Copyright © 2021 BalaSys IT Security.
Copyright 2021 BalaSys IT Security. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaSys.
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Linux™ is a registered trademark of Linus Torvalds.
Windows™ 10 is a registered trademark of Microsoft Corporation.
The BalaSys™ name and the BalaSys™ logo are registered trademarks of BalaSys IT Security.
The PNS™ name and the PNS™ logo are registered trademarks of BalaSys IT Security.
AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.
Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
All other product names mentioned herein are the trademarks of their respective owners.
DISCLAIMER
BalaSys is not responsible for any third-party websites mentioned in this document. BalaSys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaSys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
October 31, 2024
Table of Contents
- Preface
- 1. Introduction
- 2. Concepts of the PNS Gateway solution
- 3. Managing PNS hosts
- 3.1. MS and MC
- 3.2. MC structure
- 3.3. Configuration and Configuration management
- 3.3.1. Configuration process
- 3.3.2. Configuration buttons
- 3.3.3. Committing related components
- 3.3.4. Recording and commenting configuration changes
- 3.3.5. Multiple access and lock management
- 3.3.6. Status indicator icons
- 3.3.7. Copy, paste and multiple select in MC
- 3.3.8. Links and variables
- 3.3.9. Disabling rules and objects
- 3.3.10. Filtering list entries
- 3.4. Viewing PNS logs
- 4. Registering new hosts
- 5. Networking, routing, and name resolution
- 6. Managing network traffic with PNS
- 6.1. Understanding Application-level Gateway policies
- 6.2. Zones
- 6.3. Application-level Gateway instances
- 6.3.1. Understanding Application-level Gateway instances
- 6.3.2. Managing Application-level Gateway instances
- 6.3.3. Creating a new instance
- 6.3.4. Configuring instances
- 6.3.5. Instance parameters — general
- 6.3.6. Instance parameters — logging
- 6.3.7. Instance parameters — Rights
- 6.3.8. Instance parameters — miscellaneous
- 6.3.9. Increasing the number of running processes
- 6.4. Application-level Gateway services
- 6.5. Configuring firewall rules
- 6.6. Proxy classes
- 6.7. Policies
- 6.8. Monitoring active connections
- 6.9. Traffic reports
- 7. Logging with syslog-ng
- 8. The Text editor plugin
- 9. Native services
- 10. Local firewall administration
- 11. Key and certificate management in PNS
- 11.1. Cryptography basics
- 11.2. PKI Basics
- 11.2.1. Centralized PKI system
- 11.2.2. Digital certificates
- 11.2.3. Creating and managing certificates
- 11.2.4. Verifying the validity of certificates
- 11.2.5. Verification of certificate revocation state
- 11.2.6. Authentication with certificates
- 11.2.7. Digital encryption in work
- 11.2.8. Storing certificates and keys
- 11.2.9. Using Hardware Security modules
- 11.3. PKI in MS
- 12. Clusters and high availability
- 13. Advanced MS and Agent configuration
- 13.1. Setting configuration parameters
- 13.1.1. Configuring user authentication and privileges
- 13.1.2. Configuring backup
- 13.1.3. Configuring the connection between MS and MC
- 13.1.4. Configuring MS and agent connections
- 13.1.5. Configuring MS database save
- 13.1.6. Setting configuration check
- 13.1.7. Configuring CRL update settings
- 13.1.8. Set logging level
- 13.1.9. Configuring SSL handshake parameters
- 13.2. Setting agent configuration parameters
- 13.3. Managing connections
- 13.4. Handling XML databases
- 14. Virus and content filtering using CF
- 15. Connection authentication and authorization
- 16. Virtual Private Networks
- 17. Integrating PNS to external monitoring systems
- A. Keyboard shortcuts in Management Console
- B. Further readings
- B.1. PNS-related material
- B.2. General, Linux-related materials
- B.3. Postfix documentation
- B.4. BIND Documentation
- B.5. NTP references
- B.6. SSH resources
- B.7. TCP/IP Networking
- B.8. Netfilter/nftables
- B.9. General security-related resources
- B.10. syslog-ng references
- B.11. Python references
- B.12. Public key infrastructure (PKI)
- B.13. Virtual Private Networks (VPN)
- C. Proxedo Network Security Suite End-User License Agreement
- C.1. 1. SUBJECT OF THE LICENSE CONTRACT
- C.2. 2. DEFINITIONS
- C.3. 3. LICENSE GRANTS AND RESTRICTIONS
- C.4. 4. SUBSIDIARIES
- C.5. 5. INTELLECTUAL PROPERTY RIGHTS
- C.6. 6. TRADE MARKS
- C.7. 7. NEGLIGENT INFRINGEMENT
- C.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
- C.9. 9. LICENSE FEE
- C.10. 10. WARRANTIES
- C.11. 11. DISCLAIMER OF WARRANTIES
- C.12. 12. LIMITATION OF LIABILITY
- C.13. 13. DURATION AND TERMINATION
- C.14. 14. AMENDMENTS
- C.15. 15. WAIVER
- C.16. 16. SEVERABILITY
- C.17. 17. NOTICES
- C.18. 18. MISCELLANEOUS
- D. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
List of Examples
- 3.1. Referring to components with variables
- 5.1. Referencing static and dynamic interfaces in firewall rules
- 6.1. Using the Internet zone
- 6.2. Subnetting
- 6.3. Finding IP networks
- 6.4. Customized logging for HTTP accounting
- 6.5. Overriding the target port SQLNetProxy
- 6.6. Overriding the target port SQLNetProxy
- 6.7. RFC-compliant proxying in Application-level Gateway
- 6.8. Virus filtering and stacked proxies
- 6.9. Defining a Detector policy
- 6.10. GeoPacketLimit example settings
- 6.11. PacketLimit example settings
- 6.12. DNSMatcher for two domain names
- 6.13. Defining a RegexpMatcher
- 6.14. Blacklisting e-mail recipients
- 6.15. SmtpProxy class using a matcher for controlling relayed zones
- 6.16. Address translation examples using
- 6.17. Defining a Resolver policy
- 6.18. Using HashResolver to direct traffic to specific servers
- 7.1. Selecting log messages from Postfix using filter
- 7.2. Setting up a router
- 9.1. Forward-only DNS server
- 9.2. Split-DNS implementation
- 9.3. Special requirements on mail handling
- 10.1. Specifying the target IP address of a TCP destination
- 15.1. BasicAccessList
List of Procedures
- 2.1.6.1. Content Filtering with CF
- 3.1.1. Defining a new host and starting MC
- 3.2.1.3.1. Adding new configuration components to host
- 3.2.3.1. Configuring general MC preferences
- 3.2.3.2. Configuring PNS Class Editor preferences
- 3.2.3.3. Configuring PNS Rules preferences
- 3.2.3.4. Configuring MS hosts
- 3.2.3.6.1. Defining variables
- 3.2.3.6.2. Editing variables
- 3.2.3.6.3. Deleting variables
- 3.3.1.1. Configuring PNS - the general process
- 3.3.4. Recording and commenting configuration changes
- 4.1. Bootstrap a new host
- 4.2.1. Reconnecting MS to a host
- 5.1.1.1. Configuring a new interface
- 5.1.2.1. Creating a VLAN interface
- 5.1.2.2. Creating an alias interface
- 5.1.3. Configuring bond interfaces
- 5.1.4. Configuring bridge interfaces
- 5.1.5.1. Configuring spoof protection
- 5.1.6.1.1. Creating interface activation scripts
- 5.1.6.2.1. Creating interface groups
- 5.1.6.3.1. Configuring interface parameters
- 5.3.1. Configure name resolution
- 5.4.2.1. Filtering routes
- 6.2.2. Creating new zones
- 6.2.3.1. Organizing zones into a hierarchy
- 6.2.6. Exporting zones
- 6.2.7. Importing zones
- 6.2.8. Deleting a zone or more zones simultaneously
- 6.3.3. Creating a new instance
- 6.3.4. Configuring instances
- 6.3.9. Increasing the number of running processes
- 6.4.1. Creating a new service
- 6.4.2. Creating a new packet filtering Service (PFService)
- 6.4.3. Creating a new DenyService
- 6.4.4. Creating a new DetectorService
- 6.4.5.1. Setting routers and chainers for a service
- 6.5.3. Finding firewall rules
- 6.5.4. Creating firewall rules
- 6.5.5. Tagging firewall rules
- 6.5.7. Connection rate limiting
- 6.6.1.1. Derive a new proxy class
- 6.6.1.2. Customizing proxy attributes
- 6.6.2. Renaming and editing proxy classes
- 6.6.3.1. Stack proxies
- 6.7.1. Creating and managing policies
- 6.7.10.1.1. Configuring NAT
- 6.9.1. Configuring PNS reporting
- 7.2.1. Configure syslog-ng
- 7.2.2.1.1. Set global options
- 7.2.2.2.1. Create sources
- 7.2.2.2.2. Create drivers
- 7.2.2.4.1. Set filters
- 7.2.2.5.1. Configure routers
- 7.2.3. Configuring TLS-encrypted logging
- 8.1.1. Configure services with the Text editor plugin
- 8.1.2. Use the additional features of Text editor plugin
- 9.1.2.1. Configuring BIND with MC
- 9.1.3. Setting up split-DNS configuration
- 9.2.1. Configuring NTP with MC
- 9.3.1.1. Configuring Postfix with MC
- 9.4.1. Enabling access to local services
- 10.8. Updating and upgrading your PNS hosts
- 10.10.1.1. Edit the Policy.py file
- 11.1.1.4.1. Procedure of encrypted communication and authentication
- 11.2.3.1. Creating a certificate
- 11.3.7.2. Creating a new CA
- 11.3.7.4. Signing CA certificates with external CAs
- 11.3.8.2. Creating certificates
- 11.3.8.3. Revoking a certificate
- 11.3.8.4. Deleting certificates
- 11.3.8.5. Exporting certificates
- 11.3.8.6. Importing certificates
- 11.3.8.7. Signing your certificates with external CAs
- 11.3.8.8. Importing certificates with external private key
- 11.3.8.9. Monitoring licenses and certificates
- 12.4.1. Creating a new cluster (bootstrapping a cluster)
- 12.4.2. Adding new properties to clusters
- 12.4.3. Adding a new node to a PNS cluster
- 12.4.4. Converting a host to a cluster
- 12.5.3.1. Configure Keepalived
- 12.5.4.1. Simple Cluster with 2 nodes
- 12.5.4.2. Testing or Pilot node
- 12.5.4.3. Multiple backup nodes
- 12.5.4.4. Multiple VRRP groups in the same cluster
- 12.5.4.5. Managing individual OpenVPN tunnels
- 12.6.2.1. Configuring the Availability Checker
- 13.1.1.1. Adding new users to MS
- 13.1.1.2. Deleting users from MS
- 13.1.1.3. Changing passwords in MS
- 13.1.1.4.1. Editing user privileges in MS
- 13.1.1.5.1. Modifying authentication settings
- 13.1.2.1. Configuring automatic MS database backups
- 13.1.2.2. Restoring a MS database backup
- 13.1.3.1. Configuring the bind address and the port for MS-MC connections
- 1. Using linking for the IP address
- 13.1.4. Configuring MS and agent connections
- 13.1.5. Configuring MS database save
- 13.1.8. Set logging level
- 13.1.9. Configuring SSL handshake parameters
- 13.2.3. Configuring logging for agents
- 13.2.4. Configuring SSL handshake parameters for agents
- 13.3.3. Administering connections
- 13.3.4. Configuring recovery connections
- 14.2.1.1. Creating a new module instance
- 14.2.2.1. Creating a new scanpath
- 14.2.3.1. Creating and configuring routers
- 14.2.4.1. Configuring communication between PNS proxies and CF
- 15.1.2.1. Outband authentication using the Authentication Agent
- 15.3.1.1.1. Creating a new instance
- 15.3.2.1. Configuring communication between PNS and AS
- 15.3.2.2. Configuring PNS Authentication policies
- 15.3.3.1. Configuring authorization policies
- 16.2.1. Using VPN connections
- 16.3.1. Configuring IPSec connections
- 16.4.1. Configuring SSL connections
- 16.4.2.1. Configuring the VPN management daemon
- 17.1. Monitoring PNS with Munin
- 17.2. Installing a Munin server on a MS host
- 17.3. Monitoring PNS with Nagios
Send your comments to support@balasys.hu