Proxedo Network Security Suite 2 Administrator Guide

Copyright 2021 BalaSys IT Security.. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaSys.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

Linux™ is a registered trademark of Linus Torvalds.

Windows™ 10 is registered trademarks of Microsoft Corporation.

The BalaSys™ name and the BalaSys™ logo are registered trademarks of BalaSys IT Security.

The PNS™ name and the PNS™ logo are registered trademarks of BalaSys IT Security.

AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.

Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

BalaSys is not responsible for any third-party websites mentioned in this document. BalaSys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaSys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

October 31, 2024


Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Contact and support information
4.1. Sales contact
4.2. Support contact
4.3. Training
5. About this document
5.1. Feedback
1. Introduction
1.1. What PNS is
1.2. Who uses PNS?
2. Concepts of the PNS Gateway solution
2.1. Main components of the PNS Gateway solution
2.1.1. PNS
2.1.2. Management Server (MS)
2.1.3. Transfer Agent
2.1.4. Management Console (MC)
2.1.5. Authentication Server (AS)
2.1.6. The concept of the CF framework
2.1.7. Virtual Private Networking (VPN) support
2.1.8. Native services
2.1.9. High Availability
2.1.10. Operating system
2.2. The concepts and architecture of PNS firewalls
2.2.1. Access control
2.2.2. Operation modes of PNS
2.2.3. Proxying connections
2.2.4. Traffic analysis with proxies
2.2.5. Proxy customization
2.2.6. Modular architecture
3. Managing PNS hosts
3.1. MS and MC
3.1.1. Defining a new host and starting MC
3.2. MC structure
3.2.1. Configuration tree
3.2.2. Main workspace
3.2.3. Menu & status bars and Preferences
3.3. Configuration and Configuration management
3.3.1. Configuration process
3.3.2. Configuration buttons
3.3.3. Committing related components
3.3.4. Recording and commenting configuration changes
3.3.5. Multiple access and lock management
3.3.6. Status indicator icons
3.3.7. Copy, paste and multiple select in MC
3.3.8. Links and variables
3.3.9. Disabling rules and objects
3.3.10. Filtering list entries
3.4. Viewing PNS logs
3.4.1. The command bar of the log viewer
4. Registering new hosts
4.1. Bootstrap a new host
4.2. Reconnecting to a host
4.2.1. Reconnecting MS to a host
5. Networking, routing, and name resolution
5.1. Configuring networking interfaces
5.1.1. General interface configuration
5.1.2. Configuring virtual networks and alias interfaces
5.1.3. Configuring bond interfaces
5.1.4. Configuring bridge interfaces
5.1.5. Enabling spoof protection
5.1.6. Interface options and activation scripts
5.1.7. Interface status and statistics
5.2. Managing name resolution
5.3. Managing client-side name resolution
5.3.1. Configure name resolution
5.4. The routing editor
5.4.1. Routes
5.4.2. Sorting, filtering, and disabling routes
5.4.3. Managing the routing tables locally
6. Managing network traffic with PNS
6.1. Understanding Application-level Gateway policies
6.2. Zones
6.2.1. Managing zones with MC
6.2.2. Creating new zones
6.2.3. Zone hierarchies
6.2.4. Using hostnames in zones
6.2.5. Finding zones
6.2.6. Exporting zones
6.2.7. Importing zones
6.2.8. Deleting a zone or more zones simultaneously
6.3. Application-level Gateway instances
6.3.1. Understanding Application-level Gateway instances
6.3.2. Managing Application-level Gateway instances
6.3.3. Creating a new instance
6.3.4. Configuring instances
6.3.5. Instance parameters — general
6.3.6. Instance parameters — logging
6.3.7. Instance parameters — Rights
6.3.8. Instance parameters — miscellaneous
6.3.9. Increasing the number of running processes
6.4. Application-level Gateway services
6.4.1. Creating a new service
6.4.2. Creating a new packet filtering Service (PFService)
6.4.3. Creating a new DenyService
6.4.4. Creating a new DetectorService
6.4.5. Routing — selecting routers and chainers
6.5. Configuring firewall rules
6.5.1. Understanding Application-level Gateway firewall rules
6.5.2. Transparent and non-transparent traffic
6.5.3. Finding firewall rules
6.5.4. Creating firewall rules
6.5.5. Tagging firewall rules
6.5.6. Configuring nontransparent rules with inband destination selection
6.5.7. Connection rate limiting
6.6. Proxy classes
6.6.1. Customizing proxies
6.6.2. Renaming and editing proxy classes
6.6.3. Analyzing embedded traffic
6.7. Policies
6.7.1. Creating and managing policies
6.7.2. Detector policies
6.7.3. Encryption policies
6.7.4. GeoIP policies
6.7.5. GeoLocationLimit
6.7.6. GeoPacketLimit
6.7.7. Limit policies
6.7.8. PacketLimit
6.7.9. Matcher policies
6.7.10. NAT policies
6.7.11. Resolver policies
6.7.12. Stacking providers
6.8. Monitoring active connections
6.9. Traffic reports
6.9.1. Configuring PNS reporting
7. Logging with syslog-ng
7.1. Introduction to syslog-ng
7.1.1. Global options
7.1.2. Sources
7.1.3. Destinations
7.1.4. Filters
7.2. Configuring syslog-ng with MC
7.2.1. Configure syslog-ng
7.2.2. Configuring syslog-ng components through MC
7.2.3. Configuring TLS-encrypted logging
8. The Text editor plugin
8.1. Using the Text editor plugin
8.1.1. Configure services with the Text editor plugin
8.1.2. Use the additional features of Text editor plugin
9. Native services
9.1. BIND
9.1.1. BIND operation modes
9.1.2. Configuring BIND with MC
9.1.3. Setting up split-DNS configuration
9.2. NTP
9.2.1. Configuring NTP with MC
9.2.2. Status and statistics
9.3. Postfix
9.3.1. Configuring Postfix with MC
9.4. Local services on PNS
9.4.1. Enabling access to local services
10. Local firewall administration
10.1. Linux
10.2. Login to the firewall
10.3. Editing configuration files
10.4. Network configuration
10.5. System logging
10.6. NTP
10.7. BIND
10.8. Updating and upgrading your PNS hosts
10.9. Packet filter
10.10. PNS configuration
10.10.1. Policy.py and instances.conf
10.10.2. Application-level Gateway control
10.11. Managing core dump files
11. Key and certificate management in PNS
11.1. Cryptography basics
11.1.1. Symmetric and asymmetric encryption
11.2. PKI Basics
11.2.1. Centralized PKI system
11.2.2. Digital certificates
11.2.3. Creating and managing certificates
11.2.4. Verifying the validity of certificates
11.2.5. Verification of certificate revocation state
11.2.6. Authentication with certificates
11.2.7. Digital encryption in work
11.2.8. Storing certificates and keys
11.2.9. Using Hardware Security modules
11.3. PKI in MS
11.3.1. Committing changes and locking in PKI
11.3.2. The certificate entity
11.3.3. Rules of distribution and owner hosts
11.3.4. Trusted groups
11.3.5. The PKI menu
11.3.6. PKI management
11.3.7. Trusted CAs
11.3.8. Managing certificates
12. Clusters and high availability
12.1. Introduction to clustering
12.2. Clustering solutions
12.2.1. Fail-Over clusters
12.2.2. Load balance clusters
12.3. Managing clusters with MS
12.4. Creating clusters
12.4.1. Creating a new cluster (bootstrapping a cluster)
12.4.2. Adding new properties to clusters
12.4.3. Adding a new node to a PNS cluster
12.4.4. Converting a host to a cluster
12.5. Keepalived for High Availability
12.5.1. Functionality of Keepalived
12.5.2. Prerequisites for configuring Keepalived
12.5.3. Configuring Keepalived
12.5.4. Configuration examples and best practices for Keepalived configuration
12.6. Availability Checker
12.6.1. Prerequisites for configuring the Availability Checker plugin
12.6.2.
13. Advanced MS and Agent configuration
13.1. Setting configuration parameters
13.1.1. Configuring user authentication and privileges
13.1.2. Configuring backup
13.1.3. Configuring the connection between MS and MC
13.1.4. Configuring MS and agent connections
13.1.5. Configuring MS database save
13.1.6. Setting configuration check
13.1.7. Configuring CRL update settings
13.1.8. Set logging level
13.1.9. Configuring SSL handshake parameters
13.2. Setting agent configuration parameters
13.2.1. Configuring connections for agents
13.2.2. Configuring connection to engine
13.2.3. Configuring logging for agents
13.2.4. Configuring SSL handshake parameters for agents
13.3. Managing connections
13.3.1. Setting up initial connection with management agents
13.3.2. Configuring connection with agents
13.3.3. Administering connections
13.3.4. Configuring recovery connections
13.4. Handling XML databases
14. Virus and content filtering using CF
14.1. Content Filtering basics
14.1.1. Quarantining
14.2. Content Filtering with CF
14.2.1. Creating module instances
14.2.2. Creating scanpaths
14.2.3. Routers and rule groups
14.2.4. Configuring PNS proxies to use CF
14.2.5. Managing CF performance and resource use
14.3. Quarantine management in MC
14.3.1. Information stored about quarantined objects
14.3.2. Configuring quarantine cleanup
15. Connection authentication and authorization
15.1. Authentication and authorization basics
15.1.1. Inband authentication
15.1.2. Outband authentication
15.2. The concept of AS
15.2.1. Supported backends and authentication methods
15.3. Authenticating connections with AS
15.3.1. Configuring AS
15.3.2. Authentication of PNS services with AS
15.3.3. Authorization of PNS services
15.3.4. Configuring the Authentication Agent
15.4. Logging in AS
16. Virtual Private Networks
16.1. Virtual Private Networking basics
16.1.1. Types of VPN
16.1.2. VPN topologies
16.1.3. The IPSec protocol
16.1.4. The OpenVPN protocol
16.2. Using VPN connections
16.2.1. Using VPN connections
16.3. Configuring IPSec connections
16.3.1. Configuring IPSec connections
16.3.2. IPSec options
16.3.3. Global IPSec options
16.4. Configuring SSL (OpenVPN) connections
16.4.1. Configuring SSL connections
16.4.2. SSL options
17. Integrating PNS to external monitoring systems
17.1. Monitoring PNS with Munin
17.2. Installing a Munin server on a MS host
17.3. Monitoring PNS with Nagios
A. Keyboard shortcuts in Management Console
A.1. Function keys
A.2. Shortcuts
A.3. Access keys
B. Further readings
B.1. PNS-related material
B.2. General, Linux-related materials
B.3. Postfix documentation
B.4. BIND Documentation
B.5. NTP references
B.6. SSH resources
B.7. TCP/IP Networking
B.8. Netfilter/nftables
B.9. General security-related resources
B.10. syslog-ng references
B.11. Python references
B.12. Public key infrastructure (PKI)
B.13. Virtual Private Networks (VPN)
C. Proxedo Network Security Suite End-User License Agreement
C.1. 1. SUBJECT OF THE LICENSE CONTRACT
C.2. 2. DEFINITIONS
C.3. 3. LICENSE GRANTS AND RESTRICTIONS
C.4. 4. SUBSIDIARIES
C.5. 5. INTELLECTUAL PROPERTY RIGHTS
C.6. 6. TRADE MARKS
C.7. 7. NEGLIGENT INFRINGEMENT
C.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
C.9. 9. LICENSE FEE
C.10. 10. WARRANTIES
C.11. 11. DISCLAIMER OF WARRANTIES
C.12. 12. LIMITATION OF LIABILITY
C.13. 13.DURATION AND TERMINATION
C.14. 14. AMENDMENTS
C.15. 15. WAIVER
C.16. 16. SEVERABILITY
C.17. 17. NOTICES
C.18. 18. MISCELLANEOUS
D. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

List of Procedures

2.1.6.1. Content Filtering with CF
3.1.1. Defining a new host and starting MC
3.2.1.3.1. Adding new configuration components to host
3.2.3.1. Configuring general MC preferences
3.2.3.2. Configuring PNS Class Editor preferences
3.2.3.3. Configuring PNS Rules preferences
3.2.3.4. Configuring MS hosts
3.2.3.6.1. Defining variables
3.2.3.6.2. Editing variables
3.2.3.6.3. Deleting variables
3.3.1.1. Configuring PNS - the general process
3.3.4. Recording and commenting configuration changes
4.1. Bootstrap a new host
4.2.1. Reconnecting MS to a host
5.1.1.1. Configuring a new interface
5.1.2.1. Creating a VLAN interface
5.1.2.2. Creating an alias interface
5.1.3. Configuring bond interfaces
5.1.4. Configuring bridge interfaces
5.1.5.1. Configuring spoof protection
5.1.6.1.1. Creating interface activation scripts
5.1.6.2.1. Creating interface groups
5.1.6.3.1. Configuring interface parameters
5.3.1. Configure name resolution
5.4.2.1. Filtering routes
6.2.2. Creating new zones
6.2.3.1. Organizing zones into a hierarchy
6.2.6. Exporting zones
6.2.7. Importing zones
6.2.8. Deleting a zone or more zones simultaneously
6.3.3. Creating a new instance
6.3.4. Configuring instances
6.3.9. Increasing the number of running processes
6.4.1. Creating a new service
6.4.2. Creating a new packet filtering Service (PFService)
6.4.3. Creating a new DenyService
6.4.4. Creating a new DetectorService
6.4.5.1. Setting routers and chainers for a service
6.5.3. Finding firewall rules
6.5.4. Creating firewall rules
6.5.5. Tagging firewall rules
6.5.7. Connection rate limiting
6.6.1.1. Derive a new proxy class
6.6.1.2. Customizing proxy attributes
6.6.2. Renaming and editing proxy classes
6.6.3.1. Stack proxies
6.7.1. Creating and managing policies
6.7.10.1.1. Configuring NAT
6.9.1. Configuring PNS reporting
7.2.1. Configure syslog-ng
7.2.2.1.1. Set global options
7.2.2.2.1. Create sources
7.2.2.2.2. Create drivers
7.2.2.4.1. Set filters
7.2.2.5.1. Configure routers
7.2.3. Configuring TLS-encrypted logging
8.1.1. Configure services with the Text editor plugin
8.1.2. Use the additional features of Text editor plugin
9.1.2.1. Configuring BIND with MC
9.1.3. Setting up split-DNS configuration
9.2.1. Configuring NTP with MC
9.3.1.1. Configuring Postfix with MC
9.4.1. Enabling access to local services
10.8. Updating and upgrading your PNS hosts
10.10.1.1. Edit the Policy.py file
11.1.1.4.1. Procedure of encrypted communication and authentication
11.2.3.1. Creating a certificate
11.3.7.2. Creating a new CA
11.3.7.4. Signing CA certificates with external CAs
11.3.8.2. Creating certificates
11.3.8.3. Revoking a certificate
11.3.8.4. Deleting certificates
11.3.8.5. Exporting certificates
11.3.8.6. Importing certificates
11.3.8.7. Signing your certificates with external CAs
11.3.8.8. Importing certificates with external private key
11.3.8.9. Monitoring licenses and certificates
12.4.1. Creating a new cluster (bootstrapping a cluster)
12.4.2. Adding new properties to clusters
12.4.3. Adding a new node to a PNS cluster
12.4.4. Converting a host to a cluster
12.5.3.1. Configure Keepalived
12.5.4.1. Simple Cluster with 2 nodes
12.5.4.2. Testing or Pilot node
12.5.4.3. Multiple backup nodes
12.5.4.4. Multiple VRRP groups in the same cluster
12.5.4.5. Managing individual OpenVPN tunnels
12.6.2.1. Configuring the Availability Checker
13.1.1.1. Adding new users to MS
13.1.1.2. Deleting users form MS
13.1.1.3. Changing passwords in MS
13.1.1.4.1. Editing user privileges in MS
13.1.1.5.1. Modifying authentication settings
13.1.2.1. Configuring automatic MS database backups
13.1.2.2. Restoring a MS database backup
13.1.3.1. Configuring the bind address and the port for MS-MC connections
1. Using linking for the IP address
13.1.4. Configuring MS and agent connections
13.1.5. Configuring MS database save
13.1.8. Set logging level
13.1.9. Configuring SSL handshake parameters
13.2.3. Configuring logging for agents
13.2.4. Configuring SSL handshake parameters for agents
13.3.3. Administering connections
13.3.4. Configuring recovery connections
14.2.1.1. Creating a new module instance
14.2.2.1. Creating a new scanpath
14.2.3.1. Creating and configuring routers
14.2.4.1. Configuring communication between PNS proxies and CF
15.1.2.1. Outband authentication using the Authentication Agent
15.3.1.1.1. Creating a new instance
15.3.2.1. Configuring communication between PNS and AS
15.3.2.2. Configuring PNS Authentication policies
15.3.3.1. Configuring authorization policies
16.2.1. Using VPN connections
16.3.1. Configuring IPSec connections
16.4.1. Configuring SSL connections
16.4.2.1. Configuring the VPN management daemon
17.1. Monitoring PNS with Munin
17.2. Installing a Munin server on a MS host
17.3. Monitoring PNS with Nagios