ISCS version 0.1.1
Version 0.1.1 only supports the SG565 and higher models running firmware version 3.1.2 or higher. Lower models do not support ssh which is the out-of-band ISCS management protocol for CyberGuard devices. Lower firmware revisions do not support scp.
We cannot alter the initialization scripts for iptables without patching the firmware. Thus we must work with the existing initialization scripts and files. We also cannot easily change the default behavior. For example, additional rules can be loaded through the /etc/config/ipfwrules file however this file reloads with every configuration change, e.g., every time a RAS user connects. Moreover, the rules are added individually rather than in batch mode. This can create for absurdly long outages every time there is a change, e.g., every time a RAS user connects. Thus, we completely bypass the normal SG rule loading mechanism. This bypass implies that the SG device can no longer dynamically adapt its rules to configuration changes. The most striking example is that an SG device administered by this version of ISCS cannot have a dynamic IP address; there is as of yet no way to dynamically change the iptables rules to reflect a dynamically changing IP address.
We do not currently configure the VPN or routing for the SG series. One must configure these features using the SG series native web interface. We do manage the additional IP bindings (e.g., for NAT).
Configure all but the iptables rules and NAT IP address bindings via the native SG web interface, e.g., routing, VPN, load certificates and keys.
From either the console or the web interface, create a files named iptables.load, ProxyARPUp and ProxyARPDown in the /etc/config/ directory with the following contents:
iptables.load:
copy the contents of the iptables.load.SG580 file in the tarball PEP directory
ProxyARPUp and ProxyARPDown are initially empty bash scripts:
#!/bin/sh
iptables.load
copy the contents of the iptables.load.tcl file in the tarball PEP directory
ProxyARPUp and ProxyARPDown are initially empty bash scripts:
#!/bin/metash
Grant execute rights to at least the root user (this must be done from the console - remember to sync the changes to permanent storage):
chmod 770 /etc/config/iptables.load /etc/config/ProxyARPUp /etc/config/ProxyARPDown
Edit the /etc/config/start file by adding the following line at the end:
sh /etc/config/iptables.load
Edit the /etc/config/ifmond.conf file by adding the following at the end. The parent entries may vary if one has implemented VLANs:
connection nataddr parent conn-eth0 parent conn-eth1 start /etc/config/ProxyARPUp stop /etc/config/ProxyARPDown
Make sure there is a new line at the end of the files. When creating or editing any file from the console (as opposed to the web interface), remember to issue a "sync -f" for bash systems or a "sync" for sash systems to write the changes to permanent storage.
Go to the Rules section on the left hand menu of the SG web interface, click on Custom firewall rules are instead of builtin rules (very important) and add the temporary rules:
iptables -P OUTPUT ACCEPT
This is merely to prevent an error when using custom instead of built-in rules and to preserve the configuration station’s access until finished.
Go to the configuration files section, click on ipfwrules, edit, remove all entries and click on apply.
Through the same configuration files section, configure SSH by editing the sshd_config file (not ssh_config). SSH should be configured to allow root connections, use only SSH version 2 (make sure there is only one uncommented Protocol line and that it reads “Protocol 2” without the quotation marks), disable password authentication and allow authentication via rsa . Copy the id_rsa.pub key for the root user on the DBD via the file upload section of the configuration files page and name it /etc/config/authorized_keys. Make sure the DBD can connect to the SG PEP without being prompted for a password or to accept the PEP's key. This is a common error. Unless one first connects via ssh from the command line or populates the DBD's SSH known_hosts file in some other way, the SPM will hang when it contacts the PEP because it will be awaiting keyboard input from stdin.
One may wish to modify this procedure depending on one's environment. For example, if the device is directly connected to the Internet, one may wish to leave the default rules in place until the new rules have been loaded.