Installation Setup Guide: Vital Security Appliance Series

Installation
and
Setup Guide
Vital Security Appliance Series

NG-1000/NG-5000/NG-6000/NG-8000
Installation and Setup Guide
Vital Security Appliance Series NG-1000/NG-5000/NG-6000/NG-8000 Installation and Setup Guide Copyright 1996 - 2007. Finjan Inc. and its affiliates and subsidiaries (Finjan). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents No. 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743, 7155744 and may be protected by other U.S. Patents, foreign patents, or pending applications. Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners. Q1 2007 For additional information, please visit www.finjan.com or contact one of our regional offices: USA: San Jose 2025 Gateway Place Suite 180 San Jose, CA 95110, USA Toll Free: 1 888 FINJAN 8 Tel: +1 408 452 9700 Fax: +1 408 452 9701 salesna@finjan.com USA: New York Chrysler Building 405 Lexington Avenue, 35th Floor New York, NY 10174, USA Tel: +1 212 681 4410 Fax: +1 212 681 4411 salesna@finjan.com Israel/Asia Pacific Hamachshev St. 1, New Industrial Area Netanya, Israel 42504 Tel: +972 (0)9 864 8200 Fax: +972 (0)9 865 9441 salesint@finjan.com Europe: UK 4th Floor, Westmead House, Westmead, Farnborough, GU14 7LP, UK Tel: +44 (0)1252 511118 Fax: +44 (0)1252 510888 salesuk@finjan.com Europe: Germany Alte Landstrasse 27, 85521 Ottobrun, Germany Tel: +49 (0)89 673 5970 Fax: +49 (0)89 673 597 50 salesce@finjan.com Europe: Netherlands Printerweg 56 3821 AD Amersfoort Netherlands Tel: +31 318 693 272 Fax: +31 318 693 274 salesne@finjan.com
Catalog number: VSNG_IASG 8.4.3 Email:support@finjan.com Internet:www.finjan.com
O N T E N T S
1 About this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Finjan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Appliance Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Management Console System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000) . . . . . . 10

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Connection Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Update Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Defining System Device Roles via the Management Console . . . . . . . . . . . . . . . . . 25 Connecting your Vital Security Appliance NG-8000 . . . . . . . . . . . . . . . . . . . . . . . . 27
Initial Procedures for the Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Initial Procedures for the Vital Security Scanning Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Routing Traffic through the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Configuring Workstations for Routing Traffic through the Appliance . . . . . . . . . . . . . . . . . . . 29 Transparent Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Working with HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

HTTP Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Working with Caching Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 HTTP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Working with ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Why work with ICAP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Vital Security as an ICAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 REQMOD RESPMOD Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 ICAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4 Configuring ICAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Network Appliance Netcache Series (NetApp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Blue Coat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Contents i
5 Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 Introduction to Setup Console Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Configuring Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Appliance Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Custom Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Restart Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reboot/Shutdown Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active/Standby Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 51 52 57 59 73 74 74 75
A Limited Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 B Installation CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
ii
Contents
H A P T E R
ABOUT THIS MANUAL

Chapter Chapter 1 Chapter 2 Description About this Manual Overview - An introduction to Finjan's Vital Security Appliance platform, including a brief overview of the Vital Security Appliances NG-1000/NG-5000/NG6000/NG-8000. Getting Started This section tells you everything you need to know about getting started and lists the necessary steps to be taken when installing and working with your appliance. This includes: System requirements (hardware and software) Information on supported protocols (HTTP and ICAP) Configuration of end-user machines Transparent proxy configuration Connecting describing the steps to be taken prior to accessing the web-based Management Console Configuring the ICAP Clients Discusses configuration of Network Appliance (NetApp) and Blue Coat Configuring Advanced Settings This Chapter describes how to use the Advanced Settings of the Setup Console to manage the functionality of the appliance Limited Shell This Appendix describes the Limited Shell feature. Installation CD This Appendix details the installation procedure using the Installation CD
Chapter 3
Chapter 4
Chapter 5
Appendix A Appendix B
Chapter 1 - About this Manual
H A P T E R
FINJAN OVERVIEW
1 Introduction
Cyber-threats are fast increasing and pose a serious and growing problem for corporate networks, appearing in different forms and using a variety of tactics viruses, worms, Trojans, and more. New, ultra-fast viruses can infect your system within seconds, long before traditional signature-based solutions can protect you. While waiting for anti-virus companies to release a new virus signature, thousands of unprotected computers may have already been infected, leaving no alternative other than to shut down the corporate network. Finjan's proactive behavior-inspection technology at the gateway provides protection by examining active content behavior and identifying and blocking malicious mobile code (viruses, worms, Trojan horses and a myriad of ever-developing attack types). Finjans unique and patented proactive behavior inspection technology offers instant protection against new virus, worm and malicious mobile code outbreaks without time-sensitive signature-file updates, thus closing the Window-of-Vulnerability and providing networks with true day-zero protection. Vital Security - Finjans Integrated Security Platform - is a complete and integrated Secure Content Management solution in which individual best-of-breed security applications work together in concert to respond proactively to the changing security threats of both today and tomorrow. This section contains a brief overview of the Vital SecurityAppliances NG-1000/ NG-5000/NG-6000/NG-8000.
1.1 Appliance Types

This manual deals with the following Vital Security Appliances:
1.1.1 Vital Security Appliance Series NG-8000

This appliance is a specially configured chassis containing multiple hot swappable blades, with redundant power supplies, disks etc. The Vital Security Operating System (VSOS) is preinstalled and preconfigured.
Chapter 2 - Finjan Overview
Figure 2-1: NG-8000 Superformance Appliance
The following table contains the hardware specifications for the NG-8000 appliance..
Component Memory Hard Drive Specification 2 GB 36 GB SAS (Web appliance) 2 x 73 GB SAS ( RAID 1) (Policy Server) Xeon D 2 x 2.0GHz 2
CPU Gigabit Ethernet NIC
NOTE: This document deals with the basic setup of the NG-8000 Appliance. Please contact Finjans Support, or IBM for information about more advanced setup of the Blade Center.
1.1.2 Vital Security Appliance Series NG-1000/NG-5000/NG-6000

This appliance is typically deployed to include multiple appliances, each running the Vital Security Operating System (VSOS). It can, however, also be deployed All-in-one, using a single appliance. The different services running on each appliance can be configured according to your organization's network requirements.
The following table contains the hardware specifications for the NG-5000 appliance.
Component Memory Hard Drive CPU Flash Card Rack space (1U) Specification 2GB 160GB SATA2 Pentium D 3.4 GHz dual core 1024 MB 429 x 382 x 44 mm (WxDxH) 16.9 x 15.0 x 1.8 inches (WxDxH) 4 1
Gigabit Ethernet NIC Built-in LCD display
Component Memory Hard Drive CPU Flash Card Rack space (1U) Specification 1GB 160GB Pentium IV 2.8GHz 256 MB 428.6 x 360 x 44 mm (WxDxH) 16.9 x 14.1 x 1.7 inches (WxDxH) 4+2 1
Fast/Gigabit Ethernet NIC Built-in LCD display
Component Memory Hard Drive CPU Rack space (2U) Specification 2GB 2 x 72 GB SAS (RAID 1) Intel Xeon dual core x 2.0 GHz 445 x 698 x 86 mm (WxDxH) 17.5 x 27.5 x 3.4 inches (WxDxH) 4 Redundant
Gigabit Ethernet NIC Power Supply
H A P T E R
GETTING STARTED
This section contains the following topics:
Management Console System Requirements Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000) Update Mechanism Defining System Device Roles via the Management Console Connecting your Vital Security Appliance NG-8000 Routing Traffic through the Appliance Working with HTTP Working with ICAP
1 Management Console System Requirements

1.1 Operating Systems
The following operating systems are supported for the web browser: Microsoft Windows 2000 Professional Microsoft Windows 2000 Server Microsoft Windows XP Professional Microsoft Windows 2003 Server
1.2 Software Requirements

The following software is required: Microsoft Internet Explorer 6.0 (or higher) for accessing the Management Console
Chapter 3 - Getting Started
2 Connecting your Vital Security Appliance (NG-1000/NG-5000/ NG-6000)

2.1 Installation
For installation details, please refer to Appendix B- Installation CD.
2.2 Configuration
We recommend locating the Scanning Servers, accessed via the Load Balancer(s) in the DMZ. In this case, all network traffic between the Policy Server and Scanning Servers passes through the internal firewall.
2.3 Connection Procedure

This section contains the following topics:
Accessing the Vital Security Setup Console Using the Initial Setup Wizard
2.3.1 Accessing the Vital Security Setup Console

The Vital Security Setup Console is a secure, Web-based interface that enables you to configure initial setup parameters associated with the box itself. The following initial procedure is slightly different for the different models (as well as the Load Balancer).
To access the Vital Security Setup Console in NG-5000/NG-6000:

1. 2.
Plug in the power cable and switch the appliance on. Connect a PC directly to the appliances GE3 port (for NG-6000, see Figure 3-1) using a crossover cable, or, using a standard Ethernet cable, connect the appliances GE3 port to a hub or switch that is on the same network segment as the PC. CAT5e cables (or better) are recommended. The default IP of the GE3 interface is 10.0.3.1, and its default netmask is 255.255.255.0. Configure the TCP/IP settings of your PC so that it is on the same logical network subnet as the appliances GE3 interface. For example, configure the IP on the PC as 10.0.3.101 and the PCs netmask as 255.255.255.0 IMPORTANT: Do not set the PCs IP to 10.0.3.1, as this will result in an IP conflict with the appliance.
3.
10
GE3
GE2
GE1 GE0
Figure 3-1: NG-6000 Back Panel, Network Interfaces
To access the Vital Security Setup Console in NG-1000:

1. 2.
Plug in the power cable and switch the appliance on. Connect a PC directly to the appliances FE5 port (the left-most port) using a crossover cable, or, using a standard Ethernet cable, connect the appliances FE5 port to a hub or switch that is on the same network segment as the PC. CAT5e cables (or better) are recommended. The default IP of the FE5 interface is 10.0.5.1, and its default netmask is 255.255.255.0.Configure the TCP/IP settings of your PC so that it is on the same logical network subnet as the appliances FE5 interface. For example, configure the IP on the PC as 10.0.5.101 and the PCs netmask as 255.255.255.0 IMPORTANT: Do not set the PCs IP to 10.0.5.1, as this will result in an IP conflict with the appliance.
3.
Continue for all appliances as follows:

4.
Open your browser and enter the following address: https://10.0.5.1:3012 (for NG1000 ) or https://10.0.3.1:3012 (for NG-5000 /NG-6000). A certificate warning pops up. Click Yes to close the warning. The Vital Security Setup Console login window is displayed.
5.
Figure 3-2: Setup Console Login
11
6. 7.
Log in to the Vital Security Setup Console using admin as the user name and finjan as the password. Read and accept the End User License Agreement. The Setup Selection screen is displayed.
Figure 3-3: Setup Selection
2.3.2 Using the Initial Setup Wizard

The Initial Setup Wizard guides you step by step through the initial configuration process. Use this Wizard to configure the following: An appliance with one active Ethernet interface with an IP that you have set (all other interfaces will be deactivated) Your selected network settings Default gateway, Hostname, and so on Time settings that you have manually configured Active appliance roles that work according to the Ethernet interface and IP that you have selected If you have selected the management services to be part of the appliance (All-in-One or Policy Server) you will also have installed a license (either an evaluation license or a permanent license) A new password of your choice for the initial setup Web interface admin user (the password cannot be finjan or an empty string)
12
An initial setup Web interface working at https://NEW_IP:3012 (when the IP change takes place, you will be disconnected) The next sections detail separately configuration of a Policy Server or All in one, and a Scanning Server.
2.3.3 Configuring a Policy Server or All in One To configure a Policy Server or All in One:
1.
Click the Initial Setup Wizard icon as appears in Figure 3-3 to begin the setup procedure, and in the Welcome screen, click Next. The Appliance Role screen is displayed.
Figure 3-4: Appliance Role: Policy Server 2.
From the Select a Role drop-down list, select one of the following appliance roles, and then click Next: Vital Security Policy Server Selecting the Vital Security Policy Server provides only management and reporting services, and requires an additional appliance for scanning. Vital Security Scanning Server Select the Vital Security Scanning Server if you want to activate this appliance for scanning, while another appliance is providing the management and reporting services. All in One Selecting the All in One appliance provides management, reporting and scanning services. None Initial mode of the Vital Security Appliance.
13
In this procedure, select either the Policy Server or All in One IMPORTANT: In order to change the device role from Scanning Server to Policy
Server or All in one device, the administrator must first Restore Factory Settings. There are two ways of doing this. If you installed 8.4.0 or higher on your appliance using the Installation CD, then you will restore factory settings by using the Installation CD (please refer to Appendix B). If, however, you have installed previous Releases using the standard Update feature, then follow the Restore Factory Settings procedure as outlined in the Installation and Setup Guide 8.3.5; Appendix A.
3.
The License Type screen is displayed if you have selected Policy Server or All-inOne server. The Licensing option is disabled for other roles. Click the required License Type option.
Figure 3-5: License Type 4.
If you selected an Evaluation license, select the required license and security engine options, and then click Next. (Go straight to step 6.).
14
Figure 3-6: Evaluation License Options
The following table describes the Evaluation License Options:

Field Name
Anti-Virus
Description
Anti-Virus third party scanning engine which scans for known viruses (McAfee, Sophos or Kaspersky depending on your license) Third party engine which provides categorization of Web sites (SurfControl) Finjans unique content scanning engine based on Behavior Profiles (binary or script) Unique Finjan engine that scans content to identify known vulnerabilities The Anti Spyware engine identifies spyware sites and block access to those sites
URL Filtering Application-Level Behavior Blocking Vulnerability Antidote Anti-Spyware
5.
If you selected a Subscription license, enter the license key that you received from either Finjan or your reseller, and then click Next.
15
Figure 3-7: Subscription License 6.
The License Details are displayed. Click Next.
Figure 3-8: License Details 7.
The Network Interface Used by Policy/Scanning Server screen is displayed . If you are using an NG-1000 appliance, the Network Interface will look as below.
Figure 3-9: Network Interface NG-1000
16
:
Network Interface for NG-1000 SUPERFORMANCE Appliances FE0 (eth0): 100MB - Auto-negotiation enabled. Recommended! Description Allows communication at a speed of up to 100MB with Auto-Negotiation enabled. Autonegotiation enables simple, automatic connection of devices by taking control of the cable when a connection is established to a network device that supports a variety of modes from a variety of manufacturers. The device is able to automatically configure the highest performance mode of interoperation. Allows communication at a speed of up to 100MB with Auto-Negotiation enabled. Allows communication at a speed of up to 100MB with Auto-Negotiation enabled. Allows communication where a speed of up to 100MB is forced and full-duplex, meaning the transmission of data in two directions simultaneously. Allows communication at a speed of up to 100MB with Auto-Negotiation enabled.
FE1 (eth1): 100MB - Auto-negotiation enabled FE2 (eth2): 100MB - Auto-negotiation enabled FE3 (eth3): 100MB - Forced 100MB Full-Duplex
FE4 (eth4): 100MB - Auto-negotiation enabled
If you are using an appliance from the NG-5000 / NG-6000 series, the screen will appear as follows:
17
Figure 3-10: Network Interface (NG-5000/NG-6000)
Network Interfaces for NG-5000 / NG-6000 Appliances GE0 (eth0): 1GB - Auto-negotiation enabled - Recommended!
Description Allows communication at a speed of up to 1GB with Auto-Negotiation enabled. Autonegotiation enables simple, automatic connection of devices by taking control of the cable when a connection is established to a network device that supports a variety of modes from a variety of manufacturers. The device is able to automatically configure the highest performance mode of interoperation. Allows communication at a speed of up to 1GB with Auto-Negotiation enabled. Allows communication at a speed of up to 1GB with Auto-Negotiation enabled. Allows communication at a speed of up to 1GB with Auto-Negotiation enabled.
GE1 (eth1): 1GB - Auto-negotiation enabled GE2 (eth2): 1GB - Auto-negotiation enabled GE3 (eth3) 1GB - Auto-negotiation enabled
IMPORTANT: If you want to change the network interface auto negotiation settings for the NG-5000 /NG-6000, you must do so via the Limited Shell using the ethconf command. Please refer to Limited Shell
8.
Enter the IP address and netmask for the selected interface in the respective fields, and then click Next. The Routing and Gateway screen is displayed .
18
Figure 3-11: Routing and Gateways 9.
Enter the Gateway IP address and static or local routes as required or leave as is to enable the default routing and gateway configuration, and then click Next. The Domain Name Service screen is displayed.
Figure 3-12: Domain Name Service 10. Either
define the machine name by filling in the Hostname field or leave as is to keep the default settings, and then click Next. The Time Settings screen is displayed.
19
Figure 3-13: Time Settings 11. Ensure
that the correct settings have been selected, and then click Next. The Change Password screen is displayed.
Figure 3-14: Change Password 12. Enter
and confirm your new password. Note that changing your password here does not affect the password in the Management Console. Click Next. The Apply Changes screen is displayed.
20
Figure 3-15: Apply Changes 13. Click Apply
in order to apply all of the changes that have been made. The Setup procedure is complete. Click Next to return to the main Setup Console menu.
2.3.3.1 Configuring the Computers IP Address
From the main Setup Console menu, you must then configure your computers IP address and hostname in order for it to be recognized by the Appliance.
To configure the computers IP address:

1.
Navigate to Advanced Settings Network Settings Host Addresses screen is displayed.
Host Addresses. The
Figure 3-16: Host Addresses 2.
To add yours and other computers to the system, click Add a new host address. The Create Host Address screen is displayed.
21
Figure 3-17: Create Host Address 3.
Enter the IP Address and Hostname of the PC that will work with Vital Security and click Create. The PC is added to the list. Once the PC is recognized, the administrator will have faster performance speed using the Setup Console. NOTE: If you cannot connect via the interface you have selected (with either the old or
the new IP), temporarily reset FE5 to its default settings via the LCD panel (10.0.5.1, netmask 255.255.255.0) by navigating to the Reset FE5 IP option, pressing Enter, pressing Enter again, and then access the Setup Console at https://10.0.5.1:3012
2.3.4 Configuring a Scanning Server To configure a Scanning Server

1.
Click the Initial Setup Wizard icon as appears in Figure 3-3 to begin the setup procedure, and in the Welcome screen, click Next. The Appliance Role screen is displayed.
Figure 3-18: Appliance Role: Scanning Server
22
2.
Select Vital Security Scanning Server from the drop-down menu, and then click Next. This appliance is used for scanning, while another appliance is providing the management and reporting services The Network Interface Used by Policy/Scanning Server screen is displayed (Figure 3-9). Complete the procedure as detailed in (To configure a Policy Server or All in One: from Step 7 onwards). Configure your computers IP address as described in Configuring the Computers IP Address.
3. 4. 5.
3 Update Mechanism
The Update mechanism periodically checks Finjan's Web site and automatically displays any available updates via the Management Console for the administrator. There are three categories of updates: Behavior scanning logic and vulnerability data: These can be configured automatically. Vital Security behavior profiling data and security processors are updated automatically from the Finjan site as soon as new Windows vulnerabilities are discovered. Vulnerability protection typically arrives before viruses that exploit the vulnerability are released. Finjan Software is a market leader in malicious mobile code and the Malicious Code Research Center at Finjan employs dedicated experts who work around the clock to identify new Windows vulnerabilities and exploits, enabling real day-zero protection. OS Version updates and new feature add-ons: Automatic downloading from the Finjan Web site can be enabled/disabled via the Management Console. You will be notified automatically when updates become available so that you can install them and keep your system up-to-date. Third-party security engines: Vital Security incorporates best-of-breed third-party engines (anti-virus and URL categorization). These applications rely on frequent and regular updates, and these are downloaded and installed automatically by the autoupdate feature.
3.1 Installing Updates

Updates are installed via the Vital Security Management Console, which runs on the All-inOne appliance or Policy Server at the default HTTPS port (443). It is recommended to check for updates each time that you use the system, in the event that security and functional updates have been released either since the product was installed or since the last check was performed.
23
3.1.1 Configuring Next Proxy for Updates

If you are connecting your All-in-One appliance or Policy Server to the Internet via a proxy server, you must configure the proxy in the Proxy Server and Port fields on the Settings Updates Updates Configuration tab, and then click Apply and Commit Changes to ensure that the change takes effect.
3.1.2 Configuring the Firewall for Automatic Updates

In order to enable Automatic updates for the NG Appliance Series, the Firewall should be opened for the Policy Server, using the HTTPS (port 443) protocol in the outgoing direction. There are two destination URLs:
https://updateNG.finjan.com/remote_update
https://mirror.updateNG.finjan.com/remote_update The following table details the ports needed for configuring Automatic Updates:
Description Port Number
All in one machine (web traffic ports) Only HTTP, FTP and HTTPS from LAN to WAN Policy Server in LAN Scanner in DMZ Additional ports to open from LAN to DMZ Manager - transfer of policy 5222 updates, and other updates Manager secure transfer of 5224 policy updates, and other updates Log traffic (from server) 8000 Secure Log traffic 8001 Vital Security Setup Console 3012 (Webmin) SNMP queries (if enabled) 161 UDP Additional ports to open from DMZ and LAN SNMP trap (if enabled and 162 UDP configured to send traps to the SNMP Manager on the LAN)
3.1.3 Offline Updates

Customers who are using the appliance in an isolated network that is not connected to the Internet, can download any updates from the Finjan update site. These updates can be manually downloaded and saved onto a removable media (e.g. CD) which should then be
24
connected to the offline computer where you manage the Policy Server. From the Management Console, you can install the updates using the Import Local Updates option. This feature requires a special license. Please contact your Finjan representative for further details.
4 Defining System Device Roles via the Management Console

You can also define and edit system device roles via the Management Console.
To edit system device roles:

1.
Log in to the Management Console, open the Settings tab and select Devices. If you selected Vital Security Policy Server as your appliance role, you have an All in one preconfigured machine, with a device that is used in the following roles: Policy Server, Report Server, Log Server, Log Relay and Scanning Server.
Figure 3-19: Network Roles Tree 2.
If you want to configure an All in One device, change the IP address by selecting one of the IPs displayed in the Network Roles tree, and then click the Edit Device icon . The Edit Device dialog box is displayed.
25
Figure 3-20: Edit Device IP Dialog Box 3. 4.
Enter the required IP address, and from the Device Roles list, select All in One. If you want to configure a Policy Server only, delete the existing device, and then click the Add Device icon. The Add Device dialog box is displayed.
Figure 3-21: Figure 21: Add Device Dialog Box
NOTE: If multiple servers are included on one device, they should be selected together
in the Add Device dialog (using Control on your keyboard). You may not add a server to a device where the IP address has already been defined
5. 6. 7.
Click OK. The device that you have added now appears in the Network Roles tree. Select the IP address of the device you have added. The device status is displayed. Select the Activate checkbox.
Figure 3-22: Activate checkbox
26
8. 9.
Under the Scanning Server device, change the Log Server Interface IP to 127.0.0.1 if not already configured as such. When you have defined all devices in the system or made any changes, click Apply on the bottom right hand of the screen, and then click Commit Changes.
After defining your devices, Finjan recommends that you change the default password.
To change the default password:

1. 2. 3.
Select the Settings tab on the Main Navigation bar. From the System tab, select the Password tab. The Change Password dialog box is displayed. Enter your old and new passwords in the fields shown, and then click Apply.
5 Connecting your Vital Security Appliance NG-8000

The Vital Security Appliance NG-8000 is supplied as one or more separate blades. You can assign system roles according to your requirements using each blade as a separate server, or activate more than one service on a single blade. Each Vital Security appliance is supplied with a default IP address, and can be remotely accessed for initial setup by any PC in the same subnet. Vital Security uses a secure (HTTPS) connection to a Web-based interface for remote access.
5.1 Initial Procedures for the Policy Server

The following initial procedure is the same for all the blades irrespective of the intended network role (except for the Load Balancer).
To configure the Policy Server:

1. 2.
Plug in the power cable and switch the appliance on. Configure the network settings of any PC to match those of the appliance (IP address and subnet mask). IP address in the same subnet e.g. 10.0.0.101 Subnet mask 255.255.255.0
3. 4.
Connect your PC to one of the ports on the Gigabit Ethernet switch in I/O switch module Bay 1 on the appliance using a network cable. Power up the blades one by one:
27
To power up the blades one by one:

a b c
Press the Console Select button so that the VGA screen attached to the chassis displays output from the blade being powered up. Press the Power button until the power-up sequence is over. A log in prompt is displayed. Repeat this procedure for each blade.
Figure 3-23: Blade 5.
Open your browser and enter https://10.0.0.1:3012. The Vital Security Set-up Console login window appears. The Vital Security Set-up Console is a Web-based interface that enables you to configure initial setup parameters associated with the box itself. Log in to the Vital Security Set-up Console using admin as the username and finjan as the password, and then click the Advanced Settings icon.
6.
5.2 Initial Procedures for the Vital Security Scanning Server

The following initial procedure is the same for all the blades irrespective of the intended network role (except for the Load Balancer).
To configure the Vital Security Scanning Server for setup:

1. 2.
Plug in the power cable and switch the appliance on. Configure the network settings of any PC to match those of the appliance (IP address and subnet mask). IP address in the same subnet e.g. 10.0.0.101 Subnet mask 255.255.255.0
3. 4.
Connect your PC to one of the ports on the Gigabit Ethernet switch in I/O switch module Bay 1 on the appliance using a network cable. Power up the blades one by one:
28
To power up the blades one by one:

a b c 5.
Press the Console Select button so that the VGA screen attached to the chassis displays output from the blade being powered up. Press the Power button until the power-up sequence is over. A login prompt is displayed. Repeat this procedure for each blade.
Open your browser and enter https://10.0.0.1:3012. The Vital Security Set-up Console login window appears. The Setup Console is a Web-based interface that enables you to configure initial setup parameters associated with the box itself. Log in to the Vital Security Set-up Console using admin as the user name and finjan as the password.
6.
NOTE: For information on setting up the NG-8000, please contact your Finjan represetative.
6 Routing Traffic through the Appliance

You can use any of the following proxy setting alternatives, or configure proxy access to be transparent.
6.1 Configuring Workstations for Routing Traffic through the Appliance

Manual Configuration per Individual User In Internet Explorer, select Tools Internet Options Connections LAN Settings and click the Advanced button in the Proxy Servers area. In the Proxy Settings dialog box, enter the IP address of the Vital Security Scanning Server or Load Balancer in the HTTP field. Customized Installation of Internet Explorer Download the Microsoft tool IAEK6 in order to enable customized installation of Internet Explorer for all users. Group Policy Manager In the Microsoft Active Directory, create a Group Policy Object (GPO) that configures which proxy to use per machine or user. Login Scripts For older legacy systems such as NT4, you can use login scripts to configure the proxy server.
29
6.2 Transparent Proxy

Vital Security can be deployed as a transparent HTTP proxy, in conjunction with a third-party content switch or a layer-4 router in the network. This means that all HTTP traffic is routed, at packet level, through the content switch to the Vital Security Appliance. End-users are not aware of this and have the same surfing experience as if they were communicating directly with the Web server. When deployed as a transparent proxy, there is no need to configure proxy settings of individual end-user browsers. However, because of the transparency, the appliance is not able to perform proxy-level user authentication. The following diagram illustrates the deployment.
Figure 3-24: Transparent Proxy
7 Working with HTTP

In order for browsers or other appliances to be protected by Vital Security, the Vital Secuirty must be configured as the Proxy Server. Working with the Vital Security you can configure your browser for maximum efficiency (number of requests per second) in Microsoft Internet Explorer by selecting Tools Internet Options Advanced and selecting both Use HTTP 1.1 and Use HTTP 1.1 through proxy connections.
30
7.1 HTTP Proxies

Vital Security can communicate with any RFC-compliant Web proxy.
7.2 Working with Caching Proxies

When a caching proxy is in use, Vital Security can be integrated either upstream or downstream from the cache proxy in the network.
7.2.1 Downstream
When Vital Security is positioned downstream of the cache proxy, the cached content is rescanned for every request. This topology clearly works for systems with user/group policies that differentiate between the sites that the different users/groups may visit, as every request is submitted to Vital Security and scanned against the relevant policy. This means that: Every request is scanned with the latest anti-virus updates, even if the content was cached before the last update. Traffic scanned initially by Vital Security is cached and subsequently forwarded again by the caching proxy in line with additional user requests. Each time this happens, the content is rescanned by Vital Security. The resulting drain on resources should be taken into account regarding performance. Every additional request for cached content is subjected to the policy specific to the user making the new request. Policy changes will always be implemented because all content, even if it comes from the cache, is scanned again by Vital Security. All accesses to cached content are subject to the logging policy, and are potentially logged by Vital Security.
7.2.2 Upstream
When Vital Security is positioned upstream from the cache, traffic is scanned only once, and is then cached and forwarded directly to the users. This is optimal for organizations that use a single policy for all Internet access, and do not apply different policies to different users/groups. This is not suitable for per user/group policies that differentiate between the sites visited by users/groups. (In such cases, you may consider working with ICAP.) This means that: Because content is only scanned once, there is less drain on resources, leading to improved performance. Cached content is not subject to the latest anti-virus updates, nor to policy changes. Vital Security cannot log accesses to cached content.
31
7.3 HTTP Authentication

Authentication enables the following: Ensures that only requests from bona-fide users are handled/processed. Enables the allocation of different policies to different users and/or groups by matching authentication data to user identifiers in the system. Ensures that all logged transactions are attributed to the corresponding user. In order to implement group, or user-based policies, some form of authentication is clearly required (e.g. NTLM). This means that a network path must be enabled between Vital Security and an LDAP server so that it can originate LDAP queries to the LDAP server. Via the Management Consoles Main Navigation Settings tab, select Defaults Authentication in order to configure the Vital Security appliance. HTTP
Vital Security can also allow another downstream HTTP proxy to perform the authentication, in which case: A downstream proxy needs to be configured to append headers containing user and group information to requests. Vital Security should be configured so that it can recognize the specific headers used by the downstream proxy. Vital Security can also pass these headers on to the next proxy or alternatively remove them before submitting the request over the Internet.
8 Working with ICAP

ICAP stands for Internet Content Adaptation Protocol. ICAP is used in conjunction with caching proxies such as Network Appliance NetCache or BlueCoat Proxy SG. ICAP configurations typically require significant tuning to maximize the benefits. For more information about ICAP, go to www.I-cap.org
8.1 Why work with ICAP?

One of the reasons is that if you are working with a caching proxy that supports the ICAP protocol, you can achieve significant performance benefits from configuring Vital Security as an ICAP server rather than an HTTP proxy. This is because only the relevant (potentially dangerous) traffic is submitted for scanning. For example, gif files go straight through without being scanned.
32
8.2 Vital Security as an ICAP Server

When deployed in the ICAP environment, the ICAP client typically provides user credentials and Vital Security does not have to authenticate users.
Figure 3-25: Vital Security as an ICAP Server
8.3 REQMOD RESPMOD Deployment

As an ICAP Server, Vital Security can provide both REQMOD (Request Modification) and RESPMOD (Response Modification) services.
The service name for REQMOD is Finjan_REQMOD. The service name for RESPMOD is Finjan_RESPMOD.
Vital Security can receive both REQMOD and RESPMOD requests. Here is an example of an ICAP URL for the REQMOD service:
icap://192.168.2.153:1344/Finjan_REQMOD
NOTE: When working with RESPMOD, REQMOD should also be enabled. Although technically Vital Security will work in RESPMOD-only mode, the REQMOD service is
required to provide the full HTTP transaction context when scanning some types of active content.
Vital Security can also work in REQMOD only, for example, for performing URL filtering,
33
but in this case, the actual incoming content is not scanned. Configuration of a Vital Security scanning server as an ICAP server is carried out via the Management Console. NOTE: If there is no direct Internet access, in order to perform pre-fetching of Java classes for Applet scanning, ALL Scanning Servers must have the next proxy configured. If you are using ICAP, ensure that the NG Appliance Scanning Server appears on the Access List.
8.4 ICAP Clients

There are a number of ICAP Clients that support Vital Security: Network Appliance NetCache Series Blue Coat Proxy SG Series Finjan Vital Security for SSL
34
H A P T E R
CONFIGURING ICAP CLIENTS

This chapter describes the configuration of the following ICAP clients: Network Appliance NetCache Series (NetApp) Blue Coat
1 Network Appliance Netcache Series (NetApp)

To configure NetApp via the NetApp web interface:
1. 2. 3. 4.
Log in to the NetApp Web interface. The ICAP Setup window is displayed with the General tab open. Click Setup. Click ICAP ICAP 1.0 in the left hand pane. Select the Enable Version 1.0 option.
Chapter 4 - Configuring ICAP Clients
35
Figure 4-1: ICAP Setup - General 5. 6.
Open the Service Farms tab. Press the New Service Farm button to create a new ICAP Service.
To configure an ICAP Service Farm:

1.
To set a REQMOD service, ensure that the following conditions are met: In the Vectoring Point field, select REQMOD_PRECACHE. In the Services field set the service URL:
icap://[Vital Securitys IP]:[ICAP port]/Finjan_REQMOD on

2.
To set a RESPMOD service, ensure that the following conditions are met: In the Vectoring Point field select RESPMODE_PRECACHE In the Services field set the service URL:
icap://[Vital Securitys IP]:[ICAP port]/Finjan_RESPMOD on Several services can be defined in Services and load-balanced by NetApp.
36
Figure 4-2: New ICAP Service Farm 3.
Once the services have been configured in the Service Farms, Access Control List rules should be defined to include these services.
37
Figure 4-3: Access Control Lists
With every ICAP settings change, NetApp sends an OPTIONS request to the relevant ICAP Service.
Blue Coat
Finjan is a certified Blue Coat partner.
To configure Blue Coat via Vital Security:

1. 2.
In the Vital Security Management Console, select Settings
Devices.
In the Devices screen, select the Scanning Server with which you are working, and then select ICAP.
38
Figure 4-4: ICAP Protocol: Blue Coat Configuration 3. 4. 5. 6.
In the Weights for ICAP Resource Allocation section, click Add. A drop-down menu is displayed. Select Blue Coat from the Type drop-down list. Enter the IP address of the ICAP client, enter a weight of 100, and click Add. In the ICAP Listening Port section, enter the IP address of the Scanning Server, click Apply, and then click Commit Changes on the top right of the screen.
To configure Blue Coat via the Blue Coat Web interface

1.
Log in to the Blue Coat web interface.
39
Figure 4-5: Blue Caot Main Screen 2.
Navigate to the Management Console.
Figure 4-6: Blue Coat Management Console
40
NOTE: If, at any time during the session, the Java Plug-in Security Warning appears,
select Grant this session to continue.
To define REQMOD (Request Modification) Service.

1. 2. 3.
From the Blue Coat Management Console, select External Services ICAP Services screen is displayed on the right.
ICAP. The
At the bottom of the ICAP Services screen, click New. The Add List Item dialog box is displayed. Enter a name and click OK. For instance, Reqmod. The External Services window is displayed again with the name you have selected.
Figure 4-7: Blue Coat ICAP Services 4.
Click Edit. The Edit ICAP Services dialog box is displayed.
41
Figure 4-8: Edit ICAP Services
42
The following table describes the field data to be entered:

Field Name
ICAP Version Server Type
Field Data to be entered

Select 1.0 from the dropdown list Enter the following: icap://<scanner IP (ICAP server)>:<scanner port (default=1344)>/Finjan_REQMOD. For example, icap://192.168.90.10:1344/ Finjan_REQMOD Click the request modification radio button.
Method Supported
1.
If your Vital Security scanner is up and running, then press the Sense Settings button and then OK. A confirmation message appears; click OK again. (If, on the other hand, your Vital Security scanner is not yet up and running, then click OK only to continue. In this case, you should return to this dialog box later on when Vital Security is up and running in order to select Sense Settings)
2. 3.
In the Edit ICAP Services box, select the Authenticated User checkbox and then click OK. Click Apply in the ICAP Services screen to complete the configuration.
To activate the REQMOD Service:

1.
In the Blue Coat Management Console, select Policy The Visual Policy Manager is displayed.
Visual Policy Manager.
43
Figure 4-9: Visual Policy Manager Launch 2.
Click Launch and the Visual Policy Manager dialog box is displayed.
Figure 4-10: Visual Policy Manager Dialog Box 3.
From the Main Menu Bar, select Policy New Layer dialog box is displayed.
Add Web Content Layer, and the Add
44
Figure 4-11: Add New Layer Dialog Box 4.
Add in the required name and click OK. The Visual Policy Manager is displayed with a new Web Access Layer.
Figure 4-12: Web Access Layer Added 5.
In the Action column, right-click on Use Default Caching, and then select Set. The Set Action Object dialog is displayed.
45
Figure 4-13: Set Action Object 6. 7.
Scroll down and select ICAPRequestService1. Click Edit. The Edit ICAP Request Service Object window is displayed.
46
Figure 4-14: Edit ICAP Request Service Object 8. 9.
Select the Use ICAP Request Service checkbox. From the drop-down list, select the REQMOD you have defined, and click OK. back to the Set Action Object dialog box, and click OK. the Install Policy button in the Visual Policy Manager.
10. Go
11. Click
To define RESPMOD (Response Modification) Service

This is carried out using the same steps as for REQMOD with the following differences:
1.
In the Edit ICAP Service dialog box (Figure 4-14) The Service URL should be: icap//<scanner IP (ICAP server)>:<scanner port (default=1344)>/ Finjan_RESPMOD.
For example, icap://192.168.90.10:1344/Finjan_RESPMOD The Method Supported should be response modification instead of request.
2.
In the Set Action Object dialog box (Figure 4-13), select ICAPResponse1 instead of ICAPRequestService1. This opens the Edit ICAP Response Service Object dialog box.
47
3.
In the Edit ICAP Response Service Object (Figure 4-14), select Use ICAP response service and from the drop-down list, select the RESPMOD service that you have defined, and then click OK.
48
H A P T E R
ADVANCED SETTINGS
1 Introduction to Setup Console Advanced Settings
After using the Initial Setup Wizard to configure the appliance, the Advanced Settings can be used to improve and manage the functionality of the appliance. Each appliance will have different configuration needs. Therefore, after completing the Initial Setup Wizard, the Advanced Settings enable you to access each configuration option as required, and configure it to match the system needs. NOTE: Please refer to the Initial Setup Wizard for detailed information about initial
configuration of the appliance.
The Advanced Settings options enable you to define the role the appliance takes, the type of license the appliance works under, the security, access and time settings, and also carry out routine maintenance operations. For further in-depth analysis and diagnostics of the system, the Network Settings option (within the Advanced Settings) is used to define how the network works, and how the appliance communicates with the network.
2 Configuring Advanced Settings

From the Setup Selection Screen, select Advanced Settings. The Advanced Settings screen is displayed.
Chapter 5 - Advanced Settings
49
Figure 5-1: Advanced Settings
The Advanced Settings screen contains the following options: Appliance Roles: Selecting this option opens a wizard which takes you through the steps for selecting a role and defining a Network Interface to be used as the primary server connection for the appliance. Licensing: This option is used to select the correct License Type to apply to the appliance. Custom Commands: This option is used to enable SNMP Monitoring and Support Access on the appliance, provides repair commands for the Policy Server database and the configuration repository, and enables changing the SNMP community string, and the Management Console IP address and HTTPS Listening Port. Time Settings: This option is used to set the System and/or Hardware Time, and offers the option of synchronizing the time settings with an external Time Server Network Settings: This option provides further configuration options, allowing you to carry out diagnostics and to run in-depth checks on the appliance. Change Password: Use this option to change the password for access to the Setup Console. Restart Role: This is used if there are functionality problems with the appliance software. Reboot/Shutdown Appliance: The Reboot command is used if there are operational problems with the appliance. The Shutdown command is used when it is necessary to switch off and remove the appliance from any power supply.
50
Active/Standby Policy Server: This option allows you to switch from the current Active Policy Server to the Standby Policy Server. NOTE: Any configuration changes made to the appliance are valid only for that particular appliance, and not for any other appliance connected to the network. Each appliance must be configured individually.
2.1 Appliance Role

The Appliance Role screen is used to change the role of the Appliance. This screen is the same one as appears in the Initial Setup Wizard. Selecting the Policy Server, Scanning Server or All in One redirects you to the Network Interface Used by Policy/Scanning Server screen. Only Network Interfaces that are selected to be activated at boot time will appear in the selection menu. Choose the required Network Interface, and click Next and then Apply to apply any changes you make.
Figure 5-2: Appliance Role
2.2 Licensing
The License Type screen is used to select the license. This screen is the same one as appears in the Initial Setup Wizard.
51
Figure 5-3: License Type
2.3 Custom Commands

Selecting Custom Commands displays the following screen:
Figure 5-4: Custom Commands
The following sections describe the options available within the Custom Commands screen.
52
2.3.1 Change SNMP Monitoring Options

This will enable an SNMP client to access network and resource utilization information via SNMP. The traps listed in the Management Console will only work if SNMP Monitoring has been enabled here. NOTE: When accessing the Custom Commands screen, the current status of SNMP
Monitoring is not displayed.
To enable SNMP Monitoring:

1.
In the Change SNMP Monitoring Options section, select Yes to enable SNMP monitoring.
Figure 5-5: Change SNMP Monitoring Options 2.
Click Change SNMP Monitoring Options to apply the changes. The Execute Command window is displayed confirming SNMP is enabled.
Figure 5-6: SNMP Monitoring Enabled 3.
Click Back to return to the Custom Commands window.
53
2.3.2 Change Support Access Option

This will allow privileged users, e.g. the Finjan Support Team, to access the appliance to provide support, or run checks or reports on the machine. NOTE: It is advisable to turn the Support Access option off once the support activity has
ended.
To enable Support Access to the Management Console

1.
In the Change Support Access Options section, select Yes to enable support access to the appliance. You can also enable resetting the Support User Password from this screen.
Figure 5-7: Change Support Access to Appliance 2.
Click Change Support Access Options to apply the changes. The Execute Command window is displayed confirming Support Access is enabled.
Figure 5-8: Support Access Enabled
NOTE: There is no back button in this command window, which provides an end to the
command. The server receives the instruction, and restarts itself. To return to the Custom Commands window, click the Back button in your web browser.
54
2.3.3 Repair Configuration Repository

This option checks if the configuration repository is corrupted. If corruption is detected, the repository is then repaired.
To repair the Configuration Repository:

1.
Click Repair Configuration Repistory:
Figure 5-9: Repair Configuration Repository 2.
The Execute Command window is displayed. Click Back to return to the Custom Commands window.
NOTE: The Configuration Repository stores the settings, configured in the Vital
Security Management Console, required for an appliance to function correctly in its specified role.
2.3.4 Repair Policy Server Database

This option backs up and restores the Policy Server database.
To repair the Policy Server database:

1.
Click Repair Policy Server database to back up and restore the Policy Server database.
Figure 5-10: Repair Policy Server database 2.
The Execute Command window is displayed. Click Back to return to the Custom Commands window.
2.3.5 SNMP Community String

The SNMP community string is used to enable access to the SNMP protocol.
55
To change the SNMP Community String:

1.
In the SNMP Community String section, enter the new SNMP community string. NOTE: The appliance has a default password so that access to the SNMP protocol is
automatically available.
Figure 5-11: SNMP Community String 2.
Click SNMP Community String to apply the change. The Execute Command window is displayed confirming the SNMP community string has been changed successfully. In the Execute Command window, click Back to return to the Custom Command window.
3.
2.3.6 Management Console IP Address/Port

Changes to the Management Console IP address/port can be made where there is a need to limit access to the Management Console across the network, or define different levels of access to the Management Console.
To change the Management Console IP address/port:

1.
In the Management Console IP Address field, enter the new IP address, for example 10.0.5.1, or enter * to retain current IP addresses configured on the appliance.
Figure 5-12: Management Console IP address/port 2.
In the Management HTTPS listening port field, enter the required port number. NOTE: The appliance has a default HTTPS listening port to enable immediate
communication through the appliance on initial connection.
3.
Click Change Management Console IP address/port. The Execute Command window is displayed confirming the Management Console IP address/port have been
56
changed successfully. Access to the Management Console through your browser is now through the specified IP address and port: https://10.0.5.1:1234.
4.
In the Execute Command window, click Back to return to the Custom Commands window.
2.3.7 Collect Specific Log Information

This feature enables collecting just the log files (without the database or other heavy data). This may take up to 5 minutes during which log data will be collected from the machine and compressed into a downloadable tar.gz file.
Figure 5-13: Collect Specific Log Information
2.4 Time Settings

To configure the Time Settings:
1.
In the Advanced Settings screen, click Time Settings. The System Time window is displayed.
57
Figure 5-14: System Time 2. 3. 4.
In the Time Zone section, set the Time Zone to your local time zone. You can set either the Hardware Time or System Time and match one to the other. To set the Hardware Time, enter your local time in the Hardware Time section. To match the System Time to the Hardware Time, click Set System Time to Hardware Time.
58
5. 6.
Repeat steps 3-4 to set System Time and match the Hardware Time to the System Time, and then click Save. For more accurate time checking you can synchronize your System Time settings with an external Time Server. In the Timeserver hostnames or addresses field, enter the required hostname or IP address. NOTE: Synchronizing your time settings with an external Time Server is strongly recommended, especially when working with distributed topologies.
7. 8. 9.
Select the Set hardware time too checkbox to also synchronize the hardware time. To synchronize to the Time Server settings randomly, select No in the Synchronize on schedule section. To synchronize on schedule, select Yes in the Synchronize on schedule section, and select the required time schedule in the scheduling options below. and Apply. The screen refreshes with the scheduling configuration.
10. Click Sync
2.5 Network Settings

Clicking Network Settings in the Advance Settings screen, displays the Advanced Network Settings screen.
59
Figure 5-15: Advanced Network Settings
The Advanced Network Settings options are as follows: The Network Interfaces option is used to enable the appliance to communicate with other computers on the network. The Routing and Gateways option is used to define the paths that the system should take to reach certain hosts and networks. The DNS Client option is used for converting a hostname into an IP address, and viceversa. The Host Addresses option is used to configure and match IP addresses with hostnames locally, without the use of a DNS server. This is used when changes made in different configuration options need to be applied simultaneously, for example, changes made to Network Interfaces may affect the Routing and Gateway settings, so it is preferable to make the necessary changes to the Routing and Gateway settings, and then apply changes to both the options simultaneously. The Network Diagnostics options are used to check network connectivity and communications with other hosts within the network.
60
2.5.1 Network Interfaces

Clicking Network Interfaces in the Advance Network Settings screen, displays the Network Interface screen. In the Network Interfaces screen, the Interfaces Activated at Boot Time list displays the interfaces that are configured permanently on the system. These can be optionally brought up at boot. The Interfaces Active Now list displays interfaces that are currently up.
Figure 5-16: Network Interfaces
To edit a Bootup Interface:

1. 2.
In the Advanced Network Settings screen, click Network Interfaces. The Network Interfaces screen is displayed. In the Interfaces Activated at Boot Time section of the screen, select the required interface to open the Edit Bootup Interface window.
61
Figure 5-17: Edit Bootup Interface 3. 4.
Enter the IP address, or select From DHCP for it to be dynamically assigned, or if your system supports it, select From BOOTP. Enter the Netmask and Broadcast address if required. NOTE: Netmask configuration is essential when using static IP.
5.
In Activate at boot?, select Yes or No as required. If Yes is selected, the interface will appear in the Interfaces Active Now section of the Network Interfaces screen after applying the network settings, or after system restart, as well as in the Interfaces Activated at Boot Time section. To save the changes and apply them at a later stage, click Save. To activate the Boot interface immediately, click Save and Apply.
6. 7.
To edit the configuration of an Active Interface:

1.
In the Network Interfaces screen, select the required interface from the Interfaces Active Now list. The Edit Active Interface screen is displayed.
62
Figure 5-18: Edit Active Interface 2.
Configure the Active Interface parameters as follows:

IP Address A unique Internet Protocol address for the given Network Interface. When you change the IP address here, you MUST change it in the Management Console. Please refer to Defining System Device Roles via the Management Console for more information. Netmask - The Netmask address is used to communicate with computers outside of the network Broadcast - The Broadcast address is used to enable communication with several computers within one network MTU - Defines the maximum size of the packets sent from your appliance onto the network Any packets larger than the size set here are divided into smaller packets. Status The Network Interface may be brought up or down (temporarly enabled/ disabled). Hardware address The MAC address. Generally this does not have to be changed.
3.
Click Save to save the configuration changes.
2.5.2 Routing and Gateways

Clicking Routing and Gateways in the Advanced Network Settings screen, displays the Routing and Gateways screen.
63
Figure 5-19: Routing and Gateways
To configure Routing and Gateways:

1. 2. 3.
In Default Router, select Gateway and enter the IP address in the Gateway field. In the Device field, select the required interface from the drop-down menu. Configure Static routes or Local routes as required, or leave as is to enable the default routing and gateway configuration. Static routes configured to enable traffic to choose another route to some known host or network, rather than going through the default route. Local routes set up routing to additional IP networks on connected LANs
4.
Click Save.
2.5.3 DNS Client

Clicking DNS Client in the Advance Network Settings screen, displays the DNS Client screen. DNS Cache enables caching of Domain names and addresses which reduces network traffic to and from the DNS Server and hence speeds up system performance. The following behavior is supported by the DNS Cache mechanism. It performs a DNS health check which is carried out on all configured DNS servers through the DNS protocol. If there is a DNS failure, then there is automatic failover between servers. The DNS cache is persistent which means that it can survive an appliance reboot. Caching is enabled also for multi-IP hosts if they are provided by the configured DNS Servers through the DNS Protocol. When the DNS cache is enabled and the user changes the DNS servers settings there is no need to run restart role.
64
Figure 5-20: DNS Client
To configure a DNS Client:

1. 2. 3. 4. 5.
In the Hostname field, enter the name of the PC. In Resolution order, from the various options, select the required resolution order. Select Update hostname in host addresses if changed if required. In the DNS servers fields, enter the IP address of up to three servers. If the first is not available, the system will try the second, and then the third. In the Search domains field, enter any domain names that should be automatically appended to any search results, and then select Listed, or leave the Search domains field empty, and select None. In the DNS Cache field, select On or Off to enable or disable DNS Cache. It is automatically enabled when clicking Apply in the initial Setup Wizard in the Setup Console. Click Flush DNS Cache to "flush" (i.e., empty) the cache, and restart it. Click Save to save any changes made. NOTE: When enabling/disabling DNS Cache (On/Off), you need to run Restart Role for
the settings to take effect.
6.
7. 8.
2.5.4 Host Addresses

Clicking Host Addresses in the Advanced Network Settings screen, displays the Host Addresses screen.
65
Figure 5-21: Host Addresses
To add a Host address:

1.
Click on the Add a new host address. The Create Host Address window is displayed.
Figure 5-22: Create Host Address 2. 3.
In the IP Address field, enter the IP address. In the Hostnames field, enter all possible hostnames which can be matched to the IP address, and click Create. The IP address and hostnames are added to the Host Addresses list.
2.5.5 Apply Network Settings

Click on the Apply Network Settings icon in the Advanced Network Settings window to apply any configuration changes that need to be applied simultaneously.
2.5.6 Network Diagnostics

Clicking Network Diagnostics in the Advanced Network Settings screen, displays the Network Diagnostics screen.
66
Figure 5-23: Network Diagnostics
The Network Diagnostic options are as follows: The Ping option is used to test whether a particular host is operating properly and is communicating on the network with the testing ged host. The Traceroute option is used to determine the route packets take over the network to reach a particular host. This option is used to check the process of resolving IP addresses with Hostnames. This option gives a snapshot of the active connections on the appliance, connections that are waiting, or listening. The Tcpdump option is used to display all communication on the system at a certain time. There are no time limits or size limits on the information displayed.
2.5.6.1 Ping
To use the ping option:

1.
In the Network Diagnostics screen, click Ping. The Ping screen is displayed.
67
Figure 5-24: Ping 2. 3.
In the Hostname field, enter the required hostname. Configure any other relevant parameters, and click Ping It! The Ping report is displayed.
68
Figure 5-25: Ping Report
2.5.6.2 Traceroute
To use Traceroute:
1.
In the Network Diagnostics screen, click Traceroute. The Traceroute screen is displayed.
69
Figure 5-26: Traceroute 2. 3.
In the Hostname field, enter the hostname. Configure any other required parameters, and click Trace It! The Traceroute report is displayed.
2.5.6.3 Lookup
To use Lookup:
1.
In the Network Diagnostics screen, click Lookup. The Lookup screen is displayed.
Figure 5-27: Lookup 2.
In the Hostname field, enter the required hostname.
70
3.
Configure any other required parameters. The Nameserver refers to the DNS Server IP address that you can enter in the text box displayed. If you select the radio button next to Default than whichever DNS servers are defined in the Advanced Settings Network Settings DNS Client will be used.
4. Click
Look Up! The Lookup report is displayed.
2.5.6.4 Netstat
To use Netstat:
In the Network Diagnostics screen, click Netstat. The Netstat screen is displayed.
71
Figure 5-28: Netstat
72
2.5.6.5 Tcpdump
To use the Tcpdump option:

1.
In the Network Diagnostics screen, click Tcpdump. The Tcpdump screen is displayed.
Figure 5-29: Tcpdump 2. 3. 4. 5. 6.
In Active Network Interfaces, select the required interface. In Ports, enter the port number, or leave empty. Entering a port number sets limits on the amount of traffic captures. Click Start. The capture begins. Click Stop to stop the current capture. Click Download to download the file if required.
2.6 Change Password

The Change Password screen is the same as that of the Setup Console Wizard (Figure 314). NOTE: Changing your password for the Setup Console does not affect the password for
the Management Console.
73
2.7 Restart Role

To restart the appliance role:
1.
In the Advanced Settings screen, click Restart Role to display the Restart Role window.
Figure 5-30: Restart Role 2.
Click Next. The Finished screen is displayed.
2.8 Reboot/Shutdown Appliance

To reboot or shutdown the appliance:
1.
In the Advanced Settings screen, click Reboot/Shutdown Appliance to display the Reboot/Shutdown Appliance window.
Figure 5-31: Reboot/Shutdown Appliance 2.
Click Reboot System to reboot the system.
74
3.
Click Shutdown System to shut down the system.
2.9 Active/Standby Policy Server

This screen displays the Policy Servers status: Active or Standby. The High Availability feature containing the Active or Standby Policy Servers must be initially enabled from the Management Console in order for this screen to appear.
Figure 5-32: Active/Standby Policy Server
To restart the role of a Policy Server, whether as Active or Passive, you can click on the Restart as button to force a restart of the Active/Standby Policy Server. You can choose to switch the Policy Server from Active to Standby or vice versa by clicking the Switch to button. The IP address of the other Policy Server that you defined in the Management Console (Settings Devices Policy Server High Availability Policy Server configuration) will be displayed here. It will be displayed either as the Standby Policy Server Address or as the Active Policy Server Address depending on what the status is of this Policy Server. Click on the link to be redirected to the other Policy Server Setup Console (again this will be displayed as either active or standby depending on the status). For more information on this feature, please refer to the High Availability Policy Server Technical Brief.
75
P P E N D I X
LIMITED SHELL
The Limited Shell feature enables monitoring and viewing the appliances configuration via a serial or SSH connection. Configuration changes cannot be made using this feature. An administrator can log in to the Limited Shell from a remote machine using an SSH client or by connecting to the appliance serial or vga port. The password to the shell (command line) is the same as for the Setup Console. If the current installation was performed through an update (on top of a previous version) then the Setup Console password should be set explicitly in order to reset the limited shell password. Otherwise, access will be denied. SSH access is enabled only if support access is enabled via the Setup Console. To do this, Custom Command screen and click on Yes to enable support go to the Setup Console access to appliance. Then click on Change Support Access Options. No other root user can log in directly to the system. Privileged access (root level) is achieved only after logging in as Super Administrator from the Limited Shell. A timeout mechanism is activated such that idle connections are disconnected after 5 minutes. After you log in to the Limited Shell, enter help to see a list of commands that the shell user can run and their use. The following monitoring commands are available:
Command arp date df disable_al enable_al ifconfig ip2name (ip2name ip) iptraf last
Appendix A - Limited Shell
Description Displays arp table Displays current date and time Displays disk usage Disables access list Enables Access List Displays NIC configuration and statistics Resolves ip to hostname Interactive IP LAN Monitor Displays last login
77
Command name2ip (name2ip name) netstat Ping (ping IP/Hostname) sh_db_size showroute supersh top uptime vmstat w ha_ps_enable ethconf
Description Resolves hostname to ip Displays network statistics Sends ICMP ECHO_REQUEST to network hosts Shows database file size Displays routing table Provides access to privileged shell Displays linux tasks Displays uptime Reports information about system. CTRL-C to stop Shows who is logged on and what they are doing Define a Standby Policy Server Change network interface
78
Appendix A - Limited Shell
P P E N D I X
INSTALLATION CD
In order to install 8.4.0 and higher, the update can be performed using an Installation CD. This effectively removes the need to perform Restore Factory Settings.
To install this Release using the Installation CD on NG-6000/NG-5000:

1. 2. 3. 4.
Attach a CD drive, or a bootable USB flash device and USB-keyboard and VGA Monitor, to the appliance. When the Finjan screen appears, type yes to continue with the process. Let the installation run it will take approximately 10 minutes. The Appliance LCD will indicate that the Vital Security has not been installed yet. Set up the configuration as required via the Setup Console Initial Settings.
NOTE: Currently, the built-in CD-Rom device in the NG-6000 cannot be used.
To install this Release using the Installation CD on NG-1000:

1. 2.
Attach a CD drive, or a bootable USB flash device and USB-keyboard and VGA Monitor, to the appliance. Check in the BIOS that it is set to Boot from CD/Flash Device using USB2.0.
a b c d
Navigate to Advanced BIOS features and press Enter. Using the arrow keys and the Page Up/Page Down keys, select the required device to boot from (e.g., USB-CDROM). To change the USB to 2.0, navigate backwards using the Escape key and select Integrated Peripherals. Select Enabled on the USB2.0 Controller.
3. 4. 5.
Change the third boot device from HDD-1 to HDD-0. Press F10 to exit and save configuration. When the Finjan screen appears, type yes to continue with the process.
Appendix B - Installation CD
79
6. 7.
Let the installation run it will take approximately 10 minutes. The Appliance LCD will indicate that the Vital Security has not been installed yet. Set up the configuration as required via the Setup Console Initial Settings.
To install this Release using the Installation CD on NG-8000:

1. 2. 3. 4. 5.
Attach a CD drive to the blade. When the Finjan screen appears, type yes to continue with the process. Choose the first scsi disk available. Let the installation run it will take approximately 20 minutes. Set up the configuration as required via the Setup Console Initial Settings.
80
Appendix B - Installation CD

Installation Setup Guide: Vital Security Appliance Series

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Installation Setup Guide: Vital Security Appliance Series

Hochgeladen von

Copyright:

Verfügbare Formate

Installation

Vital Security Appliance Series

Installation and Setup Guide

Catalog number: VSNG_IASG 8.4.3 Email:support@finjan.com Internet:www.finjan.com

3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Management Console System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000) . . . . . . 10

Routing Traffic through the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Working with HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Working with ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Installation and Setup Guide

A Limited Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 B Installation CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

ABOUT THIS MANUAL

Chapter 1 - About this Manual

1.1 Appliance Types

1.1.1 Vital Security Appliance Series NG-8000

Chapter 2 - Finjan Overview

Installation and Setup Guide

Figure 2-1: NG-8000 Superformance Appliance

CPU Gigabit Ethernet NIC

1.1.2 Vital Security Appliance Series NG-1000/NG-5000/NG-6000

Chapter 2 - Finjan Overview

Installation and Setup Guide

Figure 2-2: NG-5000 Superformance Appliance

Gigabit Ethernet NIC Built-in LCD display

Chapter 2 - Finjan Overview

Installation and Setup Guide

Figure 2-3: NG-1000 Superformance Appliance

Fast/Gigabit Ethernet NIC Built-in LCD display

Chapter 2 - Finjan Overview

Installation and Setup Guide

Figure 2-4: NG-6000 Superformance Appliance

Gigabit Ethernet NIC Power Supply

Chapter 2 - Finjan Overview

1 Management Console System Requirements

1.2 Software Requirements

Chapter 3 - Getting Started

Installation and Setup Guide

2 Connecting your Vital Security Appliance (NG-1000/NG-5000/ NG-6000)

2.3 Connection Procedure

2.3.1 Accessing the Vital Security Setup Console

To access the Vital Security Setup Console in NG-5000/NG-6000:

Chapter 3 - Getting Started

Installation and Setup Guide

Figure 3-1: NG-6000 Back Panel, Network Interfaces

To access the Vital Security Setup Console in NG-1000:

Continue for all appliances as follows:

Figure 3-2: Setup Console Login

Chapter 3 - Getting Started

Installation and Setup Guide

Figure 3-3: Setup Selection

2.3.2 Using the Initial Setup Wizard

Chapter 3 - Getting Started

Installation and Setup Guide

Figure 3-4: Appliance Role: Policy Server 2.

Chapter 3 - Getting Started

Installation and Setup Guide

Figure 3-5: License Type 4.

Chapter 3 - Getting Started

Installation and Setup Guide

Figure 3-6: Evaluation License Options

The following table describes the Evaluation License Options:

URL Filtering Application-Level Behavior Blocking Vulnerability Antidote Anti-Spyware