Gauntlet™ for IRIX™
Administrator’s Guide
Document Number 007-2826-004

CONTRIBUTORS
Written by John Raithel with updates by Pam Sogard
Production by Julie Sheikman
Engineering contributions by Ed Mascarenhas
St. Peter’s Basilica image courtesy of ENEL SpA and InfoByte SpA. Disk Thrower
image courtesy of Xavier Berenguer, Animatica.
© 1997, Silicon Graphics, Inc.— All Rights Reserved
The contents of this document may not be copied or duplicated in any form, in whole
or in part, without the prior written permission of Silicon Graphics, Inc.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure of the technical data contained in this document by
the Government is subject to restrictions as set forth in subdivision (c) (1) (ii) of the
Rights in Technical Data and Computer Software clause at DFARS 52.227-7013
and/or in similar or successor clauses in the FAR, or in the DOD or NASA FAR
Supplement. Unpublished rights reserved under the Copyright Laws of the United
States. Contractor/manufacturer is Silicon Graphics, Inc., 2011 N. Shoreline Blvd.,
Mountain View, CA 94043-1389.
Silicon Graphics and the Silicon Graphics logo are registered trademarks, and IRIX
and InPerson are trademarks, of Silicon Graphics, Inc. Gauntlet and the TIS logo are
trademarks of Trusted Information Systems, Inc. Netscape Navigator and Netscape
Proxy Server are trademarks of Netscape Communications Corporation. Macintosh
is a registered trademark of Apple Computer, Inc. Microsoft and Windows are either
registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. UNIX is a registered trademark in the United States and
other countries, licensed exclusively through X/Open Company, Ltd. NFS is a
registered trademark of Sun Microsystems, Inc.

Contents
List of Figures xvii
About This Guide xix
Audience xix
About This Guide xix
Conventions Used in This Guide xxii
Installation and System Requirements xxiii
Additional Resources xxiii
Books xxiii
Newsgroups xxiii
Mailing Lists xxiii
Frequently Asked Questions Lists xxiv
White Papers xxiv
How to Get Latest Security Patches xxv
PART I Understanding the Gauntlet Internet Firewall
1. Understanding the Gauntlet Firewall 3
Understanding Gauntlet Firewall Concepts 3
Design Philosophy 3
Security Perimeter 4
Trusted and Untrusted Networks 4
Policy 6
Transparency 6
Understanding Gauntlet Firewall Components 7
Hardware and Software 7
How a Firewall Works 10
Dual-Homed Bastion Host 12
Processing Packets and Requests 14
PART II Configuring and Using Proxies
2. Managing SMTP Services 19
Understanding the Proxy 19
How It Works 20
Configuring the Firewall for SMTP 20
Planning 21
Configuring the Firewall 21
Configuring Network Services 22
Configuring the Proxy Rules 22
Advertising the Firewall as a Mail Exchanger 22
Configuring Your Internal Mail Hub 22
Verifying Your Setup 23
Using Mail 23
3. Managing POP3 Services 25
Understanding the Proxy 25
How the POP3 Proxy Works 26
Configuring the Firewall for POP3 26
Planning 27
Configuring Network Services 27
Configuring the Proxy Rules 27
Configuring Your Internal POP3 Mail Server 27
Setting APOP Passwords on the Firewall 28
Verifying Your Setup 28
Using POP3 to Exchange Mail 28
4. Managing Terminal Services 31
Understanding the Proxies 31
How the Proxies Work 32
Using the TELNET and Rlogin Proxies Without Network Access Control 33
Configuring the Firewall for Terminal Services 33
Planning 33
Configuring the Firewall 34
Configuring Network Services 34
Configuring the Proxy Rules 34
Creating Authentication User Entries 35
Verifying Your Setup 35
Using Terminal Services 35
TELNET, Rlogin, and TN3270 Without Authentication 35
TELNET and Rlogin With Authentication 36
TN3270 With Authentication 37
5. Managing FTP Services 39
Understanding the FTP Proxy 39
How the FTP Proxy Works 40
Configuring the Firewall for FTP Services 41
Planning 41
Configuring Network Services 41
Configuring the Proxy Rules 41
Creating Authentication User Entries 41
Verifying Your Setup 42
Using FTP Services 42
Using Authentication 42
Using Authentication With Some GUI FTP Tools 43
Running an Anonymous FTP Server 44
6. Managing Rsh Services 47
Understanding the Rsh Proxy 47
How It Works 48
Configuring the Firewall for Rsh Services 48
Planning 48
Configuring Network Services 48
Configuring the Proxy Rules 49
Verifying Your Setup 49
Using Rsh Services 49
Configuring the Remote Machine 49
7. Managing Gopher and WWW Services 51
Understanding the Proxy 51
How It Works 52
Authenticated HTTP 53
Gopher and FTP Services 54
SHTTP and SSL Services 54
Configuring the Firewall for WWW and Gopher Services 54
Planning 54
Configuring Network Services 55
Configuring the Proxy Rules 55
Creating User Authentication Entries 55
Verifying Your Setup 55
Using Web Services 55
Using Proxy-Aware Browsers 56
Using Non-Proxy-Aware Browsers 58
Using Gopher Services 59
Running a WWW Server 60
8. Managing RealAudio Services 61
Understanding the RealAudio Proxy 61
How It Works 62
Configuring the Firewall to Use the RealAudio Proxy 62
Planning 63
Configuring Network Services 63
Configuring the Proxy Rules 63
Verifying Your Setup 63
Using the RealAudio Proxy 63
To configure the RealAudio player: 64
9. Managing MediaBase Services 65
Understanding the MediaBase Proxy 65
How It Works 66
Configuring the Firewall to Use the MediaBase Proxy 66
Planning 66
Configuring Network Services 67
Configuring the Proxy Rules 67
Verifying Your Setup 67
Using the MediaBase Proxy 67
10. Managing X Window Services 69
Understanding the X11 Proxy 69
How the X11 Proxy Works 70
Configuring the Firewall for X11 Services 71
Planning 71
Configuring Network Services 71
Configuring the Proxy Rules 71
Verifying Your Setup 71
Using X11 Services 72
11. Managing LP Services 75
Understanding the lp Proxy 75
How the lp Proxy Works 76
Configuring the Firewall for lp Services 76
Planning 76
Configuring Network Services 77
Configuring the Proxy Rules 77
Configuring the Sending Machine 77
Configuring the Receiving Machine 77
Verifying Your Setup 78
Using lp Services 78
12. Managing Sybase Services 79
Understanding the Sybase Proxy 79
How It Works 80
Configuring the Firewall for Sybase Services 81
Planning 81
Configuring Network Services 81
Configuring the Proxy Rules 81
Configuring Sybase Clients 82
Verifying Your Setup 82
PART III Administering General Gauntlet Firewall Services
13. Managing NNTP and General TCP Services 85
Understanding the Proxy 86
How It Works 87
Configuring the Firewall for NNTP 87
Planning 87
Configuring the Firewall 88
Configuring Network Services 88
Configuring the Proxy Rules 88
Informing Your News Feed 88
Configuring Your News Server 88
Verifying Your Setup 89
Using NNTP 89
Configuring the Firewall for Other Protocols 89
Planning 89
Configuring Network Services 90
Configuring the Proxy Rules 90
Configuring Your Service 91
Verifying Your Setup 91
Configuring Multiple Newsfeeds 91
Configuring Your NNTP Proxy for Reading News 92
14. Managing General TCP Services With Authentication 93
Understanding the Circuit Proxy 93
How It Works 94
Configuring the Firewall for Authenticated TCP Services 95
Planning 95
Configuring Network Services 96
Configuring the Proxy Rules 97
Verifying Your Setup 98
Using the Circuit Proxy 98
15. Managing Information Services on the Firewall 101
Understanding the Info Server 101
How It Works 102
HTTP and Gopher Server 102
FTP Server 102
How the Database Works 103
Configuring the Firewall 105
Planning 106
Configuring Network Services 106
Configuring the Proxy Rules 106
Verifying Your Setup 106
Using the Info Server 106
Planning 107
Creating Files 107
Placing Files on the Firewall 107
Adding Files to the Database 107
Creating FTP List Files 109
Creating Gopher Menu Files 109
Advertising Your Server 110
16. Using the Network Access Control Daemon 111
Understanding the Network Access Control Daemon 111
How It Works 112
Configuring the Network Access Control Daemon 112
Planning 113
Configuring Network Services 113
Configuring the Proxy Rules 113
Configuring Your Service 113
Verifying Your Setup 113
17. The Graphical Management Interface 115
First Time User Tips 116
Help Links 116
Hide and Unhide Buttons 116
Gauntlet Default Settings 117
When to Use Configure All 117
Using the Gauntlet Management Interface 117
Configuring Gauntlet Locally 118
Introductory Management Form 118
Networks and Interfaces Configuration Form 123
Trusted Networks 126
Trusted Interfaces 126
Untrusted Networks 127
Trusted Ports 127
Routing Configuration Form 128
Additional Routing Information 130
Proxy Servers Configuration Form 131
Remote (Network) Connections 131
Enabling Transparent Proxies 132
Enabling Individual Proxy Services 132
Domain Name Service (DNS) and Gauntlet 139
DNS Configuration Form 140
Configuring Fully Populated DNS Server 140
Configuring a Split DNS Server 142
Sendmail on Gauntlet Servers 146
Mail Hubs 146
Mail Relays 147
Gauntlet and Subdomains 147
Sendmail Configuration Form 148
swIPe Configuration Form 152
Authentication and Encryption Schemes 153
VPN Paths 154
Preparing a Server for swIPe Configuration 154
Configuring a Server for swIPe 156
Verifying Your Setup 159
Logfiles and Reports Configuration Form 159
Authorizing Users Form 163
Configuring Gauntlet for Remote Administration 168
Accessing the Administration Tool from a Browser 170
Accessing the Administration Tool from an X Display 170
Configuring Gauntlet for Secure Remote Administration 170
18. Managing User Authentication 173
Understanding the User Authentication Management System 173
How the Firewall Uses This Information 174
How Other Services Use This Information 174
The Pieces 175
Understanding Strong Authentication 176
Access Key II 176
APOP 176
SecurID 177
EnigmaLogic SafeWord 177
S/Key 177
Reusable Passwords 177
Configuring the User Authentication Management System 178
Configuring Third Party Systems 178
Configuring Network Services 179
Configuring Authentication Management System Rules 180
Verifying Your Installation 180
Managing Groups 180
Creating Groups 181
Disabling Groups 181
Deleting Groups 181
Managing Users 181
Creating Users 181
Creating Users with Access Key II 183
Changing User Names 184
Changing Groups 184
Changing Protocols 185
Changing Passwords 185
Enabling Users 186
Disabling Users 186
Deleting Users 187
19. Using the Login Shell 189
Understanding the Login Shell Program 189
How It Works 189
Configuring the Firewall to use the Login Shell Program 190
Planning 190
Enabling Remote Login 190
Adding Support for the Login Shell 190
Creating User Accounts 191
Configuring the Proxy Rules 191
Configuring the Shell 191
Creating User Authentication Records 192
Securing Other Applications 192
Verifying Your Setup 193
Using the Login Shell Program 193
Accessing the Firewall from Trusted Networks 193
Accessing the Firewall from Untrusted Networks 193
Changing Password for User Account 194
20. Logging and Reporting 195
Understanding Logging and Reporting 195
Creating Logs 196
Configuring Logs 197
Configuring Additional Logging 197
Configuring Log Retention Time 197
Creating Reports 197
Service Summary Reports 198
Exception Reports 198
Configuring Reports 199
Configuring Events to Ignore 199
Configuring the Firewall 199
Reading Logs and Reports 200
Logs 200
Service Summary Reports 201
Exception Reports 201
21. Backups and System Integrity 203
Backing Up Your Firewall 203
Backup Considerations 203
Restoring the Firewall 204
Verifying System Integrity 204
Understanding System Integrity 204
Configuring the Files to Ignore 204
Protecting the Integrity Database 205
Verifying System Integrity 205
Understanding the Results 205
PART IV Appendixes
A. Gauntlet System Files 209
Viewing the Gauntlet File List 209
B. Netperm Table 215
Policy Rules 215
Application-Specific Rules 216
Proxies 216
Applications 217
Using This Information 217
Modifying the Netperm Table File 218
Netperm table Syntax 218
Precedence 218
Format 219
Keywords 220
Attributes 221
Creating New Policies 221
Adding Proxy Services 223
Denying Services By Network or Host 223
Denying Access From a Host or Network 223
Controlling Services by User, Group or Time 224
User or Group 225
Operation 225
Denying Access to a Host or Network 226
Attribute Reference 227
C. Virtual Private Networks 269
Understanding Virtual Private Networks 269
Privacy With Trust (Trusted Link) 271
Privacy Without Trust (Private Link) 272
Encryption Through Multiple Firewalls (Passthrough Link) 272
How It Works 273
Encrypting the Data 273
Decrypting the Data 273
Routing the Packet 274
D. Configuring SSL on the Gauntlet Firewall 275
Getting Ready for SSL Configuration 275
SSL Configuration Procedure 276
Supplementary Instructions for Generating a Key Pair 277
Supplementary Instructions for Generating a Certificate 277
Saving the Email Reply from Your Certificate Authority 278
Supplementary Instructions for Installing Your Certificate 278

List of Figures
Figure 1-1 Gauntlet Internet Firewall Standard Configuration 11
Figure 1-2 Dual-Homed Bastion Host 13
Figure 3-1 Eudora Pro Configuration for APOP 29
Figure 7-1 Proxy Configuration for Netscape Navigator 2.0 for Windows 57
Figure 10-1 Example X Window Port Information 73
Figure 10-2 Example X Window Confirmation 74
Figure 17-1 Hide Button 116
Figure 17-2 Unhide Button 117
Figure 17-3 Gauntlet Introductory Management Form (1 of 3) 120
Figure 17-4 Gauntlet Introductory Management Form (2 of 3) 121
Figure 17-5 Gauntlet Introductory Management Form (3 of 3) 122
Figure 17-6 Networks and Interfaces Configuration Form (1 of 2) 124
Figure 17-7 Networks and Interfaces Configuration Form (2 of 2) 125
Figure 17-8 Routing Configuration Form 129
Figure 17-9 Example Gauntlet Host Routing Configuration 130
Figure 17-10 Proxy Servers Configuration Form (1 of 3) 136
Figure 17-11 Proxy Servers Configuration Form (2 of 3) 137
Figure 17-12 Proxy Servers Configuration Form (3 of 3) 138
Figure 17-13 DNS Configuration Form (1 of 2) 144
Figure 17-14 DNS Configuration Form (2 of 2) 145
Figure 17-15 Sendmail Configuration Form 151
Figure 17-16 Gauntlet Hosts Using swIPe in a VPN 153
Figure 17-17 swIPe Configuration Form 155
Figure 17-18 Add swIPe Key Form 157
Figure 17-19 Add swIPe Path Form 158
Figure 17-20 Reports and Logfiles Form (1 of 2) 161
Figure 17-21 Reports and Logfiles Form (2 of 2) 162
Figure 17-22 Authorizing Users Form 165
Figure 17-23 Add User Form 166
Figure 17-24 User Authentication 167
Figure C-1 Yoyodyne Virtual Private Network 270

About This Guide
Audience
This guide is intended for firewall administrators. It assumes familiarity with UNIX®
system administration, networking, and basic firewall concepts. System administrators
should be familiar with TCP/IP, domain name service, sendmail, and router
configuration. Consult your local library, bookstore, network resources, and IRIX®
administrator for additional references.
About This Guide
This guide is organized into four parts and contains the following chapters:
Part I, “Understanding the Gauntlet Internet Firewall,” presents the initial information
about the firewall.
• Chapter 1, “Understanding the Gauntlet Firewall,” presents an overview of what
firewalls are and why they are important. It presents an overview of how the
Gauntlet™ firewall system works.
Part II, “Configuring and Using Proxies,” explains how to configure the various
applications and proxies.
• Chapter 2, “Managing SMTP Services,” explains what the SMTP proxy does and
how it works. It presents instructions for configuring the Gauntlet firewall, as well
as required and potential configuration steps for mail applications.
• Chapter 3, “Managing POP3 Services,” explains what the POP3 proxy does and
how it works. It presents instructions for configuring the Gauntlet firewall, as well
as required and potential configuration steps for mail applications.
• Chapter 4, “Managing Terminal Services,” explains the types of terminal service
applications that the Gauntlet firewall supports. It explains what the TELNET and
Rlogin proxies do and how they work. It presents instructions for configuring the
Gauntlet firewall, as well as required and potential configuration steps for the
terminal applications.
• Chapter 5, “Managing FTP Services,” explains what the FTP proxy does and how it
works. It presents instructions for configuring the Gauntlet firewall, as well as
required and potential configuration steps for the FTP application. It also includes
notes on running an anonymous FTP server.
• Chapter 6, “Managing Rsh Services,” explains what the Rsh proxy does and how it
works. It presents instructions for configuring the Gauntlet firewall, as well as
required and potential configuration steps for Rsh.
• Chapter 7, “Managing Gopher and WWW Services,” explains the types of
information services the Gauntlet firewall supports. It explains how the HTTP
proxy handles HTTP, SHTTP, SSL, and Gopher requests and how it works. It
presents instructions for configuring the Gauntlet firewall, as well as required and
potential configuration steps for these applications.
• Chapter 8, “Managing RealAudio Services,” describes the RealAudio proxy, which
securely handles requests to listen to audio data.
• Chapter 9, “Managing MediaBase Services,” describes the MediaBase proxy, which
securely handles requests to play video and multimedia data.
• Chapter 10, “Managing X Window Services,” explains what the X11 proxy does and
how it works. It presents instructions for configuring the Gauntlet firewall, as well
as required and potential configuration steps for the X11 applications.
• Chapter 11, “Managing LP Services,” explains what the lp proxy does and how it
works. It presents instructions for configuring the Gauntlet firewall, as well as
required and potential configuration steps for lp.
• Chapter 12, “Managing Sybase Services,” explains what the Sybase proxy does and
how it works. It presents instructions for configuring the Gauntlet firewall, as well
as required and potential configuration steps for Sybase.
Part III, “Administering General Gauntlet Firewall Services,” presents information on
the other administrative tasks for the Gauntlet firewall.
• Chapter 13, “Managing NNTP and General TCP Services,” explains the types of
News and network services the Gauntlet firewall supports. It explains what the
plug proxy does and how it works. It presents instructions for configuring the
Gauntlet firewall, as well as required and potential configuration steps for the News
and network applications.