2. About myself: Ajay Nawani (easy name: AJ), Presales Head, Global Operations, Cyberoam India. Email: ajay.nawani@cyberoam.com
10. Cyberoam – Identity Based Security: Cyberoam is the only Identity-based Unified Threat Management appliance that provides integrated Internet security to enterprises and educational institutions through its unique granular user-based controls.
26. Cyberoam End Point Data Protection: Protect your Data. Protect your Assets.
29. Cyberoam iView: The Intelligent Logging & Reporting Solution. It's open source, and it's free!
41. Cyberoam Package: Cyberoam appliance, documentation CD, blue straight-through Ethernet cable, red crossover Ethernet cable, Quick Start Guide, serial cable, power cable.
42. Cyberoam Factory Defaults
Web-based Administration Console: username cyberoam, password cyber
Text-based Administration Console (Telnet or serial connection): password admin
SSH: username admin, password admin
Port A: IP address 172.16.16.16/255.255.255.0, zone type LAN
Port B: IP address 192.168.2.1/255.255.240.0, zone type WAN
45. Before Cyberoam Scenario - Gateway
Existing network: users on 192.168.0.x/24 with default gateway 192.168.0.1. Firewall: INT IP 192.168.0.1/24, DMZ IP 172.16.1.1/24, EXT IP 61.0.5.2/29, gateway IP 61.0.5.1. Router IP 61.0.5.1/29. DMZ zone behind a switch: Web Server 172.16.1.2, Mail Server 172.16.1.3, Database Server 172.16.1.4, each with gateway 172.16.1.1.
Worksheet to fill in before deployment, for each of Port A, Port B, Port C and Port D: IP Address ___.___.___.___, Subnet Mask ___.___.___.___, Zone Type LAN/WAN/DMZ. IP address of the default gateway: ___.___.___.___. DNS IP address: ___.___.___.___. System time zone: ______________. System date and time: ______________. Email ID of the administrator: ______________.
46. Cyberoam in Gateway Mode
Cyberoam takes the place of the existing firewall: INT IP 192.168.0.1/24, DMZ IP 172.16.1.1/24, EXT IP 61.0.5.2/29, gateway IP 61.0.5.1. Users remain on 192.168.0.x/24 with default gateway 192.168.0.1; router IP 61.0.5.1/29. DMZ zone behind a switch: Web Server 172.16.1.2, Mail Server 172.16.1.3, Database Server 172.16.1.4, each with gateway 172.16.1.1.
47. Gateway Mode - Zone information
Cyberoam in Gateway mode has four default zones:
LAN Zone: the network connected to the LAN interface of Cyberoam
WAN Zone: the network connected to the WAN interface of Cyberoam
DMZ Zone: the network connected to the DMZ interface of Cyberoam
Local Zone: the IP addresses assigned to Cyberoam's own interfaces fall under the Local Zone
49. Before Cyberoam Scenario - Bridge
Existing network: users on 192.168.0.x/24 behind a switch, default gateway 192.168.0.1; firewall INT IP 192.168.0.1/24; router upstream.
Worksheet: Bridge IP Address ___.___.___.___; Subnet Mask ___.___.___.___; IP address of the default gateway ___.___.___.___; DNS IP address ___.___.___.___; System time zone ______________; System date and time ______________; Email ID of the administrator ______________.
50. Cyberoam in Bridge Mode
Cyberoam sits in-line between the users (192.168.0.x/24, default gateway 192.168.0.1) and the existing firewall (INT IP 192.168.0.1/24) and router.
Worksheet filled in: Bridge IP Address 192.168.0.5; Subnet Mask 255.255.255.0; IP address of the default gateway 192.168.0.1; DNS IP address 202.54.1.30; System time zone ______________; System date and time ______________; Email ID of the administrator ______________.
51. Bridge Mode - Zone information
Cyberoam in transparent (bridge) mode has three default zones:
LAN Zone: the network connected to the LAN interface of Cyberoam
WAN Zone: the network connected to the WAN interface of Cyberoam
Local Zone: the IP address assigned to the bridge interface falls under the Local Zone
56. Web Proxy (System > Web Proxy): Cyberoam's HTTP proxy listens on port 3128 by default. It can be configured to use an upstream parent proxy server.
57. Default Internet Access Policy: the Network Configuration Wizard requires you to configure the Default Internet Access Policy.
65. IP Management - Network Interface: view port-wise network (physical interface) and zone details. If virtual sub-interfaces are configured for VLAN implementation, they are nested and displayed beneath the physical interface. Interface: the physical interfaces/ports available on Cyberoam. A virtual sub-interface configured on a physical interface is displayed beneath that interface, and its configuration can be updated or deleted.
67. Zone Management - Zone Types
LAN: the internal and most secure zone.
WAN: the external, no-control and non-reliable zone.
DMZ: the secured, publicly accessible server zone.
Local: all ports of the Cyberoam appliance fall in this zone.
VPN: the only zone that does not have an assigned physical port/interface.
69. Service Management (Objects > Services > Add): Cyberoam provides several standard services and allows creating customized service definitions and firewall rules for those customized service definitions.
83. Loopback Firewall rule: once a virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback firewall rule is created for the service specified in the virtual host; if port forwarding is not enabled in the virtual host, a firewall rule with "All Services" is created. Loopback rules allow internal users to access internal resources using the resource's public (external) IP or FQDN.
84. Port Forwarding concept. Example: we have one public IP, 154.146.25.37. In the DMZ we have connected multiple servers: a Web Server (192.168.1.157), an FTP Server (192.168.1.158) and an RDP Server (192.168.1.159). We want to publish all these servers using only the one public IP 154.146.25.37. In this case we use port forwarding while configuring the Virtual Host: we have to create three Virtual Hosts for the three servers, with the same external IP, different internal IP addresses, and port forwarding enabled. We have already created a Virtual Host for the Web Server with port 80; now we create the remaining two Virtual Hosts for FTP and RDP.
97. Authentication Settings (Identity > Authentication > Auth Settings). Note: all users need not authenticate against the same authentication server. VPN and SSL-VPN users can now authenticate against a different server than the one selected for firewall authentication.
99. Authentication Methods
Normal: HTTP client, or Corporate client (Windows: http://download.cyberoam.com/solution/optionals/Corporateclientsetup.exe; Windows Vista & Windows 7, 32-bit: http://download.cyberoam.com/solution/optionals/Corporateclientsetup_vista_win7.exe)
Clientless: no authentication required
Single Sign On: authentication is done in sync with the user's authentication in the domain
137. Default SMTP scanning rule (Anti Virus > Mail > SMTP Scanning Rules): the default rule scans emails from any sender/recipient. Apply scanning in the appropriate firewall rule to scan incoming and outgoing emails.
138. Custom SMTP rules (Anti Virus > Mail > Address Groups > Add): use an address group to create custom rules. The above custom rule blocks all executable attachments for the recipient sales.manager@abc.com.
142. How does Cyberoam HTTP AV work? It blocks all virus-infected files being downloaded. The Cyberoam virus definition covers viruses, worms, Trojans and spyware, hacker utilities, and malware. How does it help? Spyware is blocked not only from spyware sites but also from innocent sites, and malware is stopped at the gateway level.
144. HTTP Antivirus Configuration (Anti Virus > HTTP > Configuration; Anti Virus > HTTP > Scanning Rules). Note: the default mode selected is batch mode.
155. A few on-appliance mail reports. Mail Usage Report: Top Mail Senders. iView, the open source reporting software powered by Cyberoam, is integrated as Cyberoam's on-appliance reporting tool starting with Version X.
156. A few on-appliance mail reports. Spam Report: Top Applications used for Spam.
159. Introduction to IPS: IPS acts as the second layer of defense. It scans the traffic that has already been allowed by the firewall for threats.
161. IPS Policy: Cyberoam offers four pre-defined policies to choose from: General Policy, LANtoWAN strict, LANtoWAN general and DMZ policy. The screenshot shows the General Policy as the default IPS policy, together with its signature categories.
169. Default VPN Zone (Network > Interface > Zone): being a zone-based firewall, Cyberoam creates the VPN zone, which is used while creating firewall rules to control VPN traffic.
170. Default VPN Zone: creation of firewall rules using the VPN zone.
177. L2TP & PPTP Host Objects (Objects > Hosts > IP Host): Cyberoam creates PPTP and L2TP hosts by default, which can be used while creating firewall rules to control VPN traffic.
179. Custom VPN firewall rules: creating custom firewall rules using the L2TP/PPTP host objects to control remote access traffic.
183. The Global Settings page allows you to configure certain parameters globally for both types of access. Select the protocol, TCP or UDP, from the dropdown list; the selected network protocol is the default protocol for all SSL VPN clients, and a connection over UDP provides better performance. Select the SSL certificate to be used for authentication from the dropdown list. If you do not have a certificate … Specify the range of IP addresses reserved for SSL clients; SSL clients are leased IP addresses from the configured pool.
186. SSL-VPN Policy Creation: select the tunnel type. Select the access mode by clicking the appropriate option. Bookmarks are the resources that will be available through the web portal. Accessible Resources allows restricting access to certain hosts of the private network.
187. SSL-VPN Portal: SSL-VPN users authenticate on the portal with their username/password. If Cyberoam is integrated with an external authentication server, the user enters the credentials for that server.
188. SSL-VPN Portal (Welcome Page): once logged into the portal, users get access to the bookmarks and to the link to download the configuration file required for tunnel mode access.
197. Setup Gateway - Configure Weights (Network > Gateway, click on the gateway name): by default Cyberoam assigns a weight of 1 to all gateways configured using the initial network configuration wizard. The gateway weights must be changed manually, as shown above.
205. Backup gateway with failover condition (Network > Gateway, click on the gateway name): a backup gateway is one used in an active/passive setup. Traffic is routed through the backup gateway only when the active gateway is down.
206. Automatic Failover: configure when the backup gateway should take over from the active gateway. The options are that the backup gateway takes over and traffic is routed through it when any of the active gateways fails; when all the configured active gateways fail; or when a particular gateway (ISP1 in the example) fails.
207. Manual Gateway Failover: the administrator has to change the gateway manually if the active gateway fails. If you want the backup gateway to inherit the parent (active) gateway's weight, specify the weight.
208. Enable Active-Passive gateway configuration through a firewall rule: create a firewall rule for top management, route the traffic through one gateway, and configure the other available gateway as backup.
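The gateway weight and backup failover behaviour of the preceding slides, modelled as an added example (not Cyberoam's code): gateway names, weights and the smooth weighted round-robin selection are assumptions made for the illustration.

```python
# Added example (not Cyberoam's code): weighted load balancing across active
# gateways with a backup gateway that takes over under the three failover
# conditions on the slides. Gateway names, weights and the smooth weighted
# round-robin selection are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    weight: int = 1      # the wizard assigns weight 1 to every gateway
    up: bool = True      # result of the gateway's failover health check


class GatewayScheduler:
    """failover selects when the backup takes over:
       'any'  - when any active gateway fails
       'all'  - when all configured active gateways fail
       <name> - when that particular active gateway (e.g. 'ISP1') fails"""

    def __init__(self, active: List[Gateway], backup: Gateway, failover: str = "all") -> None:
        if failover not in ("any", "all") and failover not in [g.name for g in active]:
            raise ValueError(f"unknown failover condition {failover!r}")
        self.active, self.backup, self.failover = active, backup, failover
        self._credit: Dict[str, int] = {g.name: 0 for g in active}

    def backup_takes_over(self) -> bool:
        down = {g.name for g in self.active if not g.up}
        if self.failover == "any":
            return bool(down)
        if self.failover == "all":
            return len(down) == len(self.active)
        return self.failover in down

    def pick(self) -> Optional[str]:
        """Gateway for the next new connection, or None if nothing is reachable."""
        if self.backup_takes_over():
            return self.backup.name if self.backup.up else None
        up = [g for g in self.active if g.up]
        if not up:
            return None
        # Smooth weighted round robin: each gateway earns its weight per round and
        # the one with the most accumulated credit is charged the total and used.
        total = sum(g.weight for g in up)
        for g in up:
            self._credit[g.name] += g.weight
        chosen = max(up, key=lambda g: self._credit[g.name])
        self._credit[chosen.name] -= total
        return chosen.name

    def distribution(self, connections: int) -> Dict[str, int]:
        """Tally which gateway each of the next `connections` connections uses."""
        counts: Dict[str, int] = {}
        for _ in range(connections):
            name = self.pick() or "unreachable"
            counts[name] = counts.get(name, 0) + 1
        return counts


if __name__ == "__main__":
    isp1, isp2 = Gateway("ISP1", weight=3), Gateway("ISP2", weight=1)
    sched = GatewayScheduler([isp1, isp2], Gateway("Backup"), failover="all")
    print("both up:", sched.distribution(8))
    isp1.up = False
    print("ISP1 down:", sched.distribution(4))
    isp2.up = False
    print("all down:", sched.pick())
```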
212. Static Routing (Network > Static Route > Unicast): the above example defines a static route where all requests destined for 4.2.2.2 are always routed via 1.1.1.1 (Port B). This traffic is dropped if the interface is down.
213. Policy Based Routing: the static routing method satisfies most requirements, but is limited to forwarding based on the destination address only. Policy-based routes are extended static routes that provide more flexible traffic handling: they allow matching on source address, service/application, and gateway weight for load balancing. This offers granular control for forwarding packets based on a number of user-defined variables:
• Destination
• Source
• Application
• A combination of all of the above
214. Policy Based Routing: with the above firewall rule, all HTTP traffic from LAN to WAN is load balanced.
215. Policy Based Routing: with the above firewall rule, all SMTP traffic from LAN to WAN is always routed via ISP1. While ISP1 is down, this traffic is routed via ISP2 (backup).
216. Source Based Routing (Network > Static Route > Source Route): source network routing allows administrators to direct traffic generated from a particular network over designated links according to business policies. When you define source-based routing for a particular subnet, all the traffic coming from that subnet is forwarded to the defined interface. In the example, all traffic from network 192.168.1.0/24 is always routed via the ISP1 gateway.
218. Dynamic Routing - OSPF: OSPF (Open Shortest Path First) is one of the IGPs (Interior Gateway Protocols). Compared with RIP, OSPF can serve many more networks and its convergence period is very short. OSPF is widely used in large networks such as ISP backbones and enterprise networks. The Cyberoam implementation of OSPF supports OSPF version 2 (as described in RFC 2328) with plain text and Message Digest 5 (MD5) authentication.
219. Dynamic Routing - BGP: BGP (Border Gateway Protocol) is a path vector protocol used to carry routing information between routers in different administrative domains (Autonomous Systems); for example, BGP is typically used by ISPs to exchange routing information between different ISP networks. The Cyberoam implementation of BGP supports version 4 (RFC 1771), the Communities attribute (RFC 1997), Route Reflection (RFC 2796), Multiprotocol Extensions (RFC 2858) and Capabilities Advertisement (RFC 2842). Additionally, a firewall rule has to be configured for the zone from which BGP traffic is to be allowed, i.e. LAN to LOCAL or WAN to LOCAL.
220. Dynamic Routing - Configuration: configuration of RIP, OSPF and BGP is beyond the scope of CCNSP and is part of the CCNSE curriculum. Please refer to the documents on the Cyberoam knowledgebase site for configuration:
RIP: http://kb.cyberoam.com/default.asp?id=1000&SID=&Lang=1
OSPF: http://kb.cyberoam.com/default.asp?id=999&SID=&Lang=1
BGP: http://kb.cyberoam.com/default.asp?id=1001&SID=&Lang=1
221. Multicast Routing: Cyberoam supports multicast traffic forwarding in both Gateway and Bridge mode. Multicast forwarding is controlled by specifying static routes for multicast traffic. In Gateway mode, multicast forwarding has to be enabled and then static routing configured; in Bridge mode, only multicast forwarding has to be enabled. Multicast forwarding can be enabled, and mroutes added, from both the GUI and the console. Multicast routing configuration is beyond the scope of CCNSP and is part of the CCNSE curriculum. Refer to the knowledge base article for multicast routing configuration: http://kb.cyberoam.com/default.asp?id=1021&SID=&Lang=1
225. Role Based Administration: to create a new administration profile, go to System > Administration > Profile > Add.
226. Role Based Administration - attach a profile to a user: in the new-user configuration above, the profile option is only activated if the user type is set to Administrator. Here the user type is Administrator and the profile created on the previous slide is selected.
230. Report Management (Logs & Reports > View Reports): the administrator can also configure pre-defined reports to be received via email on a daily or weekly basis.
261. Presales Contact Details
Email support: EMEA [email_address]; APAC [email_address]; Latin America [email_address]; North America and Canada [email_address]; India [email_address]; SAARC countries [email_address]
Chat support: http://www.cyberoam.com/presalessupport
Phone (region: toll free / non toll free):
USA: +1-877-777-0368 / +1-973-302-8446
Europe: +44-808-120-3958 / +44-203-355-7917
APAC: +1-877-777-0368 / +1-973-302-8446
Middle East & Africa: +1-877-777-0368 / +1-973-302-8446
India: 1-800-301-00013 / +91-79-66065777
50% of security problems originate from internal threats (Yankee Group).
Cyberoam firewall is the only UTM firewall that embeds user identity in firewall rule matching criteria, enabling enterprises to configure policies and identify users directly by the username rather than through IP addresses. Cyberoam’s powerful hardware firewall provides stateful and deep packet inspection, access control, user authentication, network and application-level protection.
The way Cyberoam is licensed: appliances scale from 25 to 1500 users, and the appliance model matches the number of users.
Identifies attacks based on: 1. excessive log-ins over a given period of time; 2. data accessed outside of a user's job requirements; 3. simply a spike in overall usage.
Cyberoam Central Console enables enforcement of global policies for Firewall , Intrusion Detection & Prevention and Anti-virus scanning. This supports the creation and implementation of enterprise-wide security policy to strengthen branch and remote office security while lowering operational complexity. The Cyberoam Central Console enables administrators to assign security policies based on user’s work profile even in remote locations. This fully leverages Cyberoam's unique user identity-based security approach.
NOTE: Two AC Power Cables in Case of 1000i & 1500i Appliance
The essential information needed to create a firewall rule in Cyberoam: a source zone and host, a destination zone and host, the service (protocol), a schedule, and an action (Accept, Reject, Drop). Check the help.
Select the public IP address type and configure the IP address. The configured IP address is mapped to the destination host/network and used as the IP address of the virtual host. Select the mapped IP address type and configure the IP address. This is the IP address to which the public IP address is mapped, i.e. the actual private IP address of the host being accessed through the virtual host.
Create a firewall rule from WAN to DMZ, as the Web Server is located in the DMZ, with the destination set to the Virtual Host created for the Web Server.
There is no need for the administrator to create the loopback rule explicitly; it is created automatically whenever a Virtual Host is created. This means creating a virtual host creates a DMZ-DMZ rule by default. These rules allow internal users to access the resource on the same public IP. Whenever a Virtual Host is selected as the destination of a firewall rule, it is annotated as (VH), and hovering the mouse cursor over it displays the mapping of the public IP address to the mapped IP address.
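The port-forwarding example from the Virtual Host slide and the automatically created loopback rule described above, modelled as an added example (not Cyberoam's code): FTP port 21 and RDP port 3389 are assumptions (the slide only states port 80 for the web server), and the DMZ zone mapping is constructed.

```python
# Added example (not Cyberoam's code): a model of the Virtual Host table from
# the port-forwarding slide and of the loopback rule the appliance creates for
# each virtual host. FTP port 21 and RDP port 3389 are assumptions (the slide
# only states port 80 for the web server); the DMZ zone mapping is constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VirtualHost:
    name: str
    public_ip: str                      # external IP the service is published on
    mapped_ip: str                      # private IP of the real server
    public_port: Optional[int] = None   # None = no port forwarding ("All Services")
    mapped_port: Optional[int] = None   # None = same as public_port


@dataclass(frozen=True)
class FirewallRule:
    src_zone: str
    dst_zone: str
    destination: str
    service: str
    action: str = "Accept"


class VirtualHostTable:
    def __init__(self, zone_of: Dict[str, str]) -> None:
        self.zone_of = zone_of                  # mapped IP -> zone it lives in
        self.hosts: List[VirtualHost] = []
        self.rules: List[FirewallRule] = []     # auto-created loopback rules

    def add(self, vh: VirtualHost) -> FirewallRule:
        ip_address(vh.public_ip)                # raises ValueError on a bad address
        ip_address(vh.mapped_ip)
        for old in self.hosts:
            if old.public_ip != vh.public_ip:
                continue
            # Sharing a public IP works only if both forward *different* ports; a
            # virtual host without port forwarding claims every port of that IP.
            if old.public_port is None or vh.public_port is None \
                    or old.public_port == vh.public_port:
                raise ValueError(f"{vh.name} overlaps {old.name} on {vh.public_ip}")
        self.hosts.append(vh)
        # Loopback rule: zone of the mapped IP on both sides, service taken from
        # the virtual host, or "All Services" when no port is forwarded.
        zone = self.zone_of[vh.mapped_ip]
        service = f"TCP/{vh.public_port}" if vh.public_port else "All Services"
        rule = FirewallRule(zone, zone, f"{vh.name} (VH)", service)
        self.rules.append(rule)
        return rule

    def resolve(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet for the public IP/port to the internal server,
        or None if no virtual host publishes that port."""
        for vh in self.hosts:
            if vh.public_ip != dst_ip:
                continue
            if vh.public_port is None:
                return vh.mapped_ip, dst_port
            if vh.public_port == dst_port:
                return vh.mapped_ip, vh.mapped_port or dst_port
        return None


def build_slide_setup() -> VirtualHostTable:
    """The three virtual hosts from the slide, sharing public IP 154.146.25.37."""
    dmz = {"192.168.1.157": "DMZ", "192.168.1.158": "DMZ", "192.168.1.159": "DMZ"}
    table = VirtualHostTable(dmz)
    table.add(VirtualHost("VH_Web", "154.146.25.37", "192.168.1.157", 80))
    table.add(VirtualHost("VH_FTP", "154.146.25.37", "192.168.1.158", 21))
    table.add(VirtualHost("VH_RDP", "154.146.25.37", "192.168.1.159", 3389))
    return table
```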
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: flooding a network, thereby preventing legitimate network traffic; disrupting a server by sending more requests than it can possibly handle, thereby preventing access to a service; preventing a particular individual from accessing a service; disrupting service to a specific system or person
A SYN flood attack creates so many half-open connections that the system becomes overwhelmed and cannot handle incoming requests any more. UDP flood: this attack links two systems, hooking up one system's UDP character-generating service with another system's UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data. TCP flood: this attack sends more TCP packets than the host/victim computer can handle. ICMP flood is based on sending the victim an overwhelming number of ping packets. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.
DoS protection settings vary between organizations (give an example).
When the burst rate is crossed, Cyberoam considers it an attack. Cyberoam provides DoS attack protection by dropping all the excess packets from the particular source/destination, and continues to drop the packets until the attack subsides. Because Cyberoam applies the threshold value per IP address, only traffic from the particular source/destination is dropped; the rest of the network traffic, i.e. traffic from the remaining IP addresses, is not affected at all.
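The per-IP burst-threshold behaviour just described, as an added example (not Cyberoam's code): the packet trace, threshold and window are constructed, and the sliding-window counter is an assumption about how such a threshold can be enforced.

```python
# Added example (not Cyberoam's code): per-source-IP burst-rate enforcement as
# the note describes it. Packets beyond the burst threshold within the window
# are dropped for that source only, other sources are untouched, and dropping
# stops once the source's rate falls back under the threshold. The packet
# trace, threshold and window are constructed for the illustration.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Packet = Tuple[float, str]   # (arrival time in seconds, source IP)


class DosProtection:
    def __init__(self, burst: int, window: float = 1.0) -> None:
        self.burst = burst              # packets allowed per window per source
        self.window = window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.under_attack: Set[str] = set()

    def inspect(self, ts: float, src: str) -> str:
        """Return 'accept' or 'drop' for one packet from src at time ts."""
        q = self._recent[src]
        q.append(ts)                    # dropped packets still count: they arrived
        while q and q[0] <= ts - self.window:
            q.popleft()                 # forget packets outside the window
        if len(q) > self.burst:
            self.under_attack.add(src)  # burst crossed: treat the source as attacking
            return "drop"
        self.under_attack.discard(src)  # rate back under threshold: attack subsided
        return "accept"


def simulate(packets: List[Packet], burst: int, window: float = 1.0) -> Dict[str, Dict[str, int]]:
    """Run a packet trace through DosProtection and tally verdicts per source."""
    dos = DosProtection(burst, window)
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, src in sorted(packets):
        tally[src][dos.inspect(ts, src)] += 1
    return dict(tally)


# Constructed trace: 10.0.0.5 fires 50 packets in half a second, 10.0.0.9 sends
# five packets at a normal pace, then 10.0.0.5 sends one packet after a pause.
SAMPLE_TRACE: List[Packet] = (
    [(i * 0.01, "10.0.0.5") for i in range(50)]
    + [(i * 0.1, "10.0.0.9") for i in range(5)]
    + [(3.0, "10.0.0.5")]
)

if __name__ == "__main__":
    for src, verdicts in simulate(SAMPLE_TRACE, burst=20).items():
        print(src, verdicts)
```

With a burst of 20 packets per second, the flooding source has its first 20 packets accepted and the next 30 dropped, the quiet source is untouched, and the flooder's packet after the pause is accepted again.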
Explain the relationship between policies. Explain how different categories make up an IAP and how different policies can be applied to a user.
User Identity-based Policies: Cyberoam's user identity-based filtering provides the granular controls required to control access by individual users and groups to applications, sites and information upload, as well as the entry of viruses, worms, spyware and other attacks onto the network. By allowing enterprises to set distinct surfing policies with differing access rights based on individual names rather than IP addresses, Cyberoam enables the creation of surfing policies based on the user's work profile. Policies can be created based on the user's department, group, hierarchy or individual requirements, providing great dynamism and flexibility in policy creation and management. Rapid user-IP mapping with instant user identity recognition reduces time lag and processor load.
A group is a collection of users having common policies that can be managed as a single unit. It is a mechanism for assigning various policies to a number of users in one operation/step, which simplifies user configuration. Users that belong to a particular group are referred to as group users.
Users are needed for auditing, and security can be configured at a finer granularity: the isolation point can be identified immediately, integration identifies access requests based on user names, and reports are generated based on user names.
Threats over email such as spam, phishing, viruses and worms are released in the billions within a short span of time. Today's attackers launch threats for financial gain rather than out of malicious intent. They mask the originator and launch the attack using a network of zombie machines. With zombie botnets able to send up to 1 billion spam messages within a few hours, the attack spreads rapidly.
Gateway level spam protection for zero-hour spam detection: to match the speed with which attacks spread, zero-hour responsiveness is required to deliver enterprise security. Zero-hour protection swings into action, generating defenses in the first hour of an attack. Further, the content and characteristics of the messages within a single attack differ, making it difficult to identify the threat through traditional methods. Solutions that rely on signature databases are likely to leave the enterprise defenses lowered during the critical first hours of an attack.
Cyberoam in partnership with CommTouch RPD (Recurrent Pattern Detection): Cyberoam delivers zero-hour spam protection in addition to image spam defense through Recurrent Pattern Detection (RPD) technology. This unique content-agnostic technology detects and blocks image spam, which accounts for almost 35% of worldwide spam mail and 70% of the bandwidth taken by spam. Cyberoam's anti-spam protection delivers maximum spam detection with low false positives through relevant, continuous and real-time spam detection. The solution reduces spyware, phishing and adware attempts and controls spam involving pornography, while enhancing enterprise productivity by preventing mail systems from being submerged by spam.
This connection, also called a Host-to-Net connection, may be with or without a static IP.