1. Introduction
This chapter provides an overview of your CyberGuard SG appliance’s features and
capabilities, and explains how to install and configure your CyberGuard SG appliance.
This manual describes how to take advantage of the features of your CyberGuard SG
appliance, including setting up network connections, a secure firewall and a VPN. It also
describes how to set up the CyberGuard SG appliance on your existing or new network
using the Web Management Console web administration pages.
CyberGuard Gateway Appliances (SG3xx, SG5xx Series)
The CyberGuard SG3xx, SG5xx appliance range (SG300, SG530, SG550, SG560,
SG565, SG570, SG575, SG580) enables your office LAN to share a single, secure
Internet connection.
The CyberGuard SG appliance provides Internet security and privacy of communications
for small and medium enterprises. It simply and securely connects your office to the
Internet, and with its robust stateful firewall, shields your computers from outside threats.
The CyberGuard SG appliance checks and filters data packets to prevent unauthorized
intruders gaining access.
The CyberGuard SG appliance’s NAT/masquerading firewall means that although
computers on your office network can see and access resources on the Internet, all
outsiders see is the CyberGuard SG appliance’s external address.
CyberGuard SG appliance models SG570 and SG575 have an additional Ethernet port
that may be configured as a physically separate DMZ to host servers accessible to the
outside world, in order to further secure your local network. Alternatively, it may be
configured as a second Internet connection to use as a backup Internet connection
should the primary link become unavailable, or to use simultaneously to perform network
load balancing.
The CyberGuard SG appliance provides you with a Virtual Private Network (VPN) server.
A VPN enables remote workers or branch offices to securely access your company
network to send and receive data at a very low cost. With the CyberGuard SG appliance,
you can remotely access your office network securely using the Internet. The
CyberGuard SG appliance can also connect to external VPNs as a client.
The following figure shows how your CyberGuard SG appliance interconnects.
Figure 1-1
CyberGuard Rack Mount Appliances (SG7xx Series)
The CyberGuard SG710/SG710+ is the flagship of CyberGuard’s SG series. It features
multi-megabit throughput, rack-optimized form factor, two fast Ethernet ports and two
4-port fast Ethernet switches as standard, and the option for two additional gigabit ports
(SG710+).
Each of these four (or six with the SG710+) can be configured as a LAN, DMZ or Internet
connection. Dual Internet connections can be configured for use simultaneously for
network load balancing between the links, or to keep one in reserve as a backup Internet
connection should the primary Internet connection become unavailable.
Additionally, the SG710/SG710+ incorporates a powerful web proxy cache to improve
web page response time and reduce link loads. It is designed to integrate seamlessly
with upstream proxy caches provided by ISPs. Bandwidth can be further optimized
through traffic shaping controls, making it excellent for organizations that are power web
users or have many remote offices accessing corporate intranets.
Customers wishing to protect against access to inappropriate web material can purchase
a URL content filtering (UCF) subscription service. This works in conjunction with the
URL proxy embedded in the CyberGuard SG710/SG710+ to increase productivity and
available bandwidth. The combination supports blocking, monitoring, rating and optional
reporting without the need for an on-site URL database.
The CyberGuard SG710/SG710+ features a powerful, fully configurable firewall,
advanced intrusion detection and the ability to actively enforce network security policies
to protect your network.
It provides central sites the capacity to securely connect hundreds of mobile and remote
employees. The SG710/SG710+ includes a high-performance, VPNC-certified VPN
solution for securely connecting branch office networks to the corporate hub using IPsec,
PPTP, L2TP, and other industry-standard protocols. Onboard cryptographic acceleration
ensures excellent VPN throughput.
CyberGuard PCI Appliances (SG6xx Series)
The CyberGuard SG PCI appliance (SG630, SG635) is a hardware-based firewall and
VPN server embedded in a 10/100 Ethernet PCI network interface card (NIC). It is
installed into the host PC like a regular NIC, providing a transparent firewall to shield the
host PC from malicious Internet traffic, and VPN services to allow secure remote access
to the host PC.
This appliance is recommended for:
- Security conscious businesses that wish to separate firewall and VPN issues from
  server/desktop operating systems.
- Businesses that wish to eliminate the "soft center".
- For environments where the integrity of the host server operating environment
  cannot be controlled or trusted.
Unlike other CyberGuard SG appliances, a single CyberGuard SG PCI appliance is not
intended as a means for your entire office LAN to be connected to, and shielded from, the
Internet. Installing a CyberGuard SG appliance in each network connected PC gives it its
own independently manageable, enterprise-grade VPN server and firewall, running in
isolation from the host operating system.
This approach offers an increased measure of protection against internal threats as well
as conventional Internet security concerns. You can update, configure and monitor the
firewall and VPN connectivity of a workstation or server from any web browser. In the
event of a breach, you have complete control over individual PCs' access policies
independent of the host PC's operating system, even if the system has been subverted
and is denying normal administrator access.
All network filtering and potentially CPU-intensive cryptographic processing is handled
entirely by the CyberGuard SG appliance. This has the advantage over the traditional
approach of a host-based personal software firewall and VPN services of not taxing the
host PC's resources.
Bridged mode
By default, the CyberGuard SG PCI appliance operates in bridged mode. This is
distinctly different from the NAT/masquerading behavior of the CyberGuard SG gateway
appliance range.
In bridged mode, the CyberGuard SG appliance uses two IP addresses. Note that these
addresses are both in the same range as the LAN, as no NAT/masquerading is being
performed (see the chapter entitled Firewall for more information).
One IP address is used to manage the CyberGuard SG appliance via the Web
Management Console web administration pages.
The other is the host PC's IP address, configurable through the host operating system
in the same way as for a regular NIC. This is the IP address that other PCs on the LAN see. It
should be dynamically (DHCP) or statically configured to use the same gateway, DNS,
etc. settings as a regular PC on the LAN.
It is possible to configure the CyberGuard SG PCI appliance to run in NAT mode. This is
discussed in the chapter entitled Network Connections.
Secure by default
By default, all CyberGuard SG appliances run a fully secured stateful firewall. This
means that from the PC it is plugged into, most network resources are freely accessible.
However, any services that the PC provides, such as file shares or web services (e.g. IIS),
will not be visible to the general office LAN without further configuration of the
CyberGuard SG appliance. For details on how services on the host PC can be made
available to the general office LAN, see the section Allowing individual ports in bridged
mode at the end of the chapter entitled Firewall.
Document Conventions
This document uses different fonts and typefaces to show specific actions.
Warning/Note: Text like this highlights important issues.
Bold text in procedures indicates text that you type, or the name of a screen object (e.g.
a menu or button).
