Symantec SGM 1600 Installation Manual

Symantec™ Gateway Security 1600 Series v3.0
Installation Guide
Supported platforms:
1620, 1660
Symantec™ Gateway Security 1600 Series v3.0 Installation Guide
and Conditions. Symantec, the Symantec Logo, Symantec Gateway Security are trademarks or registered trademarks of Symantec Corporation in the United States and certain other countries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
This product requires a license file. The fastest and easiest way to register your service is to access the Symantec licensing and registration site at https://licensing.symantec.com/licenseapp/jsp/
See the Symantec Gateway Security 1600 Series v3.0 Getting Started Guide.
Contacting Technical Support
Customers with a current maintenance agreement may contact the Technical Support group online at www.symantec.com/techsupp and access the Get Enterprise Support link for information in North American English. For support in other languages, select the language for the appropriate Global Site, then select the continue link for enterprise.
Customers with Platinum support agreements may contact Platinum Technical Support by accessing the Platinum Web site at https://www-secure.symantec.com/platinum.
When contacting the Technical Support group, have the following information available:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description
Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Contacting Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/techsupp and access the Get Enterprise Support link for support in North American English. For support in other languages, select the language for the appropriate Global Site, then select the continue link for enterprise.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec’s technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Installing the appliance
About the Symantec Gateway Security 1600 Series v3.0
  Intended audience
Requirements for the installation
Installing the Symantec Gateway Security 1600 Series appliance
  Installing as a free-standing appliance
  Installing as a rack-mounted appliance
Symantec Gateway Security 1600 Series hardware
  Front panel status indicators
  Symantec Gateway Security 1600 Series back panel features
Connecting an uninterruptible power supply
Resetting the appliance to factory defaults
Restoring the appliance firmware with the Symantec Gateway Security OS Restore CD-ROM
Chapter 2 Developing a security plan
Defining your security policy
  Before writing your security plan
  Becoming security conscious
Educating users
  Involving the user community
Security policy worksheets
  Defining your organization
  Collecting hardware information
  Collecting your TCP/IP address
  Defining your allowed TCP/IP services
  Collecting email information for security gateway notifications
  Defining your Web services
  Defining your network architecture
Chapter 1 Installing the appliance
This chapter includes the following topics:
About the Symantec Gateway Security 1600 Series v3.0
Requirements for the installation
Installing the Symantec Gateway Security 1600 Series appliance
Symantec Gateway Security 1600 Series hardware
Connecting an uninterruptible power supply
Resetting the appliance to factory defaults
Restoring the appliance firmware with the Symantec Gateway Security OS Restore CD-ROM
About the Symantec Gateway Security 1600 Series v3.0
Symantec Gateway Security 1600 Series v3.0 is a comprehensive network security device that integrates firewall, VPN, antivirus, antispyware, antispam, intrusion detection and prevention, content filtering, and high availability/load balancing components into an appliance that protects networks at the gateway to the Internet or subnets of larger WANs and LANs.
Intended audience
This manual is intended for system managers or system administrators responsible for installing and administering Symantec Gateway Security 1600 Series appliances.
Warning: This is an electrically powered device. You must adhere to warnings and cautions when installing or working with the Symantec Gateway Security 1600 Series appliance. Read the installation instructions and heed all warnings before connecting the appliance to its power source. See the Symantec Gateway Security 1600 Series Getting Started Guide for all warning information about the Symantec Gateway Security 1600 Series appliances.
Requirements for the installation
Before you install and activate your Symantec Gateway Security 1600 Series appliance, you should review your security plan.
See “Developing a security plan” on page 17.
You can install the Symantec Gateway Security 1600 Series appliance on a flat surface or in a rack. When preparing to install your appliance, refer to the following guidelines:
Prepare a smooth and level surface
Place the appliance on a smooth and level surface, such as the top of a computer table or in a rack. Make sure that the area is clear of dust and debris.
Provide adequate ventilation
The installation site must meet minimum environmental specifications. Ensure that there is adequate space around the appliance to allow air circulation for cooling.
Caution: Never place objects on top of the appliance.
Ensure use of a proper power source
Install the appliance near a power source that provides adequate power and is located so that the power cord is not strained, stretched, or in danger of becoming unplugged.
Caution: Do not use an extension cord to supply power to this unit.
Locate the appliance and cables away from high-traffic areas
Install the appliance in an area that is out of the way of foot traffic.
Allow access to this area only by authorized security personnel
Installing the Symantec Gateway Security 1600 Series appliance
You can install the Symantec Gateway Security 1600 Series v3.0 appliance as a free-standing appliance or in a rack.
Installing as a free-standing appliance
The Symantec Gateway Security 1600 Series v3.0 can be installed as a free-standing appliance on a flat surface, such as a desktop or shelf. Install the Symantec Gateway Security 1600 Series v3.0 appliance at a location that meets the pre-installation requirements.
See “Requirements for the installation” on page 7.
When installing as a free-standing appliance, you must attach rubber feet to the bottom of the appliance.
See the Symantec Gateway Security 1600 Series v3.0 Getting Started Guide for instructions about attaching the rubber feet.
Installing as a rack-mounted appliance
This section describes how to install the appliance in a standard 19-inch equipment rack.
Each security gateway is provided with two rack mounting brackets for mounting on the front of two-post or four-post racks. Symantec Gateway Security 1600 Series v3.0 appliances cannot be mounted on two-post center racks. Because rack hardware can differ between sites, rack-mounting screws are not shipped with the security gateway. Before installing your appliance, obtain the proper screws for mounting the appliance in your rack.
The following rack-mounting procedure applies to all Symantec Gateway Security 1600 Series v3.0 appliances.
To install a rack-mounted appliance
1 Using the bracket screws supplied, connect the mounting brackets to the sides of the appliance.
2 Using the mounting screws provided with the rack, secure the mounting brackets to the equipment rack.
Symantec Gateway Security 1600 Series hardware
The Symantec Gateway Security 1600 Series v3.0 consists of the models 1620 and 1660. Both models run the same software and have the same front panel features.
Front panel status indicators
The front panel of the Symantec Gateway Security 1600 Series v3.0 contains status indicators to provide a quick visual status of the appliance.
Figure 1-1 shows the front panel status indicators.
Figure 1-1 Front panel status indicators
Table 1-1 describes the front panel status indicators.
Table 1-1 Front panel status indicators
Label | Feature | Description
1 | Power | On to indicate the power is on.
2 | Disk activity | Flashes intermittently when there is activity on the hard disk drive.
3 | Attention | On when the appliance needs attention or is not passing traffic. Check log messages for more information. See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information on log messages. Also on during the power on process.
4 | Ready | On when the security gateway is running.
5 | Network activity | Flashes intermittently when there is network traffic.
Table 1-2 describes the attention and ready status indicator states.
Table 1-2 Status indicator states
Attention | Ready | Description
on | off | Error during startup. Check log messages for more information. See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information on log messages.
off | slow blink | Normal startup in progress
slow blink | slow blink | Restoring appliance firmware
slow blink | on | The power button was pushed and the security gateway is shutting down. The reset button was pushed and the security gateway is restarting.
off | on | Normal operation, the security gateway is running.
fast blink | on | There is a problem with the security gateway. The problem could be over temperature, fan failure, or another issue. Check log messages for more information. See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information on log messages.
on | on | The security gateway started, but is not running. Before the initial setup wizard is completed, the indicators are in this configuration.
Symantec Gateway Security 1600 Series back panel features
This section describes the back panel features of the Symantec Gateway Security 1600 Series v3.0. All models of the Symantec Gateway Security 1600 Series appliances have Ethernet ports which can connect to 10/100/1000 Base-T networks. The back panels of the models 1660 and 1620 are different. The model 1660 has two additional Ethernet ports.
Figure 1-2 describes the back panel features for the Symantec Gateway Security 1660 appliance.
Figure 1-2 Symantec Gateway Security 1660 appliance back panel
Table 1-3 describes the Symantec Gateway Security 1660 back panel features.
Table 1-3 Model 1660 back panel features
Location | Feature | Description
1 | Reset button | Restarts the security gateway. Also used during the appliance firmware restore process. See “Restoring the appliance firmware with the Symantec Gateway Security OS Restore CD-ROM” on page 13.
2 | Master power switch | Turns the appliance on or off.
3 | Serial console port | Provides a connection for a local terminal emulator to access the appliance’s serial console menu (an abbreviated command line menu) and the Linux operating system. Primary configuration of the security gateway is through the Java-based SGMI. Making changes to the operating system is not supported. See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information on the serial console menu.
4 | USB ports | Provides a modem connection for dialing pager phone numbers for delivering notifications. Supports (but does not include) USB modems that use the standard AT command set for notifications. Complies with the USB CDC ACM specification. See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information. Lets you connect an Uninterruptible Power Supply (UPS) to the USB port for smart UPS support. See “Connecting an uninterruptible power supply” on page 11. Note: Either USB port can be used for either task.
5 | eth0 | Accepts a 10/100/1000 Base-T network cable that allows Ethernet network connection. This port is outlined in green and is used as an inside interface only.
6 | eth1 | Accepts a 10/100/1000 Base-T network cable that allows Ethernet network connection. This port is outlined in red and is used as an outside interface only.
7 | eth2 | Accepts a 10/100/1000 Base-T network cable that allows Ethernet network connection.
8 | eth3 | Accepts a 10/100/1000 Base-T network cable that allows Ethernet network connection. Available only on model 1660.
9 | eth4 | Accepts a 10/100/1000 Base-T network cable that allows Ethernet network connection. Available only on model 1660.
10 | Power socket | Connection for AC power cord.
Connecting an uninterruptible power supply
In the event of a power failure, using an Uninterruptible Power Supply (UPS) provides power for an additional period of time that allows you to control how the appliance is turned off. The appliance communicates directly to the UPS unit through a USB port.
The recommended supplier for UPS units is American Power Conversion (www.apcc.com). The UPS unit must support USB ports. Units that support serial ports only do not work with Symantec Gateway Security 1600 Series appliances.
To connect an uninterruptible power supply
1 Plug the UPS into a suitable power outlet.
2 Turn on the UPS.
3 Plug the Symantec Gateway Security 1600 Series power cord into the UPS power socket.
4 Connect the UPS USB cable to the UPS unit and the appliance.
After you have connected your UPS to the appliance, you can configure UPS support from the Security Gateway Management Interface (SGMI).
See the Symantec Gateway Security 1600 Series v3.0 Administration Guide for more information on configuring UPS support.
Resetting the appliance to factory defaults
Use the reset button to reset the security gateway to its original factory default state. Any previously installed license files will be maintained. After resetting the appliance to factory defaults, you must perform the initial setup process again.
See the Symantec Gateway Security 1600 Series Getting Started Guide for more information.
You can also reset the appliance to factory defaults using the serial console menu. See the Symantec Gateway Security 1600 Series Administration Guide for more information.
Caution: Any software patches, including LiveUpdates, that you may have applied are removed and must be reapplied. All network information and configuration data is removed.
See the Symantec Gateway Security 1600 Series Administration Guide for more information about backing up and restoring configurations.
To use the reset button to restore to factory defaults
1 Turn on and boot the appliance normally. Wait until the booting process has completed entirely.
2 On the back panel of the appliance, press the reset button in for at least 6 seconds.
After 5 seconds, on the front panel of the appliance, the attention indicator will start to blink.
3 Release the reset button for about 1-2 seconds.
The ready and attention indicators then start to slow blink alternately.
4 Press the reset button again for about 1-2 seconds, and then release.
The ready and attention indicators blink once as the restoration process starts. The process can take about 10 to 15 minutes. All files and configurations will be reverted to factory default states except any previously installed license files, which will be maintained.
When the ready indicator is on steadily, the appliance is restored.
Restoring the appliance firmware with the Symantec Gateway Security OS Restore CD-ROM
The Symantec Gateway Security OS Restore CD-ROM contains a Symantec Gateway Security 1600 Series v3.0 restore program. The restore program returns the appliance to its original factory condition. The difference between this restore procedure and the reset button procedure is that using the OS Restore CD-ROM will also delete any license files previously installed. You boot the OS Restore CD-ROM in a computer connected directly or by a network to the appliance.
Caution: The OS restore operation results in the complete overwriting of your existing appliance configuration. All configuration and license data is lost. You will need to reinstall your licenses.
For information on preserving your configuration settings, see the Symantec Gateway Security 1600 v3.0 Series Administration Guide.
Place the Symantec Gateway Security OS Restore CD-ROM that came with your security gateway in the computer that you would use if you needed to restore your firmware. Once the Symantec Gateway Security OS Restore CD-ROM boots, it tells you whether it found the appropriate hardware to continue the process. If it cannot use your network card, locate another computer with a different network interface type.
The requirements for the computer running the operating system restore program are as follows:
A computer with a BIOS that lets you boot from an IDE (ATAPI) CD-ROM.
Intel x86 based.
Bootable from a CD-ROM.
PII class processor with at least 64 MB of RAM
A single installed 10/100 or 10/100/1000 MB network interface card such as the following:
  Intel PRO/100+ SGS Adapter (PILA8470B)
  Linksys EtherFast 10/100 LAN Card (LNE100TX)
  Netgear Fast Ethernet PCI Adapter (FA312TX)
  3Com OfficeConnect Fast Ethernet NIC (3CSOHO100-TX)
  3Com Fast EtherLink XL PCI NIC (3C905B-TX)
Ethernet cable to connect the appliance directly to the eth0 network interface on the computer or a connection to a switch or hub to which the appliance is attached.
Restoring the appliance firmware requires that you turn on the appliance while the reset button is depressed. To successfully restore the appliance firmware to its original factory condition, you must allow this process to execute without interruption. This process can take approximately 15 minutes to complete.
To restore the appliance firmware
1 Turn off the power to the appliance using the power switch.
2 Connect the computer used to restore the appliance to the eth0 network interface, on the back of the appliance, using an Ethernet cable. You can also connect the computer using a switch or hub to which the appliance is connected.
3 On the computer used to restore the appliance, do the following:
Set the computer to boot from the CD-ROM.
Insert the Symantec Gateway Security OS Restore CD-ROM into the CD-ROM drive.
Reboot the computer.
4 When prompted to accept the Symantec Gateway Security Appliance License and Warranty Agreement, press the space bar to read the entire agreement. Type Y to accept the agreement, and then press Enter.
Do not follow the restore commands displayed. Proceed using the following steps in this procedure.
5 On the appliance, press and hold the reset button. With the reset button depressed, press and release the power button to turn on the appliance.
When the attention indicator on the front panel starts flashing, do the following:
Release the reset button, and then wait 1-2 seconds before proceeding. After 1-2 seconds, the ready indicator on the front panel begins to blink, indicating that the appliance is waiting for a confirmation of the network boot command.
To confirm the network boot command, press and hold the reset button for 1-2 seconds, and then release it. The network boot communication is attempted through the computer connected to eth0.
If the network boot communication is successful, the restore process starts. This process can take 15-20 minutes. The appliance reboots automatically after the restore process is complete, and then turns off.
6 Restart the computer used to do the restore and, during the initial boot process, remove the CD-ROM from the drive. The CD-ROM is not ejected automatically during the restart.
7 Turn on the security gateway using the power switch, and then perform the initial setup process again.
For information regarding initial setup, see the Symantec Gateway Security 1600 Series Getting Started Guide.
Chapter 2 Developing a security plan
This chapter includes the following topics:
Defining your security policy
Educating users
Security policy worksheets
Defining your security policy
Ideally, your security policy should be captured in a document that describes your organization’s network security needs and concerns. Creating this document is the first step in building an effective overall network security system and should be done prior to installation.
Developing a security plan helps you collect the information needed to install and configure your Symantec security gateway.
Your security plan details the implementation of your security policy. Based on the security concerns and trade-offs of your overall policy, your security plan should contain a set of tasks. One of these tasks should consist of establishing procedures and rules for access to resources located on your network.
These resources include:
Host computers and servers
Workstations
Connection devices (gateways, routers, bridges, and repeaters)
Terminal servers and remote access servers
Networking and applications software
Information in files and databases
The firewall component of Symantec Gateway Security 1600 Series v3.0 is the main tool for enforcing security gateway access, allowing you to define a set of rules that allow or deny access to specific resources throughout your network.
Before writing your security plan
Before you begin writing rules to implement your plan, you need to answer the following questions:
How many points of entry exist on your network? A security gateway defends a single point of entry. Every point of entry should be protected by a security gateway. A Virtual Private Network (VPN) server also defends a single point of entry. You must decide what access the VPN server is going to provide for resources that exist behind the firewall.
What types of services, such as Web or FTP, do you want to allow for internal users?
To what hosts, subnets, and users do you want to allow services?
What external users will have access to your network? Where will they come from and where do you want to allow them to go? During what hours? For what period of time?
Do you intend to implement a service network?
Do you intend to implement a de-militarized zone (DMZ)?
What types of services do you want to allow for external users and hosts?
What type of authentication will you require for external users? (Strong authentication is recommended for any access from public networks.)
If you are implementing VPN tunnels between any internal and external hosts, what types of traffic will be allowed over these tunnels?
Will you place your Web server inside or outside of your protected network, or on a service network?
Becoming security conscious
Developing and implementing a security plan for the security gateway you are installing should be only one part of your overall security policy. The security gateway offers the best protection against uninvited entry into your network. However, the security gateway cannot guard against entry by people who obtain valid authentication credentials, any more than a sophisticated lock can stop a thief in possession of the right key.
Formulate goals
Take the time to formulate the specific goals of your security plan. Identify the resources you are protecting and all possible threats. Protecting your resources from unauthorized external users may be only one of your goals. You may also need to limit internal access to certain systems to specific users and groups, within specific time periods. You will need to define these users and groups for the firewall and how to configure special services to be passed through these systems.
Review issues
You should review your organization’s specific issues in detail before you begin configuring the security gateway. Your network’s security depends on planning sound policies, implementing them carefully, and confirming that they work as intended.
Educating users
Your overall site policy involves a number of tasks. Of these, user education is most important. Publish your company’s security policy. Make sure your users are informed of the determination of would-be invaders and the sophistication of available password guessing programs. Make sure they understand how common security breaches are and how costly they can be. These facts alone dictate that users should be encouraged to select passwords that are difficult to crack and to change passwords regularly.
Involving the user community
When developing the details of your security plan, you should solicit the input of group managers or leaders on what services they require, for what users, and so on. Explain to users the need for network security to protect private information, intellectual property, and your business plans.
Notifying affected users
Before implementing policies, notify the user community of your proposed policies. Doing so in advance can prevent unnecessary frustration on the part of your users.
For instance, if you plan to limit Web services to a single server during specific hours, let this be known to the affected groups and users. If you plan to pass all email through a dedicated server, or if external users will be disallowed from accessing certain systems by Telnet, consider passing these changes along before implementation. Consulting users prior to implementation may save you the time needed to fine-tune those policies later.
Taking a pro-active stance
Keep in mind that configuring a set of authorization rules on the security gateway is just one piece of your overall security plan.
To be effective, this plan should also include the following:
Physical security of key systems (especially the security gateway)
Security risk training for users
Guidelines on passwords
Proprietary information policies
Network planning
Security policy worksheets
To aid you in the planning process, we have provided a set of policy planning worksheets. Use these worksheets to help implement the specific tasks of your security plan and to assist you during the installation process.
Defining your organization
Begin by defining your organization. Here is where you explore your existing security policy, if any. Note who will be assigned as administrators, the types of authentication you will use, and how your administrators will be contacted.
To define your organization
1 Does your organization have a security policy?
_____ Yes _____ No
If you checked No, refer to the first part of this chapter for information relating to the development of a security policy.
2 Number of users behind your security gateway:
_____
3 Do you plan to establish special groups or users with different levels of access or control that other groups and users will not have?
_____ Yes _____ No
4 Do you plan to establish subnets, users by subnet, or users by authentication?
_____ Yes _____ No
5 What are your network access points?
______________________________________________________________________
______________________________________________________________________
6 Name of the primary administrator:
____________________________________
7 Use Table 2-1 to list all persons involved in administering the system.
Table 2-1 Administrator names
Name Email Phone Pager
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
8 Are organization computer resources accessible by remote dial-in?
_____ Yes _____ No
9 Are organization computer resources accessible by an internal network?
_____ Yes _____ No
10 What communications servers (e-mail) are used? (such as SMTP or Microsoft Exchange)
______________________________________________________________________
______________________________________________________________________
11 What form of authentication will be used for remote access to company resources?
_____ User name/password _____ RADIUS Defender
_____ Entrust _____ RSA SecurID
_____ LDAP _____ Other
_____ RADIUS
12 Will there be different authentication and group servers?
_____ Yes _____ No
13 What kind of security certificate will you use?
_____ Self-signed Secure Socket Layer (SSL) certificate generated by the security gateway
_____ SSL certificate purchased from a third-party certificate authority
14 What mechanism will be used for suspicious activity alerts?
_____ Blacklist _____ Email
_____ Pager _____ Client program
_____ SNMP V1 _____ SNMP V2
15 Do you have other Symantec security gateways on your network now?
_____ Yes _____ No
16 If yes, what version? ________________________________
17 Do you plan to combine security gateways for failover?
_____ Yes _____ No
18 Do you have third-party (non-Symantec) firewalls on your network now?
_____ Yes _____ No
19 If yes, which one and version? ________________________________
20 Have you created a network diagram? If so, please print and attach.
_____ Yes _____ No
Collecting hardware information
Before you begin the installation process, you should collect some basic hardware information.
To collect hardware information
1 Record the number of host computers of each type that compose your network:
_____ UNIX _____ Windows
_____ Other (type) ______
Before installation, ensure that the host network connections are configured and tested properly.
Verify that you can ping the network interfaces of the server from clients on the same network.
2 What kind of Internet access do you have? What speed?
______________________________________________________________________
3 Record the name of your Internet Service Provider (ISP):
______________________________
4 Does your site have, or plan to have, more than one Internet access point?
_____ Yes _____ No
5 Are there any other Internet connections besides the security gateway (such as modems connected to workstations)?
_____ Yes _____ No
If yes, list.
______________________________________________________________________
______________________________________________________________________
6 Will you be using Symantec Client VPN?
_____ Yes _____ No
Collecting your TCP/IP address
It is important to think about the TCP/IP requirements for your site. This includes information about running Domain Name Services (DNS), types and names of domains on your network, and making a list of protocols used that need to pass through your security gateway.
To collect your TCP/IP address information
1 How is your Domain Name Service (DNS) provided?
_____ On your corporate network
_____ Through your Internet Service Provider (ISP)
2 What type of domain structure is in use at your site?
_____ Single domain _____ Multiple domains
_____ Subdomains
3 What type of name service do you provide?
_____ Primary name services _____ Secondary name services
_____ Internal/private
4 Do you have an internal name server?
_____ Yes _____ No
5 Do you have WINS configured?
_____ Yes _____ No
6 Do you have someone at your site who is knowledgeable about DNS, comfortable working with it, and able to configure it properly?
_____ Yes _____ No
7 If yes, who?
______________________________________________________________________
8 Check the address types being used at your site:
_____ Registered IP address _____ Private IP address (RFC 1918)
_____ Unregistered IP address
Your connection to the Internet must have at least one public network address. You should use
private, RFC 1918-compliant addresses internally or publicly registered IP addresses.
9 Do you use DHCP to dynamically obtain network addresses?
_____ Yes _____ No
10 List the address ranges you currently use in your network.
____________________________________________________________
____________________________________________________________
11 List the protocols you use in your network.
____________________________________________________________
____________________________________________________________
12 Will you be using network news services (NNTP)?
_____ Yes _____ No
13 If yes, and you have your own internal NNTP server, record its IP address and the address of the server that will be supplying you with news feeds.
_____ Internal server: _____________________
_____ External news server: ________________
Note: Only IP can be directly handled by the security gateway. Other protocols such as IPX cannot be serviced or passed through the security gateway.
Defining your allowed TCP/IP services
Use the following tables to define all the allowed TCP/IP services in your network.
To define your allowed TCP/IP services
1 Use Table 2-2 and check the access type (if any) you will allow for the following services.
Table 2-2 Allowed TCP/IP access type
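Access group (columns) by service (rows)
Service      All users   All internal users   Selected group   No access
Telnet       _____       _____                _____            _____
SMTP         _____       _____                _____            _____
HTTPS        _____       _____                _____            _____
CIFS         _____       _____                _____            _____
HTTP         _____       _____                _____            _____
NNTP         _____       _____                _____            _____
RealAudio    _____       _____                _____            _____
RTSP         _____       _____                _____            _____
PING         _____       _____                _____            _____
Other        _____       _____                _____            _____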
2 Use Table 2-3 to list your TCP/IP services.
Table 2-3 TCP/IP services
Group Authentication Access times
FTP
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
Telnet
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
HTTP
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
Other
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
______________________ _______________________ _______________________ _______________________
Over time, you will likely refine these permissions. You should make periodic updates to this list.
3 Do you need transparent inbound access from the Internet (VPN)?
_____ Yes _____ No
Collecting email information for security gateway notifications
You need to know information about email notifications. Use this section to collect data such as type of mail server, mail server IP address, and mail transport protocol.
To collect email information for security gateway notifications
1 Record the name and IP address of your mail server:
Name: __________________________________
Address:____________________________
2 Select the transport protocol being used for email:
_____ Third-party provided _____ POP3 mail
_____ SMTP mail
3 Does your Internet Service Provider provide a mail relay host?
_____ Yes _____ No
4 If yes, list its name and IP address:
_____ Mail relay host: ________________
_____ Address: ______________________
5 List any mail programs that you use internal to your network (for example, Microsoft Outlook):
___________________________________________________________________
Defining your Web services
Use the following section to define information about your Web services.
To define your Web services
1 Will you be using a Web server?
_____ Yes _____ No
2 If yes, select the location of the Web server:
_____ Internal to the security gateway
_____ External to the security gateway
_____ Service network
3 Record the Web server name and IP address:
Name:_________________
Address:_________________
4 Will you be using an external caching/proxy server? If Yes, record the server name and IP address.
_____ Yes _____ No
Proxy server name:___________
Address:______________
5 Do you plan to use the content filtering service for security gateway?
_____ Yes _____ No
6 Do you plan to restrict access to any specific URLs?
_____ Yes _____ No
7 If yes, list the URLs to be restricted; attach your list of restricted URLs.
8 Use Table 2-4 to list the names of any special services you wish to pass through the security gateway.
Table 2-4 Special services names
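Service name Service port # Service type (UDP/TCP) Server name
_______________________ _______________________ _______________________ _______________________
_______________________ _______________________ _______________________ _______________________
_______________________ _______________________ _______________________ _______________________
_______________________ _______________________ _______________________ _______________________
_______________________ _______________________ _______________________ _______________________
_______________________ _______________________ _______________________ _______________________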
Access lists
List those entities and users to which you plan to write rules to allow access through the security gateway.
Use Table 2-5 to list all allowed entity identifications.
Table 2-5 Entity identification
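Entity type IP address/Fully qualified domain name Internal/external
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________
_______________________ _______________________ _______________________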
Use Table 2-6 to list all allowed user identities.
Table 2-6 User identification
User name Group name Client VPN Clientless VPN
________________________________ _______________________ ______________
_________
_______________________ _______________________ ______________
_________
_______________________ _______________________ ______________
_________
_______________________ _______________________ ______________
_________
_______________________ _______________________ ______________
_________
_______________________ _______________________ ______________
_______________________ _______________________ ______________
_______________________ _______________________ ______________
_______________________ _______________________ ______________
9 Do you want the security gateway to keep a record of user passwords for protected resources (single sign-on)?
_____ Yes _____ No
Defining your network architecture
In the following section, list all of the entities that comprise your network. Show all routers and computer systems that will be directly affected by, or connected to, the security gateway and its directly connected networks. Label each network component with its IP address and netmask.
Use Table 2-7 to create a list of all internal servers. Your internal network consists of at least the security gateway host and a router.
Table 2-7 Internal network servers
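Service      DNS name services   Mail server   Web server   Other server
Host name    ______________      ____________  ____________ ____________
IP address   ______________      ____________  ____________ ____________
Netmask      ______________      ____________  ____________ ____________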
Use Table 2-8 to list your security gateway host system addresses.
Table 2-8 Security gateway host internal and external IP addresses
Host Internal/external IP addresses Netmask
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
If your network includes VLANs, use Table 2-9 to list the IP addresses to which they are routed.
Table 2-9 Security gateway host internal and external VLAN IP addresses
VLAN IP address
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
Use Table 2-10 to list your router IP addresses.
Table 2-10 Router IP addresses
Router IP addresses
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
Your external network can also include external servers, such as an external Web server. Use Table 2-11 to list all external network servers.
Table 2-11 External network servers
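Service      DNS name services   Mail server   Web server   Other server
Host name    ______________      ____________  ____________ ____________
IP address   ______________      ____________  ____________ ____________
Netmask      ______________      ____________  ____________ ____________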
Use Table 2-12 to describe your default gateway.
Table 2-12 Default gateway
Host name IP address Netmask