Proxedo Network Security Suite 2 Administrator Guide
Chapter 6. Managing network traffic with PNS
6.5. Configuring firewall rules
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu
Contents
Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Contact and support information
4.1. Sales contact
4.2. Support contact
4.3. Training
5. About this document
5.1. Feedback
1. Introduction
1.1. What PNS is
1.2. Who uses PNS?
2. Concepts of the PNS Gateway solution
2.1. Main components of the PNS Gateway solution
2.1.1. PNS
2.1.2. Management Server (MS)
2.1.3. Transfer Agent
2.1.4. Management Console (MC)
2.1.5. Authentication Server (AS)
2.1.6. The concept of the CF framework
2.1.6.1. Content Filtering with CF
2.1.6.2. Supported modules
2.1.7. Virtual Private Networking (VPN) support
2.1.8. Native services
2.1.9. High Availability
2.1.10. Operating system
2.2. The concepts and architecture of PNS firewalls
2.2.1. Access control
2.2.2. Operation modes of PNS
2.2.3. Proxying connections
2.2.4. Traffic analysis with proxies
2.2.5. Proxy customization
2.2.6. Modular architecture
3. Managing PNS hosts
3.1. MS and MC
3.1.1. Defining a new host and starting MC
3.2. MC structure
3.2.1. Configuration tree
3.2.1.1. Site
3.2.1.2. Host
3.2.1.3. Component
3.2.1.3.1. Adding new configuration components to host
3.2.2. Main workspace
3.2.3. Menu & status bars and Preferences
3.2.3.1. Configuring general MC preferences
3.2.3.2. Configuring PNS Class Editor preferences
3.2.3.3. Configuring PNS Rules preferences
3.2.3.4. Configuring MS hosts
3.2.3.5. PKI menu
3.2.3.6. Variables menu
3.2.3.6.1. Defining variables
3.2.3.6.2. Editing variables
3.2.3.6.3. Deleting variables
3.2.3.7. Status bar
3.3. Configuration and Configuration management
3.3.1. Configuration process
3.3.1.1. Configuring PNS - the general process
3.3.2. Configuration buttons
3.3.2.1. Commit and Revert
3.3.2.2. Upload current configuration
3.3.2.3. Control service
3.3.2.4. View and Check current configuration
3.3.2.5. Files
3.3.3. Committing related components
3.3.4. Recording and commenting configuration changes
3.3.5. Multiple access and lock management
3.3.6. Status indicator icons
3.3.6.1. Site-level indicators
3.3.6.2. Host and cluster-level indicators
Transfer and Monitor connection
Key distribution
Configuration
3.3.6.3. Component-level status indicators
3.3.7. Copy, paste and multiple select in MC
3.3.8. Links and variables
3.3.9. Disabling rules and objects
3.3.10. Filtering list entries
3.4. Viewing PNS logs
3.4.1. The command bar of the log viewer
4. Registering new hosts
4.1. Bootstrap a new host
4.2. Reconnecting to a host
4.2.1. Reconnecting MS to a host
5. Networking, routing, and name resolution
5.1. Configuring networking interfaces
5.1.1. General interface configuration
5.1.1.1. Configuring a new interface
5.1.1.2. Dynamic interfaces
5.1.2. Configuring virtual networks and alias interfaces
5.1.2.1. Creating a VLAN interface
5.1.2.2. Creating an alias interface
5.1.3. Configuring bond interfaces
5.1.4. Configuring bridge interfaces
5.1.5. Enabling spoof protection
5.1.5.1. Configuring spoof protection
5.1.6. Interface options and activation scripts
5.1.6.1. Configuring interface activation scripts
5.1.6.1.1. Creating interface activation scripts
5.1.6.2. Interface groups
5.1.6.2.1. Creating interface groups
5.1.6.3. Other interface options
5.1.6.3.1. Configuring interface parameters
5.1.7. Interface status and statistics
5.1.7.7.
5.2. Managing name resolution
5.3. Managing client-side name resolution
5.3.1. Configure name resolution
5.4. The routing editor
5.4.1. Routes
5.4.2. Sorting, filtering, and disabling routes
5.4.2.1. Filtering routes
5.4.3. Managing the routing tables locally
6. Managing network traffic with PNS
6.1. Understanding Application-level Gateway policies
6.2. Zones
6.2.1. Managing zones with MC
6.2.2. Creating new zones
6.2.3. Zone hierarchies
6.2.3.1. Organizing zones into a hierarchy
6.2.4. Using hostnames in zones
6.2.5. Finding zones
6.2.6. Exporting zones
6.2.7. Importing zones
6.2.8. Deleting a zone or more zones simultaneously
6.3. Application-level Gateway instances
6.3.1. Understanding Application-level Gateway instances
6.3.2. Managing Application-level Gateway instances
6.3.3. Creating a new instance
6.3.4. Configuring instances
6.3.5. Instance parameters — general
6.3.6. Instance parameters — logging
6.3.7. Instance parameters — Rights
6.3.8. Instance parameters — miscellaneous
6.3.9. Increasing the number of running processes
6.4. Application-level Gateway services
6.4.1. Creating a new service
6.4.2. Creating a new packet filtering Service (PFService)
6.4.3. Creating a new DenyService
6.4.4. Creating a new DetectorService
6.4.5. Routing — selecting routers and chainers
6.4.5.1. Setting routers and chainers for a service
6.4.5.2. TransparentRouter
6.4.5.2.. Use client address as source
6.4.5.2.. Target address overridable by the proxy
6.4.5.2.. Modify target port
6.4.5.2.. Modify source port
6.4.5.3. DirectedRouter
6.4.5.3.. Use client address as source
6.4.5.3.. Target address overridable by the proxy
6.4.5.3.. Modify source port
6.4.5.4. InbandRouter
6.4.5.4.. Use client address as source
6.4.5.4.. Modify source port
6.4.5.5. ConnectChainer
6.4.5.5.. Connection timeout
6.4.5.5.. Protocol action
6.4.5.6. FailoverChainer
6.4.5.6.. Keep availability state for
6.4.5.6.. Connection timeout
6.4.5.6.. Protocol action
6.4.5.7. RoundRobinChainer
6.4.5.7.. Keep availability state for
6.4.5.7.. Connection timeout
6.4.5.7.. Protocol action
6.4.5.8. SidestackChainer
6.4.5.8.. Side-stacked proxy
6.4.5.8.. Final chainer
6.4.5.9. AvailabilityChainer
6.4.5.10. RoundRobinAvailabilityChainer
6.5. Configuring firewall rules
6.5.1. Understanding Application-level Gateway firewall rules
6.5.1.1. Evaluating firewall rules
6.5.2. Transparent and non-transparent traffic
6.5.3. Finding firewall rules
6.5.4. Creating firewall rules
6.5.5. Tagging firewall rules
6.5.6. Configuring nontransparent rules with inband destination selection
6.5.7. Connection rate limiting
6.6. Proxy classes
6.6.1. Customizing proxies
6.6.1.1. Derive a new proxy class
6.6.1.2. Customizing proxy attributes
6.6.1.3. Customized proxies and the services
6.6.2. Renaming and editing proxy classes
6.6.3. Analyzing embedded traffic
6.6.3.1. Stack proxies
6.7. Policies
6.7.1. Creating and managing policies
6.7.2. Detector policies
6.7.3. Encryption policies
6.7.3.1. Understanding Encryption policies
6.7.4. GeoIP policies
6.7.5. GeoLocationLimit
6.7.6. GeoPacketLimit
6.7.7. Limit policies
6.7.8. PacketLimit
6.7.9. Matcher policies
6.7.9.1. Matching domain names with DNSMatcher
6.7.9.2. WindowsUpdateMatcher
6.7.9.3. RegexpMatcher
6.7.9.4. RegexpFileMatcher
6.7.9.5. Verifying e-mail addresses with the SmtpInvalidMatcher
6.7.9.6. Making complex decisions with the CombineMatcher
6.7.9.7. Using matcher classes in proxy classes
6.7.10. NAT policies
6.7.10.1. Configuring NAT in Application-level Gateway
6.7.10.1.1. Configuring NAT
6.7.10.2. Types of NAT policies
6.7.10.3. NAT and services
6.7.10.4. NAT and other policy objects
6.7.11. Resolver policies
6.7.12. Stacking providers
6.8. Monitoring active connections
6.9. Traffic reports
6.9.1. Configuring PNS reporting
7. Logging with syslog-ng
7.1. Introduction to syslog-ng
7.1.1. Global options
7.1.2. Sources
7.1.3. Destinations
7.1.4. Filters
7.2. Configuring syslog-ng with MC
7.2.1. Configure syslog-ng
7.2.2. Configuring syslog-ng components through MC
7.2.2.1. Configuring global options
7.2.2.1.1. Set global options
7.2.2.2. Configuring sources
7.2.2.2.1. Create sources
7.2.2.2.2. Create drivers
7.2.2.3. Configuring destinations
7.2.2.4. Configuring filters
7.2.2.4.1. Set filters
7.2.2.5. Configuring routers
7.2.2.5.1. Configure routers
7.2.3. Configuring TLS-encrypted logging
8. The Text editor plugin
8.1. Using the Text editor plugin
8.1.1. Configure services with the Text editor plugin
8.1.2. Use the additional features of Text editor plugin
9. Native services
9.1. BIND
9.1.1. BIND operation modes
9.1.2. Configuring BIND with MC
9.1.2.1. Configuring BIND with MC
9.1.3. Setting up split-DNS configuration
9.2. NTP
9.2.1. Configuring NTP with MC
9.2.2. Status and statistics
9.3. Postfix
9.3.1. Configuring Postfix with MC
9.3.1.1. Configuring Postfix with MC
9.4. Local services on PNS
9.4.1. Enabling access to local services
10. Local firewall administration
10.1. Linux
10.2. Login to the firewall
10.3. Editing configuration files
10.4. Network configuration
10.5. System logging
10.6. NTP
10.7. BIND
10.8. Updating and upgrading your PNS hosts
10.9. Packet filter
10.10. PNS configuration
10.10.1. Policy.py and instances.conf
10.10.1.1. Edit the Policy.py file
10.10.2. Application-level Gateway control
10.11. Managing core dump files
11. Key and certificate management in PNS
11.1. Cryptography basics
11.1.1. Symmetric and asymmetric encryption
11.1.1.1. Symmetric encryption
11.1.1.2. Asymmetric encryption
11.1.1.3. Authentication and public key algorithms
Web of trust and centralized PKI
11.1.1.4. Usage of encryption algorithms for secure communication
11.1.1.4.1. Procedure of encrypted communication and authentication
11.1.1.5. Hashing
11.1.1.6. Digital signature
11.2. PKI Basics
11.2.1. Centralized PKI system
11.2.1.1. CA chains and Root CAs
11.2.2. Digital certificates
11.2.3. Creating and managing certificates
11.2.3.1. Creating a certificate
11.2.4. Verifying the validity of certificates
11.2.5. Verification of certificate revocation state
11.2.5.1. Certificate Revocation List - CRLs
11.2.5.2. Online Certificate Status Protocol (OCSP) stapling
11.2.6. Authentication with certificates
11.2.7. Digital encryption in work
11.2.8. Storing certificates and keys
11.2.9. Using Hardware Security modules
11.3. PKI in MS
11.3.1. Committing changes and locking in PKI
11.3.2. The certificate entity
11.3.3. Rules of distribution and owner hosts
11.3.4. Trusted groups
11.3.5. The PKI menu
11.3.5.1. Site Preferences
11.3.5.2. Distribution of certificates
11.3.5.3. The Edit Certificates menu
11.3.6. PKI management
11.3.6.1. The command bar of PKI management
11.3.7. Trusted CAs
11.3.7.1. The command bar of Trusted CAs
11.3.7.2. Creating a new CA
11.3.7.3. Managing trusted groups
11.3.7.4. Signing CA certificates with external CAs
11.3.8. Managing certificates
11.3.8.1. The Certificates command bar
11.3.8.2. Creating certificates
11.3.8.3. Revoking a certificate
11.3.8.4. Deleting certificates
11.3.8.5. Exporting certificates
11.3.8.6. Importing certificates
11.3.8.7. Signing your certificates with external CAs
11.3.8.8. Importing certificates with external private key
11.3.8.9. Monitoring licenses and certificates
12. Clusters and high availability
12.1. Introduction to clustering
12.2. Clustering solutions
12.2.1. Fail-Over clusters
12.2.1.1. Service IP transferring
12.2.1.2. IP with MAC address takeover
12.2.1.3. Sending RIP messages
12.2.2. Load balance clusters
12.2.2.1. DNS load balancing
12.2.2.2. Load balancing with external devices
12.2.2.3. Multicast load balancing
12.3. Managing clusters with MS
12.4. Creating clusters
12.4.1. Creating a new cluster (bootstrapping a cluster)
12.4.2. Adding new properties to clusters
12.4.3. Adding a new node to a PNS cluster
12.4.4. Converting a host to a cluster
12.5. Keepalived for High Availability
12.5.1. Functionality of Keepalived
12.5.2. Prerequisites for configuring Keepalived
12.5.3. Configuring Keepalived
12.5.3.1. Configure Keepalived
12.5.4. Configuration examples and best practices for Keepalived configuration
12.5.4.1. Simple Cluster with 2 nodes
12.5.4.2. Testing or Pilot node
12.5.4.3. Multiple backup nodes
12.5.4.4. Multiple VRRP groups in the same cluster
12.5.4.5. Managing individual OpenVPN tunnels
12.6. Availability Checker
12.6.1. Prerequisites for configuring the Availability Checker plugin
12.6.2.
12.6.2.1. Configuring the Availability Checker
13. Advanced MS and Agent configuration
13.1. Setting configuration parameters
13.1.1. Configuring user authentication and privileges
13.1.1.1. Adding new users to MS
13.1.1.2. Deleting users form MS
13.1.1.3. Changing passwords in MS
13.1.1.4. Configuring user privileges in MS
13.1.1.4.1. Editing user privileges in MS
13.1.1.5. Configuring authentication settings in MS
13.1.1.5.1. Modifying authentication settings
13.1.2. Configuring backup
13.1.2.1. Configuring automatic MS database backups
13.1.2.2. Restoring a MS database backup
13.1.3. Configuring the connection between MS and MC
13.1.3.1. Configuring the bind address and the port for MS-MC connections
13.1.4. Configuring MS and agent connections
13.1.5. Configuring MS database save
13.1.6. Setting configuration check
13.1.7. Configuring CRL update settings
13.1.8. Set logging level
13.1.9. Configuring SSL handshake parameters
13.2. Setting agent configuration parameters
13.2.1. Configuring connections for agents
13.2.2. Configuring connection to engine
13.2.3. Configuring logging for agents
13.2.4. Configuring SSL handshake parameters for agents
13.3. Managing connections
13.3.1. Setting up initial connection with management agents
13.3.2. Configuring connection with agents
13.3.3. Administering connections
13.3.4. Configuring recovery connections
13.4. Handling XML databases
14. Virus and content filtering using CF
14.1. Content Filtering basics
14.1.1. Quarantining
14.2. Content Filtering with CF
14.2.1. Creating module instances
14.2.1.1. Creating a new module instance
14.2.1.2. CF modules
The clamav module
The HTML module
The NOD32 module
The mail header filtering (mail-hdr) module
The mime module
The program module
The stream editor (sed) module
The spamassassin module
The ModSecurity module
14.2.2. Creating scanpaths
14.2.2.1. Creating a new scanpath
14.2.2.2. Scanpath options
Quarantine and oversized file options
Configuring trickle mode
Automatic decompression and error handling
14.2.3. Routers and rule groups
14.2.3.1. Creating and configuring routers
14.2.3.2. Router actions and conditions
14.2.4. Configuring PNS proxies to use CF
14.2.4.1. Configuring communication between PNS proxies and CF
14.2.5. Managing CF performance and resource use
14.2.5.1. Logging in CF
14.2.5.2. Memory and disk usage of CF
14.3. Quarantine management in MC
14.3.1. Information stored about quarantined objects
14.3.2. Configuring quarantine cleanup
15. Connection authentication and authorization
15.1. Authentication and authorization basics
15.1.1. Inband authentication
15.1.2. Outband authentication
15.1.2.1. Outband authentication using the Authentication Agent
15.2. The concept of AS
15.2.1. Supported backends and authentication methods
15.3. Authenticating connections with AS
15.3.1. Configuring AS
15.3.1.1. Configuring backends
15.3.1.1.1. Creating a new instance
The AS_db backend
The htpass backend
The Pluggable authentication module (PAM) backend
The RADIUS backend
15.3.1.2. Configuring routers
15.3.2. Authentication of PNS services with AS
15.3.2.1. Configuring communication between PNS and AS
15.3.2.2. Configuring PNS Authentication policies
15.3.3. Authorization of PNS services
15.3.3.1. Configuring authorization policies
15.3.3.2. Authorization models of PNS
BasicAccessList
NEyes authorization
Pair authorization
PermitGroup
PermitUser
PermitTime
15.3.4. Configuring the Authentication Agent
15.4. Logging in AS
16. Virtual Private Networks
16.1. Virtual Private Networking basics
16.1.1. Types of VPN
16.1.2. VPN topologies
16.1.3. The IPSec protocol
16.1.4. The OpenVPN protocol
16.2. Using VPN connections
16.2.1. Using VPN connections
16.3. Configuring IPSec connections
16.3.1. Configuring IPSec connections
16.3.2. IPSec options
16.3.3. Global IPSec options
16.4. Configuring SSL (OpenVPN) connections
16.4.1. Configuring SSL connections
16.4.2. SSL options
16.4.2.1. Configuring the VPN management daemon
16.4.2.2. Push options
The Redirect gateway option
17. Integrating PNS to external monitoring systems
17.1. Monitoring PNS with Munin
17.2. Installing a Munin server on a MS host
17.3. Monitoring PNS with Nagios
Appendix A. Keyboard shortcuts in Management Console
A.1. Function keys
A.2. Shortcuts
A.3. Access keys
Appendix B. Further readings
B.1. PNS-related material
B.2. General, Linux-related materials
B.3. Postfix documentation
B.4. BIND Documentation
B.5. NTP references
B.6. SSH resources
B.7. TCP/IP Networking
B.8. Netfilter/nftables
B.9. General security-related resources
B.10. syslog-ng references
B.11. Python references
B.12. Public key infrastructure (PKI)
B.13. Virtual Private Networks (VPN)
Appendix C. Proxedo Network Security Suite End-User License Agreement
C.1. 1. SUBJECT OF THE LICENSE CONTRACT
C.2. 2. DEFINITIONS
C.3. 3. LICENSE GRANTS AND RESTRICTIONS
C.4. 4. SUBSIDIARIES
C.5. 5. INTELLECTUAL PROPERTY RIGHTS
C.6. 6. TRADE MARKS
C.7. 7. NEGLIGENT INFRINGEMENT
C.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
C.9. 9. LICENSE FEE
C.10. 10. WARRANTIES
C.11. 11. DISCLAIMER OF WARRANTIES
C.12. 12. LIMITATION OF LIABILITY
C.13. 13.DURATION AND TERMINATION
C.14. 14. AMENDMENTS
C.15. 15. WAIVER
C.16. 16. SEVERABILITY
C.17. 17. NOTICES
C.18. 18. MISCELLANEOUS
Appendix D. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License