
Astaro Security Gateway V7

Astaro Certified Engineer

Courseware Version EN-V7.00-0.16

Astaro 2007 / ACE_V7.00-0.16

Astaro Security Gateway V7 - Astaro Certified Engineer Page 1

DISCLAIMER

All rights reserved. This product and related documentation are protected by copyright and distribution under licensing
restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means,
or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other
purpose is in violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or
omissions and makes no explicit or implied claims to the validity of this information. This document and features described
herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither
Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability,
loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a
term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product
manuals for complete trademark information.



Before we start over

/ Let's introduce ourselves!
Your name, company and responsibility
Your knowledge (networking, security, Linux, Astaro Security Gateway)
Your expectations for the course



Agenda - ACE

DAY ONE
  ASG Overview
    Available Products
    ASG System Architecture
    ASG Security Features
  Introduction to ACC
    Purpose
    Feature Overview
  Refresher ACA
  Networking
    VLAN, Link Aggregation
    Bridging, Uplink Failover
    Policy Routing & OSPF
  Network Security
    Server Load Balancing
    Quality of Service
    Generic-, Socks-, Ident Proxy
  VoIP Security
    H.323
    SIP
  Intrusion Protection
    Configuration
    Implementation Guideline

DAY TWO
  User Authentication
    Users
    Groups
    Authentication
  Web Security
    HTTP Profiles
    Proxy User
    Authentication Setup
  E-mail Security
    SMTP Proxy
    Certificates
    E-mail Encryption
  High Availability
    Active/Passive HA
    Clustering

DAY THREE
  Refresher SSL-VPN
  IPSec VPN
    IPSec Policy Management
    RSA Site to Site VPN
    X.509 Site to Site VPN
    Certificate Management
    Remote Access with ASC



Before we start over

/ Course Layout
Hands-on training scheme: Introduction, Configuration, Summary, LAB, Review

Training hours
Day One: 10:00 a.m. to about 05:00 p.m.
Day Two & Three: 09:00 a.m. to about 04:00 p.m.

Prerequisites
Training setup / LAB environment
Location facilities: parking, restrooms, smoking, breaks, lunch, drinks, Internet access



Before we start over


/ ACE Exam
ACE Certificates & Exams
What is the designation of an Astaro Certified Engineer?
ACE certification signifies that an individual has:
Passed the ACE web-based exam
Demonstrated the knowledge required to implement and configure Astaro Security Gateway with
its extended features

How to become an Astaro Certified Engineer?

By passing a web-based exam.
45 randomly generated questions must be answered within 60 minutes
Training participants get one free attempt at the ACE exam
To log in you will receive a voucher via e-mail shortly after the training
The ACE exam site is available at https://my.astaro.com/training/

How to prepare for the ACE exam?


Actively participate in the training
Study the ACE-Courseware
Work through the Astaro Security Gateway Manual
Configure and test the discussed scenarios in practice



ASG System Overview

Architecture
Open Source Components
Configuration Workflow



ASG System Overview


/ Architecture
Astaro Security Gateway is a blend of open-source, proprietary and OEM technology,
combined to create an all-in-one device that runs as the perimeter security gateway
of a network.
Astaro Security Gateway is built on an integrated management platform that makes it
easy to install and administer a complete security solution.



ASG System Overview


/ Security Features
Astaro Security Gateway, based on Astaro's award-winning Astaro
Security Linux, provides a complete package of 9 perimeter
security applications.

Web Security
  Spyware Protection
  Virus Protection
  Content Filtering

E-mail Security
  Virus Protection for e-mail
  Anti-Spam/Phishing
  E-mail Encryption

Network Security
  Intrusion Protection
  VPN-Gateway
  SPI-Firewall and Proxies


ASG System Overview


/ Available Appliances

Astaro Security Gateway 110/120
  Users: 10 (ASG 110) / unrestricted (ASG 120)
  Environment: home office, small office
  Network ports: 3 x 10/100 Mbps (ASG 110), 4 x 10/100 Mbps (ASG 120)
  Throughput (Mbps): Firewall 100, VPN 30, IPS/IDS 55
  E-mails/day: 350,000
  Concurrent connections: 60,000

Astaro Security Gateway 220
  Users: unrestricted
  Environment: small business, branch office
  Network ports: 8 x 10/100 Mbps
  Throughput (Mbps): Firewall 260, VPN 150, IPS/IDS 120
  E-mails/day: 500,000
  Concurrent connections: 400,000

Astaro Security Gateway 320
  Users: unrestricted
  Environment: medium business, enterprise division
  Network ports: 8 x 10/100/1000 Mbps
  Throughput (Mbps): Firewall 420, VPN 200, IPS/IDS 180
  E-mails/day: 1,000,000
  Concurrent connections: 550,000

Astaro Security Gateway 425
  Users: unrestricted
  Environment: large enterprise headquarters
  Network ports: 10 x 10/100/1000 Mbps, Security Co-Processor
  Throughput (Mbps): Firewall 1200, VPN 265, IPS/IDS 450
  E-mails/day: 1,500,000
  Concurrent connections: 700,000

Astaro Security Gateway 525
  Users: unrestricted
  Environment: large enterprise core networks
  Network ports: 4 x 10/100/1000 Mbps, Security Co-Processor
  Throughput (Mbps): Firewall 3000, VPN 400, IPS/IDS 750
  E-mails/day: 2,200,000
  Concurrent connections: >1,000,000

(Concurrent connection figures: without Mail-Security)

Introduction
/ Astaro Configuration Manager
... is the Configuration Manager that provides a centralized visual command center where
security policies for all Astaro firewall and VPN devices are graphically designed and
their corresponding configurations automatically generated and uploaded.
... combines the popular NP management tools from Solsoft with Astaro's comprehensive
security offerings.
... resolves complex and costly network security problems by unifying, automating and
simplifying the deployment of network security rules.

End of Life: 30.06.2007

Introduction
/ Astaro Report Manager
The Astaro Report Manager is a centralized reporting engine which gives you the ability
to collect and analyze log data from one or more ASG installations.
The Report Manager allows you to create robust drill-down reports in a variety of output
formats like Word, Excel, HTML and PDF.
With advanced attack and event analysis, users can create rules-based alerts which notify
administrators when user-defined thresholds have been passed.

Currently not supported by ASG V7

Introduction
/ Astaro Secure Client
Astaro Secure Client is an easy-to-use remote working software based on the latest VPN
technology.
The software provides smooth integration with a remote network and may be used with any
popular IPSec-compliant gateway.
The Astaro Secure Client software provides strong and transparent authentication and AES
encryption for your network traffic.

ASG System Overview


/ Architecture
ASG is based on Novell/SUSE Linux Enterprise Server 10 (SLES 10).
ASG comes with its own hardened, self-compiled 2.6.x kernel.
SLES 10 RPMs are used, but completely recompiled by Astaro.
All major processes, including the WebGUI, run in chroot environments.
ASG is built upon a number of Open Source projects; many of those are actively developed
in cooperation with Astaro, others are sponsored by Astaro.

Architecture
/ Open Source Module
Open source software is distributed with the source code freely available for alteration
and customization.
It is the collective work of many programmers.
The resulting software can become more useful and, because many people review the code,
freer of holes and bugs.
Astaro leverages the flexibility and innovation of Linux and Open Source.

Configuration
/ Administration Workflow

Every function can be configured and controlled via the WebAdmin interface.
There is no need to interact with any of the other components or the Command Line
Interface (CLI) using a shell like Bash.

Refresher ACA
This chapter provides a brief
refresher for:

Interfaces
NAT
Packet Filtering
DNS



Refresher ACA
/ Setting up Ethernet Interfaces
An Ethernet interface is a standard
10/100/1000 Mbit network card
Things to remember:
Set the correct IP address for each
interface with the correct netmask
Only define one default gateway
Make sure that each interface has
a unique address range in your
environment



Refresher ACA
/ Packetfiltering architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

Packet flow through the netfilter chains (from the slide diagram):

incoming packets
  -> PREROUTING: conntrack, mangle, dnat, spoofdrop
  -> Routing decision
       -> INPUT: mangle, filter, ips
            -> Local Processes (PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache)
            -> OUTPUT: conntrack, mangle, dnat; then mangle, filter, ips
            -> Routing
       -> FORWARD: mangle, filter, ips
  -> POSTROUTING: masquerading, snat, conntrack, mangle, ips
  -> outgoing packets

Tables: Filter, NAT

Refresher ACA
/ Network Address Translation: Masquerading
Used if one (or multiple) internal networks should be hidden behind one official
IP address.
Especially useful if private IP address ranges are used.

(Diagram: internal network with RFC 1918 IP addresses behind the ASG, which presents one
public IP address to the Internet.)

Refresher ACA
/ DNAT & SNAT
Destination Network Address Translation (DNAT) is used if an internal resource should be
accessible via an IP address assigned to the firewall.
Source Network Address Translation (SNAT) is used like masquerading, but allows more
granular settings (for example a fixed source address instead of the interface address).

Note: DNAT occurs before packet filtering takes place. Ensure your packet filter rules use
the translated (internal) address as the destination, not the address of the firewall.

Refresher ACA
/ Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.
ASG automatically creates the correct entries in the INPUT, OUTPUT or FORWARD chain as
necessary.
The rules in the table are ordered. The first rule to match decides what is done with the
packet.
Possible actions are:
Allow
Drop (discard silently)
Reject (discard and send an ICMP error or TCP reset back to the sender)

Any action allows optional logging.

If no filter rule matches, the packet is dropped and logged!

Astaro Security Gateway starts with an empty table but keeps implicit internal rules for
all services it is using itself.
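The following Python model is an added example, not code from the Astaro courseware or the ASG itself. It walks a packet through the chain order shown on the architecture slide (PREROUTING DNAT, routing decision, FORWARD filter with first-match and default drop-and-log, POSTROUTING masquerading) and shows why a filter rule that names the firewall's public address never matches DNAT traffic. Conntrack state is left out; all addresses are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges and RFC 1918 space).
PUBLIC_IP = "203.0.113.10"    # assumed address of the ASG's external interface eth0
WEB_SERVER = "192.168.1.80"   # assumed internal web server reached via DNAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """PREROUTING/nat: rewrite the destination before routing and filtering."""
    match_dst: str
    match_dport: int
    new_dst: str


@dataclass(frozen=True)
class FilterRule:
    """One row of the ordered packet filter table (first match wins)."""
    src: str              # CIDR
    dst: str              # CIDR
    proto: str
    dport: Optional[int]  # None = any port
    action: str           # "allow", "drop" or "reject"
    log: bool = False


@dataclass(frozen=True)
class SnatRule:
    """POSTROUTING/nat: masquerading or SNAT for packets leaving out_if."""
    src_net: str
    out_if: str
    new_src: str


@dataclass
class Gateway:
    routes: List[Tuple[str, str]]          # (CIDR, out interface), most specific first
    dnat: List[DnatRule] = field(default_factory=list)
    filters: List[FilterRule] = field(default_factory=list)
    snat: List[SnatRule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def route(self, dst: str) -> str:
        for net, iface in self.routes:
            if ip_address(dst) in ip_network(net):
                return iface
        raise ValueError(f"no route to {dst}")

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        # 1. PREROUTING: DNAT runs before the routing decision and before the filter.
        for r in self.dnat:
            if pkt.dst == r.match_dst and pkt.dport == r.match_dport:
                pkt = replace(pkt, dst=r.new_dst)
                break
        # 2. Routing decision on the (possibly translated) destination.
        out_if = self.route(pkt.dst)
        # 3. FORWARD/filter: ordered table, the first matching rule decides;
        #    no match at all means the packet is dropped and logged.
        for r in self.filters:
            if (ip_address(pkt.src) in ip_network(r.src)
                    and ip_address(pkt.dst) in ip_network(r.dst)
                    and pkt.proto == r.proto
                    and (r.dport is None or pkt.dport == r.dport)):
                if r.log:
                    self.log.append(f"{r.action} {pkt.src}->{pkt.dst}:{pkt.dport}")
                if r.action != "allow":
                    return r.action, None
                break
        else:
            self.log.append(f"default-drop {pkt.src}->{pkt.dst}:{pkt.dport}")
            return "drop", None
        # 4. POSTROUTING: masquerading/SNAT is applied after the filter decision.
        for r in self.snat:
            if ip_address(pkt.src) in ip_network(r.src_net) and out_if == r.out_if:
                pkt = replace(pkt, src=r.new_src)
                break
        return "allow", pkt


def build_gateway(filter_on_translated_dst: bool) -> Gateway:
    """ASG-style setup: DNAT public:80 to the web server, masquerade the LAN.
    With filter_on_translated_dst=False the allow rule names the public IP,
    which the filter never sees because DNAT has already rewritten it."""
    gw = Gateway(routes=[("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "eth0")])
    gw.dnat = [DnatRule(PUBLIC_IP, 80, WEB_SERVER)]
    allow_dst = WEB_SERVER if filter_on_translated_dst else PUBLIC_IP
    gw.filters = [
        FilterRule("0.0.0.0/0", f"{allow_dst}/32", "tcp", 80, "allow", log=True),
        FilterRule("192.168.1.0/24", "0.0.0.0/0", "tcp", None, "allow"),
    ]
    gw.snat = [SnatRule("192.168.1.0/24", "eth0", PUBLIC_IP)]
    return gw


if __name__ == "__main__":
    for translated in (False, True):
        gw = build_gateway(translated)
        print(translated, gw.forward(Packet("198.51.100.7", PUBLIC_IP, "tcp", 80)), gw.log)
    print(build_gateway(True).forward(Packet("192.168.1.50", "198.51.100.7", "tcp", 443)))
```

Running it shows the mis-written rule producing a "default-drop" log line for a packet whose destination is already 192.168.1.80, which is exactly the log entry an administrator sees on the ASG when the filter rule still names the external address.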


Refresher ACA
/ Packet Filter - Configuration Principles (2)

Default View shows for each rule:
Order
Groupname
Source
Action
Destination
Service
Enable/Disable
Description (optional)
Edit or delete

Refresher ACA
/ Packet Filter - Configuration Principles (3)
To create new or edit existing rules:
Assign or create a group
Name: name for the rule
Position: move the rule to a specific position
The sources: IP or group
The service: TCP/UDP/IP
The destinations: IP or group
What to do: Allow, Drop or Reject
When to do: the time
Log Packets: Yes or No
Comment: whatever helps

Refresher ACA
/ DNS - Configuration
Global:
Accepts DNS requests from allowed internal networks (e.g. your AD servers, or clients in
smaller networks).

Forwarders
Forwards DNS requests of the ASG to e.g. the provider's DNS servers.

Request Routing
When the ASG should be able to resolve hostnames of an internal domain hosted on your own
internal DNS server, that server can be entered here for the domain; requests for it are
then sent to that server instead of to the DNS forwarders.

Static Entries
Handles static mappings of hostnames to IP addresses.

Introduction to ACC

In this chapter you will see:


Astaro Command Center



Astaro Command Center


/ Overview
Centralized and efficient management:
configuring applications
monitoring actual device states
updating of device software
Uses state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)
Tracking of critical system parameters in real time:
detected threats
license status
software updates
resource usage

No license needed; it is free.

Astaro Command Center


/ Features
Inventory management provides comprehensive information about each device (CPU, hard disk,
memory, network interfaces, software version and more)
All Astaro Security Gateway devices are automatically organized into device groups
Single sign-on eases configuration management
Central update management makes it possible to update multiple devices with a single click
Role-based multi-administrator support

Astaro Command Center


/ ASG Configuration (1)

Astaro Command Center allows you to manage and monitor ASG devices.

This option connects a specific device to a specific ACC for future use.
The connection between ASG and ACC is SSL encrypted and uses port 4433.
Packet filter rules to allow this communication are created automatically.

Astaro Command Center


/ ASG Configuration (2)

Up2Date packages can also be fetched from a cache that can be configured here.
Specify a host serving as a cache.
If the ASG is monitored by an ACC server, this ACC can act as an Up2Date cache.
ACC stores Up2Date packages for the devices connected to it by default.

Astaro Command Center


Review Questions



Astaro Command Center


/ Review Questions
1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?



Networking
In this chapter you will learn
about:
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF



Networking
/ VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller
network segments on the Ethernet level (layer 2).
A VLAN switch plus a VLAN-capable network interface simulate a number of physical
interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface will create a virtual hardware device.

Example
PC1 and PC2 on the first floor and PC4 on the second floor are connected together on
VLAN 10.
PC3, PC5 and PC6 are connected together on VLAN 20.
Both VLANs can communicate only through the ASG rule base.

(Diagram: Host1, Host2 and Host3 on Switch a (ports a1 to a5), Host4, Host5 and Host6 on
Switch b (ports b1 to b4); the two switches are trunked together and Switch a uplinks to
the Firewall/Router.)

Switch a
  Port                 VLAN tag
  uplink to firewall   10, 20 (trunk)
  2 (PC1)              10
  3 (PC2)              10
  4 (PC3)              20
  trunk to Switch b    10, 20 (trunk)

Switch b
  Port                 VLAN tag
  trunk to Switch a    10, 20 (trunk)
  2 (PC4)              10
  3 (PC5)              20
  4 (PC6)              20

Networking
/ VLAN (2)
VLAN segments are distinguished by a tag (integer value). The VLAN ID is a 12-bit number:
4096 values, of which 0 and 4095 are reserved, leaving 4094 usable virtual LANs.
When you add a VLAN interface, you create a virtual hardware device that can also be used
to add additional interfaces (aliases).
NOTES:
- It is essential to check the HCL to ensure that your VLAN-capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
- Make sure you have installed a VLAN-capable NIC, or refer to the HCL.
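The following Python is an added example, not code from the Astaro courseware or the ASG. It builds and parses 802.1Q-tagged Ethernet frames, extracts the 12-bit VLAN ID from the tag control field, and makes the ingress decision a VLAN-capable NIC or switch port makes (native VLAN for untagged and priority-tagged frames, drop for VID 4095 and for tags outside the port's allowed set). MAC addresses, VLAN numbers, the payload and the allowed set are all constructed for the example.

```python
import struct
from typing import Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100
VID_MAX = 4095                       # 12-bit VLAN ID field: 0..4095
RESERVED_VIDS = {0, VID_MAX}         # 0 = priority tag only, 4095 = reserved by 802.1Q
USABLE_VLANS = VID_MAX + 1 - len(RESERVED_VIDS)   # 4094


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with one 802.1Q tag; TCI = PCP (3 bits) | DEI (1) | VID (12)."""
    if not 0 <= vid <= VID_MAX or not 0 <= pcp <= 7:
        raise ValueError("VID must fit in 12 bits, PCP in 3 bits")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[str, str, Optional[int], Optional[int], int, bytes]:
    """Return (dst_mac, src_mac, vid, pcp, ethertype, payload); vid/pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]


def assign_vlan(frame: bytes, allowed: Set[int], native_vid: Optional[int]) -> Optional[int]:
    """Ingress decision of a switch port or a VLAN-aware NIC.

    Returns the VLAN the frame belongs to, or None if it must be dropped:
    untagged and VID-0 (priority-tagged) frames go to the port's native VLAN
    (None = no native VLAN, so such frames are dropped), VID 4095 is never
    valid, and tags outside the allowed set are dropped."""
    vid = parse_frame(frame)[2]
    if vid is None or vid == 0:
        return native_vid
    if vid in RESERVED_VIDS or vid not in allowed:
        return None
    return vid


if __name__ == "__main__":
    # Constructed sample frame: broadcast, VLAN 10, priority 3, IPv4 payload.
    f = build_tagged_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                           10, 3, 0x0800, b"\x45" + b"\x00" * 27)
    print(parse_frame(f)[:5], assign_vlan(f, {10, 20}, None))
```

The byte layout is the point: a tagged frame carries 0x8100 where the EtherType normally sits, followed by the two TCI bytes, so a NIC or driver that is not VLAN-aware (the HCL note above) sees an unknown EtherType and a frame four bytes longer than it expects.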



Networking
/ Uplink Fail-Over
Usage:
If the primary connection to the Internet goes down, a secondary connection will take over.

Requirements:
Additional NIC in the firewall
Additional connection to the Internet

Restrictions:
Only allowed on interfaces that have a default gateway.

(Diagram: LAN behind the ASG with an MPLS connection as primary uplink and a DSL
connection as backup.)

Networking
/ Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") aggregates multiple
Ethernet network ports into one virtual interface.
The Link Aggregation Control sublayer controls the distribution of the data stream to the
different ports; the link partners communicate via the Link Aggregation Control Protocol
(LACP).

Aggregated ports appear as a single interface with one MAC address and one IP address.

Link aggregation is useful
to increase the link speed beyond the speed of any single NIC
to provide basic failover and fault tolerance through redundancy
All traffic routed over a failed port or switch is automatically re-routed to the
remaining ports or switches.
Failover is completely transparent to the systems using the connection.
NOTES:
In an HA environment, the Ethernet connections can even be on different HA units.
Link partners must support IEEE 802.3ad.
LA and bridging cannot be combined. LA cannot work with DSL.

Networking
/ Link Aggregation using ASG
Link aggregation allows:
trunking two links for speed, and
two links in redundancy mode

Requirement:
The link partner needs to support link aggregation.

Networking
/ Link Aggregation Configuration (1)
IEEE 802.3ad Link Aggregation
Link Trunking (for speed)
Link Redundancy (for high availability)
Combination of both

To enable Link Aggregation:
Add links to the group
Astaro supports up to 4 Link Aggregation groups

Networking
/ Link Aggregation Configuration (2)
Up to four different link aggregation groups with a maximum of four
Ethernet interfaces per group possible.
To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link
aggregation group.
2. Select check box for each unconfigured interface you
want to add to the LAG.
3. Enable LAG

On top of the bonding interface you can create one of the following:
Ethernet Standard
Cable Modem (DHCP)
Ethernet VLAN
Alias interfaces

To disable a LAG, clear the check boxes of the interfaces that make up the LAG
and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced /
Interfaces Table tab.
Link partner needs to support 802.3ad. MAC-Address of the first NIC in the LAG
will be used for all other NICs within the LAG.


Networking
/ Bridging Overview (1)
Bridging occurs at the link layer (OSI
layer 2)
The link layer controls data flow,
handles transmission errors, provides
physical (as opposed to logical)
addressing, and manages access to the
physical medium
Bridges analyze incoming frames,
make forwarding decisions based on
information contained in the frames,
and forward the frames toward the
destination

NOTE: Bridging does not require splitting a network into two subnets to integrate the ASG
into an existing network.

(Diagram: "Split Subnet" (routed ASG, two subnets) versus "Keep Subnet" (bridged ASG, one
subnet).)

Networking
/ Bridging Overview (2)
A bridge transparently relays traffic between multiple network
interfaces.
Basically, a bridge connects two or more physical networks
together to form one bigger (logical) network.
How it works:
The default gateway for
172.16.1.2 and 172.16.1.4 is
172.16.1.1
172.16.1.1 is the bridge
interface br0 with ports eth1 and
eth2

NOTE: All devices must have the same maximum packet size (MTU), since the bridge does not
fragment packets.

Networking
/ Bridging Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is
routed, using masquerading.
How it works:
When ethX interfaces are added to a bridge, they become part of the br0 interface.
The Linux 2.6 kernel has built-in bridging support; the ebtables project adds filtering of
bridged Ethernet frames.
Ebtables has only very basic IPv4 support.
Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4
packets and do advanced things like transparent IP NAT.
It forces bridged IP packets to go through the iptables chains.

Networking
/ Bridging Configuration (1)
Configuration Example:



Networking
/ Bridging Configuration (2)
There are two advanced options available:
Allow ARP Broadcasts
Ageing timeout

By default, ARP broadcasts are not allowed to pass across the bridged interfaces.
If needed, enable the Allow ARP Broadcasts option.

As the network can change, we need to specify when to remove a learned MAC entry due to
inactivity; this is the Ageing timeout.

Networking
/ Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing
forwarding/routing of data packets based on policies defined by the network
administrators.
It provides a more flexible mechanism for routing packets, complementing the existing
mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port,
in addition to normal routing, which is based on the destination IP address.

(Diagram: LAN 1, LAN 2 (ERP/Finance) and DMZ 1 (SMTP) behind the ASG; two upstream
routers, one to Prov. A via MPLS and one to Prov. B via DSL.)

Example:
Route ERP traffic from Finance to the MPLS provider:
  interface = any
  service = SAP
  source = Finance
  target = Provider A

Route SMTP traffic from DMZ to the DSL provider:
  interface = 2
  service = SMTP
  source = DMZ1
  target = Provider B

Networking
/ Policy Based Routing (2)
Policy based routing will route by selectors:
Destination
Source
Service
Source Interface

Policy based routing will route to targets:
An interface
A host

Limitations:
It is not possible to select all traffic and route it, as this would be a default gateway.
Policy routes have an order which is evaluated in the same way as the packet filter (top
to bottom, first match wins).
Only user-defined policy routes are possible.
Network groups cannot be used in policy routes.

The following benefits can be achieved by implementing policy-based routing in the
networks:
Load Sharing
Cost Savings
Source-Based Transit Provider Selection
Quality of Service (QoS)
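The following Python is an added example, not ASG code, that evaluates a policy route table the way the two slides above describe it: selectors are source network, service, protocol and source interface; the table is read top to bottom and the first match wins; anything unmatched falls back to normal destination-based routing; and a route with no selector at all is refused because it would replace the default gateway. The Finance and DMZ1 networks, the SAP port (3200, the SAP dispatcher port) and the interface name eth2 for "interface = 2" are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed values; the slide only names the networks and services.
FINANCE = "10.1.2.0/24"        # assumed "Finance" network in LAN 2
DMZ1 = "172.16.1.0/24"         # assumed DMZ 1 network
SAP_PORT = 3200                # assumed port for the "SAP" service
DEFAULT_GATEWAY = "default route (primary uplink)"


@dataclass(frozen=True)
class PolicyRoute:
    """One ASG policy route: selectors on the left, target on the right."""
    source: str               # one network in CIDR form (network groups are not supported)
    service: Optional[int]    # destination port, None = any
    proto: Optional[str]      # "tcp" / "udp", None = any
    interface: Optional[str]  # source interface, None = any
    target: str               # next-hop host or interface


def is_catch_all(route: PolicyRoute) -> bool:
    """A route with no selector would become a second default gateway; refuse it."""
    return (ip_network(route.source).prefixlen == 0 and route.service is None
            and route.proto is None and route.interface is None)


def select_target(routes: List[PolicyRoute], src: str, dport: int, proto: str,
                  in_if: str, default: str = DEFAULT_GATEWAY) -> str:
    """Evaluate the ordered policy route table; first match wins, otherwise the
    packet follows normal destination-based routing (here: the default gateway)."""
    for r in routes:
        if is_catch_all(r):
            raise ValueError("catch-all policy route is not allowed")
        if r.interface is not None and r.interface != in_if:
            continue
        if ip_address(src) not in ip_network(r.source):
            continue
        if r.service is not None and r.service != dport:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        return r.target
    return default


EXAMPLE_ROUTES = [
    # interface = any, service = SAP,  source = Finance, target = Provider A (MPLS)
    PolicyRoute(FINANCE, SAP_PORT, "tcp", None, "Provider A"),
    # interface = 2,   service = SMTP, source = DMZ1,    target = Provider B (DSL)
    PolicyRoute(DMZ1, 25, "tcp", "eth2", "Provider B"),
]


if __name__ == "__main__":
    print(select_target(EXAMPLE_ROUTES, "10.1.2.15", SAP_PORT, "tcp", "eth1"))
    print(select_target(EXAMPLE_ROUTES, "172.16.1.25", 25, "tcp", "eth2"))
    print(select_target(EXAMPLE_ROUTES, "172.16.1.25", 25, "tcp", "eth1"))
```

Because evaluation stops at the first match, a broad route placed above a specific one silently shadows it, the same ordering mistake as in the packet filter table.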



OSPF
/ Overview
OSPF = Open Shortest Path First
Link-state hierarchical routing protocol
Uses Dijkstra's SPF algorithm to calculate the shortest path tree.
Open standard, developed by the IETF
ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)
Interior Gateway Protocol (IGP) for routing within one autonomous system (AS)
OSPF uses cost as its routing metric (e.g. a reference bandwidth of 10^8 divided by the
bandwidth of the interface in bits per second)
The cost of an OSPF-enabled interface is an indication of the overhead required to send
packets across that interface.
The cost of an interface is inversely proportional to the bandwidth of that interface.

A link state database of the network topology is constructed which is identical on all
routers in the area.
OSPF guarantees loop-free routing.

OSPF
/ Features & Benefits
Area concept for hierarchical topologies and reduction of CPU and memory consumption of
routers
Independent of IP subnet classes
Arbitrary, dimensionless metric
Load balancing for paths with equal cost
Special reserved multicast addresses reduce the impact on non-OSPF devices
Authentication
External route tags
TOS routing possible
Fast database reconciliation after topology changes
Support for large networks
Low susceptibility to faulty routing information

OSPF
/ Operating Mode

Routers identify their neighbors during integration into the network
Reconciliation of the Link State Database (LSDB) with neighbors by reliable flooding
Periodic keep-alives (Hello packets) for maintaining the neighborhood
Periodic Link State Updates for keeping the LSDB consistent
Flooding of LSAs when topology changes occur
Example for an LSDB:

LS-Type      Link State ID   Adv. Router   Checksum   Seq. No.     Age
Router-LSA   10.11.12.1      10.1.1.1      0x9b47     0x80000006   0
Router-LSA   10.11.12.2      10.1.1.2      0x219e     0x80000007   1618
Router-LSA   10.11.12.3      10.1.1.3      0x6b53     0x80000003   1712
Router-LSA   10.11.12.4      10.1.1.4      0xe39a     0x8000003a   20
Router-LSA   10.11.12.5      10.1.1.5      0xd2a6     0x80000038   18
Router-LSA   10.11.12.6      10.1.1.6      0x05c3     0x80000005   1680

OSPF
/ Example LSDB & Principles

(Diagram: six routers 10.11.12.1, 10.11.12.2, 10.11.12.4, 10.11.12.6 (upper row) and
10.11.12.3, 10.11.12.5 (lower row) connected by point-to-point links.)

Point-to-point connections
Cost for each connection := 1
Databases are synchronized
Each router knows the shortest path to each other router
10.11.12.1 has two routes with identical cost to 10.11.12.6
Assume the connection between 10.11.12.2 and 10.11.12.4 fails
LSAs will be flooded over the whole network
After LSDB synchronization only one shortest path will remain
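The following Python is an added example, not code from the courseware or from Quagga. It runs the SPF (Dijkstra) calculation over a link-state database, keeps every equal-cost predecessor so ECMP routes are visible, and repeats the calculation after the 10.11.12.2 to 10.11.12.4 link is removed, reproducing the two-paths-then-one behaviour described above. The topology is an assumption: the slide does not draw the links, so the six routers are connected as a ring 1-2-4-6 and 1-3-5-6 with cost 1 per link, which is the simplest layout that gives 10.11.12.1 exactly two equal-cost paths to 10.11.12.6. The cost helper uses the 10^8 reference bandwidth mentioned in the overview.

```python
import heapq
from typing import Dict, List, Set, Tuple

Graph = Dict[str, Dict[str, int]]   # router-id -> {neighbour router-id: link cost}

REFERENCE_BANDWIDTH = 10**8         # 100 Mbit/s, the default OSPF reference bandwidth


def ospf_cost(interface_bps: int, reference_bps: int = REFERENCE_BANDWIDTH) -> int:
    """Interface cost = reference bandwidth / interface bandwidth, never below 1."""
    return max(1, reference_bps // interface_bps)


def add_link(g: Graph, a: str, b: str, cost: int = 1) -> None:
    g.setdefault(a, {})[b] = cost
    g.setdefault(b, {})[a] = cost


def remove_link(g: Graph, a: str, b: str) -> None:
    g.get(a, {}).pop(b, None)
    g.get(b, {}).pop(a, None)


def spf(g: Graph, root: str) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Dijkstra over the link-state database as seen from `root`.
    Returns the distance to every router and, per router, ALL predecessors on
    equal-cost shortest paths, so ECMP routes remain visible."""
    dist: Dict[str, int] = {root: 0}
    preds: Dict[str, List[str]] = {root: []}
    heap: List[Tuple[int, str]] = [(0, root)]
    done: Set[str] = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nb, cost in g.get(node, {}).items():
            nd = d + cost
            if nb not in dist or nd < dist[nb]:
                dist[nb] = nd
                preds[nb] = [node]
                heapq.heappush(heap, (nd, nb))
            elif nd == dist[nb] and node not in preds[nb]:
                preds[nb].append(node)       # another path of equal cost
    return dist, preds


def shortest_paths(preds: Dict[str, List[str]], root: str, target: str) -> List[List[str]]:
    """Expand the predecessor lists into every shortest path root -> target."""
    if target == root:
        return [[root]]
    paths = []
    for p in preds.get(target, []):
        for path in shortest_paths(preds, root, p):
            paths.append(path + [target])
    return sorted(paths)


def next_hops(preds: Dict[str, List[str]], root: str, target: str) -> Set[str]:
    """Next hops the routing table would install for `target` (several = ECMP)."""
    return {path[1] for path in shortest_paths(preds, root, target)}


def example_lsdb() -> Graph:
    """Assumed topology for the six routers on the slide: a ring of point-to-point
    links 1-2-4-6 and 1-3-5-6, every link with cost 1."""
    g: Graph = {}
    for a, b in [("10.11.12.1", "10.11.12.2"), ("10.11.12.2", "10.11.12.4"),
                 ("10.11.12.4", "10.11.12.6"), ("10.11.12.1", "10.11.12.3"),
                 ("10.11.12.3", "10.11.12.5"), ("10.11.12.5", "10.11.12.6")]:
        add_link(g, a, b, 1)
    return g


if __name__ == "__main__":
    g = example_lsdb()
    _, preds = spf(g, "10.11.12.1")
    print("before:", shortest_paths(preds, "10.11.12.1", "10.11.12.6"))
    remove_link(g, "10.11.12.2", "10.11.12.4")   # the failure assumed on the slide
    _, preds = spf(g, "10.11.12.1")
    print("after: ", shortest_paths(preds, "10.11.12.1", "10.11.12.6"))
```

In the real protocol the second `spf()` run is triggered by the flooded Router-LSAs with a higher sequence number; the calculation itself is purely local to each router, which is why all routers in an area must hold an identical LSDB.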



OSPF
/ Router Types & Principles (1)
Area border router (ABR)
connects to routers or networks in more than one OSPF area.
maintains an LSDB for each area of which it is a part.
also connects to the main backbone network.
is considered a member of all areas it is connected to.
keeps multiple copies of the link-state database in memory, one for each area.

Autonomous system boundary router (ASBR)
a router that is connected to more than one AS and that exchanges routing information
with routers in other ASes.
typically also runs a non-IGP routing protocol, such as BGP.
used to distribute routes received from other ASes throughout its own AS.

Internal router (IR)
A router is called an internal router if it has only OSPF adjacencies with routers in the
same area.

OSPF
/ Router Types & Principles (2)
Backbone Routers (BR)
are part of the OSPF backbone (area 0).
An area border router is always also a backbone router, but a backbone router is not
necessarily an area border router.

Designated router (DR)
is the router elected among all routers on a particular multi-access network segment.
is elected based on the following default criteria:
The router sending the Hello packets with the highest priority wins.
If two or more routers tie with the highest priority setting, the router sending the
Hello with the highest RID (Router ID) wins.
Usually the router with the second highest priority becomes the BDR.
Priority values range from 1 to 255; a higher value increases the chance of becoming DR
or BDR.
If the priority of an OSPF router is set to 0, it can NEVER become DR or BDR (Backup
Designated Router).
When a DR fails, the BDR takes over.

Backup designated router (BDR)
A backup designated router (BDR) is a router that becomes the designated router if the
current designated router fails. The BDR is the OSPF router with the second highest
priority at the time of the last election.
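The following Python is an added example, not courseware or Quagga code, that runs the DR/BDR election described above on a set of routers as learned from their Hello packets: priority 0 routers are ineligible, the highest priority wins with the numerically highest Router ID as tie-breaker, the runner-up becomes BDR, and when the DR disappears the BDR is promoted. One caveat the slide does not spell out but RFC 2328 section 9.4 mandates is modelled too: an existing DR or BDR is not displaced by a newly appearing router with a higher priority. Router IDs and priorities are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    router_id: str   # dotted-decimal RID as carried in the Hello packet
    priority: int    # 0..255 from the Hello packet; 0 = never DR/BDR


def _rank(r: OspfRouter) -> Tuple[int, int]:
    # Highest priority wins; on a tie the numerically highest Router ID wins.
    return (r.priority, int(IPv4Address(r.router_id)))


def elect_dr_bdr(routers: List[OspfRouter], current_dr: Optional[str] = None,
                 current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Simplified DR/BDR election for one multi-access segment.

    routers     - every router currently seen in Hello packets on the segment
    current_dr  - RID of the incumbent DR (None for a fresh election)
    current_bdr - RID of the incumbent BDR (None for a fresh election)

    Returns (dr, bdr) as Router IDs; None where no eligible router exists."""
    present = {r.router_id: r for r in routers if r.priority > 0}   # priority 0 is ineligible
    ranked = [r.router_id for r in sorted(present.values(), key=_rank, reverse=True)]
    if not ranked:
        return None, None
    if current_dr in present:
        dr = current_dr                       # non-preemptive: the incumbent DR stays
    elif current_bdr in present:
        dr = current_bdr                      # DR failed: the BDR takes over
    else:
        dr = ranked[0]                        # fresh election: best priority, then RID
    if current_bdr in present and current_bdr != dr:
        bdr = current_bdr
    else:
        bdr = next((rid for rid in ranked if rid != dr), None)
    return dr, bdr


if __name__ == "__main__":
    segment = [OspfRouter("10.0.0.5", 1), OspfRouter("10.0.0.9", 1),
               OspfRouter("10.0.0.250", 0), OspfRouter("10.0.0.2", 1)]
    dr, bdr = elect_dr_bdr(segment)
    print("fresh election:", dr, bdr)
    print("after DR fails:", elect_dr_bdr(segment[:1] + segment[2:], dr, bdr))
```

The priority-0 router has the highest RID on the segment and still never wins, which is the setting to use on an ASG that should participate in OSPF on a shared segment without becoming the segment's DR.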



OSPF
/ OSPF Packets

Packet layout: IP Header (Protocol #89) | OSPF Packet Header | OSPF Packet Data

5 types of packets
Hello
Database Description
Link State Request
Link State Update
Link State Acknowledgement

Transmission directly over IP, protocol number 89 (no TCP or UDP)
Transfer directly to a neighbor or using the reserved multicast addresses 224.0.0.5
(AllSPFRouters) and 224.0.0.6 (AllDRouters)
OSPF packets are only exchanged between neighbors within one network and are never routed
beyond the network they originate from (TTL = 1)

OSPF
/ Header Format

32 Bits
8
Version

8
Typ

8
Lenght

Router ID
Area ID
Checksum

AuType
Authentication *)
Authentication *)
Packet Data

*) if AuType = 2:
0x0000
Key ID
Cryptogr. Sequence Number

Astaro 2007 / ACE_V7.00-0.16

Auth. Length
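The following Python is an added example, not code from the courseware or from Quagga. It encodes and decodes the header shown above and implements the cryptographic authentication of RFC 2328 Appendix D that AuType 2 selects: the sender zeroes the checksum, fills the authentication field with Key ID, Auth. Length 16 and a sequence number, and appends MD5(packet || key padded to 16 bytes); the receiver recomputes the digest with the key for that Key ID and rejects any packet whose sequence number goes backwards for that neighbor. The Hello body and the key are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION = 2
HEADER_FMT = "!BBHIIHH"        # version, type, length, router id, area id, checksum, autype
HEADER_LEN = 24                # 16 fixed bytes + 8 byte authentication field
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgement"}


def ip2int(addr: str) -> int:
    return struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]


def int2ip(n: int) -> str:
    return ".".join(str(b) for b in struct.pack("!I", n))


def parse_header(pkt: bytes) -> dict:
    """Decode the 24-byte header; for AuType 2 also Key ID, Auth. Length and sequence number."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short OSPF packet")
    ver, ptype, length, rid, area, csum, autype = struct.unpack(HEADER_FMT, pkt[:16])
    if ver != OSPF_VERSION or ptype not in PACKET_TYPES:
        raise ValueError("not an OSPFv2 packet")
    h = {"type": ptype, "type_name": PACKET_TYPES[ptype], "length": length,
         "router_id": int2ip(rid), "area_id": int2ip(area), "checksum": csum,
         "autype": autype}
    auth = pkt[16:24]
    if autype == AUTH_CRYPTO:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        h.update(key_id=key_id, auth_len=auth_len, crypto_seq=seq)
    elif autype == AUTH_SIMPLE:
        h["password"] = auth.rstrip(b"\x00")      # 8-byte cleartext password
    return h


def _pad_key(key: bytes) -> bytes:
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def sign_packet(ptype: int, router_id: str, area_id: str, body: bytes,
                key_id: int, key: bytes, seq: int) -> bytes:
    """Build a packet with cryptographic authentication: checksum 0, authentication
    field = 0x0000 | Key ID | 16 | sequence number, MD5(packet || padded key) appended.
    The digest is not counted in the length field."""
    length = HEADER_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, ptype, length,
                         ip2int(router_id), ip2int(area_id), 0, AUTH_CRYPTO) + auth
    pkt = header + body
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_packet(raw: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int]) -> bool:
    """Receiver side: recompute the digest with the key for the Key ID and enforce a
    non-decreasing sequence number per neighbour (replay protection)."""
    h = parse_header(raw)
    if h["autype"] != AUTH_CRYPTO or h.get("auth_len") != 16:
        return False
    length = h["length"]
    if len(raw) != length + 16:
        return False
    key = keys.get(h["key_id"])
    if key is None:
        return False
    pkt, digest = raw[:length], raw[length:]
    expected = hashlib.md5(pkt + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if h["crypto_seq"] < last_seq.get(h["router_id"], 0):
        return False
    last_seq[h["router_id"]] = h["crypto_seq"]
    return True


# Constructed Hello body: mask 255.255.255.0, hello 10 s, options 0x02 (E bit),
# priority 1, dead interval 40 s, DR 0.0.0.0, BDR 0.0.0.0, no neighbours listed.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


if __name__ == "__main__":
    keys = {1: b"s3cret-key"}
    raw = sign_packet(1, "10.11.12.1", "0.0.0.0", HELLO_BODY, 1, keys[1], 100)
    print(parse_header(raw), verify_packet(raw, keys, {}))
```

Two practical points follow from the code: with AuType 1 the password travels in cleartext in every Hello, so only AuType 2 protects an OSPF segment against a spoofed neighbor; and the sequence number is only a replay check, so the key must be kept secret and rotated by Key ID rather than relied upon as a secret for long.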


OSPF
/ Area Types
AS External LSAs are flooded across area borders.
Additionally, ASBR Summary LSAs are distributed within their areas by ABRs.
Different area types are used to minimize the LSDB.

Stub Areas
Area which does not receive external routes.
AS External LSAs are not transferred into stub areas.
Routing to external destinations via default routes.
No ASBRs and no virtual links.

NSSAs (Not-So-Stubby Areas)
Type of stub area that can import autonomous system (AS) external routes and send them to
the backbone, but cannot receive AS external routes from the backbone or other areas.
Extension of stub areas.
A small number of external routes is allowed.
They are translated at the NSSA border (by the ABR) into AS External LSAs.
The NSSA border is a one-way road for external routing information.

OSPF
/ ASG Configuration OSPF-ID

The OSPF-ID is a unique ID of the router device.
This can be the official IP address.
It is denoted in x.x.x.x format.

OSPF
/ ASG Configuration OSPF Area

Before you can enable the OSPF function, you must have at least one OSPF area configured.
Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.

OSPF
/ ASG Configuration OSPF Interfaces (1)

The OSPF interface defines interfaces that can be used to announce OSPF networks.

OSPF
/ ASG Configuration OSPF Interfaces (2)

The OSPF interface must be added to the area that will be announced.

OSPF
/ ASG Configuration OSPF Interfaces (3)

The OSPF debug section gives information about the current state of OSPF operations.
It shows neighbors, routes, interfaces etc. in pop-up windows.

Networking
Review Questions


Networking
/ Review Questions
1. How can VLAN segments be distinguished? How many virtual LANs can be distinguished by ASG?
2. How are ARP broadcasts handled in terms of bridged interfaces?
3. What are the two major benefits of link aggregation on ASG?
4. On which OSI layer does bridging occur?
5. Is it possible to combine bridging and routing on ASG?
6. What are the route selectors in Policy Routing?
7. Name 5 benefits of OSPF.
8. Which transmission protocol is used for OSPF?
9. What router and area types do you know and how do they interact with each other?
10. What must be configured before you can enable the OSPF function on ASG?

Network Security
In this chapter you will learn about:
Server Load Balancing
Quality of Service
Generic Proxy
Socks Proxy
Ident Proxy

Network Security
/ Server Load Balancing (1)
Used if the traffic going to one IP address should be split or
"balanced" between multiple servers


Network Security
/ Server Load Balancing (2)
Configuration for Server Load Balancing contains three options:
Service to Balance
The Pre-Balance Target
A Group of Target Hosts

These parameters describe exactly the situation from the last slide:
which traffic on which port (the Balancing Service) on which IP address
(the Pre-Balance target host) will be distributed to which servers
(the Post-Balance target hosts).

Quality of Service
/ Working Principle
Quality of Service (QoS) can reserve guaranteed bandwidths for certain
types of outbound network traffic passing between two points in the network.
Inbound traffic is optimized internally by various techniques such as
Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).

[Figure: traffic between Headquarter (ASG left) and Branch Office (ASG right), shown without and with traffic shaping]

Quality of Service
/ Features and Benefits
QoS allows to:
Limit available bandwidth
Guarantee minimum bandwidth
Works per interface
Works per subnet/host
Works per service

Define traffic directions carefully: shaping is applied to upstream and downstream
traffic as seen from the interface, e.g. an HTTP & FTP download from ANY is
outbound from the ext. NIC's point of view.

[Figure: Ext. NIC and Int. NIC of the ASG with upstream/downstream shaping]

Quality of Service
/ Configuration

Status
The Status tab lists the interfaces for which QoS can be configured.
By default, QoS is disabled for each interface.

Traffic Selectors
A traffic selector can be regarded as a QoS definition for a certain type of network traffic.

Bandwidth Pools (Internal & External)
Bandwidth Pools describe the bandwidth shared by multiple sources.
Bandwidth Pools can also specify upper bandwidth limits.

Quality of Service
/ Configuration: Status Overview

Displays all available interfaces.
Define the available, physical bandwidth.
Define the guaranteed uplink and downlink bandwidth for any interface, e.g. the DSL line.
By default, QoS is disabled for each interface.

Quality of Service
/ Configuration: Traffic Selectors

Traffic Selectors describe what traffic needs to be accounted for.
The description contains details about the source of the traffic, its
destination and its service.
TOS/DSCP allows the Type of Service and DiffServ flags in the traffic to be taken into account.
It is possible to build groups of Traffic Selectors.

Quality of Service
/ Configuration: Bandwidth Pools
Bandwidth Pools describe the available and guaranteed bandwidth for the available interfaces.

Network Security
/ Advanced

The Generic Proxy is another option when private networks are being used.

SOCKS is an internet protocol to allow clients to use the services of a firewall
transparently and is short for SOCKetS.

The Ident Protocol is specified in RFC 1413 and helps identifying users of a
particular TCP connection.

Network Security
/ Generic Proxy
Works as a port forwarder.
Combines features of DNAT and Masquerading.
Forwards all incoming traffic for a specific service to an arbitrary server.
In contrast to DNAT, the source IP address is replaced with the IP of the ASG interface
used for the outgoing connection.
It is also possible to change the target port number.

Network Security
/ SOCKS
What is it used for?
Can build TCP and UDP connections for client applications
Can provide incoming ports to listen on
Used with systems that incorporate NAT
Where is it used?
IM clients such as ICQ, AIM
FTP
RealAudio
Astaro Security Gateway supports SOCKSv5
User authentication can be used

Network Security
/ IDENT Relay
IDENT is an older protocol.
Allows external users to associate a username with a TCP connection.
Not very secure because the connection isn't encrypted.
Necessary for some services like IRC and some mail servers.
Astaro will respond with the string that you specify as the default response.
Hence the configuration is rather simple; it offers:
Configuration of the string to answer with
Optionally the possibility to forward Ident requests to the internal clients
(which is not always possible)

Network Security
Review Questions


Network Security
/ Review Questions
1. What does Server Load Balancing do?
2. With which technology is it realized?
3. For which kinds of traffic is Quality of Service suitable?
4. What is the Generic Proxy used for?
5. What does the Socks Proxy do?
6. What can the Ident Proxy do?


VoIP Security
In this chapter you will learn how SIP and H.323 security work.

VoIP Security
/ SIP/H.323 Security
SIP and H.323 are so-called signaling protocols, which are designed to notify
communication partners in telephony-like connections. These signals contain
information about the state of the connection, like INVITE, RINGING or
HANGUP. The actual voice connection takes place on a dynamic port.
Astaro's VoIP Security uses special connection tracking helper modules for
monitoring the control channel to determine which dynamic ports are being
used, and then only allows these ports to pass traffic while the control channel
is busy.

[Figure: SIP call setup between Rick (IP-A) and Cory (IP-B) over time:
Rick -> Cory, to IP-B, PORT-S: INVITE Cory@IP-B with SDP c=IN IP4 IP-A, m=audio 2000 RTP/AVP 0
Cory -> Rick, to IP-A, PORT-S: 200 OK with SDP c=IN IP4 IP-B, m=audio 4000 RTP/AVP 3
Audio stream to IP-A, port 2000
Audio stream to IP-B, port 4000]

To configure VoIP Security, client and server network definitions need to be made.
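As an added example (not code from the Astaro courseware or its helper modules), the following Python models what a SIP connection tracking helper has to learn from the exchange above: it reads the SDP c= and m=audio lines of the INVITE and the 200 OK, opens the two RTP flows only once the call is answered, closes them on BYE, and as a hardening step ignores media addresses that differ from the host that sent the signalling. The messages and the addresses 192.0.2.10 (IP-A) and 198.51.100.20 (IP-B) are constructed sample data.

```python
# Added example, not from the Astaro courseware: what a SIP connection tracking
# helper has to learn from the control channel. It reads the SDP "c=" and
# "m=audio" lines of the INVITE and the 200 OK shown on the slide, opens the two
# RTP flows only once the call is answered, and closes them again on BYE. As a
# hardening step it also refuses media addresses that differ from the host that
# sent the signalling. Messages and addresses are constructed sample data.
import re
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int]  # (destination IP, destination UDP port) of an RTP stream

SDP_C = re.compile(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
SDP_M = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M)


def media_endpoint(sip_msg: str) -> Optional[Flow]:
    """Return the (ip, port) a party announces for receiving audio, or None."""
    parts = sip_msg.split("\r\n\r\n", 1)  # headers, empty line, SDP body
    if len(parts) != 2:
        return None
    c, m = SDP_C.search(parts[1]), SDP_M.search(parts[1])
    if not c or not m:
        return None
    port = int(m.group(1))
    return (c.group(1), port) if 1 <= port <= 65535 else None


class SipHelper:
    """Tracks SIP dialogs by Call-ID and the RTP pinholes each one justifies."""

    def __init__(self) -> None:
        self.pending: Dict[str, Flow] = {}      # INVITE seen, not yet answered
        self.active: Dict[str, Set[Flow]] = {}  # answered calls -> allowed flows

    def observe(self, sip_msg: str, src_ip: str) -> None:
        """Feed one signalling message; src_ip is the IP that actually sent it."""
        first_line = sip_msg.split("\r\n", 1)[0]
        cid = CALL_ID.search(sip_msg)
        if not cid:
            return
        call_id = cid.group(1)
        ep = media_endpoint(sip_msg)
        if ep and ep[0] != src_ip:
            ep = None  # SDP names a third party: do not open a hole for it
        if first_line.startswith("INVITE ") and ep:
            self.pending[call_id] = ep
        elif first_line.startswith("SIP/2.0 200 ") and ep and call_id in self.pending:
            self.active[call_id] = {self.pending.pop(call_id), ep}
        elif first_line.startswith("BYE "):
            self.pending.pop(call_id, None)
            self.active.pop(call_id, None)

    def permits(self, dst_ip: str, dst_port: int) -> bool:
        """Would a UDP packet to dst_ip:dst_port be allowed through right now?"""
        return any((dst_ip, dst_port) in flows for flows in self.active.values())


# Constructed sample dialog mirroring the slide: Rick = 192.0.2.10 (IP-A),
# Cory = 198.51.100.20 (IP-B), audio ports 2000 and 4000.
INVITE = ("INVITE sip:cory@198.51.100.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 2000 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 4000 RTP/AVP 3\r\n")
BYE = "BYE sip:cory@198.51.100.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\n\r\n"


def run_sample_call() -> Tuple[bool, bool, bool, bool]:
    """Returns (allowed before answer, both streams after answer, unrelated port, after BYE)."""
    h = SipHelper()
    h.observe(INVITE, "192.0.2.10")
    before = h.permits("192.0.2.10", 2000)
    h.observe(OK_200, "198.51.100.20")
    during = h.permits("192.0.2.10", 2000) and h.permits("198.51.100.20", 4000)
    stray = h.permits("198.51.100.20", 4001)
    h.observe(BYE, "192.0.2.10")
    after = h.permits("198.51.100.20", 4000)
    return before, during, stray, after
```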

VoIP Security
/ SIP Session Initiation Protocol
"Session Initiation Protocol is an application-layer control (signaling) protocol
for creating, modifying, and terminating sessions with one or more participants.
These sessions include Internet telephone calls, multimedia distribution, and
multimedia conferences." (cit. RFC 3261)

A good starting point for reading about SIP is at
http://en.wikipedia.org/wiki/Session_Initiation_Protocol

[Figure: Rick, SIP Proxy, SIP Registrar and Cory; Rick sends INVITE cory@astaro.com via the SIP Proxy]

VoIP Security
/ H.323
H.323 is an umbrella recommendation from the ITU Telecommunication
Standardization Sector (ITU-T) that defines the protocols to provide
audio-visual communication sessions on any packet network.
H.323 was originally created to provide a mechanism for transporting
multimedia applications over LANs, but it has rapidly evolved to address the
growing needs of VoIP networks.
Currently real-time applications such as NetMeeting and Ekiga (the latter
using the OpenH323 implementation) use H.323.
A good starting point for reading about H.323 is at
http://en.wikipedia.org/wiki/H323

VoIP Security
/ SIP/H.323 Security

To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can
be activated individually.

Both modules are rather easy to configure: simply add the allowed clients
to the SIP or H.323 configuration and configure one or more SIP servers
or H.323 gatekeepers.

VoIP Security
Review Questions


VoIP Security
/ Review Questions
1. What does SIP stand for?
2. Which parts do you need to configure for SIP/H.323 security?
3. Explain how SIP works.
4. What are the ports SIP normally makes use of?

Intrusion Protection

In this chapter you will learn about:

Statefulness
Configuration
Ruleset
Advanced

Intrusion Protection
/ Working Principle
Astaro Security Gateway's IPS operates in inline mode.
It is placed logically between external, internal and DMZ networks, located on one single machine.
Astaro uses Inline Snort (http://snort-inline.sourceforge.net) as IPS, which is a
modified version of SNORT (open source module).
Inline SNORT lets Astaro Security Gateway perform detection and prevention at the same time.
Another benefit of inline mode is that all packets must pass the Astaro Security
Gateway and no packets can be missed, e.g. due to high network load.

Intrusion Protection
/ Fundamentals

Sensor Placement Options (inline):
In front of the Firewall
Within the DMZ
Between Firewall and LAN-Switch
Within the LAN

Intrusion Protection
/ Working Principle
Each packet runs through the IPS only ONCE:
1. Packet from the network to the local machine
2. Packet from network to network
3. Packet from the local machine to the network (e.g. when using the proxies, and also in
case of an exploit against a Linux module on the Astaro Security Gateway itself)

New netfilter module ips (kernel module iptable_ips.o).
The table has the lowest priority in the netfilter hierarchy.

[Figure: netfilter packet flow with the ips table (tables: Filter, NAT):
incoming packets -> PREROUTING (dnat, conntrack, mangle (empty), spoofdrop) -> Routing
Routing -> FORWARD (conntrack, mangle, filter, ips) -> POSTROUTING (masquerading, snat, conntrack, mangle, ips) -> outgoing packets
Routing -> INPUT (mangle, filter, ips) -> Local Processes (PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache)
Local Processes -> OUTPUT (conntrack, mangle, dnat) -> Routing -> POSTROUTING]

Intrusion Protection
/ Limitations of Firewalls and Virus-Scanners (1)
A robust firewall policy can minimize the exposure of many networks.
Depending on the security level to be achieved, such countermeasures alone
might not be enough.

Packet filter firewalls inspect on a per-packet basis:
Even invalid packets may pass through
No detection of application-layer attacks
Protocols using multiple ports are hard for firewalls to handle (e.g. FTP, PPTP, H.323, MMS, ...)

Proxies (Application Level Gateways) have application layer awareness:
Can filter unwanted or malformed header types
Are able to detect protocol anomalies
Are not able to detect higher level attacks (e.g. CGI script attacks)

Therefore IDS are necessary to fulfill higher security requirements.
Additionally, hacker tools make attacks easier and are available to everybody.
The level of sophistication of attacks is growing.

Intrusion Protection
/ Limitations of Firewalls and Virus-Scanners (2)
Firewalls inspect for viruses and worms in:
E-mails & attachments
SMTP, POP3 and HTTP streams

Virus scanners are unable to monitor data by analyzing the traffic within a network.

Worms like SQL-Slammer or MS.Blaster spread independently:
Only detectable after infection
Example: SQL-Slammer
Buffer overflow in Microsoft SQL Server
UDP packet to port 1434, size: 376 bytes (!)
In RAM only
Spreads to random IP addresses
Very fast infection rates - high-speed worm

Intrusion Detection
/ Configuration

Global: general settings for Intrusion Protection.
Attack Patterns: enable or disable the categories of attacks that can be recognized.
Anti-DoS / Flooding: configure the Denial of Service and Flood Protection here.
AntiPortscan: portscan detection configuration is in here.
Exceptions: of course the configuration can be limited to certain hosts and networks.
Advanced: modified rules and IP address information about dedicated servers is here.

Intrusion Detection
/ Configuration: Global
The global settings contain a list of networks that are protected by intrusion prevention.
If attacks from the local networks should be detected, it is important NOT to add them to this list!
Depending on the traffic between the LAN segments, a major impact on the performance of the ASG is possible.

The global configuration also contains settings for the IDS/IPS policy. This can
default to Drop or Reset packets.

Of course, IDS/IPS also offers a live log, which can be viewed with the Live Log button.

[Figure: ASG protecting the local networks LAN1, LAN2 and LAN3]

Intrusion Protection System
/ Configuration: Attack Patterns
Astaro supports roughly 7000 different rules.
These are organized in 40 different groups, which are again subdivided.

Per-group settings:
Action: what to do with packets matching this group, if detected.
Add extra warning: activate extra rules that are for information only.
Notify: send an e-mail to the admin address if packets are detected matching rules of this group.

Intrusion Protection
/ Refresher: How SYN Floods work
SYN Attack: the attacking host sends a stream of SYN packets with a spoofed source
IP address (that of a currently unreachable host).

[Figure: the attacking host sends SYN packets to the server with the source IPs of
Unreachable Host #1, #2 and #3; the server answers each with a SYN/ACK addressed to
Unreachable Host #1, #2 and #3]

Intrusion Protection System
/ Anti-DoS / Flooding

Anti Flooding allows to limit the number of packets per time.
This works for senders and recipients in the protocols TCP, UDP and ICMP.
In the case of TCP flood protection, only SYN packets are taken into account.
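Added example (not code from the Astaro courseware) serving both the SYN flood refresher and the Anti-DoS/Flooding slide: a per-sender or per-recipient packet-rate limiter in Python that counts only SYN packets for TCP, run over a constructed flood in which every SYN carries a different spoofed source. The sliding window is a readable stand-in for a netfilter rate limit, not ASG's implementation.

```python
# Added example, not from the Astaro courseware: a per-key packet-rate limiter in
# the spirit of the Anti-DoS/Flooding setting ("number of packets per time").
# For TCP only SYN packets (no ACK bit) are counted, as the slide states; UDP and
# ICMP packets are counted as such. The sliding window is a simplification of
# what a netfilter rate limit does, chosen for readability. Packets are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    syn: bool = False
    ack: bool = False


class FloodLimiter:
    """Drops a packet once its key has exceeded `limit` counted packets in `window` s.

    by="src" limits each sender, by="dst" limits each recipient; the slide offers both.
    """

    def __init__(self, limit: int, window: float, by: str = "src") -> None:
        if by not in ("src", "dst"):
            raise ValueError("by must be 'src' or 'dst'")
        self.limit, self.window, self.by = limit, window, by
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def counts(self, pkt: Packet) -> bool:
        """Only connection attempts count for TCP; every UDP/ICMP packet counts."""
        if pkt.proto == "tcp":
            return pkt.syn and not pkt.ack
        return pkt.proto in ("udp", "icmp")

    def check(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop' for one packet, in arrival order."""
        if not self.counts(pkt):
            return "pass"
        key = (pkt.proto, pkt.src if self.by == "src" else pkt.dst)
        seen = self.hits[key]
        while seen and pkt.ts - seen[0] >= self.window:
            seen.popleft()  # forget hits that fell out of the window
        seen.append(pkt.ts)
        return "drop" if len(seen) > self.limit else "pass"


def verdicts(limiter: FloodLimiter, packets: List[Packet]) -> List[str]:
    return [limiter.check(p) for p in packets]


# Constructed SYN flood like the refresher slide: every SYN carries a different
# spoofed source, all aimed at one server, 10 packets per second.
SPOOFED_SYNS = [Packet(0.1 * i, "203.0.113.%d" % (i + 1), "192.0.2.80", "tcp", syn=True)
                for i in range(6)]


def spoofed_flood_verdicts() -> Tuple[List[str], List[str]]:
    """Per-sender limiting never fires (each source is new); per-recipient does."""
    per_sender = verdicts(FloodLimiter(limit=3, window=1.0, by="src"), SPOOFED_SYNS)
    per_recipient = verdicts(FloodLimiter(limit=3, window=1.0, by="dst"), SPOOFED_SYNS)
    return per_sender, per_recipient
```

The point for a defender: with spoofed sources, only the recipient-side limit protects the server, which is why the slide offers both directions.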

Intrusion Protection System
/ Anti-Portscan / Exceptions / Advanced

Anti-Portscan:
Detects portscans
Can have exceptions

Exceptions:
Skip these checks for source and destination networks:
Intrusion Protection
Anti-Portscan
Anti-DoS/Flooding TCP
Anti-DoS/Flooding UDP
Anti-DoS/Flooding ICMP

Advanced:
Modified Rules
Performance Tuning

Intrusion Protection
Review Questions


Intrusion Protection
/ Review Questions
1. How does Intrusion Protection work?
2. What is the improvement over Firewalls or Anti-Virus Products?
3. Where is Astaro Intrusion Detection placed?
4. How does it integrate with the Packetfilter framework?
5. Which detection methods are applied to traffic?


User Authentication
In this chapter you will learn about:
Users
Groups
Authentication


User Authentication
/ Purpose
Authentication (from Greek: "real or genuine", from 'authentes' = author) is the act
of establishing or confirming something (or someone) as authentic, that is, that
claims made by or about the thing are true.
Authenticating an object may mean confirming its provenance, whereas
authenticating a person often consists of verifying their identity.
Authentication depends upon one or more authentication factors.
In computer security, authentication is the process of attempting to verify the
digital identity of the sender of a communication such as a request to log in.
The sender being authenticated may be a person using a computer, a computer
itself or a computer program.

Local Authentication


User Authentication
/ User Management
User management is necessary to allow or forbid services to certain users or user groups.
To manage local and remote authentication services, the web interface offers the Users menu.

This menu is structured to manage:
Users - local or remote
Groups - local or remote
Remote Authentication Methods

User Authentication
/ Local User Management
The User Management in Astaro allows to administer local users and user groups.
Here you can create user profiles local to the firewall.
No external authentication service is queried to authenticate these users.
To create a locally authenticated user, select Authentication: Local.

NOTE: The additional e-mail addresses influence the behavior of the Anti Spam Reports. See there.

Remote Authentication


Remote Authentication
/ Available Methods
Astaro has many options for remote user authentication:
eDirectory: Novell, partly LDAP based
Active Directory: Microsoft, partly LDAP based
RADIUS: Remote Access Dial-In User Service; Livingston Enterprises, later RFC
TACACS+: Terminal Access Controller Access-Control System Plus; Cisco, now RFC
LDAP: Lightweight Directory Access Protocol; OSI, X.500, now RFC

Remote Authentication
/ Novell eDirectory
With ASG V7 eDirectory SSO, Novell users will only need to authenticate once at
initial client login to gain web access to the Internet.
Based on the ASG V7 SSO authenticated user, user-, group- and/or container-based
access control and content inspection profiles are assigned.
Once authenticated, the web security capabilities of ASG are applied to traffic
flows based on the user, including prevention of phishing, virus and spam attacks,
without the need for further authentication at the browser level.

Remote Authentication
/ Novell eDirectory
When creating groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser.
It allows you to select user groups directly in the Web Admin Interface.

NOTE:
SSO in eDir does not work on machines where more than one user is logged in.
Currently ASG V7 does not support containers and multiple root nodes in eDir.

Remote Authentication
/ Active Directory (1)
Can be used to implement single sign-on with Astaro Security Gateway when using the HTTP Proxy.
NTLM uses a challenge-response authentication scheme.
Active Directory allows all users to be centrally managed in groups of users.

NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name
is derived from the Hostname in the Basic System Settings! (see there)

Remote Authentication
/ Active Directory (2)
Using Surf-Protection with Active Directory Authentication requires a running
Windows Server and AD services.
Active Directory Service manages the users of a Windows Domain.
LDAP uses the Distinguished Name (DN) of a user for identification. The name has
to be unique within the directory.
Steps to perform:
1. Create an AD user with read privileges (used by ASG to query the AD service).
2. Add the AD Users and Computers Snap-In in the MS Management Console to define it.
3. To add the user, right click on your Domain Controller to define a new user.
4. Grant full read privileges to your defined user (right click CN: Properties).
5. Create as many users as you need in your Active Directory. All of these users
are able to authenticate.

Remote Authentication
/ RADIUS
Remote Access Dial-In User Service (RADIUS)
Uses UDP port 1813 or 1645 to send queries for authentication.
Uses an external directory for large installations; often used by Internet Service
Providers for the purpose of network, router and internet access.
Only the password is encrypted.

NOTE: Since the passwords are transferred over the network using a weak encryption,
you should place the server in a trusted network which cannot be sniffed.
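Added example (not code from the Astaro courseware): the User-Password hiding of RFC 2865 section 5.2, which is the "weak encryption" the note above refers to, in Python. The password is XORed with an MD5 stream derived from the shared secret and the Request Authenticator; nothing else in the packet (user name, NAS attributes) is protected at all, so anyone on the path who holds the shared secret reads the password, which is the reason for keeping the server on a trusted network. The secret, authenticator and password are constructed sample values.

```python
# Added example, not from the Astaro courseware: RFC 2865 section 5.2
# User-Password hiding. Only the password attribute is transformed, with an MD5
# keystream of shared secret + Request Authenticator (then secret + previous
# ciphertext block). Sample secret, authenticator and password are constructed.
import hashlib
from typing import Tuple


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the hidden User-Password attribute value for a RADIUS request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block  # next block is keyed by this ciphertext block (CBC-like)
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the shared secret alone recovers the cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding (passwords cannot end in NUL)


def demo() -> Tuple[bytes, bytes, bytes]:
    """Hide a constructed password, then recover it with the right and a wrong secret."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))  # constructed; a real one is 16 random bytes
    hidden = hide_password(b"correct horse battery", secret, authenticator)
    return (hidden,
            reveal_password(hidden, secret, authenticator),
            reveal_password(hidden, b"wrong-secret", authenticator))


if __name__ == "__main__":
    hidden, good, bad = demo()
    print(hidden.hex(), good, bad)
```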

Remote Authentication
/ TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+)
Uses TCP port 49 to send queries for authentication and is therefore more reliable than RADIUS.
Also uses an external directory for large installations; often used by Internet Service Providers.
TACACS+, unlike RADIUS, separates authentication and authorization.
The whole datagram is encrypted.
Despite the name, TACACS+ does not have too much in common with TACACS (without the +).

Remote Authentication
/ LDAP
LDAP (Lightweight Directory Access Protocol) is an information model and a protocol for
querying and manipulating tree-like directories.
LDAP's overall data and namespace model is essentially that of X.500.
Authentication by querying an LDAP server requires an active DNS Proxy with valid entries.
Astaro Security Gateway can connect to LDAP-based directories such as:
Sun Identity Server
OpenLDAP
Netscape Directory
But also these are based on LDAP:
Active Directory
Novell eDirectory
Control of proxy usage on a per-user basis!
Bind-DN and password are used for login to an LDAP server.
Base-DN specifies the location of the user database in the LDAP tree.

Remote Authentication
/ Advanced
Advanced Configuration
Backend query order
Defines in which order all the configured backends for authentication are queried.
This is important if the same user exists in different directories.

Password complexity
When users change their password in the Astaro End-User Portal, you can force them
to use complex passwords with these settings.

User Authentication
Configuration Example


Authentication
/ Local Users (1)
To add yourself to the local user directory, first go to the Users/Users menu.
This menu offers you to view existing or add new users.

When adding a new user, you will need to fill out the following form, which contains:
a username
the real name
e-mail address
additional e-mail addresses (optional)
authentication is local

Authentication
/ Local Users (2)
When you have finished and saved the entry, you should find the following user in the list.

Every entry has two buttons which allow you to:
Edit the entry, which brings you back to the user-add dialog
or
Delete the entry

The rest of the line contains information about the user, his e-mail address, the
authentication source and a comment.

Authentication
/ Remote User-Authentication: NTLM (1)
Before NTLM/SSO becomes available, you need to set up the Active Directory configuration.
Active Directory takes only a few parameters:
the server itself: use an existing or newly created definition here
the port to connect to: predefined to 389 (the default)
SSL: encrypt or not
The authentication information:
the Bind User Distinguished Name: the user that connects to the directory (read-only)
the authentication password: a (valid) password for this user.

Authentication
/ Remote User-Authentication: NTLM (2)
Once the Active Directory configuration is set up, NTLM/SSO becomes available and
can be configured. To do so, you need to join your ASG into your Windows Domain.
This works exactly as it would with a Windows PC: you need an administrative
account to approve the join.
Simply enter the Domain Name and the credentials and hit Apply.

NOTE: Ensure that the NetBIOS name is a unique name on the network! The NetBIOS name
is derived from the Hostname in the Basic System Settings! (see there)

Authentication
/ Remote User Groups
Finally, to use whole groups on the remote Active Directory, you may want to create
an assignment of remote user groups to local user groups:
To do so, go to the Users/Groups menu and create a new user group.
The group should be of group type Backend Membership with the backend Active
Directory. This example limits the membership of the local group Active Directory
to members of the remote AD group http_users (which exists in the Active Directory).

User Authentication
Review Questions


User Authentication
/ Review Questions
1. How are Users and Groups structured?
2. Which authentication methods are supported by Astaro?
3. What's the benefit of using NTLM authentication?
4. How is SSO activated when using Active Directory?

Web Security
In this chapter you will learn about:
HTTP Profiles
HTTP Authentication


Web Security
/ HTTP Proxy Overview (1)
The HTTP Proxy allows to do:
User Authentication
Content Filtering
HTTP Protocol Enforcement

The content filter works with:
SurfControl
Astaro AV
Clam AV

Web Security
/ HTTP Proxy Overview (2)
The HTTP Proxy relays HTTP, HTTPS, FTP and WebDAV queries.
HTTP and FTP queries are cached on disk and in memory.

[Figure: clients send FTP, HTTP and HTTPS requests through the FTP/HTTP Proxy & Cache]

Web Security
/ HTTP Proxy - Workflow

Flexible configuration is possible through so-called Proxy Profiles and Filters.
Each Profile holds a combination of options and settings.

Web Security
/ Content Classification
Text Classification
Text is categorized using Bayesian statistical methods and vector machine algorithms.
Optical Character Recognition (OCR)
OCR recognizes text in graphics and images, and can even analyze colored type
or transparent text on any background. This module supports a wide range of
type fonts, colors, sizes and rotations.
Logo and Object Recognition
This module searches for logos, symbols and other graphical elements in photos.
Variations in size, color and rotation are taken into consideration.
Face Recognition
This module recognizes faces, including color, hue and texture. With high-quality
images, it is even possible to search for individual persons.
Pornography and Recognition of Nudity
This module identifies nudity by analyzing the qualities of human skin and
individual skin tones.
Digital Fingerprint
This module characterizes and labels images and data for later identification on
the Internet, intranets or in e-mail messages.

HTTP Proxy Configuration Overview


Web Security
/ HTTP Proxy (1)
HTTP Proxy Global Configuration


Web Security
/ HTTP Proxy (2)
Operational Modes

Standard
The proxy listens on port 8080.
Any network listed in Allowed Networks may connect.
The client browser must be configured to use the proxy.
The HTTP proxy service requires a valid Domain Name Server (DNS).

Transparent
The proxy handles all traffic on port 80.
Clients do not need to touch their browser configuration.
The proxy cannot handle FTP and HTTPS; the packet filter must allow ports 21 and 443.
HTTP on ports other than 80 is not handled.
Clients must be able to resolve hostnames themselves.


Web Security
/ HTTP Proxy (3)
Operational Modes with User Authentication:
Basic
Active Directory
Novell eDirectory

Enabling User Authentication brings up a User/Group selection dialog.


Web Security
/ HTTP Proxy (4)
Configuring User Authentication for HTTP:
When you have selected one of the user authentication operation modes, a Users/Groups selection box pops up.
Drag and drop the allowed users and groups into this box.


Web Security
/ Anti Virus
HTTP Anti Virus
Enable/disable virus scanning.
Use one or both virus scanners and, if available, the hardware scan engine.
Virus-scan files up to this size.
Disallow downloads by file extension.


Web Security
/ Content Filter (1)
HTTP Content Filter:
Default profile
Operation mode: Blacklist or Whitelist
Categories to block or allow
Blacklist/whitelist these URLs
Activate Spyware Protection
Control Active Content removal


Web Security
/ Content Filter (2)
HTTP Content Filter
Category assignment
The number of categories is fixed; names and contents can be edited.

[Screenshot: name of category, assigned subcategories, modify name and assignment]


Web Security
/ Content Filter (3)
HTTP Content Filter
Exceptions
Content Filter Exceptions, e.g. windowsupdate.com
Skip individual checks (Authentication, Anti Virus, Content Filter) for selected hosts.


Web Security
/ Content Filter Profiles (1)
HTTP Content Filter Profiles
Content Filter Profiles allow different users (or user groups) and network areas to be treated differently.
The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.


Web Security
/ Content Filter Profiles (2)
HTTP Content Filter Profiles
A Proxy Profile combines Source Networks, Filter Assignments and Authentication Methods.
Proxy Profiles are processed in order.


Web Security
/ Content Filter Profiles (3)
HTTP Content Filter Profiles
A Filter Assignment combines Users and User Groups, Access Times and Filter Actions.


Web Security
/ Content Filter Profiles (4)
HTTP Content Filter Profiles
Filter Actions
Work either as Blacklist or Whitelist.
Contain the things to block or allow:
Blacklisted/Allowed Sites
Categories or uncategorized
Spyware
Content
Virus


Web Security
/ HTTP Content Filter Working Principle

[Diagram: a WWW request passes through the Proxy Profile (Networks, Authentication Methods), then the Filter Assignment (Users, Groups, Time, Action), then the Filter Actions (Categories, Anti-Virus, Content Removal)]

Web Security
/ HTTP Proxy Advanced Options

Skip hosts and networks for transparent proxying.
The port to listen on for client requests.
Write an access log file at all?
Care for those services outside.
If integrated in a proxy hierarchy, use this parent.
The parent proxy takes the configured username and password if authentication is necessary.


Web Security
Review Questions


Web Security
/ Review Questions
1. What do you need to consider when using NTLM Authentication if your PC is not assigned to the domain ASLLAB?
2. Is it possible to limit access to Entertainment, Trading and Gambling during working hours but to allow it after 6 p.m.?
3. What happens if you have created time-based profiles for groups during working hours but defined nothing for after hours?
4. What is the default Profile meant for?
5. What might be reasons if NTLM is not working correctly?
6. What is the purpose of different profiles?
7. What happened when downloading eicar.com from the Internet?
8. What would you recommend if servers download larger patches automatically over the HTTP proxy and virus scanning is enabled?


Refresher: SMTP Proxy


Upon completion of this chapter you will be able to perform the following:
Explain the SMTP proxy architecture


SMTP Proxy
/ Overview
Simple Mail Transfer Protocol
SMTP relay shields your internal mail server from
malformed, malicious, and unwanted messages
Can relay incoming and outgoing mails
Scans mails for viruses and other malicious data
Deals with SPAM
NOTES:
The SMTP proxy also supports subdomains
To use the SMTP proxy correctly, a valid name server (DNS)
must be configured


SMTP Proxy
/ Relaying Incoming / Outgoing e-mail
Define the domains the security system should be responsible for
You should have a DNS MX record for every domain pointing to the security system
Specify the internal server to which e-mails should be forwarded
Decide whether you want to scan the content of outgoing e-mails
Define which networks and hosts are allowed to send outgoing e-mail using the security system (never use ANY)
Optionally you can switch on authenticated relaying for single users
Define a smarthost if outgoing e-mail is not delivered to the recipient directly


SMTP Proxy
/ Anti-Virus
Anti-Virus scanning checks every message for viruses, worms and other malware
Astaro Security Gateway features several anti-virus engines for best security
Single Scan provides maximum performance
Dual Scan uses two different scan engines for an extra level of security
Optionally activate the hardware accelerated scanner (only supported with hardware appliances ASG425/ASG525)
Messages containing malicious content will be blocked and stored in the e-mail quarantine or instantly removed
Unwanted file attachments can be blocked by file extension
End users can review and release their quarantined messages either through the Astaro End User Portal or the daily End User Spam Report
Using the Pattern Up2Date, you will always be protected against the latest threats


SMTP Proxy
/ Anti-Spam: Overview
Provides many "arrows for the quiver" to keep unwanted e-mails from entering the network
Users can consult real-time blackhole lists and allow certain senders or networks to be exempt from many of the checks
Expression (keyword) filtering can take action on messages that contain certain patterns in the subject line or message body
Astaro Security Gateway features several techniques to reduce spam:
Realtime Blackhole Lists
Advanced heuristic analysis
Greylisting
SPF record checks
BATV reverse path signing


SMTP Proxy Refresher
Review Questions


SMTP Proxy
/ Review Questions
1. What is the fundamental precondition for the SMTP proxy to handle incoming e-mails?
2. Is it possible to configure more than one SMTP route?
3. What are possible configuration options to avoid spam?
4. What is user spam releasing?
5. What happens to spam messages sent from hosts listed in Allowed Networks?
6. Does Virus Protection also check outgoing e-mails?
7. What are the options to handle unwanted e-mails?
8. What happens if BATV is turned on?


E-mail Encryption
Upon completion of this chapter you will be
able to perform the following:
Configure & test e-mail encryption using S/MIME or
OpenPGP


E-mail Encryption
/ Motivation
E-mail is still one of the most used services
Over 95% of all e-mails are sent as plain text!
Would you send your tax declaration on a postcard?

Protect your intellectual property and privacy!

Business Requirements: industry espionage, data protection, secure cooperation, cost effectiveness
Formal/Legal Requirements: Basel II, HIPAA, Sarbanes-Oxley, industry initiatives


E-mail Encryption
/ Goals
What objectives are to be achieved using secure e-mail?
1. Confidentiality
Encryption: only a recipient who possesses the correct private key can decrypt and read the content of the e-mail
2. Integrity
Hashes: assure that the content has not been altered during transport over the Internet
3. Authenticity/Non-Repudiation
Digital Signatures: endorse that the content was sent by a specific user
Digital Certificate: attests that a public/private key pair actually belongs to a specific user; issued by a trusted third party (Certificate Authority, CA)


E-mail Encryption
/ Standards
S/MIME (Secure / Multipurpose Internet Mail Extensions, V3.1, RFC 3850-52)
Uses X.509 digital certificates for securing MIME-encapsulated e-mails
Implemented by MS-Outlook, Thunderbird, Lotus Notes, ...
Algorithms: RSA, SHA-1, MD5, 3DES, AES
OpenPGP (Pretty Good Privacy, RFC 2440)
Uses public/private keys for securing e-mails (and other content) within a web of trust
No central certificate authority -> keys are signed by other users
Used by commercial and open source software (GnuPG, PGP, ...)
Algorithms: DSA/ElGamal, RSA, SHA-1, MD5, AES, 3DES, CAST5
Both standards provide e-mail encryption and digital signing via similar public key mechanisms
However, they are not compatible with each other!

E-mail Encryption
/ E-mail Encryption & Content Scanning
[Diagram: two deployments compared. Encryption software on the client: internal users exchange OpenPGP or S/MIME e-mail end-to-end through the e-mail server and SMTP. Encryption software on the gateway (no additional software on the client): the e-mail server hands plain e-mail to the Astaro Security Gateway, which performs content scanning/virus protection, e-mail encryption & digital signing and management of keys & certificates, and exchanges OpenPGP or S/MIME e-mail with external users]

E-mail Encryption
/ Configuration in a few steps

Configuration of e-mail encryption is easy and done in a few simple steps:
1. Activate e-mail encryption in WebAdmin
2. Accept or change the Default Policy
3. Enter e-mail addresses of internal users
4. Import the public key or certificate of external recipients
Done


E-mail Encryption
/ Activate e-mail Encryption

Enable e-mail encryption
Fill in organization details
Save and create the e-mail CA

NOTE: You have to configure the SMTP proxy properly!


E-mail Encryption
/ Generate CA certificate and postmaster (1)

Automatic generation of S/MIME certificate authority (CA)
Automatic generation of OpenPGP postmaster


E-mail Encryption
/ Generate CA certificate and postmaster (2)

Unique fingerprint for verification
Download the public CA certificate and send it to your recipients.


E-mail Encryption
/ Define default policy

By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), if provided.
If the foreign CA certificate exists on the security system, user certificates can automatically be extracted and imported from incoming e-mails.

E-mail Encryption
/ Create internal users (1)
Create a new entry for every user who should encrypt outgoing e-mails
Use the default policy or set individual options
Import existing OpenPGP keys and X.509 certificates or let the security system generate them automatically
Upload of X.509 certificates with private keys requires the PKCS#12 format with a passphrase
The OpenPGP public and private key have to be provided in a single file without any passphrase


E-mail Encryption
/ Create internal users (2)

Keys and certificates are generated automatically by the security system, if desired

Download the public keys and certificates and provide them to your e-mail recipients


E-mail Encryption
/ Import public OpenPGP-keys

To create recipients using OpenPGP, just import a keyring file with one or multiple public keys
Every imported key is trusted and an entry with the first e-mail address on this key is created
E-mails for recipients listed here are automatically encrypted


E-mail Encryption
/ Import public X.509 certificates
To create recipients using S/MIME with X.509 certificates you can import a public certificate for every single recipient, or you can import a CA certificate and let the security system extract the public certificates from incoming signed e-mails (see next step)
If you import an X.509 user certificate manually, messages from the e-mail address associated with this certificate are always trusted without the need to import the appropriate CA certificate!
The source is always trusted!


E-mail Encryption
/ Use case: Send encrypted e-mail
[Diagram: the internal client's e-mail server (hs@asllab.net) hands the message via SMTP to the Astaro Security Gateway, which forwards it via SMTP to mail.extern.corp; the recipient's client fetches it via POP3 and decrypts on the client with S/MIME or OpenPGP]

1. Internal client sends plain e-mail to ASG
2. ASG searches for an X.509 certificate or OpenPGP key for recipient user1@extern.corp in the local database
3. According to policy, the e-mail is encrypted and signed
4. The encrypted e-mail is delivered to the mail server of the recipient
5. Recipient fetches the e-mail from the server and decrypts it using client software (e.g. Mozilla Thunderbird)


E-mail Encryption
/ Advanced Topics: S/MIME authorities
Import a public CA certificate to achieve multiple objectives:
Every incoming e-mail signed by a certificate issued by this CA is verified valid (if the content is not altered during transport)
If Automatic extraction of S/MIME certificates is enabled, X.509 user certificates attached to a signed S/MIME message issued by this CA are extracted and imported
Astaro Security Gateway ships several public keys of commercial Certification Authorities:
Trustcenter (http://www.trustcenter.de)
S-TRUST (http://www.s-trust.de)
Thawte (http://www.thawte.com)
Verisign (http://www.verisign.com)
and more
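The default policy, the trust rules for imported user certificates and CAs, and the send-encrypted use case, as one added example (Python, not Astaro's code) that models the gateway's decisions: recipient lookup and choice of standard for outgoing mail, and the trust verdict for incoming signed S/MIME mail with automatic certificate extraction. The CA name "Extern Corp CA", the key IDs and the internal user it@asllab.net are constructed, and the cryptographic checks themselves are outside the model.

```python
# Added example (not Astaro code): a model of the decisions the e-mail
# encryption slides describe. Outgoing: look the recipient up in the local
# database and, per the default policy, scan, sign and encrypt with the
# recipient's standard; S/MIME and OpenPGP are not compatible, so the sender
# needs material of that standard. Incoming: a signed S/MIME message is
# trusted when the signer certificate was issued by an imported CA, or when
# the user certificate itself was imported manually; with a trusted CA an
# attached user certificate is extracted and imported. The cryptographic
# signature check itself is outside this model. CA names, key IDs and the
# user it@asllab.net are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Recipient:
    standard: str                    # "smime" or "openpgp"
    key_id: str                      # constructed fingerprint / key ID
    issuer: str = ""                 # issuing CA (S/MIME only)
    manually_imported: bool = False  # imported by the administrator


@dataclass
class InternalUser:
    address: str
    smime_cert: str = ""             # "" when the user has no X.509 key pair
    openpgp_key: str = ""            # "" when the user has no OpenPGP key


@dataclass
class Gateway:
    trusted_cas: set                 # imported public CA certificates
    users: dict                      # address -> InternalUser
    recipients: dict = field(default_factory=dict)   # address -> Recipient
    auto_extract: bool = True
    policy: dict = field(default_factory=lambda: {"scan": True, "sign": True, "encrypt": True})

    def outgoing(self, sender, to):
        """Actions applied to one outgoing message, in order."""
        user = self.users.get(sender)
        if user is None:             # not an internal encryption user
            return ["relay-unchanged"]
        actions = ["scan"] if self.policy["scan"] else []
        rcpt = self.recipients.get(to)
        if rcpt is None:             # nothing to encrypt with: goes out plain
            return actions + (["sign"] if self.policy["sign"] else []) + ["deliver-plain"]
        own = user.smime_cert if rcpt.standard == "smime" else user.openpgp_key
        if self.policy["sign"]:
            # The recipient can only verify a signature of its own standard.
            actions.append(f"sign-{rcpt.standard}" if own else f"skip-sign-no-{rcpt.standard}-key")
        if self.policy["encrypt"]:
            actions.append(f"encrypt-{rcpt.standard}-for-{rcpt.key_id}")
        return actions

    def incoming_smime(self, sender, signer_fp, issuer, cert_attached=True):
        """Trust decision for a signed S/MIME message; returns (verdict, reason)."""
        known = self.recipients.get(sender)
        if (known and known.standard == "smime" and known.manually_imported
                and known.key_id == signer_fp):
            return "valid", "user certificate imported manually: always trusted"
        if issuer not in self.trusted_cas:
            return "unverified", f"issuer '{issuer}' is not an imported CA"
        if self.auto_extract and cert_attached and known is None:
            self.recipients[sender] = Recipient("smime", signer_fp, issuer)
            return "valid", f"issued by trusted CA '{issuer}'; certificate extracted and imported"
        return "valid", f"issued by trusted CA '{issuer}'"


def demo():
    """Walk the use-case flow: hs@asllab.net exchanges mail with extern.corp."""
    gw = Gateway(
        trusted_cas={"Extern Corp CA"},          # constructed CA name
        users={"hs@asllab.net": InternalUser("hs@asllab.net", "x509:HS01", "pgp:HS02")},
        recipients={"user1@extern.corp": Recipient("openpgp", "pgp:U1"),
                    "user4@extern.corp": Recipient("smime", "x509:U4", "Unknown CA", True)},
    )
    out = {"pgp": gw.outgoing("hs@asllab.net", "user1@extern.corp")}
    out["nokey"] = gw.outgoing("hs@asllab.net", "nobody@extern.corp")
    # A signed message from user2 arrives; its CA is imported, so the
    # certificate is extracted and user2 becomes an encryptable recipient.
    out["in_user2"] = gw.incoming_smime("user2@extern.corp", "x509:U2", "Extern Corp CA")
    out["smime"] = gw.outgoing("hs@asllab.net", "user2@extern.corp")
    out["in_user3"] = gw.incoming_smime("user3@extern.corp", "x509:U3", "Unknown CA")
    out["in_user4"] = gw.incoming_smime("user4@extern.corp", "x509:U4", "Unknown CA")
    # A sender without an OpenPGP key cannot sign for an OpenPGP recipient.
    gw.users["it@asllab.net"] = InternalUser("it@asllab.net", "x509:IT01")
    out["nosignkey"] = gw.outgoing("it@asllab.net", "user1@extern.corp")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} {value}")
```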


E-mail Encryption
Review Questions


E-mail Encryption
/ Review Questions
1. What objectives are to be achieved using secure e-mail?
2. Which algorithms are supported by S/MIME?
Symmetric encryption/Signatures
Asymmetric encryption
Hashes
3. Which algorithms are supported by OpenPGP?
Symmetric encryption/Signatures
Asymmetric encryption
Hashes
4. Which information has to be provided to start S/MIME CA certificate and OpenPGP Postmaster generation?
5. Which options can be set for the default policy?
6. Which file types are supported to import S/MIME certificates or OpenPGP keys for internal users?
7. For which standard is automatic extraction of foreign certificates or keys supported?
8. Do you need a passphrase for internal OpenPGP keys?
9. Which steps are needed to send and receive encrypted e-mails to and from external recipients?
10. Do you have to import the public S/MIME CA of external recipients before you can send them encrypted e-mails?

High Availability & Clustering

In this chapter you will learn about:
High Availability
High Performance
Working Principle


High Availability & Clustering
/ Overview
No more single point of failure!

[Diagram: LAN and Internet connected through redundant switches, redundant links and redundant hardware; legend: aggregated links]


High Availability & Clustering
/ HA Modes
Active-Passive HA (Standby)
This mode existed in earlier versions
Only the Master is active
The Passive unit (Slave) takes over in case of failure
Configuration and operating states are synchronized
This includes IP connection states and e-mail

Active-Active HA (Cluster)
New in Version 7!
Offers High Availability AND load balancing
All appliances are working
If one unit fails, all other units take over
Load is actively balanced


High Availability & Clustering
/ Feature Overview
Active-Active HA (Cluster)
Increased Appliance Performance
Faster handling of performance-intensive tasks using:
Accelerator Card (needs an additional PCI slot)
Other appliances in cluster mode (only one port and cable; one logical FW unit (cluster); increases availability)
Increased Network Performance
Link Aggregation (logical interface)


High Availability & Clustering
/ Hot Standby Mode

[Diagram: Master and Slave with status & config synchronisation between them]

All tunnels, SPF connections (IP conntrack) and quarantined objects are synchronized.
Stateful failover in < 2 sec.


High Availability & Clustering
/ Active-Active Mode
High Availability (Active/Active) with load balancing

[Diagram: Master, Slave and cluster nodes, fully meshed between LAN and Internet; the Master runs packet filtering and distributes the load, Slave and cluster nodes handle the load; scalable to 1 Gigabit/sec for VPN, IPS, AV, AS]

Note:
Packet Filtering runs on the Master only.
Balanced services are:
AV for HTTP, FTP, SMTP, POP3
AS for SMTP, POP3
IPSec
IPS
Cluster distribution is round robin, except HTTP, which is session based.
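The distribution rule above as an added example (Python, not Astaro's code): packet filtering stays on the Master, balanced services go round robin over the Slave and cluster nodes, HTTP sticks to the node its session was first placed on, and a failed node's work moves to the survivors. Node names, client addresses, the use of the client address as session key and the re-placement of a session after its node fails are assumptions.

```python
# Added example (not Astaro code): a model of the Active-Active distribution
# rule on the slide. Packet filtering stays on the Master; the balanced
# services (AV for HTTP/FTP/SMTP/POP3, AS for SMTP/POP3, IPSec, IPS) go to the
# Slave and cluster nodes round robin, except HTTP, which is session based;
# when a node fails the remaining nodes take its work over. Node names and
# client addresses are constructed, and two details the slide leaves open are
# assumptions: a new HTTP session is placed by the same round robin and then
# stays on its node (keyed by client address here), and a session whose node
# failed is re-placed on a surviving node.

BALANCED = {"AV-HTTP", "AV-FTP", "AV-SMTP", "AV-POP3",
            "AS-SMTP", "AS-POP3", "IPSec", "IPS"}


class Cluster:
    def __init__(self, master, workers):
        self.master = master
        self.workers = list(workers)    # Slave plus cluster nodes, in node-ID order
        self.failed = set()
        self.sessions = {}              # HTTP session key -> node
        self._turn = 0                  # round robin position

    def fail(self, node):
        self.failed.add(node)

    def recover(self, node):
        self.failed.discard(node)

    def _next_node(self):
        alive = [n for n in self.workers if n not in self.failed]
        if not alive:
            raise RuntimeError("no node left to carry balanced services")
        node = alive[self._turn % len(alive)]
        self._turn += 1
        return node

    def dispatch(self, service, client_ip):
        """Return the node that handles this unit of work."""
        if service == "packet-filter":
            return self.master           # never balanced
        if service not in BALANCED:
            raise ValueError(f"{service} is not a balanced service")
        if service != "AV-HTTP":
            return self._next_node()     # plain round robin
        node = self.sessions.get(client_ip)
        if node is None or node in self.failed:
            node = self._next_node()     # new session, or its node is gone
            self.sessions[client_ip] = node
        return node


def demo():
    """Exercise round robin, HTTP session stickiness and node failure."""
    c = Cluster("Master", ["Slave", "Node2", "Node3"])
    out = {"pf": c.dispatch("packet-filter", "10.0.0.1")}
    out["smtp"] = [c.dispatch("AV-SMTP", f"198.51.100.{i}") for i in range(4)]
    out["http_first"] = c.dispatch("AV-HTTP", "203.0.113.5")
    out["http_again"] = c.dispatch("AV-HTTP", "203.0.113.5")
    c.fail("Node2")
    out["http_after_failure"] = c.dispatch("AV-HTTP", "203.0.113.5")
    out["ipsec"] = [c.dispatch("IPSec", f"198.51.100.{i}") for i in range(3)]
    c.recover("Node2")
    out["http_after_recovery"] = c.dispatch("AV-HTTP", "203.0.113.5")   # stays put
    out["smtp_after_recovery"] = c.dispatch("AV-SMTP", "198.51.100.9")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```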

High Availability & Clustering
/ Auto Configuration (1)
Automatic Configuration = Default Configuration
Both devices configure themselves upon connection through the HA port
To configure an Active/Active Cluster, only the Master needs to be configured to Cluster Mode
Appliances: HA interface eth3 (HA port)

[Diagram: Master and Slave connected via the HA port (eth3)]


High Availability & Clustering
/ Auto Configuration (2)
Step 1:
Activate HA (if necessary)
Default setting for appliances (HA port)
If HA is active, Status will look like this.


High Availability & Clustering
/ Auto Configuration (3)
Step 2:
Connect the other HA device
Make sure the cabling is correct
Start the device
If everything is correct, the system switches to active/passive operation automatically:


High Availability & Clustering
/ Disabling Master-Slave
Disabling Master/Slave:
Switch the Operation mode back to Off.
The slave device will perform a factory reset and shut down.


High Availability & Clustering
/ ASG Cluster Configuration (1)
Cluster Configuration:
For the Master System:
Set Operation Mode to Cluster
Configure NIC
Configure Device name, e.g. Node1
Select Node ID (1, 2, 3)
Configure an encryption key


High Availability & Clustering
/ ASG Cluster Configuration (2)
Cluster Configuration:
For the Slave System:
The slave system is still configured to auto configuration on eth2 from before (check, if not sure)
Make sure cabling is correct
Power on the device
Once the slave is working, you can see the HA status.
It will display Operation Mode: Cluster


High Availability
Review Questions


High Availability
/ Review Questions
1. Which HA options are supported by Astaro?
2. How many nodes are supported in Cluster Mode?
3. What are the requirements for Active / Passive? Cluster Mode?
4. Which device corresponds with the HA Port in the Appliances?
5. Which applications are balanced to other nodes in cluster mode?
6. How is the load distributed between the cluster nodes?


Refresher: SSL-VPN
In this chapter you will learn to configure, test
and maintain:
Remote Access using SSL-VPN


Remote Access
/ Brief Technology Comparison
PPTP
Developed by Microsoft
Based on PPP protocol
Included in MS-Windows
Easy to install and use
Weak security: session key dependent on password

IPSec
De-facto standard for VPNs today (optimized for site-to-site VPN)
Many alternative mechanisms: complex protocol, many possible failures
The most secure protocol (if correctly configured)
Access not always possible from each network (if ports blocked by firewalls)

L2TP (over IPSec)
Used by Microsoft
Tunnels all layer 3 protocols (like PPTP)
More secure than PPTP (using IPSec security mechanisms)
Adds another layer of complexity to IPSec

SSL
De facto standard for online shops (optimized for remote access)
Easy to install and use
Passes through most firewalls (even through proxies, uses only one port)
Network configuration automatically updated (VPN networks, DNS/WINS/domain)


SSL-based Remote Access
/ Technology and Terminology (1)
Secure, private Internet connections
Transparent to transported protocols (FTP, Telnet), optimized for HTTP
Security measures:
Encryption
Source authentication
Message authentication
TLS Handshake Protocol provides:
Peer identity verification (uses public keys)
Shared key negotiation
TLS Record Protocol provides:
Privacy via symmetric encryption (DES, RC4), keys generated during the TLS handshake
Reliability via HMAC mechanisms (SHA, MD5)



SSL-based Remote Access
/ Technology and Terminology (2)
Digital passport
Describes an entity, which can be a machine or a person
Contains identifying information
Must be issued (and signed) by a certification authority
Server certificate
Describes the server, typically a Web server
Includes organization name and fully qualified domain name
Client certificate
Electronic driver's license
Contains identifying information about the holder of the certificate
CA root certificates
The CAs vouch for the validity of the information contained within the certificate
The browser or server trusts the certificate because it trusts the CA

Remote Access
/ The promise of SSL VPNs
The promise of SSL VPNs
Easy to install
Does not require a client (uses SSL mechanisms integrated into each browser)
Allows remote access from anywhere, including internet cafes and hot spots
Sufficient security
Also supporting certificates

SSL VPNs - the real world
Browser based (clientless) remote access only for web based applications
Allows remote access from internet cafes, but do you really want to use an unknown PC for accessing sensitive company data?
Think about the traces that you will leave behind on the PC (through autocomplete, caches, cookies, temporary files and browser history)
And what about hidden trojans and keyloggers installed on the PC?
SSL offers solid security, although not as paranoid as IPSec


Remote Access
/ SSL VPN native application support
Webifier
Transforms native applications into web-based applications
Usage is not as comfortable as with native applications (different GUI)
Often out of action due to complex protocol transformation
Requires much processing power on SSL VPN gateway
Port forwarding
Applet on client forwards traffic for each server/application through SSL
tunnel to SSL gateway
Typically requires admin rights on client
ActiveX controls within browser
ActiveX-Agent forwards all traffic through SSL tunnel
Real network access through virtual network interface
Dependent on OS and browser (MS-Windows/IE only)
SSL client
Offers the same benefits as ActiveX controls (full network access)
Platform independent


Remote Access
/ Astaro One Click VPN
Complete Remote Access VPN functionality
Feature rich clients for SSL and IPSec
Astaro SSL VPN Client
Astaro Secure Client

One Click Installation
With the new self service user portal, download complete individual client packages with just one mouse click:
Client software
Client configuration
Keys & certificates


Remote Access
/ Astaro SSL VPN Client
Based on OpenVPN Client
Uses latest SSL version (TLS)
Proven technology, used for all internet applications
Offers secure and stable authentication and encryption
Easy installation and configuration
Platform independent: Windows, Linux, MacOS X, Solaris, OpenBSD, FreeBSD, NetBSD
Accessible from anywhere: via NAT, UMTS, GPRS, DSL, ...
Using dynamic IP addresses


SSL-based Remote Access
/ Conclusion
SSL VPNs are a great alternative to current remote access technology
Clientless SSL VPNs only offer limited capability
You will require some form of client for complete transparent remote access
Client based solutions do not have to be complex in any case
Astaro's VPN solutions provide an industry-unique combination of secure, feature rich remote access and an easy to use One-Click installation capability


SSL-based Remote Access
/ Configuration Steps in detail (1)
Define the user account for the remote host:
Open the Users >> Users page.
Define a new user account for the remote client.
With remote access via SSL this user account is necessary for accessing the Astaro End User Portal and for VPN.
Use static remote access IP: With Remote Access via SSL it is not possible to assign a static IP address to the user. Leave this option deactivated if the user uses only the remote access via SSL.


SSL-based Remote Access
/ Configuration Steps in detail (2)
Configure the SSL remote access:
Open the Remote Access >> SSL page.
On the Global tab enable the SSL remote access by clicking Enable.
Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.
Local certificate: In order to authenticate to VPN clients, the SSL server needs a local certificate (in this example: Local X.509 Cert - this certificate is automatically preset).


SSL-based Remote Access
/ Configuration Steps in detail (3)
Configure the advanced SSL remote access settings: Open the Remote Access >> SSL >> Advanced tab.
You must define this packet filter rule if you have disabled the Automatic packet filter rule function during the configuration of the SSL remote access in step 3.
Override hostname: The value in this dialog box is used as the target hostname for client VPN connections and is by default the hostname of the firewall. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.


SSL-based Remote Access
/ Configuration Steps in detail (4)
Configure the Packet Filter for SSL-based Remote Access:
Open the Network Security >> Packet Filter >> Rules tab.
Source: Remote host or user (in this example: amertz).
Service: Set the service.
Destination: The allowed internal network (in this example: Internal (Network)).
Action: Allow.
Also define which host/network should be able to send traffic back!

Astaro 2007 / ACE_V7.00-0.16

Astaro Security Gateway V7 - Astaro Certified Engineer Page 196

SSL-based Remote Access
/ Configuration Steps in detail (5)
Define the masquerading rule (optional):
Masquerading is only needed if remote users, who receive private IP addresses from the VPN pool, shall reach the Internet through the gateway with an official IP address.
Activate the proxies (optional):
If remote employees shall access URL services via the remote access, you may configure the required proxies (DNS and HTTP) on the ASG.

SSL-based Remote Access
/ Configuration Steps in detail (6)
Enable the End User Portal and define the allowed networks and users.
Configuration of the remote client:
Users open a browser and enter the address of the Astaro End User Portal (https:// followed by the IP address of the ASG; the request will be redirected to the portal), log in, and download the software and certificates.

SSL-based Remote Access
/ Configuration Steps in detail (7)
The SSL VPN section of the portal contains the software and keys for the SSL client, with three options:
A complete software package with the pertinent key for a new installation.
A configuration update, with new keys, for an already installed SSL VPN client.
A ZIP archive for the configuration of SSL VPN on Linux, MacOS X, BSD and Solaris.
Next, unpack the installation package and launch the file setup.exe.

SSL-based Remote Access
/ Configuration Steps in detail (8)
Installing the SSL VPN client software:
The installation wizard copies all needed files to the client system.
A virtual network card will be installed during the installation process. Since the relevant driver is not certified by Microsoft, a warning message will appear; it can be accepted for this installer. Make sure the package was obtained from the End User Portal of your own gateway over HTTPS before accepting an unsigned driver.

SSL-based Remote Access
/ Configuration Steps in detail (9)
Using the SSL client:
Log in with username and password.
The connection dialogue box allows you to monitor the set-up of the connection.
The SSL VPN remote access can be disconnected by clicking Disconnect.

SSL-based Remote Access
/ Configuration Steps in detail (10)
Connectivity testing:
Once the client shows the connection as established, verify that a host in the allowed internal network (Internal (Network) in this example) can be reached through the tunnel and that the packet filter rule from step 4 passes the traffic.

Site-to-Site VPN using certificates

Upon completion of this chapter you will learn:
About IPSec protocols from a more detailed perspective
How to create and manage X.509 certificates
How to establish IPSec connections with certificate-based authentication of VPN partners
How to find and solve typical VPN-related problems

Site-to-Site VPN
/ Supported Protocols & Parameters (1)
IPSec provides two security functions at the IP (Internet Protocol) level:
Authentication
Encryption

This requires a higher-level protocol (IKE) for the setup of the IP-level services (ESP, AH).
Three protocols are used in an IPsec implementation:
ESP, Encapsulating Security Payload: encrypts and/or authenticates data (IP protocol 50)
AH, Authentication Header: provides a packet authentication service only (IP protocol 51)
IKE, Internet Key Exchange: negotiates connection parameters, including keys (UDP port 500)

IKE (Internet Key Exchange) is defined in RFC 2409 and is based on the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408), the IPsec Domain of Interpretation (DOI, RFC 2407), OAKLEY (RFC 2412) and SKEME (Secure Key Exchange Mechanism).
ASG V7 uses strongSwan, a mature open-source Linux implementation of IPSec.

Site-to-Site VPN
/ Supported Protocols & Parameters (2)
In IPSec, two protocols and two modes exist:
ESP vs. AH
Transport mode vs. tunnel mode
The most secure and flexible combination is ESP in tunnel mode; the Astaro Security Gateway only supports this combination.

ESP is an IP protocol of its own (protocol number 50) on the same level as TCP, UDP and ICMP. IPSec is a non-proprietary, open standard.
In ESP tunnel mode, each original IP packet is encapsulated as a whole in a new IP packet using protocol ESP. The original IP header is carried unchanged inside the encrypted payload, and the complete original packet is encrypted and authenticated:

  +---------------+------------+--------------------+-------------------+-------------+
  | New IP header | ESP header | Original IP header | TCP or UDP header | Packet data |
  +---------------+------------+--------------------+-------------------+-------------+
                               |<-------------------- encrypted ---------------------->|
                  |<------------------------- authenticated --------------------------->|

(The ESP trailer and the integrity check value follow the packet data; the new IP header itself is neither encrypted nor authenticated.)
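The tunnel-mode framing above, built and checked in code. This is an added example and not part of the Astaro courseware: it uses the NULL encryption algorithm (which the ASG lists as an IPSec option) together with HMAC-SHA1-96, so that it runs with the Python standard library alone; a real tunnel puts 3DES or AES into the same frame. The IP headers, addresses and the authentication key are constructed sample values. Besides the frame layout it shows what the ESP integrity check covers: rewriting the outer IP header, as a NAT device would, leaves the ICV valid, while any change to the encapsulated packet is detected.

```python
"""Tunnel-mode ESP framing with NULL encryption (RFC 2410) and HMAC-SHA1-96 (RFC 2404).

Added example, not taken from the Astaro courseware. All packets, addresses and the
authentication key are constructed demo values.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50        # IP protocol number of ESP (carried in the outer IP header)
NEXT_HEADER_IPV4 = 4  # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte HMAC is truncated to 96 bits


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left at zero; enough for framing)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, src_b, dst_b)


def esp_encapsulate(inner_packet, spi, seq, auth_key):
    """ESP header + (NULL-encrypted) inner packet + ESP trailer + ICV."""
    # Trailer: padding so that pad length + next header end on a 4-byte boundary.
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))        # default pad pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, NEXT_HEADER_IPV4])
    header = struct.pack("!II", spi, seq)
    authenticated = header + inner_packet + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp_packet, auth_key):
    """Verify the ICV and return (spi, seq, inner_packet); raise on tampering."""
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header %d" % next_header)
    return spi, seq, body[8:len(body) - 2 - pad_len]


def tunnel(inner_packet, spi, seq, auth_key, gw_src, gw_dst):
    """Outer IP header (gateway to gateway) in front of the ESP packet."""
    esp = esp_encapsulate(inner_packet, spi, seq, auth_key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def untunnel(packet, auth_key):
    """Strip the outer header (not covered by the ICV) and decapsulate."""
    return esp_decapsulate(packet[20:], auth_key)


def demo():
    """Constructed run: a TCP SYN 10.1.1.5 -> 10.2.2.7 carried between two gateways."""
    auth_key = hashlib.sha1(b"constructed demo key").digest()
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 6, 20 + len(tcp)) + tcp
    pkt = tunnel(inner, 0x1000ABCD, 1, auth_key, "203.0.113.1", "198.51.100.2")
    spi, seq, recovered = untunnel(pkt, auth_key)

    # A NAT device rewrites the outer header only; the ICV does not cover it.
    natted = ipv4_header("192.0.2.9", "198.51.100.2", ESP_PROTO, len(pkt)) + pkt[20:]
    _, _, after_nat = untunnel(natted, auth_key)

    # Any change inside the ESP body (here: inner destination address) is caught.
    tampered = bytearray(pkt)
    tampered[20 + 8 + 16] ^= 0x01
    try:
        untunnel(bytes(tampered), auth_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"spi": spi, "seq": seq, "inner_ok": recovered == inner,
            "survives_outer_nat": after_nat == inner,
            "tamper_detected": tamper_detected, "esp_len": len(pkt) - 20}


if __name__ == "__main__":
    print(demo())
```

The 40-byte inner packet needs two bytes of padding so that the trailer ends on a 4-byte boundary; the ESP part of the datagram is therefore 8 + 40 + 4 + 12 = 64 bytes. Note that the unprotected outer header is exactly what a NAT device may rewrite, which matters for the NAT traversal discussion later in this course: ESP does not break because its ICV fails, but because NAPT has no port numbers to work with.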

Site-to-Site VPN
/ Supported Protocols & Parameters (3)
IKE happens in two phases:
Phase 1: negotiate the parameters (SA, Security Association) for the key exchange itself (the ISAKMP SA), using Aggressive Mode or Main Mode.
Phase 2: create the SA for IPsec (the IPsec SA), using Quick Mode.

A Security Association is a set of parameters which is established between the two communicating partners of a connection and consists of:
Identification, using preshared keys (PSK) or certificates (X.509)
Encryption algorithms used to secure the IPsec connection
From which (IP) network the IPsec connection starts
In which (IP) network the connection ends
Period of time after which both partners have to re-authenticate each other (ISAKMP SA lifetime)
Period of time after which all IPsec keys have to be negotiated again (IPsec SA lifetime)

Site-to-Site VPN
/ ISAKMP and IPsec SA
IKE Phase 1 in Main Mode (six messages between initiator and responder; IKE uses UDP port 500):

  Message 1   Initiator -> Responder:  IKE header, ISAKMP SA proposal
  Message 2   Responder -> Initiator:  IKE header, ISAKMP SA response
              (1 + 2: GW1 and GW2 agree on the IKE connection parameters such as the encryption algorithm and the authentication method)
  Message 3   Initiator -> Responder:  IKE header, DH key exchange value, nonce Ni
  Message 4   Responder -> Initiator:  IKE header, DH key exchange value, nonce Nr
              (3 + 4: a common symmetric key is generated using the Diffie-Hellman algorithm)
  Message 5   Initiator -> Responder:  IKE header, encrypted: IDi, Certi, Sigi
  Message 6   Responder -> Initiator:  IKE header, encrypted: IDr, Certr, Sigr
              (5 + 6: identification and authentication of the connection partners)

Phase 2 (Quick Mode) then needs only three messages, protected by the ISAKMP SA, to set up the IPsec SA.
In cooperation with Prof. Dr. A. Steffen / ZHW

Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (1)
(Figure: Alice holds her private key and her public key, Bob holds his private key and his public key. Each side feeds its own private key and the other side's public key into the Diffie-Hellman key calculation engine and obtains the same shared secret key (session key).)

1. Alice and Bob exchange public keys.
2. Using Diffie-Hellman, Alice combines her private key with Bob's public key to generate the shared secret key (s = g^(ab) mod n).
3. Bob does the same with his private key and Alice's public key.
4. Alice and Bob can be replaced by firewall A and firewall B, where the shared key is used to verify and decrypt the encrypted packets. Deriving the private key from the public key is computationally infeasible for suitably large parameters (the discrete logarithm problem).
5. The result s is equal for both parties and can be used as a key to encrypt the ongoing communication between Alice and Bob.
Asymmetric cryptography is roughly 1000 times slower than symmetric cryptography; therefore it is typically used only to protect small amounts of data, such as keys for symmetric cryptography.
A plain Diffie-Hellman key exchange is not secure if an attacker is able to intercept the communication and alter the messages (man in the middle). This is avoided by authenticating the exchanged values, for example with a MAC (Message Authentication Code) keyed by a pre-shared secret or with a digital signature; in IKE this is the purpose of the Phase 1 authentication.

Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (2)
1. Alice and Bob agree on a large prime modulus n, a primitive element g and the one-way function y = f(x) = g^x mod n.
2. The integers n and g are not secret and can be published.
3. Alice chooses a large random integer a and sends Bob A = g^a mod n.
4. Bob chooses a large random integer b and sends Alice B = g^b mod n.
5. Alice computes s = B^a mod n = g^(ba) mod n.
6. Bob computes s = A^b mod n = g^(ab) mod n.
7. Alice and Bob now share the secret key s = g^(ab) mod n.
8. Since computing the inverse x = f^-1(y) (the discrete logarithm) is extremely difficult, nobody listening to the key exchange can compute the secret key s from the values A, B, n and g.
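Worked example for the two Diffie-Hellman slides above. This is added code, not from the Astaro courseware. It runs the exchange in the slides' notation (A = g^a mod n, B = g^b mod n, s = g^(ab) mod n), first with small textbook numbers (n = 23, g = 5, a = 6, b = 15) and then with a demonstration prime, and then shows the two claims made on slide (1): an attacker who can replace the exchanged values ends up sharing a secret with each side separately, and a MAC over the exchanged values keyed with a pre-shared secret exposes the substitution. Assumptions: the modulus 2^255 - 19 with g = 2 is chosen only for speed and is not one of the IPsec MODP groups; the pre-shared key and the textbook exponents are constructed values.

```python
"""Diffie-Hellman as on the two slides above, plus the man-in-the-middle attack the
first slide warns about and the authentication that stops it.

Added example, not part of the Astaro courseware. The modulus 2^255 - 19 (a prime)
with g = 2 is used only so the arithmetic runs quickly; IPsec uses the MODP groups
(e.g. DH group 2 or 14). The pre-shared key is a constructed demo value.
"""
import hashlib
import hmac
import secrets

N = 2**255 - 19   # demo prime modulus n
G = 2             # demo generator g


def keypair(n=N, g=G):
    """Private exponent a in [1, n-2] and public value A = g^a mod n."""
    a = secrets.randbelow(n - 2) + 1
    return a, pow(g, a, n)


def shared_secret(own_private, peer_public, n=N):
    """s = peer_public^own_private mod n, after rejecting degenerate public values."""
    if not 1 < peer_public < n - 1:      # 0, 1 and n-1 would force a trivial secret
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, n)


def textbook_example():
    """The small-number version of slide (2): n = 23, g = 5, a = 6, b = 15."""
    n, g, a, b = 23, 5, 6, 15
    A, B = pow(g, a, n), pow(g, b, n)          # A = 8, B = 19
    s_alice, s_bob = pow(B, a, n), pow(A, b, n)
    assert s_alice == s_bob                    # both sides get s = 2
    return A, B, s_alice


def honest_exchange():
    """Both sides compute the same s = g^(ab) mod n."""
    a, A = keypair()
    b, B = keypair()
    return shared_secret(a, B) == shared_secret(b, A)


def mitm_exchange():
    """Mallory replaces A and B with her own M: Alice and Bob no longer share a
    secret, but Mallory shares one with each of them and can relay and read."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    s_alice = shared_secret(a, M)          # Alice believes M is Bob's value
    s_bob = shared_secret(b, M)            # Bob believes M is Alice's value
    return {"alice_bob_agree": s_alice == s_bob,
            "mallory_reads_alice": s_alice == shared_secret(m, A),
            "mallory_reads_bob": s_bob == shared_secret(m, B)}


def tag(psk, own_public, peer_public):
    """MAC over the exchanged values, keyed with a pre-shared secret (the same idea
    IKE uses when Phase 1 authenticates the DH values with a PSK or a signature)."""
    msg = own_public.to_bytes(32, "big") + peer_public.to_bytes(32, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def authenticated_exchange(attacker_present):
    """Bob tags (B, A as received); Alice verifies against (B as received, A).
    Returns True when the exchange is accepted."""
    psk = b"constructed demo pre-shared key"
    a, A = keypair()
    b, B = keypair()
    if attacker_present:
        _, M = keypair()
        a_seen_by_bob, b_seen_by_alice = M, M   # Mallory swapped both values
    else:
        a_seen_by_bob, b_seen_by_alice = A, B
    bob_tag = tag(psk, B, a_seen_by_bob)       # relayed unchanged by Mallory
    return hmac.compare_digest(bob_tag, tag(psk, b_seen_by_alice, A))


if __name__ == "__main__":
    print(textbook_example(), honest_exchange(), mitm_exchange(),
          authenticated_exchange(False), authenticated_exchange(True))
```

Run it directly to print the results. The range check in shared_secret rejects the public values 0, 1 and n-1, which an attacker could inject to force a predictable secret; the MAC stands in for what IKE Phase 1 does with a pre-shared key or a certificate signature.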

Site-to-Site VPN
/ Supported Protocols & Parameters (4)
Possible parameters of IPSec tunnels (Security Association, SA):
IKE parameters
Encryption algorithms: DES, 3DES (168 bit), AES (Rijndael) (128, 192, 256 bit), Blowfish (128 bit), Twofish (128 bit), Serpent (128 bit)
Authentication algorithms: MD5 (128 bit), SHA-1 (160 bit), SHA-256 (256 bit), SHA-512 (512 bit)

IPSec parameters
Encryption algorithms: Null, DES, 3DES (168 bit), AES (Rijndael) (128, 192, 256 bit), Blowfish (128 bit), Twofish (128 bit), Serpent (128 bit)
Authentication algorithms: MD5 (128 bit), SHA-1 (160 bit), SHA-256 (256 bit), SHA-512 (512 bit)
SA lifetime: 60 s to 86400 s, default value 7800 s
Perfect Forward Secrecy (PFS group): groups 1, 2, 5, 14, 15, 16 (MODP768 to MODP4096)
Strict policy: accept only exactly the parameters specified
Compression: enable/disable IPCOMP

NOTES:
PFS is not fully interoperable with all vendors.
MODP768 (DH group 1) is considered weak and is only supported for interoperability reasons; single DES should likewise only be chosen for interoperability with legacy peers.

Site-to-Site VPN
/ Symmetric Encryption Algorithms
Performance issues: the five AES finalists differ in structure and number of rounds, and therefore in throughput.
MARS (IBM): modified Feistel network, 32 rounds, based on a mixed structure derived from DES
RC6 (RSA): Feistel network, 20 rounds, based on a modified RC5
Twofish (Bruce Schneier): Feistel network, 16 rounds, based on a modified Blowfish
Serpent (Ross Anderson / Eli Biham / Lars Knudsen): substitution-permutation network, 32 rounds, based on bit-slice operations
AES-Rijndael (Joan Daemen / Vincent Rijmen): modified substitution-permutation network, 10 rounds (for 128-bit keys; 12 and 14 rounds for 192- and 256-bit keys), based on Square

Site-to-Site VPN
/ ISAKMP and IPsec SA
Example rekeying timeline for one connection configured with ikelifetime=3h and keylife=1h, with two IPsec SAs (rightsubnet=10.1.1.0/22 and rightsubnet=10.1.9.0/24) riding on one ISAKMP SA (rightid=@vpn_gw.astaro.com):

  Time   SA             Parameter
  09:00  #1 ISAKMP SA   rightid=@vpn_gw.astaro.com
  09:00  #2 IPsec SA    rightsubnet=10.1.1.0/22
  09:10  #3 IPsec SA    rightsubnet=10.1.9.0/24
  09:50  #4 IPsec SA    rightsubnet=10.1.1.0/22
  10:05  #5 IPsec SA    rightsubnet=10.1.9.0/24
  10:50  #6 IPsec SA    (subnet not labelled in the figure)
  11:00  #7 IPsec SA    (subnet not labelled in the figure)
  11:40  #8 ISAKMP SA   rightid=@vpn_gw.astaro.com

Each SA is renegotiated some minutes before its lifetime expires, so that the new SA is in place before the old one becomes unusable: the IPsec SAs are rekeyed roughly every hour (keylife), the ISAKMP SA roughly every three hours (ikelifetime).
In cooperation with Prof. Dr. A. Steffen / ZHW

Site-to-Site VPN
/ PKI - Important terms
Public Key Infrastructure: technology, processes, software and hardware for issuing, distributing and revoking certificates
Certification Authority (CA): body that issues digital certificates
Digital certificate: data structure that binds a public key to an entity and is signed by the CA
Digital signature: unique signature, guaranteed to be unreproducible by a third party, that can be used to sign a transaction
Registration Authority (RA): body that registers entities on behalf of the CA
Entity: person, organization or data
Algorithm: mathematical calculation used to produce a numerical result (RSA, DES, 3DES, SHA)
Smart card: plastic card with a built-in, programmable chip, typically used to store keys and certificates

Site-to-Site VPN
/ PKI Big Picture
(Figure: a certificate for John Doe, valid from 01.00 till 07.02, carries his public key, the issuer (CA) and the CA's signature. The Registration Authority (RA) collects the personal data (name: John Doe, age: 27, country: Germany, title: Dipl. Inf.) for the CA. The figure further shows the CA's database, a directory (LDAP, X.500 server) in which certificates are published, a verification service, and a Time Stamp Service (TSS) with an internal clock.)

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (1)
Scenario & Configuration Example
The authentication of the tunnel endpoints must be done by using X.509 certificates. The headquarter CA is trusted and will be used as the signing CA for all branch offices.
(Figure: ASG left in the headquarter runs the CA (certificate #0) and holds host certificate #1; ASG right in the branch office holds host certificate #2, also issued by the headquarter CA; LAN left and LAN right sit behind the two gateways.)

Configuration steps on ASG left (headquarter):
1. Define network entities
2. Create IKE/IPSec policy
3. Create host certificate for the branch ASG
4. Export the host certificate for the branch ASG as PKCS#12 container
5. Configure a new VPN connection

Configuration steps on ASG right (branch office):
6. Define network entities
7. Create IKE/IPSec policy
8. Import the PKCS#12 file
9. Install the host certificate as local key
10. Configure a new VPN connection
11. Start the connection
12. Configure firewall rules

Back on ASG left:
13. Start the connection
14. Configure firewall rules
15. Test it

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (2)
Scenario & Configuration Example
The signing CA is automatically generated when the WebAdmin is opened for the first time.
The signing CA is used to sign certificate requests, i.e. to issue host and user certificates; verification CAs are used to verify certificates presented by remote peers.
Only one signing CA can be configured on the Astaro Security Gateway; it is possible to upload multiple verification CAs.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (3)
Scenario & Configuration Example
Create the certificates:
For each gateway (local and remote) a host certificate will be generated. Signing by the signing CA is done automatically.
The certificate for the local VPN gateway is automatically generated when the WebAdmin is opened for the first time (Certificates tab).
It is possible to replace the local default certificate by any other, e.g. one using the DN as VPN identifier.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (4)
Scenario & Configuration Example
Create the host certificate for the branch office and download this certificate as a PKCS#12 file.
The file contains the Root CA certificate, the host certificate and the private key; protect it with a strong export password and transfer it to the branch office over a trusted channel.

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (5)
Scenario & Configuration Example
Import the host certificate as local key on the remote ASG (branch office).
Finally, on both gateways:
Start the connection
Configure firewall rules
Test whether the tunnel comes up and carries encrypted traffic

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (6)
New Example: Net2Net X.509 Certificates / Cross Site Certification (1)
Task:
The scenario is the same as in the previous example with one exception: both communication partners run their own CA.
(Figure: ASG left holds its own root CA (ASG-L CA, #0) and host certificate #1 issued by it; ASG right holds its own root CA (ASG-R CA, #0) and host certificate #1 issued by it. The two root CA certificates are exchanged so that each side can verify the other side's host certificate.)

Differences in the configuration steps:
Own Root CA certificate on both sides
Host certificates must be issued by the Root CA on each site
Additionally, the Root CA certificate of the other side must be exchanged and imported as a verification CA

Site-to-Site VPN
/ Authentication by X.509V3 Certificates (7)
New Example: Net2Net X.509 Certificates / Cross Site Certification (2)
(Figure: the same cross-site CA exchange as on the previous slide, shown once more.)

Site-to-Site VPN
Review Questions


Site-to-Site VPN
/ Review Questions
1. Name the IPSec encryption algorithm options you can choose from at ASG V7.
2. What is the possible range of the IPSec SA lifetime in seconds? What is a reasonable value? Why?
3. Explain the term <Allow Path MTU Discovery>. What is the default MTU size in bytes when using ESP?
4. What does ASG perform in IPSec when PFS is enabled?
5. Is it possible to import multiple Verification CAs? When would it be useful? What about multiple Signing CAs?
6. In which format can the public key of each signing CA be downloaded?
7. What are the VPN IDs you can select from? What happens if you install certificates issued with identical e-mail addresses as VPN ID?
8. Explain a typical use case for automatic CRL fetching.
9. What does <Parsing> mean in the IPSec debug options? Why wouldn't it be a good idea to run IPSec debugging in an operational stage?

IPSec Remote Access

Upon completion of this chapter you will learn:
About IPSec protocols from a more detailed perspective
How to create and manage X.509V3 user certificates
How to establish IPSec-based remote access using the ASC (Astaro Secure Client) and certificate-based authentication
How to troubleshoot the ASC and solve typical VPN-related problems

Remote Access IPSec
/ Important Aspects: NAT Traversal
Problem
IPSec packets do not pass NAT/NAPT devices unchanged: AH authenticates the outer IP header, so a rewritten address breaks its integrity check; ESP carries no port numbers, so a NAPT device cannot map several clients behind it onto one public address; and in transport mode the TCP/UDP checksum of the protected packet no longer matches the translated addresses. (The ESP integrity check itself does not cover the outer IP header.)
Solution
NAT-Traversal detects one or more NAT devices between the IPsec peers and uses UDP encapsulation of the IPsec packets to establish IPSec tunnels through NAT devices.
UDP encapsulation works by wrapping the IPSec packet inside a UDP/IP header, allowing NAT devices to change the IP addresses or ports of the outer packet without modifying the IPsec packet.
UDP encapsulation is only used if NAT is detected between the two IPSec peers. Otherwise normal ESP packets are sent.
With NAT-Traversal enabled, you are able to place the ASG or an ASC behind a NATing router and still establish an IPSec tunnel.
(Figure: remote clients behind a NATing router and a branch office VPN gateway behind a NATing router each establish a VPN tunnel to the central office VPN gateway in front of the intranet.)

Remote Access IPSec
/ Important Aspects: NAT Traversal (continued)
Since IKE peers already communicate over UDP port 500, UDP-encapsulated ESP can be sent on this same port (avoids drilling new holes in the firewall).
The solution works only for IPsec ESP using tunnel mode.
Encapsulation always requires de-capsulation on the receiving side.
ESP-protected packets are exchanged between IKE peers: gateway-to-gateway, client-to-gateway and client-to-client.
Peers must support the same method of UDP ESP encapsulation.

Working principle:
The sender indicates that an encapsulated packet follows by setting the first 8 bytes of the UDP payload to zero. These bytes overlap the IKE Initiator Cookie field, for which zero is an invalid value.
Thus, implementations can use these bytes to discriminate between IKE and UDP-encapsulated ESP arriving on port 500. Because only peers that agree will ever send UDP-encapsulated ESP packets, backward compatibility is not an issue.
Note that the standardised form of NAT-T (RFC 3947/3948) moves the traffic to UDP port 4500 once NAT has been detected, with a four-byte zero "non-ESP marker" in front of IKE packets and bare ESP otherwise; firewalls in the path must therefore pass UDP 4500 in addition to UDP 500.

NOTE: When using NAT-T you need to configure virtual IP addresses (an IPsec pool) for the remote access clients.
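The discrimination rule described under Working principle, implemented for received UDP datagrams. This is an added example and not from the Astaro courseware: it handles the port-500 scheme the slide describes (eight zero bytes in place of the initiator cookie mean UDP-encapsulated ESP follows) and, going beyond the slide, the standardised RFC 3948 scheme on port 4500 (four zero bytes in front of IKE, bare ESP otherwise, a single 0xFF byte as NAT keepalive). All datagrams, cookies and SPIs are constructed samples; the ISAKMP header layout follows RFC 2408.

```python
"""Telling IKE from UDP-encapsulated ESP on the IKE ports.

Port 500 (the scheme on the slide): first 8 bytes zero -> ESP follows; otherwise IKE,
whose initiator cookie can never be all zero.
Port 4500 (RFC 3948): 4 zero bytes ("non-ESP marker") -> IKE follows; a lone 0xFF is a
NAT keepalive; anything else is ESP, whose SPI is never 0.

Added example, not part of the Astaro courseware; all datagrams are constructed.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes, RFC 2408 section 3.1
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}


def parse_isakmp(data):
    """Decode the fixed ISAKMP header and sanity-check it."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if icookie == bytes(8):
        raise ValueError("zero initiator cookie is invalid for IKE")
    if length != len(data):
        raise ValueError("ISAKMP length field %d != datagram length %d" % (length, len(data)))
    return {"kind": "ike", "version": (ver >> 4, ver & 0xF),
            "exchange": EXCHANGE_TYPES.get(xchg, "type %d" % xchg),
            "encrypted": bool(flags & 0x01), "message_id": msgid}


def parse_esp(data):
    """Decode the ESP header (SPI, sequence number); the rest is ciphertext + ICV."""
    if len(data) < 8:
        raise ValueError("short ESP header")
    spi, seq = struct.unpack_from("!II", data)
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(data) - 8}


def classify(dst_port, payload):
    """Return the parsed view of one UDP datagram arriving on an IKE port."""
    if dst_port == 500:
        if payload[:8] == bytes(8):            # overlaps the initiator cookie
            return parse_esp(payload[8:])
        return parse_isakmp(payload)
    if dst_port == 4500:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        if payload[:4] == bytes(4):            # non-ESP marker -> IKE follows
            return parse_isakmp(payload[4:])
        return parse_esp(payload)              # otherwise ESP (SPI is never 0)
    raise ValueError("not an IKE/NAT-T port: %d" % dst_port)


def sample_datagrams():
    """Constructed (port, payload) pairs covering every branch above."""
    def ike(xchg, flags=0, body=b""):
        return ISAKMP_HDR.pack(b"\x01\x23\x45\x67\x89\xab\xcd\xef", bytes(8),
                               1, 0x10, xchg, flags, 0, ISAKMP_HDR.size + len(body)) + body
    esp = struct.pack("!II", 0x1000ABCD, 7) + b"\xaa" * 40   # SPI, seq, opaque body
    return [
        (500, ike(2)),                        # Main Mode message 1 (next payload: SA)
        (500, bytes(8) + esp),                # ESP encapsulated as on the slide
        (4500, bytes(4) + ike(32, 0x01)),     # encrypted Quick Mode behind the marker
        (4500, esp),                          # ESP on 4500 carries no marker
        (4500, b"\xff"),                      # NAT keepalive
    ]


def classify_all():
    return [classify(port, data)["kind"] for port, data in sample_datagrams()]


if __name__ == "__main__":
    for port, data in sample_datagrams():
        print(port, classify(port, data))
```

Note that the two schemes invert the meaning of leading zeros: on port 500 zeros announce ESP, on port 4500 they announce IKE. A gateway that terminates both must therefore key its demultiplexing on the destination port, as classify() does.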

Remote Access IPSec
/ Configuration: Host to Gateway
Major configuration steps:
1. Create the Root CA and certificates for the gateway itself and the remote clients (in the figure: ASG-CA #0, ASG-GW #1, RemUser #2)
2. Create / edit a predefined IPSec policy
3. Create / edit IPSec pools
4. Configure & activate the connection at the IPSec gateway
5. Define rules / security policy
6. Download the certificates / ASC configuration file from the End User Portal
7. Install the configuration file in the ASC and test it
(Figure: remote users behind a NAT-ing router establish a VPN tunnel to the VPN gateway (ASG-GW #1) in the central office, which protects the intranet; all certificates are issued by ASG-CA.)

Remote Access IPSec


/ Configuration Step 1+2


Remote Access IPSec


/ Configuration Step 4 + 5


Remote Access IPSec
/ Configuration Step 6
From the End User Portal, the user can download the certificate as .p12 file and also the ASC configuration file as .ini file.
The configuration file (.ini) can be opened with an editor, allowing a closer look at the ASC configuration automatically created by the ASG.

Remote Access IPSec


/ Configuration Step 7
You can import the ASC configuration file by using the Profile Import Assistant.


Remote Access IPSec
/ ASC manual configuration (1)
Alternatively it is possible to set up the ASC configuration manually step by step, starting with the wizard right after installing the ASC.
The next slides show a configuration example using X.509 certificates.

Remote Access IPSec
/ ASC manual configuration (2) to (4)
(Screenshots 7 to 14 of the ASC wizard; the final steps are 13. Connect and 14. check the connection and the log file.)

IPSec VPN
Review Questions


Remote Access IPSec
/ Review Questions
1. Explain NAT-Traversal.
2. How can DNS and WINS server information be provided to remote access clients while establishing a connection to the ASG?
3. What are the possible options to download user certificates?
4. What is the benefit of using the DN as VPN ID (authentication type) instead of a PSK or the other certificate-based IDs?
5. How can you avoid split tunneling at the ASC?
6. What methods does the ASC offer for troubleshooting IPSec issues?
7. Does ASG support XAUTH?
8. How can you establish a granular access policy?

THE END.

Questions
&
Answers.