WatchGuard Technologies FireboxTM System 4.6 guide

PART III Configuring a Security Policy

This section describes how to configure your security system. Its primary focus is on using the WatchGuard Control Center and Policy Manager to develop and implement a network security policy. It includes chapters on:

WatchGuard Control Center

The WatchGuard Control Center is an intuitive management, monitoring, and reporting package that puts everything you need at your fingertips. From a single location, you can configure your system, implement security policies, and monitor all of your protected systems.

Firebox basics

Complete basic tasks related to setting up and using the Firebox hardware, including opening and saving configuration files, and setting the Firebox time zone.

Configure a network

After installation, the next step in implementing a security policy is to delineate your network. Set up either a drop-in or routed network, add secondary networks, and define network and host routes.

Block sites and ports

Use default packet handling to establish a global policy for dynamically blocking packets and sites. Alternatively, configure your network to permanently block individual sites and ports.

Configure services

With the network configured, apply protection for individual services such as SMTP and FTP. Define both incoming and outgoing traffic rules as well as specific service properties.

Control Web traffic

Use the WebBlocker feature of the WatchGuard Firebox System in conjunction with the HTTP proxy to provide Web-site filtering capabilities. This enables

User Guide

19

Image 29

WatchGuard Technologies FireboxTM System 4.6 manual Part III Configuring a Security Policy

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity CSA Statement FCC CertificationCE Notice Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 WatchGuard Firebox System components Part I IntroductionWelcome to WatchGuard WatchGuard security suite WatchGuard FireboxWatchGuard Control Center Minimum requirements LiveSecurity ServiceSoftware requirements Web browser requirements CPU Hardware requirements LiveSecurity Service Part II WatchGuard ServicesWatchGuard Optional Features Technical SupportPage Software Update LiveSecurity ServiceLiveSecurity broadcasts Information Alert Editorial Activating the LiveSecurity ServiceSupport Flash Virus Alert Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Click the LSS/SOHO Known Issues link on the left Known issuesGetting Internet technical support Getting telephone support WatchGuard Interactive Training System Wits Training Instructor-led courses WatchGuard users groupOnline Help Searching for topics Starting WatchGuard Online HelpCopying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options WatchGuard OptionsVPN Manager High Availability SpamScreen Obtaining WatchGuard optionsMobile User VPN Part III Configuring a Security Policy Connect with out-of-band management Set up network address translation NATSet up logging and notification Firebox Basics What is a Firebox? Placing a Firebox within a network Saving a configuration file Opening a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration to the local hard disk Resetting Firebox passphrasesSaving a configuration to the Firebox Tips for creating secure passphrases Reinitializing a misconfigured Firebox Setting the time zoneSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizard Booting from the system area Starting the Control Center and connecting to a Firebox Using the WatchGuard Control CenterNavigating the WatchGuard Control Center Control Center components Firebox and VPN tunnel status QuickGuideFront panel Remote VPN tunnels IPSecExpanding and collapsing the display Red exclamation point Setting the maximum number of log messages Connecting to a FireboxWorking with the Control Center Traffic Monitor Opening WatchGuard Firebox System tools Policy ManagerManipulating the Traffic Monitor Changing the Policy Manager view Firebox MonitorsLogViewer LiveSecurity Event Processor HostWatchHistorical Reports LiveSecurity Event Processor Running the QuickSetup wizard Configuring a NetworkTrusted External Setting up a drop-in network Setting up a routed network Adding a secondary network Select Network = ConfigurationDefining a network route Select Network = Routes Select Network = Default Gateway Setting the default gatewayDefining a host route Changing an interface IP address Select Network = Configuration. Click the Dhcp Server tab Select Network = Configuration. Click the General tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp server Click the subnet to remove it. Click Remove Click OK Modifying an existing subnetRemoving a Subnet Defining a Firebox as a Dhcp server Blocking Sites and Ports Configuring default packet handlingSelect Setup = Default Packet Handling Removing a blocked site Blocking a site permanentlyChanging the auto-block duration Logging and notification for blocked sites Removing a blocked port Blocking a port permanentlyLogging and notification for blocked ports Category list, click Blocked Sites Viewing the Blocked Sites list Blocking sites temporarily with service settingsConfiguring a service to temporarily block sites Click OK to close the Properties dialog box Configuring ServicesAdding an existing service Ignore Creating a new serviceSecure Port Adding incoming service properties Defining service properties Working with wg icons Adding outgoing service propertiesAdding addresses to service properties Modifying a service Configuring services for authenticationDeleting a service Under Internal Hosts, click Add Configuring an Smtp proxy service Setting up proxy servicesConfiguring the incoming Smtp proxy Click Yes Adding address patterns Selecting content typesProtecting your mail server against relaying Select headers to allow Configuring the outgoing Smtp proxy Configuring an FTP proxy serviceClick Outgoing Add masquerading options Configuring an Http proxy service Service precedence From Rank Any List Service precedence Reverting to old WebBlocker databases Controlling Web TrafficHow WebBlocker works Prerequisites to using WebBlocker Configuring the WebBlocker serviceLogging and WebBlocker Activating WebBlocker Scheduling operational and non-operational hours Setting privilegesCreating WebBlocker exceptions Click the WebBlocker Controls tab Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Select Setup = NAT Using simple dynamic NATEnabling simple dynamic NAT Adding dynamic NAT entries Configuring service-based NAT exceptions Using service-based NATEnabling service-based NAT Setting static NAT for a service Configuring a service for incoming static NATSelect Network = Configuration. Click the External tab Adding external IP addresses Click OK to close the Add Static NAT dialog box Enter the internal IP addressCheckbox Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification LiveSecurity Event Processor WatchGuard logging architectureDesignating Event Processors for a Firebox Select Setup = Logging Editing an Event Processor settingAdding an Event Processor Enabling Syslog logging Reordering Event Processors Removing an Event ProcessorSynchronizing Event Processors For Windows NT Event Processors Installing the Event Processor program Setting up the LiveSecurity Event ProcessorRunning an Event Processor on Windows Running an Event Processor on Windows NT or Windows Interactive mode from a DOS window As a Windows NT or Windows 2000 ServiceViewing the Event Processor Click WG LiveSecurity Event Processor. Click Startup Setting the log encryption key Setting global logging and notification preferencesSetting the interval for log rollover Starting and stopping the Event Processor Scheduling log reports Customizing logging and notification by service or optionControlling notification Category Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Enabling the Management Station Connecting a Firebox with OOB managementConnect with Out-of-Band Management Configure the dial-up connection Install the modemPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Select Network = Configuration. Click the OOB tab Configuring the Firebox for OOBConfiguring PPP for connecting to a Firebox Establishing an OOB connection Establishing an OOB connection Aliases and Authentication Part IV Administering a Security PolicyFirebox Activity Monitors Network Activity ReportsPage Using host aliases Creating Aliases Implementing Authentication Removing a host alias Adding a host aliasModifying a host alias How user authentication works What is user authentication?User authentication types Configuring Windows NT Server authentication Configuring Firebox authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click Close Click the Windows NT Server tab Configuring Radius server authentication Enter the administrator password Configuring CRYPTOCard server authenticationOn the Radius Server Enter or accept the time-out in seconds Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox ServiceWatch Setting Firebox Monitors view propertiesBandwidth Meter StatusReport Packet counts Network configurationLog and notification hosts Blocked Sites list Logging options Authentication host informationMemory Load average Interface the Firebox uses for each destination address InterfacesRoutes ARP table Authentication listBlocked Sites list HostWatch display Replaying a log fileSelect File = Connect Select File = Open Controlling the HostWatch display Viewing authenticated usersViewing specific hosts Viewing specific ports Add Modifying view properties HostWatch 102 Reviewing and Working with Log Files Setting LogViewer preferencesViewing files with LogViewer Starting LogViewer and opening a log file Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files Copying log files Setting log encryption keysForcing the rollover of log files From LiveSecurity Event Processor Working with log files 108 Starting Historical Reports Generating Reports of Network ActivityCreating and editing reports Viewing the reports list Creating a new report Specifying report sectionsEditing an existing report Deleting a report Consolidating report sections Setting report propertiesSpecifying a report time span Exporting reports to Html format Exporting reportsExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the table Creating a new filter Using report filtersExporting a report to a text file Editing a filter Scheduling and running reportsDeleting a filter Applying a filter Manually running a report Report sections and consolidated sections Time Summary Proxied Traffic Session Summary Packet FilteredHost Summary Proxied Traffic Proxy Summary Consolidated Sections 118 Remote user virtual private network Part V WatchGuard Virtual Private NetworkingBranch office virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking How does Dvcp work? Using Dvcp to connect to devicesBasic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtc Select Network = Branch Office VPN = Basic Dvcp Editing a tunnel to a deviceTelecommuter IP Address Soho Private Network Removing a tunnel to a device Branch office VPN with IPSecDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click Edit Select Network = Branch Office VPN = IPSec Configuring a gatewayAdding a gateway Click Gateways Incoming Settings for Outgoing checkbox Configuring a tunnel with manual securityUsing Encapsulated Security Protocol ESP Removing a gateway Using Authenticated Headers AH Configuring a tunnel with dynamic securityClick Key. Enter a passphrase. Click OK Click the Dynamic Security tab Block Creating an IPSec policyBypass Dst Port field, enter the remote host port Changing IPSec policy order Configuring services for branch office VPN with IPSecSrc Port field, enter the local host port Incoming WatchGuard VPN configuration models Configuring WatchGuard VPNSetting up WatchGuard VPN Allow VPN access to any services Changing remote network entries Enable the Activate WatchGuard VPN checkboxPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make Key Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Mobile User VPN Configuring the Firebox for Remote User VPNRemote User Pptp Adding a member to built-in Ruvpn user groups Configuring shared servers for RuvpnAdding remote access users Using the Any service Configuring services to allow incoming RuvpnBy individual service Activating Remote User Pptp Configuring the Firebox for Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tab Rules for valid Remote User Pptp addresses Configuring the Firebox for Mobile User VPNPurchasing a Mobile User VPN license Entering license keys Preparing Mobile User VPN configuration filesDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tab Distributing the software and configuration files Saving the configuration to a FireboxModifying an existing Mobile User VPN entry Select Network = Remote User Debugging Remote User VPN Pptp Configuring debugging optionsDebugging Mobile User VPN Preparing the client computers Preparing a Host for Remote User VPN Click the Identification tab Remote host operating systemWindows 95/98 platform preparation Windows NT platform preparation Installing Client for Microsoft NetworksInstalling Dial-Up Adapter #2 VPN Support Click Dial Out Only. Click Continue Setting up Ruvpn for WindowsAdding a domain name to a Windows NT workstation Select Computer Browser Installing a VPN adapter on Windows 95/98 Configuring the remote host for Ruvpn with PptpInitial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OK Starting Remote User Pptp Using Remote User PptpInstalling a VPN adapter on Windows NT Running Remote User Pptp Enter the remote client username and passwordDouble-click the Ruvpn connection Click Connect Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160