . . . . . . . . . . 202
Task 2: Define QoS Policies . . . . . . . . . . . . 203
Task 3: Assign QoS Classes to Traffic . . . . . 204
Task 4: Define QoS for Physical or
VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . 204
Using Bandwidth Management and Traffic
Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . 205
Implementation Options . . . . . . . . . . . . . . . . 205
Designing QoS Policies . . . . . . . . . . . . . . . . . 205
Communicating Priorities with DSCP Codes . . 206
Managing Bandwidth of Incoming Traffic . . . . . 207
Examples of Bandwidth Management and Traffic
Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . 208
Ensuring Quality of Important Communications 208
Preparing for ISP Breakdown . . . . . . . . . . . . . 209
Limiting the Total Bandwidth Required . . . . . . 210
VIRTUAL PRIVATE NETWORKS
CHAPTER 23
Overview to VPNs . . . . . . . . . . . . . . . . . . . . . . 213
Introduction to VPNs . . . . . . . . . . . . . . . . . . . . 214
IPsec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Security Associations (SA). . . . . . . . . . . . . . . 215
Internet Key Exchange (IKE). . . . . . . . . . . . . . 215
Perfect Forward Secrecy (PFS) . . . . . . . . . . . . 216
AH and ESP . . . . . . . . . . . . . . . . . . . . . . . . . 216
Authentication . . . . . . . . . . . . . . . . . . . . . . . 217
Tunnel and Transport Modes . . . . . . . . . . . . . 217
VPN Topologies. . . . . . . . . . . . . . . . . . . . . . . . 217
CHAPTER 24
VPN Configuration . . . . . . . . . . . . . . . . . . . . . 221
Overview to VPN Configuration . . . . . . . . . . . . . 222
Configuration of VPNs . . . . . . . . . . . . . . . . . . . 222
Default Elements . . . . . . . . . . . . . . . . . . . . . 224
Configuration Workflow. . . . . . . . . . . . . . . . . 224
Task 1: Define the Gateway Settings. . . . . . 224
Task 2: Define the Gateway Profile . . . . . . . 224
Task 3: Define the Gateways . . . . . . . . . . . 225
Task 4: Define the Sites. . . . . . . . . . . . . . . 225
Task 5: Create Certificates . . . . . . . . . . . . . 226
Task 6: Define the VPN Profile . . . . . . . . . . 226
Task 7: Define the VPN Element . . . . . . . . . 226
Task 8: Modify the Firewall Policy . . . . . . . . 227
Task 9: Configure VPN Clients and
External Gateway Devices. . . . . . . . . . . . . . 228
Using VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 228
VPN Logging . . . . . . . . . . . . . . . . . . . . . . . . 229
Using a Dynamic IP Address for a VPN
End-Point. . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Using a NAT Address for a VPN End-Point. . . . 229
Supported Authentication and Encryption
Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
FIPS Mode. . . . . . . . . . . . . . . . . . . . . . . . . 230
GOST-Compliant Systems . . . . . . . . . . . . . . 230
Message Digest Algorithms . . . . . . . . . . . . 230
Authentication Methods . . . . . . . . . . . . . . . 231
Encryption Algorithms. . . . . . . . . . . . . . . . . 232
Using Pre-Shared Key Authentication . . . . . . . 233
Using Certificate Authentication . . . . . . . . . . 233
Validity of Certificates . . . . . . . . . . . . . . . . 234
Internal VPN Certificate Authority. . . . . . . . . 234
External Certificate Authorities . . . . . . . . . . 235
Configuring VPNs with External Gateway
Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Clustering and VPNs. . . . . . . . . . . . . . . . . . . 236
Multi-Link VPN . . . . . . . . . . . . . . . . . . . . . . . 237
Examples of VPN Configurations . . . . . . . . . . . 238
Creating a VPN Between Three Offices. . . . . . 238
Creating a VPN for Mobile Users . . . . . . . . . . 239
Creating a VPN That Requires NAT. . . . . . . . . 240
APPENDICES
APPENDIX A
Command Line Tools. . . . . . . . . . . . . . . . . . . . 245
Management Center Commands . . . . . . . . . . . 246
Engine Commands . . . . . . . . . . . . . . . . . . . . . 254
Server Pool Monitoring Agent Commands. . . . . 259
APPENDIX B
Default Communication Ports . . . . . . . . . . . . . 261
8
Table of Contents
Management Center Ports . . . . . . . . . . . . . . . 262
Firewall/VPN Engine Ports . . . . . . . . . . . . . . . 264
APPENDIX C
Predefined Aliases . . . . . . . . . . . . . . . . . . . . . . 269
Pre-Defined User Aliases. . . . . . . . . . . . . . . . . 270
System Aliases. . . . . . . . . . . . . . . . . . . . . . . . 270
APPENDIX D
Regular Expression Syntax . . . . . . . . . . . . . . . . 273
Syntax for StoneGate Regular Expressions . . . . 274
Special Character Sequences . . . . . . . . . . . . . 276
Pattern-Matching Modifiers . . . . . . . . . . . . . . . 277
Bit Variable Extensions . . . . . . . . . . . . . . . . . . 278
Variable Expression Evaluation . . . . . . . . . . . . 280
Stream Operations . . . . . . . . . . . . . . . . . . . . 282
Other Expressions . . . . . . . . . . . . . . . . . . . . 283
System Variables . . . . . . . . . . . . . . . . . . . . . . 284
Independent Subexpressions. . . . . . . . . . . . . . 285
Parallel Matching Groups. . . . . . . . . . . . . . . . . 286
APPENDIX E
Schema Updates for External LDAP Servers . . . 287
APPENDIX F
SNMP Traps and MIBs . . . . . . . . . . . . . . . . . . . 289
APPENDIX G
Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . 301
The General Features of Multicasting . . . . . . . . 302
Multicasting vs. Unicasting . . . . . . . . . . . . . . 302
Multicasting vs. Broadcasting . . . . . . . . . . . . 302
IP Multicasting Overview . . . . . . . . . . . . . . . . . 302
Multicasting Applications . . . . . . . . . . . . . . . 303
Internet Group Management Protocol . . . . . . . . 303
Membership Messages. . . . . . . . . . . . . . . . . 303
Ethernet Multicasting . . . . . . . . . . . . . . . . . . . 304
Multicasting and StoneGate . . . . . . . . . . . . . . 304
Unicast MAC . . . . . . . . . . . . . . . . . . . . . . . . 305
Multicast MAC . . . . . . . . . . . . . . . . . . . . . . . 306
Multicast MAC with IGMP . . . . . . . . . . . . . . . 307
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Table of Contents
9
10
Table of Contents
INTRODUCTION
In this section:
Using StoneGate Documentation - 13
Introduction to Firewalls - 17
Introduction to StoneGate Firewall/VPN - 25
StoneGate Firewall/VPN Deployment - 33
11
12
CHAPTER 1
USING STONEGATE DOCUMENTATION
Welcome to StoneGate™ High Availability Firewall/VPN solution by Stonesoft Corporation. This
chapter describes how to use this Guide and related documentation. It also provides
directions for obtaining technical support and giving feedback about the documentation.
The following sections are included:
How to Use This Guide (page 14)
Documentation Available (page 15)
Contact Information (page 16)
13
How to Use This Guide
This Reference Guide provides information that helps administrators of StoneGate firewalls
understand the system and its features. It provides high-level descriptions and examples of the
configuration workflows.
This guide is divided into several sections. The chapters in the first section provide a general
introduction to StoneGate firewalls. The sections that follow each include chapters related to
one feature area. The last section provides detailed reference information in tabular form, and
some guideline information.
For other available documentation, see Documentation Available (page 15).
Typographical Conventions
The following typographical conventions are used throughout the guide:
Table 1.1 Typographical Conventions
Formatting Informative Uses
Normal text This is normal text.
User Interface text
References, terms
Command line
User input User input on screen is in monospaced bold-face.
Command parameters Command parameter names are in monospaced italics.
Text you see in the User Interface (buttons, menus, etc.) and any
other interaction with the user interface are in bold-face.
Cross-references and first use of acronyms and terms are in
italics.
File names, directories, and text displayed on the screen are
monospaced.
We use the following ways to indicate important or additional information:
Note – Notes provide important information that prevents mistakes or helps you complete
a task.
Caution – Cautions provide critical information that you must take into account to prevent
breaches of security, information loss, or system downtime.
Tip – Tips provide information that is not crucial, but may still be helpful.
14
Chapter 1 Using StoneGate Documentation
Documentation Available
StoneGate technical documentation is divided into two main categories: Product Documentation
and Support Documentation. Each StoneGate product has a separate set of manuals.
Product Documentation
The table below lists the available product documentation. PDF guides are available on the
Management Center CD-ROM and at http://www.stonesoft.com/support/.
Table 1.2 Product Documentation
Guide Description
Explains the operation and features of StoneGate comprehensively.
Reference Guide
Installation Guide
Online Help
Demonstrates the general workflow and provides example scenarios
for each feature area. Available for StoneGate Management Center,
Firewall/VPN, and StoneGate IPS.
Instructions for planning, installing, and upgrading a StoneGate
system. Available for StoneGate Management Center, Firewall/VPN,
IPS, and SOHO firewall products.
Describes how to configure and manage the system step-by-step.
Accessible through the Help menu and by using the Help button or
the F1 key in any window or dialog. Available in the StoneGate
Management Client and the StoneGate Web Portal. An HTML-based
system is available in the StoneGate SSL VPN Administrator through
help links and icons.
Describes how to configure and manage the system step-by-step.
Administrator’s Guide
User’s Guide
Appliance Installation Guide
Available as a combined guide for both StoneGate Firewall/VPN and
StoneGate IPS, and as separate guides for StoneGate SSL VPN and
StoneGate IPsec VPN Client.
Instructions for end-users. Available for the StoneGate IPsec VPN
Client and the StoneGate Web Portal.
Instructions for physically installing and maintaining StoneGate
appliances (rack mounting, cabling, etc.). Available for all StoneGate
hardware appliances.
Support Documentation
The StoneGate support documentation provides additional and late-breaking technical
information. These technical documents support the StoneGate Guide books, for example, by
giving further examples on specific configuration scenarios.
The latest StoneGate technical documentation is available on the Stonesoft website at http://
www.stonesoft.com/support/.
Documentation Available
15
System Requirements
The certified platforms for running StoneGate engine software can be found at the product
pages at http://www.stonesoft.com/en/products_and_solutions/products/fw/
Software_Solutions/.
The hardware and software requirements for the version of StoneGate you are running can also
be found in the Release Notes, available at the Stonesoft Support Documentation pages.
Contact Information
For street addresses, phone numbers, and general information about StoneGate and Stonesoft
Corporation, visit our website at http://www.stonesoft.com/.
Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website at
https://my.stonesoft.com/managelicense.do.
For license-related queries, e-mail order@stonesoft.com.
Technical Support
Stonesoft offers global technical support services for Stonesoft’s product families. For more
information on technical support, visit the Support section at the Stonesoft website at http://
www.stonesoft.com/support/.
Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to
receive any suggestions you may have for improvements.
• To comment on software and hardware products, e-mail feedback@stonesoft.com.
• To comment on the documentation, e-mail documentation@stonesoft.com.
Other Queries
For queries regarding other matters, e-mail info@stonesoft.com.
16
Chapter 1 Using StoneGate Documentation
CHAPTER 2
INTRODUCTION TO FIREWALLS
This chapter introduces and discusses the underlying security principles of firewalls in
general. In this chapter we will discuss what firewalls are, which different types of firewalls
there are, how they are used, what they are capable of, as well as what their possible
weaknesses are.
The following sections are included:
The Role of the Firewall (page 18)
Firewall Technologies (page 18)
Additional Firewall Features (page 21)
Firewall Weaknesses (page 23)
17
The Role of the Firewall
Firewalls are the primary tool for perimeter access control between networks with different
security levels. Firewalls control the traffic between networks and deny access that does not
look like acceptable business use as defined by the administrators.
The generally accepted principle of access control is whatever is not expressly permitted is
denied. The most secure network is achieved when nobody and nothing is permitted entry to the
protected network. In most cases, such a network is naturally too limited, so a firewall must be
introduced to allow specific limited services to pass in a safe way. That means that in order for
any traffic to be allowed into the network, it must first match an explicit “allow” rule.
There are three main types of platforms for running a firewall:
• Dedicated firewall appliances.
• Firewall software installed on a server dedicated to be used as a firewall.
• Firewall software running as a virtual machine in a virtualized server environment.
The StoneGate Firewall/VPN is available on all of these platform types.
Regardless of the type of platform, the network structure in which the firewalls are placed must
be carefully designed so that there are no loopholes or back doors. Firewalls can only control
traffic that actually passes through them; even the most carefully planned firewall system can
be undermined by a single back door that allows traffic to circumvent the firewall.
In addition to access control, modern firewall devices often include a variety of additional
integrated features, such as intrusion prevention systems (IPS), content filtering, and anti-virus.
In this chapter, the additional features are discussed separately, and the main discussion
concentrates on the primary role of access control. Such additional features in StoneGate
firewalls are covered in more detail in section Additional Firewall Features (page 21) and in other
chapters of this book.
Firewall Technologies
This section presents an overview to the main firewall techniques, and explains how StoneGate
uses them. The discussion here is limited to the traditional firewall component of a firewall
system; the various additional inspection features that modern firewalls often incorporate are
discussed separately.
Traditional firewall features are commonly achieved through three main techniques:
• packet filtering
• proxy firewalls
• stateful inspection.
The next sections first discuss these techniques separately and then explains how they can be
utilized together to achieve an optimal balance between performance and security.
Packet Filtering
Packet filtering examines the header information of packets and allows or stops each packet
individually. In addition to firewalls, such simple access control lists (ACLs) are implemented on
most common routing devices. Pure packet filters cannot protect against protocol misuse or
18
Chapter 2 Introduction to Firewalls
other malicious contents in higher levels of the protocol stack. However, for some simple
network protocols, packet filtering can be light on firewall resources and even provide an
adequate level of protection.
Proxy Firewalls
Proxy firewalls are firewalls running application proxy services. Proxies are a man-in-the-middle,
and they establish their own separate connections to both the client and the server. This type of
firewall is fully application-aware, and therefore very secure, but at the same time there’s a
trade-off in performance due to the inevitable increase in overhead.
Illustration 2.1 Proxy Firewall Model
Stateful Inspection
Stateful inspection firewalls are aware of basic networking standards and use historical data
about connections in determining whether to allow or stop a packet. They track the established
connections and their states in dynamic state tables and ensure that the connections comply
with the security policies and protocol standards.
Since stateful inspection understands the context of connections (and therefore can relate the
returning packets to appropriate connections), connections already determined to be “secure”
can be allowed without full examination based on previous packets. This is especially important
with services such as FTP, which can open several related connections that do not match a
single basic profile. Even though Stateful inspection has some application awareness, it
concentrates on protocols, not on inspecting data at the application layer.
StoneGate Multi-Layer Inspection
StoneGate Multi-Layer Inspection combines application layer inspection, stateful inspection, and
packet filtering technologies flexibly for optimal security and system performance. Like stateful
inspection, StoneGate uses state tables to track connections and judge whether a packet is a
part of an established connection or not. The StoneGate firewall also features application-layer
inspection through specific Protocol Agents, when necessary, for enhanced security to inspect
data all the way up to the application layer. The StoneGate firewall can also act as a packet filter
for types of connections that do not require the security considerations of stateful inspection.
Firewall Technologies
19
Illustration 2.2 Multi-layer Inspection Model
By default, all StoneGate firewall Access rules implement stateful inspection, but the
administrator can flexibly configure rules with simple packet filtering or an additional layer of
application level security as needed.
StoneGate firewalls apply application level inspection with or without proxying the connections,
depending on what is required. Application level inspection can be selected to certain types of
traffic by attaching a connection to a protocol-specific Protocol Agent.
Protocol Agents are also used to handle protocols that generate complex connection patterns,
to redirect traffic to content inspection servers, and to modify data payload if necessary. For
example, the FTP Protocol Agent, can inspect the control connection and only allow packets
containing valid FTP commands. If an FTP data connection is opened using a dynamically
assigned port, the Protocol Agent reads the port and allows the traffic. If NAT (network address
translation) is applied to the connection, the Protocol Agent can also modify the IP address and
port transported in the packet payload to allow the connection to continue despite the NAT. The
Protocol Agents are covered in more detail in Protocol Agents (page 123).
20
Chapter 2 Introduction to Firewalls
Additional Firewall Features
A firewall can have several different functions on a network. Although a firewall’s main function
is to control network access, they can be used in several complementary roles depending on the
firewall product used. This discussion concentrates on the main features available in StoneGate
products.
Authentication
The primary task of any firewall is to control access to data resources, so that only authorized
connections are allowed. Adding an authentication requirement to firewall policies allows the
firewall to also consider the user before access is granted.
For more information on authentication in StoneGate, see User Authentication (page 133).
Deep Packet Inspection and Unified Threat Management
Deep packet inspection includes measures such as virus detection, Web content filtering,
intrusion detection, or some other check of the actual data being transferred. When several
such features are combined together with a firewall, the solution is often called unified threat
management (UTM). StoneGate offers a UTM solution that includes:
• Virus checking.
• URL filtering.
• Intrusion detection.
By combining several features, a UTM solution simplifies the physical network setup and makes
the administration simpler. However, device performance limits can be quickly reached when
several advanced inspection features are active. Therefore, UTM firewalls are generally used in
environments where the traffic load stays relatively low even at peak times. When higher traffic
volumes are needed, external content inspection servers and IPS devices are more often used
for further inspecting the traffic.
For more information on the advanced traffic inspection features in StoneGate, see Inspection
Rules (page 99), Virus Scanning (page 157), and Web Filtering (page 153).
Integration With External Content Inspection
External content inspection servers (CIS) are a preferred choice in high traffic environments, as
they offer better hardware optimization. Content inspection services can be run on a dedicated
physical or virtual server that can be configured, scaled, and exchanged independently from the
firewall. The firewall redirects the traffic to the CIS, which either strips anything deemed
malicious from the packet or drops the packet altogether, according to what the security rules in
force on the CIS define. Screened traffic continues to the destination.
Additional Firewall Features
21
Illustration 2.3 Content Screening with CIS
Client Server
Content Inspection Server
Firewall
For instance, incoming SMTP e-mail traffic could be forwarded from the firewall to the CIS for
virus and content checking. The CIS removes suspicious content and the “scrubbed” packets
are returned back to the firewall for routing to their final destination.
For more information on integrating a CIS with StoneGate, see External Content Inspection
(page 161).
In addition to sending traffic to external content inspection, StoneGate Firewalls also integrate
with StoneGate IPS. The firewalls accept blacklisting requests from the IPS and can therefore
stop traffic that the IPS has detected to be harmful.
For more information on integration with external StoneGate IPS components, see Blacklisting
(page 175).
Load Balancing and Traffic Management
As an access controller with address translation duties, a firewall is also a natural point for
affecting the distribution of traffic load. StoneGate firewalls utilize the Stonesoft’s patented
Multi-Link technology to flexibly use several standard network links to increase bandwidth and
provide automatic failover when links go down.
For more information on traffic management in StoneGate, see Outbound Traffic Management
(page 183) and Inbound Traffic Management (page 191).
Outbound bandwidth can be additionally managed through QoS measures by setting priorities,
limits, and guarantees for different types of traffic.
For more information on the QoS features in StoneGate, see Bandwidth Management And Traffic
Prioritization (page 199).
Logging and Reporting
As a perimeter security device a firewall is a primary tool for logging the traffic that crosses or
attempts to cross the network perimeter. Properly recorded log data can be used to monitor the
capacity of networks, detect network misuse and intruders, and even to establish evidence to
use against attackers.
Since a firewall operating in any corporate-type setting will quickly generate huge masses of log
data, it is essential to have efficient tools to access and manage the logs in the form of filtered
views, statistics, and reports. Consolidating logs from several sources is also vital in supporting
the administrators in fully understanding the numerous network events.
For more information on logging in StoneGate, see the Management Center Reference Guide.
22
Chapter 2 Introduction to Firewalls
Network Address Translation (NAT)
Network address translation (NAT) modifies the IP headers of packets, changing IP address and
port information for the source and/or destination. Originally created to alleviate the problem of
the rapidly diminishing IP address space, NAT has an added benefit; it can be used to conceal
the private IP addresses of hosts and the structure of an internal network. In fact, NAT enables
even hiding an entire network behind a single public IP address. As handy as NAT is, it is
important to understand that NAT is not primarily a security feature. It simply a method of
modifying packets that lends itself to security applications.
For more information on NAT in StoneGate, see Network Address Translation (NAT) Rules
(page 109).
VPNs
VPNs (virtual private networks) conceal and encrypt traffic between end-points to establish a
virtual, secure tunnel through an insecure network.
In IPsec VPNs, a firewall transparently encrypts and decrypts data exchanges at the network
layer with some other IPsec VPN end-point on behalf of any number of computers. IPsec VPNs
can also provide remote access to internal resources for individual client computers that have a
VPN client application installed. IPsec VPNs are a good fit for VPN access that involves many
communicating parties and/or many different applications.
SSL VPNs (secure socket layer virtual private networks) provide clientless access by utilizing the
SSL encryption features included in Web browsers. Users log in to a portal to access those
resources that administrators have specifically configured. SSL VPNs are a good fit when there
is a need to provide remote access to a few specific resources from various different types of
devices and platforms.
StoneGate SSL VPN is available as a separate appliance product. For more information on
StoneGate SSL VPN, refer to the SSL VPN Administrator’s Guide.
IPsec VPN features are integrated in the firewall. For more information on IPsec VPNs, see
Overview to VPNs (page 213). For more information on how IPsec VPNs are configured in
StoneGate, see VPN Configuration (page 221).
Firewall Weaknesses
Complexity of Administration
When a complex system is maintained with limited resources, the ease of administration
becomes crucial. A great part of the benefits of a security system are wasted if administrators
find it difficult to keep up with monitoring the system and the requests for adjusting its policies,
if upgrades have to be postponed due to the effort required, or if there is no support for
checking and finding errors in the configuration.
Ease of administration is central to the StoneGate Management Center. StoneGate’s centralized
management system provides the administrators more visibility into the whole network,
simplifies and automates system maintenance tasks, and reduces the work required to
configure the system. If you think the system could work even better for you, let us know by
writing to feedback@stonesoft.com.
Firewall Weaknesses
23
Single Point of Failure
As a network choke point, the failure of the firewall to pass traffic can mean that the network
connectivity is completely cut off. In some environments, this small risk can be considered
acceptable. However, an increasing number of organizations require network connectivity to
conduct business, so a reliable high availability solution is required.
StoneGate firewalls have built-in support for clustering, which allows operating up to 16 physical
firewall devices as a single unit. All units can actively handle traffic at the same time. No special
configuration is required in the surrounding network to achieve this, as the whole
implementation is achieved through basic networking standards. Units can be plugged in, taken
out, and replaced flexibly without cutting network connectivity from the users.
For more information on clustering StoneGate firewalls, see Firewall Cluster Configuration
(page 47).
Worms, Viruses, and Targeted Attacks
As essential as a firewall is, it should not cause a false sense of being safe from all harm in the
organization. There are many security threats that the firewall cannot stop, even if it
incorporates several different kinds of additional inspection methods:
• Many virus and worm outbreaks and even many intentional attacks may start within an
organization’s internal network. Malicious code can be introduced to the network on
removable media, unauthorized equipment attached to the network, or on the laptops of
travelling users. The firewall has no way to detect and prevent something before it crosses a
network boundary that the firewall enforces.
• Attackers may be able to bypass security measures by obtaining legitimate credentials of
users or even administrators through spying and social engineering. If the firewall is not
properly secured, it may itself be susceptible to a targeted attack. If the attacker gains
remote administrator access or physical access to the firewall, the system can be covertly
altered to allow and conceal further malicious activities.
• A denial-of-service attack may consume all of the inbound bandwidth before any of the
organization’s own security devices receive the traffic.
24
In many of these cases, the firewall may still be useful for containing damage and for collecting
more information on what has taken place.
Chapter 2 Introduction to Firewalls
CHAPTER 3
INTRODUCTION TO STONEGATE
FIREWALL/VPN
This chapter gives you an overview of the StoneGate Firewall/VPN system’s architecture and
how the system inspects traffic.
The following sections are included:
The StoneGate Security Platform (page 26)
StoneGate Firewall/VPN System Components (page 27)
Main Benefits of StoneGate Firewall/VPN (page 28)
25
The StoneGate Security Platform
StoneGate Firewall/VPN is part of the StoneGate security platform, which is especially wellsuited to complex and distributed network environments. In addition to firewalls and virtual
private networking, the StoneGate security platform also provides intrusion detection and
prevention.
Illustration 3.1 StoneGate Security Platform in Distributed Networks
The configuration, monitoring, and control of the system is done through a centralized
management system that provides a single point of contact for a large number of geographically
distributed administrators. The unified management platform provides major benefits for
organizations of all sizes:
• Interaction between the firewall and IPS components in the same system creates real
security benefits by allowing automatic coordinated responses when a security threat is
detected, providing instant blocking of unwanted traffic, and reducing the the need for
immediate human intervention.
• Multiple administrators can log in at the same time to efficiently configure and monitor all
StoneGate components. The system provides a single user interface that allows unified
configuration, monitoring, and reporting of the whole StoneGate security platform with the
same tools and within the same user session.
• The reuse of configuration information across components in the system allows you to avoid
the laborious and error-prone duplicate work of configuring the same details for all
components individually or exporting and importing the configurations between multiple
separate systems.
• The system is designed to manage large installations and to be geographically distributed, so
it is flexible and allows scaling up the existing components and adding new types of
components to the system without sacrificing ease-of-use.
26
Chapter 3 Introduction to StoneGate Firewall/VPN
StoneGate Firewall/VPN System Components
The StoneGate system components and their roles are illustrated below.
Illustration 3.2 StoneGate Security Platform Components
One StoneGate Management Center can manage a large number of both Firewall/VPN and IPS
engines. The StoneGate distributed architecture allows deploying the system components
effectively in different network environments. You can flexibly add, remove, and reposition
StoneGate system components according to need.
The different system components are described in Table 3.1.
Table 3.1 StoneGate Firewall/VPN System Components
Component Description
Firewall/VPN engines Inspect and filter the traffic.
Management Servers and Log
Servers
Web Portal Servers
Management Clients
Store all configuration and log data and relay Management
Client commands to the engines.
Provide read-only access to a restricted amount of system
configuration information and logs.
Provide a user interface for configuring, controlling, and
monitoring all components in the StoneGate system. All tasks
are done centrally through a connection to the Management
Server.
StoneGate Firewall/VPN System Components
27
All communications between system components are authenticated and encrypted. The
firewall/VPN engines work independently according to their installed configuration, so even if
the connections to the Management Center are cut, the firewall/VPN system continues its
operation without interruption.
Firewall/VPN Engines
The term firewall engine refers to the combination of the physical device and the firewall/VPN
software, including the integrated operating system (a specially hardened version of Linux).
There is no need for separate operating system patches or upgrades; all software on the
engines is upgraded during the firewall/VPN software upgrade.
Firewall engines have the following representations in the Management Client:
• The Firewall element is a container for the main configuration information directly related to
the firewall.
• The individual physical firewall engines are shown as one or more Nodes under the main
Firewall element in some views of the Management Client.
Main Benefits of StoneGate Firewall/VPN
In addition to standard firewall features, the StoneGate Firewall/VPN system provides additional
advanced features.
Advanced Traffic Inspection
StoneGate’s traffic inspection process is designed to ensure a high level of security and
throughput.
The firewalls’ policies determine when to use stateful connection tracking, packet filtering, or
application-level security. The system expends the resources necessary for application-level
security only when the situation so demands and without unnecessarily slowing or limiting
network traffic.
Some types of connections can be selected for inspection of the data content against harmful
or otherwise undesired patterns in connections. The deep packet inspection features provide
IPS-type capabilities right on the firewall, and help in finding and stopping malicious or
suspicious network activities. You can even inspect the content of encrypted HTTPS connections
using the built-in deep packet inspection features.
An antivirus scanner complements the standard traffic inspection features when the firewall is
licensed for the UTM (unified threat management) feature.
28
Chapter 3 Introduction to StoneGate Firewall/VPN
Built-in Clustering for Load Balancing and High Availability
StoneGate provides innovative built-in clustering and load-balancing features that provide
several benefits over traditional solutions.
Traditionally, in order to achieve high availability on the firewall itself, additional hardware
switches, software clustering products, or special load balancing devices have been added and
maintained. This often results in the transfer of a single point of failure to another network
component—typically the network link.
In StoneGate, however, the clustering of the firewall engines is integrated in the product, thus
introducing true built-in high availability and load balancing. The firewall engines dynamically
load-balance individual connections between the cluster nodes, transparently transferring
connections to available nodes in case a node becomes overloaded or experiences a failure.
A firewall cluster can have a maximum of 16 nodes. With load balancing, the processing of
network traffic is automatically balanced between the cluster nodes. This way, the performance
of the StoneGate system can be upgraded by simply adding new nodes to the cluster when
necessary. Individual nodes can also be taken offline during business hours for maintenance
purposes; connections that were handled by that particular engine are transparently
redistributed to other online nodes.
StoneGate also comes with built-in technology for high availability and load-balancing between
different network connections as explained in the next section.
Multi-Link Technology
StoneGate single-node and clustered firewall installations both support Multi-Link, which
ensures high availability for network connections by utilizing alternative network links.
Multi-Link allows configuring redundant network connections out of standard network
connections without the complexity of traditional solutions that require redundant external
routers and switches. In contrast to many alternative solutions, there is no need to use complex
routing protocols, such as Border Gateway Protocol (BGP) and Hot Standby Routing Protocol
(HSRP), and peering arrangements between the ISPs.
Any IP-based link with a dedicated IP address range can be used as part of a Multi-Link
configuration. You can also define standby links that are used only when primary links fail. The
illustration that follows shows a basic Multi-Link setup with a single firewall that has two active
and one standby network links to the Internet.
Illustration 3.3 StoneGate Multi-Link Technology
Most often, multiple network links are used to ensure continuity of Internet access, but MultiLink can be used to provide redundant links to internal networks as well. The traffic is
dynamically balanced across the different connections based on a performance measurement
Main Benefits of StoneGate Firewall/VPN
29
or based on the links’ relative bandwidths. The traffic automatically fails over to other links when
the firewall detects that one of the links fails. The firewall uses network address translation
(NAT) to direct the traffic through the different links to make the source IP address valid for the
link used.
StoneGate Multi-Link technology provides highly available network connections for the following
scenarios:
• Outbound connections: Multi-Link routing ensures that outbound traffic always uses the
optimal link towards its destination and allows configuring standby links as backups. The
traffic can be distributed across the links in several different ways. For more information, see
Outbound Traffic Management (page 183).
• Inbound connections: the built-in inbound traffic management feature can utilize Multi-Link for
ensuring continuity of services your company offers to external users. For more information,
see Multi-Link for Server Pools (page 193).
• VPN connections: the Multi-Link tunnel selection for VPN traffic is done independently from
other types of traffic. Standby links can also be selected independently for a VPN. For more
information, see Multi-Link VPN (page 237).
Built-in Inbound Traffic Management
The built-in Server Pool feature allows StoneGate firewalls to monitor a pool of alternative
servers that offer the same service to the users. If one of the servers becomes unavailable or
overloaded, the firewall automatically redirects new connections to the alternative servers.
Server pools can also interact with the Multi-Link feature for high availability of the incoming
network connection.
For more information, see Inbound Traffic Management (page 191)
QoS and Bandwidth Management
Quality of Service (QoS) rules are interface-specific rules on a firewall that help you ensure that
important network services are given priority over less important traffic. Quality of Service and
bandwidth management features are not supported for Modem interfaces of single firewalls.
With QoS rules, you can set up a minimum and maximum bandwidth for traffic, and set a priority
value for the traffic based on type. You can also create QoS rules that read or write the priorities
in DiffServ Code Point (DSCP) type of service (ToS) field, so that StoneGate is aware of the
priorities set by other network equipment and other equipment is aware of the priorities set in
StoneGate.
For more information, see Bandwidth Management And Traffic Prioritization (page 199).
30
Chapter 3 Introduction to StoneGate Firewall/VPN
Loading...