Network Connections
DMZ Connection

Note
SG560, SG565, SG580, SG570, SG575 and SG7xx series only.

A DMZ (de-militarized zone) is a physically separate LAN segment, typically used to host servers that are publicly accessible from the Internet. Servers on this segment are isolated to provide better security for your LAN. If an attacker compromises a server on the LAN, then the attacker will immediately have direct access to your LAN. However, if an attacker compromises a server in a DMZ, they will only be able to access other machines on the DMZ.

In other words, by default the CyberGuard SG appliance blocks network traffic originating from the DMZ from entering the LAN. Additionally, any network traffic originating from the Internet is blocked from entering the DMZ and must be specifically allowed before the servers become publicly accessible. Network traffic originating from the LAN is allowed into the DMZ, however, and network traffic originating from the DMZ is allowed out to the Internet.

The section Services on the DMZ Network discusses how to allow certain traffic from the Internet into the DMZ. This step must be performed to allow public access to the servers in the DMZ from the Internet. You may also allow certain network traffic originating from the DMZ into the LAN, however this is not usually necessary.

By default, machines on the DMZ network will have addresses in a private IP address range, such as 192.168.1.0/255.255.255.0 or 10.1.0.0/255.255.0.0. Real world addresses may be used on the DMZ network by unchecking Enable NAT from DMZ interfaces to Internet interfaces under the Advanced tab. See the Network address translation section later in this chapter for further information.

A DMZ segment is established by selecting Direct DMZ or Bridged DMZ from the Configuration pull down box of the network port to be connected to the DMZ.

Direct DMZ

A Direct DMZ connection is configured in the same way as a primary Direct Internet Connection. Setting a Gateway will not usually be necessary. Refer to the section entitled Primary Internet Connection earlier in this chapter for details.
Bridged DMZ

Refer to the section entitled Bridging later in this chapter.

Services on the DMZ Network

Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appliance to allow access to services on the DMZ. There are two methods of allowing access.

If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services. See the section called Packet Filtering in the chapter entitled Firewall.

If the servers on the DMZ have private IP addresses, you need to port forward the services. See the section called Incoming Access in the chapter entitled Firewall.

Creating port forwarding rules automatically creates associated packet filtering rules to allow access. However, you can also create custom packet filtering rules if you wish to restrict access to the services.

You may also want to configure your CyberGuard SG appliance to allow access from servers on your DMZ to servers on your LAN. By default, all network traffic from the DMZ to the LAN is dropped. See the section called Packet Filtering in the chapter entitled Firewall.
Guest Connection

Note
SG560, SG565, SG580, SG570, SG575 and SG7xx series only.

The intended usage of Guest connections is for connecting to a Guest network, i.e. an untrusted LAN or wireless network. Machines connected to the Guest network must establish a VPN connection to the CyberGuard SG appliance in order to access the LAN, DMZ or Internet.

By default, you can configure the CyberGuard SG’s DHCP server to hand out addresses on a Guest network, and the CyberGuard SG’s VPN servers (IPSec, PPTP, etc.) to listen for connections from a Guest network and establish VPNs. Aside from this, access to any LAN, DMZ or Internet connections from the Guest network is blocked.
If you want to allow machines on a Guest network direct access to the Internet, LAN or DMZ without first establishing a VPN connection, then you will need to add packet filtering rules to allow access to services on the LAN or Internet as desired. See the Packet Filtering section in the chapter entitled Firewall for details.

Warning
Caution is advised before allowing machines on a Guest network direct access to your LAN. This may make it a lot easier for an attacker to compromise internal servers. Caution is also advised before allowing machines on a Guest network direct access to the Internet, particularly in the case of Guest wireless networks. This may result in unauthorized use of your Internet connection for sending spam, other malicious or illegal activities, or simply Internet access at your expense.
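The default zone policy described in the DMZ Connection, Services on the DMZ Network and Guest Connection passages above can be written down as a small model, which makes it easy to check what a given flow does before touching the appliance. The following is an added example, not code from the manual or from the CyberGuard SG appliance itself; the zone names, the Rule and Policy classes, and the port numbers used for the Guest network's DHCP and VPN access are this example's own assumptions.

```python
"""
Model of the CyberGuard SG default inter-zone policy described in the manual,
plus the two ways of exposing a DMZ service to the Internet.
Added example; not the appliance's own code. Zone names, classes and port
numbers are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default policy as the manual states it: LAN -> DMZ, LAN -> Internet and
# DMZ -> Internet are open. Everything else (DMZ -> LAN, Internet -> DMZ,
# Guest -> anything) is dropped until a rule allows it.
DEFAULT_ALLOW = {("lan", "dmz"), ("lan", "internet"), ("dmz", "internet")}

# The only traffic a Guest network may send to the appliance itself by default:
# the DHCP server and the VPN servers. Standard ports, assumed for this model.
GUEST_APPLIANCE_SERVICES = {
    ("udp", 67),    # DHCP server
    ("udp", 500),   # IPsec IKE
    ("udp", 4500),  # IPsec NAT traversal
    ("tcp", 1723),  # PPTP control channel
}

# RFC 1918 ranges: the private addresses the manual expects on a DMZ by default.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if the address is in an RFC 1918 private range."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass
class Rule:
    """A packet filtering rule. Fields left as None match anything."""
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None
    port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, src_zone, dst_zone, proto, port, dst_ip) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in (None, proto)
                and self.port in (None, port)
                and self.dst_ip in (None, dst_ip))


@dataclass
class Policy:
    filter_rules: List[Rule] = field(default_factory=list)
    # (public_ip, proto, port, server_ip)
    port_forwards: List[Tuple[str, str, int, str]] = field(default_factory=list)

    def allowed(self, src_zone, dst_zone, proto=None, port=None, dst_ip=None) -> bool:
        """Would the appliance pass this flow under the defaults plus configured rules?"""
        if (src_zone, dst_zone) in DEFAULT_ALLOW:
            return True
        if src_zone == "guest" and dst_zone == "appliance" and (proto, port) in GUEST_APPLIANCE_SERVICES:
            return True
        return any(r.matches(src_zone, dst_zone, proto, port, dst_ip) for r in self.filter_rules)

    def expose_dmz_service(self, server_ip: str, proto: str, port: int, public_ip: Optional[str] = None) -> str:
        """Make one DMZ service reachable from the Internet using the method the manual
        prescribes for the server's address type. Returns the method used."""
        if is_private(server_ip):
            # Private address: port forward it. The manual notes that creating the
            # port forward automatically creates the matching filter rule; mirrored here.
            if public_ip is None:
                raise ValueError("a port forward needs the public address to forward from")
            self.port_forwards.append((public_ip, proto, port, server_ip))
            self.filter_rules.append(Rule("internet", "dmz", proto, port, server_ip))
            return "port_forward"
        # Public address on the DMZ (NAT from DMZ unchecked): only a filter rule is needed.
        self.filter_rules.append(Rule("internet", "dmz", proto, port, server_ip))
        return "packet_filter"


if __name__ == "__main__":
    # Constructed sample: one private-addressed web server on the DMZ.
    p = Policy()
    print("DMZ -> LAN by default:", p.allowed("dmz", "lan"))  # False
    print(p.expose_dmz_service("10.1.0.10", "tcp", 80, public_ip="198.51.100.5"))
    print("Internet -> web server:", p.allowed("internet", "dmz", "tcp", 80, "10.1.0.10"))
```

The model deliberately keeps the DMZ -> LAN direction closed unless a Rule is added explicitly, matching the manual's statement that such access is possible but not usually necessary; adding a broad Rule("dmz", "lan") is the configuration the manual cautions against.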
Machines on the Guest network will typically have addresses in a private IP address range, such as 192.168.2.0/255.255.255.0 or 10.2.0.0/255.255.0.0. For network address translation (NAT) purposes, the Guest connection is considered a LAN interface, i.e. the NAT checkboxes for LAN interfaces under Advanced modify settings for both LAN connections and Guest connections. See the Network address translation section later in this chapter for further information.

A Guest connection is established by selecting Direct Guest or Bridged Guest from the Configuration pull down box of the network port to be connected to the Guest network.

Direct Guest

A Direct Guest connection is configured in the same way as a primary Direct Internet Connection. Setting a Gateway will not usually be necessary. Refer to the section entitled Primary Internet Connection earlier in this chapter for details.

Bridged Guest

Refer to the section entitled Bridging later in this chapter.
Wireless

Note
SG565 only.

The SG565’s wireless interface may be configured as a wireless access point, accepting connections from 802.11b (11 Mbit/s) or 802.11g (54 Mbit/s) capable wireless clients. The wireless interface is configured as a LAN, DMZ, or Guest connection in the same way as any other interface.

Typically, the CyberGuard SG appliance’s wireless interface will be configured in one of two ways: with strong wireless security (WPA) to bridge wireless clients directly onto your LAN, or, if your wireless clients don’t support WPA, with weak wireless security as a Guest connection. The latter requires wireless clients to establish a VPN tunnel on top of the wireless connection to access the LAN, DMZ and Internet, to compensate for the security vulnerabilities WEP poses.

In addition to connection configuration, you may also configure wireless access point, access control list (ACL) and advanced settings by selecting Edit Wireless configuration from the Wireless interface’s Configuration pull down box.

Note
A walkthrough for configuring your CyberGuard SG appliance to bridge wireless clients directly onto your LAN is provided in the section entitled Connecting wireless clients to your LAN, towards the end of this chapter.

Basic wireless settings

Basic settings for your wireless network are configured under Access Point. Each of the fields is discussed below.

ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a wireless network. This value is case sensitive, and may be up to 32 alphanumeric characters.
Broadcast ESSID: Enables broadcasting of the ESSID. This makes this wireless network visible to clients that are scanning for wireless networks. Choosing not to broadcast the ESSID should not be considered a security measure; clients can still connect if they know the ESSID, and it is possible for network sniffers to read the ESSID from other clients.

Channel/Frequency: Select the operating frequency or channel for the wireless network. Changing to a different channel may give better performance if there is interference from another access point.

Bridge Clients: This setting enables the access point to forward packets between clients at the wireless level, i.e. wireless clients are able to “see” each other. This means that packets between wireless clients will not be restricted by the firewall. Note that if you disable this setting, but you still want to allow access between clients in the firewall, then usually you will also need to configure each client to route to other clients via the access point.

Wireless security

Encryption and authentication settings for your wireless network are configured under Access Point. Fields will vary based on the security method you choose.

If Security Method is set to None, any client is allowed to connect, and there is no data encryption.

Warning
If you use this setting, then it is highly recommended that you configure the wireless interface as a Guest connection, disable bridging between clients, and only allow VPN traffic over the wireless connection.

WEP security method

WEP (Wired Equivalent Privacy) allows for 64 or 128 bit encryption.

Warning
The WEP protocol has known security flaws, so it is recommended that you configure the wireless interface as a Guest connection, disable bridging between clients, and only allow VPN traffic over the wireless connection.
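The wireless guidance above (ESSID limits, the note that a hidden ESSID is not a security measure, Bridge Clients, and the Guest-connection plus VPN-only recommendation for the None and WEP security methods) can be turned into a configuration check that flags a wireless interface set up in a way the manual warns against. This is an added example, not code from the manual or from the CyberGuard SG appliance; the configuration dictionary keys, the hex-only WEP key-length rule (10 or 26 hex digits for the 64 and 128 bit modes, the remainder of each being the 24-bit IV) and the list of VPN services are this example's assumptions.

```python
"""
Checker that applies the manual's wireless recommendations to a configuration
dictionary. Added example; not CyberGuard/SnapGear code. The dictionary keys,
the WEP key-format rule and the VPN service list are assumptions.
"""
import re
from typing import Dict, List, Tuple

ESSID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # manual: up to 32 alphanumeric characters
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# WEP "64-bit" and "128-bit" modes carry 40 or 104 secret bits (10 or 26 hex
# digits) plus a 24-bit IV. ASCII-form keys are not handled here (assumption).
WEP_HEX_DIGITS = {10: 64, 26: 128}
# Traffic that may remain allowed over a weakly secured wireless link: VPN only.
# IKE, IPsec NAT-T, PPTP control channel and ESP (IP protocol 50); assumed list.
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("tcp", 1723), ("ip", 50)}

Finding = Tuple[str, str]  # (severity, message)


def check_wireless_config(cfg: Dict) -> List[Finding]:
    """Return findings for a wireless interface configuration (constructed key names)."""
    findings: List[Finding] = []

    essid = str(cfg.get("essid", ""))
    if not ESSID_RE.fullmatch(essid):
        findings.append(("error", "ESSID must be 1 to 32 alphanumeric characters"))
    if not cfg.get("broadcast_essid", True):
        findings.append(("info", "hidden ESSID is not a security measure; clients and sniffers can still learn it"))

    method = str(cfg.get("security_method", "None")).lower()
    if method == "wep":
        key = str(cfg.get("wep_key", ""))
        if not HEX_RE.fullmatch(key) or len(key) not in WEP_HEX_DIGITS:
            findings.append(("error", "WEP key must be 10 (64-bit) or 26 (128-bit) hex digits"))
        else:
            findings.append(("info", f"WEP {WEP_HEX_DIGITS[len(key)]}-bit: the protocol has known flaws"))

    if method in ("none", "wep"):
        # The manual's recommendation for open or WEP networks.
        if cfg.get("connection") != "guest":
            findings.append(("warn", f"security method {method}: configure the wireless interface as a Guest connection"))
        if cfg.get("bridge_clients", False):
            findings.append(("warn", "disable Bridge Clients so client-to-client traffic is subject to the firewall"))
        extra = [tuple(s) for s in cfg.get("allowed_services", []) if tuple(s) not in VPN_SERVICES]
        if extra:
            findings.append(("warn", f"only VPN traffic should be allowed over the wireless connection; remove {extra}"))

    return findings


if __name__ == "__main__":
    # Constructed sample: a WEP network bridged straight onto the LAN.
    weak = {
        "essid": "office-guest!", "broadcast_essid": False,
        "security_method": "WEP", "wep_key": "0123456789ABCDEF",
        "connection": "lan", "bridge_clients": True,
        "allowed_services": [("udp", 500), ("tcp", 80)],
    }
    for severity, message in check_wireless_config(weak):
        print(f"[{severity}] {message}")
```

A WPA network bridged onto the LAN produces no findings, which matches the first of the two typical configurations the manual describes; a WEP or open network passes only when it is a Guest connection with client bridging off and nothing but VPN services allowed through.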