Page is loading ...
Symantecâ„¢ Gateway Security 5000
Series v3.0
Administration Guide
Supported hardware platforms:
Symantec Gateway Security 5600 Series, Symantec Gateway Security 5400 Series,
Symantec Clientless VPN Gateway 4400 Series
Symantecâ„¢ Gateway Security 5000 Series v3.0
Administration Guide
Documentation version 8.0
September 16, 2005
Copyright © 2005 Symantec Corporation. All rights reserved.
Federal Acquisitions: Commercial Software - Government Users Subject to Standard License Terms
and Conditions.
Symantec, the Symantec Logo, Bloodhound, NAVEX, LiveUpdate, Striker, Symantec Client Firewall,
Symantec Security Response, and Symantec DeepSight Analyzer are trademarks or registered
trademarks of Symantec Corporation in the United States and certain other countries. Additional
company and product names may be trademarks or registered trademarks of the individual companies
and are respectfully acknowledged.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be reproduced in
any form by any means without prior written authorization of Symantec Corporation and its licensors,
if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.
Printed in the United States of America.
10987654321
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains
support centers throughout the world. The Technical Support group’s primary role is to respond to
specific questions on product feature/function, installation, and configuration, as well as to author
content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively
with the other functional areas within Symantec to answer your questions in a timely fashion. For
example, the Technical Support group works with Product Engineering as well as Symantec Security
Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
â– A range of support options that give you the flexibility to select the right amount of service for any
size organization
â– Telephone and Web support components that provide rapid response and up-to-the-minute
information
â– Upgrade insurance that delivers automatic software upgrade protection
â– Content Updates for virus definitions and security signatures that ensure the highest level of
protection
â– Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days
a week worldwide in a variety of languages for those customers enrolled in the Platinum Support
program
â– Advanced features, such as the Symantec Alerting Service and Technical Account Manager role,
offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available
may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
This product requires a license file. The fastest and easiest way to register your service is to access the
Symantec licensing and registration site at https://licensing.symantec.com.
Contacting Technical Support
Customers with a current maintenance agreement may contact the Technical Support group by phone
or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical Support by the
Platinum Web site at https://www-secure.symantec.com/platinum. When contacting the Technical
Support group, please have the following:
â– Product release level
â– Hardware information
â– Available memory, disk space, NIC information
â– Operating system
â– Version and patch level
â– Network topology
â– Router, gateway, and IP address information
â– Problem description
â– Error messages/log files
â– Troubleshooting performed prior to contacting Symantec
â– Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the
appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is
available to assist with the following types of issues:
â– Questions regarding product licensing or serialization
â– Product registration updates such as address or name changes
â– General product information (features, language availability, local dealers)
â– Latest information on product updates and upgrades
â– Information on upgrade insurance and maintenance contracts
â– Information on Symantec Value License Program
■Advice on Symantec’s technical support options
â– Nontechnical presales questions
â– Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Introducing the security gateway
About Symantec Gateway Security 5000 Series v3.0 ...........................................................................................15
Key components of the security gateway ..............................................................................................................15
Firewall technology ...........................................................................................................................................16
Virtual Private Network (VPN) server technology .......................................................................................16
Antispam scanning ............................................................................................................................................17
Antivirus scanning ............................................................................................................................................18
Intrusion detection and prevention ................................................................................................................18
Content filtering ................................................................................................................................................19
High availability/load balancing .....................................................................................................................19
LiveUpdate support ...........................................................................................................................................19
Security Gateway Management Interface ......................................................................................................20
Network security best practices ..............................................................................................................................20
Chapter 2 Becoming familiar with the SGMI
About the SGMI ..........................................................................................................................................................21
Logging on to the SGMI ............................................................................................................................................21
Logging on to the SGMI for the first time ......................................................................................................22
Integrating the SGMI to the desktop ..............................................................................................................24
Logging on to the SGMI from the desktop .....................................................................................................25
Logging on to the SGMI from a browser ........................................................................................................26
Avoiding hostname mismatches .....................................................................................................................27
Using the SGMI home page ......................................................................................................................................29
Viewing Quick Status ........................................................................................................................................29
Accessing commonly used configuration wizards .......................................................................................30
Viewing DeepSight’s ThreatCon status ..........................................................................................................31
Leaving the SGMI .......................................................................................................................................................31
Navigating in the SGMI ............................................................................................................................................33
Using the SGMI menus .....................................................................................................................................35
Using the SGMI toolbar ....................................................................................................................................37
Navigating from the left pane ..........................................................................................................................38
Navigating the right pane .................................................................................................................................43
Using online Help ......................................................................................................................................................45
Displaying Help ..................................................................................................................................................45
Searching Help ...................................................................................................................................................46
Printing Help ......................................................................................................................................................47
Working with configurations of objects .................................................................................................................47
Changing the display of objects in a table .....................................................................................................48
Viewing and modifying object properties ......................................................................................................50
Adding configuration objects ...........................................................................................................................52
Configuring objects that reference other objects .........................................................................................55
Saving and activating configuration changes ...............................................................................................59
Deleting configuration objects ........................................................................................................................61
Using the lower pane when you change configurations ..............................................................................62
Viewing system information ....................................................................................................................................63
Using wizards to simplify configuration ...............................................................................................................64
6 Contents
Chapter 3 Managing administrative access
Providing access to the security gateway ..............................................................................................................67
Creating administrator accounts ............................................................................................................................67
Creating machine accounts for security gateway access from remote computers .........................................69
Changing passwords .................................................................................................................................................70
Changing administrator passwords ................................................................................................................71
Changing the root password ............................................................................................................................73
Changing a machine account password .........................................................................................................74
Enabling SSH for command-line access to the appliance ...................................................................................74
Chapter 4 Maintaining your security gateway
Performing maintenance tasks ...............................................................................................................................77
Installing and uninstalling hotfixes .......................................................................................................................77
Configuring and running LiveUpdate ....................................................................................................................79
Defining a LiveUpdate server ..........................................................................................................................79
LiveUpdating components ...............................................................................................................................81
Starting and stopping the security gateway .........................................................................................................84
Rebooting the security gateway appliance ............................................................................................................85
Shutting down the security gateway appliance ....................................................................................................86
Understanding and using licenses ..........................................................................................................................86
Viewing the license status of security gateway components .....................................................................87
Viewing license usage .......................................................................................................................................88
Viewing installed licenses ................................................................................................................................88
Obtaining licenses .............................................................................................................................................89
Installing licenses ..............................................................................................................................................94
Removing all license files .................................................................................................................................95
Enabling and disabling security gateway features .......................................................................................96
Backing up and restoring configurations ..............................................................................................................98
Backing up configuration files from the SGMI .............................................................................................98
Restoring security gateway configuration files from the SGMI .................................................................99
Using command-line utilities to perform a local or remote backup ........................................................101
Making system changes with the System Setup Wizard ...................................................................................104
Adding a network interface ............................................................................................................................104
Modifying a network interface ......................................................................................................................108
Modifying system information ......................................................................................................................109
Configuring network interface properties ...................................................................................................112
Maintaining traffic flow .........................................................................................................................................113
Chapter 5 Establishing your network
Understanding security gateway networking components ..............................................................................115
Deployment scenarios .............................................................................................................................................115
Basic deployment .............................................................................................................................................116
Fault tolerant deployment .............................................................................................................................117
Advanced deployment ....................................................................................................................................118
Enclave deployment ........................................................................................................................................119
Advanced enclave deployment ......................................................................................................................120
Defining security gateway routing .......................................................................................................................125
Understanding static routing ........................................................................................................................125
Understanding dynamic routing ...................................................................................................................126
How the security gateway routes traffic ......................................................................................................127
Configuring static routes ................................................................................................................................128
Configuring dynamic routing ........................................................................................................................129
7Contents
Allowing DHCP traffic .............................................................................................................................................131
How the security gateway handles DHCP traffic ........................................................................................131
Configuring the security gateway to allow DHCP traffic ..........................................................................132
Allowing multicast traffic ......................................................................................................................................135
How the security gateway handles multicast traffic ..................................................................................136
Configuring the security gateway to allow multicast traffic ....................................................................136
About the security gateway’s implementation of DNS ......................................................................................138
Configuring a caching name server with no internal name server .........................................................138
Configuring a caching name server with an internal name server ..........................................................140
Configuring an authoritative name server for a domain ..........................................................................140
Configuring an authoritative name server with delegation .....................................................................142
Configuring enclave DNS ...............................................................................................................................143
Understanding the security gateway’s DNS resource records .................................................................143
Configuring resource records for the security gateway ............................................................................145
DNS alternatives ..............................................................................................................................................153
Enabling reverse lookups ...............................................................................................................................157
Solving DNS problems ....................................................................................................................................157
Chapter 6 Defining your security environment
Identifying the objects used to pass traffic .........................................................................................................159
Defining traffic endpoints with network entities ...............................................................................................160
Configuring a single computer with a host network entity ......................................................................160
Defining a network or subnet with a subnet entity ....................................................................................162
Defining a registered domain with a domain name network entity ........................................................163
Creating security gateway network entities for use in tunnels ................................................................164
Creating a network entity group for rules that apply to multiple entities .............................................166
Defining an entity and security gateway pair with a VPN security entity .............................................167
Understanding how protocols affect traffic ........................................................................................................168
Using protocols that are paired with proxies ..............................................................................................168
Using protocols that are not paired with proxies .......................................................................................169
Viewing reserved ports ...................................................................................................................................173
Configuring custom protocols to handle data from special applications ...............................................178
About service groups ...............................................................................................................................................183
Creating service groups ..................................................................................................................................183
Using service groups to customize protocols for rules ..............................................................................185
Understanding proxies ...........................................................................................................................................187
Configuring a GSP for protocols without proxies .......................................................................................188
Configuring the Oracle Net9 Connection Manager proxy .........................................................................189
Controlling full application inspection of traffic ...............................................................................................192
Defining file control and access ....................................................................................................................192
Sending and receiving files ............................................................................................................................198
Controlling Internet-based data communications .....................................................................................203
Controlling Web traffic ...................................................................................................................................208
Controlling news feeds ....................................................................................................................................216
Synchronizing security gateway time ..........................................................................................................222
Supporting UNIX services ..............................................................................................................................223
Handling streaming audio and video ............................................................................................................225
Managing electronic mail ...............................................................................................................................227
Enabling remote logon ....................................................................................................................................236
Allowing ICMP traffic ......................................................................................................................................238
8 Contents
Chapter 7 Limiting user access
Understanding authentication ..............................................................................................................................243
Configuring users for internal authentication ...................................................................................................243
Creating a user account on the internal server ...........................................................................................244
Creating an IKE-enabled user ........................................................................................................................245
Ensuring that the internal server is enabled ...............................................................................................247
Configuring user groups for internal and external authentication .................................................................247
Configuring user groups to authenticate with the internal authentication server ..............................248
Creating an IKE user group ............................................................................................................................250
Importing users and user groups ..................................................................................................................251
Authenticating with an external authentication server ...................................................................................253
Creating authentication server records .......................................................................................................253
Configuring an authentication scheme ........................................................................................................260
Adding an authentication scheme to a rule .................................................................................................261
Authenticating users on external servers ...................................................................................................262
Authenticating using Out-Of-Band Authentication (OOBA) .............................................................................264
Configuring the OOBA service .......................................................................................................................265
Adding OOBA authentication to a rule .........................................................................................................266
Chapter 8 Controlling traffic at the security gateway
How the security gateway controls traffic ..........................................................................................................269
Creating rules and filters to control traffic through the firewall ....................................................................270
Understanding and using rules .............................................................................................................................271
How rules are applied ......................................................................................................................................271
Planning to create rules ..................................................................................................................................272
Configuring rules .............................................................................................................................................272
Rule examples ..................................................................................................................................................280
Configuring HTTP, FTP, and mail (SMTP and POP3) rules with the Firewall Rule Wizard .................284
Using protocols and proxies for specific rules ............................................................................................286
Controlling traffic by date and time .....................................................................................................................287
Configuring a time period range ...................................................................................................................287
Configuring a time period group ...................................................................................................................288
Using packet filters to allow or deny traffic ........................................................................................................289
When to use packet filters ..............................................................................................................................289
Creating a packet filter ...................................................................................................................................290
Understanding packet filter groups .............................................................................................................291
Applying filters and filter groups .................................................................................................................292
Blocking inappropriate content with content filtering .....................................................................................295
Content filtering processing order ...............................................................................................................296
Filtering content by allowing or denying access to defined settings ......................................................296
Filtering by subject matter .............................................................................................................................306
Understanding content filtering and newsgroups .....................................................................................314
Adding content filtering protection to a rule ..............................................................................................316
Chapter 9 Preventing attacks
About preventing attacks .......................................................................................................................................319
Blocking suspicious or malicious traffic with IDS ..............................................................................................319
About intrusion detection and prevention ..................................................................................................320
About IDS/IPS policies ....................................................................................................................................320
Creating IDS/IPS policies ...............................................................................................................................321
Applying IDS/IPS policies ..............................................................................................................................322
Managing intrusion events ............................................................................................................................326
Managing portmap settings ...........................................................................................................................331
9Contents
Protecting your network resources from virus infections ................................................................................333
About antivirus scanning ...............................................................................................................................333
Preventing denial of service attacks .............................................................................................................335
Blocking files that cannot be scanned ..........................................................................................................336
Optimizing scanning resources .....................................................................................................................337
Avoiding potential session time-out errors .................................................................................................340
Blocking mail attachments that are known threats ...................................................................................342
Responding to virus detections .....................................................................................................................344
Adding antivirus protection to a rule ...........................................................................................................347
Troubleshooting antivirus protection ..........................................................................................................349
Increasing productivity by identifying spam email ...........................................................................................349
About the antispam scanning process ..........................................................................................................350
Identifying spam email ...................................................................................................................................351
Reducing false positives .................................................................................................................................356
Adding antispam protection to a rule ...........................................................................................................358
Making your network more secure by hiding addresses ...................................................................................359
Controlling IP addresses with address transforms ....................................................................................359
Mapping addresses with NAT pools ..............................................................................................................361
Redirecting connections to unpublished addresses with service redirections ......................................364
Creating virtual clients by using NAT pools and address transforms ....................................................366
Enabling protection for logical network interfaces ...........................................................................................368
Enabling port scan detection .........................................................................................................................368
Enabling SYN flood protection ......................................................................................................................369
Enabling spoof protection ..............................................................................................................................370
Chapter 10 Providing remote access using VPN tunnels
About VPN tunnels ..................................................................................................................................................373
Understanding gateway-to-gateway tunnels ..............................................................................................374
Understanding Client VPN tunnels ..............................................................................................................374
Tunnel endpoints .............................................................................................................................................375
Tunnel indexes .................................................................................................................................................376
Tunnel communication ...................................................................................................................................376
Tunnel security ................................................................................................................................................377
Types of tunnels ...............................................................................................................................................377
Understanding VPN policies ..................................................................................................................................378
Understanding tunnel negotiation ...............................................................................................................379
Using pre-configured VPN policies ...............................................................................................................379
Creating custom VPN policies ........................................................................................................................380
Creating a VPN policy for IPsec with static key ..........................................................................................382
Viewing or modifying the global IKE policy ................................................................................................384
Configuring tunnels ................................................................................................................................................385
Running the Gateway-to-Gateway Tunnel Wizard ....................................................................................385
Using the Remote Access Tunnel Wizard to create Client VPN tunnels ................................................389
Creating tunnels manually .............................................................................................................................392
Ensuring compliance of remote Client VPN computers ....................................................................................397
Applying client compliance to user groups .................................................................................................398
Simplifying multiple Client VPN computer configuration ...............................................................................399
Delivering Client VPN packages to users .....................................................................................................400
How the Client VPN package is processed on the Symantec Client VPN ................................................400
Importing Client VPN information .......................................................................................................................401
Creating the pkimpvpn file ............................................................................................................................401
Authenticating tunnels using Entrust certificates .............................................................................................402
Multicast traffic through gateway-to-gateway IPsec tunnels ..........................................................................403
How multicast traffic passes through a gateway-to-gateway IPsec tunnel ...........................................404
Configuring multicast support for a gateway-to-gateway IPsec tunnel .................................................406
10 Contents
Chapter 11 Enabling remote access with clientless VPN
About clientless VPN ...............................................................................................................................................409
Clientless VPN concepts .................................................................................................................................410
How clientless VPN controls authentication and remote access .............................................................410
Managing clientless VPN users .............................................................................................................................411
Controlling remote access ......................................................................................................................................412
Defining VPN profiles to allow communication between the security gateway and clientless users ........413
Using rules to allow or deny clientless VPN access ...........................................................................................415
Rule components .............................................................................................................................................415
About simple rules ...........................................................................................................................................415
About advanced rules ......................................................................................................................................419
Using rule sets to group clientless VPN access rules .........................................................................................423
Creating and populating rule sets .................................................................................................................423
Using roles to assign rules to users ......................................................................................................................424
Role structure and inheritance ......................................................................................................................425
Role attributes ..................................................................................................................................................426
Creating and assigning roles ..........................................................................................................................426
Assigning a rule or rule set to a role .............................................................................................................430
Configuring clientless VPN logon policy .....................................................................................................430
Using portal pages to customize the user experience .......................................................................................432
Creating a user portal page ............................................................................................................................433
Creating resource QuickLinks ........................................................................................................................434
Grouping resources .........................................................................................................................................435
Adding resource links to portal pages ..........................................................................................................436
Adding a corporate name and logo ...............................................................................................................437
Adding news items to a portal page ..............................................................................................................437
Removing news items from a portal page ....................................................................................................438
Assign the portal page to a role .....................................................................................................................438
Enabling single sign-on for remote users ............................................................................................................439
Collecting resource logon information ........................................................................................................439
Creating a single sign-on rule ........................................................................................................................439
Deleting user sign-on data .............................................................................................................................440
Using reverse proxy translation ...........................................................................................................................441
Using the Remote Access Tunnel Wizard to set up clientless VPN connections ..........................................442
Clientless VPN connection types ...................................................................................................................442
Advanced mail actions ............................................................................................................................................446
Ensuring client compliance for clientless VPN users ........................................................................................449
Applying client compliance to clientless VPN roles ...................................................................................450
Specifying the SSL cipher suite for data encryption .........................................................................................451
Configuring access to common applications .......................................................................................................452
Identifying resources with URLs ...........................................................................................................................454
Resource URL syntax ......................................................................................................................................455
Chapter 12 Monitoring the security gateway
About monitoring ....................................................................................................................................................461
Viewing system health ............................................................................................................................................462
Monitoring network throughput ...................................................................................................................462
Monitoring system usage and connections .................................................................................................463
Monitoring disk usage .....................................................................................................................................463
Monitoring appliance temperature and fan status ....................................................................................464
Changing the health check poll interval ......................................................................................................465
Viewing quick status .......................................................................................................................................465
11Contents
Monitoring connections .........................................................................................................................................466
Viewing the connection summary ................................................................................................................466
Viewing active connections ............................................................................................................................467
Viewing antivirus server status .....................................................................................................................468
Testing the hardware accelerator chip with hardware encryption diagnostics ....................................469
Viewing clientless VPN failed logon attempts ............................................................................................469
Unlocking user accounts ................................................................................................................................469
Monitoring log files .................................................................................................................................................470
Configuring the logging service ....................................................................................................................470
Using the Event Logs toolbars .......................................................................................................................472
Viewing, copying, and printing current log files ........................................................................................473
Viewing cluster log files ..................................................................................................................................474
Opening, deleting, and backing up archived log files ................................................................................475
Adding or removing Event Log table columns ............................................................................................475
Starting a new log file .....................................................................................................................................476
Displaying selected log messages ..................................................................................................................476
Managing log files remotely ...........................................................................................................................480
Monitoring IDS/IPS alerts ......................................................................................................................................482
Displaying selected IDS/IPS alerts ................................................................................................................484
Alerting using notifications ...................................................................................................................................486
Configuring IDS/IPS blacklist notifications ................................................................................................486
Configuring a client program notification ...................................................................................................488
Configuring an email notification .................................................................................................................489
Configuring a pager notification ...................................................................................................................490
Configuring SNMPv1 and SNMPv2 notifications .......................................................................................491
Integrating Symantec DeepSight Threat Management System .......................................................................494
Reducing the volume of log messages ..................................................................................................................495
Modifying firewall rules to reduce log messages ........................................................................................495
Including host names in log entries ..............................................................................................................495
Configuring reverse lookup timeout value ..................................................................................................496
Chapter 13 Generating reports
About reports ...........................................................................................................................................................497
Analysis reports .......................................................................................................................................................497
Generating and viewing an analysis report .................................................................................................498
Printing and saving analysis reports ............................................................................................................498
Analysis report descriptions ..........................................................................................................................499
Configuration reports .............................................................................................................................................501
Generating and viewing a configuration report .........................................................................................502
Printing and saving a configuration report .................................................................................................502
Configuration report descriptions ................................................................................................................503
Viewing validation reports .....................................................................................................................................506
Upgrade reports .......................................................................................................................................................506
Retrieving upgrade reports using FTP or SSH ............................................................................................507
Chapter 14 High availability and load balancing using clusters
About clustering ......................................................................................................................................................509
How clusters work ...................................................................................................................................................509
Cluster prerequisites .......................................................................................................................................511
Creating a new cluster with the Cluster Wizard .................................................................................................512
12 Contents
Changing cluster settings .......................................................................................................................................514
Changing global cluster configurations .......................................................................................................515
Changing virtual IP addresses for clusters ..................................................................................................515
Monitoring cluster processes .........................................................................................................................516
Configuring ping groups for clusters ...........................................................................................................517
Configuring NIC monitoring on a cluster ....................................................................................................517
Changing traffic groupings for clusters .......................................................................................................518
Managing clusters ...................................................................................................................................................519
Changing the cluster account password ......................................................................................................519
Adding or removing a cluster member .........................................................................................................520
Dissolving a cluster .........................................................................................................................................521
Rebooting a cluster ..........................................................................................................................................523
Using stateful failover to maintain cluster connections ...........................................................................524
Updating interfaces in a cluster configuration ...................................................................................................524
Adding a network interface to a cluster member .......................................................................................525
Removing a network interface from a cluster member .............................................................................526
Changing a network interface .......................................................................................................................527
Monitoring cluster status .......................................................................................................................................528
Viewing the cluster status in the SGMI ........................................................................................................528
Viewing cluster status using the bfstat utility ............................................................................................529
Cluster interactions with other security gateway features ..............................................................................530
Modifying redirected services for clustering ..............................................................................................530
Modifying the RIP daemon for use with clusters .......................................................................................533
Using hot standby mode .................................................................................................................................533
Configuring gateway-to-gateway VPN tunnels that use NAT ..................................................................534
Backing up and restoring cluster configurations ...............................................................................................534
Restoring a cluster configuration .................................................................................................................535
Troubleshooting cluster configuration problems ..............................................................................................539
Errors on the cluster member that propagates the configuration ..........................................................540
Errors when adding a cluster member .........................................................................................................540
Appendix A Advanced system settings
Configuring advanced options ...............................................................................................................................545
Appendix B SSL server certificate management
About SSL certificates .............................................................................................................................................553
Installing a certificate authority ...........................................................................................................................553
Creating a new certificate ......................................................................................................................................554
Generating a request file ........................................................................................................................................555
Installing a signed certificate ................................................................................................................................555
Appendix C Troubleshooting and problem solving
About troubleshooting ............................................................................................................................................557
Accessing Symantec Gateway Security 5000 Series troubleshooting information ..............................557
Important reminders ..............................................................................................................................................558
Isolating a problem ..................................................................................................................................................558
Using an IP address .........................................................................................................................................558
Using the security gateway ............................................................................................................................559
Troubleshooting utilities ........................................................................................................................................560
Setting up the flatten utility ..........................................................................................................................560
Using the FTP client ........................................................................................................................................561
About listlicense ..............................................................................................................................................561
Using tcpdump .................................................................................................................................................562
Troubleshooting problems with the SGMI display ............................................................................................562
13Contents
Appendix D Field descriptions
Monitors field descriptions ....................................................................................................................................563
Status .................................................................................................................................................................564
Logs ....................................................................................................................................................................570
Open Archived Log File dialog box ................................................................................................................574
IDS/IPS Alerts tab ............................................................................................................................................574
Notifications .....................................................................................................................................................579
Policy field descriptions .........................................................................................................................................589
Firewall ..............................................................................................................................................................589
Packet Filters ....................................................................................................................................................600
Time Periods .....................................................................................................................................................602
VPN Tunnels .....................................................................................................................................................605
VPN Policies ......................................................................................................................................................609
IPsec static key policy Properties—Data Privacy Preference tab .............................................................616
Clientless VPN ..................................................................................................................................................617
Antivirus ...........................................................................................................................................................630
Antispam ...........................................................................................................................................................637
IDS/IPS—Policies tab .......................................................................................................................................641
IDS/IPS—Configuration tab ............................................................................................................................642
IDS/IPS—Portmap tab .....................................................................................................................................644
Content Filtering—Advanced Restrictions tab ............................................................................................646
Content Filtering Profile Properties—General tab ......................................................................................649
URL Ratings tab ...............................................................................................................................................650
Newsgroups tab ................................................................................................................................................651
Newsgroup Profiles .........................................................................................................................................652
Client Compliance ............................................................................................................................................653
Policy Parameters ............................................................................................................................................654
Assets field descriptions .........................................................................................................................................655
Network Entities ..............................................................................................................................................655
Network Interfaces ..........................................................................................................................................663
Address Transforms ........................................................................................................................................668
NAT pools ..........................................................................................................................................................670
Redirected Services .........................................................................................................................................672
DNS ....................................................................................................................................................................673
Routes ................................................................................................................................................................685
Authentication Servers ...................................................................................................................................685
Schemes .............................................................................................................................................................693
Network Users ..................................................................................................................................................694
User Groups ......................................................................................................................................................696
Proxies ...............................................................................................................................................................699
H.323 Aliases ....................................................................................................................................................720
Protocols ...........................................................................................................................................................721
Service Groups .................................................................................................................................................726
Parameters for protocols within service groups .........................................................................................728
Portal Pages ......................................................................................................................................................737
Secure Desktop Mail Access ...........................................................................................................................741
Secure Web Mail Access .................................................................................................................................741
Asset Parameters .............................................................................................................................................742
System field descriptions .......................................................................................................................................743
SESA Event Gating ..........................................................................................................................................751
LiveUpdate ........................................................................................................................................................754
SSL Server Certificates ...................................................................................................................................757
Administration .................................................................................................................................................758
SYN Flood Allowed Hosts ...............................................................................................................................766
Licensing ...........................................................................................................................................................767
14 Contents
Cluster field descriptions .......................................................................................................................................767
Cluster Status ...................................................................................................................................................768
Cluster Members window ...............................................................................................................................768
VIPs window .....................................................................................................................................................769
Watchlist window ............................................................................................................................................770
Ping Groups window .......................................................................................................................................770
NIC Monitoring window ..................................................................................................................................771
Traffic Grouping window ...............................................................................................................................772
Menu option field descriptions ..............................................................................................................................773
Analysis reports ..............................................................................................................................................775
Configuration reports .....................................................................................................................................775
Client VPN Package Wizard ...........................................................................................................................776
Remote Access Tunnel Wizard for Client VPN ...........................................................................................777
Remote Access Tunnel Wizard for Clientless VPN ....................................................................................782
Gateway-to-Gateway Tunnel Wizard ...........................................................................................................786
Global IKE policy ..............................................................................................................................................792
System Setup Wizard ......................................................................................................................................795
Cluster Wizard .................................................................................................................................................801
Activate Changes Wizard ...............................................................................................................................807
Restore Wizard .................................................................................................................................................808
Firewall Rule Wizard .......................................................................................................................................812
License Installation Wizard ...........................................................................................................................816
SecurID Server Connection Wizard ..............................................................................................................819
Active Directory Server Connection Wizard ...............................................................................................819
Index
Chapter
1
Introducing the security gateway
This chapter includes the following topics:
â– About Symantec Gateway Security 5000 Series v3.0
â– Key components of the security gateway
â– Network security best practices
About Symantec Gateway Security 5000 Series v3.0
Symantec Gateway Security 5000 Series v3.0 is an integrated hardware and software appliance that
provides many security technologies in one rack-mountable, plug-and-protect appliance that acts as a
security gateway to your enterprise.
The security gateway includes firewall, antivirus, antispam, intrusion detection and prevention, and
content filtering components. The standards-based VPN components provide secure remote access to
both client VPN and clientless VPN users who are telecommuters, satellite office employees, and
authorized contractors. To protect your resources from catastrophic failures and to share traffic loads
among multiple security gateways, Symantec includes an optional high availability/load balancing
(HA/LB) component.
These features provide access control and security enforcement on traffic passing through the security
gateway. They control information entering and leaving networks by using full-inspection scanning
techniques to ensure that data is validated up through the application layer.
Through the Security Gateway Management Interface (SGMI), you can remotely and securely control
and monitor individual or clustered security gateways and create configurable policies for users and
user groups. In addition to its simplified policy management, the Symantec Gateway Security 5600
Series appliance makes installation and configuration quick and easy, with pre-configured and
hardened operating system software and an array of setup wizards.
Key components of the security gateway
Key components of the security gateway include:
â– Firewall technology
â– Virtual Private Network (VPN) server technology
â– Antispam scanning
â– Antivirus scanning
â– Intrusion detection and prevention
â– Content filtering
16 Introducing the security gateway
Key components of the security gateway
â– High availability/load balancing
â– LiveUpdate support
â– Network security best practices
Firewall technology
The security gateway’s firewall component uses a unique architecture to provide strong, transparent
firewall protection against unwanted intrusion without slowing the flow of approved traffic on
enterprise networks. Some key firewall features include:
Virtual Private Network (VPN) server technology
Symantec Gateway Security 5000 Series v3.0 includes VPN technology that lets organizations securely
extend their network perimeters beyond the enterprise.
The security gateway uses VPN tunnels to send encrypted and encapsulated IP packets over public
networks securely to another VPN server. VPN tunnels can be created for connections from IPsec-
compliant clients or clientless VPN access.
Note: The base license that is included with your appliance includes support for one concurrent VPN
user connection and unlimited gateway-to-gateway VPN connections.
Standard application
proxies
The standard proxies that are built into the security gateway work in conjunction with the
firewall driver to handle common services, such as Telnet, HTTP, FTP, and RealAudio.
Standard proxies offer the highest level of protocol checking and logging, as well as ease of
use.
The security gateway uses proxies with both standard and custom protocols:
â– Standard protocols
The most commonly used protocols, such as FTP, HTTP, NNTP, POP3, and SMTP, are
predefined on the security gateway. Over 150 protocols are included.
Unless specifically stated otherwise, when this manual describes how traffic is
passed, it uses standard proxies.
â– Custom protocols
You can add custom protocols for generic services provided by the hosts residing on
either side of the security gateway.
These protocols can represent services that are not supported by the standard proxies
that are provided with the security gateway. A configurable Generic Service Proxy
(GSP) is used with custom protocols.
Security gateway rules You enforce your corporate security policies by creating rules to control traffic through the
security gateway. Rules can include alert thresholds, and content security protection such
as antispam and antivirus configuration. Rules also let you authenticate users through the
use of authentication servers.
Address transforms
and service redirection
You can hide internal addresses by using address transforms and service redirection. You
can assign Network Address Translation (NAT) pool addresses to designate replacement
addresses for client IP addresses that are used in tunneled or non-tunneled connections.
With redirected services, you can redirect connections to non-published destinations.
Firewall log and IDS/
IPS alert viewing
The security gateway’s log and IDS/IPS alert viewing capabilities let you identify threats.
The information from log messages and alerts can help you reconfigure the security
gateway to stop attacks.
Configuration reports You can generate and print reports for every configurable feature of the security gateway.
17Introducing the security gateway
Key components of the security gateway
VPN features include:
Antispam scanning
Spam is unsolicited bulk email, most often advertising messages for a product or service. Spam email
wastes user productivity and consumes network and mail server resources. The security gateway
provides scanning processes that let you optimize spam detection and reduce false positives. You can
also configure how to respond to spam email.
When antispam protection is enabled in a rule, the security gateway scans emails that are handled by
the SMTP and POP3 proxies.
The security gateway lets you configure the following options to optimize spam detection:
To minimize false positives, you can define a list of sender domains that are not evaluated by the real-
time blacklists. You can also specify email addresses and domains that are allowed to bypass scanning
processes.
VPN policies Symantec Gateway Security 5000 Series v3.0 ships with pre-configured VPN policies that
you can apply to your secure IPsec tunnels.
For example, you can apply pre-configured IPsec/IKE policies and IPsec/Static policies to
the IPsec/IKE or IPsec/Static secure tunnel that you create.
Symantec Client VPN
tunnel configurations
Client VPN tunnels let remote users running the Symantec Client VPN software (or any
IPsec compliant VPN client software) safely connect over the Internet to a network secured
by a Symantec security gateway.
A Client configuration is created when a workstation, running Symantec Client VPN
software, connects to the security gateway from either inside the protected network or
from a remote location through the Internet.
Gateway-to-gateway
VPN tunnel
configurations
A gateway-to-gateway configuration is created when two security gateways are connected,
across an internal network, or the Internet, through a VPN tunnel.
Gateway-to-gateway tunnels help secure your internal network by providing a secure
bridge to an external LAN.
Clientless VPN Clientless VPN technology is integrated into the security gateway. It provides portal-based
access for Web-enabled and non-Web based applications, connecting large numbers of
remote users to your corporate network.
Clientless VPN lets users at any dial-up, broadband, or wireless access point gain
authenticated and controlled remote access to email, shared network files and resources,
corporate applications, corporate intranets, and corporate Web-based applications from
any location.
Client compliance The security gateway enforces security parameters set by the administrator prior to
establishing a VPN tunnel. This includes determining if the client is running the expected
corporate profile for required security products.
Real-Time blacklist servers Blocks mail that comes from mail servers known or believed to send spam.
Heuristic sensitivity Sets the sensitivity level of the heuristic antispam scanner.
Email senders identified as spam Identifies spam based on addresses or domains that you specify.
Subject patterns identified as spam Identifies spam based on subject line content that you specify.
Identify messages with no subject line
as spam
Identifies spam based on subject lines that do not contain content.
18 Introducing the security gateway
Key components of the security gateway
Antivirus scanning
The security gateway lets you configure antivirus scanning and filtering policies for any traffic that
uses the FTP, HTTP, POP3, and SMTP protocols. Some scanning and filtering policy features differ
depending on the protocol that you are using.
Configurable options include the following:
Intrusion detection and prevention
Symantec Gateway Security 5000 Series v3.0 provides an intrusion detection and prevention
component that protects internal network resources from attack by pinpointing malicious activities,
identifying intrusions, and responding rapidly to attacks.
Traditionally, network intrusion detection systems (NIDS) consist of one or more sensors deployed
across an enterprise and a console to aggregate and analyze the collected data. The majority of
commercial IDS products are based on a system that examines network traffic for special patterns of
attack. This method of detection is called signature-based detection. Some NIDS systems miss attacks
because they cannot keep pace with the high traffic volumes, or generate unmanageable numbers of
alerts due to false positives.
Symantec’s intrusion detection and prevention component provides a common, highly coordinated
approach to detect attacks at very high speeds within the network environment. Using an array of
detection methodologies to enhance attack identification, the intrusion detection and prevention
component monitors network traffic and collects evidence of malicious activity with a combination of
traffic rate monitoring, protocol state tracking, and IP packet reassembly.
Protect your
environment from
threats
The security gateway offers settings to help prevent denial of service attacks, which are
caused by large container files or files that contain multiple, embedded compressed files.
You can also protect your security gateway by configuring settings to block files that
cannot be scanned.
You can use some scanning and blocking policy settings during a virus outbreak to
further protect your security gateway. Once you have information on the characteristics
of a new virus, you can use this information to block the infected attachment or email
immediately, before virus definitions for the new virus are posted. For maximum
coverage, you can scan all file types rather than limiting the file types that are scanned
for viruses.
Optimize scanning
performance
You can configure settings to restrict the resources that handle certain types of files and
specify the file types to be scanned.
Provide user
comforting
The security gateway lets you enable data trickle user comforting for the POP3, HTTP,
and FTP protocols. The data comforting feature trickles small amounts of the file to the
user while the file is being scanned. This prevents the user from receiving a session time-
out error when downloading a large file. Using data comforting can compromise virus
integrity. Serious consideration should be given to a number of factors before you use the
data comforting feature.
Respond to threats You can configure the security gateway to respond to virus detections in the following
ways:
â– Add an x-virus header to an email message and deliver the email and attachment to
the recipient.
â– Repair the infection or delete the infected file if it is unable to be repaired.
â– Automatically delete the infected file.
You can configure these settings separately for each protocol. You can also notify users
when a virus has been detected and what actions the security gateway took with the
infected file.
19Introducing the security gateway
Key components of the security gateway
The security gateway responds to detected intrusions using signatures to detect and prevent numerous
attacks. Symantec LiveUpdate technology ensures that new signatures are downloaded to address new
threats well before they become security issues.
Content filtering
The security gateway offers a variety of tools for managing Web access for both incoming and
outgoing traffic. You can customize HTTP and NNTP access to and from designated entities within
your network using the content management tools that are available through the appliance.
You can filter content based on the following criteria:
High availability/load balancing
Symantec security gateways include configurable clustering technology that ensures high availability
(HA) for your security gateways and increases performance through load balancing (LB).
To increase availability, you can cluster Symantec’s security gateways into groups of from two to eight
security gateways. When two or more security gateways are clustered, the failure of one security
gateway causes another security gateway to automatically pick up the workload of the failed cluster
member.
Security gateways in a cluster can also share the traffic load to maintain high throughput. With load
balancing configured, the cluster spreads out connections more evenly over several security gateways
instead of always sending requests to one computer. This makes more efficient use of your network
resources.
LiveUpdate support
The Symantec Gateway Security 5000 Series v3.0 software incorporates patented LiveUpdate
technology to keep your security gateway components up-to-date.
HTTP inclusion/
exclusion lists
Configure rules for the HTTP proxy based on inclusion and exclusion lists. This includes
URL address, URL pattern matching, MIME type, and file extensions. Configuring the
security gateway to provide filtering based on these parameters conserves resources and
increases overall efficiency.
Subject matter of
Web content
To provide content enforcement based on subject matter, you can create content profiles
that specify certain types of content for which access should be denied. You can create any
number of content profiles with different levels of content filtering and apply the
appropriate content profile when you configure a rule that contains HTTP. By specifying a
content profile in a rule, you restrict access to selected Web content for those users to which
the rule applies.
To provide comprehensive filtering of Web content based on subject matter, the security
gateway uses a combination of the following:
â– Predefined content categories
These are lists of URLs that contain related subject matter. Thirty-one pre-populated
content categories, which include subject matter ranging from pornography, crime,
and violence to news and humor, are currently provided with the security gateway.
Each content category has an associated DDR dictionary.
â– Dynamic Document Review (DDR) dictionaries
Predefined DDR dictionaries contain key words and phrases, in multiple languages.
DDR dictionaries provide real-time analysis of Web content. DDR dictionaries are used
in conjunction with Content Categories to provide comprehensive subject matter
filtering.
Newsgroup profiles
and subject matter of
newsgroups
Newsgroup profiles let you can control access to newsgroups through the security gateway.
You do this by defining each newsgroup that you want to permit or deny access to, adding it
to a newsgroup profile, and then including that profile in a rule.
20 Introducing the security gateway
Network security best practices
To use the security gateway’s LiveUpdate capabilities, you must purchase subscription licenses that
entitle you to updates of the following content security services:
â– Antivirus
â– Antispam
â– Content filtering
â– Dynamic document rating
â– Intrusion detection and prevention
Security Gateway Management Interface
The Security Gateway Management Interface (SGMI) is a Web-based graphical user interface for
managing and monitoring all functions on the security gateway.
SGMI wizards help you configure the objects that represent your network environment and internal
and external resources. You combine these objects in rules, VPN tunnels, and packet filters that control
access through the security gateway.
The monitoring capabilities of the SGMI let you view the status of connections, the health of the
appliance, log messages generated by the security gateway, and IDS/IPS alerts.
The system management features of the SGMI let you create management accounts, configure and run
LiveUpdate of content security components, create SSL certificates, and manage licenses for the
security gateway features you have purchased.
Network security best practices
Symantec encourages all users and administrators to adhere to the following basic security practices:
â– Turn off or remove unnecessary operating system services.
By default, many operating systems install auxiliary services that are not critical, such as FTP,
Telnet, or Web servers. These services are avenues of attack. If they are removed, blended threats
have fewer exploitation points and you have fewer services to maintain through patch updates.
â– If there is a known exploit for one or more network services, disable or block access to those
services until they are properly patched.
â– Automatically update your antivirus definitions at the gateway, server, and client.
â– Always keep your patch levels up-to-date, especially on computers that host public services and are
accessible through the security gateway, such as HTTP, FTP, mail, and DNS services.
â– Enforce a password policy. Complex passwords make it difficult to crack password files on
compromised computers. This helps to prevent or limit damage when a computer is compromised.
â– Configure your email server to block or remove email that contains file attachments that are
commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
â– Isolate infected computers quickly to prevent further compromising your organization. Perform a
forensic analysis and restore the computers using trusted media.
â– Train employees not to open attachments unless they are expecting them. Also, do not execute
software that is downloaded from the Internet unless it has been scanned for viruses. Simply
visiting a compromised Web site can cause infection if certain browser vulnerabilities are not
patched.
You can find additional information, in-depth white papers, and resources regarding enterprise
security solutions by visiting the Symantec Enterprise Solutions Web site at
http://enterprisesecurity.symantec.com.
/
