Installation Setup Guide: Vital Security Appliance Series
Vital Security Appliance Series NG-1000/NG-5000/NG-6000/NG-8000 Installation and Setup Guide Copyright 1996 - 2007. Finjan Inc. and its affiliates and subsidiaries (Finjan). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents No. 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743, 7155744 and may be protected by other U.S. Patents, foreign patents, or pending applications. Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners. 
Q1 2007 For additional information, please visit www.finjan.com or contact one of our regional offices: USA: San Jose 2025 Gateway Place Suite 180 San Jose, CA 95110, USA Toll Free: 1 888 FINJAN 8 Tel: +1 408 452 9700 Fax: +1 408 452 9701 [email protected] USA: New York Chrysler Building 405 Lexington Avenue, 35th Floor New York, NY 10174, USA Tel: +1 212 681 4410 Fax: +1 212 681 4411 [email protected] Israel/Asia Pacific Hamachshev St. 1, New Industrial Area Netanya, Israel 42504 Tel: +972 (0)9 864 8200 Fax: +972 (0)9 865 9441 [email protected] Europe: UK 4th Floor, Westmead House, Westmead, Farnborough, GU14 7LP, UK Tel: +44 (0)1252 511118 Fax: +44 (0)1252 510888 [email protected] Europe: Germany Alte Landstrasse 27, 85521 Ottobrun, Germany Tel: +49 (0)89 673 5970 Fax: +49 (0)89 673 597 50 [email protected] Europe: Netherlands Printerweg 56 3821 AD Amersfoort Netherlands Tel: +31 318 693 272 Fax: +31 318 693 274 [email protected]
CONTENTS

Update Mechanism .......... 23
    Installing Updates .......... 23
Defining System Device Roles via the Management Console .......... 25
Connecting your Vital Security Appliance NG-8000 .......... 27
    Initial Procedures for the Policy Server .......... 27
    Initial Procedures for the Vital Security Scanning Server .......... 28
4 Configuring ICAP Clients .......... 35
    Network Appliance Netcache Series (NetApp) .......... 35
    Blue Coat .......... 38
5 Advanced Settings .......... 49
    Introduction to Setup Console Advanced Settings .......... 49
    Configuring Advanced Settings .......... 49
        Appliance Role .......... 51
        Licensing .......... 51
        Custom Commands .......... 52
        Time Settings .......... 57
        Network Settings .......... 59
        Change Password .......... 73
        Restart Role .......... 74
        Reboot/Shutdown Appliance .......... 74
        Active/Standby Policy Server .......... 75
CHAPTER
FINJAN OVERVIEW
1 Introduction
Cyber-threats are increasing fast and pose a serious and growing problem for corporate networks, appearing in different forms and using a variety of tactics: viruses, worms, Trojans, and more. New, ultra-fast viruses can infect your system within seconds, long before traditional signature-based solutions can protect you. While waiting for anti-virus companies to release a new virus signature, thousands of unprotected computers may already have been infected, leaving no alternative other than to shut down the corporate network. Finjan's proactive behavior-inspection technology at the gateway provides protection by examining active content behavior and identifying and blocking malicious mobile code (viruses, worms, Trojan horses and a myriad of ever-developing attack types). Finjan's unique and patented proactive behavior inspection technology offers instant protection against new virus, worm and malicious mobile code outbreaks without time-sensitive signature-file updates, thus closing the Window-of-Vulnerability and providing networks with true day-zero protection. Vital Security, Finjan's Integrated Security Platform, is a complete and integrated Secure Content Management solution in which individual best-of-breed security applications work together in concert to respond proactively to the changing security threats of both today and tomorrow. This section contains a brief overview of the Vital Security Appliances NG-1000/NG-5000/NG-6000/NG-8000.
The following table contains the hardware specifications for the NG-8000 appliance.

    Component      Specification
    Memory         2 GB
    Hard Drive     36 GB SAS (Web appliance); 2 x 73 GB SAS (RAID 1) (Policy Server)
    CPU            Xeon D 2 x 2.0 GHz
    (unlabelled)   2
NOTE: This document deals with the basic setup of the NG-8000 Appliance. Please contact Finjan Support, or IBM, for information about more advanced setup of the Blade Center.
The following table contains the hardware specifications for the NG-5000 appliance.

    Component          Specification
    Memory             2 GB
    Hard Drive         160 GB SATA2
    CPU                Pentium D 3.4 GHz dual core
    Flash Card         1024 MB
    Rack space (1U)    429 x 382 x 44 mm (WxDxH); 16.9 x 15.0 x 1.8 inches (WxDxH)
    (unlabelled)       4
    (unlabelled)       1
The following table contains the hardware specifications for the NG-1000 appliance.

    Component          Specification
    Memory             1 GB
    Hard Drive         160 GB
    CPU                Pentium IV 2.8 GHz
    Flash Card         256 MB
    Rack space (1U)    428.6 x 360 x 44 mm (WxDxH); 16.9 x 14.1 x 1.7 inches (WxDxH)
    (unlabelled)       4+2
    (unlabelled)       1
The following table contains the hardware specifications for the NG-6000 appliance.

    Component          Specification
    Memory             2 GB
    Hard Drive         2 x 72 GB SAS (RAID 1)
    CPU                Intel Xeon dual core x 2.0 GHz
    Rack space (2U)    445 x 698 x 86 mm (WxDxH); 17.5 x 27.5 x 3.4 inches (WxDxH)
    (unlabelled)       4
    (unlabelled)       Redundant
CHAPTER 3
GETTING STARTED
This section contains the following topics:
- Management Console System Requirements
- Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000)
- Update Mechanism
- Defining System Device Roles via the Management Console
- Connecting your Vital Security Appliance NG-8000
- Routing Traffic through the Appliance
- Working with HTTP
- Working with ICAP
2.2 Configuration
We recommend locating the Scanning Servers, accessed via the Load Balancer(s), in the DMZ. In this case, all network traffic between the Policy Server and the Scanning Servers passes through the internal firewall.
For the NG-5000/NG-6000: Plug in the power cable and switch the appliance on. Connect a PC directly to the appliance's GE3 port (for the NG-6000, see Figure 3-1) using a crossover cable, or, using a standard Ethernet cable, connect the appliance's GE3 port to a hub or switch that is on the same network segment as the PC. CAT5e cables (or better) are recommended. The default IP of the GE3 interface is 10.0.3.1, and its default netmask is 255.255.255.0. Configure the TCP/IP settings of your PC so that it is on the same logical network subnet as the appliance's GE3 interface. For example, configure the IP on the PC as 10.0.3.101 and the PC's netmask as 255.255.255.0. IMPORTANT: Do not set the PC's IP to 10.0.3.1, as this will result in an IP conflict with the appliance.
[Figure 3-1: NG-6000 rear panel, showing ports GE0, GE1, GE2 and GE3]
For the NG-1000: Plug in the power cable and switch the appliance on. Connect a PC directly to the appliance's FE5 port (the left-most port) using a crossover cable, or, using a standard Ethernet cable, connect the appliance's FE5 port to a hub or switch that is on the same network segment as the PC. CAT5e cables (or better) are recommended. The default IP of the FE5 interface is 10.0.5.1, and its default netmask is 255.255.255.0. Configure the TCP/IP settings of your PC so that it is on the same logical network subnet as the appliance's FE5 interface. For example, configure the IP on the PC as 10.0.5.101 and the PC's netmask as 255.255.255.0. IMPORTANT: Do not set the PC's IP to 10.0.5.1, as this will result in an IP conflict with the appliance.
Open your browser and enter the following address: https://10.0.5.1:3012 (for the NG-1000) or https://10.0.3.1:3012 (for the NG-5000/NG-6000). A certificate warning pops up, because the browser does not trust the appliance's factory certificate; click Yes to close the warning. The Vital Security Setup Console login window is displayed.
Log in to the Vital Security Setup Console using admin as the user name and finjan as the password. These factory credentials are printed in this guide, so change them at the Change Password step of the Initial Setup Wizard. Read and accept the End User License Agreement. The Setup Selection screen is displayed.
- An initial setup Web interface working at https://NEW_IP:3012 (when the IP change takes place, you will be disconnected).

The next sections detail separately the configuration of a Policy Server or All in One, and of a Scanning Server.
2.3.3 Configuring a Policy Server or All in One

To configure a Policy Server or All in One:

1. Click the Initial Setup Wizard icon, as shown in Figure 3-3, to begin the setup procedure, and in the Welcome screen, click Next. The Appliance Role screen is displayed.

2. From the Select a Role drop-down list, select one of the following appliance roles, and then click Next:
- Vital Security Policy Server: provides only management and reporting services, and requires an additional appliance for scanning.
- Vital Security Scanning Server: select this if you want to activate this appliance for scanning, while another appliance provides the management and reporting services.
- All in One: provides management, reporting and scanning services.
- None: the initial mode of the Vital Security Appliance.
In this procedure, select either the Policy Server or All in One.

IMPORTANT: In order to change the device role from Scanning Server to Policy Server or All in One, the administrator must first Restore Factory Settings. There are two ways of doing this. If you installed 8.4.0 or higher on your appliance using the Installation CD, restore factory settings by using the Installation CD (please refer to Appendix B). If, however, you installed previous releases using the standard Update feature, follow the Restore Factory Settings procedure as outlined in the Installation and Setup Guide 8.3.5, Appendix A.
3. The License Type screen is displayed if you have selected Policy Server or All in One. The Licensing option is disabled for other roles. Click the required License Type option.

4. If you selected an Evaluation license, select the required license and security engine options, and then click Next (go straight to step 6).
Security engine options:
- Anti-Virus: third-party scanning engine which scans for known viruses (McAfee, Sophos or Kaspersky, depending on your license).
- Third-party engine which provides categorization of Web sites (SurfControl).
- Finjan's unique content scanning engine based on Behavior Profiles (binary or script).
- Unique Finjan engine that scans content to identify known vulnerabilities.
- The Anti-Spyware engine identifies spyware sites and blocks access to those sites.
5. If you selected a Subscription license, enter the license key that you received from either Finjan or your reseller, and then click Next.
6. The Network Interface Used by Policy/Scanning Server screen is displayed. If you are using an NG-1000 appliance, the Network Interface screen looks as follows:
Network Interface for NG-1000 SUPERFORMANCE Appliances

FE0 (eth0): 100 Mbps - Auto-negotiation enabled. Recommended!
    Allows communication at a speed of up to 100 Mbps with Auto-Negotiation enabled. Auto-negotiation enables simple, automatic connection of devices by taking control of the cable when a connection is established to a network device that supports a variety of modes from a variety of manufacturers. The device is able to automatically configure the highest performance mode of interoperation.
FE1 (eth1): 100 Mbps - Auto-negotiation enabled
    Allows communication at a speed of up to 100 Mbps with Auto-Negotiation enabled.
FE2 (eth2): 100 Mbps - Auto-negotiation enabled
    Allows communication at a speed of up to 100 Mbps with Auto-Negotiation enabled.
FE3 (eth3): 100 Mbps - Forced 100 Mbps Full-Duplex
    Allows communication where a speed of 100 Mbps is forced and full-duplex, meaning the transmission of data in two directions simultaneously.
(fifth interface; name not recovered): 100 Mbps - Auto-negotiation enabled
    Allows communication at a speed of up to 100 Mbps with Auto-Negotiation enabled.
If you are using an appliance from the NG-5000 / NG-6000 series, the screen will appear as follows:
Network Interfaces for NG-5000 / NG-6000 Appliances

GE0 (eth0): 1 Gbps - Auto-negotiation enabled. Recommended!
    Allows communication at a speed of up to 1 Gbps with Auto-Negotiation enabled. Auto-negotiation enables simple, automatic connection of devices by taking control of the cable when a connection is established to a network device that supports a variety of modes from a variety of manufacturers. The device is able to automatically configure the highest performance mode of interoperation.
GE1 (eth1): 1 Gbps - Auto-negotiation enabled
    Allows communication at a speed of up to 1 Gbps with Auto-Negotiation enabled.
GE2 (eth2): 1 Gbps - Auto-negotiation enabled
    Allows communication at a speed of up to 1 Gbps with Auto-Negotiation enabled.
GE3 (eth3): 1 Gbps - Auto-negotiation enabled
    Allows communication at a speed of up to 1 Gbps with Auto-Negotiation enabled.
IMPORTANT: If you want to change the network interface auto-negotiation settings for the NG-5000/NG-6000, you must do so via the Limited Shell using the ethconf command. Please refer to Limited Shell.
8. Enter the IP address and netmask for the selected interface in the respective fields, and then click Next. The Routing and Gateway screen is displayed.
9. Enter the Gateway IP address and static or local routes as required, or leave as is to use the default routing and gateway configuration, and then click Next. The Domain Name Service screen is displayed.
10. Define the machine name by filling in the Hostname field, or leave as is to keep the default settings, and then click Next. The Time Settings screen is displayed.
11. Check that the correct time settings have been selected, and then click Next. The Change Password screen is displayed.
12. Enter and confirm your new password. Note that changing your password here does not affect the password in the Management Console. Click Next. The Apply Changes screen is displayed.
13. Apply all of the changes that have been made. The Setup procedure is complete. Click Next to return to the main Setup Console menu.
Configuring the Computer's IP Address

From the main Setup Console menu, you must then configure your computer's IP address and hostname in order for it to be recognized by the appliance. To add your computer and other computers to the system, click Add a new host address. The Create Host Address screen is displayed.
Enter the IP Address and Hostname of the PC that will work with Vital Security and click Create. The PC is added to the list. Once the PC is recognized, the Setup Console responds faster for the administrator.

NOTE: If you cannot connect via the interface you have selected (with either the old or the new IP), temporarily reset FE5 to its default settings (10.0.5.1, netmask 255.255.255.0) via the LCD panel by navigating to the Reset FE5 IP option, pressing Enter, and pressing Enter again; then access the Setup Console at https://10.0.5.1:3012.
To configure a Scanning Server:

1. Click the Initial Setup Wizard icon, as shown in Figure 3-3, to begin the setup procedure, and in the Welcome screen, click Next. The Appliance Role screen is displayed.
2. Select Vital Security Scanning Server from the drop-down menu, and then click Next. This appliance is used for scanning, while another appliance provides the management and reporting services.
3. The Network Interface Used by Policy/Scanning Server screen is displayed (Figure 3-9).
4. Complete the procedure as detailed in To configure a Policy Server or All in One, from Step 7 onwards.
5. Configure your computer's IP address as described in Configuring the Computer's IP Address.
3 Update Mechanism
The Update mechanism periodically checks Finjan's Web site and automatically displays any available updates to the administrator via the Management Console. There are three categories of updates:
- Behavior scanning logic and vulnerability data: These are updated automatically. Vital Security behavior profiling data and security processors are updated automatically from the Finjan site as soon as new Windows vulnerabilities are discovered. Vulnerability protection typically arrives before viruses that exploit the vulnerability are released. Finjan Software is a market leader in malicious mobile code, and the Malicious Code Research Center at Finjan employs dedicated experts who work around the clock to identify new Windows vulnerabilities and exploits, enabling real day-zero protection.
- OS version updates and new feature add-ons: Automatic downloading from the Finjan Web site can be enabled/disabled via the Management Console. You are notified automatically when updates become available so that you can install them and keep your system up to date.
- Third-party security engines: Vital Security incorporates best-of-breed third-party engines (anti-virus and URL categorization). These applications rely on frequent and regular updates, and these are downloaded and installed automatically by the auto-update feature.
https://mirror.updateNG.finjan.com/remote_update

The following table details the ports needed for configuring Automatic Updates:

    Description                                                          Port Number
    All in One machine (web traffic ports)                               Only HTTP, FTP and HTTPS from LAN to WAN
    Policy Server in LAN, Scanner in DMZ: additional ports to open from LAN to DMZ
      Manager: transfer of policy updates, and other updates             5222
      Manager: secure transfer of policy updates, and other updates      5224
      Log traffic (from server)                                          8000
      Secure log traffic                                                 8001
      Vital Security Setup Console (Webmin)                              3012
      SNMP queries (if enabled)                                          161 UDP
    Additional port to open from DMZ to LAN
      SNMP trap (if enabled and configured to send traps to the
      SNMP Manager on the LAN)                                           162 UDP
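The port table above is easy to misread in either direction (the rows are grouped by the direction in which the connection is opened, and the Setup Console port 3012 is meant to be reachable from the LAN only). As an added example, not Finjan's code, the following Python encodes the table as a zone-based policy, lets you audit observed flows against it, and renders it as an iptables FORWARD chain for the internal firewall between the LAN and the DMZ. The zone names, the zone-to-interface mapping and the sample flows are this example's assumptions; the ports, protocols and directions are the table's.

```python
"""Internal-firewall policy for a Policy Server in the LAN and a Scanning Server in the DMZ.

Added example, not Finjan's code. Port numbers, protocols and directions are
taken from the Automatic Updates port table in this guide; the zone names, the
zone-to-interface mapping and the sample flows are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection is opened from
    dst: str      # zone it is opened to
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    purpose: str


RULES = [
    # All in One / Policy Server: only web traffic from the LAN to the WAN.
    Rule("LAN", "WAN", "tcp", 80, "HTTP"),
    Rule("LAN", "WAN", "tcp", 443, "HTTPS (also reaches the Finjan update mirror)"),
    Rule("LAN", "WAN", "tcp", 21, "FTP control channel"),
    # Policy Server in LAN, Scanner in DMZ: additional ports to open from LAN to DMZ.
    Rule("LAN", "DMZ", "tcp", 5222, "Manager: transfer of policy updates and other updates"),
    Rule("LAN", "DMZ", "tcp", 5224, "Manager: secure transfer of policy updates and other updates"),
    Rule("LAN", "DMZ", "tcp", 8000, "Log traffic"),
    Rule("LAN", "DMZ", "tcp", 8001, "Secure log traffic"),
    Rule("LAN", "DMZ", "tcp", 3012, "Vital Security Setup Console (Webmin)"),
    Rule("LAN", "DMZ", "udp", 161, "SNMP queries (if enabled)"),
    # From DMZ to LAN: only SNMP traps to the SNMP manager on the LAN.
    Rule("DMZ", "LAN", "udp", 162, "SNMP trap (if enabled)"),
]

ZONE_IFACE = {"LAN": "eth0", "DMZ": "eth1", "WAN": "eth2"}  # assumed firewall interfaces


def allowed(src, dst, proto, port):
    """True if the table opens (src zone -> dst zone, proto, port) as a new connection."""
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in RULES)


def audit(flows):
    """Return the (src, dst, proto, port) flows that the table does not permit."""
    return [f for f in flows if not allowed(*f)]


def iptables_rules(rules=RULES, zone_iface=ZONE_IFACE):
    """Render the table as an iptables FORWARD chain for the internal firewall.

    Replies ride on conntrack, so each row needs one rule in its stated
    direction only; anything not listed (for example 3012 from the WAN, or
    5222 opened from the DMZ towards the LAN) falls through to DROP.
    """
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        lines.append(
            f"iptables -A FORWARD -i {zone_iface[r.src]} -o {zone_iface[r.dst]} "
            f"-p {r.proto} --dport {r.port} -m conntrack --ctstate NEW -j ACCEPT  # {r.purpose}"
        )
    lines.append("iptables -P FORWARD DROP")
    return lines


# Constructed sample flows, e.g. distilled from a firewall log.
SAMPLE_FLOWS = [
    ("LAN", "DMZ", "tcp", 5224),   # policy update push: allowed
    ("DMZ", "LAN", "udp", 162),    # SNMP trap to the LAN manager: allowed
    ("DMZ", "LAN", "tcp", 5222),   # wrong direction: not allowed
    ("WAN", "DMZ", "tcp", 3012),   # Setup Console exposed to the Internet: not allowed
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("unexpected flows:", audit(SAMPLE_FLOWS))
```

The policy deliberately has no rule admitting 3012 from the WAN and none admitting 5222/5224 from the DMZ: the Setup Console and the management channel are opened from the LAN side only, which is what the table states.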
connected to the offline computer where you manage the Policy Server. From the Management Console, you can install the updates using the Import Local Updates option. This feature requires a special license. Please contact your Finjan representative for further details.
1. Log in to the Management Console, open the Settings tab and select Devices. If you selected Vital Security Policy Server as your appliance role, you have an All in One preconfigured machine, with a device that is used in the following roles: Policy Server, Report Server, Log Server, Log Relay and Scanning Server.
2. If you want to configure an All in One device, change the IP address by selecting one of the IPs displayed in the Network Roles tree, and then clicking the Edit Device icon. The Edit Device dialog box is displayed.
3. Enter the required IP address, and from the Device Roles list, select All in One.
4. If you want to configure a Policy Server only, delete the existing device, and then click the Add Device icon. The Add Device dialog box is displayed.

NOTE: If multiple servers are included on one device, they should be selected together in the Add Device dialog (using Control on your keyboard). You may not add a server to a device where the IP address has already been defined.
5. Click OK. The device that you have added now appears in the Network Roles tree.
6. Select the IP address of the device you have added. The device status is displayed.
7. Select the Activate checkbox.
8. Under the Scanning Server device, change the Log Server Interface IP to 127.0.0.1 if it is not already configured as such.
9. When you have defined all devices in the system or made any changes, click Apply at the bottom right of the screen, and then click Commit Changes.
After defining your devices, Finjan recommends that you change the default password.
Select the Settings tab on the Main Navigation bar. From the System tab, select the Password tab. The Change Password dialog box is displayed. Enter your old and new passwords in the fields shown, and then click Apply.
Connecting your Vital Security Appliance NG-8000

Initial Procedures for the Policy Server

1. Plug in the power cable and switch the appliance on.
2. Configure the network settings of any PC to match those of the appliance (IP address and subnet mask): an IP address in the same subnet, e.g. 10.0.0.101, and the subnet mask 255.255.255.0.
3. Connect your PC to one of the ports on the Gigabit Ethernet switch in I/O switch module Bay 1 on the appliance using a network cable.
4. Power up the blades one by one: press the Console Select button so that the VGA screen attached to the chassis displays output from the blade being powered up, then press the Power button until the power-up sequence is over. A login prompt is displayed. Repeat this procedure for each blade.
5. Open your browser and enter https://10.0.0.1:3012. The Vital Security Setup Console login window appears. The Vital Security Setup Console is a Web-based interface that enables you to configure initial setup parameters associated with the box itself.
6. Log in to the Vital Security Setup Console using admin as the username and finjan as the password, and then click the Advanced Settings icon.
Initial Procedures for the Vital Security Scanning Server

1. Plug in the power cable and switch the appliance on.
2. Configure the network settings of any PC to match those of the appliance (IP address and subnet mask): an IP address in the same subnet, e.g. 10.0.0.101, and the subnet mask 255.255.255.0.
3. Connect your PC to one of the ports on the Gigabit Ethernet switch in I/O switch module Bay 1 on the appliance using a network cable.
4. Power up the blades one by one: press the Console Select button so that the VGA screen attached to the chassis displays output from the blade being powered up, then press the Power button until the power-up sequence is over. A login prompt is displayed. Repeat this procedure for each blade.
5. Open your browser and enter https://10.0.0.1:3012. The Vital Security Setup Console login window appears. The Setup Console is a Web-based interface that enables you to configure initial setup parameters associated with the box itself.
6. Log in to the Vital Security Setup Console using admin as the user name and finjan as the password.

NOTE: For information on setting up the NG-8000, please contact your Finjan representative.
7.2.1 Downstream
When Vital Security is positioned downstream of the cache proxy, the cached content is rescanned for every request. This topology works for systems with user/group policies that differentiate between the sites that different users/groups may visit, as every request is submitted to Vital Security and scanned against the relevant policy. This means that:
- Every request is scanned with the latest anti-virus updates, even if the content was cached before the last update.
- Traffic scanned initially by Vital Security is cached and subsequently forwarded again by the caching proxy in line with additional user requests. Each time this happens, the content is rescanned by Vital Security. The resulting drain on resources should be taken into account regarding performance.
- Every additional request for cached content is subjected to the policy specific to the user making the new request.
- Policy changes always take effect, because all content, even if it comes from the cache, is scanned again by Vital Security.
- All accesses to cached content are subject to the logging policy, and are potentially logged by Vital Security.
7.2.2 Upstream
When Vital Security is positioned upstream from the cache, traffic is scanned only once, and is then cached and forwarded directly to the users. This is optimal for organizations that use a single policy for all Internet access, and do not apply different policies to different users/groups. It is not suitable for per-user/group policies that differentiate between the sites visited by users/groups. (In such cases, you may consider working with ICAP.) This means that:
- Because content is only scanned once, there is less drain on resources, leading to improved performance.
- Cached content is not subject to the latest anti-virus updates, nor to policy changes.
- Vital Security cannot log accesses to cached content.
Vital Security can also allow another downstream HTTP proxy to perform the authentication, in which case:
- The downstream proxy needs to be configured to append headers containing user and group information to requests.
- Vital Security should be configured so that it can recognize the specific headers used by the downstream proxy.
- Vital Security can either pass these headers on to the next proxy or remove them before submitting the request over the Internet.
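The arrangement above has a trust boundary worth making explicit: identity headers are only meaningful if they came from the authenticating downstream proxy, and they should not leave the network when the next hop is the Internet. The following Python is an added example, not Finjan's code, that models both rules: identity is taken from the headers only when the TCP peer is the downstream proxy, and the headers are stripped from the outbound request unless the next hop is another proxy that needs them. The header names X-Authenticated-User and X-Authenticated-Groups, the trusted proxy network and the sample request are this example's assumptions.

```python
"""Trusting user/group headers only from the authenticating downstream proxy.

Added example, not Finjan's code. The guide describes the mechanism (a
downstream proxy appends user/group headers, Vital Security is told which
header names to recognise, and the headers are either passed on or removed
before the request leaves for the Internet). The header names, the trusted
proxy network and the sample request below are this example's assumptions.
"""
from ipaddress import ip_address, ip_network

USER_HEADER = "X-Authenticated-User"       # assumed header names; configure
GROUPS_HEADER = "X-Authenticated-Groups"   # whatever your downstream proxy uses
TRUSTED_DOWNSTREAM = [ip_network("192.168.2.0/24")]  # assumed: where the proxy lives


def identity_from_request(peer_ip, headers):
    """Return (user, groups) from the identity headers, or (None, []) if they are untrusted.

    The headers are honoured only when the TCP peer is the downstream proxy. A
    client that can reach the scanner directly would otherwise be able to claim
    any user name and inherit that user's policy.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_DOWNSTREAM):
        return None, []
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get(USER_HEADER.lower()) or None
    groups = [g.strip() for g in lowered.get(GROUPS_HEADER.lower(), "").split(",") if g.strip()]
    return user, groups


def outbound_headers(headers, forward_identity=False):
    """Headers to send to the next hop.

    forward_identity=False strips the identity headers, which is what you want
    when the next hop is the Internet (internal user and group names must not
    leak to remote sites). Set it True only when the next hop is another proxy
    that needs them.
    """
    if forward_identity:
        return dict(headers)
    drop = {USER_HEADER.lower(), GROUPS_HEADER.lower()}
    return {name: value for name, value in headers.items() if name.lower() not in drop}


# Constructed sample request as it would arrive from the downstream proxy.
SAMPLE_PEER = "192.168.2.10"
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0",
    "X-Authenticated-User": "DOMAIN\\alice",
    "X-Authenticated-Groups": "staff, finance",
}

if __name__ == "__main__":
    print(identity_from_request(SAMPLE_PEER, SAMPLE_HEADERS))
    print(outbound_headers(SAMPLE_HEADERS))
```

The peer check is the important part: matching on header names alone lets any host that can open a connection to the scanner choose its own policy.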
Vital Security can receive both REQMOD and RESPMOD requests. Here is an example of an ICAP URL for the REQMOD service:

icap://192.168.2.153:1344/Finjan_REQMOD

NOTE: When working with RESPMOD, REQMOD should also be enabled. Although technically Vital Security will work in RESPMOD-only mode, the REQMOD service is required to provide the full HTTP transaction context when scanning some types of active content. Vital Security can also work in REQMOD only, for example for performing URL filtering, but in this case the actual incoming content is not scanned.

Configuration of a Vital Security Scanning Server as an ICAP server is carried out via the Management Console.

NOTE: If there is no direct Internet access, in order to perform pre-fetching of Java classes for Applet scanning, ALL Scanning Servers must have the next proxy configured. If you are using ICAP, ensure that the NG Appliance Scanning Server appears on the Access List.
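An ICAP client (NetApp on every settings change, Blue Coat when you use Sense Settings, as described in the next chapter) starts by sending an OPTIONS request to each service URL. The following Python is an added example, not Finjan's code, that builds that request for URLs of the icap://<ip>:1344/Finjan_REQMOD form used in this guide, parses the reply, and checks the two things that go wrong in practice: a service URL whose Methods header does not match the service you think you configured, and, per the note above, a RESPMOD service deployed without its REQMOD counterpart. The replies it checks are constructed sample data (the ISTag and Service values are made up) so that it runs offline; options() talks to a live scanner.

```python
"""ICAP OPTIONS check for the Finjan_REQMOD and Finjan_RESPMOD services.

Added example, not Finjan's code. The OPTIONS replies below are constructed
sample data (the ISTag and Service values are made up) so that the check runs
offline; options() talks to a live scanner if you have one.
"""
import socket
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344


def parse_icap_url(url):
    """Split icap://host[:port]/service into (host, port, path); port defaults to 1344."""
    u = urlsplit(url)
    if u.scheme != "icap" or not u.hostname:
        raise ValueError(f"not an ICAP URL: {url}")
    return u.hostname, u.port or DEFAULT_ICAP_PORT, u.path or "/"


def build_options_request(url):
    """The OPTIONS request an ICAP client sends before using a service."""
    host, port, path = parse_icap_url(url)
    return (
        f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: icap-options-check/1.0\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Return (status, headers) from the head of an ICAP response; header names lower-cased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def advertised_methods(headers):
    """Methods the service supports, from the Methods header (e.g. 'REQMOD, RESPMOD')."""
    return {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}


def check_services(replies):
    """replies maps service URL -> raw OPTIONS reply. Returns a list of problems (empty = OK).

    Besides checking each reply, this enforces the note that a RESPMOD service
    should not be deployed without its REQMOD counterpart.
    """
    problems, seen = [], set()
    for url, raw in replies.items():
        _, _, path = parse_icap_url(url)
        expected = "REQMOD" if path.upper().endswith("REQMOD") else "RESPMOD"
        status, headers = parse_icap_response(raw)
        if status != 200:
            problems.append(f"{url}: OPTIONS returned {status}")
            continue
        methods = advertised_methods(headers)
        if expected not in methods:
            problems.append(f"{url}: advertises {sorted(methods) or 'nothing'}, expected {expected}")
        seen.add(expected)
    if "RESPMOD" in seen and "REQMOD" not in seen:
        problems.append("RESPMOD is configured without REQMOD; enable the REQMOD service as well")
    return problems


def options(url, timeout=5.0):
    """Send OPTIONS to a live scanner and return the raw reply head (not used offline)."""
    host, port, _ = parse_icap_url(url)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(url))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf


# Constructed sample replies for the two services on a scanner at 192.168.2.153.
SAMPLE_REPLIES = {
    "icap://192.168.2.153:1344/Finjan_REQMOD": (
        b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nService: sample\r\nISTag: \"sample-reqmod-1\"\r\n"
        b"Encapsulated: null-body=0\r\nAllow: 204\r\nPreview: 1024\r\n\r\n"),
    "icap://192.168.2.153:1344/Finjan_RESPMOD": (
        b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: sample\r\nISTag: \"sample-respmod-1\"\r\n"
        b"Encapsulated: null-body=0\r\nAllow: 204\r\nPreview: 1024\r\n\r\n"),
}

if __name__ == "__main__":
    print(check_services(SAMPLE_REPLIES) or "both services OK")
```

Against a real scanner, replace SAMPLE_REPLIES with {url: options(url) for url in (...)} for the two service URLs you configured on the ICAP client; an empty problems list means both services answered 200 with the method you expect.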
CHAPTER 4
CONFIGURING ICAP CLIENTS

Network Appliance NetCache Series (NetApp)

Log in to the NetApp Web interface. Click Setup, and then click ICAP > ICAP 1.0 in the left-hand pane. The ICAP Setup window is displayed with the General tab open. Select the Enable Version 1.0 option.
Open the Service Farms tab. Press the New Service Farm button to create a new ICAP Service.
To set a REQMOD service, ensure that the following conditions are met:
- In the Vectoring Point field, select REQMOD_PRECACHE.
- In the Services field, set the service URL: icap://[Vital Security's IP]:[ICAP port]/Finjan_REQMOD on

To set a RESPMOD service, ensure that the following conditions are met:
- In the Vectoring Point field, select RESPMOD_PRECACHE.
- In the Services field, set the service URL: icap://[Vital Security's IP]:[ICAP port]/Finjan_RESPMOD on

Several services can be defined in Services and load-balanced by NetApp.
Once the services have been configured in the Service Farms, Access Control List rules should be defined to include these services.
With every ICAP settings change, NetApp sends an OPTIONS request to the relevant ICAP Service.
Blue Coat
Finjan is a certified Blue Coat partner.
Log in to the Management Console, open the Settings tab and select Devices. In the Devices screen, select the Scanning Server with which you are working, and then select ICAP.
In the Weights for ICAP Resource Allocation section, click Add. A drop-down menu is displayed. Select Blue Coat from the Type drop-down list. Enter the IP address of the ICAP client, enter a weight of 100, and click Add. In the ICAP Listening Port section, enter the IP address of the Scanning Server, click Apply, and then click Commit Changes on the top right of the screen.
NOTE: If, at any time during the session, the Java Plug-in Security Warning appears, select Grant this session to continue.
From the Blue Coat Management Console, select External Services > ICAP. The ICAP Services screen is displayed on the right.
At the bottom of the ICAP Services screen, click New. The Add List Item dialog box is displayed. Enter a name and click OK. For instance, Reqmod. The External Services window is displayed again with the name you have selected.
[Figure: Edit ICAP Service dialog, showing the Method Supported field]

1. If your Vital Security scanner is up and running, click the Sense Settings button and then OK. A confirmation message appears; click OK again. (If, on the other hand, your Vital Security scanner is not yet up and running, click OK only to continue. In this case, return to this dialog box later, when Vital Security is up and running, and select Sense Settings.)
2. In the Edit ICAP Services box, select the Authenticated User checkbox, and then click OK.
3. Click Apply in the ICAP Services screen to complete the configuration.
In the Blue Coat Management Console, select Policy > Visual Policy Manager. The Visual Policy Manager screen is displayed. Click Launch, and the Visual Policy Manager dialog box is displayed. From the Main Menu Bar, select Policy and add a new Web Access Layer. The New Layer dialog box is displayed.
Add in the required name and click OK. The Visual Policy Manager is displayed with a new Web Access Layer.
In the Action column, right-click on Use Default Caching, and then select Set. The Set Action Object dialog is displayed.
Scroll down and select ICAPRequestService1. Click Edit. The Edit ICAP Request Service Object window is displayed.
Select the Use ICAP Request Service checkbox. From the drop-down list, select the REQMOD service you have defined, and click OK.
10. Go back to the Set Action Object dialog box, and click OK.
11. Click the Install Policy button in the Visual Policy Manager.
1. In the Edit ICAP Service dialog box (Figure 4-14), the Service URL should be: icap://<scanner IP (ICAP server)>:<scanner port (default=1344)>/Finjan_RESPMOD. For example, icap://192.168.90.10:1344/Finjan_RESPMOD. The Method Supported should be response modification instead of request modification.
2.
In the Set Action Object dialog box (Figure 4-13), select ICAPResponse1 instead of ICAPRequestService1. This opens the Edit ICAP Response Service Object dialog box.
47
3.
In the Edit ICAP Response Service Object (Figure 4-14), select Use ICAP response service and from the drop-down list, select the RESPMOD service that you have defined, and then click OK.
CHAPTER 5
ADVANCED SETTINGS
1 Introduction to Setup Console Advanced Settings
After using the Initial Setup Wizard to configure the appliance, the Advanced Settings can be used to improve and manage the functionality of the appliance. Each appliance has different configuration needs; therefore, after completing the Initial Setup Wizard, the Advanced Settings give you access to each configuration option as required, so that it can be configured to match the system needs.
NOTE: Please refer to the Initial Setup Wizard for detailed information about the initial configuration of the appliance.
The Advanced Settings options enable you to define the role the appliance takes, the type of license the appliance works under, the security, access and time settings, and also to carry out routine maintenance operations. The Network Settings option (within the Advanced Settings) is used to define how the appliance communicates with the network and to carry out in-depth analysis and diagnostics of the system.
The Advanced Settings screen contains the following options:
Appliance Roles: Selecting this option opens a wizard which takes you through the steps for selecting a role and defining a Network Interface to be used as the primary server connection for the appliance.
Licensing: This option is used to select the correct License Type to apply to the appliance.
Custom Commands: This option is used to enable SNMP Monitoring and Support Access on the appliance, provides repair commands for the Policy Server database and the configuration repository, and enables changing the SNMP community string, and the Management Console IP address and HTTPS Listening Port.
Time Settings: This option is used to set the System and/or Hardware Time, and offers the option of synchronizing the time settings with an external Time Server.
Network Settings: This option provides further configuration options, allowing you to carry out diagnostics and to run in-depth checks on the appliance.
Change Password: Use this option to change the password for access to the Setup Console.
Restart Role: This is used if there are functionality problems with the appliance software.
Reboot/Shutdown Appliance: The Reboot command is used if there are operational problems with the appliance. The Shutdown command is used when it is necessary to switch off and remove the appliance from any power supply.
Active/Standby Policy Server: This option allows you to switch from the current Active Policy Server to the Standby Policy Server.
NOTE: Any configuration changes made to the appliance are valid only for that particular appliance, and not for any other appliance connected to the network. Each appliance must be configured individually.
2.2 Licensing
The License Type screen is used to select the license. This screen is the same one as appears in the Initial Setup Wizard.
The following sections describe the options available within the Custom Commands screen.
In the Change SNMP Monitoring Options section, select Yes to enable SNMP monitoring.
Click Change SNMP Monitoring Options to apply the changes. The Execute Command window is displayed confirming SNMP is enabled.
In the Change Support Access Options section, select Yes to enable support access to the appliance. You can also enable resetting the Support User Password from this screen.
Click Change Support Access Options to apply the changes. The Execute Command window is displayed confirming Support Access is enabled.
NOTE: There is no Back button in this command window, which marks the end of the command. The server receives the instruction and restarts itself. To return to the Custom Commands window, click the Back button in your web browser.
The Execute Command window is displayed. Click Back to return to the Custom Commands window.
NOTE: The Configuration Repository stores the settings, configured in the Vital Security Management Console, that are required for an appliance to function correctly in its specified role.
Click Repair Policy Server database to back up and restore the Policy Server database.
The Execute Command window is displayed. Click Back to return to the Custom Commands window.
1. In the SNMP Community String section, enter the new SNMP community string.
NOTE: The appliance ships with a default community string, so SNMP access is available as soon as monitoring is enabled. The community string is effectively the SNMP password; change it from the default before enabling SNMP monitoring on a production network.
2. Click SNMP Community String to apply the change. The Execute Command window is displayed confirming that the SNMP community string has been changed successfully.
3. In the Execute Command window, click Back to return to the Custom Commands window.
1. In the Management Console IP Address field, enter the new IP address, for example 10.0.5.1, or enter * to retain the IP addresses currently configured on the appliance.
2. In the Management HTTPS listening port field, enter the required port number.
NOTE: The appliance has a default HTTPS listening port so that the Management Console can be reached immediately on initial connection.
3. Click Change Management Console IP address/port. The Execute Command window is displayed confirming that the Management Console IP address/port have been changed successfully. Access to the Management Console through your browser is now through the specified IP address and port, for example https://10.0.5.1:1234.
4. In the Execute Command window, click Back to return to the Custom Commands window.
1. In the Advanced Settings screen, click Time Settings. The System Time window is displayed.
2. In the Time Zone section, set the Time Zone to your local time zone. You can set either the Hardware Time or the System Time and then match one to the other.
3. To set the Hardware Time, enter your local time in the Hardware Time section.
4. To match the System Time to the Hardware Time, click Set System Time to Hardware Time.
5. Repeat steps 3-4 to set the System Time and match the Hardware Time to the System Time, and then click Save.
6. For more accurate timekeeping, synchronize your System Time with an external Time Server. In the Timeserver hostnames or addresses field, enter the required hostname or IP address.
NOTE: Synchronizing your time settings with an external Time Server is strongly recommended, especially when working with distributed topologies; consistent time across appliances is also needed to correlate their logs.
7. Select the Set hardware time too checkbox to also synchronize the hardware time.
8. To synchronize with the Time Server without a fixed schedule, select No in the Synchronize on schedule section.
9. To synchronize on schedule, select Yes in the Synchronize on schedule section, select the required time schedule in the scheduling options below, and click Save and Apply. The screen refreshes with the scheduling configuration.
The Advanced Network Settings options are as follows:
The Network Interfaces option is used to enable the appliance to communicate with other computers on the network.
The Routing and Gateways option is used to define the paths that the system should take to reach certain hosts and networks.
The DNS Client option is used for converting a hostname into an IP address, and vice versa.
The Host Addresses option is used to configure and match IP addresses with hostnames locally, without the use of a DNS server.
A further option is used when changes made in different configuration options need to be applied simultaneously; for example, changes made to Network Interfaces may affect the Routing and Gateways settings, so it is preferable to make the necessary changes to the Routing and Gateways settings and then apply both sets of changes together.
The Network Diagnostics options are used to check network connectivity and communications with other hosts on the network.
1. In the Advanced Network Settings screen, click Network Interfaces. The Network Interfaces screen is displayed.
2. In the Interfaces Activated at Boot Time section of the screen, select the required interface to open the Edit Bootup Interface window.
3. Enter the IP address, or select From DHCP for it to be dynamically assigned, or, if your system supports it, select From BOOTP.
4. Enter the Netmask and Broadcast address if required.
NOTE: Netmask configuration is essential when using a static IP.
5. In Activate at boot?, select Yes or No as required. If Yes is selected, the interface will appear in the Interfaces Active Now section of the Network Interfaces screen after the network settings are applied or after a system restart, as well as in the Interfaces Activated at Boot Time section.
6. To save the changes and apply them at a later stage, click Save. To activate the boot interface immediately, click Save and Apply.
7. In the Network Interfaces screen, select the required interface from the Interfaces Active Now list. The Edit Active Interface screen is displayed.
3. In Default Router, select Gateway and enter the IP address in the Gateway field. In the Device field, select the required interface from the drop-down menu. Configure Static routes or Local routes as required, or leave them as they are to use the default routing and gateway configuration. Static routes are configured so that traffic to a known host or network takes a specific route rather than going through the default route. Local routes set up routing to additional IP networks on connected LANs.
4. Click Save.
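The NOTE above that a netmask is essential for a static IP, and the Default Router and Static routes settings, can be checked before clicking Save: the network and broadcast addresses follow from the IP address and netmask, and a gateway only works if it lies inside the subnet of the interface it is reached through. The following Python script is an added example of that check, not the appliance's own code; the interface addresses, gateway and routes in it are constructed for illustration and do not come from the guide.

```python
import ipaddress


def interface_summary(ip, netmask):
    """Return network, prefix length and broadcast address for a static IP.

    The netmask is mandatory: without it the interface's subnet, and therefore
    the broadcast address and every on-link decision below, is undefined.
    """
    if not netmask:
        raise ValueError("netmask is essential when using a static IP")
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return {
        "network": str(iface.network.network_address),
        "prefixlen": iface.network.prefixlen,
        "broadcast": str(iface.network.broadcast_address),
    }


def gateway_on_link(ip, netmask, gateway):
    """A gateway is usable only if it sits inside the interface's subnet and is
    neither the network address, the broadcast address nor the interface itself."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw not in net:
        return False
    return gw not in (net.network_address, net.broadcast_address) and gw != iface.ip


def check_routes(interfaces, default_gateway, static_routes):
    """Validate a Routing and Gateways configuration.

    interfaces:      {device: (ip, netmask)}
    default_gateway: (gateway_ip, device)
    static_routes:   list of (destination_cidr, gateway_ip, device)
    Returns a list of problems; an empty list means the configuration is consistent.
    """
    problems = []
    gw, dev = default_gateway
    if dev not in interfaces:
        problems.append(f"default gateway device {dev} is not a configured interface")
    elif not gateway_on_link(*interfaces[dev], gw):
        problems.append(f"default gateway {gw} is not on the subnet of {dev}")
    for dest, rgw, rdev in static_routes:
        try:
            ipaddress.ip_network(dest, strict=True)  # host bits set => not a network
        except ValueError:
            problems.append(f"static route destination {dest} is not a valid network")
            continue
        if rdev not in interfaces:
            problems.append(f"static route to {dest}: device {rdev} is not configured")
        elif not gateway_on_link(*interfaces[rdev], rgw):
            problems.append(f"static route to {dest}: gateway {rgw} is not on the subnet of {rdev}")
    return problems


# Constructed configuration for illustration (not from the guide).
INTERFACES = {
    "eth0": ("10.0.5.1", "255.255.255.0"),
    "eth1": ("192.168.90.10", "255.255.255.0"),
}
DEFAULT_GATEWAY = ("10.0.5.254", "eth0")
STATIC_ROUTES = [
    ("172.16.0.0/16", "192.168.90.1", "eth1"),  # fine: gateway is on eth1's subnet
    ("10.20.0.0/16", "10.0.6.1", "eth0"),       # wrong: 10.0.6.1 is not on eth0's subnet
]

if __name__ == "__main__":
    for dev, (ip, mask) in INTERFACES.items():
        print(dev, interface_summary(ip, mask))
    for line in check_routes(INTERFACES, DEFAULT_GATEWAY, STATIC_ROUTES) or ["routing OK"]:
        print(line)
```

The second static route is deliberately wrong; the appliance would accept it, but traffic for 10.20.0.0/16 would never reach a next hop that eth0 cannot ARP for. Running the check before Save catches that and the equally common mistake of a default gateway typed with the wrong third octet.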
1. In the Hostname field, enter the hostname of the appliance.
2. In Resolution order, select the required resolution order from the options offered.
3. Select Update hostname in host addresses if changed, if required.
4. In the DNS servers fields, enter the IP addresses of up to three servers. If the first is not available, the system tries the second, and then the third.
5. In the Search domains field, enter any domain names that should be automatically appended to unqualified hostnames when they are resolved, and then select Listed; or leave the Search domains field empty and select None.
6. In the DNS Cache field, select On or Off to enable or disable the DNS cache. It is automatically enabled when you click Apply in the Initial Setup Wizard in the Setup Console. Click Flush DNS Cache to empty the cache and restart it.
7. Click Save to save any changes made.
NOTE: When enabling or disabling DNS Cache (On/Off), you need to run Restart Role for the setting to take effect.
1. Click Add a new host address. The Create Host Address window is displayed.
2. In the IP Address field, enter the IP address. In the Hostnames field, enter all the hostnames that should match the IP address, and click Create. The IP address and hostnames are added to the Host Addresses list.
The Network Diagnostics options are as follows:
The Ping option is used to test whether a particular host is operating properly and is communicating on the network with the host running the test.
The Traceroute option is used to determine the route packets take over the network to reach a particular host.
The Lookup option is used to check the resolution of IP addresses to hostnames, and vice versa.
The Netstat option gives a snapshot of the connections on the appliance: active connections, connections that are waiting, and listening ports.
The Tcpdump option is used to display all communication on the selected interface while the capture runs. There are no time limits or size limits on the information captured, so stop the capture as soon as you have what you need; a capture holds the full content of the traffic, including any credentials sent in clear text, and should be handled as sensitive.
2.5.6.1 Ping
1. In the Network Diagnostics screen, click Ping. The Ping screen is displayed.
2. In the Hostname field, enter the required hostname. Configure any other relevant parameters, and click Ping It! The Ping report is displayed.
2.5.6.2 Traceroute
To use Traceroute:
1. In the Network Diagnostics screen, click Traceroute. The Traceroute screen is displayed.
2. In the Hostname field, enter the hostname. Configure any other required parameters, and click Trace It! The Traceroute report is displayed.
2.5.6.3 Lookup
To use Lookup:
1. In the Network Diagnostics screen, click Lookup. The Lookup screen is displayed.
3. Configure any other required parameters. The Nameserver field refers to the DNS server IP address, which you can enter in the text box displayed. If you select the radio button next to Default, whichever DNS servers are defined in Advanced Settings > Network Settings > DNS Client will be used.
4. Click
2.5.6.4 Netstat
To use Netstat:
1. In the Network Diagnostics screen, click Netstat. The Netstat screen is displayed.
2.5.6.5 Tcpdump
1. In the Network Diagnostics screen, click Tcpdump. The Tcpdump screen is displayed.
2. In Active Network Interfaces, select the required interface.
3. In Ports, enter a port number, or leave the field empty. Entering a port number limits the capture to traffic on that port.
4. Click Start. The capture begins.
5. Click Stop to stop the current capture.
6. Click Download to download the capture file if required.
NOTE: The capture contains the full content of the traffic on the interface, including any credentials sent in clear text. Stop it as soon as you have what you need, and treat the downloaded file as sensitive.
73
In the Advanced Settings screen, click Restart Role to display the Restart Role window.
In the Advanced Settings screen, click Reboot/Shutdown Appliance to display the Reboot/Shutdown Appliance window.
To restart the role of a Policy Server, whether Active or Standby, click the Restart as button to force a restart of the Active/Standby Policy Server. You can switch the Policy Server from Active to Standby, or vice versa, by clicking the Switch to button. The IP address of the other Policy Server that you defined in the Management Console (Settings > Devices > Policy Server > High Availability Policy Server configuration) is displayed here, either as the Standby Policy Server Address or as the Active Policy Server Address, depending on the status of this Policy Server. Click the link to be redirected to the Setup Console of the other Policy Server (again, this is shown as either active or standby depending on the status). For more information on this feature, please refer to the High Availability Policy Server Technical Brief.
APPENDIX A
LIMITED SHELL
The Limited Shell feature enables monitoring and viewing the appliance's configuration via a serial or SSH connection. Configuration changes cannot be made using this feature. An administrator can log in to the Limited Shell from a remote machine using an SSH client, or by connecting to the appliance's serial or VGA port. The password to the shell (command line) is the same as for the Setup Console. If the current installation was performed through an update (on top of a previous version), the Setup Console password must be set explicitly in order to reset the Limited Shell password; otherwise, access will be denied. SSH access is enabled only if support access is enabled via the Setup Console. To do this, go to the Setup Console Custom Commands screen, select Yes to enable support access to the appliance, and then click Change Support Access Options. Because enabling support access opens SSH to the appliance, leave it disabled when it is not needed. No root user can log in directly to the system. Privileged (root-level) access is obtained only after logging in as Super Administrator from the Limited Shell (the supersh command). A timeout mechanism disconnects idle connections after 5 minutes. After you log in to the Limited Shell, enter help to see the list of commands available to the shell user and their use. The following monitoring commands are available:
Command                 Description
arp                     Displays the ARP table
date                    Displays the current date and time
df                      Displays disk usage
disable_al              Disables the access list
enable_al               Enables the access list
ifconfig                Displays NIC configuration and statistics
ip2name <ip>            Resolves an IP address to a hostname
iptraf                  Interactive IP LAN monitor
last                    Displays last logins
name2ip <name>          Resolves a hostname to an IP address
netstat                 Displays network statistics
ping <IP/hostname>      Sends ICMP ECHO_REQUEST to network hosts
sh_db_size              Shows the database file size
showroute               Displays the routing table
supersh                 Provides access to the privileged shell
top                     Displays Linux tasks
uptime                  Displays uptime
vmstat                  Reports information about the system; press CTRL-C to stop
w                       Shows who is logged on and what they are doing
ha_ps_enable            Defines a Standby Policy Server
ethconf                 Changes a network interface
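The Limited Shell above is an allowlist: the user can run only the monitoring commands in the table, a few of them take exactly one argument, nothing else reaches the system, and idle sessions are dropped after 5 minutes. The following Python script is an added example of that design pattern, not Finjan's shell. It maps a subset of the table's commands to fixed argv lists, validates the single argument that ping, ip2name and name2ip accept so that shell metacharacters cannot be smuggled in, and runs commands without a shell. The command names and the 5-minute timeout come from the guide; the argument patterns, the mapping to system binaries and the refusal of supersh here are assumptions made for the example.

```python
import re
import subprocess

IDLE_TIMEOUT_SECONDS = 5 * 60  # idle connections are disconnected after 5 minutes (guide)

# Allowed monitoring commands that take no argument, mapped to a fixed argv.
# The choice of binaries and flags is an assumption for illustration.
NO_ARG_COMMANDS = {
    "arp": ["arp", "-an"],
    "date": ["date"],
    "df": ["df", "-h"],
    "ifconfig": ["ifconfig"],
    "last": ["last"],
    "netstat": ["netstat", "-an"],
    "showroute": ["route", "-n"],
    "top": ["top", "-b", "-n", "1"],
    "uptime": ["uptime"],
    "vmstat": ["vmstat"],
    "w": ["w"],
}

# Commands that take exactly one argument, with the pattern the argument must match.
HOSTNAME_RE = r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?"
IPV4_RE = r"(?:\d{1,3}\.){3}\d{1,3}"
ONE_ARG_COMMANDS = {
    "ping": (["ping", "-c", "4"], re.compile(rf"^(?:{IPV4_RE}|{HOSTNAME_RE})$")),
    "ip2name": (["host"], re.compile(rf"^{IPV4_RE}$")),
    "name2ip": (["host"], re.compile(rf"^{HOSTNAME_RE}$")),
}


class Denied(Exception):
    """Raised for anything that is not an allowlisted command with a well-formed argument."""


def build_argv(line):
    """Turn one input line into a fixed argv list, or raise Denied.

    The line is split on whitespace only and no shell is ever involved, so characters
    such as ; | & $ ` are just part of a token and fail the argument pattern. supersh
    (privileged access) is deliberately not part of this allowlist.
    """
    tokens = line.strip().split()
    if not tokens:
        raise Denied("empty command")
    name, args = tokens[0], tokens[1:]
    if name in NO_ARG_COMMANDS:
        if args:
            raise Denied(f"{name} takes no arguments")
        return list(NO_ARG_COMMANDS[name])
    if name in ONE_ARG_COMMANDS:
        base, pattern = ONE_ARG_COMMANDS[name]
        if len(args) != 1 or not pattern.match(args[0]):
            raise Denied(f"{name} requires one IP address or hostname")
        return base + [args[0]]
    raise Denied(f"unknown or privileged command: {name}")


def run(line, timeout=30):
    """Execute an allowlisted command without a shell and return its combined output."""
    argv = build_argv(line)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout + result.stderr


if __name__ == "__main__":
    import select
    import sys

    print("limited shell; type help for commands")
    while True:
        sys.stdout.write("> ")
        sys.stdout.flush()
        ready, _, _ = select.select([sys.stdin], [], [], IDLE_TIMEOUT_SECONDS)
        if not ready:
            print("\nidle timeout, disconnecting")
            break
        line = sys.stdin.readline()
        if not line:
            break
        if line.strip() == "help":
            print(" ".join(sorted(list(NO_ARG_COMMANDS) + list(ONE_ARG_COMMANDS))))
            continue
        try:
            print(run(line))
        except Denied as err:
            print("denied:", err)
```

The point of build_argv is that every accepted line collapses to a known argv; an attacker who controls the input can choose which of the allowed binaries runs and one validated argument, nothing more. Running the loop as the login shell of a dedicated unprivileged account is what keeps "no root user can log in directly" true.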
APPENDIX B
INSTALLATION CD
To install version 8.4.0 and higher, the update can be performed from an Installation CD. This removes the need to perform Restore Factory Settings.
1. Attach a CD drive, or a bootable USB flash device, together with a USB keyboard and VGA monitor, to the appliance.
2. When the Finjan screen appears, type yes to continue with the process.
3. Let the installation run; it takes approximately 10 minutes. The appliance LCD will indicate that Vital Security has not been installed yet.
4. Set up the configuration as required via the Setup Console Initial Settings.
NOTE: Currently, the built-in CD-ROM device in the NG-6000 cannot be used.
1. Attach a CD drive, or a bootable USB flash device, together with a USB keyboard and VGA monitor, to the appliance.
2. Check in the BIOS that it is set to boot from the CD/flash device using USB 2.0:
   a. Navigate to Advanced BIOS Features and press Enter.
   b. Using the arrow keys and the Page Up/Page Down keys, select the required device to boot from (e.g., USB-CDROM).
   c. To change the USB to 2.0, navigate backwards using the Escape key and select Integrated Peripherals.
   d. Select Enabled on the USB2.0 Controller.
3. Change the third boot device from HDD-1 to HDD-0.
4. Press F10 to exit and save the configuration.
5. When the Finjan screen appears, type yes to continue with the process.
6. Let the installation run; it takes approximately 10 minutes. The appliance LCD will indicate that Vital Security has not been installed yet.
7. Set up the configuration as required via the Setup Console Initial Settings.
1. Attach a CD drive to the blade.
2. When the Finjan screen appears, type yes to continue with the process.
3. Choose the first SCSI disk available.
4. Let the installation run; it takes approximately 20 minutes.
5. Set up the configuration as required via the Setup Console Initial Settings.