Barracuda Networks VERSION SP4 specs

13.5 Configure Forwarding Firewall Rule Set

Enforcement of the security policy is provided by the Barracuda NG Network Access Client software installed on the endpoint itself. Whenever leaving the local collision domain, Barracuda NG Firewalls can provide additional protection. To enforce the health policy, Barracuda NG Firewalls may interpret the access policy attribute assigned to the endpoint within their rule sets. This provides a way to enforce network access control concepts based on date and time, identity and health state and type of network access.

To allow communication to protected servers only for clients conforming to the health policy, modify the gateway firewall rule set as follows:

•Open the forwarding firewall rule set and change to section User Groups.

•Select New… in the context menu to create a new User Object.

•After setting a name for the user object add a new User Condition

•Within the Policy Roles Patterns section, change the logic operation to One Pattern must match (OR).

•Add two new Policy Roles Patterns: healthy and probation.

•Close the User condition dialog.

•Create or edit the firewall rule Healthy-Access-to-protected-Servers.

•Add a reference to the new user object healthy-clientswithin the Authenticated user dialog box.

Fig. 13–7Example configuration – Configure forwarding firewall rule set – Edit/Create User Object > User Condition

181 Barracuda NG Network Access Client - Administrator’s Guide

Image 183

Barracuda Networks VERSION SP4 manual Configure Forwarding Firewall Rule Set

Contents

Page Copyright Notice Barracuda NG Network Access Client VPN Component Configuration Update or MigrationUninstall VPN Configuration 802.1X Technical Guideline Pre-Connector and Remote VPNExample Configuration Warranty and Software License Agreement Endpoint Security and Network Access Control Introduction to Barracuda NG Network Access ClientIntroduction Barracuda NG Personal Firewall Client software consists of the following subsystems 1Barracuda NG Network Access Client environment What can Barracuda NG Network Access Client be used for? Barracuda NG Network Access Client Administrator’s Guide Licensing Aspects What is a Policy Rule Set?Policy Matching Procedure Healthy Limited Access VPN Offline Barracuda NG Network Access Client Administrator’s Guide Probation actions Healthy Local Machine context Current User contextVPN context Matching Criteria Local Machine Current User Health Matching Health State Unhealthy Health State UntrustedHealth State Probation Health State Healthy Health State Requirements Analyse Enforce Monitor Border Patrol 3Trust Relationships System Health Validator Server Config Access Control ServiceAccess Control Service Settings General ParameterDescription Trustzone-Border Remediation Service Advanced Log LevelNumber of used Threads General Access Control Objects Pictures Welcome Messages Personal Firewall Rules 3Access Control Objects Access Control Service Bitmaps Click clipboard, import the adequate registry file Registry Check ObjectsImport of a registry file 7Access Control Service Trustzone Configuration tree Access Control Service Trustzone Servername Assigned Services servicename ACS Rules 9Access Control Service Trustzone Rules Time Restriction Policy NameDeactivate Policy Client Connection External Ignore Internal Group Patterns Net BiosUser Login Policy Matching All-of-following One-of-following X509 X509 IssuerMicrosoft X509 Subject Required Health State Basic Antispyware Required Scanner On Last AS Scan Action Manual Auto Remediation AS Engine Required Ignore Latest default Previous Last-2Last AV Scan Action Manual Auto Remediation Tries to execute a full system scan automatically AV Engine/Pattern Manual Action Auto Remediation Update automatically Parameter Description Message Personal Ruleset Name Firewall SettingsSoftware Yes Update No default Required Yes-Even-Major Server Healthy Vlan Id Settings802.1X Use Use Dhcp renew Limited Access Ruleset Name Limited Access MessageBitmap 802.1X Health PassportVerification Key Passport Verification Key Support Chart Server Config Personal Firewall Rules Rule Set Name TabDouble-click the appropriate VPN Firewall Rule Set 1Rules Incoming Rules Incoming / Outgoing Paste New…Delete Copy Inactive Select New… from the context menu to create a new ruleItem / Parameter Description Comment Section Description Tester Tester view allows testing rule sets for consistency Test Report Following entities are available for rule testing Options With Adsl Pptp Port Protocol Service Name DescriptionIcmp Parameters Connect to the Internet Following objects assigned with status multi are available PreconfiguredAdapters Listing is divided into the following columns Name Specify a name for the adapter object Following further adapter objects are available Adapter/Ref Trust TypeStatus IPs 10User Object dialog User Objects 11Network Objects window Net Objects This object includes the Multicast network 239.255.0.0/16 12Net Object dialog Click New… to open the Net Object dialog 13Service Object dialog Service Objects Service Name Port Protocol Connection Description Application ObjectsKerberos 14Application Object dialog Application Connection Description HKEYLOCALMACHINE\Services registry key Operating & Monitoring Barracuda NG NAC Box Monitoring and Real-time InformationAvailable Columns Clients MAC address as reported by the NG client Possible values are Access, Not Restricted, or ProbationFiltering Name of the matching policy rule Context Menus Visualize this Computer… 3Box Monitoring and Real-time Information Show time in UTC Status Tab Access Tab Status VPN TabQuarantine Tab Client Installation Double-click setup.exe to start the installation routineInstallation routine offers three basic ways of setup Complete Installation See 5.3 Unattended Setup,See 5.4 Customer Setup, 802.1x Enable Dhcp Renew Custom InstallationUnattended Setup Parameter Default See description for parameter Windows File Sharing, See description for parameter Trusted Network, This option prevents deactivating the NG Personal Firewall This parameter defines the Access Control Server to be used See 5.4.1 customer.inf, Customer SetupProceed as follows to prepare a completely customized setup Customer.inf Directive Comment Optionally, the following file-directives may be detailed 0x00001000 0x000008000x00000008 0x00000010 Flags Reg-rootSubkey Value-entry-name Edit profile name Subdir Silent.cmdFilename Diskid For an overview of specific properties see -1, Refer to the OS help for details System Restore Update or Migration Procedure Uninstall VPN Configuration OverviewFacts and Figures Function Comment Function Supported Usage Scenario Architecture Barracuda NG Personal Firewall All Programs Barracuda NG Network Access Client NG Firewall 1Windows 7 Windows Firewall and Action Center screens Integration within Windows 2Rule set selection Rule Set Selection 3Graphical Interface of the Barracuda NG Personal Firewall User Interface Firewall Menu General Firewall Settings and Tasks Menu Bar Block all IP Fragments This tab allows you to configure blocking of Icmp packetsDisable Windows Firewall Automatic Adapter Assignment Connect Close Block View Menu Load Display Security Mode Menu Summary NG Control Center Monitoring Firewall Activities Events 11NG Control Center History window History Add Pass Rule Show DetailsResolve Source/Destination IP Send to Rule Tester Filters incoming or outgoing connections Filters the connection’s Traffic PolicyFilters the source IP address of the connection Filters the application which has attempted to connect Live Activity view details all currently active connections Live Activity Disconnect Filter Conditions Configuration Current State Setting the Security Mode Show Users Show Source Addresses…Show Destination Addresses… Show Adapters Paste Pastes the selected rules from the clipboard ItemDescription Application optional Action Name CommentInactive checkbox Select Source / Destination 18Time restriction dialog Monitor Connections Yes 19Adapter objects window Adapters Control Network Connections Network Connection name for example, Local Area Connection Networks Following options are availableUntrusted Secured Routes are assigned to the Net-NGVPNObject 22Net Object dialog Services Example Applications 24Application Object dialog 10Applications required in Microsoft Windows domains 25User Object dialog Users Rule Tester Rule Tester view allows testing rule sets for consistency 27Test Report window Test Reports Following options are available for customisation Administration Firewall Settings Wizard However, it will not pop up if Automatic Adapter Configuration 28Security Alert windows Automatic Rule Configuration Restrictive rule set only 29Security Alert Advanced Policy Create a New Profile Using the Profile Wizard VPN Component Configuration 2VPN Profile Wizard Profile Wizard 4VPN Profile Wizard Enter personal License 6VPN Profile Wizard Modify Existing Profile Using the Wizard Configure a New Profile Manually 8NG VPN client Connect dialog Field where characters need to be inserted 11Editing options of the VPN client dialog Shows the version information 13Close NG VPN Client informational window Barracuda NG VPN Client’s Menu Bar Connection Dialog Closes the NG VPN Client windowNG VPN Client can be started in the following ways Click Connect to establish a connection to the VPN server Assigned Wins address Status DialogAssigned domain Assigned DNS IP address for the VPN connection Local time on the VPN server Enable or disable compressionUptime for the current connection VPN server to which the client currently is connected 16Message dialog window Message Dialog Name of the profile VPN Profiles Configuration WindowConfigured VPN server to connect to Barracuda Networks Control / Preferences Dialog Use this menu item to terminate a connection Certification Authorities Configuration WindowStore into which the certificate was saved Modify, copy or delete an existing profile Configure specific Barracuda NG VPN adapter settings here Opens a window with detailed certificate informationDeletes the selected certificate from the certificate store General VPN Settings section Direct Access 19Connection Entries tab Connection Entries Tab Following parameters are available for X509 authentication Barracuda Authentication Advanced Settings Tab DescriptionDescriptionExternal File Path to the external X.509 certificate Default Yes Virtual Adapter ConfigurationDefault Direct assignment Use Access Control Service Be established Disconnecting. Recommended value NoEnable MS Logon Fallback Profile User name possibly needed for proxy authentication IP address of the VPN serverURL or IP address of the proxy server Log entry’s time stamp Log Window Module the respective log entry refers to Barracuda NG Access Monitor Access MonitorPort Security Health Agent Monitoring Property Description Advanced Status information State Description 5Connection error using Icmp connectivity checking see Barracuda NG Network Access Client Administrator’s Guide Task Description 11.2.6 802.1X Authentication Port Security Column Description EAP Tracer Use Ntml Authentication Access Control Server IPs from RegistryAccess Control Server IPs from Dhcp Use Basic Authentication Item Description Health Agent Connectivity Value Key Health Agent Authentication Ieee 802.1X Authentication 11.3.9 802.1X Settings Capture 802.1X Traffic EAP Log Settings Log Files16 Log Files Description DownloadLocal.xml Client.xmlConnect.xml Download.xml Pre-Connector and Remote VPN VPN ConnectorCreate a connector to achieve following Thereafter rename the default profile Creating a Connector Remote Domain Logon Pre-Logon Remote VPN rvpn Same example with 10 retries for connecting -c Connection Procedure Dhcp 1Example configuration environment Example Configuration Personal Firewall Rule Set Introduce Access Control Objects Next create and edit the unrestricted rule set Introduce an Access Control Service TrustzonePage Policy Rule dialog is split up into these views Configure an Access Control Service Trustzone Barracuda NG Network Access Client Administrator’s Guide Parameter Value Page Example Configuration Configure Forwarding Firewall Rule Set Example Configuration Client computer SwitchAuthentication Server 802.1X Technical Guideline EAP Packet Tracer Access Control ServerDisabled Enabled Status Monitoring Supplicant console interface Using the Barracuda NG Access Monitor for AnalysisCommand Description Log Files on the Client Computer Path Switch Web InterfaceThese values are described in more details on Key Logging See 14.3.11 Authentication Message Exchange, See 14.3.9 Periodic client re-authentication by the switch, Ethernet AuthenticationSwitch Console Interface Example enabling debug output Point-to-Point Operational SequenceStart up Token Ring Service Friendly Name Service Name WZO prior to Windows VistaDot3svc Windows Vista Wpa-supplicant configuration Successful start of the wpa-supplicant can be verified by To resolve this problem proceed following stepsRuntime You will require elevated privileges to perform this step Enter global configuration mode Return to privileged Exec modeVerify your entries Example Re-authentication started by the switch is illustrated Condition Description CommandEnter the global configuration mode See for the Eapol packet frames Dhcp Renew Return to the privileged Exec mode Resetting the 802.1X Authentication process Shutdown 14 phions.log Output15 phions.log Output Table shows an Eapol packet frame AddendumPackets WPA Supplicant Log File Identifiers 200 802.1X Technical Guideline Sending / receiving commands over pipe 202 802.1X Technical Guideline Additionally following tools have been used for analysis Known Issues using Cisco Catalyst 3750-E SwitchWireshark Engineering Environment No aaa accounting dot1x default group radius Appendix Customer Install Files Appendix Barracuda NG Network Access Client Administrator’s Guide Appendix VPN Profile Registry Keys VPN Profile Registry Keys 3DES AES Profile Registry Keys FAQs Appendix Configuration Parameters 214 Reconnect immidiately 10 X509 Altnames 2 X509 Issuer 2 X509 Subject 2 15.6 Parameter Lists Introduction Server Config Access Control Service Barracuda NG Access Monitor Figures 220 802.1X Technical Guideline Barracuda Networks Software License Agreement Barracuda Networks Limited Hardware Warranty Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Software License Agreement Appendix Page Page No Warranty Terms and Conditions Page Page Page Page Limitation of Liability Page Page Page 238 Page Page Page Page Disclaimer of Warranty Miscellaneous Page Limits Terms and Conditions for USE, REPRODUCTION, and Distribution Page Page Page Page 252 Page Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Page Issue Date Aug 6 262 Page 264