Introduction
Package Contents
Factory Default Settings
  Web Admin Console
  Port Configuration
    IPv4 Configuration
    IPv6 Configuration
  Text Based Administration Console
  SSH
Deployment modes
Deployment Scenarios
  Deployment wizard
  Bridge
    When to use Bridge Mode:
  Scenario to place Cyberoam in bridge mode
    Before Deployment
    After Deployment
  Gateway
    When to use Gateway Mode
  Scenario to place Cyberoam in Gateway Mode
    Before Deployment
    After Deployment
  Mixed Mode (Gateway & Bridge)
  As a Proxy
    Web Proxy Configuration
    Under Parent proxy setting
    When do we require Cyberoam to be configured in Web proxy mode?
    Web Proxy Deployment Scenario
  Link Aggregation
    LACP
    LAG Modes
    Scenario
Registration & Subscription
CyberoamOS Update
Labs
  Lab #1 Factory Reset
    Web Admin Console of the appliance
    CLI of Appliance
  Lab #2 Deployment in Bridge Mode (Optional)
  Lab #3 Deployment in Gateway Mode
  Lab #4 Registration & Subscription
  Lab #5 Upgrade (Optional)
Deploying Cyberoam
Cyberoam Certified Network & Security Professional
Introduction
After knowing the basics of the Cyberoam appliance and the entire product family, this module shows how Cyberoam can be deployed in various network scenarios.
Package Contents
The Cyberoam package, when opened, contains the following:
One Cyberoam Appliance
One Serial Cable (Null-Modem Cable)
One Straight-through Ethernet Cable
One AC Adapter Cable
One Crossover Ethernet Cable
One Cyberoam Quick Start Guide
Documentation CD
Rack Mounting Brackets (Optional)
Factory Default Settings
The Cyberoam appliance, when taken out of the box, has the following settings.
Web Admin Console
On the Web Admin Console, two username/password combinations are activated:
Username/Password : admin/admin (this is the device administrator account)
The password for this account should be changed immediately on booting the appliance
This account cannot be deleted
Username/Password : cyberoam/cyber (this is the database administrator account)
The password for this account should be changed immediately on booting the appliance
This account can be deleted if required.
Port Configuration
When first booted, the appliance has the following configuration on its ports.
IPv4 Configuration
Port A (LAN) – IP Address : 172.16.16.16/24
This port has the DHCP Server service running
Port B (WAN) – IP Address : Unassigned
This port has the DHCP Client service running
Port C (DMZ) – IP Address : 10.10.1.1/24
IPv6 Configuration
By default, Cyberoam does not have any IPv6 address assigned.
Dual stack implementation allows IPv6 as well as IPv4 address on each port.
Text Based Administration Console
When opened, the text-based administration console prompts for the administrator password (the password for the account “admin”).
SSH
When an SSH connection is made to the appliance, it prompts for a password. Here, the only password that can be used is the password for the admin account.
Deployment modes
A Cyberoam appliance can be deployed in two modes from the wizard: gateway mode and bridge mode. The factory default is always gateway mode.
In bridge mode the appliance is transparent to all traffic, yet it can still monitor and scan that traffic (monitoring and scanning are explained in the modules to follow). In bridge mode, features such as DMZ, custom zones, multiple WAN links, load balancing, VPN and High Availability are not available. LAN Failsafe is supported exclusively in bridge mode; in gateway mode, Cyberoam does not support LAN Failsafe.
Note: High Availability and LAN Failsafe are features provided by the Cyberoam appliance in different modes, but they have similar functionality. The major function of both features is to maximize network availability.
Deployment Scenarios
This section presents the various scenarios in which a Cyberoam appliance can be deployed. In practice each scenario is different and needs to be understood before placing the appliance. It is always recommended that major changes are not made to the customer’s network unless there is an actual requirement to do so.
Deployment wizard
All Cyberoam appliances come with a built-in wizard for ease of deployment. The wizard can be started from the dashboard by logging into the web admin console of the Cyberoam appliance. The screen below shows the wizard button on the dashboard.
On clicking the wizard button, a new browser window opens which guides the user through the deployment scenario. The Cyberoam appliance can be deployed in bridge mode or gateway mode. By default, the Cyberoam appliance is always in gateway mode.
Shown above is the first screen of the deployment wizard. On clicking the start button, the wizard asks for the deployment mode.
Note: The wizard option can be used the first time Cyberoam is deployed in the network. On running the wizard again, all configuration and settings on the Cyberoam appliance will be flushed.
Bridge
Cyberoam, when deployed in bridge mode, acts as a transparent bridge for the networks.
When to use Bridge Mode:
Bridge mode provides the ideal solution for networks that already have an existing firewall or router acting as a gateway, where the customer does not want to replace the firewall but still wishes to add security through Cyberoam’s deep-packet inspection, Intrusion Prevention System services, Gateway Anti Virus and Gateway Anti Spam. If you do not have Cyberoam security module subscriptions, you may register for a free trial. This mode of deployment is achieved without changing the network schema of the organisation’s internal infrastructure.
On choosing bridge mode in the deployment wizard, it shows the bridge mode scenario and diagram.
From this screen onwards, the bridge mode configuration starts. On clicking the next icon it shows the bridge pair highlighted on the appliance model. This is important as we know that in the bridge mode, Cyberoam’s LAN Failsafe feature is applicable. So it is appropriate to choose the corresponding bridge pair from the appliance and model documentation.
After selecting the port pair (LAN & WAN) for the bridge, on the next screen Cyberoam will ask for the network parameters to be entered.
Enter the network parameters like IP Address and Subnet mask of Cyberoam appliance, Gateway name (ISP Name) and IP Address of the gateway. Lastly enter the primary and secondary DNS and click on next arrow.
Cyberoam will then ask for the Internet access configuration, which applies default policies (these policies are discussed in a later module).
A Monitor Only policy monitors all traffic and does not block any traffic.
The General Internet Policy blocks all unhealthy web traffic such as porn. It also scans the traffic for viruses and malware.
The Strict Internet Policy is the same as the General Internet Policy, except that each user has to be authenticated by the Cyberoam device to access the Internet.
After this configuration, the mail notification configuration screen of the wizard appears.
Here, enter the mail settings for the primary email address that the Cyberoam appliance uses for reporting and for alerting the network administrator.
Lastly, the date and time can be configured manually or from NTP servers. After this step, the Cyberoam deployment wizard displays a summary page.
The configuration overview is shown on this page. At this point the configuration is complete, and you will have to wait until the Cyberoam appliance configures itself and gives the Successfully Configured message. From this point onwards, the Cyberoam appliance is configured as an L2 bridge and can be accessed from 10.10.10.1 in this case.
Scenario to place Cyberoam in bridge mode
Before Deployment
After Deployment
Gateway
A gateway is a network point that acts as an entry point to another network or subnet to access resources. In enterprises, the gateway is the appliance that routes traffic from a workstation to the outside network. In homes, the gateway is the ISP that connects the user to the Internet.
Cyberoam, when deployed in gateway mode, acts as a gateway for the networks to route traffic. Gateway mode provides an ideal solution for networks that already have an existing firewall, plan to replace it, and wish to add security through Cyberoam’s deep-packet inspection, Intrusion Prevention System services, Gateway Anti Virus and Gateway Anti Spam. If you do not have Cyberoam security module subscriptions, you may register for a free trial.
When to use Gateway Mode
The Cyberoam appliance needs to be deployed in gateway mode when:
You want to replace your existing firewall or router acting as a gateway for your network with Cyberoam
You want your gateway to act as a VPN concentrator
You want redundancy in your network by utilizing the multilink and HA (High Availability) features of Cyberoam
You want to configure a separate DMZ zone to protect servers from the LAN and WAN zones.
NOTE: All the features except Hardware bypass (LAN bypass) are available in Gateway mode.
To start the gateway mode deployment configuration, start the wizard and click on gateway.
On the next screen, you will be asked for the zone and network configuration.
As we move ahead, each single port is highlighted in yellow and the configuration of the port is made
On clicking the next arrow, the wizard now displays the internet access configuration page, where we can select from Monitor only, General Internet Policy, or Strict Internet Policy.
Next, the wizard asks for the email settings.
In the last step, the wizard now asks for date and time configuration
Lastly, the wizard shows the configuration summary page.
On this screen, click finish and wait until the wizard configures Cyberoam in gateway mode.
Scenario to place Cyberoam in Gateway Mode
Before Deployment
After Deployment
Mixed Mode (Gateway & Bridge)
Mixed mode is a combination of Gateway and Bridge deployment. In a normal bridge scenario only one pair can be bridged; in mixed mode, however, a pair can be bridged and the other ports can be left to work in gateway mode, or more pairs can be created. The screen below depicts the mixed mode configuration from the GUI. Navigate to Network -> Interface -> Interface -> Add Bridge-Pair
An IPv6 bridge can be configured as shown in the diagram below.
As shown in the diagram above, the interface is configured with IPv6 address DEAD:FACE::1/64.
As a Proxy
To use Cyberoam as a Web proxy server, configure the Cyberoam LAN IP address as the proxy server IP address in your browser settings and enable access to Web proxy services from the Local ACL section.
Web Proxy Configuration
This configuration is applicable only when Cyberoam is configured as a Web proxy. Enter the port number to be used for the Web proxy and click Save.
Under Web Proxy Trusted Ports Setting, click Add to add the trusted ports. When deployed as a Web proxy, Cyberoam allows access only to sites hosted on standard ports. To allow access to sites hosted on non-standard ports, you have to define those non-standard ports as trusted ports.
Under Parent proxy setting
Click ‘Enable Parent Proxy’. If enabled, all HTTP requests will be sent to the HTTP parent proxy server via Cyberoam. A parent proxy needs to be configured when the network allows web traffic only via a proxy instead of a direct gateway.
When do we require Cyberoam to be configured in Web proxy mode?
You would like to replace existing software / appliance based proxy solution
You would like to use Cyberoam Identity based features along with Content Filtering / Bandwidth Management / Anti-virus / User based Reporting.
You want to use Cyberoam as a drop in solution in proxy mode.
You don’t want to make any major changes to your existing proxy setup
To configure the appliance in Web Proxy mode, navigate to System -> Configuration -> Web Proxy
By default, Cyberoam works on web proxy port 3128. To configure a parent proxy on the appliance, go to System -> Configuration -> Parent Proxy
Web Proxy Deployment Scenario
Parent Proxy Deployment Scenario
Link Aggregation
Link Aggregation Group (LAG) is a method by which multiple network connections can be combined into a single connection. It is also known as trunking, NIC teaming, NIC bonding and EtherChannel. LAG is mostly used for handling LAN traffic.
LACP
Link Aggregation Control Protocol (LACP) is part of an IEEE specification that groups two or more physical links into a single logical link. LACP must be enabled at both ends of the link to be functional. The appliance supports LAG to combine multiple physical links into a single logical link so that bandwidth can be increased and automatic failover is available.
LAG Modes
Active-Backup
Active-Backup is the mode which provides automatic link failover. In this mode a single slave (member of the LAG) remains active. If the active slave fails, another slave in the LAG becomes the active slave.
LACP (802.3ad)
This mode provides load balancing and automatic failover. In this mode all the links are used for forwarding traffic.
Scenario
Increase bandwidth of the LAN and DMZ zones by making links redundant.
Registration & Subscription
Registration is the process that creates a customer account in the Cyberoam central registration database. Registration is mandatory; without it, subscription modules cannot be subscribed. Registration gives the following benefits:
8 x 5 Support as per country time zone
Gateway Anti-Virus
Gateway Anti-Spam
Web & Application Filter
Intrusion Prevention System (IPS)
Access of customer my account for
Support ticket management
Subscription management
Customer my account can be accessed from: http://customer.cyberoam.com
Multiple Cyberoam appliances can be registered using the same customer account so that the customer can manage all support tickets under one customer account.
CyberoamOS Update
Cyberoam releases a new operating system for its devices at definite intervals. It is always recommended that the customer install the upgrade on the appliances as and when a new operating system is released. The update process works in two steps.
First, the customer is required to download the CyberoamOS update file from the customer’s account at customer.cyberoam.com. Log in with the username and password provided when the appliance was registered.
Next, upon downloading the CyberoamOS file, upload the file to the appliance by navigating to System -> Maintenance -> Firmware and clicking the upload firmware button.
Click to specify the location of the firmware image or browse to locate the file. You can simply upload the image, or upload and boot from the image. The uploaded firmware becomes active only after the next reboot. The existing firmware will be removed and the new firmware will be available.
Note: In case of Upload & Boot, the firmware image is uploaded and the appliance is upgraded to the new version, closes all sessions, restarts, and displays the login page. This process may take a few minutes as it also migrates the entire configuration. Changes made after moving to the new firmware won’t be available in the previous firmware.
Once the firmware is uploaded, the appliance undergoes a reboot and runs the latest build.
Labs
Lab #1 Factory Reset
Factory Reset will remove the entire user configuration of your Cyberoam appliance and boot the appliance with factory default settings. It is therefore recommended to take a backup of the appliance before a factory reset. There are 2 ways of performing a Factory Reset on the appliance:
Web Admin Console of the appliance
Access the Web Admin Console as a user with the “Administrator” profile
Go to System -> Maintenance -> Firmware; the page displays the list of available firmware versions downloaded. A maximum of two firmware versions are available simultaneously in Cyberoam, and one of the two is active, i.e. that firmware is deployed.
Click on the icon which you want to boot with factory reset settings as shown below:
Boot with factory default configuration – Appliance will be rebooted and will load default configuration. Entire configuration will be lost if you choose this option.
Click on “Boot with Factory default configuration” and it will ask you to take a backup of your configuration.
Note: All the configurations will be removed after factory reset. Change the IP address of your machine to one in the 172.16.16.0/24 subnet to access the Web Admin Console of Cyberoam over port A, which is accessible through the default IP address 172.16.16.16.
CLI of Appliance
Access the Cyberoam CLI using a serial connection. Factory reset from the CLI requires physical connectivity between the appliance and the Management Console. Hence, it can be done using a serial connection only, and not over remote sessions like Telnet and SSH. You can connect a serial console to the serial port of any of the Cyberoam appliance models.
Once the connection is successfully established, specify the Cyberoam CLI password, i.e. “admin”, at the prompt, press Enter and you will get the following screen.
Choose Option 5 – Cyberoam Management and it will lead you to sub-menus asking about the factory reset option.
Choose option 3 - Reset to Factory Defaults to factory reset the appliance. Press ‘y’ to reset the appliance to factory default.
The appliance will reboot and come up with factory default settings.
In a case where the passwords for the CLI and GUI are forgotten, a serial connection can be made to the appliance and, at the password prompt, type “RESET” in upper case without the quotes. This will show the menu below.
On pressing 1, all the configuration will be reset, but there will be no changes on the signature and report databases.
On pressing 2, all configuration and signatures will be flushed, but there will be no changes on the report database.
On pressing 3, all configuration, signatures, and reports will be flushed from the appliance.
Lab #2 Deployment in Bridge Mode (Optional)
By default, all Cyberoam appliances are configured to work in gateway mode. We already know the scenario in which an appliance works in bridge mode.
Connect port A of the appliance to your computer using a cross-over cable.
Connect port B of the appliance to the WAN switch using a straight-through cable.
The lab setup should look like the diagram below. Please note that the diagram represents only an individual learner.
Every learner now needs to access their Cyberoam appliance web admin console. The appliance has the following settings:
Port A IP Address is 172.16.16.16/24
By default the DHCP server service is on for Port A, therefore each learner will be assigned an IP address by their Cyberoam appliance. If Cyberoam has not assigned an IP address to the learner’s computer, the learner may change the IP address to one in the range 172.16.16.x/24.
Browse to https://172.16.16.16 and you should see the Cyberoam Web Admin Console login page. Enter the credentials: the username is cyberoam and the password is cyber.
If you cannot log on, verify the following configurations:
Did you plug your computer Ethernet cable into the port A on the appliance? - Deployment can only be performed through port A.
Is the link light glowing on both the computer and the Appliance? – If not, check and replace the cable
Is your computer set to a static IP address of 172.16.16.16 and subnet as 255.255.255.0?
Did you enter correct IP address in your Web browser?
Starting with the configuration: Click the wizard button at the top of the dashboard. This will start the network configuration wizard.
Click start on the network configuration wizard screen and follow the steps listed in the screens below.
Select bridge mode from the options shown on the network configuration wizard window.
The network configuration wizard will now show the zone configuration window, in which the learner selects the ports on which the bridge needs to be created.
After the zones are configured, the network configuration wizard will now show the network configuration window. In this window, we shall enter the IP Address of the bridge, gateway IP Address, and DNS configuration.
After the network configuration, Cyberoam, being a firewall device, will block the traffic from different zones. The wizard gives the option of choosing the policy we wish to apply to the traffic from LAN > WAN. At this point simply select Monitor Only. We will discuss more on the policies in the modules to come.
The following are the three pre-defined policies:
Monitor Only:
  o Allow all outbound traffic without any authentication.
  o No scanning.
  o No content filtering.
General Internet Policy:
  o Allow all outbound traffic without any authentication.
  o Web traffic will be scanned for virus / malware / spyware.
  o Content filtering will be “ON” using the default content filtering policy “General Corporate Policy”, which blocks the following web URL categories: Porn, Nudity, Adult Content, URL Translation Sites, Drugs, Crime and Suicide, Gambling, Militancy and Extremist, Phishing and Fraud, Violence, Weapons
Strict Internet Policy:
  o Block all outbound unauthenticated traffic.
  o Web traffic will be scanned for virus / malware / spyware.
  o All traffic will be scanned by IPS engine.
The next prompt from this window will be the email address settings required to alert the administrator.
Lastly, the network configuration will ask for updating and setting up the time zone. A summary page will be displayed at the end of the configuration and the learner will be required to click finish, to close the window. The Cyberoam appliance will take some time to configure and alert with the completion window.
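Because running the wizard a second time flushes all configuration, it pays to check the chosen mode and the bridge network parameters before typing them in. The following is an added example, not Cyberoam code: the plan layout, the function name and every address other than 10.10.10.1 are assumptions made for illustration, and the feature limits are the ones stated under "Deployment modes" in this module.

```python
"""Pre-flight check of values destined for the deployment wizard.

Added example. The plan dictionary is a hypothetical layout, not a
Cyberoam export format or API.
"""
import ipaddress

# Features each mode cannot provide, as listed under "Deployment modes".
UNAVAILABLE = {
    "bridge": {"dmz", "custom_zones", "multiple_wan_links",
               "load_balancing", "vpn", "high_availability"},
    "gateway": {"lan_failsafe"},
}


def check_plan(plan):
    """Return a list of problems found in a deployment plan (empty = OK)."""
    problems = []

    mode = plan.get("mode")
    if mode not in UNAVAILABLE:
        return [f"unknown deployment mode: {mode!r}"]

    # 1. Requested features that the chosen mode does not offer.
    for feature in sorted(set(plan.get("features", ())) & UNAVAILABLE[mode]):
        problems.append(f"{feature} is not available in {mode} mode")

    # 2. Appliance address and mask (dotted mask or prefix length).
    try:
        iface = ipaddress.ip_interface(f"{plan['ip']}/{plan['netmask']}")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid appliance address or mask: {exc}")
        return problems
    net = iface.network

    # A host cannot sit on the network or broadcast address of an IPv4 subnet.
    if iface.version == 4 and net.prefixlen <= 30 and iface.ip in (
            net.network_address, net.broadcast_address):
        problems.append(
            f"{iface.ip} is the network or broadcast address of {net}")

    # 3. The gateway must be a different host inside the same subnet.
    try:
        gateway = ipaddress.ip_address(plan.get("gateway"))
    except ValueError as exc:
        problems.append(f"invalid gateway address: {exc}")
    else:
        if gateway == iface.ip:
            problems.append("gateway is the same address as the appliance")
        elif gateway not in net:
            problems.append(
                f"gateway {gateway} is outside the appliance subnet {net}")

    # 4. Primary and secondary DNS must parse and must differ.
    seen = []
    for key in ("dns_primary", "dns_secondary"):
        try:
            server = ipaddress.ip_address(plan.get(key))
        except ValueError:
            problems.append(
                f"{key} is not a valid IP address: {plan.get(key)!r}")
            continue
        if server in seen:
            problems.append(f"{key} repeats {server}; no fallback resolver")
        seen.append(server)

    return problems


# Constructed sample plans. Only 10.10.10.1 comes from this module; the mask,
# gateway and DNS addresses are made up for the example.
GOOD_PLAN = {
    "mode": "bridge",
    "features": ["lan_failsafe"],
    "ip": "10.10.10.1",
    "netmask": "255.255.255.0",
    "gateway": "10.10.10.254",
    "dns_primary": "10.10.10.53",
    "dns_secondary": "10.10.10.54",
}

BAD_PLAN = dict(
    GOOD_PLAN,
    features=["vpn", "lan_failsafe", "dmz"],  # VPN and DMZ need gateway mode
    gateway="10.10.11.1",                     # not in 10.10.10.0/24
    dns_secondary="10.10.10.53",              # same as the primary
)

if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        issues = check_plan(plan)
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The same function accepts an IPv6 bridge address such as DEAD:FACE::1 with the prefix length 64 supplied in place of the mask.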
Lab #3 Deployment in Gateway Mode
Connect port A of the appliance to your computer’s Ethernet interface using the crossover Ethernet cable.
Connect port B of the appliance to the switch for WAN connectivity using the straight Ethernet cable.
1. Connect to the web admin console on 172.16.16.16.
2. Click the Wizard button on the top right of the Dashboard to start the Network Configuration Wizard and click Start.
3. When the network configuration window appears, click start.
4. On the next screen, network configuration wizard will be displayed where we will select the gateway mode.
5. In the next screens to follow, the network configuration wizard will run. This wizard allows us to configure each port on the appliance.
6. From the above screen, we can see that the appliance allows us to configure the Port A, however, utmost care has to be taken not to click next until the configuration is done. Most users make a mistake here by clicking next arrow instead of the highlighted next button. In the next screens, we choose the configuration for each port. After configuring all the ports, Internet access configuration wizard is displayed. This wizard allows setting the predefined policies.
7. From the previous lab, we already know which policy is used for which configuration. The role of each policy will be discussed in the modules and labs to follow. For now, the learners can select Monitor Only. Monitor Only puts the Cyberoam appliance into monitor mode; in this mode Cyberoam will not block any traffic, but will still generate reports of all the traffic. The next screen is the mail configuration settings.
8. Lastly, the network configuration will ask for updating and setting up the time zone. A summary page will be displayed at the end of the configuration and the learner will be required to click finish, to close the window. The Cyberoam appliance will take some time to configure and alert with the completion window.
Lab #4 Registration & Subscription
To register the Cyberoam appliance, go to customer.cyberoam.com, open a new account if you don’t have one, and register your appliance. Once registration is done, subscribe to all four modules using a trial license. First, we need to identify whether Cyberoam is registered.
1. Go to System -> Maintenance -> Licensing; there you will find “Appliance Registration Information”. It shows the registration information of the appliance. If the appliance is not registered, you will get a message saying so.
2. To register the appliance, go to customer.cyberoam.com. If you haven’t created any account with Cyberoam, click on the register tab on the main page, as shown in the diagram.
3. As soon as you click on the “Registration” tab, you will see the registration page below. Please provide a proper Email ID, password and Appliance key to register the appliance.
4. Please note that:
5. The registration Email ID will be used as the username to access customer my account.
6. If you already have a customer account with Cyberoam, you can provide the registration details to log in to your account, but in the lab create a new customer account.
7. If you already have a customer account, log in with the user credentials and click on the “Register Appliance” button as shown below:
8. Once the appliance is registered, you can verify the registration from System -> Maintenance -> Licensing.
9. If the registration information does not appear automatically, click on the Synchronize button as shown in the screen.
10. To subscribe to any module, go to customer my account and click on the appliance link and click on subscribe
11. The above screen shows how modules can be subscribed.
Lab #5 Upgrade (Optional)
Log in with the username and password provided when the appliance was registered.
Next, upon downloading the CyberoamOS file, upload the file to the appliance by navigating System-> Maintenance -> Firmware and click on the upload firmware button
Click to specify the location of the firmware image or browse to locate the file. You can simply upload the image or upload and boot from the image. The uploaded firmware can only be active after next reboot. The existing firmware will be removed and the new firmware will be available.