Configuring Access Enforcer
Posted by Third Tier on 19 November 2014 07:21 PM
Now that a year has passed, Third Tier is beginning to release the original SMBKitchen documents. Our members got this information a year ago, but now is your chance to catch up. Amy Babinchak wrote this article on configuring an Access Enforcer UTM after you’ve run through the setup wizard. You might want to read it even if you use another UTM device because the concepts will be very similar. If you’d like this information along with webinars and chats as it’s created, be sure to sign up for our SMBKitchen ASP. You can purchase yours at http://helpdesk.thirdtier.net
Not a Third Tier customer yet? Let me introduce: We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations.
CONFIGURING CALYPTIX ACCESS ENFORCER
By Amy Babinchak
Abstract
Running through the basic setup of a UTM firewall like the Calyptix Access Enforcer is not enough to enable proper security. This article picks up where the setup wizard leaves off. It provides a suggested configuration; however, individual situations vary and different settings may need to be applied to different clients. The configuration presented here works well for most clients that have anti-spam services hosted offsite and have one or more servers, wireless and devices to protect. The Access Enforcer contains many settings that you may wish to add following
First Things First
The Calyptix Access Enforcer (AE) is classified as a Unified Threat Management (UTM) device. It is built by Calyptix (Calyptix.com) and is based on OpenBSD. OpenBSD is generally considered to be one of the most secure operating systems. It has an active community supporting it and tightly controlled development of the kernel and core. Lawrence Teo is the principal developer of the AE and is very active and well respected in the OpenBSD community. In addition to OpenBSD, Calyptix makes use of other open source products to create the AE. However, while doing so they still accept full responsibility for supporting the product as a whole and the elements within. When I was shopping for a new firewall, the ability to support all of the open source components was a critical part of the discussion. Calyptix has an interesting security blog that can be found at http://blog.calyptix.com/. Contributors are members of the development staff at Calyptix. The other piece that was very important to me was dedication to the SMB market space. Calyptix and I both consider this to be the only market that we are interested in. I didn’t want to work with a company that would treat my clients as second best after their enterprise clients or that didn’t treat small IT firms like mine with respect. Calyptix has exceeded my expectations on all fronts. The quality of the product, dedication to the market space and interaction with partners have been superb.
Setting the Stage
The AE is housed in a metal casing and comes in several sizes. Each unit contains the same features. The difference between units is form factor, number of network ports and throughput capacity. As you move up in models the processing power increases. It has a unique multiple network feature. As you can see in Figure 1, there is a WAN port and a number of other Ethernet ports. The Ethernet ports represent different networks. The AE does not contain a switch as many consumer class firewalls do. Instead each Ethernet port is a discrete network that can be used for an additional WAN, guest wireless, LAN wireless, or any other network purpose. The USB ports are used for backup and recovery.
Figure 1: The Ethernet ports on an AE represent different networks
Once you have unpacked the Calyptix you should first notice that you’ve been given a unique password for each unit. Calyptix does not ship units with a standard password. You can change the password later; however, you should document the original passwords in case you need to perform a restore. Once powered on you’ll walk through the setup wizard. The setup wizard will take you through the simple one LAN, one WAN configuration. (TIP: Be sure to use the same DNS forwarders in your AE that you have configured in your internal DNS server. For example, if you are using Google DNS 188.8.131.52 then use it all the way through.) Complete this task and you have a working unit. At this point most people look for the Port Forwarding configuration and poke some holes to publish server features such as email. This is where most people stop the configuration. For this paper, it is the point at which we are going to begin our configuration.
Before we begin our configuration you’ll want to take notice of two portals that Calyptix offers.
https://my.calyptix.com is what they call the single pane of glass portal. This portal provides a central location where you will find all of the units that you have purchased for your clients, alerts and the option to remotely access them. Calyptix offers advanced alerting and other services for additional fees. The second is http://online.calyptix.com. This is the portal where online documentation is kept. This includes both support and marketing materials. This portal is also where you’ll be taken if you press the Help button inside the AE menu. Throughout this paper reference will be made to support documents in this portal. Calyptix provides very nice configuration documents.
Best Practice Analyzer
Calyptix has followed Microsoft’s lead and built in a Best Practice Analyzer (BPA). IT pros should already be familiar with how these work. Launch the BPA and it will run through a series of checks to verify that you’ve performed the basic setup. When you have all Green checks (see Figure 2) you are ready to proceed to customizing the Access Enforcer to meet your client’s security needs.
Figure 2: The Best Practice Analyzer runs through a series of basic configuration checks.
Configuring Active Directory Integration
Active Directory Integration (AD) is a feature that plays a role in several other features. Therefore it is nice to have it set up early in the configuration process. Below is a list of features that make use of the AD integration function.
• Reporting with AD integration provides you and the business owner with user names rather than IP addresses. This makes it easier to identify people’s website viewing habits.
• Live Connections. Connections will be identified by username as well as IP address. When troubleshooting traffic problems it makes identification quicker.
• Spam. Although we aren’t going to be configuring the spam features in this paper, the AD integration provides the AE with the list of email addresses in use.
• Time Periods and Web Policies. These features allow you to control when an individual is allowed access to the Internet and to which locations no matter which PC they might log into. These rules could also be applied to AD security group or PC Local Groups.
Setting up AD integration requires creating a user account that the AE will use for LDAP queries and reporting. This user needs no special privileges. Create the user account and place it in the Managed Services container of your Active Directory. Set the password to never expire. Then begin your AD configuration following this document found in the Calyptix portal: https://online.calyptix.com/node/359
Gotchas: The server and PCs must have their Windows Firewall ON and be in the correct firewall domain for the exception rules to work. You also must be able to push Group Policies to the workstations.
Securing Port Forwarding
Like any NAT device, the AE does port forwarding. However, it takes it a step further by providing port security and redirection options.
While setting up your port forwarding rules (these are the services that you want to publish to the outside world) you will want to secure some of them at this level. In particular we always secure any RDP access. Notice the highlighted Lock in Figure 3. This lock indicates that the rule is restricted for access to only the IP addresses listed within it.
Figure 3: You can secure port forwarding rules by only allowing access from a list of known IP addresses
Notice that you can also easily modify ports. So, for example, if you wanted to publish two different RDP services then you could specify a different Public IP:Port for each.
Configuring Outbound Filtering
Most people tend to think of firewalls as preventing bad traffic from getting in, but it is just as important that the bad guys have trouble getting traffic out too. Knowing where your data is going is just as important. Calyptix and the SANS Security Institute recommend that you block the range of ports shown in Figure 4 at a minimum. Setting things up this way will give you a Default Allow policy but will block commonly used data ports from gaining access to the Internet. Use this article to set them up: https://online.calyptix.com/outbound-filtering
Figure 4: Calyptix and SANS Security suggest blocking these ports as the minimum configuration level.
You have another option, which is to enable a default deny policy on outbound traffic and then create rules to allow only the outbound traffic that the business requires. This is a more secure stance but also requires a close eye on traffic for a while to make sure that you’ve enabled the required ports. Your basic outbound filter would then have these ports open: DNS (UDP port 53), HTTP (TCP port 80), HTTPS (TCP port 443), SMTP (TCP port 25), NTP (UDP port 123), plus any additional ones that the business needs.
Using either outbound filtering method you can also choose to create more fine-grained rules. For example, you may want everyone to have Internet access except for the computers that are attached to CNC or other manufacturing equipment. To create this type of rule you will need to specify the IP address of the computer, so be sure to set a DHCP reservation on that PC before you configure this rule. Calyptix provides instructions for creating the rules in the document referenced above.
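To make the default-deny stance concrete, here is how that outbound policy, including the CNC exception, would be written as an OpenBSD pf ruleset (pf is the packet filter OpenBSD ships with). This is an added example, not configuration taken from Calyptix or the Access Enforcer, which builds its own rules from the GUI; the interface names, the LAN range and the CNC PC’s reserved address are constructed placeholders.

```pf
# Added example (not the AE's own rules): default-deny outbound filtering
# on OpenBSD pf. Interface names and addresses are constructed placeholders.
ext_if  = "em0"                  # WAN
lan_if  = "em1"                  # trusted LAN
lan_net = "192.168.10.0/24"
cnc_pc  = "192.168.10.50"        # CNC controller, pinned with a DHCP reservation

udp_out = "{ 53, 123 }"          # DNS, NTP
tcp_out = "{ 25, 80, 443 }"      # SMTP, HTTP, HTTPS

set skip on lo

# Default deny, logged: during the "keep a close eye on traffic" period the
# log shows exactly which business application still needs a rule.
block log all

# Hide the LAN behind the WAN address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Exception first. "quick" ends rule evaluation, so none of the pass rules
# below ever applies to the CNC PC and it gets no Internet access at all.
block in log quick on $lan_if inet from $cnc_pc to any

# The baseline ports from the text, for everyone else. Traffic is passed
# both where it enters (LAN side) and where it leaves (WAN side) so the
# outcome does not depend on the state policy in use.
pass in  quick on $lan_if inet proto udp from $lan_net to any port $udp_out
pass in  quick on $lan_if inet proto tcp from $lan_net to any port $tcp_out
pass out quick on $ext_if inet proto udp from $lan_net to any port $udp_out
pass out quick on $ext_if inet proto tcp from $lan_net to any port $tcp_out

# The firewall's own traffic (its DNS forwarder, NTP, updates).
pass out quick on $ext_if inet from ($ext_if) to any
```

The default-allow alternative keeps the same shape: replace `block log all` with a pass rule and put a `block out log quick on $ext_if proto tcp from $lan_net to any port { ... }` ahead of it, filled in with the port list from Figure 4. Services the firewall provides to the LAN itself (DHCP, for instance) are outside the scope of this fragment and need their own rules.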
If you have more than one WAN (and more and more businesses do these days) then you will need to prioritize your rules for WAN 1 and WAN 2. The AE offers the option for you to have some traffic go over one WAN and other traffic over the other, as is often the case with VOIP systems. As an example, in the case of VOIP you will want the VOIP traffic to travel over the T1 line but the rest of your Internet traffic to travel over the less expensive, higher bandwidth cable line. Failover is also an option, as is hybrid. You can configure all of your rules to choose WAN 1 if it can and WAN 2 if necessary; this is failover. In hybrid you set up some of your rules to fail over and others not to. You may choose this route due to bandwidth concerns should the higher bandwidth line be the one to fail. Allowing too much traffic on the lower bandwidth connection could cause more problems than it solves.
TIP: It does take time for the AE to fail over. Calyptix says about 20 seconds. It also takes time for it to fail back, another 20 seconds or so depending on how busy it is. If you have a WAN link that is going up and down this can result in a mess, and it may be better to unplug that WAN connection until it has stabilized.
TIP: In the case of failover, be sure to have the proper public DNS entries in place. Otherwise, if the WAN link that your MX record points to is down and the AE fails over but there’s no MX record for the secondary location, your mail will still fail to deliver.
Finally, you can also configure load balancing. Calyptix provides an example of load balancing in this article: https://online.calyptix.com/node/417. Load balancing is a somewhat manual process whereby you are able to specify which traffic you want to go over which lines. In this way it is similar to the hybrid approach. The main difference is the reason why you are implementing it. I have a client that has a sizable CAD department. The CAD department has demands for most of the bandwidth use. A cable line was installed to provide them the best possible throughput. This line is used by the rest of the company as failover only, thus providing the CAD department unfettered access to the best bandwidth except in the case of an emergency.
Figure 5 shows a couple of rules created specifically for CAD computers.
Figure 5: Rules created to provide the higher bandwidth WAN connection to CAD PCs.
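The “some traffic over one WAN, other traffic over the other” approach described above maps onto pf’s policy routing. The following is an added illustration in OpenBSD pf, not Calyptix’s configuration or the rules behind Figure 5; interfaces, gateways, the PBX address and the CAD workstation addresses are constructed, and the `route-to (interface gateway)` form is the older pf syntax, so check pf.conf(5) on your release. Failover itself is not shown: pf has no link monitor of its own.

```pf
# Added example (not the AE's own rules): policy routing for two WANs on
# OpenBSD pf. Names, addresses and gateways are constructed placeholders.
wan1_if  = "em0"                 # T1, the system default route
wan1_gw  = "203.0.113.1"
wan2_if  = "em2"                 # cable line
wan2_gw  = "198.51.100.1"
lan_if   = "em1"
lan_net  = "192.168.10.0/24"
voip_pbx = "192.168.10.5"
table <cad_pcs> { 192.168.10.60, 192.168.10.61 }   # DHCP-reserved CAD workstations

# Each WAN gets its own NAT so replies come back on the line they left on.
match out on $wan1_if inet from $lan_net to any nat-to ($wan1_if)
match out on $wan2_if inet from $lan_net to any nat-to ($wan2_if)

block log all

# Local traffic never needs a WAN.
pass in quick on $lan_if inet from $lan_net to $lan_net

# VoIP is forced onto the T1; CAD workstations are forced onto the cable line.
pass in quick on $lan_if inet from $voip_pbx to any route-to ($wan1_if $wan1_gw)
pass in quick on $lan_if inet from <cad_pcs> to any route-to ($wan2_if $wan2_gw)

# Everyone else follows the default route (the T1).
pass in quick on $lan_if inet from $lan_net to any

# Packets the routing table would send out the wrong WAN are steered back
# to the interface whose address they carry, so each line stays consistent.
pass out quick on $wan1_if inet from ($wan2_if) to any route-to ($wan2_if $wan2_gw)
pass out quick on $wan2_if inet from ($wan1_if) to any route-to ($wan1_if $wan1_gw)
pass out quick on $wan1_if inet
pass out quick on $wan2_if inet
```

With only the first two `route-to` rules changed, the same ruleset expresses the VOIP case (PBX on the T1, everything else on cable) or the CAD case (CAD on cable, everything else on the T1); what stays fixed is that a host’s traffic is pinned to one line by its source address, which is why the DHCP reservations matter.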
Configure Remote Management
Limiting the remote management of your firewall is just as critical as limiting the remote management of your servers or securing RDP access. Figure 6 shows the available options. Two of the options that you should definitely implement are to choose Allow only these hosts to manage the AccessEnforcer and Use a blank login page.
The AE allows you to restrict remote management down to only IP addresses that are known to you. In this box you should enter the IP addresses from which you want to allow administration. Calyptix also offers the option of using a blank login page. The trick to thwarting hackers is to provide them with as little information as possible. When you use a blank login page you make it just that much more difficult for the bad guys to determine what they are trying to break into. Anytime you can make it more difficult you’ve increased the likelihood significantly that they will go elsewhere and bother someone less secure.
Figure 6: The remote management access settings. Choosing the right settings here can decrease the likelihood of mismanagement of your firewall.
Firewall and Intrusion Protection
The Access Enforcer contains an excellent intrusion prevention and protection system. Under the hood it uses Snort. Calyptix has made the configuration and management simple to introduce and manage. The first step in the process is to ensure that your firewall is configured. It ships pre-configured, but you should verify against Figure 7 that everything is enabled. Under the Block Policy setting is an option to notify the source that you blocked them. While this might seem like a neighborly thing to do, in practice it is just poking the bear. Poke the wrong bear and you could end up with a denial of service attack against you or worse. Leave the default setting of Drop silently in place. Likewise, leave Filtering Optimization set to Normal unless instructed by Calyptix support to change it. Under Filtering Options all of them should be selected.
Figure 7: The firewall settings shown here come configured out of the box and should be left in place.
The Access Enforcer offers a staged implementation of Intrusion Prevention. Calyptix recommends that you start with the least protective setting and work your way up, whitelisting the URLs and IPs that the client requires as you go along. As a busy IT consultant I find this difficult to do. While the staged process prevents a lot of blocking from occurring at once, it also drags out the final implementation, potentially annoying the end user each time you increase the protection level, and leaves the possibility that you will get distracted and leave the configuration in a less protected state than desired.
My recommendation is to take a two-stage approach instead. Stage 1 is to enable Intrusion Detection with Dynamic Blacklisting. Once you have finished tweaking the rules and whitelisting the websites that your client needs, implement Stage 2, which is to enable Intrusion Protection with Dynamic Blacklisting as in Figure 8. When you move to Stage 2 you should not need to make any further configuration changes.
Figure 8: Intrusion Prevention isn’t enabled by default. Configure to the highest level as quickly as possible to reduce end user pain.
The trickiest part of configuring intrusion protection is to know what it looks like to your clients, so that when they call you immediately know what to do. From the user perspective it looks like the website is having a problem. They were able to get to it before but now they can’t, and later they can again. This is an indication that the IP address has been placed on the Dynamic Blacklist and you need to whitelist it (Figure 9). Or they were on the home page but as soon as they attempt to log in they get page not found. In this case you’ll need to add the domain to the URL whitelist (Figure 10). These are typical of what the end user is going to report to you. It’s best to let them know beforehand that you are about to implement some new security on the firewall and that they should report any issues with reaching or using a website to you immediately. You’ll want to catch the website while it is still listed on the Dynamic Blacklist. An IP address will only stay on the dynamic blacklist for a short while.
Figure 9: Adding IPs to the static whitelist is needed when the IP address lands in network alerts.
Figure 10: Whitelisting a domain is needed when parts of a webpage work but others don’t.
If you find that certain Intrusion Rules are creating a problem for the users then the rules themselves can be deleted. We have rarely had to do this, but it has happened. Initially we had some issues with mobile phones triggering the NMAP rules and so we had to whitelist those; however, recently this has not been necessary. If I suspected a rule was causing a problem, I would first call Calyptix support and verify that disabling the rule is the best thing to do. The rules are there to protect your network, so disabling them should not be done except in extreme circumstances. (Figure 11)
Figure 11: Intrusion Rules can be disabled but do it as a last resort.
One of my favorite features of the Access Enforcer is its ability to protect unpatched systems. It does this through Snort rules by the Sourcefire Vulnerability Research Team (VRT). These rules contain prevention signatures based upon published information on vulnerabilities. This is one way that you can help protect those PCs that have missed patches. Calyptix provides a default set of rules, but you will need to subscribe and get your own Oinkcode in order to keep them updated. Calyptix has done all of the programming work; all you need is the code.
To get your Oinkcode visit http://www.snort.org and create an account. Now that you are a registered user you can generate an Oinkcode and subscribe. To generate an Oinkcode go to My Account, Subscription and Oinkcodes. From here you can sign up for a subscription that, for a fee, will provide continuous updates. Or you can generate an Oinkcode as a registered user only and get updates on a 30 day delay. Once you have your Oinkcode, enter it into the Access Enforcer on the Signature Sources page, as shown in Figure 12.
Figure 12: Once you enter your Oinkcode you’ll see the Sourcefire VRT Rule entry under Current Sources.
I have found that for most small businesses the 30-day delay code is sufficient, but in higher security environments you should subscribe. The subscription will run $499 per year for each Access Enforcer.
Protecting Mail Servers
The Access Enforcer offers a full suite of anti-spam features all of which are detailed and explained very well in https://online.calyptix.com/hb_smtp_filter. These documents will walk you through configuring the spam filter, setting user quarantine pages and managing the system. It is a very complete system and will even bag mail for you should your mail server be unreachable.
The settings that I’d like to point out are applicable to those that will not be using the Access Enforcer for anti-spam services but rather will be hosting those services off-site. These are found on the Setup/General/Advanced page. This page contains settings that don’t apply to everyone and that Calyptix has not yet built into the other configuration pages. In the SMTP section there are a couple of nice options that you’ll want to configure. In the Only set these comma-separate IP address make outbound SMTP connections: box you should list the internal IP address of your mail server(s). This will tell the Access Enforcer to allow only those machines to send mail and no others. This will prevent any infected PC from suddenly sending spam email out from your network and prevent your client from getting blacklisted. (See Figure 13 for an example.)
Figure 13: SMTP security settings allow you to tell the AE which servers’ mail comes from.
In the box, Allow these CIDRs and IP addresses to entirely bypass the SMTP proxy you should enter in the IP address ranges used by your external spam filtering service. Then check the Accept mail only from the above networks box. These settings tell the Access Enforcer to only accept mail from your spam filtering service.
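Seen together, the port-forwarding lock, the remote-management host list and the two SMTP boxes are the same idea: a service is reachable only from sources you have named. This added OpenBSD pf example (not Calyptix configuration, and not what the AE generates from these pages) shows that pattern for the three inbound cases plus the outbound SMTP restriction. The addresses, the table names, the terminal server and the spam-filter ranges are constructed placeholders; the real <spam_filter> contents come from whatever ranges your filtering provider publishes.

```pf
# Added example (not the AE's own rules): published services limited to
# known sources, and outbound SMTP limited to the mail server, on OpenBSD pf.
# Addresses and table contents are constructed placeholders.
ext_if    = "em0"
ts_server = "192.168.10.20"                          # terminal server behind the RDP forward
table <mail_servers> { 192.168.10.10 }               # internal mail server(s)
table <admin_hosts>  { 198.51.100.7, 198.51.100.8 }  # the addresses you administer from
table <spam_filter>  { 203.0.113.0/24 }              # your offsite spam service's ranges

block log all

# Port forward with the "lock" applied: the RDP forward exists only for
# <admin_hosts>; everyone else hits the default block and sees a closed port.
pass in quick on $ext_if inet proto tcp from <admin_hosts> to ($ext_if) port 3389 rdr-to $ts_server

# "Allow only these hosts to manage": the management UI answers only to the
# same list, so outsiders never reach a login page at all.
pass in quick on $ext_if inet proto tcp from <admin_hosts> to ($ext_if) port 443

# "Accept mail only from the above networks": inbound SMTP is forwarded only
# when it arrives from the spam filtering service.
pass in quick on $ext_if inet proto tcp from <spam_filter> to ($ext_if) port 25 rdr-to <mail_servers>

# Only the listed mail servers may make outbound SMTP connections, so an
# infected PC cannot send directly and get the client's public address
# blacklisted. The explicit block is what matters on a default-allow
# ruleset; here it also logs the attempts, which is how you find that PC.
block out log quick on $ext_if inet proto tcp from !<mail_servers> to any port 25
pass  out     quick on $ext_if inet proto tcp from  <mail_servers> to any port 25
```

Because every pass rule names a source table, changing who is allowed in is a table edit rather than a rule change, which is exactly the workflow the AE’s allowed-host boxes give you in the GUI.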
Reports and Web Filtering
As with most products, the default report settings are not going to be interesting to your clients. You need to create a customized report for your client. But before you start customizing the report you need to tell the AE to gather website data. In the Web Filter Settings box use the Monitor: radio button as in Figure 14.
Figure 14: Setting your AE to log web requests enables reports to show websites visited by user.
Notice that this option says that it will log web requests while proxying. The AE is a Proxy. As such it will be caching frequently requested content. I have never had to use it but Calyptix supplies a button on this page that will clear the cache for you should the need arise. (Figure 15)
Figure 15: The AE is also a proxy. If you need to clear the proxy cache there’s a button available in the Web Filtering section.
If you have not implemented Active Directory integration then your reports will be recorded only by IP address. If you have implemented it then you’ll get the logged-on user’s name along with the website data. The AE contains many advanced features for broad and fine-grained web filtering. Great documents already exist for implementing those features here: https://online.calyptix.com/hb_web_filter, so we aren’t going to dig deep into that topic.
On the Reports tab, click Add a Report Schedule from the menu on the left side of the screen. Then give your report a name. Next you will select the data that you’d like the report to contain. To create a report that will allow management to review the website activity of employees, select the items shown on the right: Web Traffic Downloaded by Website, Web Traffic Downloaded by User/IP and Blocked Web Traffic by User/IP. Finally, choose a time period, decide whether you want to generate individual reports or just a group report, and choose who you want to send the reports to. In the PDF setting choose to include Graphs and Show all of the data if you want a list of all websites.
This generates an individual report with at-a-glance graphs (Figure 16) and web details (Figure 17) for each user and IP address in the company. You might be tempted to only generate reports for usernames, but generating a report for IPs too will capture data from non-domain joined machines, BYOD, mobile phones and guests, thus giving you a full picture.
Figure 16: At-a-glance graphics of an individual user’s activity for the reporting week
Figure 17: Website details for an individual user
Configuring Additional Networks
Another of my favorite features of the AE is its ability to segregate traffic into different networks. In the not too distant past very few of our clients had the need for more than one network in their small businesses. But now with the advent of BYOD all of them require trusted and untrusted LANs. Included in BYOD are guest wireless connections and employee owned smartphones, so if for a moment there you thought that your clients aren’t involved in the BYOD revolution because they are still purchasing PCs and laptops for office users, you might need to rethink. Every business is getting requests for Internet access by untrusted devices.
On the right we see a very common example of a guest wireless setup. Plugged into the NIC2 port of the AE is a wireless router that is used for guest BYOD users. In this case the guests include employees with smartphones and guests of the business. The AE provides DHCP and DNS and prevents devices on this untrusted LAN from accessing the trusted LAN.
Each of these LANs can have their own reports, web filtering policy restrictions, etc. You may find that you need additional LANs, and you can make as many as the AE you’ve purchased has available ports.
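The guest wireless setup above, written as an added OpenBSD pf example rather than the AE’s own configuration: the guest LAN on its own port gets DHCP and DNS from the firewall and web access out, and is blocked from the trusted LAN. Interface names and address ranges are constructed placeholders.

```pf
# Added example (not the AE's own rules): an untrusted guest LAN on a
# dedicated port, isolated from the trusted LAN, on OpenBSD pf.
# Interface names and ranges are constructed placeholders.
ext_if    = "em0"
lan_if    = "em1"
guest_if  = "em2"                  # the port the guest wireless router plugs into
lan_net   = "192.168.10.0/24"
guest_net = "192.168.20.0/24"

block log all
match out on $ext_if inet from { $lan_net, $guest_net } to any nat-to ($ext_if)

# Guests may talk to the firewall itself only for DHCP and DNS...
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto udp from $guest_net to ($guest_if) port 53

# ...and must never reach the trusted LAN or the firewall's WAN address.
# Logged, so a guest device probing the office network shows up.
block in log quick on $guest_if inet from $guest_net to { $lan_net, ($ext_if) }

# Whatever is left (the Internet) gets web access only.
pass in  quick on $guest_if inet proto tcp from $guest_net to any port { 80, 443 }
pass out quick on $ext_if   inet proto tcp from $guest_net to any port { 80, 443 }

# The firewall's own traffic (resolving guests' DNS queries upstream, NTP).
pass out quick on $ext_if inet from ($ext_if) to any
```

The order matters: the block toward `$lan_net` sits before the web pass rule, and both use `quick`, so a guest connecting to port 80 on an office server is dropped rather than matched by the “to any” web rule. Per-LAN web filtering and reports are layered on top of this by the AE; the segmentation itself is just these few rules.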
As we’ve seen, the AE has many different security settings. What we’ve gone through in this document is what I consider to be the baseline setup. Individual clients may have needs for more fine-grained control, but the items in this paper provide a good foundation upon which you can configure those additional controls.