
Post on 07-Jul-2020


Page 1: A high-availability, next-generation firewall for … · as Nessus, Nmap and Metasploit. We had assigned the external interface a fixed IP address for this purpose. Our goal

The test: Clavister W30

A high-availability, next-generation firewall for distributed networks

Dr. Götz Güttich

With the devices in the Eagle and Wolf Series, Clavister is supplying next-generation firewalls which are particularly suitable for environments where multiple firewalls are in use, for example, in distributed networks. Their central management tools ensure that the relevant staff always have a clear overview of the situation. The devices are available as part of various hardware configurations, which means that companies can use the device that best suits the performance requirements in that branch's particular environment. Since the hardware solutions only differ in their performance (in terms of functionality, all of the products are identical), this test, which was carried out using two Clavister W30s, is also applicable to the other next-generation firewalls from the same manufacturer.

The Clavister W30, which was designed for use in branch offices, remote offices and small data centres, includes VPNs (IPsec, L2TP, PPTP and SSL), advanced routing (also as part of a policy) and anti-spam features alongside the actual firewall functionality with deep packet inspection, as is the case with modern next-generation firewalls (NGFs). In addition to this, there are Kaspersky anti-virus functions, an IPS, load balancing, bandwidth management, link aggregation, a web filter and application control functions. The device has six GBit ethernet interfaces and an expansion slot and supports high availability to enhance the fail-safe characteristics of the NGF installation.

The test

In the test, we firstly set up one of the W30 solutions on our network as an internet gateway. To do this, we connected the product to the network switch and DSL modem and booted it. We then accessed the web-based management interface of the device using a browser and ran the initial configuration. Alternatively, there is a command line which can run batch files, for example. This makes sense when many new devices need to be configured automatically.

Once the initial setup was completed, we looked at the configuration tool in detail via a browser (which, according to the manufacturer, is best for managing individual devices) and learned about the functional scope of the solution. In addition, we adapted the configuration specifically to our needs.

Next, we set up various VPN connections to external networks and devices. Once this had been done, we installed the central management tool "Clavister InControl" on a Windows 7 workstation, which, according to the manufacturer, can manage several thousand gateways, and included our gateway in the InControl configuration. We then took InControl in hand and analysed the scope of the solution.

When this process was completed, we analysed the internal and external interfaces of the device with various security tools such as Nessus, Nmap and Metasploit. We had assigned the external interface a fixed IP address for this purpose. Our goal was to find out if there were security flaws or if the solution revealed unnecessary information that could help hackers to attack the system. Furthermore, we also used several attack tools to perform DoS attacks on the device, for example, and to test how it responded to them.

Finally, we modified our test installation so that we could look at the high-availability (HA) function of the products in detail. Since the HA feature cannot cope with dynamically assigned external IP addresses and PPPoE connections, for this purpose we connected both devices as a cluster behind a router which took on the role of providing internet access.

In doing so, we maintained the configuration of the fixed external IP address. In the cluster, the system which we had originally configured took on the role of the master. The second device, which we hadn't yet touched, joined as a slave and took over the configuration from the master.

Commissioning

The commissioning process of the W30 is relatively simple. All you have to do is unpack the product and work through the enclosed quick-start guide. This suggests using the first interface as the LAN interface and the second for the WAN connection. Once all cables are connected, the relevant staff can boot the device and then connect to the product's web interface via the default IP address https://192.168.1.1.

After that, you will find yourself on the overview screen of the management tool. This allows you to start the "Setup Wizard", which will assist you during the initial configuration of the solution.

After we had completed this step, the system displayed a welcome screen which told us which steps the assistant would carry out. First of all, we had to set a new password for the administrator account, which makes sense, as it ensures that Clavister devices are not able to function on the network with standard passwords.

The next step was to set the correct time and to configure the time zone. Then we had to configure the WAN interface. As mentioned previously, we initially used the device as an internet gateway on a "Telekom" (the German telecommunications company) DSL connection.

That is why we chose the option "PPPoE" for the WAN configuration. Alternatively, the solution can work with fixed IP addresses and those assigned via DHCP or via PPTP. For the PPPoE configuration, it sufficed to enter the user name and password and to assign the service a name. After that, the WAN interface was set up.

The next step was to set up a DHCP server for the LAN. In doing so, we mistyped something and discovered as a result that the wizard makes you aware of faulty configuration details and requests that they be corrected. Therefore, you can assume that the initial configuration will generally run smoothly.

Finally, the assistant wants to know which time servers will keep the system time up to date and which syslog server should be used to receive data from the device. This brings the initial configuration to a close and the changes are adopted. Usually the licensing of the product is part of the functionality of the wizard, but we did not perform this step because our test devices already came with an installed licence.

The web-based configuration tool is used to manually adjust the LAN address. In fact, this step is described in the "Getting Started Guide" available on the Clavister website so that there are no problems during the test. In our opinion, this step is also part of the initial configuration and should therefore be processed within the wizard. The same goes for the definition of rules for internet access.

By default, Clavister allows the services DNS and HTTP for access to the external network following the initial configuration. This can, of course, be changed at any time via the management tool. However, it would be nice if the wizard could, at least, help in creating a rudimentary internet access policy which is more suited to the company's requirements.

Figure: The setup wizard alerts users to errors in the configuration

The web-based configuration tool

After we had completed the initial configuration, we logged into the NGF using our new LAN address and started by setting up a guest LAN on the third interface of the device. We established a WLAN access point there so that visitors were able to browse the internet using our internet connection, without seeing our LAN components.

To do this, we basically copied our LAN configuration with an additional DHCP server and another subnet on the third interface. The guest WLAN then worked as expected.

When we had ensured in this manner that all the users on our network had access to the internet via the Clavister device, we started to deal with the configuration tool itself and, as a result, the functional scope of the solution, thus adapting our settings specifically to our requirements. To do this, we firstly updated the device's firmware to cOS Core 11.02.01.03, the version that was up to date at the time of the test, to ensure that we were working with the latest version.

After logging into the web interface, the administrator will find himself back on a status screen which will inform him about the current status of the NGF. A menu bar appears at the top of the window and on the left-hand side there is a tree structure which contains the items which belong to the menu that is open.

The status screen mentioned above contains a system overview with performance, connections, CPU load, memory usage, system time, the top five applications, the top five web content filter categories and the like. You can view and search through various log files directly below this. These include the system log, the anti-virus log, the log for application control, the intrusion detection log and the content filter log.

Under "Sub Systems", the administrators can view the current blacklist and have the option to revoke existing lock-outs. In addition, it is possible to look at the existing connections in detail in list form.

From here, the DHCP server can also be configured, the hardware can be monitored (for example, the CPU temperature) and the interface activity can be displayed. The interface overview also includes graphical information relating to the send and receive rate. Furthermore, under Sub Systems, the system even displays the routing table, data regarding server load balancing and similar information.

The sub menu "Maintenance" gives users the opportunity to safeguard and restore the configuration and the core binaries. In addition to this, they can upload a new licence, perform a reset or reset the device to its factory default settings.

You can also activate notifications which will inform the relevant staff members about new firmware releases and set up automatic updates to the anti-virus and the intrusion protection system. This section was logically structured and should not pose administrators any issues.

Options for loading new firmware files and a support area which provides you with a diagnostic console with system messages and the option to download a support file that provides system information, together with a tools menu, make up the overview of the system status. The tools menu includes functions such as Ping, an SSH key generator and a packet capture tool.

Figure: The status screen provides content filter statistics, as well as other information

With the latter, data transmitted over individual interfaces can be captured and downloaded onto the PC in a CAB file for further analysis – for example with a sniffer. Overviews of IDP signatures are also included in the tools, as is an application library, which includes a large number of applications (such as AOL, Sophos AV, Google Play and many more) and informs the user about what each application does and what each application's associated hazard level is. Since the application library is used later to define the rules for application monitoring, it makes sense to familiarise yourself with it in advance.

The system settings

The main menu "System" contains all the settings to configure the device itself. First of all, these include the settings for the system time, time zone, time server and the DNS client. The persons responsible can also determine which users can access the device's management interface via which networks, which systems in the network can receive logs and events from the NGF (via services like syslog and SNMP) and what the high availability configuration looks like, which we will look at in more detail later.

Monitoring is an important part of system management. First of all, monitoring of hardware plays a role in this respect. By default, Clavister has a sensor for the CPU temperature in place for this purpose. However, it is also possible to use other sensors which keep an eye on the voltage, the fan and similar components. Nevertheless, the availability of the sensors always depends on the hardware which is currently in use.

In contrast, the purpose of the "link monitor" is to monitor items such as hosts or networks. If these are not available for any reason, the device is able to perform predefined actions such as failovers and reconfigurations.

Finally, the "real time monitor alerts" monitor certain values such as the CPU load, performance, the number of spam messages or even the number of dropped packets. The relevant employees can set limits for these and the NGF generates log entries if these thresholds are exceeded. The system settings also include user management for the local user database, a white list which contains entries that are not blocked by IDP and similar rules, and the definition of HTTP banner files which define the appearance of the authentication and application level gateway restriction pages.

Various device settings round off the system menu. These include IP settings such as the default TTL, logging of checksum errors and many more, as well as TCP settings such as sequence number validation. If the administrators hover over an item with their mouse (hover function), the W30 will display a brief explanation of every configuration option, which is very useful because there are settings here which not even IT employees who are well-versed in network protocols are necessarily familiar with. In addition to these protocols there are also settings relating to ICMP, PPP, connection time-outs, length limits and performing fragmentation and local reassembly. This also applies to SSL settings, the state engine, the maximum number of pipe users and diagnosis. During operation, we noticed that the device is set up to send anonymous user statistics to Clavister automatically by default.

This can be prevented here, but in our opinion this configuration step should also be carried out as part of the initial setup wizard. Settings for application control such as the maximum number of unclassified packets and unclassified bytes round off the system configuration.

Figure: The interface status also includes graphical representations of the transmitted data traffic

Objects

The objects are the basis for defining the policies. First of all, they include the address book with IP, network and MAC addresses. If required, administrators also have the option to add new host and network addresses. In contrast to this, the services represent the protocols used on the network. Clavister has already predefined a large number of these, such as "all_icmp", "ssh", "ipsec_suite", "igmp" or "ping". Once again, it is also possible for the relevant staff to add their own items at any time.

Items relating to the application level gateways can be found under "ALG". ALGs for H.323 and SIP have been predefined, but you can also add your own where necessary, for example, for HTTP, POP3, PPTP and so on. In the same place, the relevant IT employees can view the key ring and create new keys, if necessary – such as for securing connections.

Another interesting point: the address pools. These are home to IP pools (dynamic items with IP leases) and NAT pools which can be used in NAT rules.

The VPN items are used to define virtual private networks. First of all, the VPN configuration enables LDAP servers to be defined. The NGF can download certificates and certificate revocation lists (CRLs) from these servers, if required.

The "IKE config mode pool" then assigns IP addresses and DNS and WINS servers to the VPN clients during operation. Apart from that, the algorithms to be used and other items can be defined via the VPN settings.

Network settings

The purpose of the main point "Network" is essentially to configure the interfaces, VPNs and routes. Consequently, the settings for the ethernet adapter with address, network and virtual routing can be adjusted. The link aggregation can also be set here, along with the PPPoE interfaces, VLANs and similar items.

Another interesting point: the VPN configuration. The Clavister solution supports IPsec, SSL, GRE and 6in4 and can communicate not only with PPTP and L2TP servers and clients, but also with PPTP V3 and L2TP V3 components. During the test, we established IPsec connections to a Lancom router of the type 1781A and to the current NCP VPN client for Windows. These connections posed no difficulties.

That's not all: the network settings also support "interface groups" where multiple interfaces can be combined for easier policy management. In terms of routing, not only can the operator set static routes, but also implement routing tables on a policy basis.

Apart from that, it is also possible to achieve load balancing using the various routes. Dynamic routing with the help of OSPF, virtual routing and multicast routing are also supported. Finally, under "network services", the administrators configure DHCP servers and relays, radius relays, DynDNS and so on.

Figure: Clavister has already predefined all of the relevant services

The policies

The area "Policies" is at the heart of the NGF because this is where the relevant staff set the rules that will be used to safeguard data transfers. In this regard, the "main IP rules" must be determined first of all. These can be compiled into groups to increase clarity and manageability.

For example, it is possible to disable all the rules in a group at once. The individual rules work – as is the case with most firewalls – with parameters such as source and destination of the data transfer (network, host and such like), the affected service (such as "FTP" or "all_ip"), the period (in which the rule is valid) and the action to be carried out (drop, allow, deny, reject). Furthermore, administrators also have the opportunity to add services such as application control, the web content filter, or even the anti-virus function to the policies, which will then become active for the relevant protocols. There were absolutely no difficulties with this during the test.

At this point, let's say something about the application control mentioned above. This provides the appropriate staff with the option to create rules that only apply to the traffic generated by a specific application. It works with signatures that have been stored in a database. With the help of application control, very finely tiered policies can be created. For example, it is possible to assign a particular user group a specific range for the use of BitTorrent. This allows the network data traffic to be adapted specifically to the requirements of the organization.

Under "Profiles", the relevant staff can specify schedules during which certain rules apply. Framework conditions for services such as the anti-virus system (e.g. file types excluded from the scan or the handling of compromised files) and the web content filter (categories such as "advertising", "gambling", "swimsuit" etc. which are to be banned) can also be set, amongst other things. Email control with white and blacklist and anti-spam are also configured here.

In terms of user authentication, the system supports external LDAP and radius servers alongside the local database. Intrusion prevention works with signatures which can be used with the help of policies to monitor traffic for attacks. These policies consist of a name, the affected service, a schedule, the signatures in question and such like. On the other hand, the "zone defence" is used to block hosts and networks with the aid of switches in the event of IPS and threshold rule infringements. Last but not least, the W30 also has extensive traffic-shaping functions.
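To make the rule semantics described above concrete, here is an added example written for this page; it is not Clavister's code and not the cOS Core rule engine. It models grouped IP rules with source, destination, service, validity period and action, lets a whole group be disabled at once, and applies the first matching enabled rule. The service-to-port mappings, the network addresses and the implicit drop at the end of the list are assumptions made for the example.

```python
# Added example (not Clavister's code): a small model of the IP-rule
# semantics the review describes. Rules carry source/destination, a
# service, an optional validity period and an action; rules live in
# groups, and a whole group can be disabled at once. The first enabled
# rule that matches decides; with no match the packet is dropped.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service names as in the review ("all_ip", "FTP"); the port mappings
# are assumptions made for this example.
SERVICES = {
    "all_ip": None,  # None = any protocol and port
    "dns": {("udp", 53), ("tcp", 53)},
    "http": {("tcp", 80)},
    "ftp": {("tcp", 21)},
}


@dataclass
class Rule:
    name: str
    src: str            # source network, e.g. "192.168.1.0/24"
    dst: str            # destination network
    service: str        # key into SERVICES
    action: str         # "allow", "drop", "deny" or "reject"
    valid_from: Optional[time] = None  # daily window; None = always valid
    valid_to: Optional[time] = None

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int,
                when: datetime) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        ports = SERVICES[self.service]
        if ports is not None and (proto, port) not in ports:
            return False
        if self.valid_from is not None and self.valid_to is not None:
            if not (self.valid_from <= when.time() < self.valid_to):
                return False
        return True


@dataclass
class RuleGroup:
    name: str
    rules: List[Rule]
    enabled: bool = True   # disabling a group switches off all its rules


def evaluate(groups: List[RuleGroup], src_ip: str, dst_ip: str,
             proto: str, port: int, when: datetime) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) for the first matching enabled rule,
    or ("drop", None) when nothing matches (implicit deny at the end)."""
    for group in groups:
        if not group.enabled:
            continue
        for rule in group.rules:
            if rule.matches(src_ip, dst_ip, proto, port, when):
                return rule.action, rule.name
    return "drop", None


# Constructed sample policy: the outbound DNS and HTTP the review says
# are allowed after the initial setup, plus an FTP rule that is only
# valid during office hours and sits in its own group.
LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
DEFAULT_OUT = RuleGroup("default_out", [
    Rule("lan_dns", LAN, ANY, "dns", "allow"),
    Rule("lan_http", LAN, ANY, "http", "allow"),
])
OFFICE_HOURS = RuleGroup("office_hours", [
    Rule("lan_ftp", LAN, ANY, "ftp", "allow", time(8, 0), time(18, 0)),
])
POLICY = [DEFAULT_OUT, OFFICE_HOURS]

# Two constructed points in time for trying the schedule out.
NOON = datetime(2020, 7, 7, 12, 0)
EVENING = datetime(2020, 7, 7, 20, 0)

if __name__ == "__main__":
    for when in (NOON, EVENING):
        print(when.time(), evaluate(POLICY, "192.168.1.10", "198.51.100.5", "tcp", 21, when))
    OFFICE_HOURS.enabled = False   # switch the whole group off at once
    print("group off", evaluate(POLICY, "192.168.1.10", "198.51.100.5", "tcp", 21, NOON))
```

Disabling `OFFICE_HOURS` removes every rule in it from the evaluation without touching the rule objects, which is the behaviour the review attributes to rule groups; a packet that matches no enabled rule falls through to the implicit drop.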

Figure: The definition of a firewall rule

Installation of InControl

After we had worked through the configuration tool and optimised our configuration, we installed the management software "InControl" on a test client on the LAN using Windows 7. As mentioned before, this is suitable for managing large installations with many NGFs. The software consists of a client/server combination. In this way, it is possible to distribute the components on the network and access them via multiple clients. The installation runs via a wizard and should not pose administrators any issues. Immediately after setup had been completed (for the test we installed all the components on one system), we were able to call up the client and log on to the server with the default access data "admin" and "admin".

Next, we had to add our gateways to the InControl configuration. To do this, we had to generate a key to secure the connection on the individual gateways first of all and release it for management connections via the key ring. Then the IT staff can specify the IP addresses of the gateways in InControl and enter the applicable keys for the individual devices. After that, InControl registers with the NGFs and they appear in the software workspace. It sounds complicated, but we worked through these steps quickly and since the whole procedure was described precisely in the documentation, there really shouldn't be any issues here.

Working with InControl

After logging in with the console, the user will find himself at "Home". At this point, the solution displays the "Global domain" first of all. The administrators either add their existing gateways to this as described above, or set up their own domains or HA clusters. We will come back to the clusters later. For performance reasons, Clavister recommends using the global domain where possible. However, in large environments it can still make sense to create your own domains since the policy management can be based on domain, if necessary.

InControl provides various tabs at the top of the screen, including a ribbon bar containing icons which can be used to call up appropriate functions for each selected context. The solution's workspace is somewhat similar to Microsoft Office, which makes familiarisation with the tool significantly easier.

The first tab – "File" – is used to export and import data, define the SMTP server for email alerts and similar tasks. The "Home" tab is more interesting, which – as mentioned before – is displayed immediately after you have logged in. This contains the registered security gateways, lists with alarms and licence details and the library browser which gives users access to items such as the traffic summary, the top app usage, the top rule usage, the top talkers and such like. In addition to this, "Home" also provides a log explorer (which can run queries), reporting functions (which can be automated with a schedule; if required, it is also possible to send reports by email) and a log analyser, which informs the administrators about application usage, the top talkers, the interface usage and so on. There is also the option here to configure monitoring dashboards which display parameters which are of interest to the relevant staff in the form of gauges, graphics and similar formats. Furthermore, you can manage users who may access InControl either as an administrator or as an auditor and manage groups and audit trails. The latter include the configuration changes on the gateway and various other actions.

If an IT employee selects a gateway, the icon "Configure" becomes active. This is used to set up the devices. There is a tree structure on the left hand side which contains the gateway in question and the items "system", "objects", "network", "policies" and "update centre". This gives those responsible access to the functionality of the NGFs. Since the functional scope of the solutions has already been presented, we won't go into the details once again. It's enough to say that the tree structure was very clearly designed and that the configuration work with InControl went smoothly. We liked the InControl interface in the test even more than the web interface and we would even recommend that users who only have one Clavister firewall in operation install InControl and carry out the configuration using this software. However, this is certainly a matter of preference.

Figure: The configuration of the web content filter

As mentioned above, the configuration can also take place on a domain basis. If an administrator selects a domain instead of a gateway, then they have the option to adapt items, services, NAT pools, profiles and much more to their requirements at domain level. By clicking the right mouse button on a gateway, several other functions are available. These are a remote console, a revision control for configuration, device maintenance functions (with upload firmware, download technical support file, restart, etc.) and such like. In this respect, the "Quick monitor" feature is worth mentioning. This can also be accessed by clicking the right mouse button. This is a predefined monitoring dashboard which provides information on throughput, CPU and buffer usage, the CPU temperature, connections and interface statistics. All of the functions which are accessible via the right mouse button are also available via icons in the ribbon bar.

The "Progress view" shows the current status, for example when distributing configurations. An overview of the accumulated error messages rounds off the scope of InControl.

Security

When we had worked through the management tools, we set out to look at the device in detail with various hacking and security solutions in relation to security flaws. While doing this, we always scanned the external and internal interfaces (both had been assigned fixed IP addresses for this purpose). The specific result of this was that Nmap detected the open services for our configuration on the internal interface, such as HTTP, SSH and such like, as we would expect. In addition to this, the tool suspected that the device was a D-Link device, but also stated straight away that this statement was not reliable. All of the ports on the external interface were filtered, which is why Nmap could not acquire much information. Nevertheless, the scanner established that it was a Clavister solution with the aid of the MAC address. Nessus also detected the released services on the internal interface, even with the version of the server in use, and criticised the certificate installed on the device.

That was only logical, since we had left the self-generated original Clavister certificate on the device, and therefore this does not represent a security risk. Nessus also stated that it was a Clavister solution. Nessus did not find anything on the external interface.

Just like Nmap, Metasploit also thought it was a D-Link device after the scan of the internal interface. The security solution also detected the released services, as expected. It didn't find anything at the external interface either. Not one of our attack tools could cause the Clavister solution any embarrassment, on either the internal or external interface. It was completely unmoved by the attacks and came through the security test unharmed.
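As an added example (not part of the review and not Clavister's tooling), the following Python script turns the scan result described above into a repeatable check a firewall operator can run after every configuration change: it parses Nmap's grepable output (`-oG`) and reports any port on the WAN address that is not filtered, and any open port on the LAN address outside a list of expected management services. The scan lines, the addresses and the expected service list are constructed for the example.

```python
# Added example (not from the review or from Clavister): a defender's
# check over Nmap grepable output (-oG). It confirms the two properties
# the review reports: every port on the external address is filtered,
# and the internal address exposes only the released management
# services (HTTP, SSH and the like).
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in -oG format, not real scan output. Documentation
# addresses are used: 203.0.113.10 stands for the WAN side of the
# firewall and 192.168.1.1 for the LAN side.
SAMPLE_GNMAP = (
    "# constructed sample of nmap grepable output\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 23/closed/tcp//telnet///\tIgnored State: closed (996)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///"
    "\tIgnored State: filtered (998)\n"
)

# "Host: <addr> (<name>)<TAB>Ports: <entries><TAB>..."; entries are comma separated
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: ([^\t]*)")

PortEntry = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Parse the 'Ports:' field of each host line. Each entry has the form
    port/state/protocol/owner/service/rpcinfo/version/ (nmap -oG)."""
    hosts: Dict[str, List[PortEntry]] = defaultdict(list)
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue            # comment lines and hosts without a Ports field
        host, ports = match.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            hosts[host].append((int(fields[0]), fields[1], fields[2], fields[4]))
    return dict(hosts)


def check_exposure(scan: Dict[str, List[PortEntry]], external: str, internal: str,
                   expected_internal: Set[Tuple[str, int]]) -> List[str]:
    """Return human-readable findings: anything not filtered on the WAN
    address, and any open port on the LAN address outside the allow-list."""
    findings: List[str] = []
    for port, state, proto, service in scan.get(external, []):
        if state != "filtered":
            findings.append(f"external {external}: {proto}/{port} ({service}) "
                            f"is {state}, expected filtered")
    for port, state, proto, service in scan.get(internal, []):
        if state == "open" and (proto, port) not in expected_internal:
            findings.append(f"internal {internal}: unexpected open "
                            f"{proto}/{port} ({service})")
    return findings


# The management services we expect to be reachable from the LAN (assumed).
EXPECTED_INTERNAL = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    findings = check_exposure(scan, "203.0.113.10", "192.168.1.1", EXPECTED_INTERNAL)
    print("\n".join(findings) if findings else "exposure as expected")
```

Feeding the script a fresh `-oG` file after each change to the "main IP rules" turns the one-off scan from the test into a regression check: an accidentally released service on the WAN side, or a new listener on the LAN side that nobody added to `EXPECTED_INTERNAL`, shows up as a finding.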

High availability

During the next step, we used InControl to set up a cluster with our two NGFs. To do this, fixed IP addresses were used again on the WAN interfaces.

Firstly, we added our two gateways to the InControl system and configured the later master gateway so that it met our requirements. To do this, we essentially adopted our old configuration, but we also pointed various IP addresses at the interfaces. In order for the cluster configuration to work, all of the device interfaces must have both a shared IP address as well as a private IP address (in the case of unused interfaces, that can be loopback). Once this was done, it sufficed to define a cluster in InControl, combine two of the gateway interfaces as synchronisation interfaces and then add the master to the cluster first, followed by the slave. As soon as that had taken place, InControl asked for the mode which the cluster should be operated in. There are three different options to choose from in this case. Firstly, "Synced". In this case, the whole configuration is managed by InControl; it is uploaded to the first node and then, after a pause, it is uploaded to the second node. In this mode, it is no longer possible to manage the cluster simultaneously via the web interface; InControl must be used for management. In "Auto" mode, the tool only uploads the configuration to the first node and the cluster takes on the syncing process. Finally, the third option is called "Manual". In this case, everything is up to the administrator. Once you have chosen a mode (we chose the second option in the test because we wanted to continue to use the web interface at the same time), InControl asks which network interfaces should be used for the synchronisation. After we had answered this question, the tool uploaded the configuration to the first node, synchronisation took place and the cluster went into operation. In the test, there were no difficulties during failover. By the way, according to the manufacturer, failover takes less than 800 milliseconds. As mentioned before, clusters can also be created via the web interface. There is also a wizard for requesting the required parameters.

Figure: The InControl configuration dialogue
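The addressing rule stated above (a shared and a private address on every interface, loopback for unused ones) is easy to get wrong when the configuration is copied to the second node. The following Python check, added here and not Clavister's code, validates the two nodes' interface addressing before the cluster is defined; the interface names and addresses are assumed, and the check treats "same subnet" and "private addresses differ" as requirements, which the review does not spell out but which follow from the shared/private scheme.

```python
# Added example (not Clavister's code): a pre-flight check for the
# addressing rule the review states for a cluster. Every interface on
# both nodes needs a shared IP address plus a private one (unused
# interfaces may sit on loopback); the shared address must be identical
# on both nodes and the private addresses distinct and in the same
# subnet as the shared one (assumed consequences of the scheme).
from ipaddress import ip_interface
from typing import Dict, List

# Constructed sample of the two nodes' interface addressing, not a real
# Clavister configuration. Interface names and addresses are assumed.
MASTER = {
    "if1": {"shared": "192.168.1.1/24", "private": "192.168.1.2/24"},    # LAN
    "if2": {"shared": "203.0.113.10/29", "private": "203.0.113.11/29"},  # WAN
    "if5": {"shared": "127.0.0.1/8", "private": "127.0.0.1/8"},          # unused
    "if6": {"shared": "10.255.0.1/30", "private": "10.255.0.2/30"},      # sync
}
SLAVE = {
    "if1": {"shared": "192.168.1.1/24", "private": "192.168.1.3/24"},
    "if2": {"shared": "203.0.113.10/29", "private": "203.0.113.12/29"},
    "if5": {"shared": "127.0.0.1/8", "private": "127.0.0.1/8"},
    "if6": {"shared": "10.255.0.1/30", "private": "10.255.0.3/30"},
}


def validate_cluster(master: Dict[str, Dict[str, str]],
                     slave: Dict[str, Dict[str, str]],
                     sync_ifaces: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the addressing is
    consistent with the rules described above."""
    problems: List[str] = []
    if set(master) != set(slave):
        problems.append("interface sets differ: " + ", ".join(sorted(set(master) ^ set(slave))))
    for name in sorted(set(master) & set(slave)):
        m, s = master[name], slave[name]
        missing = [f"{node} {name}: missing {key} address"
                   for node, cfg in (("master", m), ("slave", s))
                   for key in ("shared", "private") if key not in cfg]
        if missing:
            problems.extend(missing)
            continue
        if m["shared"] != s["shared"]:
            problems.append(f"{name}: shared address differs ({m['shared']} vs {s['shared']})")
        if ip_interface(m["shared"]).ip.is_loopback:
            continue    # unused interface parked on loopback: nothing more to check
        if m["private"] == s["private"]:
            problems.append(f"{name}: private addresses must differ between the nodes")
        subnets = {ip_interface(a).network for a in (m["shared"], m["private"], s["private"])}
        if len(subnets) != 1:
            problems.append(f"{name}: shared and private addresses are not in one subnet")
    for name in sync_ifaces:
        if name not in master or name not in slave:
            problems.append(f"sync interface {name} is not configured on both nodes")
    return problems


if __name__ == "__main__":
    for problem in validate_cluster(MASTER, SLAVE, ["if6"]) or ["cluster addressing OK"]:
        print(problem)
```

Running the check against the slave's intended configuration before the "add slave" step in InControl catches the classic mistake of cloning the master's private address along with everything else.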

Conclusion

The Clavister W30 made an excellent impression during the test. The solution is equipped with all the security functions that are required in the business environment. Examples of this high standard are the next-generation firewall, the IPS, the web filter, the application control and the anti-virus and anti-spam features, to name but a few. The central management tool is exemplary, the routing functions have been designed efficiently and with the web interface and CLI, administrators have a comprehensive set of alternative tools at their disposal for managing devices. These can also be used simultaneously, if required. For applications where high availability is required, Clavister also provides functions which are easy to operate and can be used to implement clusters quickly and efficiently. Therefore, the solutions come highly recommended.

Figure: The "Quick monitor" in operation

Figure: Clusters can be managed in the same way as individual gateways while they are in operation