Barracuda Networks VERSION SP4 1.3 What is a Policy Rule Set?

8 Introduction

seemingly complex procedure is rather straightforward and easy to understand. As autonomous

machine authentication is rather uncommon in the VPN context, the "limited access" and the "local

machine" firewall rule sets and policies need to be provided together with the actual VPN rule set.

1.2.2 Licensing Aspects

In order to operate an Access Control Service either as a SHV or a remediation server or both, a valid

license needs to be present. On Barracuda NG Firewall systems, the Access Control Service is

automatically licensed.

It is possible to equip all Barracuda NG Firewall branch office devices with a remediation server in

order to reduce WAN traffic and optimize response times.

1.2.3 Policy Matching Procedure

Each Access Control Service belongs to a so called trustzone. All Access Control Services within the

same trust zone share the same set of security policies. In addition, they share a signing key, so that

a mutual trust relationship can be established.

Within each trustzone there are three policy rule sets. There is a "local machine" policy rule set that is

used to determine a policy for a connecting machine. A connecting machine is an endpoint system that

does not request user authentication.

As soon as user authentication is requested by the connecting client, the "current user" policy rule set

is used for policy matching.

If the connection attempt is mediated by an intermittent VPN Service the VPN policy rule set is

adopted.

1.3 What is a Policy Rule Set?

A policy rule set is an ordered list of policy rules that is processed from the top to the bottom in

sequential order. If no identity match can be found a "no rule exception policy" is assigned. From now

The "local machine" rule set thus acts as a VPN-offline rule set that can be used to centrally control the network

access rights of the mobile user even when they are not connected to the corporate LAN.

Table 1–1

Policy

VPN Assignment

Healthy Limited Access VPN Offline

Firewall rule set Firewall rule set Firewall rule set (=local machine rule set)

Message of the day Message

Welcome picture

Network access policies

Contents

Main Page Barracuda NG Network Access Client Chapter 1 - Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 Chapter 2 - Server Config Access Control Service. . . . 17 Chapter 3 - Server Config Personal Firewall Rules . . . 41 Chapter 4 - Operating & Monitoring Barracuda NG NAC . 62 Chapter 6 - Update or Migration. . . . . . . . . . . . . . . . . . . 81 Chapter 7 - Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Chapter 8 - VPN Configuration. . . . . . . . . . . . . . . . . . . . 83 Chapter 9 - Barracuda NG Personal Firewall . . . . . . . . . 87 Chapter 10 - VPN Component Configuration. . . . . . . . . 124 Chapter 12 - Pre-Connector and Remote VPN . . . . . . . . 167 Chapter 13 - Example Configuration . . . . . . . . . . . . . . 172 Chapter 14 - 802.1X Technical Guideline . . . . . . . . . . 183 Chapter 15 - Appendix. . . . . . . . . . . . . . . . . . . . . . . . . 205 Warranty and Software License Agreement . . . . . . . . . 222 Chapter 1 Introduction 1.1 Endpoint Security and Network Access Control 1.2 Introduction to Barracuda NG Network Access Client Page 1.2.1 What can Barracuda NG Network Access Client be used for? Page 1.2.2 Licensing Aspects 1.2.3 Policy Matching Procedure 1.3 What is a Policy Rule Set? Page 10 Introduction Page 1.4 Health Matching 1.4.1 Health State "Untrusted" 1.4.2 Health State "Probation" 1.4.3 Health State "Healthy" 1.4.4 Health State "Unhealthy" 1.4.5 Health State Requirements 1.5 Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor) 1.6 The Border Patrol Page Chapter 2 Server Config Access Control Service 2.1 General 2.2 Access Control Service Settings 2.2.1 System Health Validator 18 Server Config Access Control Service 19 Barracuda NG Network Access Client - Administrators Guide 2.2.2 Remediation Service 2.2.3 Trustzone-Border 2.2.4 802.1X 2.2.5 Advanced 2.2.6 General 2.3 Access Control Objects Page Page Page 2.4 Access Control Service Trustzone Page 2.4.1 Rules 28 Server Config Access Control Service If the identity match fails, the next rule is taken into account. 29 Barracuda NG Network Access Client - Administrators Guide 30 Server Config Access Control Service 2.4.3 Identity Matching - Advanced Page 32 Server Config Access Control Service 33 Barracuda NG Network Access Client - Administrators Guide 2.4.5 Required Health State - Advanced 34 Server Config Access Control Service Page 36 Server Config Access Control Service 2.4.6 Policy Assignments 37 Barracuda NG Network Access Client - Administrators Guide 2.4.7 Settings Exception attributes. Page Page 2.4.8 Support Chart Chapter 3 Server Config Personal Firewall Rules 3.1 General 3.2 <Rule Set Name> Tab Page 3.2.1 Rules Incoming / Outgoing 3.2.2 Context Menu 3.2.3 Button Bar Page Configure the following connection details in the Advanced view of the Rule Object window: 46 Server Config Personal Firewall Rules Page 48 Server Config Personal Firewall Rules The following entities are available for rule testing: 3.2.6 Test Report 3.2.7 Options Page 3.3 Adapters Page Page 3.4 User Objects 3.5 Net Objects Page Page Page The following services are available in the Barracuda NG Personal Firewall by default: 3.7 Application Objects Page Page Chapter 4 Operating & Monitoring Barracuda NG NAC 4.1 Box Monitoring and Real-time Information 4.1.1 Available Columns 4.1.2 Filtering 4.1.3 Context Menus Page 4.1.4 Status Tab 4.1.5 Status VPN Tab 4.1.6 Access Tab 4.1.7 Quarantine Tab Chapter 5 Client Installation 5.1 Complete Installation 5.2 Custom Installation 5.3 Unattended Setup 71 Barracuda NG Network Access Client - Administrators Guide Trusted Network see description for parameter Windows File Sharing, page 120. see description for parameter Trusted Network, page 120 Allow other to access my files and printer(s) Specific properties must be inserted into one row. Table 51 Property Value (*=default) Corresponding Option in the Firewall Settings Page 5.4 Customer Setup 5.4.1 customer.inf 74 Client Installation 5.4.2 Section "1. Customer Area" / [PhionCustomerCopyFiles] Optionally, the following file-directives may be detailed: Table 53 75 Barracuda NG Network Access Client - Administrators Guide 5.4.3 Section "2. Customer Area" / [CustomerReg] Table 53 76 Client Installation This section is used for creating profiles and defining default values. Table 54 Page 5.4.5 silent.cmd Page Page Page Page Chapter 8 VPN Configuration 8.1 Overview 8.2 Facts and Figures Personal firewall capabilities Policy matching capabilities Usage Scenario 85 Barracuda NG Network Access Client - Administrators Guide Table 84 Function Barracuda NG VPN Client Barracuda NG SSL VPN and NAC Table 83 Function Comment Architecture OS requirements Chapter 9 Barracuda NG Personal Firewall 9.1 Overview 9.1.1 Integration within Windows 7 Page Page 9.4 General Firewall Settings and Tasks (Menu Bar) 9.4.1 Firewall Menu This tab allows you to configure blocking of ICMP packets. 9.4.2 View Menu 9.4.3 Security Mode Menu 9.5 Load Display 9.6 NG Control Center - Monitoring Firewall Activities 9.6.1 Summary 9.6.2 Events 9.6.3 History Select and then right-click a list entry to display the following context menu: 9.6.5 History Selection Tab In the History Selection tab, the following checkboxes are available for fast and easy filtering. Only displays connections that have been granted (marked with ). Only displays connection attempts that have been blocked (marked with ). Page Page 101 Barracuda NG Network Access Client - Administrators Guide 9.6.8 Listing and Context Menu The listing is divided into the following columns: Table 94 Column Description Table 95 Item Description Page 9.7 Current State - Setting the Security Mode 9.8 Configuration 9.8.1 General 9.8.2 Rules 9.8.3 Context Menu Page Configure the following connection details in the Rules view of the Rule Object window: Source / Destination / Service or Adapter / Source / Service or Adapter / Destination / Service Configure the following connection details in the Advanced view of the Rule Object window: 9.8.6 Adapters Page 9.8.7 Networks Page 9.8.8 Services Page 9.8.9 Applications Page Page 9.8.10 Users 9.8.11 Rule Tester The Rule Tester view allows testing rule sets for consistency. The following entities are available for rule testing: 9.8.12 Test Reports 120 Barracuda NG Personal Firewall Select a report and click Delete to delete the report from the Test Report window. 9.9 Administration - Firewall Settings Wizard The following options are available for customisation: 9.9.1 Automatic Adapter Configuration 9.9.2 Automatic Rule Configuration Page Page Page Page 10.2 Configure a New Profile Manually Page Page 10.2.1 Functional Elements of the Barracuda NG Network Access Clients System Tray Icon 10.2.2 The Barracuda NG VPN Clients Menu Bar 10.3 Connection Dialog Page 10.4 Status Dialog Page 10.5 Message Dialog 10.6 Barracuda Networks Control / Preferences Dialog 10.6.1 VPN Profiles Configuration Window 10.6.2 Certification Authorities Configuration Window 10.6.3 Advanced Page 10.6.4 Connection Entries Tab 10.6.5 Barracuda Authentication The following parameters are available for Barracuda Authentication: The following parameters are available for X509 authentication: 10.6.6 X509 Authentication Selecting this method requires a valid X.509 certificate (*.). 10.6.8 Advanced Settings Tab Individual profile settings related to connection details can be configured from within the Configure the following section when connecting to the VPN server over a proxy. 144 VPN Component Configuration Tunnel Settings section: 145 Barracuda NG Network Access Client - Administrators Guide Always Connect section: OS Settings section: User Interface Settings section: 10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only) 10.7 Log Window Page Chapter 11 Barracuda NG Access Monitor 11.1 Overview 11.1.1 Access Monitor 11.1.2 Port Security 11.2 Monitoring 11.2.1 Health Agent 151 Barracuda NG Network Access Client - Administrators Guide Table 111 Property Description Page Page Page Page 11.2.6 802.1X Authentication - Port Security 11.2.8 Advanced Status Information Page 159 Barracuda NG Network Access Client - Administrators Guide 11.3 Configuration 11.3.1 Health Agent Connectivity Page 11.3.6 Health Agent Authentication 11.3.9 802.1X Settings Page 11.3.14 Log Settings 11.4 Log Files Page Chapter 12 Pre-Connector and Remote VPN 12.1 General 12.2 VPN Connector 12.2.1 Creating a Connector 12.2.2 Connecting And Disconnecting using the Barracuda NG VPN Client 12.2.3 Remote Domain Logon (Pre-Logon) 12.3 Remote VPN (rvpn) 12.4 Connection Procedure Page Chapter 13 Example Configuration 13.1 Introduce Access Control Objects 13.2 Personal Firewall Rule Set 13.3 Introduce an Access Control Service Trustzone Page 13.4 Configure an Access Control Service Trustzone Page Page Page Page 13.5 Configure Forwarding Firewall Rule Set Page Chapter 14 802.1X Technical Guideline 14.1 Overview 14.2 Status Monitoring 14.2.1 EAP Packet Tracer 14.2.2 Using the Barracuda NG Access Monitor for Analysis 14.2.3 Log Files on the Client Computer 186 802.1X Technical Guideline To enable or disable verbose the below registry needs to be set: 14.2.4 Switch Web Interface These values are described in more details on: Complete URL: Command: Table 144 Item Description Page 14.2.5 Switch Console Interface 14.3 Authentication 14.3.1 Notes 14.3.2 Operational Sequence 14.3.6 Start up Page Page 14.3.7 Runtime Page Page Page Page Page 14.3.16 Shutdown 199 Barracuda NG Network Access Client - Administrators Guide 14.4 Addendum 14.4.1 Packets 14.4.2 WPA Supplicant Log File Identifiers The table shows an EAPOL packet frame: The table below shows the fields of the EAP request-response frame: 200 802.1X Technical Guideline Table 1418 201 Barracuda NG Network Access Client - Administrators Guide Table 1418 202 802.1X Technical Guideline Table 1418 14.4.3 Engineering Environment This technical guideline is based on an engineering environment using following components: 14.4.4 Known Issues using Cisco Catalyst 3750-E Switch Additionally following tools have been used for analysis: Page 205 Appendix Chapter 15 Appendix 15.1 customer.inf File Template Table 1523 Customer Install Files 206 Appendix 207 Barracuda NG Network Access Client - Administrators Guide 208 Appendix 209 Barracuda NG Network Access Client - Administrators Guide 15.2 VPN Profile Registry Keys Table 1524 VPN Profile Registry Keys 210 Appendix Table 1524 VPN Profile Registry Keys 15.3 Profile Registry Keys 15.4 FAQs Page 15.5 Configuration Parameters Page Page Page 217 Barracuda NG Network Access Client - Administrators Guide 15.6 Parameter Lists Chapter 1 Introduction Chapter 2 Server Config Access Control Service Chapter 3 Server Config Personal Firewall Rules Chapter 4 Operating & Monitoring Barracuda NG NAC Chapter 5 Client Installation Page 219 Barracuda NG Network Access Client - Administrators Guide 15.7 Figures Chapter 1 Introduction Chapter 2 Server Config Access Control Service Chapter 3 Server Config Personal Firewall Rules Chapter 4 Operating & Monitoring Barracuda NG NAC Chapter 9 Barracuda NG Personal Firewall Chapter 10 VPN Component Configuration Chapter 11 Barracuda NG Access Monitor Chapter 12 Pre-Connector and Remote VPN 221 Barracuda NG Network Access Client - Administrators Guide Chapter 13 Example Configuration Chapter 14 802.1X Technical Guideline Chapter 15 Appendix Barracuda Networks Warranty and Software License Agreement 0.1 Barracuda Networks Limited Hardware Warranty 0.2 Barracuda Networks Software License Agreement Page Page 0.3 Barracuda Networks Software License Agreement Appendix