Proxedo Network Security Suite 2 Installation Guide

Copyright 2021 BalaSys IT Security. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaSys.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

Linux™ is a registered trademark of Linus Torvalds.

Windows™ 10 is a registered trademark of Microsoft Corporation.

The BalaSys™ name and the BalaSys™ logo are registered trademarks of BalaSys IT Security.

The PNS™ name and the PNS™ logo are registered trademarks of BalaSys IT Security.

AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.

Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

BalaSys is not responsible for any third-party websites mentioned in this document. BalaSys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaSys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

October 31, 2024


Table of Contents

Preface
1. Target audience and prerequisites
2. Products covered in this guide
3. Contact and support information
3.1. Sales contact
3.2. Support contact
3.3. Training
4. About this document
4.1. Feedback
1. System requirements
1.1. Hardware requirements for a PNS firewall host
1.1.1. Sizing PNS hosts
1.2. Hardware requirements for Management Server (MS) and Authentication Server (AS) hosts
1.3. Hardware requirements for a Content Filtering (CF) host
1.4. Hardware requirements for a Management Console (MC)
2. Account requirements
2.1. Personal account
2.2. Technical account
3. Installing PNS on an existing Ubuntu server
3.1. Installing Ubuntu Server
3.2. Installing PNS on a Ubuntu server
3.3. Overview of the installation process
3.4. Reconfiguring already installed packages
4. Configuring PNS components
4.1. Configuring PNS modules
4.1.1. Configuring Postfix
4.1.2. Configuring the pns-common package
4.1.3. Configuring the ESET (NOD32) virus filtering modules
4.1.4. Configuring One Time Password for initial connection to MSs
4.1.5. Configuring Management Server (MS)
4.1.6. Installing the electronic license keys
4.2. Upgrading PNS hosts using apt
5. Installing the Management Console (MC)
5.1. Using MC on GNU/Linux platforms
6. Installing the Authentication Agent (AA)
6.1. Installing the Authentication Agent on Microsoft Windows platforms
6.1.1. Installing the Authentication Agent on Microsoft Windows
6.1.2. Installing Authentication Agent with Group Policy Object (GPO) deployment
6.2. Using AA on GNU/Linux platforms
A. Further readings
A.1. PNS-related material
A.2. General, Linux-related materials
A.3. Postfix documentation
A.4. BIND Documentation
A.5. NTP references
A.6. SSH resources
A.7. TCP/IP Networking
A.8. Netfilter/nftables
A.9. General security-related resources
A.10. syslog-ng references
A.11. Python references
A.12. Public key infrastructure (PKI)
A.13. Virtual Private Networks (VPN)
B. Proxedo Network Security Suite End-User License Agreement
B.1. 1. SUBJECT OF THE LICENSE CONTRACT
B.2. 2. DEFINITIONS
B.3. 3. LICENSE GRANTS AND RESTRICTIONS
B.4. 4. SUBSIDIARIES
B.5. 5. INTELLECTUAL PROPERTY RIGHTS
B.6. 6. TRADE MARKS
B.7. 7. NEGLIGENT INFRINGEMENT
B.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
B.9. 9. LICENSE FEE
B.10. 10. WARRANTIES
B.11. 11. DISCLAIMER OF WARRANTIES
B.12. 12. LIMITATION OF LIABILITY
B.13. 13.DURATION AND TERMINATION
B.14. 14. AMENDMENTS
B.15. 15. WAIVER
B.16. 16. SEVERABILITY
B.17. 17. NOTICES
B.18. 18. MISCELLANEOUS
C. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

List of Examples

4.1.

List of Procedures

3.1. Installing Ubuntu Server
3.2. Installing PNS on a Ubuntu server
4.1.1. Configuring Postfix
4.1.2. Configuring the pns-common package
4.1.3. Configuring the ESET (NOD32) virus filtering modules
4.1.4. Configuring One Time Password for initial connection to MSs
4.1.5. Configuring Management Server (MS)
4.2. Upgrading PNS hosts using apt
5.1. Using MC on GNU/Linux platforms
6.1.1. Installing the Authentication Agent on Microsoft Windows
6.1.2. Installing Authentication Agent with Group Policy Object (GPO) deployment
6.2. Using AA on GNU/Linux platforms

Preface

1. Target audience and prerequisites

This guide is intended for use by system administrators and consultants responsible for network security and whose task is the configuration and maintenance of PNS firewalls. PNS gives them a powerful and versatile tool to create full control over their network traffic and enables them to protect their clients against Internet delinquency.

This guide is also useful for IT decision makers evaluating different firewall products because apart from the practical side of everyday PNS administration, it introduces the philosophy behind PNS without the marketing side of the issue.

The following skills and knowledge are necessary for a successful PNS administrator.

  • Linux: At least a power user's knowledge is required.

  • Experience in system administration: Experience in system administration is certainly an advantage, but not absolutely necessary.

  • Programming language knowledge: It is not an explicit requirement to know any programming language, though being familiar with the basics of Python may be an advantage, especially in evaluating advanced firewall configurations or in troubleshooting misconfigured firewalls.

  • General knowledge on firewalls: A general understanding of firewalls, their roles in the enterprise IT infrastructure and the main concepts and tasks associated with firewall administration is essential. To fulfill this requirement, a significant part of Chapter 3, Architectural overview in the PNS Administrator's Guide is devoted to the introduction of general firewall concepts.

  • Knowledge on Netfilter concepts: In-depth knowledge is strongly recommended; while it is not strictly required, it definitely helps in understanding the underlying operations and also shortens the learning curve.

  • Knowledge on TCP/IP protocol: High-level knowledge of the TCP/IP protocol suite is a must; no successful firewall administration is possible without it.

Table 1. Prerequisites


2. Products covered in this guide

The PNS Distribution DVD-ROM contains the following software packages:

  • Current version of PNS 2 packages.

  • Current version of Management Server (MS) 2.

  • Current version of Management Console (MC) 2 (GUI) for both Linux and Windows operating systems, and all the necessary software packages.

  • Current version of Authentication Server (AS) 2.

  • Current version of the Authentication Agent (AA) 2, the AS client for both Linux and Windows operating systems.

For a detailed description of hardware requirements of PNS, see Chapter 1, System requirements.

For additional information on PNS and its components visit the PNS website containing white papers, tutorials, and online documentations on the above products.

3. Contact and support information

This product is developed and maintained by BalaSys IT Security.

Contact:

    BalaSys IT Security.
    4 Alíz Street
    H-1117 Budapest, Hungary
    Tel: +36 1 646 4740
    E-mail: 
    Web: http://balasys.hu/

3.1. Sales contact

You can directly contact us with sales related topics at the e-mail address , or leave us your contact information and we will call you back.

3.2. Support contact

To access the BalaSys Support System, sign up for an account at the BalaSys Support System page. Online support is available 24 hours a day.

BalaSys Support System is available only for registered users with a valid support package.

Support e-mail address: .

3.3. Training

BalaSys IT Security. holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the https://www.balasys.hu/en/services#training webpage.

4. About this document

This guide is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the Documentation Page.

4.1. Feedback

Any feedback is greatly appreciated, especially on what else this document should cover, including protocols and network setups. General comments, errors found in the text, and any suggestions about how to improve the documentation are welcome at .

Chapter 1. System requirements

This section outlines hardware and software requirements for running PNS on your firewall.

1.1. Hardware requirements for a PNS firewall host

Processor: PNS requires a 64-bit capable x86 processor (for example, Intel Core i series, Intel Xeon, AMD Ryzen, AMD EPYC, and so on).

Memory: At least 4 GiB RAM is recommended, though 2 GiB is acceptable on systems with low load.

Hard disk: Though PNS itself requires a minimum of 16 GiB of disk space, 256 GiB or larger disk space is recommended to have enough space for log files, for example.

Hardware compatibility: PNS runs on Ubuntu, currently using version 5.15 of the Linux kernel. Most hardware supported by Linux is also supported by PNS.

Note

Make sure to install PNS on hardware that is Ubuntu Server certified. For a list of Ubuntu Server certified hardware, see Ubuntu Server certified hardware.

Tip

Use disks designed for servers: other disks are not designed for 24/7 usage or for participation in RAID sets. Use 2 or more redundant disks in a RAID array to prevent data loss and downtime (the PNS automatic installer supports software RAID mirroring).

For details on sizing a PNS host, see Section 1.1.1, Sizing PNS hosts.

Tip

A modern 1- or 2-unit-high server with remote management port is usually an optimal solution. Its size depends on the number of required LAN ports. Use reliable or brand hardware for your firewall with dual power supply and UPS.

1.1.1. Sizing PNS hosts

Correctly sizing the hardware is a difficult task. Actual hardware requirements of a running system depend on several factors, and taking everything into account is rarely possible. The three most demanding aspects of transmitted traffic are: number of new/parallel sessions, bandwidth, and log subsystem settings.

Number of new/parallel sessions: 

The number of parallel sessions directly affects memory and CPU usage. In addition to standard operating system memory requirements, PNS uses memory for each established session. Usually, the following factors have to be taken into account:

  • OS: 64-128 MiB is sufficient for the OS to operate.

  • Per PNS instance: For each and every running PNS instance about 10-20 MiB is required depending on the complexity of the configuration (zones, proxies, services, and so on).

  • Per session: For each additional session about 200 kiB is needed (kernel socket buffers, thread-specific data, dynamic proxy state information, and so on).

On an average firewall handling 500 sessions in 10 instances, approximately 256-768 MiB memory is required. The required memory really depends on the complexity of the policy (content filtering can considerably increase the needs due to the various data buffers).

The question now is how many sessions a given number of clients generate. It can be assumed that peak load is caused by HTTP traffic, which is the most demanding application on the Internet today. Each object on the World Wide Web is fetched by a separate session of HTTP if keep-alive connections are not allowed, and a single web page consists of many objects as each picture is an object on its own. If keep-alive is allowed then only a few sessions are used by a client, and a good estimate is that a single browser opens four sessions simultaneously to fetch a page and additional graphics. Therefore, if you had 100-120 clients browsing constantly, your firewall would have to handle 400-480 sessions at a time as a peak.

Bandwidth: 

Bandwidth adds another aspect to hardware requirements. You might need a single session only, but that single session could require 155 Mbit/sec fully saturated. This defines CPU requirements, which are much more difficult to estimate. CPU power is consumed mainly by session startup and by complex policies (for example, a lot of customizations); of course, bandwidth matters too. An average 2-3 GHz CPU with enough memory can handle about 50-100-150 new sessions per second depending on the type of traffic.

For performance tests, contact your PNS Support Partner.

Log subsystem settings: 

Default log settings of PNS generate about 300-400 bytes of log messages for a single session. On a firewall serving 100000 sessions a day, this means 30-40 MiB of log messages. Increasing the verbosity level adds to this amount. Carefully fine-tune the logging subsystem by selecting only the messages you are really interested in, decreasing both storage and runtime demands.
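As an added example (not part of the BalaSys guide), the following POSIX shell script turns the three rules of thumb above into a rough estimator: peak sessions from the number of browsing clients, RAM from OS, per-instance and per-session overhead, and daily log volume. The low and high bounds of each figure are the ranges quoted in this section; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the BalaSys guide: a rough PNS sizing estimator
# built from the rules of thumb in Section 1.1.1 (low/high bound of each range).
OS_MIB_LOW=64;   OS_MIB_HIGH=128          # base operating system
INST_MIB_LOW=10; INST_MIB_HIGH=20         # per running PNS instance
SESSION_KIB=200                           # per established session
SESSIONS_PER_BROWSER=4                    # browser with keep-alive allowed
LOG_BYTES_LOW=300; LOG_BYTES_HIGH=400     # default log volume per session

# peak_sessions <clients>: sessions a constantly browsing population
# generates at peak (four parallel sessions per browser).
peak_sessions() {
    echo $(( $1 * SESSIONS_PER_BROWSER ))
}

# memory_mib <instances> <sessions> <low|high>: estimated RAM in MiB
# (OS + instances * per-instance + sessions * 200 kiB), integer-truncated.
memory_mib() {
    instances=$1; sessions=$2; bound=$3
    if [ "$bound" = high ]; then
        os=$OS_MIB_HIGH; inst=$INST_MIB_HIGH
    else
        os=$OS_MIB_LOW; inst=$INST_MIB_LOW
    fi
    kib=$(( os * 1024 + instances * inst * 1024 + sessions * SESSION_KIB ))
    echo $(( kib / 1024 ))
}

# log_mib_per_day <sessions_per_day> <low|high>: log volume at default
# verbosity in MiB per day, integer-truncated.
log_mib_per_day() {
    if [ "$2" = high ]; then per=$LOG_BYTES_HIGH; else per=$LOG_BYTES_LOW; fi
    echo $(( $1 * per / 1048576 ))
}

# size_report <clients> <instances> <sessions_per_day>: one-line summary
size_report() {
    s=$(peak_sessions "$1")
    printf 'clients=%s peak_sessions=%s ram=%s-%s MiB log=%s-%s MiB/day\n' \
        "$1" "$s" \
        "$(memory_mib "$2" "$s" low)" "$(memory_mib "$2" "$s" high)" \
        "$(log_mib_per_day "$3" low)" "$(log_mib_per_day "$3" high)"
}

# Usage: ./pns-sizing.sh <clients> <instances> <sessions_per_day>
if [ "$#" -eq 3 ]; then
    size_report "$@"
fi
```

The guide's 256-768 MiB figure for 500 sessions in 10 instances is wider than this arithmetic gives (about 261-425 MiB) because it leaves headroom for policy complexity and content filtering buffers, which the script does not model.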

1.2. Hardware requirements for Management Server (MS) and Authentication Server (AS) hosts

MS and AS do not require many resources — a virtual machine can be adequate.

Minimal hardware configuration:

  • Processor: A 64-bit capable x86 processor.

  • Memory: 1 GiB RAM.

  • Hard disk: A minimum of 2 GiB, but a significant amount of additional disk space can be required for logging.

1.3. Hardware requirements for a Content Filtering (CF) host

Content Filtering can consume significantly more resources than a simple PNS host. The exact requirements depend heavily on the actual traffic and the type and extent of the content analysis. In general, use the hardware requirements of PNS hosts.

1.4. Hardware requirements for a Management Console (MC)

Minimal hardware configuration:

  • OS: MC runs on GNU/Linux platforms, and on Microsoft Windows.

  • Processor: A 64-bit capable x86 processor.

  • Memory: 512 MiB RAM.

  • Hard disk: A minimum of 100 MiB disk space is required.

Chapter 2. Account requirements

This section describes the details on the account types that will be required at certain points of the installation or upgrade process.

2.1. Personal account

You will need a personal account to access the following sites:

  • download.balasys.eu

  • upload.balasys.hu

  • support.balasys.hu

The personal account is also used to download files manually.

To register a personal account, send an email to with the following personal data:

  • full name

  • phone number

  • company name

  • job title

Note

During a product evaluation period, the Sales Department grants time-limited access rights for the personal account.

After closing a sales process, access is granted for the required number of employees of the organization and a technical account is created. For details on a technical account, see Section 2.2, Technical account.

2.2. Technical account

You will need a BalaSys Support System technical account to access the following sites:

  • apt.balasys.eu

The technical account is not used for manual access, but for machine access. For example, it is used to upgrade PNS hosts using APT.

Note

During a product evaluation period, creating a technical account is not possible.

After closing a sales process, a technical account is created automatically.

Chapter 3. Installing PNS on an existing Ubuntu server

This chapter describes how to turn an existing Ubuntu server into a PNS host.

Before starting the installation, advance planning is necessary for a successful firewall implementation. All the critical network parameters, such as firewall IP addresses, routing topology, DNS hierarchy, and so on must be known in advance.

The following IP addresses are particularly important:

  • IP address of the PNS host.

  • IP address of the MS host.

  • IP address of MC.

In addition, you must prepare the following:

  1. Define firewall administration roles with a corresponding password policy.

  2. Define a number of passwords that protect various elements of the system.

  3. Record these passwords (according to the security policy of your organization) and keep them safe for later use.

Note

PNS must be installed on Ubuntu 22.04 LTS.

3.1. Procedure – Installing Ubuntu Server

Purpose: 

To install Ubuntu Server, complete the following steps.

Prerequisites: 

Steps: 

  1. Download Ubuntu 22.04 LTS from the Ubuntu Server downloads page.

  2. Write the installer to an installer medium. This is typically a USB drive.

  3. Boot the system from the installer media and select the following options:

    • Ubuntu Server (default install).

    • Use an entire disk (Set up this disk as an LVM group).

    • Install OpenSSH server.

3.2. Procedure – Installing PNS on a Ubuntu server

Purpose: 

If you want to install PNS on an existing Ubuntu server, complete the following steps.

Prerequisites: 

  • An already installed Ubuntu 22.04 LTS server. Install only services and applications that you absolutely need. For details on installing Ubuntu Server, see Procedure 3.1, Installing Ubuntu Server.

  • Ensure that you have a working BalaSys Support System registration and that have downloaded the required PNS license files.

Steps: 

  1. Login to the host as root from a local console or using SSH.

  2. Update your system and upgrade the PNS-related packages. This is important, because there might be newer packages available. To update your system, enter the following commands:

    sudo apt update
    sudo apt dist-upgrade

    Note that during this step, some packages may be downgraded. This is normal.

  3. Create the following mount point for the PNS install medium:

    sudo mkdir -p /media/cdrom

  4. Mount the PNS install medium to the previous mount point.

    sudo mount /dev/cdrom /media/cdrom -o ro

  5. Add PNS installer package repositories to APT’s list of available sources.

    sudo /media/cdrom/add-pns-installer-apt-repository

  6. Install the PNS components that you want to use on the host by issuing the command sudo apt install <PNS-components-to-install>, replacing the <PNS-components-to-install> part with the package names of the PNS components that you want to use on the host. The following packages are available:

    • PNS Application-level Gateway: The package required for a firewall host. (Package name: pns-product-alg)

    • Management Server: MS — depending on its product license — can be installed on the PNS firewall host or on a separate machine. (Package name: pns-product-ms)

    • Authentication Server: AS enables the authentication of network traffic on the user level at the firewall using password, CryptoCard, S/key, or X.509 methods. Integrating with existing Microsoft Active Directory, LDAP, PAM, and Radius databases is also supported. The module can be installed either together with the PNS and MS modules or separately at a later date. (Package name: pns-product-as)

    • PNS URL Filtering: The package is required for the URL filtering functionality on a firewall host. (Package name: pns-product-urlfilter)

    • Content Filtering: CF is a framework and a uniform interface to manage various built-in and third party content filtering modules (that is, virus and spam filtering engines). The content filtering modules to be installed (in addition to the CF framework) can be selected from the following list. (Package name: pns-product-cf)

      Warning

      The CF framework and the content filtering modules must be installed on the same host.

      • ESET’s NOD32 antivirus engine: This module contains the libraries and virus signature databases needed for using ESET’s NOD32 antivirus engine. (Package name: pns-product-eset)

      • ClamAV Antivirus Scanner: This module contains the libraries and virus signature databases needed for using the ClamAV antivirus engine. (Package name: pns-product-clamav)

      • SpamAssassin spam filter: This module contains the libraries and databases needed for using the SpamAssassin spam filtering engine. (Package name: pns-product-spamassassin)

      • ModSecurity: This module contains the libraries needed for using ModSecurity Web Application Firewall (WAF) engine. (Package name: pns-product-waf)

    For further information on the different modules, see the Chapter 14, Virus and content filtering using CF in Proxedo Network Security Suite 2 Administrator Guide.

    Below are some guidelines about which modules should be installed on the different types of machines.

    • When installing a single firewall (or a node of a cluster) that will be managed from a separate MS host, select only the PNS Application-level Gateway (ALG) component.

    • The third-party modules that can be used by CF must be licensed separately from PNS. Select them only if you have a valid license for them, and only when you are installing the host that will run CF.

    • When installing a MS host that will manage one or more PNS firewalls, but the machine itself will not be used as a firewall, select the Management Server (MS) component.

    • If you will use a single host as the firewall and MS, select the Management Server and the PNS Application-level Gateway components. Also select Content Filtering and its required modules, and the Authentication Server component if you have purchased licenses for them.

    • Authentication Server (AS) is an optional, central authentication service that can be installed on a PNS machine. If you have license for AS select it together with the PNS Application-level Gateway component. This service must be licensed separately.

    Note

    The Management Console and the Authentication Agent applications are client–side components that cannot be installed on PNS hosts. Their installation is discussed in Chapter 5, Installing the Management Console (MC) and Chapter 6, Installing the Authentication Agent (AA), respectively.

    After choosing the modules to install, select Continue.

    Note

    When you continue the installation, some steps may not appear for you, depending on the components you have selected to install.

  7. Remove PNS installer package repositories from APT’s list of available sources.

    sudo /media/cdrom/remove-pns-installer-apt-repository

  8. Unmount the PNS install medium from the file system.

    sudo umount /dev/cdrom

  9. Configure network interface bootstrap by MS.

  10. Reboot the system:

    sudo reboot

  11. Repeat this procedure to install other hosts if needed for your environment.

  12. If you have installed a Management Server (MS), install the Management Console (MC) application on the desktop of your PNS administrators. For details, see Chapter 5, Installing the Management Console (MC).
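The following script is an added example, not part of the BalaSys guide or product, that wraps steps 2 through 8 of the procedure above so that the installer repository is removed and the medium unmounted even when apt install fails half-way, and that rejects mistyped component names and content filtering modules selected without the CF framework (the warning in step 6). It assumes it runs as root (step 1), that add-pns-installer-apt-repository refreshes the package lists itself since the guide goes straight to apt install afterwards, and that the mountpoint utility from util-linux is available; the CDROM_DEV and MOUNT_POINT variables are mine.

```shell
#!/bin/sh
# Added example, not from the BalaSys guide: steps 2-8 of Procedure 3.2 with
# guaranteed cleanup. Package names and the two helper scripts on the install
# medium come from the guide; the device and mount point defaults are assumptions.
set -e

CDROM_DEV=${CDROM_DEV:-/dev/cdrom}
MOUNT_POINT=${MOUNT_POINT:-/media/cdrom}

# Component packages listed in step 6 of the guide.
KNOWN_PACKAGES="pns-product-alg pns-product-ms pns-product-as pns-product-urlfilter
pns-product-cf pns-product-eset pns-product-clamav pns-product-spamassassin
pns-product-waf"

# is_known_package <name>: returns 0 if the name is a PNS component package.
is_known_package() {
    for p in $KNOWN_PACKAGES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# validate_components <pkg>...: reject typos before touching the system and
# enforce that CF modules are installed together with the CF framework.
validate_components() {
    [ "$#" -gt 0 ] || { echo "no components given" >&2; return 1; }
    need_cf=0; have_cf=0
    for c in "$@"; do
        is_known_package "$c" || { echo "unknown component: $c" >&2; return 1; }
        case "$c" in
            pns-product-cf) have_cf=1 ;;
            pns-product-eset|pns-product-clamav|pns-product-spamassassin|pns-product-waf)
                need_cf=1 ;;
        esac
    done
    if [ "$need_cf" -eq 1 ] && [ "$have_cf" -eq 0 ]; then
        echo "content filtering modules require pns-product-cf on the same host" >&2
        return 1
    fi
    return 0
}

# cleanup: runs on every exit once the medium is mounted; performs steps 7
# and 8 so a failed install never leaves the installer repository behind.
cleanup() {
    if [ -x "$MOUNT_POINT/remove-pns-installer-apt-repository" ]; then
        "$MOUNT_POINT/remove-pns-installer-apt-repository" || true
    fi
    mountpoint -q "$MOUNT_POINT" && umount "$MOUNT_POINT"
}

# install_pns <pkg>...: steps 2-6 of the guide; cleanup covers 7 and 8.
install_pns() {
    validate_components "$@"
    apt update
    apt dist-upgrade            # some packages may be downgraded here; normal
    mkdir -p "$MOUNT_POINT"
    mount "$CDROM_DEV" "$MOUNT_POINT" -o ro
    trap cleanup EXIT
    "$MOUNT_POINT/add-pns-installer-apt-repository"   # assumed to refresh lists
    apt install "$@"
}

# Usage (as root): ./install-pns.sh pns-product-alg [pns-product-ms ...]
if [ "$#" -gt 0 ]; then
    install_pns "$@"
fi
```

Steps 9 to 12 (interface bootstrap by MS, reboot, further hosts, MC installation) remain manual.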

3.3. Overview of the installation process

The installation process can be divided into three main parts:

  • Configuring native services and the PNS modules: This phase installs and configures the components of PNS (for example MS, AS, and so on). Numerous other services (like the mail transfer agent (Postfix), Secure Shell and IPSec access, and so on) are also configured in this phase. See Section 4.1, Configuring PNS modules for details.

  • Installing MC: In order to access the Management Server (MS) remotely using the Management Console (MC), MC has to be installed on the machine from which PNS hosts will be administered. The IP address of this machine has to be known in advance, as during the installation MS has to be configured to accept connections from this machine. See Chapter 5, Installing the Management Console (MC) for details.

PNS has an easy-to-use text-based installer built on debconf, requiring only a keyboard (a mouse is neither needed nor supported by the installer). Navigation between the different options of a screen is possible using the cursor keys. The selected action (for example, Go back or Continue) is highlighted in red. When multiple selection is possible (for example, when selecting the PNS modules to be installed), use the space bar to select or deselect an item.

3.4. Reconfiguring already installed packages

If certain packages have been configured or installed incorrectly, use the dpkg-reconfigure <package-name> command (for example, dpkg-reconfigure strongswan).

Chapter 4. Configuring PNS components

4.1. Configuring PNS modules

4.1.1. Procedure – Configuring Postfix

Purpose: 

PNS uses Postfix as a native service for handling emails. A mail transfer agent (MTA) must be installed on the machine, at least for delivering locally generated messages.

Steps: 

  1. Select the mail server configuration that best meets your needs. The following options are available:

    Figure 4.1. Postfix Configuration - General


    • No configuration: No configuration changes will be done. Use this option if a working Postfix configuration is already available on the host, or if you wish to configure Postfix manually from MC.

    • Internet Site: Sending and receiving mails is possible by using SMTP directly. This option is suitable in the most common scenarios.

    • Internet with smarthost: Mails are received either by using SMTP directly or by running a utility such as fetchmail. Outgoing messages are sent through another machine (a smarthost).

    • Satellite system: No mail is received locally. Root and postmaster mails are handled according to /etc/aliases. All messages are sent to another machine (a smarthost) for delivery.

    • Local only: Mails are only delivered locally on the machine for local users. There is no network.

  2. Enter the name that should appear in the domain part of the outgoing mail (that is, after the @ character). This name will also be used by other programs. It should be the fully qualified domain name (FQDN).

    Figure 4.2. Postfix Configuration - mail name


4.1.2. Procedure – Configuring the pns-common package

Purpose: 

If you are installing CF, then configure the vavupdate tool that updates the databases of the virus filtering engines:

Steps: 

  1. HTTP proxy: The vavupdate application can download database updates through HTTP. Type the URL of the HTTP proxy to be used (or leave blank if the updates can be downloaded directly without using a proxy server).

    Figure 4.3. Configuring pns-common - Configuring the HTTP proxy for database updates


  2. Send update logs in email: vavupdate can send the logs of the periodic antivirus (AV) update to the administrator through email. Type the address of the administrator and the subject to be used in these emails. If you do not want email notifications, leave it blank.

    Figure 4.4. Configuring pns-common - Specifying the administrator's email address


    Note

    It is not advised to use a personal email address. Instead, use the address of a shared mailbox that is accessible to the administrators concerned, or the address of a mailing list. In this way, more than one administrator can be notified at the same time, and the archive of the messages can be accessed by more than one administrator.

  3. Specifying email prefix: vavupdate can add a prefix to the subject of the emails it sends to make sorting the messages easier for the administrator. Type a prefix (for example, the name of the host in square brackets), or leave the field blank. You can use command substitution with backticks (`) to include the output of any Linux shell command in the subject. The command is run before sending the email, and its output becomes the prefix of the subject.

    Note

    This setting can only be changed manually later. Therefore, make sure that you enter a value that you will not want to change.

    As a best practice, use a command rather than a fixed name. A command dynamically follows the changes to your infrastructure, whereas a fixed name does not. For example, if you use the host name myhost1 and later rename the host to myhost2, you will still receive emails with the myhost1 prefix, which can be confusing.

    Figure 4.5. Configuring pns-common - Specifying a prefix for the administrator's email messages


    In practice, it can be used in your mail client (or on the mail server) to move these mails (with the given prefix) automatically to a subfolder in the inbox. Also, it can be used to differentiate between emails originating from several firewalls. This can be especially useful if, for example, you have several firewalls and you want to easily identify the firewall that had an unsuccessful update.

    Example 4.1. 

    For example, if you use hostname --long as prefix, you can later determine the exact origin of the message from the prefix, because it will display the Fully Qualified Domain Name (FQDN) of the host.

    Note

    If you want to change this setting later, you can reconfigure pns-common with the following terminal command:

    dpkg-reconfigure pns-common

  4. Verbosity level of vavupdate: Select the level of verbosity of vavupdate.

    First the vavupdate options are displayed:

    Figure 4.6. Configuring pns-common - Configuring the verbosity of vavupdate log level


    Each level includes the logs of the levels above, for example, verbose will include all errors and successful update messages too.

    • none: Logging is disabled.

    • errors: Only error messages are logged.

    • normal: Error messages and successful updates are logged.

    • verbose: Detailed logging.

    • all: Everything is logged, including the output of the update programs of ClamAV and/or NOD32.

  5. Specify the firewall's BalaSys Support System technical account username and password to enable the firewall to access the PNS repository and to download the updates.

    Figure 4.7. Configuring pns-common - Specifying the user name for the technical user to access PNS repository

    Figure 4.8. Configuring pns-common - Specifying the technical user’s password to access PNS repository


  6. Configuring vavupdate: Specify the minute of every hour at which the vavupdate process starts. If the necessary licenses have also been purchased for the URL filter database, the upgrade of the URL database is performed as part of the vavupdate process as well; the URL filter database, however, is only upgraded in the hours specified in the next step.

    Figure 4.9. Configuring vavupdate - Specifying the actual minutes for the vavupdate process to start


  7. Specify the timing for the URL filter database: Provide the hours of the day in which the upgrade of the URL filter database is allowed to take place.

    Figure 4.10. Specifying the exact time for the upgrade


  8. Fill in this field only if it is required (optional step).

    In specific cases, based on an agreement between BalaSys and the customer, the customer has a mirror of the URL filtering database. The location of this mirror database can be specified here.

    In all other cases, leave this field empty.

    Figure 4.11. Configuring pns-common - Updating URL filtering database

  9. Choose the size of the URL filter database.

    At this stage, the administrator can choose the size of the URL filtering database. The database can be a smaller, optimized database (the recommended version) for usual scenarios, which requires 1 GiB storage space and 300 MiB daily update traffic, or a normal database for more extensive scenarios, which requires 6 GiB storage space and 2 GiB daily update traffic. If there are no specific needs, we recommend choosing the optimized database.

    Figure 4.12. Configuring pns-common - Selecting the size of the URL filtering database

  10. Specify the IP address of your MS/MC, depending on the role of your host:

    Figure 4.13. Specifying the IP addresses of the machines running MS/MC

    • Application-level Gateway: The IP address of the MS host used to manage the firewall.

    • Management Server: The IP address of the MC used to manage the MS host (that is, the machines from where the firewall administrators will connect to MS). If managing MS is allowed from multiple hosts, separate the IP addresses of these hosts with spaces.

    Warning

    Make sure that you type the IP addresses of the MS/MC hosts correctly.

    Otherwise, the machine will not be accessible from MS/MC. In this case, you must manually correct the configuration of nftables.

4.1.3. Procedure – Configuring the ESET (NOD32) virus filtering modules

Purpose: 

If you are installing CF with the NOD32 module, complete the following steps:

Steps: 

  1. To delete the virus database if you remove the NOD32 package, select Yes.

    Figure 4.14. Deleting the virus database

  2. To be able to use the NOD32 Scanner effectively, you have to update the NOD32 virus database. The databases of the NOD32 module can be instantly updated from the official ESET webserver if the machine you are installing PNS on has network access.

    To update the NOD32 virus database, select Yes.

    Otherwise, you can start an update using the vavupdate command later.

    Figure 4.15. Updating the virus database

4.1.4. Procedure – Configuring One Time Password for initial connection to MSs

Purpose: 

If the host you are installing will be managed from MS, you have to configure a One Time Password (OTP) for connecting to MS the first time. To configure the initial OTP, complete the following steps.

Steps: 

  1. Type a One Time Password that will be used to connect to MS for the first time. Subsequent connections will be mutually authenticated using X.509 certificates.

    Figure 4.16. Configuring One Time Password

  2. To receive email alerts from MS before a certificate or license used in PNS expires, type the email address of the administrator who will receive these alerts.

    Figure 4.17. Configuring email address for PKI

4.1.5. Procedure – Configuring Management Server (MS)

Purpose: 

To configure Management Server, complete the following steps.

Steps: 

  1. Configure the site name.

    The hosts managed by MS are organized into sites. Use a descriptive name for the site, for example, the name of the company. This will help the administrator distinguish MSs from each other. Enter the site name.

    Figure 4.18. Configuring the site name

  2. Configure the hostname of the MS Engine.

    It is recommended to enter the normal hostname, but do not use FQDN. The default value is VMS-Host.

    Warning

    Make sure to enter the correct hostname, because it is stored in the MS database and is complicated to modify later.

    Figure 4.19. Configuring the hostname of the MS Engine supervising the PNS firewall host

  3. Configure the initial password of the administrator user on MS.

    Enter the MS administrator password. This password is used to log in to MS from the Management Console as an administrator and to configure the PNS firewalls. The default username of the administrator is admin, which can be modified later. The password can be changed later at any time.

    Note

    Make sure to create a password that conforms to the secure password generation standards of your organization.

    Store the password in a secure way.

    Figure 4.20. Configuring the initial password of the administrator user on MS

  4. Configure the Certificate Authority of MS.

    Enter a secure password for the Certificate Authority (CA) of MS. This password will be used as the passphrase of the initial CA certificate.

    Note

    Make sure to create a password that conforms to the secure password generation standards of your organization.

    Store the password in a secure way.

    Warning

    Make sure to enter the correct CA password. It is difficult to change the CA password later and requires regenerating the whole CA chain.

    Figure 4.21. Specifying the CA password of MS

  5. Create the root Certificate Authority.

    MS includes public key infrastructure (PKI) management to ensure that each element of the firewall system (MS module, VPNs, users) can be authenticated with X.509 certificates. During this stage of the installation the root CA is created and configured. Provide the following parameters.

    Figure 4.22. Creating the root Certificate Authority

    Warning

    Do not use accented characters. They are not supported in the X400/X500 standard.

    • Country ID: two characters only. For example, US, DE, HU.

    • State: Optional. United States (US) only. For example, Nevada.

    • City: Optional. For example, Las Vegas.

    • Company name: Optional. For example, Example Ltd.

    • Department name: Optional. For example, IT department.

4.1.6. Installing the electronic license keys

Besides the license file(s), no online activation or similar activity is required.

Warning

PNS and its components will not operate without the new license files.

If you fail to install the new licenses during the upgrade, you must copy the license files to the host manually to the following locations:

  • PNS Application-level Gateway (ALG): /etc/vela/license.txt

  • Management Server (MS): /etc/vms/license.txt

  • Content Filtering (CF): /etc/vcf/license.txt

  • Authentication Server (AS): /etc/vas/license.txt

Note

When accessing the licenses, the directory structure is important: for each licensed PNS component, there is a separate subdirectory named after the component (for example, PNS, MS, AS) containing a license file named license.txt. Make sure that all file and directory names are in lowercase. When downloading the licenses from an internal web server, the same directory structure must be reproduced on the server. These directories do not need to be placed in the root folder of the web server; a virtual directory is also suitable.

The license files of 3rd-party engines are not necessarily called license.txt.

4.2. Procedure – Upgrading PNS hosts using apt

Purpose: 

All the components of PNS can be upgraded using the standard apt tools. When used on Debian GNU/Linux systems, the Management Console (MC) and Authentication Agent (AA) client-side applications can be upgraded using apt as well. On Microsoft Windows and other Linux platforms, upgrades to these applications must be downloaded manually from BalaSys downloads. To perform an upgrade, complete the following steps.

Prerequisites: 

You will need a BalaSys Support System technical account to perform the upgrade. You can register a technical account by sending an email to with the following personal data:

  • full name

  • phone number

  • company name

  • job title

Make sure to remember your technical account credentials, because you will be asked to enter them during the installation of any PNS component. Later, the APT configuration file /etc/apt/auth.conf is generated automatically using these credentials.

After registering an account, send an email with the subject REQUESTING ACCESS TO PNS UPGRADES to so that you receive the user rights required for downloading software updates.

Steps: 

  1. Log in to the host locally, or remotely using SSH.

  2. Issue the following commands: apt update; apt -u dist-upgrade. The host will download and install the new and updated packages.

    Note

    If for any reason you do not want to install new packages, use the apt update; apt -u upgrade command. That way packages are only upgraded; new packages are not installed. Dependencies that are not installed are listed in the output of the command as kept-back packages. (Such packages can be installed by issuing the apt -u dist-upgrade command.)

Chapter 5. Installing the Management Console (MC)

After successfully installing the server-side components, you have to install the Management Console on the client. The Management Console (MC) is available for Microsoft Windows and GNU/Linux platforms. The Microsoft Windows version is a single .msi install file and the GNU/Linux version is a generic AppImage (a .AppImage package). Both versions are available on the PNS Installation DVD. Updates for MC can be downloaded from BalaSys downloads.

The Microsoft Windows and GNU/Linux versions are identical in look-and-feel, they are both built with the GTK Toolkit. Therefore, choosing a platform is only a matter of preference.

There are no license restrictions on the number of MCs you can install or run. Therefore, multiple management locations are possible.

Note

It is important to remember that the MC machine must always connect to the MS host and not the PNS firewall itself. The MS host must be reachable. The MS host, in turn, must be able to communicate with the management agents installed on the PNS firewall host.

The following platforms are supported:

  • Windows 10 LTSB (Long-Term Servicing Branch)

  • Windows Server 2016, 2019

  • Ubuntu 22.04 LTS

MC is distributed as a portable AppImage package on GNU/Linux platforms without needing superuser permissions to install the application.

Note

To run AppImages, your system may need the FUSE (Filesystem in Userspace) library version 2 (package libfuse2 on Ubuntu 22.04 LTS). Install it by issuing the sudo apt install libfuse2 command from a terminal. Do not install the entire fuse package (FUSE version 2), as it would break systems with FUSE version 3 installed!

For further information about AppImage and FUSE, visit https://docs.appimage.org/user-guide/troubleshooting/fuse.html

5.1. Procedure – Using MC on GNU/Linux platforms

Purpose: 

To run MC on a GNU/Linux system, complete the following steps.

Steps: 

  1. Make the AppImage file executable:

    • In the terminal, enter the following command: chmod a+x management-console-2.0.0-x86_64.AppImage.

  2. Run the AppImage file:

    • In the terminal, enter the following command: ./management-console-2.0.0-x86_64.AppImage.

    Chapter 6. Installing the Authentication Agent (AA)

    This section describes the installation and configuration of the Authentication Agent on Microsoft Windows and GNU/Linux platforms. The Authentication Agent has to be installed on every computer having access to authenticated services.

    The agent has two components:

    1. Authentication Agent Multiplexer: It is a daemon running in the background, accepting the connections coming from PNS and verifying the TLS certificates of PNS (if the communication is encrypted). In a multi-user environment the Multiplexer displays the dialog of the Authentication Agent on the desktop of the user initiating a connection requiring authentication.

    2. Authentication Agent: This application collects the information required for the authentication, for example, the username, authentication method, password, and so on.

    The following platforms are supported:

    • Windows 10 LTSB (Long-Term Servicing Branch)

    • Windows Server 2016, 2019

    • Ubuntu 22.04 LTS

    AA is distributed as a portable AppImage package on GNU/Linux platforms without needing superuser permissions to install the application.

    6.1. Installing the Authentication Agent on Microsoft Windows platforms

    6.1.1. Procedure – Installing the Authentication Agent on Microsoft Windows

    Purpose: 

    The Authentication Agent (AA) installer is located in the \platforms\windows\ folder of the PNS CD-ROM, its latest version is also available from the BalaSys website.

    The installer is available as a Windows Installer Package (.msi).

    Steps: 

    1. Place the PNS CD-ROM into the CD drive and start the authentication-agent-<version>.msi file located in the \platforms\windows\ folder.

      Warning

      Administrator privileges are required to install the application.

    2. Check I accept the terms in the License Agreement to accept the End-User License Agreement, which is displayed after the installer starts. Click Next to continue the installation process. To cancel the installation at any time during the process, click Cancel.

      Figure 6.1. Accepting the EULA

    3. Select the destination folder for the application and click Next to continue. The default folder is C:\Program Files\auth-agent.

      Figure 6.2. Selecting the destination folder

    4. Optional step: Click the ... button, select the CA certificate to import, then click Open to import the CA certificate.

      Note

      For authentication purposes, when PNS communicates with AA, AA expects TLS-encrypted communication. For details, see Section 4.1.1, Registry entries on Microsoft Windows platforms in Authentication Agent Manual and Section 4.1, Configuring Authentication Agent on Microsoft Windows platforms in Authentication Agent Manual.

      If the Authentication Agent and PNS communicate through a TLS-encrypted channel (recommended), the certificate of the Certificate Authority (CA) signing the certificates of the PNS firewalls can be imported to the Authentication Agent Multiplexer's certificate store.

      Note

      The CA certificate has to be in DER or PEM format (with typical file extensions *.der, *.pem, *.crt, *.cert). It is not necessary to import the certificate during the installation; it can also be done later. For details about encrypting the agent-PNS authentication, see Section 4.1.3, Configuring TLS connections on Microsoft Windows platforms in Authentication Agent Manual.

      Figure 6.3. Importing the CA certificate

    5. Click Install to start the installation process. The installer copies the required files and registers the service called Authentication Agent Multiplexer, which is started after the registration.

      Figure 6.4. Ready to start installation

    6. After the installer has completed the above steps, click Finish.

    7. The Authentication Agent (AA) logo is displayed on the system tray, indicating that the application is running. It is also started automatically after each Windows startup.

    6.1.2. Procedure – Installing Authentication Agent with Group Policy Object (GPO) deployment

    Prerequisites: 

    • Create the necessary certificates as instructed in section Procedure 11.3.8.2, Creating certificates in Proxedo Network Security Suite 2 Administrator Guide.

    • Set the parameters for the AS certificate.

    • Export the CA certificate signed by AS in DER format for the Windows client.

    Steps: 

    1. Download the .msi installer. The browser application or Windows Defender Cloud might send a notification or a warning because the installer program is new and unknown; this can be disregarded.

    2. Install the Windows Client and import the CA certificate during the installation. Reboot the system, if it is necessary.

    3. Define the preferences with the help of the GUI or via the registry.

    4. Test the expected behaviour by initiating traffic.

    5. Export the following registries:

      • Export the HKEY_CURRENT_USER\Software\Balasys\AuthAgent registry to the hlcuaa.reg file, which contains the user settings for AA. The result shall be as follows:

        Windows Registry Editor Version 5.00
        
        [HKEY_CURRENT_USER\Software\Balasys]
        
        [HKEY_CURRENT_USER\Software\Balasys\AuthAgent]
        "HasPreferences"=dword:00000000
        "TLS"=dword:00000001
        "Automatic"=dword:00000001
        "Details"=dword:00000000
        "CanRemember"=dword:00000001
        "ForgetPassword"=dword:00000000
        "ForgetPasswordInterval"=dword:00000001
      • Export the HKEY_LOCAL_MACHINE\SOFTWARE\Balasys\AuthAgent, which contains the AA Multiplexer settings, into the hklmaa.reg file. The result shall be as follows:

        Windows Registry Editor Version 5.00
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Balasys]
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Balasys\AuthAgent]
        "InstallLang"="1033"

        The service private certificate store, used by the AA Multiplexer, can also be deployed as a registry key.

      • Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd registry to the hklmaacert.reg file. The result shall be as follows:

        Windows Registry Editor Version 5.00
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd]
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd\SystemCertificates]
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd\SystemCertificates\My]
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd\SystemCertificates\My\Certificates]
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\auth-agent-mpxd\SystemCertificates\MY\Certificates\6421DCB8501C2E1F15DB8BD3A94F435C01DB7CD3]
        "Blob"=hex:03,00,00,00,01,00,00,00,14,00,00,00,64,21,dc,b8,50,1c,2e,1f,15,db,\
          ...
          ...
          ...
          ...
          ...
          64,0a,87,e9,45,99,04,9e,28,cb,c0,6c,2a,e5,c7,cb,ce,29,d8,b1,e1

        Note

        Note that there can be several empty paths created by the system automatically, which can be included safely.

      For further details on registries, see Section 4.1.1, Registry entries on Microsoft Windows platforms in Authentication Agent Manual.

      As a result, there will be four registries exported.

    6. Switch to the GPO administrator system, download the AA .msi installer and place it in the Windows share where the other remotely installed applications are stored.

    7. Continue with the procedures detailed in section Procedure 4.1.5, Configuring Group Policy Object (GPO) deployment in Authentication Agent Manual.
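    Before the exported .reg files are pushed to every client by GPO, it is worth checking that the user settings actually enforce TLS towards PNS. The following parser and check is an added example, not code from the guide or from BalaSys; the sample export is constructed here with "TLS" deliberately switched off, and the list of expected value names is taken from the hlcuaa.reg sample above.

```python
"""Validate an exported Authentication Agent hlcuaa.reg file before GPO deployment."""
import re

# Constructed sample of the HKCU user-settings export (the guide's hlcuaa.reg),
# with the TLS flag deliberately set to 0 so that the check has something to find.
SAMPLE_HKCU_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Balasys]

[HKEY_CURRENT_USER\\Software\\Balasys\\AuthAgent]
"HasPreferences"=dword:00000000
"TLS"=dword:00000000
"Automatic"=dword:00000001
"Details"=dword:00000000
"CanRemember"=dword:00000001
"ForgetPassword"=dword:00000000
"ForgetPasswordInterval"=dword:00000001
"""

AA_USER_KEY = "HKEY_CURRENT_USER\\Software\\Balasys\\AuthAgent"
# Value names present in the guide's sample user-settings export.
EXPECTED_USER_VALUES = ("HasPreferences", "TLS", "Automatic", "Details",
                        "CanRemember", "ForgetPassword", "ForgetPasswordInterval")


def parse_reg(text):
    """Parse a Regedit 5.00 export (already decoded to str) into
    {key_path: {value_name: value}}. dword values become ints, quoted strings
    stay str, hex blobs become bytes. A hex line ending in a backslash continues
    on the next line, as in the certificate-store export above."""
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Regedit 5.00 export")
    # Join backslash-continued hex lines before parsing line by line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # empty keys are kept (they are harmless)
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            raise ValueError("unparseable line: %r" % raw)
        name, rhs = m.groups()
        if rhs.startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        elif rhs.startswith("hex:"):
            keys[current][name] = bytes(int(b, 16) for b in rhs[4:].split(",") if b)
        elif rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = rhs[1:-1]
        else:
            raise ValueError("unsupported value type on line: %r" % raw)
    return keys


def check_aa_user_settings(text):
    """Return a list of findings for an hlcuaa.reg export; an empty list means OK."""
    findings = []
    keys = parse_reg(text)
    settings = keys.get(AA_USER_KEY)
    if settings is None:
        return ["missing key " + AA_USER_KEY]
    # TLS must be on so that the agent only talks to PNS over an encrypted channel.
    if settings.get("TLS") != 1:
        findings.append('"TLS" is not dword:00000001')
    for name in EXPECTED_USER_VALUES:
        if name not in settings:
            findings.append('missing value "%s"' % name)
    # Anything outside the AA subtree would be pushed to every client by the GPO.
    for path in keys:
        if not path.startswith("HKEY_CURRENT_USER\\Software\\Balasys"):
            findings.append("unexpected key " + path)
    return findings


if __name__ == "__main__":
    for finding in check_aa_user_settings(SAMPLE_HKCU_REG):
        print("FINDING:", finding)
```

    Regedit writes its exports as UTF-16 with a byte-order mark, so decode the file with that encoding before passing its contents to check_aa_user_settings.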

    6.2. Procedure – Using AA on GNU/Linux platforms

    Purpose: 

    To run AA on a GNU/Linux system, complete the following steps.

    Steps: 

    1. Make the AppImage file executable:

      • In the terminal, enter the following command: chmod a+x authentication-agent-2.0.0-x86_64.AppImage.

    2. Run the AppImage file:

      • In the terminal, enter the following command: ./authentication-agent-2.0.0-x86_64.AppImage.

    Appendix A. Further readings

    The following is a list of recommended readings concerning various parts of PNS administration.

    Note

    Note that URLs can change over time. The URLs of the online references were valid at the time of writing.

    A.1. PNS-related material

    A.3. Postfix documentation

    • Blum, Richard. Postfix. SAMS Publishing, 2001. ISBN: 0672321149

    • Dent, Kyle D. Postfix: The Definitive Guide. O'Reilly Associates, 2004. ISBN: 0596002122

    A.4. BIND Documentation

    A.5. NTP references

    A.6. SSH resources

    A.7. TCP/IP Networking

    • Stevens, W., and Wright, Gary. TCP/IP Illustrated: Volumes 1-3. Addison-Wesley, 2001. ISBN: 0201776316

    • Mann, Scott. Linux TCP/IP Network Administration. Prentice Hall, 2002. ISBN: 0130322202

    A.8. Netfilter/nftables

    A.9. General security-related resources

    • Garfinkel, Simson, et al. Practical UNIX and Internet Security, 3/E. O'Reilly Associates, 2003. ISBN: 0596003234

    A.10. syslog-ng references

    A.11. Python references

    A.13. Virtual Private Networks (VPN)

    • Wouters, Paul, and Bantoft, Ken. Openswan: Building and Integrating Virtual Private Networks. Packt Publishing, 2006. ISBN: 1904811256

    • Feilner, Markus. OpenVPN: Building and Integrating Virtual Private Networks. Packt Publishing, 2006. ISBN: 190481185X

    Appendix B. Proxedo Network Security Suite End-User License Agreement

    (c) BalaSys IT Security.

    B.1. 1. SUBJECT OF THE LICENSE CONTRACT

    1.1 This License Contract is entered into by and between BalaSys and Licensee and sets out the terms and conditions under which Licensee and/or Licensee's Authorized Subsidiaries may use the Proxedo Network Security Suite under this License Contract.

    B.2. 2. DEFINITIONS

    In this License Contract, the following words shall have the following meanings:

    2.1 BalaSys

    Company name: BalaSys IT Security.

    Registered office: H-1117 Budapest, Alíz Str. 4.

    Company registration number: 01-09-687127

    Tax number: HU11996468-2-43

    2.2. Words and expressions

    Annexed Software

    Any third party software that is not a BalaSys Product contained in the install media of the BalaSys Product.

    Authorized Subsidiary

    Any subsidiary organization: (i) in which Licensee possesses more than fifty percent (50%) of the voting power and (ii) which is located within the Territory.

    BalaSys Product

    Any software, hardware or service licensed, sold, or provided by BalaSys including any installation, education, support and warranty services, with the exception of the Annexed Software.

    License Contract

    The present Proxedo Network Security Suite License Contract.

    Product Documentation

    Any documentation referring to the Proxedo Network Security Suite or any module thereof, with special regard to the reference guide, the administration guide, the product description, the installation guide, user guides and manuals.

    Protected Hosts

    Host computers located in the zones protected by Proxedo Network Security Suite, that means any computer bounded to network and capable to establish IP connections through the firewall.

    Protected Objects

    The entire Proxedo Network Security Suite including all of its modules, all the related Product Documentation; the source code, the structure of the databases, all registered information reflecting the structure of the Proxedo Network Security Suite and all the adaptation and copies of the Protected Objects that presently exist or that are to be developed in the future, or any product falling under the copyright of BalaSys.

    Proxedo Network Security Suite

    Application software BalaSys Product designed for securing computer networks as defined by the Product Description.

    Warranty Period

    The period of twelve (12) months from the date of delivery of the Proxedo Network Security Suite to Licensee.

    Territory

    The countries or areas specified above in respect of which Licensee shall be entitled to install and/or use Proxedo Network Security Suite.

    Take Over Protocol

    The document signed by the parties which contains

    a) identification data of Licensee;

    b) ordered options of Proxedo Network Security Suite, number of Protected Hosts and designation of licensed modules thereof;

    c) designation of the Territory;

    d) declaration of the parties on accepting the terms and conditions of this License Contract; and

    e) declaration of Licensee that is in receipt of the install media.

    B.3. 3. LICENSE GRANTS AND RESTRICTIONS

    3.1. For the Proxedo Network Security Suite licensed under this License Contract, BalaSys grants to Licensee a non-exclusive, non-transferable, perpetual license to use such BalaSys Product under the terms and conditions of this License Contract and the applicable Take Over Protocol.

    3.2. Licensee shall use the Proxedo Network Security Suite in the configuration and in the quantities specified in the Take Over Protocol within the Territory.

    3.3. On the install media all modules of the Proxedo Network Security Suite will be presented, however, Licensee shall not be entitled to use any module which was not licensed to it. Access rights to modules and IP connections are controlled by an "electronic key" accompanying the Proxedo Network Security Suite.

    3.4. Licensee shall be entitled to make one back-up copy of the install media containing the Proxedo Network Security Suite.

    3.5. Licensee shall make available the Protected Objects at its disposal solely to its own employees and those of the Authorized Subsidiaries.

    3.6. Licensee shall take all reasonable steps to protect BalaSys's rights with respect to the Protected Objects with special regard and care to protecting it from any unauthorized access.

    3.7. Licensee shall, in 5 working days, properly answer the queries of BalaSys referring to the actual usage conditions of the Proxedo Network Security Suite, that may differ or allegedly differs from the license conditions.

    3.8. Licensee shall not modify the Proxedo Network Security Suite in any way, with special regard to the functions inspecting the usage of the software. Licensee shall install the code permitting the usage of the Proxedo Network Security Suite according to the provisions defined for it by BalaSys. Licensee may not modify or cancel such codes. Configuration settings of the Proxedo Network Security Suite in accordance with the possibilities offered by the system shall not be construed as modification of the software.

    3.9. Licensee shall only be entitled to analyze the structure of the BalaSys Products (decompilation or reverse-engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaSys does not provide such information within 60 days from the receipt of such a request. These user actions are limited to parts of the BalaSys Product which are necessary for concurrent operation.

    3.10. Any information obtained as a result of applying the previous Section

    (i) cannot be used for purposes other than concurrent operation with the BalaSys Product;

    (ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaSys Product;

    (iii) cannot be used for the development, production or distribution of a different software which is similar to the BalaSys Product in its form of expression, or for any other act violating copyright.

    3.11. For any Annexed Software contained by the same install media as the BalaSys Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaSys does not grant any license rights to any Annexed Software.

    3.12. Any usage of the Proxedo Network Security Suite exceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract.

    3.13. The Number of Protected Hosts shall not exceed the amount defined in the Take Over Protocol.

    3.14. Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.

    B.4. 4. SUBSIDIARIES

    4.1 Authorized Subsidiaries may also utilize the services of the Proxedo Network Security Suite under the terms and conditions of this License Contract. Any Authorized Subsidiary utilising any service of the Proxedo Network Security Suite will be deemed to have accepted the terms and conditions of this License Contract.

    B.5. 5. INTELLECTUAL PROPERTY RIGHTS

    5.1. Licensee agrees that BalaSys owns all rights, titles, and interests related to the Proxedo Network Security Suite and all of BalaSys's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaSys Products.

    5.2. The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease.

    5.3. The BalaSys Products are licensed only for internal business purposes in every case, under the condition that such license does not convey any license, expressly or by implication, to manufacture, duplicate or otherwise copy or reproduce any of the BalaSys Products.

    No other rights than expressly stated herein are granted to Licensee.

    5.4. Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaSys may request, to inform them of and assure compliance with the restrictions contained in the License Contract.

    B.6. 6. TRADE MARKS

    6.1. BalaSys hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaSys Products in the Territory in accordance with the terms and for the duration of this License Contract.

    6.2. BalaSys makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties in the Territory.

    B.7. 7. NEGLIGENT INFRINGEMENT

    7.1. In case of negligent infringement of BalaSys's rights with respect to the Proxedo Network Security Suite, committed by violating the restrictions and limitations defined by this License Contract, Licensee shall pay liquidated damages to BalaSys. The amount of the liquidated damages shall be twice as much as the price of the BalaSys Product concerned, on BalaSys's current Price List.

    B.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION

    8.1. BalaSys shall pay all damages, costs and reasonable attorney's fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee's authorized use of the BalaSys Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaSys in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaSys in connection with the defense of that claim. BalaSys shall have sole control of that defense (including without limitation the right to settle the claim).

    8.2. If Licensee is prohibited from using any BalaSys Product due to an infringement claim, or if BalaSys believes that any BalaSys Product is likely to become the subject of an infringement claim, BalaSys shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaSys Product, (ii) replace or modify the BalaSys Product so as to make such BalaSys Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaSys Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee's return of such BalaSys Product to BalaSys.

    8.3. Notwithstanding the above, BalaSys will have no liability for any infringement claim to the extent that it is based upon:

    (i) modification of the BalaSys Product other than by BalaSys,

    (ii) use of the BalaSys Product in combination with any product not specifically authorized by BalaSys to be combined with the BalaSys Product or

    (iii) use of the BalaSys Product in an unauthorized manner for which it was not designed.

    B.9. 9. LICENSE FEE

    9.1. The number of the Protected Hosts (including the server as one host), the configuration and the modules licensed shall serve as the calculation base of the license fee.

    9.2. Licensee acknowledges that payment of the license fees is a condition of lawful usage.

    9.3. License fees do not contain any installation or post charges.

    B.10. 10. WARRANTIES

    10.1. BalaSys warrants that during the Warranty Period, the optical media upon which the BalaSys Product is recorded will not be defective under normal use. BalaSys will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaSys Product, BalaSys will at its option, deliver a replacement BalaSys Product or BalaSys's current equivalent to Licensee at no additional cost. BalaSys will bear the delivery charges to Licensee for the replacement Product.

    10.2. In case of installation by BalaSys, BalaSys warrants that during the Warranty Period, the Proxedo Network Security Suite, under normal use in the operating environment defined by BalaSys, and without unauthorized modification, will perform in substantial compliance with the Product Documentation accompanying the BalaSys Product, when used on that hardware for which it was installed, in compliance with the provisions of the user manuals and the recommendations of BalaSys. The date of the notification sent to BalaSys shall qualify as the date of the failure. Licensee shall do its best to mitigate the consequences of that failure. If, during the Warranty Period, the BalaSys Product fails to comply with this warranty, and such failure is reported by Licensee to BalaSys within the Warranty Period, BalaSys's sole obligation and liability for breach of this warranty is, at BalaSys's sole option, either:

    (i) to correct such failure,

    (ii) to replace the defective BalaSys Product or

    (iii) to refund the license fees paid by Licensee for the applicable BalaSys Product.

    B.11. 11. DISCLAIMER OF WARRANTIES

    11.1. EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALASYS MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE Proxedo Network Security Suite. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALASYS EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.

    B.12. 12. LIMITATION OF LIABILITY

    12.1. SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALASYS BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE Proxedo Network Security Suite EVEN IF BALASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    12.2. IN NO CASE SHALL BALASYS'S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE Proxedo Network Security Suite LICENSED UNDER THIS LICENSE CONTRACT.

    B.13. 13. DURATION AND TERMINATION

    13.1. This License Contract shall come into effect on the date of signature of the Take Over Protocol by the duly authorized representatives of the parties.

    13.2. Licensee may terminate the License Contract at any time by written notice sent to BalaSys and by simultaneously destroying all copies of the Proxedo Network Security Suite licensed under this License Contract.

    13.3. BalaSys may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.

    B.14. 14. AMENDMENTS

    14.1. Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorised representative of the parties to it.

    B.15. 15. WAIVER

    15.1. The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.

    B.16. 16. SEVERABILITY

    16.1. If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.

    B.17. 17. NOTICES

    17.1. Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).

    B.18. 18. MISCELLANEOUS

    18.1. Headings are for convenience only and shall be ignored in interpreting this License Contract.

    18.2. This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaSys's prior written consent. This consent shall not be unreasonably withheld or delayed.

    18.3. An independent third party auditor, reasonably acceptable to BalaSys and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee's relevant records in order to confirm that usage of the Proxedo Network Security Suite complies with the terms and conditions of this License Contract. BalaSys shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee.

    18.4. This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof. Any modification of this License Contract must be in writing and signed by both parties.

    Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

    THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

    1. Definitions

      1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.

      2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.

      3. "Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.

      4. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.

      5. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.

      6. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.

      7. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.

      8. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.

      9. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.

    2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.

    3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:

      1. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,

      2. to Distribute and Publicly Perform the Work including as incorporated in Collections.

      The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).

    4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:

      1. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.

      2. You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.

      3. If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (for example a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.

      4. For the avoidance of doubt:

        1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;

        2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,

        3. Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).

      5. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.

    5. Representations, Warranties and Disclaimer. UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.

    6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    7. Termination

      1. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.

      2. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.

    8. Miscellaneous

      1. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.

      2. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.

      3. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.

      4. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.

      5. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.