Firewall Configuration Guide
Security Reporting Center
June 15, 2006

Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal may make improvements in or changes to the software described in this document at any time.

© 2006 Marshal Limited, all rights reserved.

U.S. Government Restricted Rights: The software and the documentation are commercial computer software and documentation developed at private expense. Use, duplication, or disclosure by the U.S. Government is subject to the terms of the Marshal standard commercial license for the software, and where applicable, the restrictions set forth in the Rights in Technical Data and Computer Software clauses and any successor rules or regulations.

Marshal, MailMarshal, the Marshal logo, WebMarshal, Security Reporting Center and Firewall Suite are trademarks or registered trademarks of Marshal Limited or its subsidiaries in the United Kingdom and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Contents

Notice
About This Book and the Library
Conventions
About Marshal

Chapter 1: Configuring Supported Firewalls and Logs
  BorderWare Firewall Server
  Check Point VPN-1/FireWall-1 v4.x
    Configuring an Unauthenticated Connection
    Managing Check Point LEA Log Files
    Exporting Check Point Logs
    Special Firewall Configuration
    Special LEA Service Configuration
  Check Point VPN-1/Firewall-1 NG
    Using OPSEC LEA
    Using Exported Log Files
    Configuring log files for HTTP, SMTP, and FTP
    Special Firewall Configuration
    Special LEA Service Configuration
  CimTrak Web Security Edition
  Cisco Content Engine
  Cisco IOS Firewall and Router
  Cisco PIX Firewall
  Clavister Firewall
    Getting Log Information
    Configuring Clavister Log Conversion Scripts
    Configuring Security Reporting Center
    Converting Logs Manually
  CyberGuard Firewall
  Fortinet FortiGate Network Protection Gateways
  GTA Firewall Family
  Ingate Systems Firewall
  Inktomi Traffic Server
  iPrism Web Filtering Appliance
  Lucent Managed Firewall
  Lucent VPN Firewall
  Microsoft ISA Server 2000
  Microsoft Proxy Server
  Neoteris IVE
  Netasq Firewall
  Netopia S9500 Security Appliance
  Netscape Proxy Server
  NetScreen Firewall
    Configuring with NetScreen Web Administration Interface
    Configuring with NetScreen Command-line Interface
  Network Appliance NetCache
  Network Associates Gauntlet Firewall for UNIX
    Configuring Gauntlet for Syslog
  Network Associates Gauntlet Firewall for Windows NT
    Configuring Versions 2.1 and 5.0
    Configuring Version 5.5
  Network-1 CyberwallPLUS
    Configuring CyberwallPLUS for Syslog
  Novell BorderManager Firewall Services
  RapidStream
  Secure Computing Sidewinder
  SonicWALL Internet Security Appliance
    Getting Log Information
  Squid
  Sun Microsystems SunScreen
  Symantec Enterprise Firewall
    Special Firewall Configuration
  3Com Firewalls
    Getting Log Information
  TopLayer AppSwitch 3500
    Getting Log Information
    Configuring AppSwitch Components
    Identifying Protocols in AppSwitch Log Files
  WatchGuard Technologies Firebox
    Getting Log Information
    Exporting Log Files

Chapter 2: WebTrends Enhanced Log Format
  Log File Format
    Record Format
    Field Format
  Identifying Users, Servers, and Sites
  Required Fields
    id=
    time=
    fw=
    pri=
    proto=
  Optional Fields
    rule=
    duration=
    sent=
    rcvd=
    src=
    srcname=
    dst=
    dstname=
    cat_site=
    cat_page=
    catlevel_site=
    catlevel_page=
    cat_action=
    user=
    op=
    arg=
    result=
    vpn=
    type=
    msg=
    ref=
    agent=
    cache=
  Sample Records
    Sample Web Records
    Sample Email Records
    Sample Telnet Records
    Sample FTP Records
    Sample RealAudio Records
    Sample VPN Records
    Sample Management Records
    Sample Error Messages
  Using WELF with the NetIQ Syslog Service

Index

About This Book and the Library

The Firewall Configuration Guide provides information about how to configure supported firewalls, proxy servers, and security devices to work with Security Reporting Center. It describes where log files are located, how to retrieve them, and how to make sure that they use a format that can be read and analyzed by Security Reporting Center. It also includes information about configuring both Security Reporting Center and your firewall to produce the most useful reports.

Intended Audience

This book provides information for firewall administrators and security personnel in charge of firewall configuration and Security Reporting Center administration.
Other Information in the Library

The library provides the following information resources:

Evaluation Guide
  Provides general information about the product and guides you through the trial and evaluation process.

User Guide
  Provides conceptual information about Security Reporting Center. This book also provides an overview of the Security Reporting Center user interface and the Help.

Conventions

The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions.

Convention                            Use
Bold                                  • Window and menu items
                                      • Technical terms, when introduced
Italics                               • Book and CD-ROM titles
                                      • Variable names and values
                                      • Emphasized words
Fixed Font                            • File and folder names
                                      • Commands and code examples
                                      • Text you must type
                                      • Text (output) displayed in the command-line interface
Brackets, such as [value]             • Optional parameters of a command
Braces, such as {value}               • Required parameters of a command
Logical OR, such as value1 | value2   • Exclusive parameters. Choose one parameter.

About Marshal

Marshal delivers a complete email and Web security solution to a variety of Internet risks. The Marshal solution provides comprehensive protection by acting as a gateway between an organization and the Internet. It allows organizations to restrict, block, copy, archive, and automatically manage the sending and receiving of messages.

Marshal Products

Marshal's Content Security solution, which includes MailMarshal SMTP, MailMarshal Exchange and WebMarshal, delivers a complete email and Web security solution to these risks by acting as a gateway between your organization and the Internet. The products sit behind your firewall but in front of your network systems to control outbound documents and their content.
By providing anti-virus, anti-phishing and anti-spyware protection at the gateway, Marshal's Content Security solution offers you a strategic, flexible and scalable platform for policy-based filtering that protects your network, and as a result, your reputation.

Contacting Marshal

Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our Web site. If you cannot contact your partner, please contact our Technical Support team.

Telephone:  +44 (0) 1256 848 080 (EMEA)
            +1 404 459 2890 (Americas)
            +64 9 984 5700 (Asia-Pacific)
Sales Email: info@marshal.com
Support:     www.marshal.com/support
Web Site:    www.marshal.com

Chapter 1
Configuring Supported Firewalls and Logs

This chapter describes the supported firewalls and log formats for Security Reporting Center and helps you configure your firewall and Security Reporting Center to create meaningful reports based on your logs.

BorderWare Firewall Server

Versions Supported

BorderWare Firewall Server versions 5.x and 6.x

Obtaining Log Information

To create a firewall profile for use with Security Reporting Center, you must specify the log file location. The BorderWare Firewall Server maintains several log files. Using FTP, move the connections logs and messages logs from the root/logs directory on the BorderWare Firewall server. When you create a profile, select the FTP retrieval method and specify both the name of the connections log and the name of the messages log in the Log File Path text box. Use a vertical bar (|) to separate the two files.
Check Point VPN-1/FireWall-1 v4.x

Versions Supported

Check Point™ VPN-1® v4.x
Check Point FireWall-1® v4.x

Obtaining Log Information

You must specify the location of the Check Point firewall log file when you create a profile in Security Reporting Center. For step-by-step instructions on creating a profile, see the User Guide for Security Reporting Center. Security Reporting Center supports two methods for accessing a Check Point firewall
