
IBM Internet Security Systems

IBM Proventia® Network Multi-Function Security

Deployment Guide: Routing Mode with No DMZ

December 18, 2007

Deployment and Task Overview

Description

Follow the tasks in this guide to deploy the appliance as a router-firewall device on your network with one internal network only and no DMZ. This guide assumes you want to perform the initial appliance configuration first in a predeployment environment, and then move the appliance to the live production network.

Important: For information on transparent mode deployments, SiteProtector deployments, VPN deployments, or high availability deployments, see the other Deployment Guides located at http://www.iss.net/support/documentation/docs.php?product=38&family=12.

Tasks

This deployment requires the following tasks:

● Verify Requirements

● Connect to Proventia Setup Assistant

● Initialize the System with Proventia Setup Assistant

● Connect to Proventia Manager

● Install Licenses

● Install Updates

● Configure Automatic Updates

● Create Full System Backup

● Configure Appliance Access

● Configure Internal Interface (eth0)

● Configure External Interface (eth1)

● Configure Internal DHCP Server

● Configure Firewall Access Policies

● Deploy Antispam, Antivirus, and Web Filter Protection

● Save Policies and Move to Live Production Network

Table 1: Tasks for deploying in routing mode with no DMZ

Contents of document subject to change.


Verify Requirements

PC requirements

You will need a PC to download your product licenses from IBM Internet Security Systems (ISS) and to access the first-time setup utility on your new appliance. The PC must have Internet Explorer 6 or later and be configured to obtain its IP configuration automatically. Detailed instructions on how to check your PC’s IP configuration are included in this topic.

License requirements

If you have not already done so, obtain your product licenses as described in the Welcome Kit and Order Confirmation Email you received from IBM ISS, or go directly to the License Registration Web site for instructions:

https://www1.iss.net/cgi-bin/lrc

Important: Once you have your product licenses, save them to an easily accessible location such as your PC or a removable USB drive. Keep in mind that the PC will not have access to network shares once connected to the appliance.

If you need further assistance with licenses, contact our license support center:

● Email: [email protected]

● Online: www.iss.net/support

Network connection requirements

You will need to connect the appliance to a network connection that provides Internet access and supports automatic IP configuration. The appliance uses the connection to get important initial updates from IBM ISS. You can use the same network connection you used to obtain your licenses.

Important: If your network connection does not support automatic IP configuration or if you are deploying the appliance in transparent mode, then you must provide the appliance with the following settings to use the network connection:

● IP address

● subnet mask

● default gateway

● nameserver

● DNS suffix

Note: You can use the same settings assigned to your PC or contact your network administrator for the settings.

DNS suffix requirements

You will need the DNS suffixes used on your network connection.

Cable requirements

You will need the following cables for initial configuration:

● Red Ethernet crossover cable (included)

● Power cable (included)


● Standard Ethernet crossover cable (not included)

Detailed instructions

Follow the steps below to verify that your PC and network connection support automatic IP configuration and to gather the required DNS suffixes you will need during initial setup:

Note: If your PC and network connection do not support automatic IP configuration, record your static IP settings as described in this task.

Note: Exact steps vary depending on your Windows version and display settings. The steps listed are for Windows Classic interface.

1. On the PC, select Start > Settings > Network Connections.

2. Right-click Local Area Connection, and then click Properties.

3. Double-click Internet Protocol (TCP/IP).


4. If your screen looks like Figure 1, then go to Step 5.

If your screen looks like Figure 2, then write down your specific IP address, subnet mask, default gateway, and preferred DNS nameserver. Next, select Obtain an IP address automatically and Obtain DNS server address automatically. Go to Step 5.

5. Click the Advanced button.

6. Select the DNS tab, and then write down the DNS suffixes listed under Append these suffixes (in order).

Figure 3: DNS search path settings

7. Click OK to close Advanced TCP/IP Settings.

8. Click OK to close Internet Protocol (TCP/IP) Properties.

9. Close network connections.

Figure 1: Automatic IP configuration

Figure 2: Static IP configuration


Connect to Proventia Setup Assistant

Introduction

The Proventia Setup Assistant is a Web-based utility that gives you access to the system for the first time and helps you configure the new appliance. It is typically used one time only for initial configuration. You will perform all other appliance configuration and administration in Proventia Manager or in SiteProtector once the device is deployed.

Procedure

To connect to Proventia Setup Assistant:

1. Connect the red Ethernet cable from the Internal port to your PC.

2. Connect the standard Ethernet cable from the External port to your Internet connection.

3. Connect the power cable from the power port to a power outlet.

4. Switch on the appliance.

5. Wait for the appliance to fully boot.

6. Start Internet Explorer.

7. Type the default IP address of the appliance, and press ENTER:

https://192.168.123.123

8. When the security alert appears, click Yes.

Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.

9. At the Proventia Local Management Interface login prompt, type admin for the username and admin for the password, and then click OK.

10. Wait while the setup utility is loaded.

When you see the Welcome screen, you are connected to Proventia Setup Assistant and ready to start the initial configuration.


Initialize the System with Proventia Setup Assistant

Procedure

To initialize the system with Proventia Setup Assistant:

Note: Keep the default settings where indicated. If you are unsure about how to configure a specific setting, click Cancel to stop the process. For more information on the policies described in this topic and instructions on how to customize the policies once the appliance is deployed, see the IBM Proventia® Network Multi-Function Security (MFS) Policy Configuration Guide.

1. On the Welcome screen, click Next.

2. On the End User License Agreement screen, select I Accept, and then click Next.

3. On the Linux End User License Agreement screen, select I Accept, and then click Next.

4. On the Mode screen, select Routing, and then click Next.

5. On the Routing Mode Configuration screen, review the settings, and then click Next.

6. On the Hostname screen, enter a fully qualified domain name, and then click Next.

7. On the Internal Interface screen, keep the default settings, and then click Next.

8. On the External IP Type screen, keep the default DHCP setting, and then click Next.

Important: If your network connection does not support automatic IP configuration, select Static IP, click Next, and then enter a static IP address, subnet mask, default gateway, and DNS server. You can use the same static settings assigned to your PC.

Note: PPPoE is typically not used during initial configuration.

9. On the External Interface (eth1) screen, keep the default setting, and then click Next.

Important: If you are using static IP settings, then you must enter the static IP for at least one nameserver.

10. On the DNS Search Path screen, enter the DNS suffixes used on your network, and then click Next.

11. On the DHCP Server screen, keep the default settings, and then click Next.

12. On the Appliance Management Access screen, accept the default setting, and then click Next.

13. On the Time Zone screen, select your time zone, and then click Next.

14. On the Date and Time screen, enter the date and time, and then click Next.

15. On the Root Password screen, set the password, and then click Next.

16. On the Administrator Password screen, set the password, and then click Next.

Tip: Select Same As Root.

17. On the Proventia Manager Password screen, set the password, and then click Next.

Tip: Select Same As Root.

18. On the Bootloader screen, select Disable, and then click Next.

Tip: Enable the bootloader password if you want to require users to enter the root password before they can change boot settings.

19. On the Settings Review screen, scroll through and review the settings, and then click Finish.


20. When you see the Setup Complete window, click End Assistant Session, and then click Yes.

21. Close Internet Explorer.

22. Wait while the appliance applies the settings and fully reboots.

When the appliance reboots, you are ready to connect to Proventia Manager where you can finish the initial configuration process.


Connect to Proventia Manager

Repairing or resetting the connection

Before you can connect to Proventia Manager, you must repair or reset the connection between the PC and the appliance as described:

If your PC normally has automatic IP configuration, then:

1. Select Start > Settings > Network Connections.

2. Right-click the Local Area Connection, and then select Repair.

If your PC normally has static IP configuration, then:

1. Select Start > Settings > Network Connections.

2. Right-click the Local Area Connection, and then select Properties.

3. Double-click Internet Protocol (TCP/IP).

4. Select Use the following IP address, and then enter your static settings.

5. Select Use the following DNS server addresses, and then enter your static nameserver addresses.

6. Click OK to close Internet Protocol (TCP/IP) Properties.

7. Close network connections.

Table 2: How to repair or reset your connection

Connecting to Proventia Manager

To connect to Proventia Manager:

Note: After some configuration tasks in this guide, the appliance will automatically reboot and end your session. Use this procedure to reconnect to Proventia Manager.

1. On the PC connected to the appliance, start Internet Explorer.

2. Type the default IP address of the appliance, and then press ENTER:

https://192.168.123.123

3. When the security alert appears, click Yes.

Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.

4. At the login, type admin for the username, type your Proventia Manager password, and then click OK.

5. On the Welcome screen, select No, continue without the Getting Started Help., and then click Next.

When you see the Home page in Proventia Manager, you are connected.


Install Licenses

Procedure

To install your product license keys:

1. In the upper-right corner of Proventia Manager, find the Important System Message, and then click Install License:

2. Click Browse, select the license file, click Open, and then click Upload.

Tip: Licenses are issued as XML files.

3. Repeat Step 2 to upload each license.

Tip: The licenses might not appear on the Licensing page until after you have uploaded all of your license keys.


Install Updates

Procedure

To install important security updates that were released since your appliance was shipped:

Important: Install the updates in the order listed in this procedure.

Note: This procedure assumes the appliance has Internet access.

1. In Proventia Manager, select Maintenance Updates Status.

2. Click the Find Updates button.

3. Wait while the system contacts IBM ISS for updates.

4. When the Update Status page displays, click Download Updates.

5. Wait while the system downloads the updates to the appliance.


6. Click Install Now for Intrusion Prevention.

7. Wait while the system installs the update.

8. When the Update Status page reappears, click Install Now for Antivirus.

9. Wait while the system installs the update.

10. When the Update Status page reappears, click Install Now for Firmware.

11. At the confirmation prompt, click OK.

12. When you see the following alert, close Internet Explorer. If you have multiple instances of Internet Explorer running, close them all. This action ends your session with Proventia Manager. You will need to reconnect to Proventia Manager after the firmware update is finished.

Configure Automatic Updates

Procedure

To configure automatic product updates:

1. In Proventia Manager, select Maintenance Updates Automatic Settings.

2. Select the Update Settings tab.

3. In the Security Updates section, select Automatically Download and Automatically Install.

Tip: These settings force the system to automatically install antivirus and intrusion prevention updates which are released often to address the latest security threats. These updates run in the background and do not take the system offline.

4. In the Web Filter & Antispam Database Updates section, select Automatically Update Web Filter and Antispam Database.

Tip: Enable automatic database updates only if you are going to deploy Antispam and Web filter protection. Database updates run in the background and do not take the system offline.

5. In the Firmware Updates section, select Automatically Download.

Tip: These settings do not force the system to automatically install firmware updates, but the system will download firmware updates as they become available. After downloading a firmware update, the system will alert you and give you the option to install or disregard the firmware update.

6. Click Save Changes.


Create Full System Backup

Procedure

To create a full system backup:

Note: The full system backup is a complete image of the system, including all the updates you have installed and settings you have configured. The full system backup is similar to a system restore point and provides an easy way to restore the system without having to reinstall all the initial updates. Keep in mind that you can store only one full system backup on the appliance at a time.

1. In Proventia Manager, select Maintenance Backup and Recovery.

2. Select the Full Backup tab, and then click Create System Backup.

3. Follow the onscreen instructions to end your session and close Internet Explorer.


Configure Appliance Access

Important: By default, you can access the appliance from any computer with an IP address on the same subnetwork as the appliance’s internal interface (eth0). If this setting meets your requirements, then you can skip this task. Otherwise, follow the steps in this procedure to configure appliance access settings based on your requirements.

Procedure

To configure appliance access:

Recommendation: Do not delete the default SysEth0Range setting.

1. In Proventia Manager, select Configuration System Appliance Access.

2. On the Appliance Access Configuration page, click the Add icon.

3. Type a description, and then define the address or networks that can access the appliance:

If you want to allow access from a static IP address, then:

1. Select Single IP Address, and then select Static Address.

2. Type the IP address, and then click OK.

If you want to allow access from an address name, then:

1. Select Single IP Address, and then select Address Name.

2. Select an entry, and then click OK.

If you want to allow access from a dynamic address name, then:

1. Select Dynamic Address Name.

2. Select an entry, and then click OK.

If you want to allow access from a range of static IP addresses, then:

1. Select Address Range, and then select Static Address Range.

2. Type the IP address range, and then click OK.

If you want to allow access from an address range name, then:

1. Select Address Range, and then select Address Name Range.

2. Select an entry, and then click OK.

If you want to allow access from a dynamic address range name, then:

1. Select Address Range, and then select Dynamic Address Range Name.

2. Select an entry, and then click OK.

4. Do not save changes yet, but go to the next task.


Configure Internal Interface (eth0)

Procedure

To configure the internal interface (eth0) for deployment:

Note: This interface will be connected to your internal network.

1. In Proventia Manager, select Configuration System Network Interfaces.

2. Select the Internal Interfaces tab.

3. Highlight the eth0 interface line, and then click the Edit icon.

4. Do the following:

■ Verify the Enabled checkbox is selected.

■ Verify eth0 is selected.

■ Enter the IP address and Subnet Mask. Use the following tips to help you configure the interface:

If you are replacing an existing router-firewall device, then use the same internal interface IP address and subnet mask currently assigned to the device you are replacing.

If you are installing the appliance as a new device, then designate an appropriate IP address and subnet mask from your internal network.

■ Verify the Primary Management Interface option is unchecked.

5. Click OK.

6. Do not save changes yet, but go to the next task.


Configure External Interface (eth1)

Introduction

This topic explains how to configure the external interface for deployment. This interface will be connected to the Internet or other external network. This topic covers the following types of external interface configuration:

● DHCP (automatic through a DHCP server)

● Static

● PPPoE (automatic through an Internet Service Provider)

How to configure the interface

How you configure the external interface depends on your requirements:

● If you are replacing an existing router-firewall device, then use the same settings currently assigned to the existing device’s external interface.

● If you are installing the appliance as a new device, then identify the network connection that you are going to connect to the external interface, and determine how the connection assigns IP addresses. This information determines what information you will need when you configure the external interface.

■ If the connection assigns IP addresses automatically, no information is required.

■ If the connection requires a static IP address, obtain the static IP address, subnet mask, default gateway, and nameserver.

■ If the connection assigns IP addresses using PPPoE, obtain the username and password required from your Internet Service Provider.

Using DHCP

To configure the external interface to obtain an IP address using DHCP:

1. In Proventia Manager, select Configuration System Network Interfaces.

2. Select the External Interfaces tab.

3. Do the following:

■ Verify the Enabled checkbox is selected.

■ Verify the Host Name.

■ Verify the Primary Management Interface option is unchecked.

4. In the IP Address section, verify the DHCP option is selected.


5. If you want to replicate the MAC address of another device on the eth0 port, then select Enable MAC cloning and enter the MAC address.

6. In the DNS section, verify the Use Dynamic Settings option is selected.

7. In the DNS Search Path section, verify that the DNS suffixes listed are correct. To add a DNS suffix, click the Add icon, and enter the domain name.

8. Do not save changes yet, but go to the next task.

Using PPPoE

To configure the external interface to obtain an IP address using PPPoE:

Note: Most of the settings required in this procedure are provided by your ISP.

1. In Proventia Manager, select Configuration System Network Interfaces.

2. Select the External Interfaces tab.

3. Do the following:

■ Verify the Enabled checkbox is selected.

■ Verify the Host Name.

■ Verify the Primary Management Interface option is unchecked.


4. In the IP Address section, select PPPoE from the drop-down list.

5. Type the User Name and Password required to obtain IP addresses from your PPPoE server.

6. Do the following optional tasks as needed:

■ Select On Demand link activation type if your PPPoE-based network connection is not continuous, meaning it is active only when requested.

■ Verify the Clamp MSS option is selected.

■ Enter the Service Name only if your ISP requires this information.

7. In the DNS section, verify the Use Dynamic Settings option is selected.

8. In the DNS Search Path section, verify the DNS suffixes are correct. To add a DNS suffix, click the Add icon, and enter the domain name.

9. Do not save changes yet, but go to the next task.


Static

To configure the external interface with a static IP configuration:

1. In Proventia Manager, select Configuration System Network Interfaces.

2. Select the External Interfaces tab.

3. Do the following:

■ Verify the Enabled checkbox is selected.

■ Verify the Host Name.

■ Verify the Primary Management Interface option is unchecked.

4. In the IP Address section, select Static, and then type the IP Address, Subnet Mask, and Default Gateway.

5. In the DNS section, verify the Use Dynamic Settings option is selected.

6. In the DNS Search Path section, verify the DNS suffixes are correct. To add a DNS suffix, click the Add icon, and enter the domain name.

7. Do not save changes yet, but go to the next task.


Configure Internal DHCP Server

Introduction

This topic explains how to configure or disable the internal DHCP server. This server functions like any other DHCP server in that it automatically configures IP settings for devices on your internal network.

How to configure the server

Whether you deploy the internal DHCP server and how you configure the server depends on your network requirements.

Use the following tips to help you configure the DHCP server:

Note: The server is enabled by default on a new appliance so that your PC can connect to the appliance for initial configuration.

● If you already have DHCP servers on your network to assign IP settings to devices on the internal network, then you can disable the server.

● If you want to use the internal DHCP server, then you need to configure the server so that it assigns appropriate IP settings to the devices on your internal network.

● If there are devices on your internal network that need a static IP address, then you can reserve static IP addresses for the devices.

Configuring the server

To configure the internal DHCP server to assign IP addresses to devices on your internal network:

1. In Proventia Manager, select Configuration System DHCP.

2. Select the DHCP Server tab.

3. In the first section, do the following:

■ Verify the DHCP Server Enabled option is selected.

■ Verify the Lease Time is appropriate for your network. Lease time is how long a host can keep an IP address once assigned.

4. If you want the server to assign domain name suffixes to your network devices, then enter the correct suffixes in the Domain Name Suffix box.

5. In the Address Ranges section, do the following:

■ Click the Add icon.

■ Enter the IP Address Range, Subnet Mask, and Gateway IP Addresses.

■ Click OK.

Tip: Use the following tips to help you configure the server:

If you are replacing an existing DHCP server, then replicate the settings from your existing DHCP server.

If you are deploying the DHCP server in addition to the ones already deployed on your network, then enter an IP address range different from the one currently being managed by the existing server.

If you are deploying the server as a new DHCP server, then keep the default settings unless they conflict with your IP subnetting requirements; in that case, change the settings as needed.

6. In the DNS section, keep the default Use Default setting unless you want to manually assign nameservers to the hosts on your internal network. In that case, select Specify Settings, and then enter the IP addresses of the nameservers.

7. In the Static Address Assignments section, do the following to permanently lease IP addresses to hosts on your internal network:

Note: This task is optional.

■ Click the Add icon.

■ Enter the Host Name, MAC Address, and IP Address.

■ Click OK.

8. In the WINS Configuration section, enter the IP addresses of your WINS servers. These servers allow the network to convert NetBIOS names to IP addresses.

Note: This task is optional.

9. Do not save changes yet, but go to the next task.
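A pre-check for the address plan entered in steps 5 and 7 above, as an added example that is not part of the original guide or the appliance software. It verifies that the planned range sits inside the eth0 subnet, does not overlap a range managed by an existing DHCP server, does not lease the interface or gateway address, and that static assignments are consistent. The function name check_dhcp_plan and all addresses, MAC addresses and host names are constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_range(text):
    """Parse 'first-last' into a pair of IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range {text!r} starts after it ends")
    return first, last


def check_dhcp_plan(eth0, new_range, gateway, existing_ranges=(), reservations=()):
    """Return a list of problems found in a planned DHCP server configuration."""
    findings = []
    iface = ipaddress.IPv4Interface(eth0)      # eth0 address with its mask
    net = iface.network
    first, last = parse_range(new_range)
    gw = ipaddress.IPv4Address(gateway)

    if first not in net or last not in net:
        findings.append(f"range {new_range} is not inside the eth0 subnet {net}")
    if gw not in net:
        findings.append(f"gateway {gw} is not inside the eth0 subnet {net}")

    # Added sanity check (not from the guide): the pool must not lease an
    # address that the appliance or the gateway already uses.
    for used in sorted({iface.ip, gw}):
        if first <= used <= last:
            findings.append(f"range {new_range} would lease {used}, which is in use")

    # Guide tip: use a range different from the one an existing server manages.
    for other in existing_ranges:
        o_first, o_last = parse_range(other)
        if first <= o_last and o_first <= last:
            findings.append(f"range {new_range} overlaps existing DHCP range {other}")

    # Static address assignments: host name, MAC address, IP address.
    seen_ip, seen_mac = {}, {}
    for host, mac, ip in reservations:
        mac_norm = mac.lower().replace("-", ":")
        addr = ipaddress.IPv4Address(ip)
        if not MAC_RE.match(mac_norm):
            findings.append(f"{host}: MAC address {mac!r} is malformed")
        if addr not in net:
            findings.append(f"{host}: {addr} is not inside the eth0 subnet {net}")
        if addr in seen_ip:
            findings.append(f"{host}: {addr} is already assigned to {seen_ip[addr]}")
        if mac_norm in seen_mac:
            findings.append(f"{host}: MAC {mac_norm} is already used by {seen_mac[mac_norm]}")
        seen_ip.setdefault(addr, host)
        seen_mac.setdefault(mac_norm, host)
    return findings


# Constructed sample plan with four deliberate mistakes.
SAMPLE_PLAN = dict(
    eth0="10.20.30.1/24",
    new_range="10.20.30.1-10.20.30.150",
    gateway="10.20.30.1",
    existing_ranges=["10.20.30.100-10.20.30.200"],
    reservations=[
        ("printer", "00:11:22:33:44:55", "10.20.30.10"),
        ("nas", "00-11-22-33-44-55", "10.20.31.5"),
    ],
)

# The same plan after correcting the range and the second reservation.
FIXED_PLAN = dict(
    SAMPLE_PLAN,
    new_range="10.20.30.20-10.20.30.99",
    reservations=[
        ("printer", "00:11:22:33:44:55", "10.20.30.10"),
        ("nas", "00:11:22:33:44:66", "10.20.30.11"),
    ],
)

if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("fixed", FIXED_PLAN)):
        problems = check_dhcp_plan(**plan)
        print(f"{label}: {len(problems)} problem(s)")
        for line in problems:
            print("  -", line)
```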

Disabling the DHCP server

To disable the internal DHCP server:

1. In Proventia Manager, select Configuration System DHCP.

2. Select the DHCP Server tab.

3. Uncheck the DHCP Server Enabled checkbox.

4. Do not save changes yet, but go to the next task.


Configure Firewall Access Policies

Introduction

This topic explains how to configure firewall access policies.

Default firewall access policies

The appliance comes with the following default firewall access policies enabled. These policies are appropriate for most deployments:

Note: You can edit the policies or add custom policies at any time in Proventia Manager or in SiteProtector.

● Allow outbound traffic from the internal network (eth0) to any destination

● Allow all outbound traffic from self to any destination

● Allow DHCP requests to self

● Allow ICMP ping to self from internal network (eth0)

DMZ firewall access policies

If you are deploying the appliance with a DMZ, then you must create two additional firewall access policies with the following settings prior to deployment:

| Policy | Settings |
|---|---|
| Allow DMZ to access the Internet and other internal networks | This policy will allow hosts on the DMZ to connect to other hosts in your secure internal network (eth0) and to other hosts on the Internet. Action = Allow; Log Enabled = Yes; Protocol = Any; Source Address = DMZ subnet; Source Port = Any; Destination Address = Any; Destination Port = Any |
| Allow access to the DMZ from the Internet | This policy will allow users on the Internet to connect to a host inside your secure DMZ. Action = Allow; Log Enabled = Yes; Protocol = Any; Source Address = Any; Source Port = Any; Destination Address = SysEth1IP (network object or IP address of the external interface); Destination Port = Any |

Table 3: DMZ firewall access policies

Configuring firewall access policies

To configure firewall access policies:

1. In Proventia Manager, select Configuration → Firewall.

2. Select the Access Policy tab.

3. Click the Add icon.

4. Set the Rule Order.

5. Verify the Rule Guid.

6. Verify the Enabled option is selected.

7. Select the Action (Allow or Reject).

8. Select Log Enabled to log events associated with this rule.

9. Type a Comment (description) for the rule.

10. Select the following tabs, and then complete them as needed:

| Tab | Description |
|---|---|
| Protocol | Select one of the following: Any; Protocol Name; Protocol Number |
| Source Address | Select one of the following: Any; Self; Single IP Address; Address Range; Network Address / Network Bits (CIDR); Specify Network Objects. Tip: Click the Add icon to create a network object. |
| Source Port | Select one of the following: Any; Single Port; Port Range |
| Destination Address | Select one of the following: Any; Self; Single IP Address; Address Range; Network Address / Network Bits (CIDR); Specify Network Objects. Tip: Click the Add icon to create a network object. |
| Destination Port | Select one of the following: Any; Single Port; Port Range; Specify Network Objects. Tip: Click the Add icon to create a network object. |

11. Do not save changes yet, but go to the next task.
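A pre-deployment review of the access policies above, as an added example (not IBM's code and not an appliance export format): it models the two Table 3 policies with the table's own fields and flags allow rules that match every protocol and port, or that have logging off. The Rule class, the finding texts and the narrowed rule at the end (TCP 443) are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One access policy, using the field names from Table 3."""
    name: str
    action: str
    log_enabled: bool
    protocol: str
    src_addr: str
    src_port: str
    dst_addr: str
    dst_port: str

def findings(rule):
    """Return review findings for one rule; an empty list means no finding."""
    out = []
    if rule.action != "Allow":
        return out  # Reject rules do not widen exposure
    if not rule.log_enabled:
        out.append("allow rule without logging")
    if rule.protocol == "Any" and rule.dst_port == "Any":
        out.append("allows every protocol and destination port")
    if rule.src_addr == "Any" and rule.dst_port == "Any":
        out.append("reachable from any source on any port")
    if rule.src_addr == "Any" and rule.dst_addr == "Any":
        out.append("any-to-any address match")
    return out

# The two DMZ policies with the settings Table 3 lists.
DMZ_OUT = Rule("Allow DMZ to access the Internet and other internal networks",
               "Allow", True, "Any", "DMZ subnet", "Any", "Any", "Any")
DMZ_IN = Rule("Allow access to the DMZ from the Internet",
              "Allow", True, "Any", "Any", "Any", "SysEth1IP", "Any")
# Constructed example of a narrowed inbound rule (TCP 443 is an assumption,
# not a value from the guide).
DMZ_IN_NARROW = Rule("Allow HTTPS to the DMZ from the Internet",
                     "Allow", True, "TCP", "Any", "Any", "SysEth1IP", "443")

def review(rules):
    """Map rule name -> findings for every rule that has at least one."""
    return {r.name: f for r in rules if (f := findings(r))}

if __name__ == "__main__":
    for name, items in review([DMZ_OUT, DMZ_IN, DMZ_IN_NARROW]).items():
        print(f"{name}: " + "; ".join(items))
```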


Deploy Antispam, Antivirus, and Web Filter Protection

Introduction

This topic explains how to deploy basic antispam, antivirus, and Web filter protection. It does not explain how to customize or tune policies for these modules. For that information, see the IBM Proventia® Network Multi-Function Security (MFS) Policy Configuration Guide.

Note: Antispam, antivirus, and Web filter are optional.

Deploying antispam, antivirus, and Web filter

To deploy antispam, antivirus, and Web filter protection:

1. In Proventia Manager, select Configuration → Antispam.

2. Select the Protection Settings tab, and then select Spam Detection Enabled.

3. Select Configuration → Antivirus.

4. On the Basic Configuration tab, select the Signature and Behavioral Antivirus Module Enabled checkbox.

5. Select Configuration → Web Filter → Web Filter Settings.

6. On the Protection Settings tab, select the Web Filter Module Enabled checkbox.

7. Do not save changes yet, but go to the next task.


Save Policies and Move to Live Production Network

Saving policies

It is important to understand that once you save your policies you will not be able to access the appliance again until you physically move it to the live production network, connect the cables, and boot the system.

To save your policies, click Save Changes in Proventia Manager. This action will end your session with Proventia Manager and lock you out of the appliance temporarily until the appliance is operational on the production network.

Moving the appliance into production

The physical move to the live production network will require some network downtime, so schedule the move to occur during a low usage time and factor in time to rack mount the appliance if needed.

To move the appliance to production:

1. Switch off the appliance.

2. Disconnect the appliance and cables from your setup or configuration environment as described:

■ Disconnect the red Ethernet cable from the Internal port to your PC.

■ Disconnect the standard Ethernet cable from the External port to your Internet connection.

■ Disconnect the power cable from the power port to a power outlet.

3. Move the device to its location on the production network and rack mount the device if needed.

4. Reconnect the cables as described:

■ Connect a standard Ethernet cable from the Internal port to your internal network.

■ Connect a standard Ethernet cable from the External port to your Internet connection.

■ Connect additional standard Ethernet cables from the internal ports to your internal networks including your DMZ if needed.

■ Connect the power cable from the power port to a power outlet.

5. Switch on the appliance.

Tuning policies and routine maintenance

See the following publications for additional assistance:

● For information on how to customize policies, see the IBM Proventia® Network Multi-Function Security (MFS) Policy Configuration Guide.

● For information on how to perform routine maintenance such as backups, see the IBM Proventia® Network Multi-Function Security (MFS) Administrator Guide.


© Copyright IBM Corporation 2007. All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
