The test: Clavister W30
A high-availability, next-generation firewall for distributed networks

Dr. Götz Güttich

With the devices in the Eagle and Wolf Series, Clavister is supplying next-generation firewalls which are particularly suitable for environments where multiple firewalls are in use, for example in distributed networks. Their central management tools ensure that the relevant staff always have a clear overview of the situation. The devices are available in various hardware configurations, which means that companies can use the device that best suits the performance requirements of a particular branch's environment. Since the hardware solutions only differ in their performance (in terms of functionality, all of the products are identical), this test, which was carried out using two Clavister W30s, is also applicable to the other next-generation firewalls from the same manufacturer.

The Clavister W30, which was designed for use in branch offices, remote offices and small data centres, includes VPNs (IPsec, L2TP, PPTP and SSL), advanced routing (also as part of a policy) and anti-spam features alongside the actual firewall functionality with deep packet inspection, as is the case with modern next-generation firewalls (NGFs). In addition to this, there are Kaspersky antivirus functions, an IPS, load balancing, bandwidth management, link aggregation, a web filter and application control functions. The device has six Gbit Ethernet interfaces and an expansion slot and supports high availability to enhance the fail-safe characteristics of the NGF installation.

The test
In the test, we first set up one of the W30 solutions on our network as an internet gateway. To do this, we connected the product to the network switch and DSL modem and booted it. We then accessed the web-based management interface of the device using a browser and ran the initial configuration. Alternatively, there is a command line which can run batch files, for example. This makes sense when many new devices need to be configured automatically.

Once the initial setup was completed, we looked at the configuration tool in detail via a browser (which, according to the manufacturer, is best for managing individual devices) and learned about the functional scope of the solution. In addition, we adapted the configuration specifically to our needs.

Next, we set up various VPN connections to external networks and devices. Once this had been done, we installed the central management tool "Clavister InControl" on a Windows 7 workstation, which, according to the manufacturer, can manage several thousand gateways, and included our gateway in the InControl configuration. We then took InControl in hand and analysed the scope of the solution.

When this process was completed, we analysed the internal and external interfaces of the device with various security tools such as Nessus, Nmap and Metasploit. We had assigned the external interface a fixed IP address for this purpose. Our goal was to find out if there were security flaws or if the solution revealed
unnecessary information that could help hackers to attack the system. Furthermore, we also used several attack tools, for example to perform DoS attacks on the device, and to test how it responded to them.

Finally, we modified our test installation so that we could look at the high-availability (HA) function of the products in detail. Since the HA feature cannot cope with dynamically assigned external IP addresses and PPPoE connections, for this purpose we connected both devices as a cluster behind a router which took on the role of providing internet access.

In doing so, we maintained the configuration of the fixed external IP address. In the cluster, the system which we had originally configured took on the role of the master. The second device, which we hadn't yet touched, joined as a slave and took over the configuration from the master.
Commissioning
The commissioning process of the W30 is relatively simple. All you have to do is unpack the product and work through the enclosed quick-start guide. This suggests using the first interface as the LAN interface and the second for the WAN connection. Once all cables are connected, the relevant staff can boot the device and then connect to the product's web interface via the default IP address https://192.168.1.1.

After that, you will find yourself on the overview screen of the management tool. This allows you to start the "Setup Wizard", which will assist you during the initial configuration of the solution.

After we had completed this step, the system displayed a welcome screen which told us which steps the assistant would carry out. First of all, we had to set a new password for the administrator account, which makes sense, as it ensures that Clavister devices are not able to function on the network with standard passwords.

The next step was to set the correct time and to configure the time zone. Then we had to configure the WAN interface. As mentioned previously, we initially used the device as an internet gateway on a "Telekom" (the German telecommunications company) DSL connection.

That is why we chose the option "PPPoE" for the WAN configuration. Alternatively, the solution can work with fixed IP addresses and those assigned via DHCP or via PPTP. For the PPPoE configuration, it sufficed to enter the user name and password and to assign the service a name. After that, the WAN interface was set up.

The next step was to set up a DHCP server for the LAN. In doing so, we mistyped something and discovered as a result that the wizard makes you aware of faulty configuration details and requests that they be corrected. Therefore, you can assume that the initial configuration will generally run smoothly.

Finally, the assistant wants to know which time servers will keep the system time up to date and which syslog server should be used to receive data from the device. This brings the initial configuration to a close and the changes are adopted. Usually the licensing of the product is part of the functionality of the wizard, but we did not perform this step because our test devices already came with an installed licence.

The web-based configuration tool is used to manually adjust the LAN address. In fact, this step is described in the "Getting Started Guide" available on the Clavister website so that there are no problems during the test. In our opinion, this step is also part of the initial configuration and should therefore be handled within the wizard. The same goes for the definition of rules for internet access.

By default, Clavister allows the services DNS and HTTP for access to the external network following the initial configuration. This can, of course, be changed at any time via the management tool. However, it would be nice if the wizard could, at least, help in creating a rudimentary internet access policy which is more suited to the company's requirements.

[Figure: The setup wizard alerts users to errors in the configuration]
The web-based configuration tool
After we had completed the initial configuration, we logged into the NGF using our new LAN address and started by setting up a guest LAN on the third interface of the device. We established a WLAN access point there so that visitors were able to browse the internet using our internet connection, without seeing our LAN components.

To do this, we basically copied our LAN configuration with an additional DHCP server and another subnet on the third interface. The guest WLAN then worked as expected.

When we had ensured in this manner that all the users on our network had access to the internet via the Clavister device, we started to deal with the configuration tool itself and, as a result, the functional scope of the solution, thus adapting our setting specifically to our requirements. To do this, we first updated the device's firmware to cOS Core 11.02.01.03, the version that was up to date at the time of the test, to ensure that we were working with the latest version.
After logging into the web interface, the administrator will find himself back on a status screen which will inform him about the current status of the NGF. A menu bar appears at the top of the window and on the left-hand side there is a tree structure which contains the items which belong to the menu that is open.

The status screen mentioned above contains a system overview with performance, connections, CPU load, memory usage, system time, the top five applications, the top five web content filter categories and the like. You can view and search through various log files directly below this. These include the system log, the antivirus log, the log for application control, the intrusion detection log and the content filter log.

Under "Sub Systems", the administrators can view the current blacklist and have the option to revoke existing lockouts. In addition, it is possible to look at the existing connections in detail in list form.

From here, the DHCP server can also be configured, the hardware can be monitored (for example, the CPU temperature) and the interface activity can be displayed. The interface overview also includes graphical information relating to the send and receive rate. Furthermore, under Sub Systems, the system even displays the routing table, data regarding server load balancing and similar information.

The sub-menu "Maintenance" gives users the opportunity to back up and restore the configuration and the core binaries. In addition to this, they can upload a new licence, perform a reset or reset the device to its factory default settings.

You can also activate notifications which will inform the relevant staff members about new firmware releases and set up automatic updates to the antivirus and the intrusion protection system. This section was logically structured and should not pose administrators any issues.
Options for loading new firmware files and a support area, which provides you with a diagnostic console with system messages and the option to download a support file that provides system information, together with a tools menu, make up the overview of the system status. The tools menu includes functions such as Ping, an SSH key generator and a packet capture tool.

[Figure: The status screen provides content filter statistics, as well as other information]

With the latter, data transmitted over individual interfaces can be captured and downloaded onto the PC in a CAB file for further analysis – for example with a sniffer. Overviews of IDP signatures are also included in the tools, as is an application library, which includes a large number of applications (such as AOL, Sophos AV, Google Play and many more) and informs the user about what each application does and what each application's associated hazard level is. Since the application library is used later to define the rules for application monitoring, it makes sense to familiarise yourself with it in advance.
The system settings
The main menu "System" contains all the settings to configure the device itself. First of all, these include the settings for the system time, time zone, time server and the DNS client. The persons responsible can also determine which users can access the device's management interface via which networks, which systems in the network can receive logs and events from the NGF (via services like syslog and SNMP) and what the high availability configuration looks like, which we will look at in more detail later.

Monitoring is an important part of system management. First of all, monitoring of hardware plays a role in this respect. By default, Clavister has a sensor for the CPU temperature in place for this purpose. However, it is also possible to use other sensors which keep an eye on the voltage, the fan and similar components. Nevertheless, the availability of the sensors always depends on the hardware which is currently in use.

In contrast, the purpose of the "link monitor" is to monitor items such as hosts or networks. If these are not available for any reason, the device is able to perform predefined actions such as failovers and reconfigurations.

Finally, the "real time monitor alerts" monitor certain values such as the CPU load, performance, the number of spam messages or even the number of dropped packets. The relevant employees can set limits for these and the NGF generates log entries if these thresholds are exceeded. The system settings also include user management for the local user database, a whitelist which contains entries that are not blocked by IDP and similar rules, and the definition of HTTP banner files which define the appearance of the authentication and application level gateway restriction pages.
Various device settings round off the system menu. These include IP settings such as the default TTL, logging of checksum errors and many more, as well as TCP settings such as sequence number validation. If the administrators hover over an item with their mouse (hover function), the W30 will display a brief explanation of every configuration option, which is very useful because there are settings here which not even IT employees who are well versed in network protocols are necessarily familiar with. In addition to these protocols there are also settings relating to ICMP, PPP, connection timeouts, length limits and performing fragmentation and local reassembly. This also applies to SSL settings, the state engine, the maximum number of pipe users and diagnosis. During operation, we noticed that the device is set up to send anonymous user statistics to Clavister automatically by default.

This can be prevented here, but in our opinion this configuration step should also be carried out as part of the initial setup wizard. Settings for application control such as the maximum number of unclassified packets and unclassified bytes round off the system configuration.

[Figure: The interface status also includes graphical representations of the transmitted data traffic]
Objects
The objects are the basis for defining the policies. First of all, they include the address book with IP, network and MAC addresses. If required, administrators also have the option to add new host and network addresses. In contrast to this, the services represent the protocols used on the network. Clavister has already predefined a large number of these, such as "all_icmp", "ssh", "ipsec_suite", "igmp" or "ping". Once again, it is also possible for the relevant staff to add their own items at any time.

Items relating to the application level gateways can be found under "ALG". ALGs for H.323 and SIP have been predefined, but you can also add your own where necessary, for example for HTTP, POP3, PPTP and so on. In the same place, the relevant IT employees can view the key ring and create new keys, if necessary – such as for securing connections.

Another interesting point: the address pools. These are home to IP pools (dynamic items with IP leases) and NAT pools which can be used in NAT rules.

The VPN items are used to define virtual private networks. First of all, the VPN configuration enables LDAP servers to be defined. The NGF can download certificates and certificate revocation lists (CRLs) from these servers, if required.

The "IKE config mode pool" then assigns IP addresses and DNS and WINS servers to the VPN clients during operation. Apart from that, the algorithms to be used and other items can be defined via the VPN settings.
Network settings
The purpose of the main item "Network" is essentially to configure the interfaces, VPNs and routes. Consequently, the settings for the Ethernet adapter with address, network and virtual routing can be adjusted. The link aggregation can also be set here, along with the PPPoE interfaces, VLANs and similar items.

Another interesting point: the VPN configuration. The Clavister solution supports IPsec, SSL, GRE and 6in4 and can communicate not only with PPTP and L2TP servers and clients, but also with PPTP V3 and L2TP V3 components. During the test, we established IPsec connections to a Lancom router of the type 1781A and to the current NCP VPN client for Windows. These connections posed no difficulties.

That's not all: the network settings also support "interface groups" where multiple interfaces can be combined for easier policy management. In terms of routing, not only can the operator set static routes, but also implement routing tables on a policy basis.

Apart from that, it is also possible to achieve load balancing using the various routes. Dynamic routing with the help of OSPF, virtual routing and multicast routing are also supported. Finally, under "network services", the administrators configure DHCP servers and relays, RADIUS relays, DynDNS and so on.

[Figure: Clavister has already predefined all of the relevant services]
The policies
The area "Policies" is at the heart of the NGF because this is where the relevant staff set the rules that will be used to safeguard data transfers. In this regard, the "main IP rules" must be determined first of all. These can be compiled into groups to increase clarity and manageability.

For example, it is possible to disable all the rules in a group at once. The individual rules work – as is the case with most firewalls – with parameters such as source and destination of the data transfer (network, host and such like), the affected service (such as "FTP" or "all_ip"), the period (in which the rule is valid) and the action to be carried out (drop, allow, deny, reject). Furthermore, administrators also have the opportunity to add services such as application control, the web content filter or even the antivirus function to the policies, which will then become active for the relevant protocols. There were absolutely no difficulties with this during the test.

At this point, let's say something about the application control mentioned above. This provides the appropriate staff with the option to create rules that only apply to the traffic generated by a specific application. It works with signatures that have been stored in a database. With the help of application control, very finely tiered policies can be created. For example, it is possible to assign a particular user group a specific range for the use of BitTorrent. This allows the network data traffic to be adapted specifically to the requirements of the organisation.

Under "Profiles", the relevant staff can specify schedules during which certain rules apply. Framework conditions for services such as the antivirus system (e.g. file types excluded from the scan or the handling of compromised files) and the web content filter (categories such as "advertising", "gambling", "swimsuit" etc. which are to be banned) can also be set, amongst other things. Email control with whitelist and blacklist and anti-spam are also configured here.

In terms of user authentication, the system supports external LDAP and RADIUS servers alongside the local database. Intrusion prevention works with signatures which can be used with the help of policies to monitor traffic for attacks. These policies consist of a name, the affected service, a schedule, the signatures in question and such like. On the other hand, the "zone defence" is used to block hosts and networks with the aid of switches in the event of IPS and threshold rule infringements. Last but not least, the W30 also has extensive traffic shaping functions.
Installation of InControl
After we had worked through the configuration tool and optimised our configuration, we installed the management software "InControl" on a test client on the LAN using Windows 7. As mentioned before, this is suitable for managing large installations with many NGFs. The software consists of a client/server combination. In this way, it is possible to distribute the components on the network and access them via multiple clients. The installation runs via a wizard and should not pose administrators any issues. Immediately after setup had been completed (for the test we installed all the components on one system), we were able to call up the client and log on to the server with the default access data "admin" and "admin".

[Figure: The definition of a firewall rule]

Next, we had to add our gateways to the InControl configuration. To do this, we first had to generate a key to secure the connection on the individual gateways and release it for management connections via the key ring. Then the IT staff can specify the IP addresses of the gateways in InControl and enter the applicable keys for the individual devices. After that, InControl registers with the NGFs and they appear in the software workspace. It sounds complicated but we worked through these steps quickly and, since the whole procedure was described precisely in the documentation, there really shouldn't be any issues here.
Working with InControl
After logging in with the console, the user will find himself at "Home". At this point, the solution displays the "Global domain" first of all. The administrators either add their existing gateways to this as described above, or set up their own domains or HA clusters. We will come back to the clusters later. For performance reasons, Clavister recommends using the global domain where possible. However, in large environments it can still make sense to create your own domains since the policy management can be based on domain, if necessary.

InControl provides various tabs at the top of the screen, including a ribbon bar containing icons which can be used to call up appropriate functions for each selected context. The solution's workspace is somewhat similar to Microsoft Office, which makes getting to grips with the tool significantly easier.

The first tab – "File" – is used to export and import data, define the SMTP server for email alerts and similar tasks. The "Home" tab is more interesting; as mentioned before, it is displayed immediately after you have logged in. This contains the registered security gateways, lists with alarms and licence details and the library browser which gives users access to items such as the traffic summary, the top app usage, the top rule usage, the top talkers and such like. In addition to this, "Home" also provides a log explorer (which can run queries), reporting functions (which can be automated with a schedule if required; it is also possible to send reports by email) and a log analyser, which informs the administrators about application usage, the top talkers, the interface usage and so on. There is also the option here to configure monitoring dashboards which display parameters which are of interest to the relevant staff in the form of gauges, graphics and similar formats. Furthermore, you can manage users who may access InControl either as an administrator or as an auditor, and manage groups and audit trails. The latter include the configuration changes on the gateway and various other actions.

If an IT employee selects a gateway, the icon "Configure" becomes active. This is used to set up the devices. There is a tree structure on the left-hand side which contains the gateway in question and the items "system", "objects", "network", "policies" and "update centre". This gives those responsible access to the functionality of the NGFs. Since the functional scope of the solutions has already been presented, we won't go into the details once again. It's enough to say that the tree structure was very clearly designed and that the configuration work with InControl went smoothly. We liked the InControl interface in the test even more than the web interface and we would even recommend that users who only have one Clavister firewall in operation install InControl and carry out the configuration using this software. However, this is certainly a matter of preference.

[Figure: The configuration of the web content filter]

As mentioned above, the configuration can also take place on a domain basis. If an administrator selects a domain instead of a gateway, then they have the option to adapt items, services, NAT pools, profiles and much more to their requirements at domain level. By clicking the right mouse button on a gateway, several other functions are available. These are a remote console, revision control for the configuration, device maintenance functions (upload firmware, download technical support file, restart, etc.) and such like. In this respect, the "Quick monitor" feature is worth mentioning. This can also be accessed by clicking the right mouse button. It is a predefined monitoring dashboard which provides information on throughput, CPU and buffer usage, the CPU temperature, connections and interface statistics. All of the functions which are accessible via the right mouse button are also available via icons in the ribbon bar.

The "Progress view" shows the current status, for example when distributing configurations. An overview of the accumulated error messages rounds off the scope of InControl.
Security
When we worked through the management tools, we set out to look at the device in detail with various hacking and security solutions in relation to security flaws. While doing this, we always scanned the external and internal interfaces (both had been assigned fixed IP addresses for this purpose). The specific result of this was that Nmap detected the open services for our configuration on the internal interface, such as HTTP, SSH and such like, as we would expect. In addition to this, the tool suspected that the device was a D-Link device, but also stated straight away that this statement was not reliable. All of the ports on the external interface were filtered, which is why Nmap could not acquire much information. Nevertheless, the scanner established that it was a Clavister solution with the aid of the MAC address. Nessus also detected the released services on the internal interface, even with the version of the server in use, and criticised the certificate installed on the device.

That was only logical, since we had left the self-generated original Clavister certificate on the device, and therefore this does not represent a security risk. Nessus also stated that it was a Clavister solution. Nessus did not find anything on the external interface.

Just like Nmap, Metasploit also thought it was a D-Link device after the scan of the internal interface. The security solution also detected the released services, as expected. It didn't find anything at the external interface either. Not one of our attack tools could cause the Clavister solution any embarrassment, on either the internal or external interface. It was completely unmoved by the attacks and came through the security test unharmed.
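The interface scans described above can be turned into a repeatable check. The following is an added example, not the article's or Clavister's own tooling: it parses Nmap grepable (-oG) output for the internal and external interfaces and flags any service reachable on the WAN side, or any service on the management side that is not on an explicit allow-list. The sample scan text, the addresses, version strings and the allow-list are constructed for illustration.

```python
"""Check Nmap scan results of a gateway's WAN and LAN interfaces against an
exposure policy: nothing may be open on the WAN side, and the management side
may only expose an explicit allow-list. Added example; not the article's tooling."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed samples of nmap grepable (-oG) output, modelled on the findings in
# the article: the management interface shows SSH/HTTP, the WAN side is filtered.
# The addresses and version strings are placeholders, not values from the test.
LAN_SCAN = (
    "# Nmap scan initiated as: nmap -sV -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)
WAN_SCAN_CLEAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///"
    "\tIgnored State: filtered (998)\n"
)
# A second constructed WAN sample in which the HTTPS management port is exposed.
WAN_SCAN_LEAK = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx/"
    "\tIgnored State: filtered (999)\n"
)


def parse_open_ports(gnmap: str) -> dict[int, str]:
    """Return {port: service} for every TCP port Nmap reported as 'open'.

    Grepable port entries have the form
    port/state/protocol/owner/service/rpc info/version/ and are separated
    by ', '. Nmap replaces '/' inside a field with '|', so splitting on '/' is safe.
    """
    open_ports: dict[int, str] = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than crash
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
    return open_ports


@dataclass(frozen=True)
class Finding:
    interface: str
    port: int
    service: str
    reason: str


def check_exposure(
    lan_gnmap: str,
    wan_gnmap: str,
    lan_allowed: frozenset[int] = frozenset({22, 80, 443}),
) -> list[Finding]:
    """Apply the policy: WAN must expose nothing; LAN only the allow-listed ports."""
    findings: list[Finding] = []
    for port, service in sorted(parse_open_ports(wan_gnmap).items()):
        findings.append(Finding("wan", port, service,
                                "service reachable on the external interface"))
    for port, service in sorted(parse_open_ports(lan_gnmap).items()):
        if port not in lan_allowed:
            findings.append(Finding("lan", port, service,
                                    "service not on the management allow-list"))
    return findings


if __name__ == "__main__":
    for scan_name, wan in (("clean", WAN_SCAN_CLEAN), ("leak", WAN_SCAN_LEAK)):
        result = check_exposure(LAN_SCAN, wan)
        print(scan_name, "->", "no findings" if not result else result)
```

Run the same check after every firmware update or rule change, so that a management service accidentally released on the WAN interface is caught before an external scanner finds it.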
High availability
During the next step, we used InControl to set up a cluster with our two NGFs. To do this, fixed IP addresses were used again on the WAN interfaces.

Firstly, we added our two gateways to the InControl system and configured the later master gateway so that it met our requirements. To do this, we essentially adopted our old configuration, but we also pointed various IP addresses at the interfaces. In order for the cluster configuration to work, all of the device interfaces must have both a shared IP address as well as a private IP address (in the case of unused interfaces, that can be loopback). Once this was done, it sufficed to define a cluster in InControl, combine two of the gateway interfaces as synchronisation interfaces and then add the master to the cluster first, followed by the slave.

As soon as that had taken place, InControl asked for the mode in which the cluster should be operated. There are three different options to choose from in this case. Firstly, "Synced". In this case, the whole configuration is managed in InControl; it is uploaded to the first node and then, after a break, it is uploaded to the second node. In this mode, it is no longer possible to manage the cluster simultaneously via the web interface; InControl must be used for management. In "Auto" mode, the tool only uploads the configuration to the first node and the cluster takes on the syncing process. Finally, the third option is called "Manual". In this case, everything is up to the administrator. Once you have chosen a mode (we chose the second option in the test because we wanted to continue to use the web interface at the same time), InControl asks which network interfaces should be used for the synchronisation. After we had answered this question, the tool uploaded the configuration to the first node, synchronisation took place and the cluster went into operation. In the test, there were no difficulties during failover. By the way, according to the manufacturer, failover takes less than 800 milliseconds. As mentioned before, clusters can also be created via the web interface. There is also a wizard for requesting the required parameters.

[Figure: The InControl configuration dialogue]
Conclusion
The Clavister W30 made an excellent impression during the test. The solution is equipped with all the security functions that are required in the business environment. Examples of this high standard are the next-generation firewall, the IPS, the web filter, the application control and the antivirus and anti-spam features, to name but a few. The central management tool is exemplary, the routing functions have been designed efficiently and, with the web interface and CLI, administrators have a comprehensive set of alternative tools at their disposal for managing devices. These can also be used simultaneously, if required. For applications where high availability is required, Clavister also provides functions which are easy to operate and can be used to implement clusters quickly and efficiently. Therefore, the solutions come highly recommended.

[Figure: The "Quick monitor" in operation]
[Figure: Clusters can be managed in the same way as individual gateways while they are in operation]