Manuals / Brands / Computer Equipment / Network Hardware / Barracuda Networks / Computer Equipment / Network Hardware

Barracuda Networks VERSION SP4 13.4 Configure an Access Control Service Trustzone

1 268

Download 268 pages, 7.02 Mb

176 Example Configuration

13.4 Configure an Access Control Service Trustzone

The main window of a Access Control Service Trustzone is split up into a navigation bar on the left and

the three policy rule sets on the right.

To guarantee that our policy trustzone has a public/private key pair to properly authenticate clients to

all participating Access Control Services, we initially need to create a Health Passport Signing Key

(Settings > Identity > Health Passport Signing Key). The Health Passport is used for authenticating

against other Access Control Service instances (for example Remediation Service and Border Patrol).

Therefore, generation of a Heath Passport Signing key is required.

Click New Key … to create a new Health Passport Signing key. In this setup with local created

public/private keys use the previously created key and export the public part into the clipboard. This

public key is imported again as Health Passport Verification Key.

To keep our setup as simple as possible we will start with local machine policies. We recommend to

extend your setup by applying user specific or VPN policies as a next step. At the beginning even

setting up a restricted local machine rule set and configuring the gateway firewall rule set requires quite

some time.

So as a next step create at least one rule within the "Local Machine" policy rule set. The first and for

the moment the only available rule is our catch-all rule which usually should be at the end of your policy

rule set. Click New … at the bottom of the policy rule set or via the context-menu to create a policy rule.

When using more than one rule, remember that policy rule sets are processed from top to bottom.

The Policy Rule dialog is split up into these views:

• Identity Matching

• Required Health State

• Policy Assignments

Contents

Main Page Barracuda NG Network Access Client Chapter 1 - Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 Chapter 2 - Server Config Access Control Service. . . . 17 Chapter 3 - Server Config Personal Firewall Rules . . . 41 Chapter 4 - Operating & Monitoring Barracuda NG NAC . 62 Chapter 6 - Update or Migration. . . . . . . . . . . . . . . . . . . 81 Chapter 7 - Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Chapter 8 - VPN Configuration. . . . . . . . . . . . . . . . . . . . 83 Chapter 9 - Barracuda NG Personal Firewall . . . . . . . . . 87 Chapter 10 - VPN Component Configuration. . . . . . . . . 124 Chapter 12 - Pre-Connector and Remote VPN . . . . . . . . 167 Chapter 13 - Example Configuration . . . . . . . . . . . . . . 172 Chapter 14 - 802.1X Technical Guideline . . . . . . . . . . 183 Chapter 15 - Appendix. . . . . . . . . . . . . . . . . . . . . . . . . 205 Warranty and Software License Agreement . . . . . . . . . 222 Chapter 1 Introduction 1.1 Endpoint Security and Network Access Control 1.2 Introduction to Barracuda NG Network Access Client Page 1.2.1 What can Barracuda NG Network Access Client be used for? Page 1.2.2 Licensing Aspects 1.2.3 Policy Matching Procedure 1.3 What is a Policy Rule Set? Page 10 Introduction Page 1.4 Health Matching 1.4.1 Health State "Untrusted" 1.4.2 Health State "Probation" 1.4.3 Health State "Healthy" 1.4.4 Health State "Unhealthy" 1.4.5 Health State Requirements 1.5 Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor) 1.6 The Border Patrol Page Chapter 2 Server Config Access Control Service 2.1 General 2.2 Access Control Service Settings 2.2.1 System Health Validator 18 Server Config Access Control Service 19 Barracuda NG Network Access Client - Administrators Guide 2.2.2 Remediation Service 2.2.3 Trustzone-Border 2.2.4 802.1X 2.2.5 Advanced 2.2.6 General 2.3 Access Control Objects Page Page Page 2.4 Access Control Service Trustzone Page 2.4.1 Rules 28 Server Config Access Control Service If the identity match fails, the next rule is taken into account. 29 Barracuda NG Network Access Client - Administrators Guide 30 Server Config Access Control Service 2.4.3 Identity Matching - Advanced Page 32 Server Config Access Control Service 33 Barracuda NG Network Access Client - Administrators Guide 2.4.5 Required Health State - Advanced 34 Server Config Access Control Service Page 36 Server Config Access Control Service 2.4.6 Policy Assignments 37 Barracuda NG Network Access Client - Administrators Guide 2.4.7 Settings Exception attributes. Page Page 2.4.8 Support Chart Chapter 3 Server Config Personal Firewall Rules 3.1 General 3.2 <Rule Set Name> Tab Page 3.2.1 Rules Incoming / Outgoing 3.2.2 Context Menu 3.2.3 Button Bar Page Configure the following connection details in the Advanced view of the Rule Object window: 46 Server Config Personal Firewall Rules Page 48 Server Config Personal Firewall Rules The following entities are available for rule testing: 3.2.6 Test Report 3.2.7 Options Page 3.3 Adapters Page Page 3.4 User Objects 3.5 Net Objects Page Page Page The following services are available in the Barracuda NG Personal Firewall by default: 3.7 Application Objects Page Page Chapter 4 Operating & Monitoring Barracuda NG NAC 4.1 Box Monitoring and Real-time Information 4.1.1 Available Columns 4.1.2 Filtering 4.1.3 Context Menus Page 4.1.4 Status Tab 4.1.5 Status VPN Tab 4.1.6 Access Tab 4.1.7 Quarantine Tab Chapter 5 Client Installation 5.1 Complete Installation 5.2 Custom Installation 5.3 Unattended Setup 71 Barracuda NG Network Access Client - Administrators Guide Trusted Network see description for parameter Windows File Sharing, page 120. see description for parameter Trusted Network, page 120 Allow other to access my files and printer(s) Specific properties must be inserted into one row. Table 51 Property Value (*=default) Corresponding Option in the Firewall Settings Page 5.4 Customer Setup 5.4.1 customer.inf 74 Client Installation 5.4.2 Section "1. Customer Area" / [PhionCustomerCopyFiles] Optionally, the following file-directives may be detailed: Table 53 75 Barracuda NG Network Access Client - Administrators Guide 5.4.3 Section "2. Customer Area" / [CustomerReg] Table 53 76 Client Installation This section is used for creating profiles and defining default values. Table 54 Page 5.4.5 silent.cmd Page Page Page Page Chapter 8 VPN Configuration 8.1 Overview 8.2 Facts and Figures Personal firewall capabilities Policy matching capabilities Usage Scenario 85 Barracuda NG Network Access Client - Administrators Guide Table 84 Function Barracuda NG VPN Client Barracuda NG SSL VPN and NAC Table 83 Function Comment Architecture OS requirements Chapter 9 Barracuda NG Personal Firewall 9.1 Overview 9.1.1 Integration within Windows 7 Page Page 9.4 General Firewall Settings and Tasks (Menu Bar) 9.4.1 Firewall Menu This tab allows you to configure blocking of ICMP packets. 9.4.2 View Menu 9.4.3 Security Mode Menu 9.5 Load Display 9.6 NG Control Center - Monitoring Firewall Activities 9.6.1 Summary 9.6.2 Events 9.6.3 History Select and then right-click a list entry to display the following context menu: 9.6.5 History Selection Tab In the History Selection tab, the following checkboxes are available for fast and easy filtering. Only displays connections that have been granted (marked with ). Only displays connection attempts that have been blocked (marked with ). Page Page 101 Barracuda NG Network Access Client - Administrators Guide 9.6.8 Listing and Context Menu The listing is divided into the following columns: Table 94 Column Description Table 95 Item Description Page 9.7 Current State - Setting the Security Mode 9.8 Configuration 9.8.1 General 9.8.2 Rules 9.8.3 Context Menu Page Configure the following connection details in the Rules view of the Rule Object window: Source / Destination / Service or Adapter / Source / Service or Adapter / Destination / Service Configure the following connection details in the Advanced view of the Rule Object window: 9.8.6 Adapters Page 9.8.7 Networks Page 9.8.8 Services Page 9.8.9 Applications Page Page 9.8.10 Users 9.8.11 Rule Tester The Rule Tester view allows testing rule sets for consistency. The following entities are available for rule testing: 9.8.12 Test Reports 120 Barracuda NG Personal Firewall Select a report and click Delete to delete the report from the Test Report window. 9.9 Administration - Firewall Settings Wizard The following options are available for customisation: 9.9.1 Automatic Adapter Configuration 9.9.2 Automatic Rule Configuration Page Page Page Page 10.2 Configure a New Profile Manually Page Page 10.2.1 Functional Elements of the Barracuda NG Network Access Clients System Tray Icon 10.2.2 The Barracuda NG VPN Clients Menu Bar 10.3 Connection Dialog Page 10.4 Status Dialog Page 10.5 Message Dialog 10.6 Barracuda Networks Control / Preferences Dialog 10.6.1 VPN Profiles Configuration Window 10.6.2 Certification Authorities Configuration Window 10.6.3 Advanced Page 10.6.4 Connection Entries Tab 10.6.5 Barracuda Authentication The following parameters are available for Barracuda Authentication: The following parameters are available for X509 authentication: 10.6.6 X509 Authentication Selecting this method requires a valid X.509 certificate (*.). 10.6.8 Advanced Settings Tab Individual profile settings related to connection details can be configured from within the Configure the following section when connecting to the VPN server over a proxy. 144 VPN Component Configuration Tunnel Settings section: 145 Barracuda NG Network Access Client - Administrators Guide Always Connect section: OS Settings section: User Interface Settings section: 10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only) 10.7 Log Window Page Chapter 11 Barracuda NG Access Monitor 11.1 Overview 11.1.1 Access Monitor 11.1.2 Port Security 11.2 Monitoring 11.2.1 Health Agent 151 Barracuda NG Network Access Client - Administrators Guide Table 111 Property Description Page Page Page Page 11.2.6 802.1X Authentication - Port Security 11.2.8 Advanced Status Information Page 159 Barracuda NG Network Access Client - Administrators Guide 11.3 Configuration 11.3.1 Health Agent Connectivity Page 11.3.6 Health Agent Authentication 11.3.9 802.1X Settings Page 11.3.14 Log Settings 11.4 Log Files Page Chapter 12 Pre-Connector and Remote VPN 12.1 General 12.2 VPN Connector 12.2.1 Creating a Connector 12.2.2 Connecting And Disconnecting using the Barracuda NG VPN Client 12.2.3 Remote Domain Logon (Pre-Logon) 12.3 Remote VPN (rvpn) 12.4 Connection Procedure Page Chapter 13 Example Configuration 13.1 Introduce Access Control Objects 13.2 Personal Firewall Rule Set 13.3 Introduce an Access Control Service Trustzone Page 13.4 Configure an Access Control Service Trustzone Page Page Page Page 13.5 Configure Forwarding Firewall Rule Set Page Chapter 14 802.1X Technical Guideline 14.1 Overview 14.2 Status Monitoring 14.2.1 EAP Packet Tracer 14.2.2 Using the Barracuda NG Access Monitor for Analysis 14.2.3 Log Files on the Client Computer 186 802.1X Technical Guideline To enable or disable verbose the below registry needs to be set: 14.2.4 Switch Web Interface These values are described in more details on: Complete URL: Command: Table 144 Item Description Page 14.2.5 Switch Console Interface 14.3 Authentication 14.3.1 Notes 14.3.2 Operational Sequence 14.3.6 Start up Page Page 14.3.7 Runtime Page Page Page Page Page 14.3.16 Shutdown 199 Barracuda NG Network Access Client - Administrators Guide 14.4 Addendum 14.4.1 Packets 14.4.2 WPA Supplicant Log File Identifiers The table shows an EAPOL packet frame: The table below shows the fields of the EAP request-response frame: 200 802.1X Technical Guideline Table 1418 201 Barracuda NG Network Access Client - Administrators Guide Table 1418 202 802.1X Technical Guideline Table 1418 14.4.3 Engineering Environment This technical guideline is based on an engineering environment using following components: 14.4.4 Known Issues using Cisco Catalyst 3750-E Switch Additionally following tools have been used for analysis: Page 205 Appendix Chapter 15 Appendix 15.1 customer.inf File Template Table 1523 Customer Install Files 206 Appendix 207 Barracuda NG Network Access Client - Administrators Guide 208 Appendix 209 Barracuda NG Network Access Client - Administrators Guide 15.2 VPN Profile Registry Keys Table 1524 VPN Profile Registry Keys 210 Appendix Table 1524 VPN Profile Registry Keys 15.3 Profile Registry Keys 15.4 FAQs Page 15.5 Configuration Parameters Page Page Page 217 Barracuda NG Network Access Client - Administrators Guide 15.6 Parameter Lists Chapter 1 Introduction Chapter 2 Server Config Access Control Service Chapter 3 Server Config Personal Firewall Rules Chapter 4 Operating & Monitoring Barracuda NG NAC Chapter 5 Client Installation Page 219 Barracuda NG Network Access Client - Administrators Guide 15.7 Figures Chapter 1 Introduction Chapter 2 Server Config Access Control Service Chapter 3 Server Config Personal Firewall Rules Chapter 4 Operating & Monitoring Barracuda NG NAC Chapter 9 Barracuda NG Personal Firewall Chapter 10 VPN Component Configuration Chapter 11 Barracuda NG Access Monitor Chapter 12 Pre-Connector and Remote VPN 221 Barracuda NG Network Access Client - Administrators Guide Chapter 13 Example Configuration Chapter 14 802.1X Technical Guideline Chapter 15 Appendix Barracuda Networks Warranty and Software License Agreement 0.1 Barracuda Networks Limited Hardware Warranty 0.2 Barracuda Networks Software License Agreement Page Page 0.3 Barracuda Networks Software License Agreement Appendix