NITO User Guide

Nomadix publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Nomadix Internet Traffic Optimizer (NITO).

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Nomadix

Nomadix and the Nomadix Pinwheel Design Logo are registered trademarks of Nomadix, Inc. Smoothwall is a registered trademark of Smoothwall Ltd. Microsoft, Active Directory, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 are either registered trademarks or trademarks of Microsoft Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Apple, Mac, iPad and iPhone are registered trademarks of Apple Computer Inc. Android is a trademark of Google Inc. eDirectory is a trademark of Novell, Inc. Linux is a trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire, Inc. Intel and Core are registered trademarks of Intel Corporation. VIPRE is a registered trademark of GFI Software.

All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the US, UK and/or other countries.

Copyright © 2012 Smoothwall Ltd. All Rights Reserved.

Nomadix NITO

User Guide

Trademarks

The symbol, and Nomadix Service Engine™ are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their respective holders.

Product Information

Telephone: +1.818.597.1500

Fax: +1.818.597.1502

Write your product serial number in this box:

Disclaimer

Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein.

In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc. products.

WARNING

Risk of electric shock; do not open; no user-serviceable parts inside.

(The same warning is given in French, German and Spanish: risk of electric shock; do not open; do not attempt to dismantle the device; electrical components inside.)

CAUTION

Read the instruction manual prior to operation.

(The same caution is given in French, German and Spanish.)

30851 Agoura Rd, Suite 102, Agoura Hills, CA 91301 USA (head office)

Table of Contents

Chapter 1: Introduction ....................................................................................................................... 1

Overview of NITO ..................................................................................................................................... 1

Who should read this guide?..................................................................................................................... 1

Other Documentation and User Information............................................................................................ 1

Chapter 2: NITO Overview ................................................................................................................. 3

Accessing NITO......................................................................................................................................... 3

Dashboard................................................................................................................................................. 4

Logs and reports ....................................................................................................................................... 4

Networking ................................................................................................................................................ 6

Services ..................................................................................................................................................... 8

System........................................................................................................................................................ 9

Guardian ................................................................................................................................................. 12

Web Proxy ............................................................................................................................................... 14

Configuration Guidelines........................................................................................................................ 15

Connecting via the Console .................................................................................................................... 17

Secure Communication ........................................................................................................................... 18

Chapter 3: Working with Interfaces ................................................................................................. 19

Managing Network Interfaces................................................................................................................. 19

Changing the IP Address ........................................................................................................................ 20

About Connection Methods and Profiles ................................................................................................ 21

Creating a Connection Profile ................................................................................................................ 21

Creating a PPP Profile ........................................................................................................................... 27

Modifying Profiles................................................................................................................................... 28

Deleting Profiles ..................................................................................................................................... 29

Chapter 4: Managing Your Network Infrastructure ...................................................................... 31

Creating Subnets ..................................................................................................................................... 31

Using RIP ................................................................................................................................................ 32

Sources .................................................................................................................................................... 34

Ports ........................................................................................................................................................ 35

Creating an External Alias Rule ............................................................................................................. 36

Creating a Source Mapping Rule............................................................................................................ 38

Managing Internal Aliases...................................................................................................................... 39

Working with Secondary External Interfaces ......................................................................................... 40

Chapter 5: General Network Security Settings................................................................................ 43

Blocking by IP ......................................................................................................................................... 43

Configuring Advanced Networking Features.......................................................................................... 44

Enabling Traffic Auditing ....................................................................................................................... 46

Working with Port Groups ...................................................................................................................... 47

Chapter 6: Configuring Inter-Zone Security ................................................................................... 51

About Zone Bridging Rules ..................................................................................................................... 51

Creating a Zone Bridging Rule ............................................................................................................... 51

Editing and Removing Zone Bridge Rules .............................................................................................. 53

A Zone Bridging Tutorial ........................................................................................................................ 53

Group Bridging ....................................................................................................................................... 55


Chapter 7: Managing Inbound and Outbound Traffic ................................................................... 59

Introduction to Port Forwards – Inbound Security ................................................................................ 59

Advanced Network and Firewall Settings ............................................................................................... 61

Outbound Access..................................................................................................................................... 63

Managing External Services ................................................................................................................... 68

Assigning Rules to Groups ...................................................................................................................... 69

Chapter 8: Deploying Web Filtering ................................................................................................. 71

Getting Up and Running ......................................................................................................................... 71

About NITO’s Default Policies ............................................................................................................... 75

Chapter 9: Working with Policies ..................................................................................................... 77

An Overview of Policies .......................................................................................................................... 77

Working with Category Group Objects................................................................................................... 80

Working with Time Slot Objects.............................................................................................................. 84

Working with Location Objects............................................................................................................... 85

Working with Quota Objects................................................................................................................... 86

Managing Web Filter Policies ................................................................................................................ 88

Managing HTTPS Inspection Policies .................................................................................................... 92

Managing Content Modification Policies ............................................................................................... 97

Working with Policy Folders ................................................................................................................ 100

Censoring Web Form Content .............................................................................................................. 101

Chapter 10: Managing Authentication Policies ............................................................................. 105

About Authentication Policies............................................................................................................... 105

Creating Authentication Policies .......................................................................................................... 105

Managing Authentication Policies........................................................................................................ 113

Managing Authentication Exceptions ................................................................................................... 114

Identification by Location ..................................................................................................................... 114

Connecting to NITO .............................................................................................................................. 115

Authentication Scenarios ...................................................................................................................... 117

Chapter 11: Managing Web Security.............................................................................................. 119

Overview of NITO’s Web Proxy............................................................................................................ 119

Using PAC Scripts................................................................................................................................. 124

Limiting Bandwidth............................................................................................................................... 126

Configuring WCCP ............................................................................................................................... 128

Managing Upstream Proxies ................................................................................................................ 129

Managing Blocklists.............................................................................................................................. 136

Managing Block Pages ......................................................................................................................... 137

Chapter 12: NITO Alerts, Logs and Reports ................................................................................. 143

About Alerts........................................................................................................................................... 143

Realtime Web Filter Information .......................................................................................................... 145

Web Filter Logs..................................................................................................................................... 146

Guardian Reports.................................................................................................................................. 148

Chapter 13: NITO Services.............................................................................................................. 149

Working with User Portals.................................................................................................................... 149

SNMP .................................................................................................................................................... 155

DNS ....................................................................................................................................................... 156

Censoring Instant Message Content ..................................................................................................... 157

Managing the Intrusion System............................................................................................................. 163

DHCP.................................................................................................................................................... 168


Chapter 14: Authentication and User Management...................................................................... 177

Managing Local Users.......................................................................................................................... 177

Managing Temporarily Banned Users.................................................................................................. 180

Viewing User Activity............................................................................................................................ 181

Authenticating Users with SSL Login ................................................................................................... 182

Managing Kerberos Keytabs................................................................................................................. 185

Managing Groups of Users................................................................................................................... 186

Configuring Authentication Settings ..................................................................................................... 188

Managing the Authentication System.................................................................................................... 197

Chapter 15: Reporting...................................................................................................................... 201

Accessing Reporting.............................................................................................................................. 202

Generating Reports ............................................................................................................................... 202

Scheduling Reports................................................................................................................................ 205

Managing Report Data ......................................................................................................................... 206

Managing Disk Space ........................................................................................................................... 207

Chapter 16: Managing Your NITO................................................................................................. 211

Managing Updates ................................................................................................................................ 211

Managing Modules................................................................................................................................ 213

Licenses ................................................................................................................................................. 214

Archives................................................................................................................................................. 214

Scheduling ............................................................................................................................................. 216

Shutting down and Rebooting ............................................................................................................... 219

Shell Access........................................................................................................................................... 220

Setting System Preferences ................................................................................................................... 220

Configuring Administration and Access Settings.................................................................................. 224

Hardware .............................................................................................................................................. 228

Managing Hardware Failover .............................................................................................................. 232

Configuring Modems............................................................................................................................. 236

Installing and Uploading Firmware ..................................................................................................... 238

Diagnostics............................................................................................................................................ 238

Managing CA Certificates..................................................................................................................... 242

Chapter 17: Centrally Managing Nomadix Systems ..................................................................... 245

About Centrally Managing Nomadix Systems....................................................................................... 245

Setting up a Centrally Managed Nomadix System................................................................................ 246

Managing Nodes in a Nomadix System................................................................................................. 250

Chapter 18: Information, Alerts and Logging ............................................................................... 255

About the Dashboard ............................................................................................................................ 255

About the About Page............................................................................................................................ 255

Alerts ..................................................................................................................................................... 256

Realtime................................................................................................................................................. 261

Logs ....................................................................................................................................................... 264

Configuring Log Settings ...................................................................................................................... 271

Configuring Groups .............................................................................................................................. 274

Configuring Output Settings ................................................................................................................. 276

Appendix A: Authentication ............................................................................................................. 281

Overview ............................................................................................................................................... 281

NITO and DNS ...................................................................................................................................... 282

Working with Large Directories ........................................................................................................... 283

Active Directory .................................................................................................................................... 283

About Kerberos ..................................................................................................................................... 284


Appendix B: Understanding Templates and Reports..................................................................... 285

Programmable Drill-Down Looping Engine ........................................................................................ 285

Reporting Folders ................................................................................................................................. 295

Scheduling Reports................................................................................................................................ 299

Reporting Sections ................................................................................................................................ 300

Appendix C: Hosting Tutorials......................................................................................................... 309

Basic Hosting Arrangement .................................................................................................................. 309

Extended Hosting Arrangement ............................................................................................................ 310

More Advanced Hosting Arrangement.................................................................................................. 311

Glossary............................................................................................................................................... 315

Index.................................................................................................................................................... 323


Chapter 1: Introduction

In this chapter:

- An overview of NITO
- Who should read this guide
- Support information

Overview of NITO

Nomadix Internet Traffic Optimizer (NITO) delivers a complete Unified Threat Management solution in a single, powerful, state-of-the-art appliance.

NITO provides:

- Firewall: stateful packet inspection with Layer 7 content analysis and Intrusion Detection
- Web security: content filtering and browser exploit detection

NITO’s hardware runs the processor- and system-intensive web content analysis on the appliance itself, rather than compromising effectiveness by using less demanding off-box solutions.

Who should read this guide?

System administrators maintaining and deploying NITO should read this guide.

Other Documentation and User Information

Apart from this guide, the following documentation is available:

- http://www.nomadix.com/support_overview.php contains support, self-help and training information as well as product updates and the latest product manuals.

Chapter 2: NITO Overview

In this chapter:

- How to access NITO
- An overview of the pages used to configure and manage NITO

Accessing NITO

Note: The following sections assume that you have registered and configured NITO as described in the NITO Getting Started Guide.

To access NITO:

1. In the browser of your choice, enter the address of your NITO, for example: https://192.168.110.1:441

Note: The example address uses HTTPS on port 441 so that the session with your NITO is encrypted. NITO also accepts HTTP on port 81; over HTTP the administrator username and password, and everything else in the session, cross the network in clear text, so use it only if you accept that reduced security.

2. Accept NITO’s certificate. The login screen is displayed.

Note: Your browser warns because NITO’s certificate is not issued by a certificate authority the browser trusts. Before accepting it, confirm that the address is that of your own NITO and, if you have recorded the certificate’s fingerprint, that it matches.

3. Enter the following information:

Username: admin (the default NITO administrator account)

Password: nomadix (the default NITO password)

Note: These defaults are published in this guide and are therefore known to anyone; change the administrator password the first time you log in.

4. Click Login. The Dashboard opens.
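The two notes above amount to a first-login check that can be scripted: confirm that the certificate the appliance presents is the one you recorded when it was installed, and confirm that the clear-text administration port is not answering. The following is an added example written for this guide, not Nomadix code and not part of the product; it assumes only the ports the guide states (HTTPS on 441, HTTP on 81), and the host address and pinned fingerprint are placeholders you supply from your own appliance.

```python
"""First-login checks for a NITO administration interface.

Added example; not part of the Nomadix documentation or product. It assumes
only what the guide states: the administration UI is served over HTTPS on
port 441 and, optionally, over clear-text HTTP on port 81. The host address
and the pinned fingerprint are placeholders you supply from your own
appliance.
"""
import hashlib
import http.client
import socket
import ssl
import sys

HTTPS_PORT = 441  # administration UI over TLS (from the guide)
HTTP_PORT = 81    # optional clear-text administration UI (from the guide)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated upper-case hex,
    the form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Strip colons, spaces and case so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(seen: str, pinned: str) -> bool:
    return normalize_fingerprint(seen) == normalize_fingerprint(pinned)


def fetch_peer_cert(host: str, port: int = HTTPS_PORT, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the appliance presents on its HTTPS port.

    Chain verification is switched off on purpose: the appliance's
    certificate is not issued by a CA the client trusts, so the trust
    decision is made by comparing the fingerprint against the value you
    recorded out of band, not by the system CA store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def clear_text_admin_reachable(host: str, port: int = HTTP_PORT, timeout: float = 5.0) -> bool:
    """True if something answers plain HTTP on the clear-text port.
    Any login sent there would cross the network unencrypted."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        conn.getresponse()
        conn.close()
        return True
    except (OSError, http.client.HTTPException):
        return False


def findings(http_open: bool, seen_fp: str, pinned_fp: str) -> list:
    """Turn the two observations into the warnings an administrator acts on."""
    out = []
    if http_open:
        out.append("clear-text administration is reachable on port %d; "
                   "use HTTPS on port %d only" % (HTTP_PORT, HTTPS_PORT))
    if not fingerprints_match(seen_fp, pinned_fp):
        out.append("certificate fingerprint %s does not match the pinned value; "
                   "do not enter credentials" % seen_fp)
    return out


if __name__ == "__main__":
    # usage: python nito_first_login_check.py 192.168.110.1 <pinned fingerprint>
    # (hypothetical file name; the address and fingerprint are yours)
    target, pinned = sys.argv[1], sys.argv[2]
    observed = sha256_fingerprint(fetch_peer_cert(target))
    print("observed fingerprint:", observed)
    for problem in findings(clear_text_admin_reachable(target), observed, pinned):
        print("WARNING:", problem)
```

Record the fingerprint the script prints on the first run, when you are sure you are talking to the freshly installed appliance, and pass it as the pinned value on every later run; a mismatch means either the certificate was replaced (see Chapter 16, Managing CA Certificates on page 242) or you are not talking to your NITO.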

The following sections give an overview of NITO’s default sections and pages.

Dashboard

The dashboard is the default home page of your NITO system. It displays a to-do list for getting started, service information and a customizable number of summary reports.

Logs and reports

The Logs and reports section contains the following sub-sections and pages:

Reports

- Summary: Displays a number of generated reports. For more information, see Chapter 15, About the Summary Page on page 201.
- Reports: Where you generate and organize reports. For more information, see Chapter 15, Generating Reports on page 202.
- Recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 15, Saving Reports on page 202.
- Scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 15, Scheduling Reports on page 205.
- Custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 285.

Alerts

- Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 18, Alerts on page 256.
- Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 18, Configuring Alert Settings on page 257.

Realtime

- System: A realtime view of the system log with some filtering options. For more information, see Chapter 18, System Information on page 261.
- Firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 18, Firewall Information on page 262.
- Portal: A realtime view of activity on user portals. For more information, see Chapter 18, Portal Information on page 263.
- Web filter: A realtime version of the web filter log viewer with some filtering options. For more information, see Chapter 12, Realtime Web Filter Information on page 145.
- Traffic graphs: Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 18, Traffic Graphs on page 263.

Logs

- System: Simple logging information for the internal system services. For more information, see Chapter 18, System Logs on page 265.
- Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 18, Firewall Logs on page 266.
- IDS: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 18, IDS Logs on page 269.
- IPS: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 18, IPS Logs on page 270.
- Web filter: Displays detailed analysis of web proxy and filtering activity. For more information, see Chapter 12, Web Filter Logs on page 146.
- User portal: Displays information on access by users to portals. For more information, see Chapter 18, User Portal Logs on page 271.
- Log settings: Settings to configure the logs you want to keep, an external syslog server, and automated log deletion and rotation options. For more information, see Chapter 18, Configuring Log Settings on page 271.

Settings

- Database settings: Settings to manage the database storing NITO report data. For more information, see Chapter 15, Managing Report Data on page 206.
- Database backup: Enables you to back up and restore report data as well as optimize, empty and prune databases. For more information, see Chapter 15, Backing up Data on page 209.
- Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 18, Configuring Groups on page 274.
- Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 18, Configuring Output Settings on page 276.

Networking

The Networking section contains the following sub-sections and pages:

Filtering

Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 51.

Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 55.

IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 43.

Routing

Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 31.


Nomadix NITO

User Guide

RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 32.

Sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 34.

Ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 35.

Interfaces

Interfaces: Configure and display information on your NITO's internal interfaces. For more information, see Chapter 3, Managing Network Interfaces on page 19.

Internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet, without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 39.

External aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 36.

Connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Creating a Connection Profile on page 21.

PPP: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 27.

Secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 40.

Firewall

Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards – Inbound Security on page 59.

Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 38.

Advanced: Used to enable or disable NAT helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 61.

Outgoing

Sources: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Source Rules on page 66.

Groups: Used to assign outbound access controls to authenticated groups of users. For more information, see Chapter 7, Assigning Rules to Groups on page 69.

Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Outbound Access on page 63.

External services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 68.

Settings

Port groups: Create and edit groups of ports for use throughout NITO. For more information, see Chapter 5, Working with Port Groups on page 47.

Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 44.

Services

The Services section contains the following sub-sections and pages:

Authentication

Control: Used to view the current status of the authentication system, and to restart and stop the service. It also allows diagnostic tests to be performed against different areas of the authentication service. For more information, see Chapter 14, Authentication and User Management on page 177.

Settings: Used to set global login time settings. For more information, see Chapter 14, Configuring Authentication Settings on page 188.

Groups: Used to customize group names. For more information, see Chapter 14, Managing Groups of Users on page 186.

Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 14, Managing Temporarily Banned Users on page 180.

Local users: Used to add, import and export user profiles, for example usernames and passwords, to and from the system's own local user database. For more information, see Chapter 14, Managing Local Users on page 177.

User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 14, Viewing User Activity on page 181.

SSL login: Used to customize the end-user login page. For more information, see Chapter 14, Enabling SSL Login on page 183.

Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185.

User Portal

Portals: This page enables you to configure and manage user portals. For more information, see Chapter 13, Working with User Portals on page 149.

Groups: This page enables you to assign groups of users to portals. For more information, see Chapter 13, Assigning Groups to Portals on page 153.

User exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 13, Making User Exceptions on page 153.

Message Censor

Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 13, Creating and Applying Message Censoring Policies on page 161.

Filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 13, Creating Filters on page 160.

Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 13, Setting Time Periods on page 159.

Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 13, Managing Custom Categories on page 157.

System

The System section contains the following sub-sections and pages:

Maintenance

Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 16, Managing Updates on page 211.

Modules: Used to upload, view, check, install and remove NITO modules. For more information, see Chapter 16, Managing Modules on page 213.

Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 16, Licenses on page 214.

Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 16, Archives on page 214.

Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and to create local and remote backup archives. For more information, see Chapter 16, Scheduling on page 216.

Shutdown: Used to shut down or reboot the system. For more information, see Chapter 16, Shutting down and Rebooting on page 219.

Shell: Used to access the NITO's system console via a Java-based SSH shell. For more information, see Chapter 16, Shell Access on page 220.

Central Management

Overview: This is where you monitor nodes and schedule updates in a Nomadix system. For more information, see Chapter 17, Managing Nodes in a Nomadix System on page 250.

Child nodes: This is where you add and configure nodes in a Nomadix system. For more information, see Chapter 17, Configuring Child Nodes on page 247.

Local node settings: This is where you configure a node to be a parent or child in a Nomadix system and manage central management keys for use in the system. For more information, see Chapter 17, Setting up a Centrally Managed Nomadix System on page 246.

Preferences

Time: Used to set NITO's time zone, date and time settings. For more information, see Chapter 16, Setting Time on page 221.

Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Nomadix. For more information, see Chapter 16, Configuring Registration Options on page 223.

Hostname: Used to configure NITO's hostname. For more information, see Chapter 16, Configuring the Hostname on page 224.

Administration

Admin options: Used to enable secure access to NITO using SSH, and to enable referral checking. For more information, see Chapter 16, Configuring Admin Access Options on page 225.

External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer NITO. For more information, see Chapter 16, Configuring External Access on page 226.

Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 16, Administrative User Settings on page 227.

Hardware

UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 16, UPS Settings on page 228.

Diagnostics

Configuration tests: Used to ensure that your current NITO settings are not likely to cause problems. For more information, see Chapter 16, Diagnostics on page 238.

Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 16, Generating Diagnostics on page 239.

IP tools: Contains the ping and traceroute IP tools. For more information, see Chapter 16, IP Tools on page 240.

Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 16, Whois on page 240.

Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 16, Analyzing Network Traffic on page 241.

Guardian

The Guardian section contains the following sub-sections and pages:

Quick Links

Getting started: This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Chapter 9, Guardian Getting Started on page 80.

Shortcuts: This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see Chapter 8, About Shortcuts on page 75.

Quick block/allow: This page enables you to block or allow content immediately. For more information, see Chapter 8, Blocking and Allowing Content Immediately on page 72.

Web Filter Policies

Manage policies: This is where you manage how web filtering policies are applied. For more information, see Chapter 9, Managing Web Filter Policies on page 88.

Policy wizard: This is where you can configure a custom web filtering policy. For more information, see Chapter 9, Creating Web Filter Policies on page 89.

Location blocking: Enables you to block computers at a specific location from accessing web content. For more information, see Chapter 8, Blocking Locations on page 72.

Exceptions: Here you can exempt computers from any web filtering. For more information, see Chapter 8, Excepting Computers from Web Filtering on page 73.

Outgoing: This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Chapter 9, Censoring Web Form Content on page 101.

HTTPS Inspection Policies

Manage policies: This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Chapter 9, Managing HTTPS Inspection Policies on page 92.

Policy wizard: This is where you create custom policies for managing encrypted communications. For more information, see Chapter 9, Creating an HTTPS Inspection Policy on page 93.

Settings: This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Chapter 9, Configuring HTTPS Inspection Policy Settings on page 95.

Content Modification Policies

Manage policies: This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Chapter 9, Managing Content Modification Policies on page 97.

Policy wizard: Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Chapter 9, Creating a Content Modification Policy on page 98.

Block Page Policies

Manage policies: This is where you manage block page policies. For more information, see Chapter 11, Managing Block Page Policies on page 141.

Policy wizard: This is where you create and edit block page policies. For more information, see Chapter 11, Configuring a Block Page Policy on page 140.

Block pages: This is where you create and edit block pages. For more information, see Chapter 11, Managing Block Pages on page 137.

Policy Objects

Category groups: This is where you manage content categories used when applying a web filtering policy. For more information, see Chapter 9, Working with Category Group Objects on page 80.

User defined: This is where you manage custom content categories. For more information, see Chapter 9, Defining Categories on page 81.

Time slots: This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Chapter 9, Working with Time Slot Objects on page 84.

Locations: This is where you create and manage location policy objects for use in content filtering policies. For more information, see Chapter 9, Working with Location Objects on page 85.

Quotas: This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Chapter 9, Working with Quota Objects on page 86.

Web Proxy

The Web Proxy section contains the following sub-sections and pages:

Web Proxy

Settings: This is where you configure and manage web proxy settings. For more information, see Chapter 11, Overview of NITO's Web Proxy on page 119.

Automatic configuration: This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Chapter 11, Using PAC Scripts on page 124.

Bandwidth limiting: This is where you can manage how much bandwidth is made available to clients. For more information, see Chapter 11, Limiting Bandwidth on page 126.

WCCP: This is where you can configure NITO to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Chapter 11, Configuring WCCP on page 128.

Upstream Proxy

Manage policies: This is where you manage upstream proxy policies. For more information, see Chapter 11, Working with Multiple Upstream Proxies on page 134.

Proxies: This is where you configure upstream proxy settings. For more information, see Chapter 11, Configuring an Upstream Proxy on page 130.

Filters: This is where you manage upstream proxy source and destination filters. For more information, see Chapter 11, Configuring Source and Destination Filters on page 131.

Authentication

Manage policies: This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 10, Managing Authentication Policies on page 113.

Policy wizard: This is where you create and edit authentication policies. For more information, see Chapter 10, Creating Authentication Policies on page 105.

Exceptions: This is where you can exempt content from authentication. For more information, see Chapter 10, Managing Authentication Exceptions on page 114.

Ident by location: This is where you configure identification of groups and/or users by their location. For more information, see Chapter 10, Identification by Location on page 114.

MobileProxy

Settings: On this page, you configure global MobileProxy server settings. For more information, see Chapter 9, Enabling MobileProxy on page 91.

Proxies: On this page, you manage MobileProxy servers for use with mobile devices. For more information, see Chapter 9, Specifying MobileProxy Servers on page 92.

Exceptions: On this page, you specify proxy exceptions. For more information, see Chapter 9, Configuring Proxy Exceptions on page 93.

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address

An IP address defines the network location of a single network host. The following format is used:

192.168.10.1

IP Address Range

An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:

192.168.10.1-192.168.10.20

192.168.10.1-192.168.12.255

Subnet Addresses

A network or subnet range defines a range of IP addresses that belong to the same network. The format combines the network address and a network mask, and can be entered in two ways:

192.168.10.0/255.255.255.0

192.168.10.0/24

Netmasks

A netmask defines a network or subnet range when used in conjunction with an IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

255.255.255.0

255.255.0.0

255.255.248.0

Service and Ports

A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

21

7070

Port Range

A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:

137:139
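The specifier formats above are easy to get subtly wrong: a network written with host bits set, a range typed high to low, a mask that is not contiguous. The following validator, added here as an example and not code from the NITO guide or product, parses every format the guide documents (single IP, low-high IP range, network in prefix or netmask form, bare netmask, single port, low:high port range) into an inclusive low..high integer span and rejects the malformed cases. All function and class names are this example's own.

```python
"""Validate the address and port specifiers used throughout NITO's rule pages.

Added example, not code from the NITO guide: it mirrors the formats the guide
documents and rejects the malformed inputs an administrator is most likely to type.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spec:
    """A parsed specifier: low..high is inclusive, as integer addresses or ports."""
    kind: str   # "host", "range", "network", "port" or "port_range"
    low: int
    high: int


def _ipv4(text: str) -> ipaddress.IPv4Address:
    # Every example in the guide is IPv4; say so explicitly rather than
    # letting an IPv6 literal slip through into a rule.
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError(f"IPv4 address expected, got {text!r}")
    return addr


def parse_address(text: str) -> Spec:
    """Parse a host (192.168.10.1), a low-high range (192.168.10.1-192.168.12.255)
    or a network in prefix (192.168.10.0/24) or netmask (192.168.10.0/255.255.255.0) form."""
    text = text.strip()
    if "-" in text:
        low, high = (_ipv4(part) for part in text.split("-", 1))
        if high < low:
            raise ValueError(f"range must run from low to high: {text!r}")
        return Spec("range", int(low), int(high))   # ranges may cross subnet boundaries
    if "/" in text:
        # strict=True rejects host bits set in the network part (192.168.10.5/24),
        # which otherwise silently becomes a rule for a different network.
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            raise ValueError(f"bad network {text!r}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"IPv4 network expected, got {text!r}")
        return Spec("network", int(net.network_address), int(net.broadcast_address))
    addr = _ipv4(text)
    return Spec("host", int(addr), int(addr))


def prefix_length(netmask: str) -> int:
    """Prefix length of a dotted netmask such as 255.255.248.0 (-> 21).
    Non-contiguous masks such as 255.0.255.0 are rejected."""
    mask = int(_ipv4(netmask))
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {netmask!r}")
    return ones


def _port(text: str) -> int:
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"port must be numeric: {text!r}")
    number = int(text)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    return number


def parse_port(text: str) -> Spec:
    """Parse a single port (21, 7070) or a low:high range (137:139)."""
    low_text, sep, high_text = text.strip().partition(":")
    low = _port(low_text)
    high = _port(high_text) if sep else low
    if high < low:
        raise ValueError(f"port range must run from low to high: {text!r}")
    return Spec("port_range" if sep else "port", low, high)


def contains(spec: Spec, value: str) -> bool:
    """True if an address (address specs) or port number (port specs) falls inside spec."""
    number = _port(value) if spec.kind in ("port", "port_range") else int(_ipv4(value))
    return spec.low <= number <= spec.high


if __name__ == "__main__":
    for sample in ("192.168.10.1", "192.168.10.1-192.168.12.255",
                   "192.168.10.0/255.255.255.0", "192.168.10.0/24"):
        print(f"{sample:32} -> {parse_address(sample)}")
    print("255.255.248.0 ->", prefix_length("255.255.248.0"))
    print("137:139 ->", parse_port("137:139"))
    print("192.168.10.7 in 192.168.10.0/24 ->",
          contains(parse_address("192.168.10.0/24"), "192.168.10.7"))
```

Both spellings of the subnet form resolve to the same span, which is the check worth running before pasting a specifier into an IP block or external access rule: a mistyped mask widens or narrows the rule without any visible error in the form.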

Using Comments

Almost every configurable aspect of NITO can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.

Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of NITO is configured by creating rules, for example IP block rules and administration access rules.

Creating a Rule

To create a rule:

1. Enter configuration details in the Add a new rule area.

2. Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule

To edit a rule:

1. Find the rule in the Current rules area and select its adjacent Mark option.

2. Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.

3. Change the configuration values as necessary.

4. Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule

To remove one or more rules:

1. Select the rule(s) to be removed in the Current rules area.

2. Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.

Connecting via the Console

You can access NITO via a console using the Secure Shell (SSH) protocol.

Note: By default, NITO only allows SSH access if it has been specifically configured. See Chapter 16, Configuring Admin Access Options on page 225 for more information.

Connecting Using a Client

When SSH access is enabled, you can connect to NITO via a secure shell application, such as PuTTY, or from the System > Maintenance > Shell page.

To connect using an SSH client:

1. Check SSH access is enabled on NITO. See Chapter 16, Configuring Admin Access Options on page 225 for more information.

2. Start PuTTY or an equivalent client.

3. Enter the following information:

Host Name (or IP address): Enter NITO's host name or IP address.

Port: Enter 222.

Protocol: Select SSH.

4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the NITO command line.

Note: The non-standard port is a convenience, not an access control. Because the shell account is root, restrict which networks and hosts can reach the SSH service using the System > Administration > External access rules (see Chapter 16, Configuring External Access on page 226), and verify the host key fingerprint your client shows on the first connection before entering the password.

Connecting Using Web-based SSH

To connect via the web-based SSH:

1. Navigate to the System > Maintenance > Shell page.

2. Enter the username root, and the password associated with it. As the root user, you will access the NITO command line.

Secure Communication

When you connect your web browser to NITO's web-based interface on an HTTPS port for the first time, your browser will display a warning that NITO's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity, or that the name in the certificate does not match the address you are connecting to.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, NITO's certificate is a self-signed certificate.

Note: The data traveling between your browser and NITO is encrypted. Encryption alone does not tell you who is at the other end, so verify the certificate's fingerprint by a route you already trust before accepting it for the first time.

To remove this warning, your web browser needs to be told to trust the certificate generated by NITO.

To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if the name in NITO's certificate does not match the address your browser used to reach the site.

A certificate can list one or more names, and NITO's certificate is issued for its hostname. If you try to access the site using its IP address, for example, the names will not match.

To remove this warning, access NITO using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.

Most browsers offer an option to ignore this warning and skip the check in future. Prefer accessing NITO by its hostname instead: a permanent exception means the browser will no longer notice if a different certificate is presented for that address.

Neither of the above issues compromises the encryption of HTTPS access, provided you have verified that the certificate you accepted is NITO's own. They serve to illustrate that HTTPS is about identity as well as encryption.
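The two warnings above come from two separate checks, and the second one is the one most often misunderstood. The following added example (not code from the NITO guide or the product) reproduces a browser's name-matching rule using the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can later be pointed at a real connection. The certificate and the hostname nito.example.internal are constructed for the example.

```python
"""Why the browser warns: name matching against NITO's self-signed certificate.

Added example, not part of the NITO guide. The certificate dictionary below is
a constructed stand-in for ssl.SSLSocket.getpeercert(): a self-signed
certificate issued for the appliance hostname only, as the guide describes.
"""
from __future__ import annotations

import ipaddress

# Constructed sample; the hostname is an assumption for this example.
NITO_CERT = {
    "subject": ((("commonName", "nito.example.internal"),),),
    "issuer": ((("commonName", "nito.example.internal"),),),
    "subjectAltName": (("DNS", "nito.example.internal"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison; a single leading '*.' may stand in
    for exactly one left-most label (no partial or multi-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    labels = hostname.split(".")
    return "*" not in suffix and len(labels) > 1 and ".".join(labels[1:]) == suffix


def certificate_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names) the certificate is valid for. Subject
    Alternative Names are authoritative; the subject commonName is only
    consulted when the certificate carries no SAN extension at all."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    if not cert.get("subjectAltName"):
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def name_matches(cert: dict, address: str) -> bool:
    """True if the address typed into the browser is covered by the certificate."""
    dns_names, ip_names = certificate_names(cert)
    try:
        literal = ipaddress.ip_address(address)
    except ValueError:
        return any(_dns_match(name, address) for name in dns_names)
    # An IP literal is compared only with iPAddress SAN entries, never with
    # dNSName entries, so https://192.168.10.1/ cannot match a hostname-only
    # certificate: this is the 'inconsistent site address' warning.
    return any(ipaddress.ip_address(name) == literal for name in ip_names)


def browser_warnings(cert: dict, address: str, issuer_trusted: bool = False) -> list[str]:
    """Which of the two warnings described in this section would be raised.
    issuer == subject is used here as a stand-in for 'self-signed'; a real
    client checks the signature and its trust store rather than the names."""
    warnings = []
    if not issuer_trusted and cert.get("issuer") == cert.get("subject"):
        warnings.append("unknown entity")
    if not name_matches(cert, address):
        warnings.append("inconsistent site address")
    return warnings


if __name__ == "__main__":
    for addr in ("nito.example.internal", "192.168.10.1"):
        print(f"https://{addr}/ -> {browser_warnings(NITO_CERT, addr) or 'no warning'}")
    print("after importing the certificate:",
          browser_warnings(NITO_CERT, "nito.example.internal", issuer_trusted=True)
          or "no warning")
```

Importing the certificate clears only the first warning; browsing to the appliance by IP address still fails the name check, which is why the guide tells you to use the hostname rather than to add a permanent exception.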

Working with Interfaces

In this chapter:

How to manage NITO's network interfaces.

Managing Network Interfaces

You can configure and review network interfaces on NITO's internal interfaces page.

To access interface settings:

1. Browse to the Networking > Interfaces > Interfaces page.

The following settings for your NITO's interface are available:

Default interface: A drop-down list of the current interfaces available.

Primary DNS: If NITO is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, NITO and DNS on page 282.

Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Changing the IP Address

If required, it is possible to change NITO's IP address.

To change the IP address:

1. On the Networking > Interfaces > Interfaces page, locate the interface from the Default interface drop-down list and, in the appropriate Settings area, enter the following settings:

IP address: Enter the IP address you want NITO to use on your internal network.

Netmask: If required, enter the netmask NITO should use on your internal network.

2. Browse to the bottom of the page. Click Save to save the changes and then click Restart to restart networking.

Note: Restarting the networking system can take some time and may interrupt some services. Before you restart, make sure the management host you are using can still reach the new address and is still permitted by your External access rules (see Chapter 16, Configuring External Access on page 226); otherwise you will need the console to recover.

3. After 15 seconds, in your browser's address field, enter the new IP address. When prompted, enter your user name and password. NITO now uses the new IP address.

Interfaces

Here you can review all the settings for your NITO interfaces.

Tip: Clicking the graph takes you to the relevant interface report.

Restarting Networking

Several key changes may have an effect on the connectivity of NITO. For this reason, most changes are only applied when networking is restarted.

To restart networking:

1. Click Restart.

Note: Restarting networking can take some time and may interrupt some services.

About Connection Methods and Profiles

NITO supports the following connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by NITO.

Modem: An internal or external modem connected to the Internet via an ISP, controlled by NITO.

Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by NITO.

Up to five different connections to the Internet can be defined, each stored in its own connection profile. Each connection profile defines the type of connection that should be used and the appropriate settings.

About Connection Profiles for Modems

PPP Profiles

Connection profiles for modems, including ISDN, and Ethernet/modem hybrid devices use an additional profile: a Point-to-Point Protocol (PPP) profile.

A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.

Modem Profiles

A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.

Creating a Connection Profile

The following sections explain how to create a connection profile. When creating a connection profile, you configure the global settings, including the connection method, and then configure the method-specific settings.


Configuring Global Settings

To configure global settings:

1. Navigate to the Networking > Interfaces > Connectivity page.

2. Configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Choose the connection method from the drop-down list. Options include:

Static Ethernet: see Configuring a Static Ethernet Connection on page 23.

DHCP Ethernet: see Configuring a DHCP Ethernet Connection on page 24.

PPP over Ethernet: see Configuring a PPP over Ethernet Connection on page 24.

PPTP over Ethernet: see Configuring a PPTP over Ethernet Connection on page 25.

ADSL Modem: see Configuring an ADSL/DSL Modem Connection on page 25.

ISDN TA: see Configuring an ISDN Modem Connection on page 26.

Modem: see Configuring a Dial-up Modem Connection on page 27.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.

Note: Using this option, you can daisy-chain profiles to use if NITO cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Primary failover ping IP: Enter an IP address that is known to be contactable if the external connection is operating correctly. If neither the primary nor the secondary IP address can be contacted, the connection will fail over, provided another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a second IP address that is known to be contactable if the external connection is operating correctly. Failover only occurs when both the primary and the secondary addresses are unreachable.

Note: Choose ping targets beyond your ISP's first hop, so that both being unreachable genuinely means the link is unusable, and avoid hosts that rate-limit or drop ICMP, which would trigger failover on a healthy link.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.

Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select from the drop-down list to assign a weight to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

3. Click Update to display further method-specific settings in the settings area.

4. At this point, click Save, as configuration using other pages may be necessary for some connection methods, for example PPP and modem profiles.

To complete the connection profile, refer to the method-specific sections in the remainder of this chapter.
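To see how the failover settings above combine, the following added example (not code from the NITO guide or the product) walks a chain of profiles the way the description says NITO does: a profile stays active while either of its ping targets answers, otherwise the profile named in Automatic failover to profile is tried next, and when the chain runs out the reboot option decides the outcome. The profile names, addresses and the reachable callback standing in for the ICMP probe are constructed for the example; a chain that loops back on itself is reported rather than followed forever.

```python
"""Resolve which connection profile NITO's failover settings would end up on.

Added example, not code from the NITO guide or product. Profiles, addresses and
the `reachable` callback (standing in for the ping probe) are constructed.
"""
from __future__ import annotations

from typing import Callable, Mapping, Optional

# Constructed profiles: name -> {"ping": [primary, optional secondary],
#                                "failover_to": next profile name or None}
PROFILES: Mapping[str, dict] = {
    "fibre": {"ping": ["203.0.113.1", "198.51.100.1"], "failover_to": "dsl"},
    "dsl":   {"ping": ["203.0.113.1", "198.51.100.2"], "failover_to": "lte"},
    "lte":   {"ping": ["198.51.100.3"], "failover_to": None},
}


def profile_is_up(profile: dict, reachable: Callable[[str], bool]) -> bool:
    """The rule from the settings table: a link counts as down only when
    neither the primary nor the (optional) secondary failover ping IP answers."""
    targets = [ip for ip in profile["ping"] if ip]
    if not targets:
        raise ValueError("a profile needs at least a primary failover ping IP")
    return any(reachable(ip) for ip in targets)


def resolve_active_profile(
    profiles: Mapping[str, dict],
    start: str,
    reachable: Callable[[str], bool],
    reboot_if_all_fail: bool = False,
) -> Optional[str]:
    """Walk the daisy chain from `start`. Returns the first healthy profile
    name; 'reboot' if every profile failed and the reboot option is set;
    None if they all failed and it is not. A profile that points back at one
    already tried is a misconfiguration and is reported, not looped on."""
    tried: list[str] = []
    current: Optional[str] = start
    while current is not None:
        if current in tried:
            raise ValueError("failover loop: " + " -> ".join(tried + [current]))
        if current not in profiles:
            raise KeyError(f"unknown profile {current!r}")
        tried.append(current)
        if profile_is_up(profiles[current], reachable):
            return current
        current = profiles[current]["failover_to"]
    return "reboot" if reboot_if_all_fail else None


if __name__ == "__main__":
    # Simulated probe results: only the dsl link's secondary target answers.
    answering = {"198.51.100.2"}
    print("active profile:", resolve_active_profile(PROFILES, "fibre", answering.__contains__))
    print("everything down, reboot enabled:",
          resolve_active_profile(PROFILES, "fibre", lambda ip: False, reboot_if_all_fail=True))
```

Note that in the first run the shared target 203.0.113.1 is down for both fibre and dsl, yet dsl is still selected because its own secondary answers; a single probe address shared by every profile would have made all of them look dead at once, which is the case the note about choosing ping targets is meant to avoid.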

Configuring a Static Ethernet Connection

A static Ethernet connection enables NITO to use a static IP address, as assigned by your ISP.

To create a static Ethernet connection:

1. Configure the global settings and select Static Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the Static Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

Default gateway: Enter the default gateway IP address as provided by your ISP.

Address: Enter the static IP address provided by your ISP.

Netmask: Enter the subnet mask as provided by your ISP.

Primary DNS: Enter the primary DNS server details as provided by your ISP.

Secondary DNS: Enter the secondary DNS server details as provided by your ISP.

3. Click Save.

Configuring a DHCP Ethernet Connection

A DHCP Ethernet connection enables NITO to be allocated a dynamic IP address, as assigned by the ISP.

To create a DHCP Ethernet connection:

1. Configure the global settings and select DHCP Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the DHCP Ethernet settings area, configure the following settings:

Interface – From the drop-down list, select the Ethernet interface for this connection.

DHCP Hostname – Optionally enter a DHCP hostname, if provided by your ISP.

MAC spoof – Enter a MAC spoof value if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.

3. Click Save.

Configuring a PPP over Ethernet Connection

This section explains how to configure NITO to use a PPPoE modem for Internet connectivity.

To create a PPP over Ethernet connection:

1. Configure the global settings and select PPP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the PPP over Ethernet settings area, configure the following settings:

Service name – If required, enter the service name as specified by your ISP.

Concentrator – If required, enter the concentrator name as specified by your ISP.

Interface – From the drop-down list, select the Ethernet interface for this connection.

PPP Profile – From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.

3. Click Save.

Configuring a PPTP over Ethernet Connection

This section explains how to configure NITO to use a PPTP modem for Internet connectivity.

To create a PPTP over Ethernet connection:

1. Configure the global settings and select PPTP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the PPTP over Ethernet settings area, configure the following settings:

Interface – From the drop-down list, select the Ethernet interface for this connection.

PPP Profile – From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.

Address – Enter the IP address assigned by your ISP.

Netmask – Enter the netmask assigned by your ISP.

Gateway – Enter the gateway assigned by your ISP.

Telephone – Enter the dial telephone number as provided by your ISP.

3. Click Save.

Configuring an ADSL/DSL Modem Connection

Note: The following sections apply if an ADSL/DSL modem is installed in your NITO.

NITO can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Configuring a PPP over Ethernet Connection on page 24 for more information.

To complete the connection profile:

1. Configure the global settings and select ADSL Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the ADSL Modem settings area, configure the following settings:

Service name – Leave this field blank. It is not required for this type of profile.

Concentrator – Leave this field blank. It is not required for this type of profile.

PPP Profile – From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.

3. Click Save.

Configuring an ISDN Modem Connection

Note: The following sections apply if an ISDN modem is installed in your NITO.

This section explains how to configure NITO to use an ISDN modem for Internet connectivity.

To complete the connection profile:

1. Configure the global settings and select ISDN TA as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the ISDN settings area, configure the following settings:

PPP Profile – From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.

Telephone – Enter the telephone number for the ISDN connection.

Channels – From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.

Keep second channel up – Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.

Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data-rate of the second channel decreases below a threshold where it is of no benefit, NITO will automatically close it. Forcing the second channel to stay up will help prevent this from happening.

Minimum time to keep second channel up (sec) – Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data-rate falls below the threshold for short periods of time.

3. Click Save.

Configuring a Dial-up Modem Connection

Note: The following sections apply if a dial-up modem is installed in your NITO.

This section explains how to configure NITO to use a dial-up modem for Internet connectivity.

To complete the profile:

1. Configure the global settings and select Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the Modem settings area, configure the following settings:

PPP Profile – From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.

Modem profile – From the drop-down list, select the modem profile to use. See Configuring Modems on page 236 for more information on modem profiles.

Telephone – Enter the telephone number for the connection.

3. Click Save.

Creating a PPP Profile

Up to five PPP profiles can be created to store username, password and connection-specific details for connections where NITO controls the connecting device, e.g. an ADSL modem attached to NITO.

To create a PPP profile:

1. Navigate to the Networking > Interfaces > PPP page.

2. Configure the following settings:

Profiles – From the drop-down list, select Empty.

Profile name – Enter a name for the profile.

Dial on Demand – Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per unit time billing.

Dial on Demand for DNS – Select to ensure that the system dials for DNS requests – this is normally the desired behavior.

Idle timeout – Enter the number of minutes that the connection must remain inactive for before it is automatically closed by NITO. Enter 0 to disable this setting.

Persistent connection – Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.

Maximum retries – Enter the maximum number of times that NITO will try to connect following failure to connect.

Username – Enter your ISP-assigned username.

Password – Enter your ISP-assigned password.

Method – Choose the authentication method as specified by your ISP in this field.

Script name – Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.

Type – Specifies the DNS type used by your ISP.

Manual – select if your ISP has provided you with DNS server addresses to enter.

Automatic – select if your ISP automatically allocates DNS settings upon connection.

Primary DNS – If Manual has been selected, enter the primary DNS server IP address.

Secondary DNS – If Manual has been selected, enter the secondary DNS server IP address.

3. Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. Choose the profile from the Profiles drop-down list that you wish to modify and click Select.

3. The profile details will now be displayed. Make changes to any of the fields, review the changes and click Save.

Note: Any changes made to a profile that is used as part of a current connection will only be applied following re-connection. The connection can be manually restarted on the main > control page.

Deleting Profiles

To delete an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. Choose the profile from the Profiles drop-down list that you wish to delete and click Select.

3. The profile details will now be displayed. If you are certain that you wish to delete the selected profile, click Delete.

Note: Deleting a profile that is used as part of a current connection will cause the current connection to close.

4

Managing Your Network Infrastructure

In this chapter:

• Creating subnets and internal subnet aliases

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:

1. Navigate to the Networking > Routing > Subnets page.

2. Configure the following settings:

Network – Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.

Netmask – Enter a network mask that specifies the size of the subnet when combined with the network field.

Gateway – Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone: NITO must be able to route to the gateway device for the subnet to be successfully configured, so the gateway address must be on a network that NITO is directly attached to.

Metric – Enter a router metric. This sets the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.
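As an added illustration of how the Gateway and Metric fields interact (example code written for this section, not Nomadix's own), the following Python models a small subnet rule table: it checks that each gateway lies on a network NITO is directly attached to, as the Gateway description requires, and then picks the rule that carries traffic to a given destination. The longest-prefix-first, then lowest-metric ordering is ordinary Linux routing behaviour and is an assumption here, not something the guide states; the zone, addresses and rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SubnetRule:
    """One row of the Networking > Routing > Subnets page."""
    network: str          # Network field
    netmask: str          # Netmask field (dotted decimal or prefix length)
    gateway: str          # Gateway field: must be on a directly attached network
    metric: int = 0       # 0 is the highest priority and the default for new routes
    enabled: bool = True

    def prefix(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.network}/{self.netmask}", strict=False)


def validate_rule(rule: SubnetRule, attached: List[str]) -> Optional[str]:
    """Return None when the rule is acceptable, otherwise the reason it cannot work.

    The guide requires the gateway to be an address on a network NITO is directly
    attached to; a gateway anywhere else cannot be reached without another route.
    """
    gw = ipaddress.ip_address(rule.gateway)
    if not any(gw in ipaddress.ip_network(n, strict=False) for n in attached):
        return f"gateway {rule.gateway} is not on a directly attached network"
    if rule.metric < 0:
        return "metric must be 0 or greater"
    return None


def select_route(destination: str, rules: List[SubnetRule]) -> Optional[SubnetRule]:
    """Pick the enabled rule that carries traffic to `destination`.

    Assumed ordering (standard kernel behaviour, not spelled out by the guide): the
    most specific matching prefix wins; among equal prefixes the lowest metric wins.
    Returns None when no subnet rule matches, i.e. the default route applies.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in rules if r.enabled and dst in r.prefix()]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix().prefixlen, r.metric))


# Constructed sample data: one internal zone and three subnet rules behind it.
ATTACHED_NETWORKS = ["192.168.10.0/24"]
RULES = [
    SubnetRule("10.20.0.0", "255.255.0.0", "192.168.10.254", metric=0),    # whole site
    SubnetRule("10.20.5.0", "255.255.255.0", "192.168.10.253", metric=0),  # one floor, more specific
    SubnetRule("10.20.0.0", "16", "192.168.10.252", metric=5),             # backup path, lower priority
]
BAD_RULE = SubnetRule("10.30.0.0", "255.255.0.0", "172.16.0.1")  # gateway is not directly attached


if __name__ == "__main__":
    for r in RULES + [BAD_RULE]:
        print(r.network, validate_rule(r, ATTACHED_NETWORKS) or "ok")
    for dst in ("10.20.5.7", "10.20.9.1", "10.99.0.1"):
        chosen = select_route(dst, RULES)
        print(dst, "->", chosen.gateway if chosen else "no subnet rule")
```

Running the script shows the more specific /24 rule winning for 10.20.5.7, the metric 0 rule winning over the metric 5 backup for the rest of 10.20.0.0/16, and the rule with the unreachable gateway being rejected before it is ever added.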

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.

NITO’s RIP service can:

• Operate in import, export or combined import/export mode

• Support password and MD5 authentication

• Export direct routes to the system’s internal interfaces.

To configure the RIP service:

1. Navigate to the Networking > Routing > RIP page.

2. Configure the following settings:

Enabled – Select to enable the RIP service.

Scan interval – From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.

Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval or the suitability of the RIP service for propagating routing information.

Direction – From the drop-down menu, select how to manage routing information. The following options are available:

Import and Export – The RIP service will add and update its routing table from information received from other RIP-enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP-enabled gateways.

Import – The RIP service will add and update its routing table from information received from other RIP-enabled gateways.

Export – The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.

Logging level – From the drop-down menu, select the level of logging.

RIP interfaces – Select each interface that the RIP service should import/export routing information to/from.

Authentication – Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:

None – In this mode, routing information can be imported and exported between any RIP device. We do not recommend this option from a security standpoint.

Password – In this mode, a plain text password is specified which must match other RIP devices.

MD5 – In this mode, an MD5 hashed password is specified which must match other RIP devices.

Password – If Password is selected as the authentication method, enter a password for RIP authentication.

Again – If Password is selected as the authentication method, re-enter the password to confirm it.

Direct routing interfaces – Optionally, select interfaces whose information should also include routes to the RIP service’s own interfaces when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3. Click Save.

Sources

The Sources page is used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active.

Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external interface.

To create a source rule:

1. Navigate to the Networking > Routing > Sources page.

2. Configure the following settings:

Source IP or network – Enter the source IP or subnet range of internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 35.

Internal interface – From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.

External interface – From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.

Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.

Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.

Comment – Optionally, enter a description for the source rule.

Enabled – Select to activate the rule.

3. Click Add.

Removing a Rule

To remove one or more rules:

1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:

1. Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.

2. Alter the configuration values as necessary, and click Add.

About IP Address Definitions

Single or multiple IP addresses can be specified in a number of different manners:

• IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1

• IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255

• IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255.

Ports

The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.

Note: The rules specified on the Sources page are always examined first, so traffic is only matched against the ports rules if it does not first match a sources rule. For more information, see Sources on page 34.

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.

To create a ports rule:

1. Navigate to the Networking > Routing > Ports page.

2. Configure the following settings:

Protocol – From the drop-down menu, select the protocol the traffic uses.

Service – From the drop-down menu, select the service, port range or group of ports.

Port – If the service is user defined, enter the port number.

External interface – From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface.

Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.

Comment – Enter a description of the rule.

Enabled – Select to make the rule active.

3. Click Add to create the rule. The rule is created and listed in the Current rules area.

Removing Rules

To remove one or more rules:

1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:

1. Select the rule in the Current rules area and click Edit.

2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.
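The Sources and Ports pages above describe one ordered decision: sources rules first, then ports rules, and only unmatched traffic goes to load balancing, with Exception always meaning the primary connection and no balancing. The following Python is an added example of that evaluation order (written for this guide, not NITO code). It assumes rules are tried in the order they appear in the Current rules table, and the interface names, rules and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

EXCEPTION = "Exception"        # the External interface option that pins traffic to the primary
PRIMARY = "primary"            # placeholder name for the primary external connection
POOL = "load-balancing pool"   # placeholder: the pool (or the primary, if no pool is enabled) decides


@dataclass(frozen=True)
class SourceRule:
    """One row of Networking > Routing > Sources."""
    source: str               # Source IP or network, e.g. "192.168.10.50" or "192.168.10.0/24"
    internal_interface: str   # Internal interface the traffic must arrive on
    external_interface: str   # External interface name, or EXCEPTION
    enabled: bool = True


@dataclass(frozen=True)
class PortRule:
    """One row of Networking > Routing > Ports (user-defined port form)."""
    protocol: str             # "tcp" or "udp"
    port: int
    external_interface: str   # External interface name, or EXCEPTION
    enabled: bool = True


@dataclass(frozen=True)
class Decision:
    interface: str
    load_balanced: bool       # False whenever a rule matched; Exception traffic is never balanced
    matched_by: str           # "source", "port" or "none"


def _pin(external_interface: str, matched_by: str) -> Decision:
    if external_interface == EXCEPTION:
        return Decision(PRIMARY, False, matched_by)
    return Decision(external_interface, False, matched_by)


def route_outbound(src_ip: str, internal_interface: str, protocol: str, port: int,
                   source_rules: List[SourceRule], port_rules: List[PortRule]) -> Decision:
    """Sources rules are examined first; ports rules only see traffic no sources rule claimed.

    Rules are tried in list order (assumed to mirror the Current rules table).
    Traffic matching nothing is left to load balancing.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in source_rules:
        if (rule.enabled and rule.internal_interface == internal_interface
                and src in ipaddress.ip_network(rule.source, strict=False)):
            return _pin(rule.external_interface, "source")
    for rule in port_rules:
        if rule.enabled and rule.protocol == protocol.lower() and rule.port == port:
            return _pin(rule.external_interface, "port")
    return Decision(POOL, True, "none")


# Constructed sample rules: one host exempted, the rest of its subnet pinned to eth3,
# and all SMTP pinned to eth2 (mirroring the guide's own SMTP example).
SOURCE_RULES = [
    SourceRule("192.168.10.50", "eth1", EXCEPTION),
    SourceRule("192.168.10.0/24", "eth1", "eth3"),
]
PORT_RULES = [PortRule("tcp", 25, "eth2")]

if __name__ == "__main__":
    for args in (("192.168.10.50", "eth1", "tcp", 25),
                 ("192.168.10.7", "eth1", "tcp", 443),
                 ("10.0.0.5", "eth2", "tcp", 25),
                 ("10.0.0.5", "eth2", "udp", 53)):
        print(args, "->", route_outbound(*args, SOURCE_RULES, PORT_RULES))
```

The first sample packet is the interesting one: it is SMTP, which the ports rule would send to eth2, but the sources rule for that host is examined first and wins, so the mail goes out via the primary and is never load balanced.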

Creating an External Alias Rule

NITO enables you to associate multiple public IP addresses with a single NITO by creating external aliases. An external alias binds an additional public IP address to Nomadix System’s external interface.

To create an external alias rule:

1. Navigate to the Networking > Interfaces > External aliases page.

2. Configure the following settings:

External interface – From the drop-down list, select the external interface to which you want to bind an additional public IP address.

Select – Click to select the interface.

Connectivity profile – Used to determine when the external alias is active. Options include:

All – The external alias will always be active, irrespective of the currently active connection profile.

Named connection profile – The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.

Alias IP – Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.

Netmask – Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.

Comment – A field used to assign a helpful message describing the external alias rule.

Enabled – Determines whether the external alias rule is currently active.

3. Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules

To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases

NITO extends your system’s port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias.

No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule

NITO enables you to map internal hosts to an external IP alias, instead of the default, real external IP, by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address.

A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address, i.e. the NITO default external IP is not the MX for the email domain.

This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.

To create a source mapping rule:

1. Navigate to the Networking > Firewall > Source mapping page.

2. Configure the following settings:

Source IP – Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, entering 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.

Alias IP – From the drop-down list, select the external alias that outbound communication is mapped to.

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3. Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules

To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.


Managing Internal Aliases

NITO can be configured to create internal aliases for each installed NIC. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone.

Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Internal alias rules are used to create such bindings on an internal network interface, thus enabling it to route packets to and from IP addresses on a virtual subnet – without the need for physical switches.

Note: No services will run on the alias IP.

Note: Use of this feature is not normally recommended for the following reasons:

• No physical separation – Internal aliases should not be considered as a substitute for physically separating multiple networks. Network users can join a logical subnet by changing their IP address.

• No DHCP service – DHCP servers cannot serve a logical subnet, as it is impossible for it to know which subnet (physical or logical) that the client should be on.

• No direct DNS or proxy access – The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface – this is not the case when an alias is in use.

Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule

To create an internal alias rule:

1. Navigate to the Interfaces > Internal aliases page.

2. Configure the following settings:

Interface – From the drop-down menu, select the internal interface on which to create the alias.

IP address – Enter an IP address for the internal alias.

Netmask – Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3. Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules

To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces

The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface will operate independently of the primary external interface, NATing its own outbound traffic.

Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface

Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:

1. Navigate to the Networking > Interfaces > Secondaries page.

2. Configure the following settings:

Secondary external interface – From the drop-down list, select the interface you want to use as the secondary external interface.

Select – Click to select the interface.

Address – Enter the IP address.

Netmask – Enter the netmask.

Default gateway – Enter the default gateway.

Enabled – Select to enable the interface.

Primary failover ping IP – Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.

Secondary failover ping IP – Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.

Load balance outgoing traffic – Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.

Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic – Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool.

Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.

Weighting – Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:

• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.

• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.

• A connection weighted 2 will be given twice as much load as a connection weighted 1.

The weighting value is especially useful for load balancing external connections of differing speeds.

3. Click Save to save your settings and enable the secondary external interface.
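The failover ping rules (both configured ping IPs must fail before a secondary is taken out of service, as described for the global settings at the start of this chapter and again in the Secondaries table) and the Weighting ratios combine into one pool decision. The following Python is an added example of that logic, written for this guide rather than taken from NITO. The guide only promises the proportions, so the smooth weighted round-robin scheduler used to realise them is an assumption, as are the connection names, weights and ping results, which are constructed sample data.

```python
import collections
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExternalConnection:
    name: str
    weighting: int = 1            # Weighting field: proportional share of the pool's load
    in_pool: bool = True          # Load balance outgoing traffic tick-box
    primary_ping_ok: Optional[bool] = None    # last Primary failover ping IP result (None = not configured)
    secondary_ping_ok: Optional[bool] = None  # last Secondary failover ping IP result (None = not configured)

    def failed(self) -> bool:
        """A connection is declared down only when every configured failover ping IP is unreachable."""
        results = [r for r in (self.primary_ping_ok, self.secondary_ping_ok) if r is not None]
        return bool(results) and not any(results)


def active_pool(primary: ExternalConnection,
                secondaries: List[ExternalConnection]) -> List[ExternalConnection]:
    """Failed secondaries leave the pool; an empty pool means everything goes out via the primary."""
    pool = [primary] if primary.in_pool else []
    pool += [s for s in secondaries if s.in_pool and not s.failed()]
    return pool or [primary]


class WeightedBalancer:
    """Smooth weighted round-robin: over any sum(weights) picks each member gets exactly its weight.

    The scheduling algorithm is an assumption; the guide specifies only the resulting proportions.
    """

    def __init__(self, pool: List[ExternalConnection]):
        self.pool = pool
        self.current: Dict[str, int] = {c.name: 0 for c in pool}

    def pick(self) -> str:
        total = sum(c.weighting for c in self.pool)
        for c in self.pool:
            self.current[c.name] += c.weighting
        best = max(self.pool, key=lambda c: self.current[c.name])
        self.current[best.name] -= total
        return best.name


def distribute(pool: List[ExternalConnection], flows: int) -> Dict[str, int]:
    """Count how many of `flows` new outbound flows each pool member would receive."""
    balancer = WeightedBalancer(pool)
    return dict(collections.Counter(balancer.pick() for _ in range(flows)))


# Constructed sample: a fast primary, a slow secondary with one ping IP down, and a
# secondary whose ping IPs are both unreachable.
PRIMARY = ExternalConnection("primary", weighting=10)
SLOW_SECONDARY = ExternalConnection("secondary-a", weighting=1,
                                    primary_ping_ok=False, secondary_ping_ok=True)
DEAD_SECONDARY = ExternalConnection("secondary-b", weighting=6,
                                    primary_ping_ok=False, secondary_ping_ok=False)

if __name__ == "__main__":
    pool = active_pool(PRIMARY, [SLOW_SECONDARY, DEAD_SECONDARY])
    print([c.name for c in pool], distribute(pool, 22))
```

With these inputs secondary-a stays in the pool (only one of its two ping IPs failed) and receives one flow in eleven, matching the 10:1 weighting, while secondary-b is dropped and its traffic falls back to the primary.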

5

General Network Security Settings

In this chapter:

• Using IP blocking to block source IPs and networks

• Reviewing network interface information

• Fine-tuning network communications using the advanced networking features

• Creating groups of ports for use throughout NITO.

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware.

IP block rules can also operate in an exception mode – allowing traffic from certain source IPs or network addresses to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.

To create an IP block rule:

1. Navigate to the Networking > Filtering > IP block page.

2. Configure the following settings:

Source IP or network – Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:

• An individual network host, enter its IP address, for example: 192.168.10.1.

• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.

• A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Destination IP or network – Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:

• An individual network host, enter its IP address, for example: 192.168.10.1.

• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.

• A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 19

Drop packet – Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.

Reject packet – Select to cause an ICMP Connection Refused message to be sent back to the originating IP, and no communication will be possible.

Exception – Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.

Log – Select to log all activity from this IP.

Comment – Optionally, describe the IP block rule.

Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features

NITO’s advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.

To configure advanced networking features:

1. Navigate to the Networking > Settings > Advanced page.

2. Configure the following settings:

Block ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.

Block ICMP ping – Select to block all ICMP ping requests going to or through NITO. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.

Enable SYN cookies – Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS attack.

Block and ignore IGMP packets – Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.

Block and ignore multicast traffic – Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.

ARP table size – You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the dropdown. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of NITO's network interfaces.

Connection tracking table size – Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table’s maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient – use this field to configure a larger size.

SYN backlog queue size – Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

3. Click Advanced to access the following settings:

Block SYN+FIN packets – Select to automatically discard packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable TCP timestamps – Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.

Enable selective ACKs – Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.

Enable window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.

Enable ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.

4. Click Save to enable the settings you have selected.

Enabling Traffic Auditing

Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.

To activate a particular traffic auditing feature:

1. Navigate to the Networking > Settings > Advanced page.

2. Click Advanced to access the Traffic auditing area and configure the following settings:

Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall.

Direct outgoing traffic – Select to log all new connections from any interface.

Forwarded traffic – Select to log all new connections passing through one interface to another.

3. Click Save.

Note: Traffic auditing can potentially generate vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.

Note: Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout NITO. Creating port groups significantly reduces the number of rules needed and makes rules more flexible.

For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:

1. Navigate to the Networking > Settings > Port groups page.

2. In the Port groups area, click New and configure the following settings:

Group name – Enter a name for the port group and click Save.

Name – Enter a name for the port or range of ports you want to add to the group.

Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by :, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.

Comment – Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:

1. Navigate to the Networking > Settings > Port groups page.

2. Configure the following settings:

Port groups – From the drop-down list, select the group you want to add a port to and click Select.

Name – Enter a name for the port or range of ports you want to add to the group.

Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by :, for example: 1024:65535.

Comment – Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or range is added to the group.

Editing Port Groups

To edit a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.

Note: Deleting a port group cannot be undone.


6 Configuring Inter-Zone Security

In this chapter:

• How bridging rules allow access between internal network zones.

About Zone Bridging Rules

By default, all internal network zones are isolated by NITO. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.

A zone bridging rule defines a bridge in the following terms:

Zones – Defines the two network zones between which the bridge exists.

Direction – Defines whether the bridge is accessible one-way or bi-directionally.

Source – Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.

Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.

Service – Defines what ports and services can be used across the bridge.

Protocol – Defines what protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol.

In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks.


To create a zone bridging rule:

1. Navigate to the Networking > Filtering > Zone bridging page.

2. Configure the following settings:

Source interface – From the drop-down menu, select the source network zone.

Destination interface – From the drop-down menu, select the destination network zone.

Bidirectional – Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.

Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Source IP – Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:

• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.

Destination IP – Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:

• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.

Service – From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.

Port – If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.

Comment – Enter a description of the bridging rule.

Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use the following two local network zones:

Protected network (IP address 192.168.100.0/24) – Contains local user workstations and confidential business data.

DMZ (IP address 192.168.200.0/24) – Contains a web server.

Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, we will create a DMZ that:

• Allows restricted external access to a web server in the DMZ, from the Internet.
• Does not allow access to the protected network from the DMZ.
• Allows unrestricted access to the DMZ from the protected network.

A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface – From the drop-down menu, select the protected network.

Destination interface – From the drop-down menu, select the DMZ.

Protocol – From the drop-down list, select All.

Comment – Enter a description of the rule.

Enabled – Select to activate the bridging rule once it has been added.

2. Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1. Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:

Protocol – From the drop-down list, select TCP.

Destination IP – Enter the IP address of the web server: 192.168.200.10.

Source – From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.

Comment – Enter a description, such as Port forward to DMZ web server.

Enabled – Select to activate the port forward rule once it has been added.

2. Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones.

As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface – From the drop-down menu, select DMZ.

Destination interface – From the drop-down menu, select Protected Network.

Protocol – From the drop-down menu, select TCP.

Source IP – Enter the web server’s IP address: 192.168.200.10

Destination IP – Enter the database’s IP address: 192.168.100.50

Service – Select User defined.

Port – The database service is accessed on port 3306. Enter 3306.

Comment – Enter a comment: DMZ web server to Protected Network DB.

Enabled – Select Enabled to activate the bridging rule once it has been added.

2. Click Add.
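The following Python model is added here as an example; it is not NITO's code, and the evaluation logic is an assumption drawn from the guide's descriptions. It parses the address notation used by IP block, zone bridging and group bridging rules (single address, dash range, subnet with dotted mask or prefix, blank for any host) and evaluates the tutorial's two rules against sample connections; the workstation address 192.168.100.20 is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Zones from the tutorial (constructed here to match the guide's table).
ZONES = {
    "Protected": ipaddress.ip_network("192.168.100.0/24"),
    "DMZ": ipaddress.ip_network("192.168.200.0/24"),
}


def address_matches(spec, ip):
    """Match ip against the guide's address notation: blank (any host in the
    zone), a single address, a dash-separated range, or a subnet written with
    either a dotted mask (192.168.10.0/255.255.255.0) or a prefix (/24)."""
    addr = ipaddress.ip_address(ip)
    if not spec:
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def port_matches(spec, port):
    """Blank means all ports for the protocol; otherwise one port or an A:B range."""
    if not spec:
        return True
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        return lo <= port <= hi
    return port == int(spec)


def zone_of(ip):
    """Name of the zone containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


@dataclass
class BridgeRule:
    src_zone: str
    dst_zone: str
    protocol: str = "All"      # "All" or a specific protocol such as "TCP"
    src_ip: str = ""           # blank: any host in src_zone
    dst_ip: str = ""           # blank: any host in dst_zone
    port: str = ""             # blank: all ports for the protocol
    bidirectional: bool = False
    enabled: bool = True

    def _permits(self, src, dst, proto, port):
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and self.protocol in ("All", proto)
                and address_matches(self.src_ip, src)
                and address_matches(self.dst_ip, dst)
                and port_matches(self.port, port))

    def allows(self, src, dst, proto, port):
        """True if this rule lets a connection src -> dst be initiated."""
        if not self.enabled:
            return False
        if self._permits(src, dst, proto, port):
            return True
        # A bidirectional bridge also accepts connections initiated from the
        # destination side, so the rule is checked with the endpoints swapped.
        return self.bidirectional and self._permits(dst, src, proto, port)


def bridged(rules, src, dst, proto, port):
    """Zones are isolated by default: a connection between two different zones
    passes only if some enabled rule permits it. Traffic that stays inside one
    zone is not subject to bridging rules at all."""
    s_zone, d_zone = zone_of(src), zone_of(dst)
    if s_zone is not None and s_zone == d_zone:
        return True
    return any(r.allows(src, dst, proto, port) for r in rules)


# The two rules the tutorial creates, in the order it creates them.
TUTORIAL_RULES = [
    # Protected -> DMZ, all protocols, one-way (Bidirectional not selected).
    BridgeRule("Protected", "DMZ"),
    # DMZ web server -> Protected Network database, TCP port 3306 only.
    BridgeRule("DMZ", "Protected", protocol="TCP",
               src_ip="192.168.200.10", dst_ip="192.168.100.50", port="3306"),
]

if __name__ == "__main__":
    # 192.168.100.20 is a constructed workstation address in the protected zone.
    for conn in [("192.168.100.20", "192.168.200.10", "TCP", 80),
                 ("192.168.200.10", "192.168.100.50", "TCP", 3306),
                 ("192.168.200.10", "192.168.100.20", "TCP", 445)]:
        print(conn, "allowed" if bridged(TUTORIAL_RULES, *conn) else "blocked")
```

The third connection shows the narrow second rule doing its job: the web server reaches the database on 3306 but nothing else in the protected network.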

Group Bridging

By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone.

Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:

Group – The group of users from the authentication sub-system that may access the bridge.

Zone – The destination network zone.

Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.

Service – Defines what ports and services can be used across the bridge.

Protocol – Defines what protocol can be used across the bridge.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol).

In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

Group Bridging and Authentication

Group bridging uses the core authentication mechanism, meaning that users must be pre-authenticated before group bridging rules can be enforced by NITO.

Users can authenticate themselves using the authentication system’s Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page.

Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 14, Authentication and User Management on page 177.

Creating Group Bridging Rules

Group bridging rules apply additional zone communication rules to authenticated users.

To create a group bridging rule:

1. Navigate to the Networking > Filtering > Group bridging page.

2. Configure the following settings:

Groups – From the drop-down menu, select the group of users that this rule will apply to.

Select – Click to select the group.

Destination interface – Select the interface that the group will be permitted to access.

Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:

• A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
• A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.

Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Service – From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.

Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges

To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.


7 Managing Inbound and Outbound Traffic

In this chapter:

• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards – Inbound Security

Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone.

It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

Port Forward Rules Criteria

Port forward rules can be configured to forward traffic based on the following criteria:

External IP – Forward traffic if it arrived at a particular external interface or external alias.

Source IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.

Port – Forward traffic if it was destined for a particular port or range of ports.

Protocol – Forward traffic if it uses a particular protocol.

Destination IP – A port forward will send traffic to a specific destination IP.

Destination port – A port forward will send traffic to a specific destination port.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.


Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it.

Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network.

For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, i.e. a DMZ scenario.

Creating Port Forward Rules

To create a port forward rule:

1. Navigate to the Networking > Firewall > Port forwarding page.

2. Configure the following settings:

Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward a HTTP request, which is a TCP-based protocol, choose the TCP option.

External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.

Log – Select to log all port forwarded traffic.

Source IP – Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.

Source service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined. Note: Only applies to the protocols TCP and UDP.

User defined – If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.

Destination IP – Enter the IP address of the network host to which traffic should be forwarded.

Destination service – From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.

User defined – If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.

Comment – Enter a description of the port forward rule.

Enabled – Select to enable the rule.

3. Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic

NITO enables you to load balance port forwarded traffic to different network hosts.

To load balance port forwards:

1. On the Networking > Firewall > Port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 60 for more information.

2. On the Networking > Firewall > Port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host.

NITO automatically balances the traffic between the hosts.
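An added Python example, not NITO's code, of how a port forward's destination port is resolved from the Source service and Destination service fields described above (blank destination port reuses the incoming port; a single destination port is the target for a whole source range) and how two rules that differ only in destination IP share the load. Round-robin selection and the second host 192.168.2.61 are assumptions; the guide only says the traffic is balanced.

```python
from dataclasses import dataclass


def port_range(spec):
    """One port ("80") or the guide's A:B notation ("1000:1028") -> (low, high)."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo, hi


@dataclass
class PortForward:
    protocol: str               # "TCP" or "UDP"
    source_service: str         # port or A:B range the connection arrived on
    destination_ip: str         # internal host the traffic is sent to
    destination_port: str = ""  # blank: reuse the port the connection came in on
    enabled: bool = True

    def matches(self, protocol, incoming_port):
        lo, hi = port_range(self.source_service)
        return self.enabled and protocol == self.protocol and lo <= incoming_port <= hi

    def target_port(self, incoming_port):
        """Apply the guide's rule for a blank destination port: the connection is
        sent to the same port it arrived on. A single destination port is used as
        the target for every port covered by the source service."""
        if not self.destination_port:
            return incoming_port
        lo, hi = port_range(self.destination_port)
        if lo != hi:
            raise ValueError("destination service must be a single port")
        return lo


def forward(rules, protocol, incoming_port, state):
    """Resolve one inbound connection to (destination_ip, destination_port), or
    None when no rule matches. Rules that share every setting except the
    destination IP form a balancing group; `state` remembers the round-robin
    position per group (round-robin is an assumption, see the lead-in)."""
    matching = [r for r in rules if r.matches(protocol, incoming_port)]
    if not matching:
        return None
    first = matching[0]
    key = (first.protocol, first.source_service, first.destination_port)
    group = [r for r in matching
             if (r.protocol, r.source_service, r.destination_port) == key]
    chosen = group[state.get(key, 0) % len(group)]
    state[key] = state.get(key, 0) + 1
    return chosen.destination_ip, chosen.target_port(incoming_port)


if __name__ == "__main__":
    # The guide's example: port 80 TCP forwarded to port 81 on 192.168.2.60,
    # plus a constructed second host 192.168.2.61 to show load balancing.
    rules = [PortForward("TCP", "80", "192.168.2.60", "81"),
             PortForward("TCP", "80", "192.168.2.61", "81")]
    state = {}
    for _ in range(4):
        print(forward(rules, "TCP", 80, state))
```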

Editing and Removing Port Forward Rules

To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings

The following sections explain network application helpers, how you can manage bad traffic actions and reflective port forwarding.

Network Application Helpers

NITO includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.

To activate helper applications:

1. Navigate to the Networking > Firewall > Advanced page.

The following helper applications are available:

FTP – IP information is embedded within FTP traffic; this helper application ensures that FTP communication is not adversely affected by the firewall.

IRC – IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.

Advanced:

PPTP client support – When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.

H323 – When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.

To enable a helper application:

1. In the Network application helpers area, select the application(s) you require.
2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs NITO in a stealth-like manner and makes things like port scans much harder to do.
3. Click Save.

Managing Bad External Traffic

By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do.

Using the Bad external traffic action option, you can drop traffic silently which enables you to ‘stealth’ your firewall and make things like port scans much harder to do.

To manage bad external traffic:

1. Navigate to the Networking > Firewall > Advanced page.
2. From the Bad external traffic action drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to keep the default behavior, that is, reject the traffic and notify the sender.
3. Click Save to implement your selection.

Configuring Reflective Port Forwards

By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network.

This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.

To configure reflective port forwards:

1. Navigate to the Networking > Firewall > Advanced page.
2. Select Reflective port forwards and click Save.

Outbound Access

The following sections discuss outbound port and source rules.

Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts and networks using source rules.

Port Rule Modes

Port rules can operate in one of two modes:

Permissive – Reject only outbound requests to the named ports.

Restrictive – Allow only outbound requests to the named ports.
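An added Python example (not NITO's code) that evaluates outbound requests against a port rule in each of the two modes, including the Rejection logging and Stealth mode options described under Creating a Port Rule below, with entries written in the A:B range notation used throughout the guide. How stealth mode logs is an assumption (it logs what would otherwise have been rejected), and the port numbers given for the Basic services and MS ports presets are constructed, as the guide does not list them.

```python
from dataclasses import dataclass, field


def port_range(spec):
    """One port ("80") or the guide's A:B range ("1024:65535") -> (low, high)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


@dataclass
class PortRule:
    name: str
    mode: str   # "Permissive" (reject only listed) or "Restrictive" (allow only listed)
    entries: list = field(default_factory=list)   # (protocol, port spec) pairs
    rejection_logging: bool = False               # log requests this rule rejects
    stealth: bool = False                         # log, but do not reject

    def listed(self, protocol, port):
        """True if the request's protocol and port appear in the rule's entries."""
        for proto, spec in self.entries:
            lo, hi = port_range(spec)
            if proto == protocol and lo <= port <= hi:
                return True
        return False

    def decide(self, protocol, port):
        """Evaluate one outbound request. Returns (allowed, log_line); log_line
        is None when the request generates no log entry."""
        if self.mode == "Permissive":
            reject = self.listed(protocol, port)
        elif self.mode == "Restrictive":
            reject = not self.listed(protocol, port)
        else:
            raise ValueError(f"unknown port rule mode: {self.mode!r}")
        log = None
        if reject and (self.rejection_logging or self.stealth):
            verb = "would be rejected (stealth mode)" if self.stealth else "rejected"
            log = f"port rule {self.name}: outbound {protocol}/{port} {verb}"
        # In stealth mode the request is logged but still allowed through.
        return (not reject) or self.stealth, log


# The two fixed presets expressed in the same terms: "Allow all" is a permissive
# rule that lists nothing, "Reject all" a restrictive rule that lists nothing.
ALLOW_ALL = PortRule("Allow all", "Permissive")
REJECT_ALL = PortRule("Reject all", "Restrictive")

# Constructed approximations of two customizable presets; the guide names the
# services they cover but not the port lists, so these numbers are assumptions.
BASIC_SERVICES = PortRule("Basic services", "Restrictive",
                          [("TCP", "80"), ("TCP", "443"), ("TCP", "110"), ("UDP", "53")],
                          rejection_logging=True)
MS_PORTS = PortRule("MS ports", "Permissive", [("TCP", "135:139"), ("TCP", "445")])

if __name__ == "__main__":
    for rule in (ALLOW_ALL, REJECT_ALL, BASIC_SERVICES, MS_PORTS):
        print(rule.name, rule.decide("TCP", 443), rule.decide("TCP", 445))
```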


Preset Port Rules

NITO supports a maximum of 20 port rule sets, of which the following preset rules are installed by default and can be customized:

MS ports – Ports commonly associated with Microsoft Windows such as SMB (NetBIOS), Active Directory etc.

Known exploits – Ports associated with many common exploits against a variety of programs and services, including many ports associated with malware attacks.

Basic services – Services common to most user computers, including web browsing (HTTP and HTTPS), email (POP3), DNS etc.

DMZ – Basic ports necessary for hosting servers in a DMZ network.

In addition, the following preset rules are included and cannot be customized:

Allow all – This port rule allows unrestricted access to the Internet.

Reject all – This port rule denies all outbound access to the Internet.

Creating a Port Rule

1.

To create a port rule:

Navigate to the Networking > Outgoing > Ports page.

64

Nomadix NITO

User Guide

2. Configure the following settings:

Port rules: From the drop-down menu, select Empty and click Select.

Port rule name: Enter a name for the port rule. This name will be displayed in the Port rules drop-down list and wherever the rule can be selected.

Reject only listed ports: Select to reject listed ports.

Allow only listed ports: Select to allow listed ports.

Rejection logging: Select if you want to log outbound requests rejected by this rule.

Note: This generates a lot of data and should be used with care.

Stealth mode: Select if you want to log but not reject outbound requests.

Block Aimini: Select to block access to the Aimini network.

Block BitTorrent: Select to block the use of the BitTorrent protocol for P2P file transfers.

Block eDonkey: Select to block access to eDonkey and eMule P2P variants.

Block Filetopia: Select to block access to Filetopia.

Block Gnutella: Select to block access to the Gnutella and GnutellaNet P2P networks.

Block iMESH: Select to block access to iMESH.

Block KaZaA: Select to block access to the KaZaA P2P network.

Block Manolito: Select to block access to Manolito.

Block Pando: Select to block access to Pando.

Block SoulSeek: Select to block access to SoulSeek.

Block StealthNet: Select to block access to StealthNet.

Block WinMX: Select to block access to WinMX.

3. Click Save. The port rule is added to the Port rules drop-down list.

Note: The dedicated P2P blocking options are provided due to the nature of certain P2P software. Various P2P applications are port-aware and use a number of evasive techniques to circumvent regular outbound access controls. NITO is able to detect such activity when these options are activated, and ensure that P2P communication is completely blocked.

4. In the Add a new rule area, configure the following settings:

Protocol: From the drop-down menu, select a network protocol to add to the port rule.

Service: From the drop-down menu, select the service, port, port range or group of ports you want to allow or deny, depending on the rule you are creating. Select User defined to be able to specify a specific port number in the User defined port or range field.

Port: Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

5. Click Add. The rule is added to the Current rules region.

Editing a Port Rule

To edit an existing port rule:

1. Navigate to the Networking > Outgoing > Ports page.

2. Choose the port rule that you wish to edit from the Port rules drop-down list.

3. Click Select to display the port rule and make any changes to the port rule settings using the controls in the Port rules region.

4. Click Save in the Port rules region.

Editing and Removing Protocols and Ports

To edit or remove existing protocols and ports for a port rule, use Edit and Remove in the Current rules region.

Deleting a Port Rule

To delete an existing port rule:

1. Navigate to the Networking > Outgoing > Ports page.

2. Select the port rule that should be deleted using the Port rules drop-down list from the Port rules region.

3. Click Delete.

Viewing a Port Rule

To display the contents of preset or custom port rules:

1. Navigate to the Networking > Outgoing > Ports page.

2. In the Port rules region, choose a set of port rules using the Port rules drop-down list. Click Select. The set of port rules and associated configuration are displayed in the Port rules and Current rules regions.

Source Rules

Source rules are used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or network with a preset or customized port rule.

When the source IP of an outbound packet originates from a host that is defined in a source rule, NITO checks that the packet does not break the port rules assigned to the host.

If the packet is destined for a banned port, the packet is rejected. If the packet is destined for an allowed port, the packet is allowed.

Note: Once a packet matches a source rule, it will not be subjected to further rule matching. Source rules cannot be stacked.

Configuring the Default Source Rule Settings

To create a source rule:

1. Navigate to the Networking > Outgoing > Sources page.

2. Configure the following settings:

Default port rule: From the drop-down list, select the port rule to be applied to outbound packets originating from a source IP that has no matching source rule configured. This value is usually set to one of the preset catch-all port rules, either Allow all or Reject all. Selecting Allow all enables all hosts that are not matched by a source rule to initiate any kind of outbound communication. Selecting Reject all prevents all outbound communication from all non-matching hosts. Best practice is to select Reject all.

Rejection logging: Select to log all traffic rejected by the default or current list of source rules.

Stealth mode: Select to allow all traffic that would normally be rejected by the default port rule and log all traffic information in the firewall logs.

3. Click Save. In the Add a new rule area, configure the following settings:

Source IP or network: Enter the source IP or network that the selected port rule will affect. To apply the port rule to:

A specific host, enter its IP address.

A range of network hosts, enter an IP address range. For example, entering the value 192.168.10.10:50 will encompass the range of addresses from 192.168.10.10 to 192.168.10.50.

A subnet, enter a source IP and network mask. For example, 192.168.10.0/255.255.255.0 will encompass the range of addresses from 192.168.10.0 to 192.168.10.255.

Port rule: From the drop-down list, select the port rule to apply.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

4. Click Add. The source rule is added to the Current rules table.
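The matching order described above (first matching source rule decides, no stacking, default port rule otherwise), as an added Python model that is not NITO's own code: it parses the Source IP or network forms shown in the table and the from:to port notation, and also accepts the a-b address range form used later for location objects. The "Basic services" entries, the sample source rules and the addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    """A NITO port rule: its name, its mode and the (protocol, low, high) entries it lists."""
    name: str
    restrictive: bool          # True: "Allow only listed ports"; False: "Reject only listed ports"
    entries: tuple = ()        # e.g. (("tcp", 80, 80), ("tcp", 1024, 2048))

    def allows(self, proto: str, port: int) -> bool:
        listed = any(p == proto and lo <= port <= hi for p, lo, hi in self.entries)
        return listed if self.restrictive else not listed


# The two fixed presets: an empty permissive rule rejects nothing, an empty restrictive rule allows nothing.
ALLOW_ALL = PortRule("Allow all", restrictive=False)
REJECT_ALL = PortRule("Reject all", restrictive=True)


def parse_port_spec(spec: str) -> tuple:
    """'443' -> (443, 443); '1024:2048' -> (1024, 2048), the guide's from:to notation."""
    lo, _, hi = spec.partition(":")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo_n, hi_n


def parse_source_spec(spec: str) -> tuple:
    """Inclusive (first, last) integer address range for a Source IP or network entry.

    Handles the three forms the Sources page documents (a host, a last-octet range such as
    192.168.10.10:50, a subnet with netmask such as 192.168.10.0/255.255.255.0), plus CIDR
    and the full a-b range form the Locations page uses (192.168.0.61-192.168.0.71).
    """
    if ":" in spec:
        base, _, last = spec.partition(":")
        first = ipaddress.IPv4Address(base)
        end = ipaddress.IPv4Address(".".join(base.split(".")[:3] + [last]))
    elif "-" in spec:
        a, _, b = spec.partition("-")
        first, end = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
    else:
        net = ipaddress.IPv4Network(spec, strict=False)   # host, CIDR or dotted netmask
        first, end = net.network_address, net.broadcast_address
    if end < first:
        raise ValueError(f"range end precedes start in {spec!r}")
    return int(first), int(end)


@dataclass(frozen=True)
class SourceRule:
    source: str
    port_rule: PortRule
    enabled: bool = True


def evaluate(src_ip: str, proto: str, port: int, source_rules, default_rule: PortRule):
    """Return (allowed, deciding_rule_name) for one outbound packet.

    The first enabled source rule whose range contains src_ip decides and no later rule is
    consulted (source rules cannot be stacked); the default port rule applies otherwise.
    """
    addr = int(ipaddress.IPv4Address(src_ip))
    for rule in source_rules:
        if rule.enabled:
            first, last = parse_source_spec(rule.source)
            if first <= addr <= last:
                return rule.port_rule.allows(proto, port), rule.port_rule.name
    return default_rule.allows(proto, port), default_rule.name


# Constructed sample configuration (not a real NITO export): a restrictive rule modelled on the
# "Basic services" preset for a range of hosts, with the rest of the /24 left unrestricted.
BASIC_SERVICES = PortRule("Basic services", restrictive=True, entries=(
    ("tcp",) + parse_port_spec("80"), ("tcp",) + parse_port_spec("443"),
    ("tcp",) + parse_port_spec("110"), ("udp",) + parse_port_spec("53"),
))
SOURCE_RULES = [
    SourceRule("192.168.10.10:50", BASIC_SERVICES),
    SourceRule("192.168.10.0/255.255.255.0", ALLOW_ALL),
]


def ordering_matters() -> bool:
    """The stacking caveat: listing the broader /24 rule first shadows the narrower one."""
    strict = evaluate("192.168.10.20", "tcp", 6881, SOURCE_RULES, REJECT_ALL)
    shadowed = evaluate("192.168.10.20", "tcp", 6881, list(reversed(SOURCE_RULES)), REJECT_ALL)
    return strict == (False, "Basic services") and shadowed == (True, "Allow all")


if __name__ == "__main__":
    for ip, proto, port in [("192.168.10.20", "tcp", 443), ("192.168.10.20", "tcp", 6881),
                            ("192.168.10.200", "tcp", 6881), ("10.0.0.5", "tcp", 80)]:
        print(ip, proto, port, evaluate(ip, proto, port, SOURCE_RULES, REJECT_ALL))
    print("ordering matters:", ordering_matters())
```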

Editing and Removing Source Rules

To edit or remove existing source rules, use Edit and Remove in the Current rules region.

Managing External Services

You can prevent local network hosts from using external services by creating appropriate source and port rules to stop outbound traffic.

To create an external service rule:

1. Navigate to the Networking > Outgoing > External services page.

2. Configure the following settings:

Service: Select Empty from the drop-down list.

Service rule name: Enter a name for the rule.

Protocol: Select the protocol used by the service.

Service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.

Port: If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.

Rejection logging: Select to log all traffic rejected by the external services rule.

Stealth mode: Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.

3. Click Save. In the Add a new rule area, configure the following settings:

Destination IP: Enter the IP address of the external service to which the rule applies.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

4. Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules

To edit or remove existing external service rules, use Edit and Remove in the Current rules area.

Assigning Rules to Groups

The Groups page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular authenticated group of users with a preset or customized port rule.

To assign rules to groups:

1. Navigate to the Networking > Outgoing > Groups page.

2. Select Enable authenticated groups.

3. Locate the authentication group in the Group rules area and choose its port rule from the adjacent Port rule drop-down list.

4. Click Save.

Note: Group rules cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and group rules cannot be applied.

In this case, only source rules will be applied. Group rules are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.


Deploying Web Filtering

In this chapter:

How to get content filtering up and running quickly

How to block or allow content immediately

Shortcuts to daily tasks

About NITO’s default web filter policies

About NITO’s default authentication policies.

Getting Up and Running

By default, NITO comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization.

The following section explains how to use these policies to get web filtering up and running quickly.

To get up and running:

1. On users’ computers, configure the web browser to use port 800 on NITO as the web proxy, i.e. non-transparent proxying.

2. Navigate to the Web proxy > Web proxy > Settings page.

3. Check that the Guardian option is enabled.

4. Scroll to the bottom of the page and click Save and Restart. NITO starts to provide web security.

5. On a user’s computer, browse to http://thepiratebay.se/. NITO blocks access to the site and displays a block page.

You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 9, Working with Policies on page 77.

Blocking and Allowing Content Immediately

NITO enables you to block or allow content immediately without having to create or edit a web filter policy.

To block or allow content immediately:

1. Browse to the Guardian > Quick links > Quick block/allow page.

2. Enter the URL to the content you want to block or allow.

3. Click Block or Allow depending on what you want. NITO immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists.

Blocking Locations

NITO enables you to block web-enabled resources at a specific location from accessing content.

To block a location:

1. Browse to the Guardian > Web filter > Location blocking page.

2. Locate the location and click Block. NITO blocks any web-enabled resources at that location from accessing web content. For more information on locations, see Chapter 9, Working with Location Objects on page 85.


Excepting Computers from Web Filtering

NITO enables you to except specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions

A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to NITO.

A source exception IP using a transparent connection requires no client browser configuration.

To configure a source exception:

1. Browse to the Guardian > Web filter > Exceptions page.

2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. NITO exempts the computer(s) from any web filtering.


Configuring Destination Exceptions

A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to NITO.

To configure a destination exception:

1. Browse to the Guardian > Web filter > Exceptions page.

2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. NITO exempts the computer(s) from any web filtering.


About Shortcuts

NITO provides a number of shortcuts to tasks you might carry out on a daily basis.

To access the shortcuts:

1. Browse to the Guardian > Quick links > Shortcuts page.

2. Click on a link to be taken to the task’s page.

About NITO’s Default Policies

The following sections discuss NITO’s default web filtering and authentication policies.

About the Default Web Filter Policies

NITO’s default web filter policies are:

Web filter policies – these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Chapter 9, Managing Web Filter Policies on page 88.

HTTPS inspection policies – these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Chapter 9, Managing HTTPS Inspection Policies on page 92.

Content modification policies – these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Chapter 9, Managing Content Modification Policies on page 97.

About the Default Authentication Policies

NITO comes with the following authentication policy ready for use:

Non-transparent authentication policy – any user’s browser configured to use NITO on port 800 as its web proxy will have this authentication policy applied to it. For information on creating more authentication policies, see Chapter 10, About Authentication Policies on page 105.


Working with Policies

In this chapter:

An overview of policies, what comprises them and what types of policy you can create

Working with objects that make up a policy

Configuring and managing policies.

An Overview of Policies

Policies determine how NITO handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:

Configuring custom policies based on your organization’s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 77

Configuring authentication policies; for more information, see Chapter 10, Creating Authentication Policies on page 105

Configuring users’ browsers or network connections to use NITO as their web proxy or default gateway; for more information, see Chapter 10, Connecting to NITO on page 115.

Types of Policies

NITO enables you to create the following types of policies:

Web filter policies – Web filter policies determine whether to allow, block, softblock or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 88

HTTPS inspection policies – when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to determine how to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 92

Content modification policies – Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Chapter 9, Managing Content Modification Policies on page 97.

How Policies are Applied

How NITO applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

Diagram: Applying Policies to a HTTP Web Request

Diagram: Applying Policies to a HTTPS Web Request

Guardian Getting Started

The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules.

NITO uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy.

To create a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.

2. In the Manage category groups area, configure the following settings:

Name: Enter a name for the category group.

Comment: Optionally, enter a comment to make it easier to remember what the category contains.

Content categories: Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available.

Tip: Click the Advanced view option to access more detailed information on the content.

3. Click Save. The category group object is saved and added to the list of groups of content available.

Defining Categories

You can define new categories of content for use in category group objects to suit your organization’s requirements.

To define a category:

1. Browse to the Guardian > Policy objects > User defined page.


2. Configure the following settings:

Name: Enter a name for the category.

Comment: Optionally, enter a comment describing the category.

Domains & URLs: Enter one domain or URL per line. For example: example.com

Do not include www. in URLs.

3. Optionally, click Advanced to access the following settings:

Search term filtering: Enter one search term, surrounded by delimiters, per line, for example:

( hardcore )

(xxx)

Spaces before and after a term are not removed, thus simplifying searching for whole words. Parentheses are required. You can use the following delimiters:

[] () {} <> ||

URL patterns: Enter one URL pattern per line, for example:

( adultsite|sexdream )

The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters:

[] () {} <> ||

Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example:

[ mysearchwith(abracket) ]

Headers to override: Here you can specify if NITO should use the requested site’s capability to override HTTP headers sent to it and redirect users to other content. For example, if a student tries to access inappropriate YouTube content, NITO can request YouTube to override the request and redirect them to YouTube Education. Also, if your organization uses Google Apps, you can configure NITO to request Google Apps to prevent users from accessing their personal Google accounts.

Note: To use YouTube Education, you must sign up for an account and obtain a key. See http://www.youtube.com/schools for instructions.

To request a redirect to YouTube Education, enter a value in this format:

X-YouTube-Edu-Filter: AbcdEfghIjklmnOpq_rstU

To request a restriction by Google Apps, enter a value in this format:

X-GoogApps-Allowed-Domains: example.org, example.net

Note: For a Google Apps restriction, HTTPS interception is required as Google Apps uses HTTPS throughout. For more information, see Managing HTTPS Inspection Policies on page 92.

File extensions: Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream, per line. You must include the dot (.) when entering file extensions.

4. Click Save. NITO creates the content category and makes it available on the Guardian > Policy objects > Category groups page.
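The delimiter syntax of the Search term filtering and URL patterns fields above, as an added Python model that is not NITO's own code: it strips one outer delimiter pair per line while keeping the inner spaces, then matches terms against a search query and patterns against a URL. The whole-word padding of the query and the treatment of |-separated alternatives as literal substrings are this model's assumptions; the sample entries are the ones the guide shows.

```python
# The delimiter pairs the User defined page accepts: [] () {} <> ||
DELIMITERS = {"[": "]", "(": ")", "{": "}", "<": ">", "|": "|"}


def is_valid_entry(line: str) -> bool:
    """True when the line opens with one of the delimiters and closes with its partner."""
    line = line.rstrip("\r\n")
    return len(line) >= 2 and line[0] in DELIMITERS and line[-1] == DELIMITERS[line[0]]


def strip_delimiters(line: str) -> str:
    """Return the text inside one delimited line; spaces inside the delimiters are kept."""
    if not is_valid_entry(line):
        raise ValueError(f"not wrapped in a matching delimiter pair: {line!r}")
    return line.rstrip("\r\n")[1:-1]


def parse_entries(text: str) -> list:
    """Parse a multi-line field holding one delimited entry per line (blank lines ignored)."""
    return [strip_delimiters(line) for line in text.splitlines() if line.strip()]


def search_term_hits(query: str, terms) -> list:
    """Terms found in the search query, case-insensitively.

    Assumption of this model: the query is padded with one space on each side, so a term
    written as ' word ' matches only as a whole word, while 'xxx' matches anywhere.
    """
    padded = f" {query.lower()} "
    return [t for t in terms if t.lower() in padded]


def url_pattern_hits(url: str, patterns) -> list:
    """Patterns where at least one |-separated alternative occurs in the URL.

    Assumption of this model: alternatives are literal substrings, which is why the bracket
    in '[ mysearchwith(abracket) ]' is matched as written; only the outer pair is syntax.
    """
    low = url.lower()
    hits = []
    for pattern in patterns:
        alternatives = [alt.strip().lower() for alt in pattern.split("|")]
        if any(alt and alt in low for alt in alternatives):
            hits.append(pattern)
    return hits


# Constructed field contents using the entries the guide shows (not a real NITO configuration).
SEARCH_TERMS = parse_entries("( hardcore )\n(xxx)\n")
URL_PATTERNS = parse_entries("( adultsite|sexdream )\n[ mysearchwith(abracket) ]\n")


if __name__ == "__main__":
    for q in ("free hardcore video", "hardcorefans", "XXX movies"):
        print(f"query {q!r}: {search_term_hits(q, SEARCH_TERMS)}")
    for u in ("http://www.sexdream.example/index.html",
              "http://search.example/?q=mysearchwith(abracket)"):
        print(f"url {u!r}: {url_pattern_hits(u, URL_PATTERNS)}")
```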


Editing Category Group Objects

You can edit category group objects to suit your organization’s requirements.

To edit a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.

2. From the Category groups list, select the object you want to edit and click Edit category group. NITO displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available.

Tip: Click the Advanced view option to access more detailed information on the content and sub-categories.

3. Select any new content you want to add to the object and de-select any content you want to remove from the object.

4. Click Save. NITO saves and applies the changes.

Deleting Category Group Objects

You can delete category group objects you no longer require.

To delete a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.

2. From the Category groups list, select the content category object you want to delete and click Delete category group. NITO deletes the object.

Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.


Working with Time Slot Objects

You can configure NITO to allow or stop users accessing the Internet during certain time periods depending on the time and day.

Creating a Time Slot

The following section explains how to create a time slot for use in a web filter policy.

To create a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page.

2. Configure the following settings:

Name: Enter a name for the time slot.

Comment: Optionally, enter a comment to help identify when the period is used.

3. In the time-table, click and drag to select the periods of time you want to include in the time slot.

4. Click Save. NITO creates the time slot and adds it to the list of time slots. It also makes the time slot available where applicable on the policy wizard pages for inclusion in policies.

Editing a Time Slot

The following section explains how to edit a time slot.

To edit a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.

2. Click the Edit time button. NITO displays the time slot in the time-table.

Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.

3. Make the changes you require and click Save. NITO makes the changes and saves the time slot.

Deleting a Time Slot

The following section explains how to delete a time slot.

To delete a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.

2. Click the Delete time button. NITO deletes the time slot.

Working with Location Objects

NITO enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet.

Creating a Location Object

To create a location object:

1. Browse to the Guardian > Policy objects > Locations page.

2. In the Manage location area, configure the following settings:

Name: Enter a name for the location object.

Addresses: Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:

For a computer, enter: 192.168.0.58

For a range of computers, enter: 192.168.0.61-192.168.0.71

For content identified by a hostname, enter: roaming_laptop

3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:

Exceptions: Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:

To make an exception for a computer, enter: 192.168.0.53

To make an exception for a range of computers, enter: 192.168.0.65-192.168.0.67

4. Click Save. NITO adds the resources to the location object and lists it in the Locations list.

Editing Location Objects

You can edit a location object.

To edit a location object:

1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button. NITO displays the settings.

2. Make the changes you require.

3. Click Save. NITO updates the resources in the location object and lists it in the Locations list.

Deleting Location Objects

You can delete location objects you no longer require.

Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.

To delete a location object:

1. Browse to the Guardian > Policy objects > Locations page.

2. In the Locations list, locate the location object you want to delete and click the Delete location button. NITO deletes the location object.

Working with Quota Objects

NITO’s quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left.

About the Default Quota Object

NITO comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00. You can edit the default quota but you cannot remove it – there must always be a default in case the quota action is used in a web filtering policy.

For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 89.

Creating Quota Objects

Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota and when the quota is reset.

To create a quota object:

1. Browse to the Guardian > Policy objects > Quotas page.

2. Click Create a new quota and configure the following settings:

Available users or groups: From the list, select the user(s) and/or group(s) to whom the quota will apply. Click Add.

Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them.

Duration: Move the slider to set the duration of the quota.

Prompt every: From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota.

Reset at: From the drop-down list, select when to reset the quota.

Enable quota: Select to enable the quota.

3. Click Save. NITO creates the quota and lists it on the Guardian > Policy objects > Quotas page.

4. Drag and drop the quota object to the correct position.

Note: Quotas are applied in the order listed on the Guardian > Policy objects > Quotas page. You must consider their position when using them. Take, for example, Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob’s responsibilities, he needs a quota of 120 minutes.

To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When NITO applies the web filtering policy to the Staff group, it will check for quotas and allow Bob 120 minutes while other people in the Staff group will get 60 minutes. If Bob’s quota object is listed below the Staff group’s quota object, Bob will get 60 minutes just like everyone else.

For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 89.

Editing Quota Objects

It is possible to edit a quota object’s settings.

To edit a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. NITO displays the settings.

2. Make the changes required. See Working with Quota Objects on page 86 for more information on the settings available.

3. Click Save. NITO edits and updates the quota and lists it on the Guardian > Policy objects > Quotas page.

Deleting Quota Objects

You can delete a quota object when it is no longer required.

To delete a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. NITO deletes the quota and removes it from the Guardian > Policy objects > Quotas page.

Managing Web Filter Policies

NITO processes web filter policies in order of priority, from top to bottom, until it finds content that matches. When it finds a match, NITO applies the action, block, allow, whitelist, soft block or limit to quota as configured in the policy.

You can review the default web filter policies on the Guardian > Web filter > Manage policies page and you can change the order by dragging and dropping policies in the list.

The following sections discuss how to create, edit and delete web filter policies.


Creating Web Filter Policies

1.

You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times or apply an acceptable usage policy (AUP) to meet your organization’s requirements.

To create a web filter policy:

Browse to the Guardian > Web filter > Policy wizard page.

2.

Complete the following steps:

Step

Step 1: Who

Step 2: What

Step 3: Where

Description

From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply.

Tip:

Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the

CTRL button down while selecting them.

Click Add and, when you have added all the users and/or groups, click Next to continue.

From the Available categories or category groups list, select what is to be filtered.

Tip:

Enter the name or part of the name and NITO will search for content that

matches. To select more than one type of content, hold the CTRL button

down while selecting it.

Click Add and, when you have selected all the content, click Next to continue.

From the Available locations list, select where the policy will apply.

Tip:

Enter the name or part of the name and NITO will search for locations that

match. To select more than one location, hold the CTRL button down while

selecting them.

Click Add and, when you have added the location(s), click Next to continue.

Step 4: When – From the Available time slots list, select when the policy will apply.

Tip: Enter the name or part of the name and NITO will search for time slots that match. To select more than one time slot, hold the CTRL button down while selecting them.

Click Add and, when you have added the time slot(s), click Next to continue.

Step 5: Action – Select one of the following actions to use when applying this policy:

Create policy folder – Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups.

Block – Select this action to block the selected content.

Allow – Select this action to allow the content.

NITO may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies.

Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of news article.

Whitelist – Select this action to whitelist the selected content.

When content is whitelisted, NITO does not examine it any further. Whitelisting is applied early on when NITO is checking URLs. Content which is whitelisted will not be subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist.

Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates.

Softblock – Select this action to soft-block the selected content.

Anyone trying to access the content will be prompted by NITO to confirm that they want to access it.

Limit to quota – Select this action to apply a quota when applying the policy.

When the policy is applied, NITO will check the quotas defined on the Guardian > Policy objects > Quotas page and limit access to the requested content based on the quota object’s settings.

Note: Any content being streamed or downloaded by a user will not be stopped when the user’s quota runs out.

Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.

3. Select Enable policy to enable the policy and click Confirm.

4. NITO displays the settings you have selected. Review them and click Save to create the policy. NITO creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order NITO should apply the policy.

5. Browse to the Guardian > Web filter > Manage policies page.

6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list of policies.

7. Click Save. NITO re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break.

Editing Web Filter Policies

You can edit an existing web filter policy to suit your organization’s requirements.

To edit a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.

2. Click the Edit policy button. NITO displays the policy settings on the Guardian > Web filter > Policy wizard page.

3. Make the necessary changes. See Creating Web Filter Policies on page 89 for more information on working with policies.

4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy. NITO updates the policy and makes it available on the Guardian > Web filter > Manage policies page.

Deleting Web Filter Policies

You can delete a web filter policy you no longer require.

To delete a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.

2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove. NITO deletes the policy.


Managing HTTPS Inspection Policies

The following sections discuss how to create, edit and delete HTTPS inspection policies.

HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS by configuring an inspection method for different user groups, destinations and locations.

NITO processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies in new positions.

NITO comes with three pre-configured HTTPS inspection policies which handle the following content:

• Online banking – when enabled, this policy allows end-users to do online banking without communications being decrypted and inspected

• All encrypted content accessed by unauthenticated IPs – when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access

• Certificate validation – enabled by default, this policy checks secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.

Enabling HTTPS Inspection Policies

The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page.

To enable HTTPS inspection policies:

1. Browse to the Guardian > HTTPS inspection > Manage policies page.

2. Locate the policy you want to enable, click on the Enabled button and select Enable.

3. Repeat the step above for any other policies you want to enable and then click Save. NITO enables the policies.

Note: When, for the first time, you enable an HTTPS inspection policy which decrypts and inspects content, NITO informs you that users’ browsers must have the NITO CA certificate in order for the policy to work. You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 96 for more information on how to import the certificate.


Creating an HTTPS Inspection Policy

When an HTTPS inspection policy is in place, NITO displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.

Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 95.

To create an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Policy wizard page.

2. Complete the following steps:

Step 1: Who – From the Available users or groups list, select who the policy will apply to.

Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them.

Click Add and, when you have added all the users and/or groups, click Next to continue.

Step 2: What – From the Available categories or category groups list, select what is to be inspected.

Tip: Enter the name or part of the name and NITO will search for content that matches. To select more than one type of content, hold the CTRL button down while selecting it.

Click Add and, when you have added all the categories or category groups, click Next to continue.

Step 3: Where – From the Available locations list, select where the policy will apply.

Tip: Enter the name or part of the name and NITO will search for locations that match. To select more than one location, hold the CTRL button down while selecting them.

Click Add and, when you have added the location(s), click Next to continue.

Step 4: When – From the Available time slots list, select when the policy will apply.

Tip: Enter the name or part of the name and NITO will search for time slots that match. To select more than one time slot, hold the CTRL button down while selecting them.

Click Add and, when you have added the time slot(s), click Next to continue.

Step 5: Action – Select one of the following actions to apply:

Create policy folder – Select this action when configuring NITO at a central installation where you need to create policy folders for multiple locations or groups.

Decrypt and inspect – Select this action to decrypt and inspect the encrypted content.

Validate certificate only – Select this action to check secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.

Do not inspect – Select this action to not inspect the communication. An example of using this would be to not intercept communication with banking sites if a blanket policy of inspecting all HTTPS communication was in place.

Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.

3. Select Enable policy to enable the policy and then click Confirm.

4. NITO displays the settings you have selected. Review them and click Save to create the policy. NITO creates the policy and makes it available on the Guardian > HTTPS Inspection > Manage policies page. You must now specify in what order NITO should apply the policy.

5. Browse to the Guardian > HTTPS Inspection > Manage policies page.

6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies.

7. Click Save. NITO re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site.

Editing HTTPS Inspection Policies

You can edit an existing HTTPS inspection policy to suit your organization’s requirements.

To edit an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.

2. Click the Edit policy button. NITO displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.

3. Make the necessary changes. See Creating an HTTPS Inspection Policy on page 93 for more information on working with policies.

4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy. NITO updates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page.

Deleting HTTPS Inspection Policies

You can delete an HTTPS inspection policy you no longer require.

To delete an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.

2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove. NITO deletes the policy.

Configuring HTTPS Inspection Policy Settings

For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting the certificate authority (CA) certificate, importing it into the list of trusted CA certificates on the computers in your network, and configuring the warning and confirmation messages that are displayed to users when communications are being decrypted and inspected.

Managing Certificates

Managing certificate authority (CA) certificates entails exporting them and then installing them on end users’ computers. Without certificates on users’ computers, HTTPS inspection policies cannot work.

To export a certificate:

1. Browse to the Guardian > HTTPS inspection > Settings page.

2. Click Export. NITO generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering.

Tip: At the time of writing, to import the certificate on a PC running Internet Explorer 8: from the Tools menu, select Internet Options. On the Content tab, click Certificates and then click Import. Run the Certificate Import Wizard and place the certificate in the Trusted Root Certification Authorities store.

In Firefox 3 on Windows XP, from the Tools menu, select Options. Click Advanced and display the Encryption tab. Click View Certificates and then click the Authorities tab. Click Import, browse to where the certificate is stored and click Open. When prompted, select Trust this CA to identify web sites and click OK, OK and OK.

For Active Directory, you can deploy the certificate using a group policy. Consult your Active Directory documentation for more information.

Configuring Warning Information

When implemented, NITO displays a warning page informing users who try to access HTTPS web site(s) that their communication with the site(s) is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.

To configure HTTPS inspection policy settings:

1. Browse to the Guardian > HTTPS inspection > Settings page.

2. In the Manage HTTPS interception warning area, configure the following settings:

Warning message – Accept the default message or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.

Note: After displaying the warning page, NITO will not display it again for 24 hours or until the user restarts their browser.

Confirmation button label – Accept the default label or enter a new label to display on the button users must click in order to continue to the site they accepted.

3. Click Save to save the settings.

Clearing the Generated Certificate Cache

It is possible to clear NITO’s cache of certificates generated for use with HTTPS inspection policies.

To clear the cache:

1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear. NITO clears the cache.

Managing Content Modification Policies

The following sections discuss how to create, edit and delete content modification policies.

A content modification policy can apply recommended security rules, determine if Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content, making it possible to exempt content from modification for specific users or locations.


Creating a Content Modification Policy

You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.

To create a content modification policy:

1. Browse to the Guardian > Content modification > Policy wizard page.

2. Complete the following steps:

Step 1: Who – From the Available users or groups list, select who the policy applies to.

Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them.

Click Add and, when you have added all the users and/or groups, click Next to continue.

Step 2: What to target – From the Available categories or category groups list, select what the policy applies to.

Tip: Enter the name or part of the name and NITO will search for matches. To select more than one item, hold the CTRL button down while selecting it.

Click Add and, when you have selected the categories or category groups, click Next to continue.

Step 3: Where – From the Available locations list, select where the policy will apply.

Tip: Enter the name or part of the name and NITO will search for locations that match. To select more than one location, hold the CTRL button down while selecting them.

Click Add and, when you have selected the location(s), click Next to continue.

Step 4: Action – Select one of the following options:

Create policy folder – Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information on policy folders, see Working with Policy Folders on page 100.

Apply – Select this action to modify the categories and category groups selected.

Ignore – Select this action to exempt the categories and category groups from being modified.

Note: Usually creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content.

From the Available categories or category groups list, select the content modification to apply and click Add.

Tip: Enter the name or part of the name and NITO will search for matches. To select more than one item, hold the CTRL button down while selecting it.

Note: If you are creating a policy that ignores content, the options here are disabled.

Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.

3. Select Enable policy to enable the policy and click Confirm.

4. NITO displays the settings you have selected. Review them and click Save to create the policy. NITO creates the policy and makes it available on the Guardian > Content modification > Manage policies page. You must now specify in what order NITO should apply the policy.

5. Browse to the Guardian > Content modification > Manage policies page.

6. Locate the policy. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which exempts search results from modification for users in the teachers group, drag the policy to the top of the list of policies.
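The ordering rules this guide states for web filter, HTTPS inspection and content modification policies (top-to-bottom first match, an Ignore or allow exception placed above the broad policy it exempts, a policy folder narrowing the search to the policies stored in it) are easier to reason about in code. The following is an added example and not NITO code; every policy, group, category, location and time slot name in it is a constructed sample value, and the shadowing check at the end is a test you can run on your own ordering before saving it.

```python
"""Ordered first-match policy evaluation, as this guide describes it.

Added example (not NITO code) of the ordering rules from the web filter, HTTPS
inspection and content modification sections: policies are tried top to bottom
until one matches, an exception must sit above the broad policy it exempts, and
a policy folder carries criteria shared by the policies inside it. All group,
category, location and time slot names are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = frozenset({"*"})  # a wizard step left empty matches everything


@dataclass
class Policy:
    name: str
    action: str               # e.g. "block", "allow", "apply", "ignore", "do not inspect"
    who: frozenset = ANY      # users or groups
    what: frozenset = ANY     # categories or category groups
    where: frozenset = ANY    # locations
    when: frozenset = ANY     # time slots
    enabled: bool = True

    def criteria(self) -> tuple:
        return (self.who, self.what, self.where, self.when)

    def matches(self, req: dict) -> bool:
        """Every criterion must be unrestricted or share a value with the request
        (a user may belong to several groups, so 'who' is matched as a set)."""
        if not self.enabled:
            return False
        values = (req["groups"], {req["category"]}, {req["location"]}, {req["timeslot"]})
        return all("*" in c or c & frozenset(v) for c, v in zip(self.criteria(), values))


@dataclass
class Folder(Policy):
    """Made by skipping a wizard step and choosing 'Create policy folder': the
    folder's own criteria are checked first, then the policies inside it in
    order. If none of them matches, evaluation moves on past the folder."""
    action: str = "folder"
    policies: List[Policy] = field(default_factory=list)


def evaluate(policies: List[Policy], req: dict,
             trace: Optional[List[str]] = None) -> Tuple[Optional[str], Optional[str]]:
    """(policy name, action) of the first match, or (None, None). `trace`, when
    given, records every policy tested: the audit trail for why a user got an action."""
    for p in policies:
        if trace is not None:
            trace.append(p.name)
        if not p.matches(req):
            continue
        if isinstance(p, Folder):
            name, action = evaluate(p.policies, req, trace)
            if name is not None:
                return f"{p.name}/{name}", action
            continue
        return p.name, p.action
    return None, None


def shadowed_by(earlier: Policy, later: Policy) -> bool:
    """True when everything `later` could match is already caught by `earlier`,
    so `later` can never fire from its current position in the list."""
    if not earlier.enabled or isinstance(earlier, Folder):
        return False
    return all("*" in e or ("*" not in l and l <= e)
               for e, l in zip(earlier.criteria(), later.criteria()))


def unreachable(policies: List[Policy]) -> List[str]:
    """Policies an earlier entry shadows completely: the check to run after
    re-ordering, since an exception dragged below its broad policy shows up here."""
    return [later.name for i, later in enumerate(policies)
            if any(shadowed_by(earlier, later) for earlier in policies[:i])]


# Constructed sample after the SafeSearch example: Ignore for teachers, Apply for all.
SAFESEARCH_EXEMPT = Policy("Teachers: unrestricted search", "ignore",
                           who=frozenset({"teachers"}), what=frozenset({"search"}))
SAFESEARCH_ALL = Policy("Enforce SafeSearch", "apply", what=frozenset({"search"}))


def teacher_search_action(policies: List[Policy]) -> Optional[str]:
    req = {"groups": {"teachers", "staff"}, "category": "search",
           "location": "main site", "timeslot": "working hours"}
    return evaluate(policies, req)[1]


# Constructed sample after the web filter example: adverts blocked for everyone,
# with a folder of exceptions placed above the blocking policy.
ADVERT_EXCEPTIONS = Folder("Adverts allowed", what=frozenset({"adverts"}), policies=[
    Policy("Media students at lunch", "allow",
           who=frozenset({"media students"}), when=frozenset({"lunch break"})),
])
WEB_FILTER = [ADVERT_EXCEPTIONS, Policy("Block adverts", "block", what=frozenset({"adverts"}))]


def web_filter_decision(groups: set, category: str, timeslot: str) -> tuple:
    """(action, matched policy, trace) for a request from the 'main site' location."""
    req = {"groups": groups, "category": category, "location": "main site", "timeslot": timeslot}
    trace: List[str] = []
    name, action = evaluate(WEB_FILTER, req, trace)
    return action, name, trace
```

With the Ignore policy above the Apply policy, teachers get "ignore"; swap the two and they get "apply", and `unreachable()` names the exception policy that can no longer fire.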


Editing Content Modification Policies

You can edit an existing content modification policy to suit your organization’s requirements.

To edit a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.

2. Click the Edit policy button. NITO displays the policy settings on the Guardian > Content modification > Policy wizard page.

3. Make the necessary changes. See Creating a Content Modification Policy on page 98 for more information on working with policies.

4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy. NITO updates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Deleting Content Modification Policies

You can delete a content modification policy you no longer require.

To delete a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.

2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove. NITO deletes the policy.

Working with Policy Folders

Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization.

For example, by default, NITO blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.

Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.

Creating a Policy Folder

You create a policy folder by using a policy wizard.

To create a policy folder:

1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.

2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, NITO makes the policy folder available on the manage policies page.

3. To add a policy to a folder, browse to the relevant manage policies page, locate the policy folder and click Add policy to folder. NITO opens the folder and displays it on the policy wizard page.

4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. NITO displays the policy settings. Review the settings and then click Save. NITO creates the policy, places it in the policy folder and makes it available on the manage policies page.

Editing Policy Folders

You can edit policy folders by changing the policy objects they contain.

To edit a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. NITO opens the folder and displays it on the policy wizard page.

2. Make changes to the policy object(s) included in the folder by adding or removing them as required.

3. Click Confirm, review the changes and click Save to apply the changes and update the folder.

Deleting Policy Folders

You can delete policy folders you no longer require.

To delete a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. NITO deletes the folder and removes it from the relevant manage policies page.

Censoring Web Form Content

The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period.

To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.


2. Configure the following settings:

Service – From the drop-down menu, select one of the following options:

Web filter outgoing – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.

Web filter secure outgoing (HTTPS) – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS.

Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 92 for more information.

Click Select to update the policy settings available.

Filter – From the drop-down menu, select a filter to use. For more information on filters, see Chapter 13, Creating Filters on page 160.

Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information on time settings, see Chapter 13, Setting Time Periods on page 159.

Action – From the drop-down menu, select one of the following actions:

Block – Content which is matched by the filter is blocked.

Allow – Content which is matched by the filter is allowed and is not processed by any other filters.

Log severity level – NITO enables you to store all blocked content, no blocked content or only blocked content above a certain severity level. If you want NITO to store only blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to do this.

From the drop-down list, select the severity level to assign to content that has been blocked by this policy.

Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.

Group – From the drop-down list, select the group to which you want to apply the policy.

Comment – Optionally, enter a description of the policy.

Enabled – Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy.

4. Browse to the Guardian > Web filter > Outgoing page.

5. Configure the following settings:

MessageCensor filtering and logging – Select Enable to enable censoring of content and/or files posted using web forms.

Store blocked content – Select this option if you want NITO to store content it blocks.

Note: This option does not apply to content posted using HTTPS.

Store blocked content above severity level – If you have selected to store blocked content, from the drop-down list, select one of the following options:

Always store – NITO stores all blocked content and makes it available for review in the web filter log.

–4 to 5 – Select a severity level above which NITO stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity level option above.

Note: This option does not apply to content posted using HTTPS.

6. Click Save. NITO applies the policy.


10 Managing Authentication Policies

In this chapter:

• About and working with authentication policies

• About exceptions to authentication and identification by location

• About and how to configure transparent and non-transparent connections to NITO

• Some example scenarios of how to use authentication to manage web access.

About Authentication Policies

Note: By default, NITO comes with an authentication policy in place. To use it, you configure your users’ web browsers to use NITO as their web proxy. For more information, see Creating a Non-transparent Connection Manually on page 116.

NITO uses authentication to:

• Identify users and assign them to groups, so that NITO can apply different policies to each group

• Allow access to registered users or trusted workstations

• Provide logging and auditing facilities in case of misuse

• Show in real time which users are accessing content.

An authentication policy is comprised of a connection type, an authentication method, port information and a location.

NITO can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports NITO listens on for web requests.

Creating Authentication Policies

NITO enables you to create the following types of authentication policies:

• Non-transparent authentication policies – this type of policy is applied to users whose web browsers are configured to connect to the Internet using NITO as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 106

• Transparent authentication policies – this type of policy is applied to users whose computers’ network connection uses NITO. For more information, see Creating Transparent Authentication Policies on page 110.


Creating Non-transparent Authentication Policies

Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a non-transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.

2. Select Non-Transparent and from the Method drop-down list, select one of the following authentication methods:

No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

Kerberos – Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 284.

Kerberos (Terminal Services compatibility mode) – Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 284. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

Proxy authentication – Identify users by requesting a username and password from the user’s browser. This authentication method prompts users to enter a username and password when they try to browse the web. The username and password details are encoded in all future requests made by the user’s browser.

Proxy authentication (Terminal Services compatibility mode) – Identify users by requesting a username and password from the user’s browser. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.


NTLM identification – Identify users according to the username logged into their Microsoft Windows workstation.

Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.

Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM.

Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.

NTLM identification (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services.

Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.

Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.

Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.

This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

NTLM authentication – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller.

Prerequisites:

• There must be a computer account for NITO in Active Directory

• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.

Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.

Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.


NTLM authentication (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services.

Prerequisites:

• There must be a computer account for NITO in Active Directory.

• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.

Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.

Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.

This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

Redirect users to SSL Login page (with background tab) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password.

The NITO authentication service supports only one user per client IP address.

Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times.

Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active.

SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the NITO system is encrypted.

To securely log out, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password.

The NITO authentication service supports only one user per client IP address.

Using this method, NITO stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate.

This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background.

SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the NITO system is encrypted.

To securely log out, the user must click Logout on the SSL Login page.

Core authentication – Identify users with the NITO authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group.

The NITO authentication service supports only one user per client IP address.

Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.


Ident – Identify users according to the username returned by an Ident server running on their workstation.

NITO supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems.

The user does not need to enter their username as it is automatically supplied by the Ident server application.

Once a user’s Ident server has identified the user, the user’s web activities will be filtered according to their authentication group membership.

For details of how to configure this with your choice of Ident server, please refer to the Ident server’s administrator’s guide.

Note: Ident does not verify a user’s credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.

Identification by Location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location.

Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network.

For more information, see Identification by Location on page 114.

For information on locations, see Chapter 9, Working with Location Objects on page 85.

Kerberos (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation.

For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

The NITO authentication service supports only one user per client IP address.

NTLM identification (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation.

The NITO authentication service supports only one user per client IP address.

Note: This option is for backwards compatibility with earlier versions of Guardian.

NTLM authentication (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller.

The NITO authentication service supports only one user per client IP address.

Note: This option is for backwards compatibility with earlier versions of Guardian.

3. Configure the following settings:

Interface – From the drop-down list, select the interface on which to apply the authentication policy.

Port – From the drop-down list, select the port on which to apply the authentication policy.


Enabled – Select to enable the policy.

4. Click Next and add the location at which the policy will apply.

5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, NITO assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.

6. Click Next, select Enabled and click Confirm. NITO displays the policy settings.

7. Review the settings and click Save to make the policy available for use.

Creating Transparent Authentication Policies

Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.

2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:

No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

Kerberos – Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185.

For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

Kerberos (Terminal Services compatibility mode) – Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185.

For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.


Redirect users to SSL Login page (with background tab) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password.

The NITO authentication service supports only one user per client IP address.

Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times.

Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active.

SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the NITO system is encrypted.

To securely log out, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password.

The NITO authentication service supports only one user per client IP address.

Using this method, NITO stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate.

This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background.

SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the NITO system is encrypted.

To securely log out, the user must click Logout on the SSL Login page.

Core authentication – Identify users with the NITO authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group.

The NITO authentication service supports only one user per client IP address.

Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.

Identification by location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location.

Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 114.

For information on locations, see Chapter 9, Working with Location Objects on page 85.

Kerberos (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation.

For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

The NITO authentication service supports only one user per client IP address.

NTLM identification (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation.

The NITO authentication service supports only one user per client IP address.

Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.


NTLM authentication (via redirect) – Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller.

The NITO authentication service supports only one user per client IP address.

3. Configure the following settings:

Interface – From the drop-down list, select the interface on which to apply the authentication policy.

Note: For more information on the WCCP interface option, see Chapter 11, Configuring WCCP on page 128.

HTTPS – Select this option to transparently intercept HTTPS connections. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings.

Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.

Enabled – Select to enable the policy.

4. Click Next and add the location at which the policy will apply.

5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, NITO assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.

6. Click Next, select Enabled and click Confirm. NITO displays the policy settings.

7. Review the settings and click Save to make the policy available for use.


Managing Authentication Policies

NITO applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. You can re-order the policies by dragging and dropping them in new positions.

To access authentication policies:

1. Browse to the Web proxy > Authentication > Manage policies page. NITO displays the current authentication policies.
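The ordering rule above (the first policy in the list that matches a request is the one applied), as an added example that is not part of this guide or of NITO’s own code. The policy list is a constructed one modelled on the “Using Multiple Authentication Methods” scenario later in this chapter: an Ident entry for the ‘Macs’ location placed above the general NTLM entry on port 800, followed by a transparent entry for laptops. The field names (mode, port, location as CIDR ranges, method) and the client addresses are assumptions made for illustration, not NITO’s internal data model.

```javascript
// Added example (not NITO's own code): first-match evaluation of an ordered
// authentication policy list. Field names and addresses are assumptions.

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when `ip` lies inside the CIDR range `cidr` (for example "10.0.20.0/24").
function inCidr(ip, cidr) {
  const [net, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Constructed policies in display order (top entry first). `location: null`
// means the entry applies to any client; `port: null` means any port.
const policies = [
  { name: "Macs", mode: "non-transparent", port: 800, location: ["10.0.20.0/24"], method: "Ident" },
  { name: "Default", mode: "non-transparent", port: 800, location: null, method: "NTLM authentication" },
  { name: "Laptops", mode: "transparent", port: null, location: null, method: "Redirect to SSL Login" },
];

// Walk the list top to bottom and return the first policy whose mode, port
// and location all match the request; entries below it are never consulted.
function selectPolicy(policyList, request) {
  for (const policy of policyList) {
    if (policy.mode !== request.mode) continue;
    if (policy.port !== null && policy.port !== request.port) continue;
    if (policy.location !== null && !policy.location.some((cidr) => inCidr(request.clientIp, cidr))) continue;
    return policy;
  }
  return null;
}

// The authentication method a request receives, or "no policy" when nothing matches.
function methodFor(policyList, request) {
  const policy = selectPolicy(policyList, request);
  return policy === null ? "no policy" : policy.method;
}

// Constructed requests.
const macRequest = { mode: "non-transparent", port: 800, clientIp: "10.0.20.5" };
const pcRequest = { mode: "non-transparent", port: 800, clientIp: "10.0.30.5" };
const laptopRequest = { mode: "transparent", port: 80, clientIp: "10.0.40.5" };

console.log(methodFor(policies, macRequest));    // Ident
console.log(methodFor(policies, pcRequest));     // NTLM authentication
console.log(methodFor(policies, laptopRequest)); // Redirect to SSL Login
// With the first two entries swapped, the Mac falls through to the NTLM entry:
console.log(methodFor([policies[1], policies[0], policies[2]], macRequest)); // NTLM authentication
```

The last call shows why the drag-and-drop order matters: a location-specific entry only takes effect if it sits above the general entry for the same port, otherwise the general entry matches first and the location entry is never reached.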

Editing Authentication Policies

You can make changes to authentication policies by editing them.

To edit an authentication policy:

1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to change.

2. Click the Edit policy button. NITO displays the policy on the Web proxy > Authentication > Policy wizard page.

3. Make the changes you require; see Creating Authentication Policies on page 105 for more information on the settings available.

4. Click Confirm, review your changes and then click Save to save and apply the changes. NITO applies the changes and prompts you to restart the NITO proxy.

5. Click Restart proxy. NITO restarts the proxy.

Deleting Policies

You can delete authentication policies you no longer require.

To delete an authentication policy:

1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.

2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy.

3. Click Delete. NITO deletes the policy and prompts you to restart the NITO proxy.

4. Click Restart proxy. NITO restarts the proxy.


Managing Authentication Exceptions

You can configure NITO to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication.

To create an exception:

1. Browse to the Web proxy > Authentication > Exceptions page.

2. Select the content to be excepted from authentication and click Add.

3. Click Save to create the exception.

Identification by Location

You can configure NITO to identify groups and/or users by the location in which they are situated. This identification by location status can be used to configure an identification by location authentication policy.

Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 105 for more information.


To configure identification by location:

1. Browse to the Web proxy > Authentication > Ident by location page.


2. From the Selected location drop-down list, select the location.

3. Select the groups and/or users to include in the location and click Add.

4. Click Confirm. NITO lists the location in the Location to group mappings table.

Connecting to NITO

The following sections explain how to connect non-transparently and transparently to NITO.

About Non-transparent Connections

Non-transparent connections from users’ web browsers to NITO are suitable when content is accessed using HTTPS or when using NTLM or proxy authentication or identification in terminal services compatibility mode.

Connecting to NITO non-transparently entails configuring users’ web browsers to use NITO as the web proxy using one of the following methods:

• Manually – Web browser LAN settings are manually configured, see Creating a Non-transparent Connection Manually on page 116 for more information

• Automatic configuration script – Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by NITO, see Configuring Non-transparent Connections Using a PAC Script on page 116 for more information


• WPAD automatic script – Web browser LAN settings are configured to detect proxy settings, see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 116 for more information.

Creating a Non-transparent Connection Manually

Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To create a non-transparent connection manually:

1. On users’ computers, start Internet Explorer, and from the Tools menu, select Internet Options.

2. On the Connections tab, click LAN settings.

3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.

4. In the Proxy server area, select Use a proxy server for your LAN …

5. Enter NITO’s IP address and port number 800 and select Bypass proxy server for local addresses.

6. Click Advanced to access more settings. In the Exceptions area, enter NITO’s IP address and the IP addresses of any other content that you do not want filtered, for example, your intranet or local wiki.

7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script

A proxy auto-config (PAC) script is a file generated by NITO. Once configured, any changes to connections are automatically retrieved by the user’s web browser. For information on working with PAC scripts, see Chapter 11, Using PAC Scripts on page 124.

Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:

1. On the user’s computer, start Internet Explorer, and from the Tools menu, select Internet Options.

2. On the Connections tab, click LAN settings.

3. Configure the settings as follows:

Automatically detect settings – Deselect this option.

Use automatic configuration script – Select this option.

Address – Enter the address of the script.

Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.

4. Ensure that no other proxy settings are enabled or have entries.

Note: You may need to restart the web browser for the settings to take effect.
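The manual LAN settings from the previous section, expressed as a PAC script. This is an added example, not the script NITO generates (the guide does not show its content): browser traffic goes to NITO on port 800, plain hostnames and the local domain bypass the proxy, and NITO’s own address and intranet content are listed as exceptions. The NITO address 192.0.2.10, the 10.0.0.0/8 intranet range and the .example.com domain are constructed placeholders. The helper functions isPlainHostName, dnsDomainIs and isInNet are normally supplied by the browser’s PAC engine; the minimal stand-ins below exist only so the script can be exercised outside a browser.

```javascript
// Added example: a hand-written PAC script mirroring the manual LAN settings
// described in the guide (proxy on port 800, bypass for local addresses,
// exceptions for NITO itself and intranet content). This is NOT the script
// NITO generates. The addresses below are constructed placeholders.
var NITO_ADDRESS = "192.0.2.10";    // NITO's IP address (assumption)
var NITO_PORT = 800;                // NITO's default listening port (from the guide)
var INTRANET_NET = "10.0.0.0";      // intranet / local wiki range to leave unfiltered (assumption)
var INTRANET_MASK = "255.0.0.0";
var LOCAL_DOMAIN = ".example.com";  // the site's local DNS domain (assumption)

// Minimal stand-ins for the helpers a browser's PAC engine supplies, so the
// script can be exercised outside a browser. A real browser ignores these
// and uses its own implementations.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function looksLikeIp(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}
// This stand-in only handles literal IP addresses; the browser's version
// resolves hostnames first.
function isInNet(host, net, mask) {
  if (!looksLikeIp(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

function FindProxyForURL(url, host) {
  // Exceptions area: NITO's own address and intranet content are never proxied.
  if (host === NITO_ADDRESS) return "DIRECT";
  if (isInNet(host, INTRANET_NET, INTRANET_MASK)) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // "Bypass proxy server for local addresses": plain hostnames and the local domain.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // Everything else is filtered by NITO. Deliberately no "; DIRECT" fallback:
  // with one, a proxy outage would silently become unfiltered access.
  return "PROXY " + NITO_ADDRESS + ":" + NITO_PORT;
}
```

The final directive is a bare PROXY rather than PROXY …; DIRECT because a DIRECT fallback lets the browser bypass filtering whenever NITO is unreachable. A PAC script is only a request to the browser, not an enforcement point; pair it with firewall rules that allow outbound web traffic from NITO alone.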

Configuring a Non-transparent Connection Using a WPAD Automatic Script

Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD – the latest versions of Microsoft Internet Explorer support this method.


The WPAD method works by the web browser prepending the hostname wpad to the front of its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use.

To use WPAD:

1. Configure your network to use NITO as the network web proxy. Consult your network documentation for more information on how to do this.

2. Using a local DNS server or NITO’s static DNS, add the host ‘wpad.YOURDOMAINNAME’, substituting your own domain name. The host must resolve to NITO’s IP address.

3. Configure users’ browsers to automatically detect LAN settings.

Note: Users’ computers must be configured with the same domain name as the A record. However, the Microsoft Knowledge Base article Q252898 suggests that WPAD does not work on Windows 2000. Microsoft suggests that you should use a DHCP auto-discovery method using a PAC script. See the article for more information.

About Transparent Connections

You configure transparent connections from users’ computers to NITO by configuring the computers’ network connections to use NITO as the default gateway.

In order for a transparent policy to work, the following must be in place:

• DNS must be set up correctly on your network so that user computers can resolve the short form of NITO’s hostname, for example: resolve mysystem for the hostname mysystem.example.com

• User computers and NITO must be within the same DNS domain

• Internet Explorer must be configured to authenticate automatically with intranet sites.

Authentication Scenarios

The following are high level examples of how you can configure NITO to suit your organization’s authentication requirements.

New Content Filtering – Changing the Listening Port

Anna runs an Internet cafe. She is replacing her current content filter with NITO because of its superior filtering. To avoid reconfiguring each workstation, she needs NITO to listen on the same port as before, which was port 3128.

Anna goes to the Web proxy > Authentication > Policy page which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart NITO.

Providing Filtered Web Access to the Public

Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public. He does not want delegates to need to configure a proxy in their browsers.

Brian configures NITO to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults.

After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new transparent authentication policy so he removes the default entry for port 800.


He then configures the firewall and DHCP servers on the network to route traffic through NITO.

Requiring Authentication to Browse the Web

Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn’t require guests to register their wireless devices.

Charlotte creates a local user account for each room, with names like ‘room23’ and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out.

Charlotte then configures NITO in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults.

She removes the entry for port 800 before restarting NITO.

Using Multiple Authentication Methods

Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign on wherever possible.

For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names ‘Macs’. This location contains the IP address ranges assigned to Macs.

On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location ‘Macs’. This is displayed above the entry for NTLM on the policy page. Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login.

Using group policy and central admin tools, he configures the Windows PCs and Macs to use NITO, and installs an Ident server on the Macs. Windows and Mac users now authenticate to NITO using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.

Controlling an Unruly Class

Ellen is a secondary school teacher. Ellen’s students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior.

While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page.


Managing Web Security

In this chapter:

• Overview of web proxy settings

• Using PAC scripts

• Limiting bandwidth and configuring WCCP

• Managing upstream proxies

• Managing blocklists

• Configuring block pages.

Overview of NITO’s Web Proxy

The following sections provide an overview of NITO’s web proxy settings.

To access NITO’s web proxy settings:

1. Navigate to the Web proxy > Web proxy > Settings page.


Global Options

The following table lists NITO’s global web proxy settings:

Guardian – Select Enable to enable content filtering and NITO’s web proxy.

Click Advanced to access advanced web proxy settings, which are documented in the following sections.


Advanced Web Proxy Settings

The following advanced web proxy settings are available.

Web Filter Options

The following optional advanced web filter settings are available:

HTTP strict mode – By default, this option is enabled. However, for certain client applications going through NITO you may need to disable this so as to handle problems, for example, with headers that the applications send.

File upload policy – The following options are available:

Allow unlimited uploads – All file uploads are allowed.

Block all uploads – All file uploads are blocked.

Restrict upload size to – Files below the size specified are allowed.

Resume interrupted NTLM connections – By default NITO resumes interrupted NTLM connections caused by nonstandard web browser behavior.

Enable – This is the default setting. Select this setting to configure NITO to resume interrupted NTLM connections.

Disable – Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation.

Resolve single component hostnames – By default, NITO makes no attempt to interpret single component hostnames which are not fully qualified.

Enable – Select this setting to enable NITO to attempt to interpret single component hostnames which are not fully qualified, if single component hostnames are being used.

Disable – Select this setting to stop NITO from trying to interpret single component hostnames which are not fully qualified.

Allow access to web servers on these additional ports – By default, NITO only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21).

If you require access to servers running on non-standard ports, enter them here.

Logging Options

The following advanced logging settings are available:

Proxy logging – We recommend that you disable this option when Filter logging mode is enabled. This is because NITO proxy logs are effectively duplicated subsets of NITO web filter logs.

Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements.

Organization name – Enter a name which can be used to identify NITO in your organization. Organization names are also referenced in certain web reports.


Filter logging mode – From the drop-down list, select one of the following logging modes:

Normal – Select this option to generate proxy logs with all recorded data.

Anonymized – Select this option to generate proxy logs with anonymous username and IP address information.

Disabled – Select this option to disable content filter logging.

Client hostnames – Select one of the following options:

Log – Select this option to record hostnames of computers using NITO. When enabled, filter logs and reports incorporating hostname information can be generated. It is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines if this option is enabled, otherwise performance will suffer.

Do not log – Select this option to disable the logging of hostnames of computers using NITO.

Client user-agents – Select one of the following options:

Log – Select to record the types of browsers used by users.

Do not log – Select to disable the logging of the types of browsers used by users.

Explicitly allowed sites – Select one of the following options:

Log – Select this option to log information on explicitly allowed sites.

Do not log – Select to disable the logging of information on explicitly allowed sites.

Advert blocks – Select one of the following options:

Log – Select this option to log information on advert blocking.

Do not log – Select to disable the logging of information on advert blocking.

Cache Options

The following advanced, optional cache settings are available:

Global cache size – The size entered here determines the amount of disk space allocated to NITO for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.

The specified size must not exceed the amount of free disk space available.

The cache size should be configured to approximately 40% of the system’s total storage capacity, up to a maximum of around 2 gigabytes.

Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection.

For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.


Max and min object size that can be stored in the cache – The values entered here determine the maximum and minimum sizes of objects stored in the cache.
  Max object size – Enter the largest object size that will be stored in NITO’s cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 30720 bytes (30 MB) should be adjusted to suit the needs of your end-users.
  Min object size – Enter the smallest object size that will be stored in NITO’s cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.

Max object size that can pass in and out of proxy – The values entered here determine the maximum sizes of objects which can pass through the web proxy.
  Max outgoing size – Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
  Max incoming size – Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.

Do not cache these domains – Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example:
  .example.com


Internet Cache Protocol

The following advanced, optional Internet Cache Protocol (ICP) settings are available:

ICP server – Select one of the following options:
  Enable – Select to allow ICP compatible proxies to query NITO's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy’s cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple NITO proxy servers; non-Nomadix proxies must use port 801 for HTTP traffic.
  Disable – Select to disable NITO as an ICP server.

ICP server IP addresses – Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that NITO should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing.

Load Balancing

The following load balancing option is available:

Direct Return Server Virtual IP – Enables you to use a load balancing device which uses a virtual IP with NITO. Enter the IP address on which NITO can accept load balanced connections. Assuming a load balancer has been set up, NITO will form part of its cluster.

Note: This IP address must not respond to ARP queries, as ARP-ing behavior is what sets this type of Virtual IP apart from a simple alias.

Using PAC Scripts

NITO enables you to create and make available proxy auto-config (PAC) scripts which determine which IP addresses and domains to access via NITO and which to access directly.

NITO supports built-in PAC scripts and custom PAC script templates.


Using a Built-in Script

A built-in script is an auto configuration script which you can customize with additional settings such as exceptions.

To use a built-in script:

1. Browse to the Web proxy > Web proxy > Automatic configuration page.

2. Select Built-in and configure the following settings:

Bypass proxy server for local addresses – Select this option to not use NITO when connecting to local addresses. When selected, this option makes users’ browsers bypass the NITO proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the NITO proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local. We recommend that this setting is enabled.


Exception domains and IP addresses – In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example:
  192.168.0.1
  192.168.0.1-192.168.0.254
  192.168.0.0/24
  hostname.local

Exception regular expression domains – Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example:
  ^(.*\.)?youtube\.com$
  ^(.*\.)?ytimg\.com$
would disable usage of NITO for youtube.com, ytimg.com and subdomains such as www.youtube.com; but not, for example, fakeyoutube.com.

3. Click Save. NITO creates the script and makes it available at: http://Your_System_IP_address/proxy.pac
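The following PAC script is an added example written for this guide, not the script NITO generates: it models the three built-in script options above (bypass for local addresses, exception domains and IP addresses, and exception regular expression domains) using the guide's own example entries. The proxy address 192.0.2.10:800 is a placeholder, and IP range and network exceptions are assumed to be compared only against hosts given as literal IPv4 addresses.

```javascript
// Added example, not the script NITO generates: a hand-written PAC script
// modelling the built-in script's three options (bypass for local addresses,
// exception domains/IP addresses, exception regular expression domains).
// 192.0.2.10:800 is a placeholder proxy address, not a NITO default.
var NITO_PROXY = "PROXY 192.0.2.10:800";

// Constructed exception lists using the guide's own example entries.
var EXCEPTIONS = [
  "192.168.0.1",
  "192.168.0.1-192.168.0.254",
  "192.168.0.0/24",
  "hostname.local"
];
var EXCEPTION_REGEXES = [/^(.*\.)?youtube\.com$/, /^(.*\.)?ytimg\.com$/];

// Browsers supply isPlainHostName() to PAC scripts; this stand-in has the
// same meaning (no dot in the host) so the script also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function isIPv4Literal(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
}

// Dotted quad to unsigned 32-bit integer.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = ((n << 8) + Number(parts[i])) >>> 0;
  }
  return n;
}

// One exception entry against one host. Assumption: IP range and network
// entries are only compared with hosts that are literal IPv4 addresses
// (a real browser PAC would resolve the name first, e.g. with isInNet()).
function matchesException(entry, host) {
  var range = entry.match(/^([\d.]+)-([\d.]+)$/);
  var cidr = entry.match(/^([\d.]+)\/(\d+)$/);
  if (range || cidr) {
    if (!isIPv4Literal(host)) return false;
    var ip = ipToInt(host);
    if (range) {
      return ip >= ipToInt(range[1]) && ip <= ipToInt(range[2]);
    }
    var bits = Number(cidr[2]);
    var mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipToInt(cidr[1]) & mask) >>> 0);
  }
  // Single IP address or hostname entry: exact match.
  return host === entry;
}

// The PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bypass proxy server for local addresses: "myhostname" goes direct,
  // "myhostname.example.local" (an FQDN) still goes through NITO.
  if (isPlainHostName(host)) return "DIRECT";
  // Exception domains and IP addresses.
  for (var i = 0; i < EXCEPTIONS.length; i++) {
    if (matchesException(EXCEPTIONS[i], host)) return "DIRECT";
  }
  // Exception regular expression domains: youtube.com and its subdomains
  // go direct, but fakeyoutube.com does not match ^(.*\.)?youtube\.com$.
  for (var j = 0; j < EXCEPTION_REGEXES.length; j++) {
    if (EXCEPTION_REGEXES[j].test(host)) return "DIRECT";
  }
  return NITO_PROXY;
}
```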

Using a Custom Script

A custom script provides advanced functionality by enabling you to use a script customized to suit your organization.

Tip: You can use the built-in template as a starting point for creating a custom script. On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it using a different name. See below for how to upload it.

To use a custom script:

1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.

2. Select Custom script template and click Browse. Locate and select the script and click Upload. NITO uploads the script and makes it available at: http://Your_System_IP_address/proxy.pac

Managing the Configuration Script

You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.

To manage the configuration script:

1. Browse to the Web proxy > Web proxy > Automatic configuration page.

2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.

3. Click Save.

Limiting Bandwidth

NITO enables you to limit downstream bandwidth overall or based on the URL being accessed.


Limiting Overall Bandwidth

By default, NITO does not limit bandwidth. The following section explains how you can limit overall bandwidth.

To limit bandwidth:

1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.

2. In the Default options area, select the Restrict bandwidth to option and enter the overall bandwidth limit in kilobytes per second.

3. Click Save. NITO applies the limit.

Limiting Bandwidth Based on URL

You can create bandwidth limiting rules to apply when users enter URLs or parts of URLs. These rules override the default bandwidth limit settings as specified in the section above.

To limit bandwidth based on a URL or part of a URL:

1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.

2. In the Add a new rule area, configure the following settings:

URL or part of URL – Enter the full URL or part of it to which the limit will be applied.

Bandwidth limit – In kilobytes per second, enter the maximum amount of bandwidth allowed.

Allocated to each proxy client – Select this option to allocate the bandwidth limit to each client.

Shared between all proxy clients – Select this option to share the maximum amount of bandwidth specified between all clients on the network.

Comment – Optionally, enter a comment describing the rule.

Enabled – Select to enable the rule.

3. Click Save. NITO applies the limit.

Configuring WCCP

NITO can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, NITO broadcasts its availability to a nominated WCCP-compatible router.

The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP.

Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information on transparent authentication policies, see Chapter 10, Creating Transparent Authentication Policies on page 110.

For more information on configuring WCCP on your router, see http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/wccp.html

To configure WCCP:

1. Browse to the Web proxy > Web proxy > WCCP page.

2. Select the option you require and configure its settings:

No WCCP – Select to disable WCCP.

WCCP version 1 – Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
  WCCP router IP – Enter the WCCP router’s IP address.


WCCP version 2 – Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
  Note: Currently, WCCP version 2 in NITO only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
  Password – Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters.
  Cache weight – Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
  Device IP addresses – Enter the IP addresses of one or more WCCP version 2 routers.

3. Click Save. NITO saves the settings.

4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Chapter 10, Creating Transparent Authentication Policies on page 110.

NITO completes the WCCP configuration.

Managing Upstream Proxies

NITO enables you to configure and deploy policies which manage access to upstream proxies. The policies can:
• Allow or deny access to upstream proxies based on network location
• Direct web requests to a specific upstream proxy depending on the type of request
• Provide load balancing and failover.

The following sections explain how to configure and deploy upstream proxy policies.

Overview

Managing upstream proxies entails:
• Configuring upstream proxy settings, for more information see Configuring an Upstream Proxy on page 130
• Creating source and destination filters, for more information see Configuring Source and Destination Filters on page 131
• Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 133, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover, for more information, see Working with Multiple Upstream Proxies on page 134.


Configuring an Upstream Proxy

The following section explains how to configure an upstream proxy.

To configure an upstream proxy:

1. Browse to the Web proxy > Upstream proxy > Proxies page.

2. Configure the following settings:

Name – Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name:
  ., abcdefghijklmnopqrstuvwxyz
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  0123456789
The name Default is invalid as it is reserved as the name of the default proxy.

IP/Hostname – Enter the IP address or the hostname of the upstream proxy.

Port – Enter the port number to use on the upstream proxy.

Comment – Optionally, enter a comment or description.


3. Click Advanced to access the following, optional settings:

Credential forwarding – Select one of the following credential forwarding options:
  Disabled – Select this option to use the static username and password entered below when logging in to the upstream proxy.
  Username only – Forward the username of the client making the request with the password entered below when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
  Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by NITO.
  Username and password – Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both NITO and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials.
  Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by NITO.
  Note: NITO can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.

Username – Enter a static username for use when credential forwarding is disabled.

Password – Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.

Load balance ratio – Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value 2 and another upstream proxy has the value 1 and both use the round robin load balancing method, then the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page 134.

4. Click Save. NITO adds the upstream proxy to the list of current upstream proxies.

5. Repeat the steps above to add other upstream proxies.

Configuring Source and Destination Filters

NITO enables you to create source and destination filters which are used when applying upstream proxy policies.

Configuring a Destination Filter

NITO uses destination filters to determine which upstream proxy policy to apply based on the destination domain(s), IP(s) or destination URL regular expressions.


To create a destination filter:

1. Browse to the Web proxy > Upstream proxy > Filters page.

2. Configure the following settings:

Type – Select Destination.

Name – Enter a name for the destination filter.

Comment – Optionally, enter a description or comment.

IPs/Hostnames – Enter a destination IP address or hostname.

3. Optionally, click Advanced and configure the following setting:

Destination regular expression URLs – Enter one regular expression URL, including the protocol, per line.
  Note: The full URL is not available for HTTPS requests.

4. Click Save. NITO adds the filter and lists it in the Upstream proxy filters area.

5. Repeat the steps above to add more destination filters.

Configuring a Source Filter

NITO uses source filters to determine which upstream proxy policy to apply based on the source IP(s), subnet(s) or IP range(s) of the client machine(s).


To create a source filter:

1. Browse to the Web proxy > Upstream proxy > Filters page.

2. Configure the following settings:

Type – Select Source.

Name – Enter a name for the filter.

Comment – Optionally, enter a description or comment.

IPs/Hostnames – Enter a source IP address, IP address range, network address or hostname. For example:
  192.168.0.1
  192.168.0.1-192.168.0.254
  192.168.0.0/24
  hostname.local
  Note: Hostnames require reverse DNS look-ups to be performed.

3. Click Save. NITO adds the filter and lists it in the Upstream proxy filters area.

4. Repeat the steps above to add more source filters.

Using a Single Upstream Proxy

After configuring upstream proxy settings (see Configuring an Upstream Proxy on page 130), you can use a single upstream proxy for all web requests.

To use a single upstream proxy:

1. Browse to the Web proxy > Upstream proxy > Manage policies page.

2. In the Global options area, configure the following settings:

Default upstream proxy – This setting determines the default proxy which is used when upstream proxies are not available, not configured or not allowed by policies. From the drop-down list, select an upstream proxy.


Allow direct connections – Select this option to allow direct connections to origin servers. If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 135.

Leak client IP with X-Forwarded-For header – Select this option to send the originating IP addresses of client requests upstream.

3. Click Save. NITO starts using the single upstream proxy.

Working with Multiple Upstream Proxies

The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage.

About Upstream Proxy Behavior

There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:

1. A pool of one or more proxies which are allowed by the upstream proxy policies to service the request.

2. The default proxy, if configured.

3. Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of a web request, i.e. the server from which a requested resource originates.

Upstream proxy policies are additive. NITO checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.

Note: The rules above only apply to requests serviced by NITO. If a client behind NITO is able to obtain direct, unfiltered web access, the client’s requests will be treated no differently from other Internet traffic.

Configuring Multiple Upstream Proxy Policies

By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

To load balance using upstream proxy policies:

1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 130 and Configuring Source and Destination Filters on page 131 for more information.

2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.


3. Configure the following settings:

Load balancing method – From the drop-down list, select the load balancing method you require. The following methods are available:
  Source IP – Based on the client’s IP address, NITO selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
  Username – Based on the client’s username, NITO selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
  Note: This method requires NITO to be configured for username and password based authentication. See Chapter 10, About Authentication Policies on page 105 for more information.
  Round-robin – NITO cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.

Upstream proxy – From the drop-down list, select the proxy for which you are configuring the policy.

Source filter – From the drop-down list, select Everything.

Destination filter – From the drop-down list, select Everything.

Action – Select Allow.

Comment – Optionally, enter a comment describing the proxy.

Enabled – Select to enable the policy.

4. Click Save. NITO creates the policy and lists it in the Upstream proxy policies table.

5. Configure policies for other upstream proxies by repeating steps 2 and 3 above.

Once you have configured policies for the upstream proxies you require, NITO will check any web requests against the policy table and each of the proxies will be allowed to service the request, so load balancing and failover rules will be used to pick the most suitable proxy. NITO monitors the availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies.

If none of the proxies permitted to service a request are available, NITO will use the default proxy. If the default proxy is not available, or if no default proxy is configured, the request will be forwarded directly to its origin server.

Enforcing Upstream Proxy Usage

If you want to prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, disable the Allow direct connections option.

Note: As disabling the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, only disable it to implement strict requirements that all traffic go through an upstream proxy.

For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain.


Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.
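The selection rules from About Upstream Proxy Behavior, the three load balancing methods, the load balance ratio and the None/Allow and None/Block policies described above, modelled as an added example (not NITO's own code). Proxies, policies and the client requests are constructed placeholders; the way a matching None policy overrides the global Allow direct connections option is an assumption of this model.

```javascript
// Added example, not NITO's own code: a model of the upstream proxy selection
// this guide describes (policy pool first, then the default proxy, then a
// direct connection if allowed). All proxies, filters and policies are
// constructed placeholder data.

// Source filter: "Everything" or a single client IP address (the range and
// network forms from the Filters page are left out of this model).
function matchSource(filter, clientIp) {
  return filter === "Everything" || filter === clientIp;
}

// Destination filter: "Everything", a domain (which also covers its
// subdomains), or a regular expression matched against the full URL.
function matchDestination(filter, url) {
  if (filter === "Everything") return true;
  if (filter.charAt(0) === "^") return new RegExp(filter).test(url);
  const host = new URL(url).hostname;
  return host === filter || host.endsWith("." + filter);
}

// Deterministic string hash used to pin a client (by IP or username) to
// one proxy of the pool, as the Source IP and Username methods do.
function stableHash(s) {
  let h = 5381;
  for (const ch of s) h = ((h * 33) ^ ch.charCodeAt(0)) >>> 0;
  return h;
}

const rrState = { counter: 0 }; // round-robin position, shared across requests

// Returns the name of the proxy to use, "DIRECT", or null when the request
// cannot be forwarded at all (no usable proxy and direct access not allowed).
function selectUpstream(config, request) {
  const { proxies, policies, defaultProxy, allowDirect, method } = config;
  const pool = [];
  let directAllowed = allowDirect;
  // Policies are additive and checked in order. A policy with upstream
  // proxy "None" adjusts whether this request may go direct (assumption:
  // the last matching None policy overrides the global option).
  for (const p of policies) {
    if (!p.enabled) continue;
    if (!matchSource(p.source, request.clientIp)) continue;
    if (!matchDestination(p.destination, request.url)) continue;
    if (p.proxy === "None") {
      directAllowed = p.action === "Allow";
    } else if (p.action === "Allow") {
      if (!pool.includes(p.proxy)) pool.push(p.proxy);
    } else {
      const i = pool.indexOf(p.proxy);
      if (i >= 0) pool.splice(i, 1);
    }
  }
  // Unavailable proxies are skipped: NITO monitors availability itself.
  const available = pool.filter((name) => proxies[name].available);
  if (available.length > 0) {
    if (method === "Source IP") {
      return available[stableHash(request.clientIp) % available.length];
    }
    if (method === "Username") {
      return available[stableHash(request.username || "") % available.length];
    }
    // Round-robin weighted by load balance ratio: a proxy with ratio 2
    // appears twice per cycle and so receives twice the requests.
    const cycle = available.flatMap((name) => Array(proxies[name].ratio).fill(name));
    return cycle[rrState.counter++ % cycle.length];
  }
  if (defaultProxy && proxies[defaultProxy].available) return defaultProxy;
  return directAllowed ? "DIRECT" : null;
}

// Constructed configuration: proxy A has load balance ratio 2, proxy B
// ratio 1, direct access is allowed globally, but a None/Block policy
// keeps youtube.com traffic off direct connections, as in the guide.
function exampleConfig() {
  return {
    method: "Round-robin",
    allowDirect: true,
    defaultProxy: null,
    proxies: {
      A: { ratio: 2, available: true },
      B: { ratio: 1, available: true },
    },
    policies: [
      { proxy: "A", source: "Everything", destination: "Everything", action: "Allow", enabled: true },
      { proxy: "B", source: "Everything", destination: "Everything", action: "Allow", enabled: true },
      { proxy: "None", source: "Everything", destination: "youtube.com", action: "Block", enabled: true },
    ],
  };
}

// Walks the guide's scenarios: three round-robin requests, then both proxies
// down so example.com falls back to DIRECT while youtube.com is refused.
function demo() {
  const cfg = exampleConfig();
  const req = { clientIp: "192.168.0.10", url: "http://example.com/", username: "alice" };
  rrState.counter = 0;
  const viaProxies = [1, 2, 3].map(() => selectUpstream(cfg, req));
  cfg.proxies.A.available = false;
  cfg.proxies.B.available = false;
  const fallback = selectUpstream(cfg, req);
  const blocked = selectUpstream(cfg, { ...req, url: "https://www.youtube.com/" });
  return { viaProxies, fallback, blocked };
}
```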

Managing Blocklists

A blocklist is a group of pre-configured settings which is updated on a regular basis by NITO. A blocklist maintains NITO’s list of undesirable, inappropriate or objectionable content.

NITO automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually.

Viewing Blocklist Information

To view blocklist information:

1. Navigate to the System > Maintenance > Licenses page.

Note: The information displayed depends on the product you are using.

Blocklist subscription status is displayed.

By default, NITO checks for updated blocklists hourly. When a new blocklist becomes available, NITO automatically downloads and installs it.

Note: As NITO complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit http://www.iwf.org.uk/ for more information.

Manually Updating Blocklists

To manually update blocklists:

1. Navigate to the System > Maintenance > Licenses page.

2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.

Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your NITO reseller or NITO directly.


Managing Block Pages

When an end-user’s web request is blocked, NITO displays its default block page which tells the user that they have been blocked from accessing the web content they requested. It also shows other information such as which group the user is in, what the blocked content is categorized as and the computer’s IP address.

Which block page NITO displays is determined by the block page policies in use. The following sections explain about the different block pages you can use, how to create a block page policy and how to manage block page policies.

You can configure NITO to display the following different types of block pages:
• A block page which you have customized, for more information, see Customizing a Block Page on page 137
• A block page located at a specified URL, see Using an External Block Page on page 139.

Customizing a Block Page

You can customize the default block page in many ways, including supplying a new message about why a block occurred and using different graphics.

To customize a block page:

1. Navigate to the Guardian > Block page > Block pages page.


2. Configure the following settings:

Name – Enter a name for the block page.

Comment – Enter a comment describing the block page.

3. Select the Manually create contents for block page option and configure the following settings:

Block message – This is the default message shown when a user is blocked from accessing content because of the web filter policy that applies to them. You can use this text or enter a custom message explaining to the user what has happened.

Quota message – This is the default message shown when a user tries to access content which is time limited because of the web filter policy that applies to them. You can use this text or enter a custom message. For more information on quotas, see Chapter 9, Working with Quota Objects on page 86.

Quota button label – This is the text used on the quota button which users must click to start using their quota of time to access the content. You can use this text or enter custom text.

Sub message – Accept the default message, or enter a custom, secondary message.

Administrator's email address – Optionally, enter an administrator’s email address, for contact purposes.

4. Optionally, click Advanced and configure the following settings:

Custom title image – This option determines the image displayed at the top of the block page.
  Note: To use a custom title image, the image must be 551 x 79 pixels.
  To specify a custom title image:
  1. Click Browse.
  2. In the dialog box that opens, browse to and select the image. Click OK.
  3. Click Upload.

Custom background image – This option determines the image displayed as a background on the block page.
  Note: To use a custom background image, the image must be 551 x 552 pixels.
  To specify a custom background image:
  1. Click Browse.
  2. In the dialog box that opens, browse to and select the image. Click OK.
  3. Click Upload.

Show client username – Optionally, select to display the user’s username, if applicable.

Show email address – Optionally, select to display the administrator's email address.

Show client IP – Optionally, select to display the IP address of the user’s workstation.


Show client hostname – Optionally, select to display the workstation’s hostname on the block page.

Show user group – Optionally, select to display the user’s group membership, if applicable.

Show unblock controls – Optionally, select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working on Block Pages on page 141.

Show reason for block – Optionally, select to display the reason why the web request was blocked.

Show bypass controls – Optionally, select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass NITO. For more information, see Customizing a Block Page on page 137.
  Note: When an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 75) and a user visits a site with an invalid certificate, NITO’s temporary bypass will not work. This is because NITO must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.

Show URL of blocked page – Optionally, select to display the URL of the blocked web request.

Use custom title image – Select if you have specified a custom title image, see above for more information.

Show categories matched – Optionally, select to display the filter category that caused the page to be blocked, if applicable.

Use custom background image – Select if you have specified a custom background image, see above for more information.

5. Click Save to save the block page and make it available for use in a block page policy.

Using an External Block Page

NITO enables you to specify an external page as a block page.

To use an external page as a block page:

1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:

Name – Enter a name for the block page.

Comment – Enter a comment describing the block page.

Redirect to block page – Select to enable NITO to use an external block page.

Block page URL – Enter the block page’s URL.


2. Click Save to make it available for use in a block page policy.

Configuring a Block Page Policy

By default, NITO displays a standard block page whenever it blocks a web request by users. You can configure NITO to display a specific block page when a web request is blocked based on unsuitable or objectionable content, location or time.

To configure a block page policy:

1. Browse to the Guardian > Block page > Policy wizard page.

2. Complete the following steps:

Step 1: Who – From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.

Step 2: What – From the Available categories or category groups list, select what categories or category groups will trigger the content being blocked. Click Next to continue. For information on categories, see Chapter 9, Working with Category Group Objects on page 80.

Step 3: Where – From the Available locations list, select where the policy applies. Click Next to continue. For information on locations, see Chapter 9, Working with Location Objects on page 85.

Step 4: When – From the Available time slots list, select when the policy applies. Click Next to continue. For information on time slots, see Chapter 9, Working with Time Slot Objects on page 84.


Step 5: Action – Select which block page to use. For information on the types of block pages you can use, see Chapter 11, Managing Block Pages on page 137.

3. Select Enable policy to enable the policy and click Confirm.

4. NITO displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the manage policies page.

Managing Block Page Policies

Block page policies are managed on the manage policy page. NITO processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping them on the page.

To manage block page policies:

1. Browse to the Guardian > Block page > Manage policies page.

2. To change the order of the policies displayed, select a policy and drag it to the position you require.

3. Click Save to save the change(s). NITO re-orders the policies.

Working on Block Pages

Depending on how a block page is configured, there may be controls to add URLs and domains to user-defined blocked or allowed categories, as well as temporary bypass features to allow users with the correct privileges to access the blocked content.

Adding to User-defined Categories

Note: The availability of these options depends on how the block page is configured. For more information, see Customizing a Block Page on page 137.


To add to user-defined categories:

1. Configure the following settings on the block page:

Control – From the User-defined categories drop-down list, select one of the following options:

Custom blocked content – Add the blocked URL or domain to the custom blocked category.

Custom allowed content – Add the blocked URL or domain to the custom allowed category.

Temporary Bypass – Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:

30 seconds – Temporarily bypass the block page for 30 seconds.

5 minutes – Temporarily bypass the block page for 5 minutes.

30 minutes – Temporarily bypass the block page for 30 minutes.

When prompted, enter the bypass password.

Note: The temporary bypass and control options use non-standard port 442. This is to enable administrator access controls to be used without affecting these features.


12 NITO Alerts, Logs and Reports

In this chapter:

• Configuring alerts

• Reviewing realtime and logged information

• Generating reports

• Backing up and restoring data.

About Alerts

You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

Guardian Violations – Constantly monitors NITO activity and generates warnings about suspicious or blocked web access.

Guardian upstream proxy status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.

Guardian URL violations – Monitors URL activity once every five minutes.


Guardian Web Proxy Failover Status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.

Configuring the Guardian Violations Alert

When configured and enabled, NITO generates warnings about suspicious or blocked web accesses.

To set the alert:

1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:

Forbidden user accesses:

Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.

Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.

Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.

Exclude adverts – Select to exclude adverts when monitoring the number of accesses.

Note: The alert will be triggered only if the method used to authenticate users supplies a username. For more information on authentication methods, see Chapter 10, Managing Authentication Policies on page 105.

Forbidden IP address accesses:

Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.

Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.

Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.

Exclude adverts – Select to exclude adverts when monitoring the number of accesses.

2. Click Save to save and apply the settings.

Configuring the Guardian URL Violations Alert

When configured and enabled, NITO generates warnings about suspicious URL activity.


To set the alert:

1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:


URLs to monitor – Enter a URL or part of a URL to monitor. NITO will search for each entry exactly as entered. For example, any of the following entries:

http://www.example.com

example.com

real

would match: http://www.example.com/we%20are%20not%20real

Warning threshold – Enter the number of URL matches above which a warning alert is generated.

Caution threshold – Enter the number of URL matches above which a caution alert is generated.

2. Click Save to save and apply the settings.
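The counting and threshold logic behind the Guardian Violations alert (blocked accesses per user or per IP, optionally excluding adverts) and the Guardian URL violations alert (literal substring matches), as an added illustration that is not NITO's own code. The sample records, their blocked/advert flags and the strict "above threshold" comparison are assumptions; what the appliance actually reads is internal to it.

```python
from collections import Counter

# Constructed sample records using the web filter log columns (time, source IP,
# user, website, HTTP code). The 'blocked' and 'advert' flags are assumptions that
# stand in for the filter's own verdict and its advert category.
SAMPLE_LOG = [
    {"time": "09:00:01", "src": "192.0.2.10", "user": "alice",
     "url": "http://www.example.com/", "code": 200, "blocked": False, "advert": False},
    {"time": "09:00:05", "src": "192.0.2.10", "user": "alice",
     "url": "http://ads.example.net/banner.gif", "code": 403, "blocked": True, "advert": True},
    {"time": "09:00:09", "src": "192.0.2.10", "user": "alice",
     "url": "http://www.example.com/we%20are%20not%20real", "code": 403, "blocked": True, "advert": False},
    {"time": "09:01:00", "src": "192.0.2.11", "user": "",
     "url": "http://games.example.org/play", "code": 403, "blocked": True, "advert": False},
    {"time": "09:01:04", "src": "192.0.2.11", "user": "",
     "url": "http://ads.example.net/pixel.gif", "code": 403, "blocked": True, "advert": True},
    {"time": "09:02:00", "src": "192.0.2.12", "user": "bob",
     "url": "http://example.com/news", "code": 200, "blocked": False, "advert": False},
]


def blocked_access_counts(records, key, exclude_adverts=True):
    """Count blocked accesses per user (key='user') or per source IP (key='src').

    Records without a username are skipped when counting per user, because the
    Guardian Violations alert only fires when the authentication method supplies
    one. Advert hits are dropped when exclude_adverts is set ('Exclude adverts').
    """
    counts = Counter()
    for rec in records:
        if not rec["blocked"]:
            continue
        if exclude_adverts and rec["advert"]:
            continue
        subject = rec[key]
        if not subject:
            continue
        counts[subject] += 1
    return counts


def alert_levels(count, warning, caution):
    """Return the set of alert levels whose threshold the count is strictly above.

    The two thresholds are evaluated independently; the guide does not state that
    one must be higher than the other.
    """
    levels = set()
    if count > warning:
        levels.add("warning")
    if count > caution:
        levels.add("caution")
    return levels


def url_violation_count(records, monitored):
    """Count log entries whose URL contains at least one monitored entry.

    Entries are matched as literal substrings, exactly as entered: no wildcards,
    no case folding, so 'example.com' also hits 'http://www.example.com/...'.
    """
    return sum(1 for rec in records
               if any(entry in rec["url"] for entry in monitored))


def evaluate_alerts(records, *, warning, caution, monitored):
    """Run both alerts over one batch of records and report what each would raise."""
    report = {"user": {}, "src": {}, "url": set()}
    for key in ("user", "src"):
        for subject, n in blocked_access_counts(records, key).items():
            levels = alert_levels(n, warning, caution)
            if levels:
                report[key][subject] = levels
    report["url"] = alert_levels(url_violation_count(records, monitored),
                                 warning, caution)
    return report


if __name__ == "__main__":
    print(evaluate_alerts(SAMPLE_LOG, warning=0, caution=3,
                          monitored=["http://www.example.com", "example.com", "real"]))
```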

Realtime Web Filter Information

NITO enables you to view realtime information on web filtering.

To display realtime information:

1. Navigate to the Logs and reports > Realtime > Web filter page.

2. Configure the following options:

3. Click Update to refresh the information displayed. NITO displays the following details about the content being filtered:

URL – The URL of the content requested.

Code – The HTTP return code of the content request.


Web Filter Logs

Web filter logs provide detailed analysis of NITO web proxy and filtering activity.

Information can be viewed, with customized content by IP address, request type, authenticated username and domain.

You can select what you want to view with the options at the top of the page. You may select the day, month, year and the source IP to view the logs for. You can use regular expressions to filter certain lines from the log and also filter to show only a single user, domain or category. The default has been set to strip all images, etc.

Viewing Log Entries

To view web filter log entries:

1. Navigate to the Logs and reports > Logs > Web filter page.

2. Configure the following options to view NITO log information:

View mode – Allows a particular subset of web or filter logs to be displayed:

Web Filter Logs – Used to display all web filter log entries including blocked and exception log entries.

Web Filter Logs (only denied pages) – Used to display all log entries where the request was blocked by the filter.

Web Filter Logs (only denied and exception) – Used to display all log entries where the request was blocked or let through due to an exception rule.

Max results to display – By default, NITO displays 1,000 log entries. To change this, select a new number from the drop-down list.

Date – By default, NITO uses the current date. To change this, from the drop-down lists, select the date you want to show for.

Start time – By default, NITO uses 00.00 as the start time. To change this, from the drop-down lists, set the time you want to start showing for.


Source IP – Used to display web filter logs originating from a particular source by IP.

Ignore filter – Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, javascript, CSS style and other file requests.

Enable ignore filter – Used to activate the ignore filter.

User filter – Used to display log entries recorded against a particular username. For example, john will display log entries for the user john. However, this will not match johnathan. It is possible to include regular expressions within the filter – for example, john.* will match john, johnny, johnathan etc. To activate the user filter, the Enable user filter option must be selected.

Enable user filter – Used to activate the user filter.

Domain filter – Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com, www.abc.net but not match abc.net etc. It is possible to include regular expressions within the filter – for example (www.)?abc.com will match both abc.com and www.abc.com. To activate the domain filter, the Enable domain filter option must be selected.

Enable domain filter – Used to activate the domain filter.

Export format – When exporting log information you can select from the following export formats:

Comma Separated Values – The information is exported in comma separated text format.

Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format.

Raw Format – The information is exported without formatting.

Tab Separated Value – The information is exported separated by tabs.

Export all dates – To export and download all log entries generated by the current settings, for all dates available, select this option.

3. Choose or enter appropriate settings using the above controls and click Update. Log entries will be displayed in the Web log area.

The following display columns are presented in the Web log area:

Time – The time the web request was made.

Source IP – The source IP address the web request originated from.

User – The username of the user the web request originated from.

Website – The URL of the requested web resources. Note: When content matches a web filter policy, NITO displays a link to the policy.

Code – The HTTP return code of the request.
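The three log view filters described above, as an added illustration that is not NITO's own code: the user filter matched against the whole username, the domain filter matched at the start of the domain part of the URL, and the ignore filter as an exclusion regular expression, with the Max results limit applied last. The sample entries and the stand-in default ignore expression are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed log entries with the Web log columns: time, source IP, user, website, code.
SAMPLE_LOG = [
    ("08:30:00", "192.0.2.10", "john",      "http://www.abc.com/index.html", 200),
    ("08:30:01", "192.0.2.10", "john",      "http://www.abc.com/logo.png",   200),
    ("08:31:00", "192.0.2.11", "johnny",    "http://www.abc.net/news",       200),
    ("08:32:00", "192.0.2.12", "johnathan", "http://abc.net/",               403),
    ("08:33:00", "192.0.2.13", "mary",      "http://abc.com/style.css",      200),
    ("08:34:00", "192.0.2.13", "mary",      "http://abc.com/about",          200),
]

# Stand-in for the default ignore filter, which drops image, JavaScript and CSS
# requests; the guide does not show the actual default expression.
DEFAULT_IGNORE = r"\.(gif|jpe?g|png|js|css)(\?.*)?$"


def domain_of(url):
    """The domain part of a URL, the only part the domain filter is matched against."""
    return urlsplit(url).hostname or ""


def user_matches(entry_user, pattern):
    """User filter: the expression must match the whole username.

    'john' therefore matches john but not johnathan, while 'john.*' matches john,
    johnny and johnathan.
    """
    return re.fullmatch(pattern, entry_user) is not None


def domain_matches(url, pattern):
    """Domain filter: the expression is matched at the start of the domain.

    'www.abc' matches www.abc.com and www.abc.net but not abc.net;
    '(www.)?abc.com' matches both abc.com and www.abc.com.
    """
    return re.match(pattern, domain_of(url)) is not None


def ignore_matches(url, pattern):
    """Ignore filter: entries whose URL matches the expression anywhere are dropped."""
    return re.search(pattern, url) is not None


def filter_log(records, *, user=None, domain=None, ignore=None, max_results=1000):
    """Apply the enabled filters in turn and honour 'Max results to display'.

    A filter passed as None is treated as its 'Enable ... filter' box being clear.
    """
    shown = []
    for rec in records:
        _, _, entry_user, url, _ = rec
        if ignore is not None and ignore_matches(url, ignore):
            continue
        if user is not None and not user_matches(entry_user, user):
            continue
        if domain is not None and not domain_matches(url, domain):
            continue
        shown.append(rec)
        if len(shown) >= max_results:
            break
    return shown


def users_shown(records, **filters):
    """The usernames of the entries a given combination of filters would display."""
    return [rec[2] for rec in filter_log(records, **filters)]


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_LOG, user="john.*", ignore=DEFAULT_IGNORE):
        print(*rec, sep="\t")
```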


Restoring the Default Settings

To restore the default view settings, click Restore defaults in the Settings area.

Guardian Reports

NITO provides a number of Guardian reports which supply information on IP activity, sites visited and much more.

Report types:

Blogs – Contains reports on bloggers, blogs and WordPress activity.

Category analysis – Contains reports on categories by hits and bandwidth and categories and the users who viewed sites within them.

Image and video sharing – Contains reports on Dailymotion, Flickr, Fotolog, ImageShack, ImageVenue and YouTube.

News – Contains reports on BBC News, CNet, CNN, general news and Slashdot.

Reference and educational – Contains reports on IMDB and Wikipedia.

Shopping and online auctions – Contains reports on Amazon, Craigslist, EBay and shopping and online auctions.

Social bookmarking – Contains reports on Delicious, Digg, Reddit and StumbleUpon.

Social networking – Contains reports on Bebo, Facebook, Friendster, Hi5, Linkedin, MySpace, Orkut, general social networking and Twitter.

Sport – Contains reports on BBC Sport, ESPN and general sport.

Web portals and search engines – Contains reports on AOL, Google, search engines, Windows Live and MSN and Yahoo.

For information on working with reports, see Chapter 15, Reporting on page 201.


13 NITO Services

In this chapter:

• User portals

For information on authentication services, see Chapter 14, Authentication and User Management on page 177.

Working with User Portals

NITO enables you to create user portals which can be configured to make reports and software downloads available and enable users with the correct privileges to ban other users or locations from web browsing.

Creating a Portal

The following section explains how to create a portal and make it accessible to users in a specific group.


To create a user portal and make it available to users:

1. Browse to the Services > User portal > Portals page.

2. In the Portals area, enter a name for the portal and click Save. NITO creates the portal and makes it accessible on your NITO system at, for example: http://192.168.72.141/portal/

3. Browse to the Services > User portal > Groups page.


4. Configure the following settings:

Group – From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 14, Managing Groups of Users on page 186.

Portal – From the drop-down menu, select the portal you want the group to access.

5. Click Add. NITO authorizes the group to use the portal.

The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.

Configuring a Portal

The following sections explain how to configure a NITO portal so that authorized users can view reports, block other users from accessing the web, download VPN client files and receive a welcome message.

Making Reports Available

When enabled, NITO will make the most often viewed reports available on the portal. For more information on working with reports, see Chapter 15, Reporting on page 201.

To make reports available on a portal:

1. Browse to the Logs and reports > Reports > Recent and saved page and locate the report you want to publish on a portal.

2. On the Permissions tab, click Portal Access. A dialog box containing report details opens.

3. From the Add access drop-down list, select the portal where you want to publish the report and click Add.

4. Click Close to close the dialog box.

5. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:

Portals – From the drop-down list, select the portal on which you want to make reports available and click Select.

6. In the Portal published reports and templates area, configure the following settings:

Enabled – Select Enabled.

Top reports displayed on portal home page – From the drop-down list, select the number of reports you want to display on the portal’s home page. NITO will display the most often viewed reports.

7. Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.


Enabling Groups to Block Users’ Access

You can enable users in a specific group which can access the portal to block individual user web access.

To authorize blocking:

1. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:

Portals – From the drop-down list, select the portal on which you want to authorize groups to block users.

2. In the Portal permissions for web access blocking area, configure the following settings:

Enabled – Select Enabled.

Allow control of groups – Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.

3. Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Location-based Web Access

You can enable users in a specific group which can access a NITO portal to block specific locations from accessing the other networks or external connections. For information on locations, see Chapter 9, Working with Location Objects on page 85.

To enable a group to block users:

1. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:

Portals – From the drop-down list, select the portal on which you want to enable groups to block users.

2. In the Portal permissions for web access blocking area, configure the following settings:

Enabled – Select Enabled.


Allow control of locations – Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web. To select consecutively listed locations, hold down the Shift key while selecting. To select non-consecutively listed locations, hold down the Ctrl key while selecting.

3. Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message

NITO enables you to display a customized welcome message when a user visits a portal.

To display a welcome message on a portal:

1. Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following settings:

Welcome message – Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.

2. Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals

The following section explains how to assign a group of users to a portal so that they can access it.

To assign a group to a portal:

1. Browse to the Services > User portal > Groups page.

2. Configure the following settings:

Group – From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 14, Managing Groups of Users on page 186.

Portal – From the drop-down menu, select the portal you want the group to access.

3. Click Add. NITO will allow members of the group to access the specified portal.

Making User Exceptions

You can configure NITO so that a user uses a specific portal. This setting overrides group settings.


To make user exceptions on a portal:

1. Browse to the Services > User portal > User exceptions page.

2. Configure the following settings:

Username – Enter the username of the user you want to access the portal.

Portal – From the drop-down list, select the portal you want the user to access.

3. Click Add. NITO gives the user access to the portal.

Accessing Portals

The following section explains how to access a portal.

To access a portal:

1. In the browser of your choice, enter the URL to the portal on your NITO system, for example: http://192.168.72.141/portal/

2. Accept any certificate and other security information. NITO displays the login page for the portal.

3. Enter a valid username and password and click Login. The portal is displayed.

Editing Portals

The following section explains how to edit a portal.

To edit a portal:

1. Browse to the Services > User portal > Portals page.

2. From the Portals drop-down list, select the portal you want to edit.

3. Make the changes you require, see Configuring a Portal on page 151 for information on the settings available.

4. Click Save to save the changes.

Deleting Portals

The following section explains how to delete a portal.


To delete a portal:

1. Browse to the Services > User portal > Portals page.

2. From the Portals drop-down list, select the portal you want to delete.

3. Click Delete. NITO deletes the portal.

SNMP

Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes.

NITO’s SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:

• System name, description, location and contact information

• Live TCP and UDP connection tables

• Detailed network interface and usage statistics

• Network routing table

• Disk usage information

• Memory usage information.

In SNMP terminology, NITO can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community.

The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other.

To enable and configure the SNMP service:

1. Navigate to the Services > SNMP > SNMP page.

2. Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community.

3. Click Save.

Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by NITO’s SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 16, Configuring Administration and Access Settings on page 224.


DNS

The following sections discuss domain name system (DNS) services in NITO.

Adding Static DNS Hosts

NITO can use a local hostname table to resolve internal hostnames. This allows the IP addresses of a named host to be resolved by its hostname.

Note: NITO itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:

1. Navigate to the Services > DNS > Static DNS page.

2. Configure the following settings:

IP address – Enter the IP address of the host you want to be resolved.

Hostname – Enter the hostname that you would like to resolve to the IP address.

Comment – Enter a description of the host.

Enabled – Select to enable the new host being resolved.

3. Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts

To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service

The DNS proxy service is used to provide internal and external name resolution services for local network hosts.

In this mode, local network hosts use NITO as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in NITO’s static DNS hosts table.


To enable the DNS proxy service on a per-interface basis:

1. Navigate to the Services > DNS > DNS Proxy page.


2. Select each interface that should be able to use the DNS proxy and click Save.

Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of NITO, the system will use the DNS proxy for name resolution.

Censoring Instant Message Content

NITO enables you to create and deploy policies which accept, modify, block and/or log content in instant messages.

Configuration Overview

Configuring an instant message censor policy entails:

• Defining custom categories required to cater for situations not covered by the default NITO phrase lists, for more information, see Managing Custom Categories on page 157

• Configuring time periods during which policies are applied, for more information, see Setting Time Periods on page 159

• Configuring filters which classify messages by their textual content, for more information, see Creating Filters on page 160

• Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity, see Creating and Applying Message Censoring Policies on page 161.

Managing Custom Categories

Custom categories enable you to add phrases which are not covered by the default NITO phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories

The following section explains how to create a custom category.


To create a custom category:

1. Browse to the Services > Message censor > Custom categories page.

2. Configure the following settings:

Name – Enter a name for the custom category.

Comment – Optionally, enter a description of the category.

Phrases – Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:

(example-exact-phrase) – NITO matches exact phrases without taking into account possible spelling errors.

(example-approximate-phrase)(2) – For the number specified, NITO uses ‘fuzzy’ matching to take into account that number of spelling mistakes or typographical errors when searching for a match.

3. Click Add. NITO adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.
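Parsing a Phrases field in the format above and checking message text against it, as an added illustration rather than NITO's own matcher. How NITO implements "fuzzy" matching is not stated in the guide; this example assumes an edit-distance search for the best-matching substring (Sellers' algorithm) and case-insensitive comparison, and the sample phrase list is constructed.

```python
import re

# One phrase per line, in brackets: '(phrase)' is an exact match, '(phrase)(n)'
# allows up to n spelling or typing errors.
PHRASE_LINE = re.compile(r"^\((?P<phrase>.+?)\)(?:\((?P<errors>\d+)\))?$")

# Constructed phrase list in the format the Phrases field expects.
SAMPLE_CATEGORY = """
(buy now)
(free gift card)(2)
"""


def parse_phrase_list(text):
    """Parse a Phrases field into (phrase, allowed_errors) tuples.

    Raises ValueError for a line that is not in '(phrase)' or '(phrase)(n)' form,
    so a malformed list is rejected instead of silently matching nothing.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = PHRASE_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected '(phrase)' or '(phrase)(n)', got {line!r}")
        entries.append((m.group("phrase").lower(), int(m.group("errors") or 0)))
    return entries


def is_valid_phrase_list(text):
    """True if every non-blank line of the field is in the expected bracketed form."""
    try:
        parse_phrase_list(text)
    except ValueError:
        return False
    return True


def fuzzy_distance(text, phrase):
    """Smallest edit distance between phrase and any substring of text.

    Sellers' algorithm (assumed here, not NITO's documented method): a match may
    begin at any text position for free, so the first row of the edit-distance
    table is all zeros, and the best end position is the minimum of the last row.
    """
    m = len(phrase)
    prev = list(range(m + 1))  # empty text: every phrase character is missing
    best = prev[m]
    for ch in text:
        cur = [0] * (m + 1)
        for i in range(1, m + 1):
            cost = 0 if phrase[i - 1] == ch else 1
            cur[i] = min(prev[i] + 1,         # phrase char unmatched (deletion)
                         cur[i - 1] + 1,      # extra text char (insertion)
                         prev[i - 1] + cost)  # substitution or exact match
        best = min(best, cur[m])
        prev = cur
    return best


def match_message(entries, message):
    """Return the phrases the message contains within each phrase's error budget.

    Exact phrases (0 errors) use plain substring search; approximate ones use the
    edit-distance search above. Comparison is case-insensitive (an assumption).
    """
    text = message.lower()
    hits = []
    for phrase, errors in entries:
        if errors == 0:
            if phrase in text:
                hits.append(phrase)
        elif fuzzy_distance(text, phrase) <= errors:
            hits.append(phrase)
    return hits


if __name__ == "__main__":
    entries = parse_phrase_list(SAMPLE_CATEGORY)
    print(match_message(entries, "Get your free gfit card today"))
```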

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:

1. Browse to the Services > Message censor > Custom categories page.

2. In the Current categories area, select the category and click Edit.

3. In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.

4. At the top of the page, click Restart to apply the changes.


Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:

1. Browse to the Services > Message censor > Custom categories page.

2. In the Current categories area, select the category or categories and click Remove.

3. At the top of the page, click Restart to apply the changes.

Setting Time Periods

You can configure NITO to apply policies at certain times of the day and/or days of the week.

To set a time period:

1. Browse to the Services > Message censor > Time page.

2. Configure the following settings:

Active from – to: From the drop-down lists, set the time period.

Select the weekdays when the time period applies.

Name – Enter a name for the time period.

Comment – Optionally, enter a description of the time period.

3. Click Add. NITO creates the time period and makes it available for selection on the Services > Message censor > Policies page.

Editing Time Periods

The following section explains how to edit a time period.

To edit a time period:

1. Browse to the Services > Message censor > Time page.

2. In the Current time periods area, select the time and click Edit.

3. In the Time period settings, edit the settings. When finished, click Add to save your changes.


4. At the top of the page, click Restart to apply the changes.

Deleting Time Periods

The following section explains how to delete time periods.

To delete time periods:

1. Browse to the Services > Message censor > Time page.

2. In the Current time periods area, select the period(s) and click Remove.

3. At the top of the page, click Restart to apply the changes.

Creating Filters

NITO uses filters to classify messages according to their textual content. NITO supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters, for more information, see Creating Custom Categories on page 157.

To create a filter:

1. Browse to the Services > Message censor > Filters page.

2. Configure the following settings:

Name – Enter a name for the filter.

Comment – Optionally, enter a description of the filter.

Custom phrase list – Select the categories you want to include in the filter.

3. Click Add. NITO creates the filter and makes it available for selection on the Services > Message censor > Policies page.


Editing Filters

You can add, change or delete categories in a filter.

To edit a filter:

1. Browse to the Services > Message censor > Filters page.

2. In the Current filters area, select the filter and click Edit.

3. In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.

4. At the top of the page, click Restart to apply the changes.

Deleting Filters

You can delete filters which are no longer required.

To delete filters:

1. Browse to the Services > Message censor > Filters page.

2. In the Current filters area, select the filter(s) and click Remove.

3. At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censoring Policies

The following section explains how to create and apply a censor policy for IM content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:

1. Browse to the Services > Proxies > Instant messenger page and, in the Instant Messaging proxy area, configure the following settings:

Enabled – Check that instant messaging proxying is enabled.

Enable Message Censor – Select this option to enable censoring of words usually considered unsuitable.


2. Browse to the Services > Message censor > Policies page.

3. Configure the following settings:

Service – From the drop-down menu, select one of the following options:

IM proxy incoming – Select to apply the policy to incoming instant message content.

IM proxy outgoing – Select to apply the policy to outgoing instant message content.

Click Select to update the policy settings available.

Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 160.

Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 159.

Action – From the drop-down menu, select one of the following actions:

Block – Content which is matched by the filter is discarded.

Censor – Content which is matched by the filter is masked but the message is delivered to its destination.

Categorize – Content which is matched by the filter is allowed and logged.

Allow – Content which is matched by the filter is allowed and is not processed by any other filters.

Log severity level – Based on the log severity level, you can configure NITO to send an alert if the policy is violated. From the drop-down list, select a level to assign to the content if it violates the policy. See Chapter 18, Configuring the Inappropriate Word in IM Monitor Alert on page 261 for more information.

Comment – Optionally, enter a description of the policy.

Enabled – Select to enable the policy.

4. Click Add and, at the top of the page, click Restart to apply the policy. NITO applies the policy and adds it to the list of current policies.


Editing Policies

You can add, change or delete a policy.

To edit a policy:

1. Browse to the Services > Message censor > Policies page.

2. In the Current policies area, select the policy and click Edit.

3. Edit the settings as required, see Creating and Applying Message Censoring Policies on page 161 for information on the settings available. When finished, click Add to save your changes.

4. At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:

1. Browse to the Services > Message censor > Policies page.

2. In the Current policies area, select the policy or policies and click Remove.

3. At the top of the page, click Restart to apply the changes.

Managing the Intrusion System

NITO’s intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. NITO can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks.

All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

About the Default Policies

By default, NITO comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies

NITO’s default policies enable you to deploy intrusion detection immediately to identify threats on your network.


To deploy an intrusion detection policy:

1. Browse to the Services > Intrusion system > IDS page.

2. Configure the following settings:

3. Click Add. NITO deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies

To remove an intrusion detection policy from deployment:

1. Browse to the Services > Intrusion system > IDS page.

2. In the Current IDS policies area, select the policy you want to remove.

3. Click Remove. NITO removes the policy.

Deploying Intrusion Prevention Policies

NITO enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:

1. Browse to the Services > Intrusion system > IPS page.

2. Configure the following settings:

3. Click Add. NITO lists the policy in the Current IPS policies area.


4. Browse to the Networking > Firewall > Port forwarding page and configure a port forwarding rule with IPS enabled to deploy the policy. For more information on port forwarding, see Chapter 7, Creating Port Forward Rules on page 60.

Removing Intrusion Prevention Policies

To remove an intrusion prevention policy from deployment:

1. Browse to the Services > Intrusion system > IPS page.

2. In the Current IPS policies area, select the policy you want to remove.

3. Click Remove. NITO removes the policy.


Creating Custom Policies

By default, NITO contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy:

1. Browse to the Services > Intrusion system > Policies page.


Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed the process.

2. Configure the following settings:

3. Click Add. NITO creates the policy and lists it in the Current policies area.

The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 163 and Deploying Intrusion Prevention Policies on page 164.

Uploading Custom Signatures

NITO enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.

To upload custom signatures:

1. Navigate to the Services > Intrusion system > Signatures page.

2. Configure the following settings:

Custom signatures – Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. NITO uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.

Note: Use custom signatures with caution as NITO cannot verify custom signature integrity.

Use syslog for Intrusion logging – Select this option to enable logging intrusion events in the syslog.


Oink code – If you have signed up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. NITO downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.

Note: Updating the signatures can take several minutes.

3. Click Save. Any custom signatures you have uploaded to NITO or Sourcefire VRT signatures you have downloaded to NITO will be listed on the Services > Intrusion system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 163 and Deploying Intrusion Prevention Policies on page 164.
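Since NITO cannot verify the integrity of an uploaded custom signature file, the only check is the one the administrator makes before uploading. The following Python script is an added example, not part of NITO or of this guide: it re-computes a SHA-256 digest to compare with the digest recorded when the file was obtained, and runs a light syntax check over Snort-format rules (a parseable header, a known action and protocol, and a unique sid per rule). The sample rules are constructed; whether NITO itself rejects any of these conditions is not stated in the guide.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample of a Snort-format signature file; not taken from the guide or from NITO.
SAMPLE_RULES = b"""# constructed example rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/example-probe"; http_uri; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; content:"|01 00 00 01|"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE missing sid"; content:"SSH-";)
alert tcp any any -> any 25 (msg:"EXAMPLE duplicate sid"; sid:1000001; rev:2;)
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")


def sha256_hex(data: bytes) -> str:
    """Digest to record when a signature file is obtained and to re-check before uploading it."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """True when the file still matches the digest recorded at download time."""
    return sha256_hex(data) == expected_hex.strip().lower()


def lint_rules(data: bytes) -> Tuple[int, List[str]]:
    """Light syntax check: returns (number of well-formed rules, list of problems found)."""
    problems: List[str] = []
    seen_sids: Dict[str, int] = {}
    valid = 0
    for lineno, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unparseable rule header")
            continue
        if m.group("action") not in ACTIONS:
            problems.append(f"line {lineno}: unknown action {m.group('action')!r}")
        if m.group("proto") not in PROTOCOLS:
            problems.append(f"line {lineno}: unknown protocol {m.group('proto')!r}")
        sid = SID_RE.search(m.group("opts"))
        if not sid:
            problems.append(f"line {lineno}: rule has no sid")
            continue
        if sid.group(1) in seen_sids:
            problems.append(f"line {lineno}: sid {sid.group(1)} already used on line {seen_sids[sid.group(1)]}")
            continue
        seen_sids[sid.group(1)] = lineno
        valid += 1
    return valid, problems


if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_RULES))
    count, issues = lint_rules(SAMPLE_RULES)
    print(f"{count} well-formed rules")
    for issue in issues:
        print("  ", issue)
```

The digest comparison only helps if the expected value was recorded from a trusted source at the time the file was obtained; the lint catches the duplicate-sid and missing-sid mistakes that commonly break a rule set, not the semantics of each rule.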

Deleting Custom Signatures

It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page.

Note: If you choose to delete custom signatures, NITO will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.

To delete custom signatures:

1. On the Services > Intrusion system > Signatures page, click Delete.

2. NITO prompts you to confirm the deletion. Click Confirm; NITO deletes the signatures.

DHCP

NITO's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings.

NITO DHCP provides a fully featured DHCP server, with the following capabilities:

• Support for 2 DHCP subnets

• Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet

• Automate the creation of static assignments using the ARP cache


Enabling DHCP

To enable DHCP:

1. Navigate to the Services > DHCP > Global page.

2. Configure the following settings:

Enabled – Select to enable the DHCP service.

Server – Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.

Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.

Enable logging – Select to enable logging.

3. Click Save to enable the service.

Creating a DHCP Subnet

The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.


To create a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. Configure the following settings:

DHCP Subnet – From the drop-down menu, select Empty and click Select.

Subnet name – Enter a name for the subnet.

Network – Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the Netmask field. For example: 192.168.10.0.

Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.

Primary DNS – Enter the value that a requesting network host will receive for the primary DNS server it should use.


Secondary DNS – Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.

Default gateway – Enter the value that a requesting network host will receive for the default gateway it should use.

Enabled – Determines whether the DHCP subnet is currently active.

Click Advanced to access the following settings:

Primary WINS – Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.

Secondary WINS – Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.

Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature.

Tip: Enter NITO’s IP address and clients can use its time services if enabled. See Chapter 16, Setting Time on page 221 for more information.

Secondary NTP – Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature.

Tip: Enter NITO’s IP address and clients can use its time services if enabled. See Chapter 16, Setting Time on page 221 for more information.

Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.

Max lease time (mins) – Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.

TFTP server – Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.

Network boot filename – Specify to the network booting client which file to download when booting from the above TFTP server.

Domain name suffix – Enter the domain name suffix that will be appended to the requesting host's hostname.

Automatic proxy config URL – Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.

Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 174.

3. Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.


Editing a DHCP subnet

To edit a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. From the DHCP Subnet drop-down list, select the subnet and click Select.

3. Edit the settings displayed in the Settings area.

4. Click Save.

Deleting a DHCP subnet

To delete a DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. From the DHCP Subnet drop-down list, select the subnet and click Select.

3. Click Delete.

Adding a Dynamic Range

Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.

To add a dynamic range to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.

3. In the Add a new dynamic range area, configure the following settings:

4. Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment

Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by referencing the unique MAC address of the requesting host’s network interface card. This is used to ensure that certain hosts are always leased the same IP address, as if they were configured with a static IP address.

To add a static assignment to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.

3. Scroll to the Add a new static assignment area and configure the following settings:

4. Click Add static. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.

To add a static assignment from the ARP cache to an existing DHCP subnet:

1. Navigate to the Services > DHCP > DHCP server page.

2. Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.

3. Scroll to the Add a new static assignment from ARP table area.

4. Select one or more MAC addresses from those listed and click Add static from ARP table.


5. Click Save.

Editing and Removing Assignments

To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases

To view free leases:

1. Navigate to the Services > DHCP > DHCP leases page.

2. Select Show free leases and click Update. The following information is displayed:

IP address – The IP address assigned to the network host which submitted a DHCP request.

Start time – The start time of the DHCP lease granted to the network host that submitted a DHCP request.

End time – The end time of the DHCP lease granted to the network host that submitted a DHCP request.

MAC address – The MAC address of the network host that submitted a DHCP request.

Hostname – The hostname assigned to the network host that submitted a DHCP request.

State – The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, that is, the IP address is reserved for the same MAC address, or re-used if not enough addresses are available.


DHCP Relaying

NITO DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.

To configure DHCP relaying:

1. Connect to NITO and navigate to the Services > DHCP > DHCP relay page.

2. Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields. Click Save.

Note: DHCP relaying must be enabled on the Services > DHCP > Global page.

Creating Custom DHCP Options

NITO enables you to create and edit custom DHCP options for use on subnets.

For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:

1. Browse to the Services > DHCP > Custom options page.


2. Configure the following settings:

Option code – From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.

Option type – From the drop-down list, select the option type:

IP address – Select when creating an option which uses an IP address.

Text – Select when creating an option which uses text.

Description – Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.

Comment – Optionally, enter any comments relevant to the option.

Enabled – Select to enable the option.

3. Click Add. NITO creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 169.
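The subnet fields from Creating a DHCP Subnet, the pools and reservations from Adding a Dynamic Range and Adding a Static Assignment, and the custom option codes above (128 to 254, excluding 252) form one plan that is easy to get inconsistent when it is typed into several pages. The following Python is an added example, not NITO code: it checks such a plan offline with the standard ipaddress module before the values are entered (network and netmask agree, gateway and pools lie inside the subnet, static addresses do not fall inside a dynamic pool, MAC addresses are well formed, option codes are in the offered range and values match their type). The Subnet class and the sample plan are constructed for the example; NITO exposes no such API.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Option codes the Custom options page offers: 128 to 254, with 252 excluded.
ALLOWED_CUSTOM_CODES = set(range(128, 255)) - {252}


@dataclass
class Subnet:
    """Mirrors the fields entered on the DHCP server and Custom options pages (constructed)."""
    name: str
    network: str                      # e.g. "192.168.10.0"
    netmask: str                      # e.g. "255.255.255.0"
    gateway: str
    primary_dns: str
    dynamic_ranges: List[Tuple[str, str]] = field(default_factory=list)        # (first, last)
    static_hosts: List[Tuple[str, str]] = field(default_factory=list)          # (MAC, IP)
    custom_options: List[Tuple[int, str, str]] = field(default_factory=list)   # (code, type, value)


def _ip(label: str, value: str, errors: List[str]) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        errors.append(f"{label}: {value!r} is not an IPv4 address")
        return None


def _usable(label: str, addr: ipaddress.IPv4Address, net: ipaddress.IPv4Network, errors: List[str]) -> bool:
    if addr not in net:
        errors.append(f"{label}: {addr} is outside {net}")
        return False
    if addr in (net.network_address, net.broadcast_address):
        errors.append(f"{label}: {addr} is the network or broadcast address")
        return False
    return True


def validate_subnet(s: Subnet) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    errors: List[str] = []
    try:
        net = ipaddress.IPv4Network(f"{s.network}/{s.netmask}", strict=True)
    except ValueError as exc:
        return [f"network/netmask: {exc}"]
    gw = _ip("default gateway", s.gateway, errors)
    if gw is not None:
        _usable("default gateway", gw, net, errors)
    _ip("primary DNS", s.primary_dns, errors)        # a DNS server may legitimately be off-subnet

    pools: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for first, last in s.dynamic_ranges:
        a = _ip("dynamic range", first, errors)
        b = _ip("dynamic range", last, errors)
        if a is None or b is None:
            continue
        if a > b:
            errors.append(f"dynamic range {first}-{last}: first address is after last")
        elif _usable("dynamic range", a, net, errors) and _usable("dynamic range", b, net, errors):
            pools.append((a, b))

    seen_macs, seen_ips = set(), set()
    for mac, ip in s.static_hosts:
        if not MAC_RE.match(mac):
            errors.append(f"static assignment: {mac!r} is not a valid MAC address")
        elif mac.lower() in seen_macs:
            errors.append(f"static assignment: MAC {mac} is listed twice")
        seen_macs.add(mac.lower())
        addr = _ip(f"static assignment {mac}", ip, errors)
        if addr is None or not _usable(f"static assignment {mac}", addr, net, errors):
            continue
        if addr in seen_ips:
            errors.append(f"static assignment {mac}: {addr} is assigned twice")
        seen_ips.add(addr)
        for a, b in pools:
            if a <= addr <= b:
                errors.append(f"static assignment {mac}: {addr} lies inside dynamic range {a}-{b}")

    for code, opt_type, value in s.custom_options:
        if code not in ALLOWED_CUSTOM_CODES:
            errors.append(f"custom option {code}: code must be 128-254 and not 252")
        if opt_type == "IP address":
            _ip(f"custom option {code}", value, errors)
        elif opt_type == "Text":
            if not value.strip():
                errors.append(f"custom option {code}: text value is empty")
        else:
            errors.append(f"custom option {code}: unknown option type {opt_type!r}")
    return errors


# Constructed plan with deliberate mistakes, so the checks have something to report.
SAMPLE_SUBNET = Subnet(
    name="office", network="192.168.10.0", netmask="255.255.255.0",
    gateway="192.168.10.1", primary_dns="192.168.10.1",
    dynamic_ranges=[("192.168.10.100", "192.168.10.199")],
    static_hosts=[("00:11:22:33:44:55", "192.168.10.20"),     # fine
                  ("00:11:22:33:44:66", "192.168.10.150"),    # inside the dynamic pool
                  ("zz:zz:zz:zz:zz:zz", "192.168.10.21")],    # not a MAC address
    custom_options=[(128, "IP address", "192.168.10.5"),      # fine
                    (252, "Text", "http://proxy.example.net/wpad.dat"),  # 252 is not offered
                    (200, "IP address", "not-an-ip")],        # wrong value for the type
)

if __name__ == "__main__":
    for problem in validate_subnet(SAMPLE_SUBNET):
        print(problem)
```

Run it against a plan before entering it; a static reservation that sits inside a dynamic pool is the mistake most worth catching, because the server will otherwise hand the same address to two hosts over time.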


14 Authentication and User Management

In this chapter:

• Managing local users

• Configuring login time-out

• Managing temporarily banned users

• Viewing user activity

• Authenticating users with SSL login

• Working with Kerberos keytabs

• Managing groups

• Working with directory servers

• Managing the authentication system and running diagnostics.

Managing Local Users

NITO stores user account information comprised of usernames, passwords and group membership, in its local user database, so as to provide a standalone authentication service for network users.

Administrators can quickly add, view, edit, import, export and delete users to or from the local user database and map local users to a local authentication group.


Adding Users

To add a user to the local user database:

1. Navigate to the Services > Authentication > Local users page.

2. Configure the following settings:

Username – Enter the user account name.

Password – Enter the password associated with the user account. Passwords must be a minimum of six characters long.

Repeat password – Re-enter the password to confirm it.

Select group – From the drop-down menu, select a group to assign the user account to.

3. Click Add. NITO saves the information and lists the user in the Current users area.

Viewing Local Users

To view existing users from the local user database:

1. Navigate to the Services > Authentication > Local users page.

2. Review the Current users area of the page. Users are listed alphabetically by username.

Editing Local Users

To edit an existing user's details:

1. Navigate to the Services > Authentication > Local users page.

2. In the Current users area, locate and select the user you wish to edit.


3. Click Edit user. Once this button has been clicked, the user is suspended and removed from the user list. The user's details are displayed in the Add a user area.

4. Edit the user’s details as required. For more information, see Adding Users on page 178.

5. Click Add. NITO updates the information and re-lists the user in the Current users area.

Note: Once you click Edit user, the user is effectively removed from the user list. If you do not re-add the user, his/her information is permanently lost.

Importing New Users

New users can be imported into the local user database using a comma-separated text file in the following format:

username1,password1
username2,password2
...

Note: The username and password must not contain special characters or spaces. You must include the comma to separate the columns. If the password is in clear text, i.e. not encrypted, it will automatically be encrypted when the user is added. We recommend that you test importing a few users to confirm that you are getting the results you expect.

To import users to the local user database:

1. Navigate to the Services > Authentication > Local users page.

2. In the Import users area, click Browse, navigate to and select the text file containing the user information and click Open.

3. Click Import users. NITO imports the user information into the local user database.

Exporting Local Users

Existing groups of users can be exported from the local user database to a text file in the following format:

Username1:ENCRYPTED_PASSWORD
Username2:ENCRYPTED_PASSWORD
...

An example line in the export file might resemble the following: testuser:$apr1$Np4hD...$2eNu.nSQuj8b2apdZufcz0e

To export a group of users:

1. Navigate to the Services > Authentication > Local users page.

2. In the Export users area, from the Select group drop-down list select the group containing the users you want to export and click Export users.

3. Select the Save to disk or equivalent option from the dialog box displayed by your browser and click its OK, Save or equivalent button.

The exported users will be saved to a text file called users.txt. Files exported in this format can be imported back into the local user database using the import facility.
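The $apr1$ prefix in the export sample is the format of the Apache htpasswd MD5 scheme. The following Python is an added example, not NITO's code (the guide does not say which routine NITO uses, so treating its hashes as standard apr1 is an assumption): it checks import lines against the rules in the note above, re-implements the apr1 algorithm so that a line from users.txt can be verified against a known password, and splits export lines. The usernames and passwords are constructed, and reading "special characters" as anything non-alphanumeric is an assumption made here.

```python
import hashlib
import re
import secrets
from typing import Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The guide says username and password must not contain special characters or spaces;
# treating "special" as anything non-alphanumeric is an assumption made here.
PLAIN_FIELD_RE = re.compile(r"^[A-Za-z0-9]+$")


def check_import_line(line: str) -> Optional[str]:
    """Return why a 'username,password' line breaks the import rules, or None if it is fine."""
    line = line.rstrip("\r\n")
    if line.count(",") != 1:
        return f"expected exactly one comma: {line!r}"
    user, pw = line.split(",")
    for label, value in (("username", user), ("password", pw)):
        if not PLAIN_FIELD_RE.match(value):
            return f"{label} {value!r} is empty or contains spaces or special characters"
    return None


def _to64(value: int, n: int) -> str:
    """crypt(3)-style base-64: n characters, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))


def apr1_hash(password: str, salt: str) -> str:
    """Apache '$apr1$' MD5 crypt: the md5crypt construction with the magic string '$apr1$'."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):          # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
                  for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(final[11], 2)
    return f"$apr1${salt}${out}"


def verify_apr1(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), stored)


def parse_export_line(line: str) -> Tuple[str, str]:
    """Split a 'username:$apr1$salt$hash' line as written by Export users."""
    user, sep, stored = line.rstrip("\r\n").partition(":")
    if not sep or not user or not stored.startswith("$apr1$"):
        raise ValueError(f"not an export line: {line!r}")
    return user, stored


def new_salt() -> str:
    return "".join(secrets.choice(ITOA64) for _ in range(8))


if __name__ == "__main__":
    # Constructed users; the hash is computed here, not copied from a real users.txt.
    for line in ("alice,Secret123", "bob smith,pw", "carol,pw,extra"):
        print(line, "->", check_import_line(line) or "ok")
    exported = "alice:" + apr1_hash("Secret123", new_salt())
    user, stored = parse_export_line(exported)
    print(exported, verify_apr1("Secret123", stored), verify_apr1("wrong", stored))
```

apr1 is an MD5 construction with 1000 rounds and no memory cost, so it verifies quickly on modern hardware; an exported users.txt should be handled as a credential file and not left in shared locations.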

Deleting Users

To delete users:

1. Navigate to the Services > Authentication > Local users page.

2. In the Current users area, locate and select the user or users you want to delete.

3. Click Delete user(s). NITO deletes the user(s).


Moving Users between Groups

To change the group mapping:

1. Navigate to the Services > Authentication > Local users page.

2. In the Current users area, locate and select the user or users you want to move.

3. From the Group to move users to drop-down list, select the group to move the user or users to.

4. Click Move user(s). NITO moves the user(s).

Managing Temporarily Banned Users

NITO enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.

Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 16, Administrative User Settings on page 227.

To ban an account temporarily:

1. Navigate to the Services > Authentication > Temporary bans page.

2. Configure the following settings:

Username – Enter the user name of the account you want to ban.

Comment – Optionally, enter a comment explaining why the account has been banned.

Ban expires – From the drop-down lists, select when the ban expires.

Enabled – Click to enable the ban.

3. Click Add. NITO lists the ban in the Current rules area and enforces the ban immediately.


Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 11, Managing Block Pages on page 137 for more information.

Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Viewing User Activity on page 181.

Removing Temporary Bans

To remove a ban:

1. Navigate to the Services > Authentication > Temporary bans page.

2. In the Current rules area, select the ban and click Remove. NITO removes the ban.

Removing Expired Bans

To remove bans which have expired:

1. Navigate to the Services > Authentication > Temporary bans page.

2. In the Current rules area, click Remove all expired. NITO removes all bans which have expired.

Viewing User Activity

NITO enables you to see how many users are logged in, who is logged in and who has recently logged out.

To view activity:

1. Navigate to the Services > Authentication > User activity page.

2. NITO displays the number of users currently logged in, who is logged in and which users have either recently logged themselves out or been logged out by NITO because of inactivity.

Recently logged out users are listed for 1 hour. For more information, see Configuring Authentication Settings on page 188.

You can configure the following settings:

Most recent users to show – From the drop-down list, select the number of users to display and click Show. NITO displays the specified number in the User activity area.


Ban – Click to ban a user. NITO copies the user’s information and displays it on the temporary ban page. For more information, see Creating a Temporary Ban on page 180.

Logout – Click to log out a user immediately. NITO logs the user out and lists him/her in the Recently logged out users area.

Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they will be prompted to authenticate again.

Authenticating Users with SSL Login

NITO provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis.

When SSL Login is enabled, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials.

The SSL Login page can also be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.


Enabling SSL Login

SSL Login authentication is enabled on a per-interface basis.

To enable SSL Login:

1. Navigate to the Services > Authentication > SSL login page.


2. In the SSL Login redirect interfaces area, select each interface that the SSL Login should be active on.

3. Click Save. NITO enables SSL Login for the selected interfaces.

Creating SSL Login Exceptions

SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page. This is mostly useful to avoid the need for servers to authenticate.

To create an SSL login exception:

1. On the Services > Authentication > SSL login page, locate the SSL Login redirect interfaces area.

2. In the Exception local IP addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.

3. Repeat the step above on a new line for each further exception you want to make.

4. Click Save.
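The mechanism described under Authenticating Users with SSL Login (a bypass rule keyed on the authenticated user's IP address, removed at logout or time-out) together with the exception list above can be modelled in a few lines. The following Python is an added example, not NITO's implementation: given a source address, destination port and clock time, it returns whether the request would be redirected to the login page. Accepting exception entries as a single address, a "first - last" range or a CIDR subnet is an assumption about the field's syntax based on the description above; all addresses and times are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple


class SSLLoginGate:
    """Decides whether an outbound port-80 request is redirected to the SSL Login page."""

    def __init__(self, exceptions: List[str], timeout_seconds: float):
        self.timeout = timeout_seconds
        self.exceptions = [self._parse_exception(e) for e in exceptions if e.strip()]
        # The per-user rule the guide describes, keyed on source IP: ip -> (username, last activity)
        self.sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _parse_exception(text: str):
        text = text.strip()
        if "-" in text:                                   # "first - last" range (assumed syntax)
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            return ("range", lo, hi)
        return ("net", ipaddress.IPv4Network(text, strict=False))   # single host or CIDR subnet

    def is_excepted(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        for entry in self.exceptions:
            if entry[0] == "range" and entry[1] <= addr <= entry[2]:
                return True
            if entry[0] == "net" and addr in entry[1]:
                return True
        return False

    def login(self, ip: str, username: str, now: float) -> None:
        """Successful login on the SSL Login page: add the bypass rule for this address."""
        self.sessions[ip] = (username, now)

    def activity(self, ip: str, now: float) -> None:
        if ip in self.sessions:
            self.sessions[ip] = (self.sessions[ip][0], now)

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def expire(self, now: float) -> List[str]:
        """Remove rules whose last activity is older than the time-out; return the addresses removed."""
        expired = [ip for ip, (_, seen) in self.sessions.items() if now - seen > self.timeout]
        for ip in expired:
            del self.sessions[ip]
        return expired

    def should_redirect(self, ip: str, dst_port: int, now: float) -> bool:
        if dst_port != 80:                # only outbound web requests on port 80 are intercepted
            return False
        if self.is_excepted(ip):          # hosts listed under Exception local IP addresses
            return False
        self.expire(now)
        return ip not in self.sessions


if __name__ == "__main__":
    # Constructed addresses and times.
    gate = SSLLoginGate(["10.0.0.5", "10.0.1.0/24", "10.0.2.10 - 10.0.2.20"], timeout_seconds=600)
    print(gate.should_redirect("10.0.0.9", 80, 0.0))     # unauthenticated workstation
    gate.login("10.0.0.9", "alice", 0.0)
    print(gate.should_redirect("10.0.0.9", 80, 100.0))   # authenticated
    print(gate.should_redirect("10.0.0.9", 80, 700.0))   # timed out, rule removed
```

Because the bypass is keyed on the source IP address, every host that shares an address (for example behind NAT) shares the authenticated state; that is also why the exception list is best kept to servers, as the section above suggests.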

Customizing the SSL Login Page

You can customize the title graphic, background image and message displayed on an SSL login page.

Customizing the Title Graphic

It is possible to customize the title graphic displayed on the SSL login page.


Note: The title graphic must be in jpeg format and must be 500 x 69 pixels.

To upload a title graphic for the login page:

1. On the Services > Authentication > SSL login page, in the Upload SSL Login page images area, adjacent to Custom title image, use your browser’s controls to locate and select the file.

2. Click Upload. NITO uploads the file.

3. In the Customize SSL Login page area, select Use custom title jpeg. NITO replaces the current file and uses it on the SSL login page.

Customizing the Background Image

It is possible to customize the background image used on an SSL login page.

Note: The background image must be in jpeg format and must be 500 x 471 pixels.

To upload a background image:

1. On the Services > Authentication > SSL login page, in the Upload SSL Login page images area, adjacent to Custom background image, use your browser’s controls to locate and select the file.

2. Click Upload. NITO uploads the file.

3. In the Customize SSL Login page area, select Use custom background jpeg. NITO replaces the current file and uses it on the SSL login page.

Removing Custom Files

To remove a custom file:

1. Browse to the Services > Authentication > SSL login page.

2. To remove the title image, adjacent to Custom title image, click Remove.

3. To remove the background image, adjacent to Custom background image, click Remove.

Customizing the Message

It is possible to provide users with a customized message containing instructions.

To customize the login message:

1. Navigate to the Services > Authentication > SSL login page.

2. In the Customize SSL Login page area, enter your custom message in the Message text box.

3. Click Save to apply the new message.

Reviewing SSL Login Pages

You can review SSL Login pages.

To review the SSL Login page:

1. In the web browser of your choice, enter your NITO system’s IP address followed by /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. NITO displays the SSL login page.


Managing Kerberos Keytabs

Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually, see the following section for information on how to do this.

A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, NITO services, such as authentication, can use the interoperability features provided by Kerberos.

For information on using Kerberos as the authentication method in authentication policies, see Chapter 10, Creating Authentication Policies on page 105.

Importing Keytabs

The following section explains how to import Kerberos keytabs into NITO.

For information on generating keytabs, consult the documentation delivered with your directory server; also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to get a keytab from Active Directory.

To import a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. Configure the following settings:

Name – Enter a descriptive name for the keytab.

File – Using your browser, locate and select the keytab.

3. Click Save. NITO imports and saves the keytab and lists it in the Installed Kerberos keytabs area.

4. Repeat the steps above for any other keytabs you need to import.
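The File setting expects a keytab file; the common on-disk form is the MIT keytab format, version 0x0502, in which each entry carries a principal, a key version number, an encryption type and the key itself. The following Python is an added example, not NITO's code: it builds a small keytab in memory (only to have constructed data to work with), parses it back, and lists entries whose keys use DES or RC4, so a keytab can be inspected before it is imported. The principal, realm, timestamps and key bytes are constructed; that NITO accepts the standard MIT format is an assumption based on the Kerberos interoperability statement above.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab file format version 2, big-endian fields
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}     # single DES and RC4


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int      # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the version-2 layout (used here only to make constructed test data)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)                # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _parse_entry(body: bytes) -> KeytabEntry:
    off = 0

    def take(fmt: str) -> tuple:
        nonlocal off
        values = struct.unpack_from(fmt, body, off)
        off += struct.calcsize(fmt)
        return values

    def take_counted() -> bytes:
        nonlocal off
        (n,) = take(">H")
        data = body[off:off + n]
        off += n
        return data

    (ncomp,) = take(">H")                                 # v2: the realm is not counted here
    realm = take_counted().decode()
    components = [take_counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = take(">IIB")
    (enctype,) = take(">H")
    key = take_counted()
    kvno = vno8
    if len(body) - off >= 4:                              # optional 32-bit kvno
        (kvno,) = take(">I")
    return KeytabEntry("/".join(components) + "@" + realm, name_type, timestamp, kvno, enctype, key)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                      # deleted slot of |size| bytes
            pos += -size
            continue
        entries.append(_parse_entry(blob[pos:pos + size]))
        pos += size
    return entries


def weak_entries(entries: List[KeytabEntry]) -> List[Tuple[str, str]]:
    """Principals whose keys use DES or RC4, worth replacing before import."""
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed entries: the principal, realm and key bytes are made up for this example.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 1, 1700000000, 3, 18, bytes(range(32))),
    KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 1, 1700000000, 3, 17, bytes(range(16))),
    KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 1, 1700000000, 3, 23, bytes(range(16))),
]

if __name__ == "__main__":
    for e in parse_keytab(build_keytab(SAMPLE_ENTRIES)):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print("weak:", weak_entries(SAMPLE_ENTRIES))
```

To inspect a real keytab, read the file as bytes and pass it to parse_keytab; the kvno is the value to compare with the directory server when authentication fails after a password or key reset.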


Managing Keytabs

The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Enabling Keytabs

Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.

To disable a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. In the Installed Kerberos keytabs area, click the Enabled button to toggle the setting, then click Save to save it. NITO applies the change.

Viewing Keytab Content

It is possible to view the contents of a Kerberos keytab.

To view a Kerberos keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. In the Installed Kerberos keytabs area, click on the name of the Kerberos keytab you want to view. NITO displays the content in a new browser tab.

Editing Keytabs

It is possible to change the name of the Kerberos keytab file.

To change the name of the Kerberos keytab file:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. In the Installed Kerberos keytabs area, locate the Kerberos keytab and click on Edit keytab. NITO makes the information available in the Import Kerberos keytab area.

3. Change the name as required and click Save to save the change. NITO changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs

It is possible to delete Kerberos keytabs that are no longer required.

To delete a Kerberos keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. In the Installed Kerberos keytabs area, locate the Kerberos keytab you want to delete and click on Delete keytab. NITO displays the content of the keytab and prompts you to confirm that you want to delete the keytab.

3. Click Delete. NITO deletes the keytab.

Managing Groups of Users

The following sections discuss groups of users and how to manage them.

About Groups

NITO uses the concept of groups to provide a means of organizing and managing similar user accounts.

Authentication-enabled services can associate permissions and restrictions to each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis.


Local users can be added or imported to a particular group, with each group being organized to mirror an organization’s structure. Groups can be renamed by administrators to describe the users that they contain.

Currently, NITO supports up to 100 groups and by default, contains the following groups:

Unauthenticated IPs – The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.

Note: This group cannot be renamed.

Default Users – Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an NITO group, i.e. users that can be authenticated, but who are not mapped to a specific NITO authentication group.

Note: This group cannot be renamed.

Banned Users – The purpose of this group is to contain users who are banned from using an authentication-enabled service. The Banned Users group can be renamed.

Network Administrators – This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Configuring the Number of Groups

NITO enables you to set the number of groups available.

To configure the number of groups available:

1. Navigate to the Services > Authentication > Groups page.

2. From the Number of groups drop-down list, select the number you require.

Note: When you select the number of groups, NITO calculates the amount of memory available. If the number of groups you select requires more memory than is available to NITO, NITO will require you to select fewer groups.

3. Click Save and Restart to save the change.


Renaming a Group

All groups, except the Unauthenticated IPs and Default Users groups, can be renamed.

To rename a group:

1. Navigate to the Services > Authentication > Groups page and configure the following settings:

Existing name – From the drop-down list, select the group you want to rename.

New name – Enter the new group name.

2. Click Rename. NITO renames the group.

Configuring Authentication Settings

Configuring authentication settings entails setting login timeout, the number of logins allowed, the type of authentication logging you require and configuring directory servers.

Configuring Login and Logging Settings

You can configure NITO to require users to log in again after a specific period of inactivity. For more information, see Appendix A, About the Login Time-out on page 282. You can also allow unlimited logins or restrict the number of logins per user.

Depending on your logging requirements, you can configure NITO to log a minimum of authentication information or more verbose information when troubleshooting.

To configure login and logging settings:

1. Navigate to the Services > Authentication > Settings page.


2. Configure the following settings:

Login timeout – Accept the default or enter the timeout period.

Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests.

Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.

The behavior of some authentication mechanisms is automatically adjusted by the timeout period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out.

Concurrent logins – Concurrent login settings determine how many logins you want to allow per user. The following options are available:

Allow unlimited logins – Select this option to allow an unlimited number of logins per user.

Restrict each user to – Enter the number of logins you want to allow users.

Logging – Logging settings determine the type of authentication logging you want. The following options are available:

Normal logging – Select this option to log user login and LDAP server information.

Verbose logging, for troubleshooting – Select this option to log user login and LDAP server information, request, response and result information. This option is useful when troubleshooting possible authentication issues.

3. Click Save, navigate to the Services > Authentication > Control page and click Restart.

Tip: Encourage users to proactively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login timeout has yet to occur.

About NITO and Directory Servers

The NITO authentication service is designed to enable NITO to connect to multiple directory servers in order to:

• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories

• Verify the identity of a user who is trying to access network or Internet resources.

If multiple directories exist, NITO tries them in the order they are listed.

If most of your users are in one directory, list that directory first so as to reduce the number of queries required.

If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

Once the connection to a directory service has been configured, NITO retrieves a list of groups configured in the directory and maps them to the groups available in NITO.

When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.

For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 281.

The following sections explain how to configure NITO for use with directory servers.


Supported Directory Servers

Currently, NITO supports the following directory servers:

Microsoft Active Directory – Microsoft’s Active Directory, for more information, see Configuring a Microsoft Active Directory Connection on page 190. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 194.

Novell eDirectory, Apple Open Directory/OpenLDAP, Sun Directory, Fedora Directory, Red Hat Directory, Netscape Directory – Various directories which support the LDAP protocol, for more information, see Configuring an LDAP Connection on page 191.

RADIUS – Remote Authentication Dial In User Service, for more information, see Configuring a RADIUS Connection on page 193.

Configuring a Microsoft Active Directory Connection

The following sections explain the prerequisites for Microsoft Active Directory and how to configure NITO to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:

• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by NITO for name lookups. For more information, see Appendix A, NITO and DNS on page 282.

• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Because NITO stores this account’s credentials, for instance, when backing up and replicating settings

Note: We strongly recommend that you do not use an administrator account.

The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate, and for Computer objects grant the full control, create, and delete privileges.

• Ensure that the times set on NITO and your Active Directory server are synchronized using NTP. See Chapter 16, Setting Time on page 221 for more information.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying domain and account details and, optionally, comments and advanced cache timeout.

To configure the connection:

1. Navigate to the Services > Authentication > Settings page.

2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next.


3. Configure the following settings:

Domain – Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.

Username – Enter the user name of the user account.

Password – Enter the password for the user account.

Comment – Optionally, enter a comment describing the connection.

Enabled – Select to enable the connection.

4. Optionally, click Advanced to access and configure the following setting:

Cache timeout – Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.

Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.

Configuring an LDAP Connection

The following section explains what is required to configure a connection to an LDAP directory server.

To configure the connection:

1. Navigate to the Services > Authentication > Settings page.

2. In the Add directory server area, from the Directory server drop-down list, select the directory server you want to connect to and click Next.

3. Configure the following settings:

LDAP server – Enter the directory’s IP address or hostname.

Note: If using Kerberos as the bind method, you must enter the hostname.

Bind method – Accept the default bind method, or from the drop-down list, select one of the following options:

TLS (with password) – Select to use Transport Layer Security (TLS).

Kerberos – Select to use Kerberos authentication.

Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.


Server username – Enter the username of a valid account in LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this: cn=user,ou=container,o=organization

This is what is referred to in Novell eDirectory as tree and context. A user in the tree Organization and in the context Sales would have the LDAP notation: cn=user,ou=sales,o=organization

For Apple Open Directory, when not using Kerberos, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org

Consult your directory documentation for more information.

Server password – Enter the password of a valid account.

Note: A password is not required if using simple bind as the bind method.

Kerberos realm – If using Kerberos, enter the Kerberos realm. Use capital letters.

User search root – Enter where in the directory NITO should start looking for user accounts. Usually, this is the top level of the directory.

For example: ou=myusers,dc=mydomain,dc=local

In LDAP form, this is seen in the directory as dc=mycompany,dc=local. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form: cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.

Note: In larger directories, it may be a good idea to narrow down the user search root so NITO does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.

Note: When working with multi domain environments, the user search root must be set to the top level domain.

Group search roots – Enter where in the directory NITO should start looking for user groups. Usually this will be the same location as configured in the user search root field.

For example: ou=mygroups,dc=mydomain,dc=local

Apple Open Directory uses the form: cn=groups,dc=example,dc=org

Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting.

If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.

Comment – Optionally, enter a comment about the connection.

Enabled – Select to enable the connection.

4. Optionally, click Advanced to access and configure the following settings:

LDAP port – Accept the default, or enter the LDAP port to use.

Note: LDAPS will be automatically used if you enter port number 636.


Cache timeout – Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO does not query the directory server for users who log out and log back in as long as their records are still in the cache.

Discover Kerberos using DNS – Only available if you have selected Kerberos as the authentication method. Select this advanced option to use DNS to discover Kerberos realms.

Using DNS to discover realms configures NITO to try to find all the domains in the directory server by querying the DNS server that holds the directory information. For this to work, NITO needs to have a configured hostname in the directory domain.

For example:

Directory domain: domain.local

NITO hostname: system.domain.local

The hostname is needed so NITO knows what domain to query for subdomains.

Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.

Extra group search roots – Optionally, enter where in the directory NITO should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 283.

Extra realms – This setting enables you to configure subdomains manually, as opposed to automatically, using DNS.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.
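The search-root forms above (a domain base such as dc=mydomain,dc=local, an ou=userunit prefix to narrow it, and the multi-domain rule that the user search root sits at the top level domain) are easy to mistype. The following helpers are an added example for checking such values before entering them; they are not NITO code, and the domain and OU names in them are constructed.

```python
import re
from typing import List, Tuple

# One RDN of the form attribute=value, e.g. ou=sales or dc=local.
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as cn=user,ou=sales,o=organization into (type, value)
    pairs, left to right. Commas escaped as \\, stay inside the value; any
    other RFC 4514 escaping is passed through untouched. Raises ValueError on
    an empty or malformed RDN so a typo is caught before it is saved."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain (mydomain.local) into the domain base seen in LDAP
    form (dc=mydomain,dc=local)."""
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def narrow_search_root(base_dn: str, *ous: str) -> str:
    """Prepend organizational units to a domain base, innermost first, giving
    a narrowed search root such as ou=userunit,dc=mydomain,dc=local."""
    split_dn(base_dn)                          # validate before building on it
    for ou in ous:
        if not ou or "," in ou or "=" in ou:
            raise ValueError(f"invalid OU name {ou!r}")
    prefix = ",".join(f"ou={ou}" for ou in ous)
    return f"{prefix},{base_dn}" if prefix else base_dn


def is_under(search_root: str, base_dn: str) -> bool:
    """True when search_root is base_dn itself or lies beneath it, which is
    what a narrowed user or group search root must satisfy."""
    root, base = split_dn(search_root), split_dn(base_dn)
    return len(root) >= len(base) and root[-len(base):] == base


def is_top_level_domain_root(search_root: str, top_domain: str) -> bool:
    """Multi-domain rule from the guide: the user search root must sit at the
    top level domain, i.e. carry no dc components beyond that domain's own."""
    dcs = [v for t, v in split_dn(search_root) if t == "dc"]
    return dcs == [v for _, v in split_dn(domain_to_base_dn(top_domain))]


if __name__ == "__main__":
    base = domain_to_base_dn("mydomain.local")                  # constructed domain
    print(narrow_search_root(base, "userunit"))                 # ou=userunit,dc=mydomain,dc=local
    print(is_top_level_domain_root("dc=sales," + base, "mydomain.local"))  # False
```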

Configuring a RADIUS Connection

You can configure NITO to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites

Before you configure any settings:

• Configure the RADIUS server to accept queries from NITO. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:

1. Navigate to the Services > Authentication > Settings page.

2. In the Add directory server area, from the Directory server drop-down list, select RADIUS and click Next.


3. Configure the following settings:

Server – Enter the RADIUS server’s domain name.

Secret – Enter the secret shared with the server.

Port – Accept the default port, or enter the port to use.

Obtain groups from RADIUS – If the RADIUS server can provide group information, select this option to enable NITO to use the group information in the RADIUS Filter-Id attribute.

The Filter-Id attribute must have the following format: GROUPn, e.g. GROUP5 or GROUP16.

When not enabled, NITO will use group information from the next directory server in the list. If there are no other directories in the list, NITO will place all users in the Default Users group.

If login attempt fails – The following options are available:

Try next directory server, if any – Select this option if users in RADIUS are unrelated to users in any other directory server.

Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.

Cache timeout – Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO does not query the directory server for users who log out and log back in as long as their records are still in the cache.

Enabled – Select to enable the connection.

4. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information. For information on groups and directory servers, see Mapping Groups on page 197.
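The ordering rules in About NITO and Directory Servers and the RADIUS options above (Obtain groups from RADIUS, the GROUPn Filter-Id format, and If login attempt fails) interact, and it is worth seeing the resulting decision path written out. The model below is an added example, not NITO code: it assumes NITO groups are numbered 1 up to the configured Number of groups, labels a Filter-Id match as "Group n", and stands in for the RADIUS and LDAP servers with constructed in-memory lookups (no network access).

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_USERS = "Default Users"
UNAUTHENTICATED = "Unauthenticated IPs"

# The RADIUS Filter-Id attribute must look like GROUPn, e.g. GROUP5 or GROUP16.
FILTER_ID_RE = re.compile(r"^GROUP(\d+)$")


def parse_filter_id(value: Optional[str], number_of_groups: int) -> Optional[int]:
    """Return n from a Filter-Id of the form GROUPn, or None when the attribute
    is missing, malformed, or names a group outside 1..number_of_groups.
    Assumption: NITO groups are numbered from 1 up to the configured count."""
    if value is None:
        return None
    m = FILTER_ID_RE.match(value.strip())
    if not m:
        return None
    n = int(m.group(1))
    return n if 1 <= n <= number_of_groups else None


@dataclass
class Directory:
    """One entry in the Directory servers list (in-memory stand-in, not a client)."""
    name: str
    kind: str                                  # "radius" or "ldap"
    verify: Callable[[str, str], bool]         # password check against this directory
    # RADIUS: returns the Filter-Id attribute for the user (or None).
    # LDAP: returns the NITO group the user's directory group is mapped to (or None).
    lookup: Callable[[str], Optional[str]]
    obtain_groups: bool = True                 # RADIUS "Obtain groups from RADIUS"
    deny_on_failure: bool = False              # RADIUS "If login attempt fails: Deny access"


def authenticate(user: str, password: str, directories: List[Directory],
                 number_of_groups: int = 100) -> Tuple[bool, str]:
    """Try the directories in listed order; return (authenticated, NITO group)."""
    for i, d in enumerate(directories):
        if not d.verify(user, password):
            if d.kind == "radius" and d.deny_on_failure:
                return False, UNAUTHENTICATED   # RADIUS password overrides the others
            continue                            # "Try next directory server, if any"
        if d.kind == "ldap":
            return True, d.lookup(user) or DEFAULT_USERS   # unmapped -> Default Users
        # RADIUS accepted the password.
        if d.obtain_groups:
            n = parse_filter_id(d.lookup(user), number_of_groups)
            return True, (f"Group {n}" if n else DEFAULT_USERS)
        # Groups not taken from RADIUS: use the next directory that holds them.
        for later in directories[i + 1:]:
            if later.kind == "ldap":
                return True, later.lookup(user) or DEFAULT_USERS
        return True, DEFAULT_USERS              # no other directory in the list
    return False, UNAUTHENTICATED


# Constructed sample data: a token-checking RADIUS server listed first and an
# LDAP directory second that holds the group mapping. Names are made up.
RADIUS_USERS = {"alice": ("token-1234", "GROUP5"), "bob": ("token-9999", "GRP-bad")}
LDAP_USERS = {"alice": ("pw-alice", "Network Administrators"), "carol": ("pw-carol", None)}

radius = Directory(
    name="radius.example.local", kind="radius",
    verify=lambda u, p: RADIUS_USERS.get(u, (None,))[0] == p,
    lookup=lambda u: RADIUS_USERS.get(u, (None, None))[1],
    obtain_groups=False, deny_on_failure=True,
)
ldap = Directory(
    name="ldap.example.local", kind="ldap",
    verify=lambda u, p: LDAP_USERS.get(u, (None,))[0] == p,
    lookup=lambda u: LDAP_USERS.get(u, (None, None))[1],
)
DIRECTORIES = [radius, ldap]

if __name__ == "__main__":
    for u, p in [("alice", "token-1234"), ("alice", "pw-alice"), ("carol", "pw-carol")]:
        print(u, authenticate(u, p, DIRECTORIES))
```

With Deny access set on the RADIUS entry, a valid LDAP password alone is refused for alice, which is the token-override behaviour the option is for.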

Configuring an Active Directory Connection – Legacy Method

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method, see Configuring a Microsoft Active Directory Connection on page 190 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure NITO to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:

• Run the NITO Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by NITO for name lookups. For more information, see Appendix A, NITO and DNS on page 282 and the NITO Installation and Setup Guide.

• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.

• Ensure that the times set on NITO and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.


Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details, the Kerberos realm to use, search roots and any optional advanced settings required.

To configure the connection:

1. Navigate to the Services > Authentication > Settings page.

2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. NITO displays the settings for Active Directory.

3. Configure the following settings:

LDAP server – Enter the directory server’s full hostname.

Note: For Microsoft Active Directory, NITO requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also, Appendix A, NITO and DNS on page 282 for more information.

Server username – Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by NITO. In a multi domain environment, the username must be a user in the top level domain. For more information, see Appendix A, Active Directory on page 283.

Server password – Enter the password of a valid account.

Kerberos realm – Enter the Kerberos realm in capital letters.

Use default search roots – Select this option to configure NITO to start looking for user accounts at the top level of the directory.

Tip: In larger directories, it may be a good idea to use the Use custom search roots option, to narrow the user search root so NITO does not have to look through the entire directory. See below for more information.

Use custom search roots – Select this option to specify where in the directory NITO should start looking for user accounts and groups.

Custom user search root – Enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local

Note: When working with multi-domain environments, the user search root must be set to the top level domain.

Custom group search root – Enter where in the directory NITO should start looking for user groups, for example: ou=mygroups,dc=mydomain,dc=local

Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.

Comment – Optionally, enter a comment about the directory server and the settings used.

Enabled – Select this option to enable the connection to the directory server.


4. Optionally, click Advanced to access and configure the following settings:

LDAP port – Accept the default, or enter the LDAP port to use.

Cache timeout – Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.

Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.

Discover Kerberos using DNS – Select this option to use DNS to discover Kerberos realms.

Using DNS to discover realms configures NITO to try to find all the domains in the Active Directory by querying the DNS server that holds the Active Directory information. For this to work, NITO needs to have a configured hostname in the Active Directory domain.

For example:

Active Directory domain: domain.local

NITO hostname: system.domain.local

The hostname is needed so NITO knows what domain to query for subdomains.

Use sAMAccountName – This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.

NetBIOS workgroup – This setting applies when using NTLM authentication with Guardian. NITO cannot join domains required for NTLM authentication where the workgroup, also known as NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Here you can enter a NetBIOS domain name and set this as the value when joining the workgroup.

Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.

Extra group search roots – Optionally, enter where in the directory NITO should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 283.

Extra realms – This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. This can be useful if the Active Directory is in a state where orphaned domains are referenced or only certain subdomains are needed for user authentication.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.


Reordering Directory Servers

If multiple directory servers exist, NITO tries them in the order they are listed. If most of your users are in one directory, list that directory first so as to reduce the number of queries required.

To reorder directory servers:

1. Navigate to the Services > Authentication > Settings page.

2. In the Directory servers area, select the directory server you want to move and click Up or Down until the servers are in the order you require.

Removing Directory Servers

To remove a directory server:

1. Navigate to the Services > Authentication > Settings page.

2. In the Directory servers area, select the directory server you want to remove and click Remove. NITO removes the server.

Mapping Groups

Once you have successfully configured a connection to a directory you can map the groups NITO retrieves from the directory to apply permissions and restrictions to the users in the groups.

To map directory groups to NITO groups:

1. After configuring the connection to the directory, see About NITO and Directory Servers on page 189, go to the Services > Authentication > Groups page.

Note: Only directory servers containing groups that are mapped will be displayed. RADIUS groups are fixed.

Tip: When working with a large number of groups, you can use the Filter option to limit searches to specific groups.

2. In the Available groups tree, navigate to and highlight the group you want to map and click Select. NITO lists the group in the Mapped groups area. By default, NITO maps all groups to the Unauthenticated IPs group. For more information on groups, see About Groups on page 186.

3. From the Mapped group drop-down list, select the group you want to map the group to and click Save.

4. Repeat the step above to map any other groups required.

Remapping Groups

It is possible to change group mappings.

To remap groups:

1. Navigate to the Services > Authentication > Groups page and in the Mapped groups area, locate the directory server group you want to remap.

2. From the Mapped group drop-down list, select the NITO group you want to remap the directory server group to. Tick the Mark check box.

3. Click Save. NITO remaps the group.

Managing the Authentication System

NITO’s authentication system can be stopped, started and monitored.


To access the authentication system controls:

1. Navigate to the Services > Authentication > Control page.

See the sections below for information on restarting, stopping and reviewing the service.

Restarting the Authentication System

It may be necessary to restart the authentication system if unapplied configuration changes have been made. In this situation, a warning will be displayed at the top of all authentication pages as a reminder that a restart is required.

A full restart normally takes a few seconds to complete, after which users will be required to reauthenticate. A restart will also cause all active downloads to be terminated.

To restart the authentication system:

1. Navigate to the Services > Authentication > Control page and click Restart.

Note: It is a good idea to only restart the authentication system at a convenient time for network users.

Stopping the Authentication System

There are no reasons to stop the authentication system in normal operation. This procedure should only be carried out if instructed by the Nomadix support team.

To stop the authentication system:

1. Navigate to the Services > Authentication > Control page.

2. Click Stop in the Manual control area.

Viewing System Status

To display the current status of the authentication system:

1. Navigate to the Services > Authentication > Control page.

2. Click Refresh in the Manual control area. The current status will be displayed in the Current status field and can be either Running or Stopped.

Running Diagnostics

To check that the authentication system is operating correctly, diagnostic tests can be run.


To run authentication diagnostics:

1. On the Services > Authentication > Control page, click Run. NITO runs the tests and displays the results.

Authentication service self test – Checks to see if the authentication service can be contacted.


15

Reporting

In this chapter:

• About the Summary page

• Working with NITO reports

• Managing report data databases.

About the Summary Page

The summary page displays a customizable list of reports.

To access the summary page:

1. Navigate to the Logs and reports > Reports > Summary page.

Note: The information displayed depends on the product series you are using.

A list of the reports generated by default is displayed. For information on customizing the reports displayed, see Chapter 16, Configuring the User Interface on page 220.


Accessing Reporting

NITO can produce many types of reports which provide information on almost every aspect of NITO.

To access reporting:

1. Navigate to the Logs and reports > Reports > Reports page.

Generating Reports

NITO contains a broad range of reports which can be generated immediately.

To generate a report:

1. Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the report you want to generate.

2. Click on the report to access its options. NITO displays the options available.

Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 13, Making Reports Available on page 151.

3. If applicable, set the time interval for the report and enter/select any option(s) you require.

4. Click Run report to generate the report. NITO displays the report.

Canceling a Report

It is possible to cancel a report if it is taking a long time to generate.

To cancel a report:

1. Generate the report, see Generating Reports on page 202.

2. When the report progress bar is displayed, click Cancel. NITO cancels the report.

Saving Reports

If you want permanent access to a report, you must save it.

To save a report:

1. Generate the report, see Generating Reports on page 202.


2. In the Save as field, enter a name for the report and click Save. You can access the report on the Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports

You can access all reports generated in the last three days on the Logs and reports > Reports > Recent and saved page.

You can also save recently generated reports and change report formats on this page.

Changing Report Formats

NITO enables you to change reports viewed and/or saved in one format to another.

To change a report format:

1. Navigate to the Logs and reports > Reports > Recent and saved page.

2. Locate the report you want to change and click on the format you want to change the report to. The following formats are available:

csv – The report will be generated in comma separated text format.

excel – The report will be generated in Microsoft Excel format.

pdf – The report will be generated in Adobe’s portable document format.

pdfbw – The report will be generated in black and white in Adobe’s portable document format.

tsv – The report will be generated in tab separated text (tsv) format.

Managing Reports and Folders

The following sections explain how to create, delete and navigate reports and folders in NITO.

Creating Folders

You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in a folder or sub-folder contained on the page.

To create a folder:

1. On the Logs and reports > Reports > Reports page, determine where you want to create the folder, on the page or in an existing folder.

2. Click the Create a new folder button. NITO creates the folder.

3. Enter a name for the folder and click Rename.

Deleting Folders

To delete a folder:

1. On the Logs and reports > Reports > Reports page, locate the folder.

2. Click the Delete button. NITO deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.

Deleting Reports

To delete a report:

1. Navigate to the Logs and reports > Reports > Recent and saved page.

2. Locate the report and click the Delete button.

Report Permissions

NITO enables you to publish reports on a portal. For more information, see Chapter 13, Making Reports Available on page 151.

Making Reports Available to Other Portals

You can make reports generated on one portal available to other portals.

To make the report available:

1. Navigate to the Logs and reports > Reports > Reports page and locate the report you want to publish to other portals.

2. On the Permissions tab, click Automatic Access.

3. In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.

4. Click Close to close the dialog box. NITO publishes the report to the portal.

Scheduling Reports

NITO can generate and deliver reports to specified user groups at specified intervals.

To schedule a report:

1. Navigate to the Logs and reports > Reports > Scheduled page.

2. Configure the following settings:

Start date – Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.

Time – Select the hour and minute at which to deliver the report.

Repeat – Scheduled reports can be generated and delivered more than once. Select from the following options:

No Repeat – The report will be generated and delivered once on the specified date at the specified time.

Daily Repeat – The report will be generated and delivered once a day at the specified time starting on the specified date.

Weekday Repeat – The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.

Weekly Repeat – The report will be generated and delivered at the specified time, once a week, starting on the specified date.

Monthly Repeat – The report will be generated and delivered at the specified time, once a month, starting on the specified date.

Enabled – Select to enable the scheduled report.

Comment – Optionally, enter a description of the scheduled report.

Report – From the drop-down list, select the report.

Report shows period – From the drop-down list, select how long to collate data for this report.

Save report – Select this option if you want to save the scheduled report after it has been generated. The report will be available on the Logs and reports > Reports > Recent and saved page.

Report name – Enter a name for the scheduled report.

Publish from portal – Optionally, from the drop-down menu, select a portal to publish the report from.

Email report – Select this option if you want to email the report to a group of users.

Group – From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 18, Configuring Groups on page 274.

3. Click Add. NITO schedules the report and lists it in the Scheduled reports area.

Managing Report Data

To manage a local report database:

1. Navigate to the Logs and reports > Settings > Database settings page.

2. Configure the following settings:

Database – Enter the following information:

Username – Accept the default user name or enter a new user name.

Password – Enter a password for the database.

Pruning – Select if you want to prune entries in the database at specified intervals to save storage space or potentially speed up information processing. Select one of the following options:

Don’t prune – Select to not remove any entries from the database.

Over a month – Select to remove entries that are more than one month old and repeat every month.

Over three months – Select to remove entries that are more than three months old and repeat every month.

Over six months – Select to remove entries that are more than six months old and repeat every month.

3. Click Save to save the database management settings.

Storing Report Data Remotely

NITO can be configured to store report data remotely in the database of a compatible system. Storing data in a remote database entails:

• First configuring the remote database management system with username and password information

• Then configuring the local system with the IP address of the remote database.

To store reports remotely:

1. On the remote, compatible system which will store the data, navigate to the Logs and reports > Settings > Database settings page.

2. Configure the following settings:

3. On the local NITO, navigate to the Logs and reports > Settings > Database settings page and configure the following settings:

4. Click Save. NITO starts to store data on the remote system.

Managing Disk Space

Using NITO, you can review how disk space is used to store log and database information, optimize, empty or prune the database and back-up data in an archive.

About Disk Usage

NITO displays information on how much data and the type of data being stored on the system’s hard disk.

To review information on disk usage:

1. Browse to the Logs and reports > Settings > Database backup page.

The following information is available:

Disk information – In this area, NITO shows a summary of how much disk space there is, how much has been used and how much is free.

Log and database partition usage summary, usage broken down by module/category – In this area, NITO shows how much disk space is being used to store information by module and type of storage.

NITO updates the information every 60 minutes and all figures shown are approximate.

Monitoring Log Insertion

NITO enables you to monitor the process of inserting log information into the database.

To monitor log insertion:

1. Browse to the Logs and reports > Settings > Database backup page. Current information is displayed in the Log insertion process area.

Optimizing, Emptying and Pruning Databases

It is possible to optimize, empty and prune databases in order to improve performance and use disk space in the best possible way.

Tip: Run the Reporting database health report to determine the database’s status before using any of the database management options documented in the following sections. See Chapter 15, Reporting on page 201 for more information on generating reports.

Optimizing a Database

Note: Optimizing a database can take a long time to complete and may have an impact on the system’s performance.

To optimize a database:

1. Browse to the Logs and reports > Settings > Database backup page and click Optimize database.

2. When prompted, click Continue to confirm. The database is optimized.

Emptying a Database

Note: Emptying a database removes all data from the database and can take a long time to complete.

To empty a database:

1. Browse to the Logs and reports > Settings > Database backup page and click Empty database.

2. When prompted, click Continue to confirm. The database is emptied.

Pruning a Database

Note: Pruning a database can take a long time to complete and may have an impact on the system’s performance.

To prune a database:

1. Browse to the Logs and reports > Settings > Database backup page and click Prune now.

2. When prompted, click Continue to confirm. The database is pruned.

Backing up Data

It is possible to back up your report data in an archive. This enables you to restore data, for example, when recovering from hardware failure.

To back up data:

1. Browse to the Logs and reports > Settings > Database backup page.

2. In the Backup area, click Backup. The data is backed up in an archive and listed in the Backup area.

3. In the Backup area, select the archive and click Download. When prompted, save the archive in a secure location for use if you need to restore data.

Restoring Data

The following section explains how to restore data.

Note: When you restore data, the database is not emptied. Therefore, if the database is not empty, restoring data can cause duplicate data. We recommend that you always ensure that the database is empty to avoid duplicate data. See Emptying a Database on page 209 for information on how to empty a database.

To restore data:

1. Browse to the Logs and reports > Settings > Database backup page.

2. In the Upload area, click Browse. In the File Upload dialog box, navigate to where the backup archive is stored, select it and click Open.

3. Click Upload. The file is uploaded and listed in the Backup area.

4. Select the file and click Restore. The data is restored.

About Migrating from Earlier Versions

When updating to the latest version, existing data stored in the database may not be accessible for reporting.

If this is the case, a warning message will be displayed. The data is safe but not accessible in its current format. To make it accessible, create a backup archive and restore it. For more information, see Backing up Data on page 209 and Restoring Data on page 209.

16

Managing Your NITO

In this chapter:

• Managing system and security updates

• Managing module installations and product licensing

• Creating and restoring archives

• Scheduling automatic maintenance

• Producing diagnostic support files

• Managing certificates

• Shutting down and restarting NITO

• How to use NITO’s network tools to perform a variety of everyday network maintenance tasks.

Managing Updates

Administrators should use NITO's update facility whenever a new update is released. Updates are typically released in response to evolving or theoretical security threats, as and when they are discovered. System updates may also include general product enhancements, as part of Nomadix’s commitment to continuous product improvement.

NITO must be connected to the Internet in order to discover, download and install system updates.

Nomadix’s support systems are directly integrated with NITO’s system update procedure, allowing the Nomadix support department to readily track the status of your system.

To manage updates:

1. Navigate to the System > Maintenance > Updates page.

2. Configure the following settings:

Refresh update list – Click to get a list of available updates. Any updates available will be listed in the Available updates area.

Download updates – Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.

Clear download cache – Click to clear any downloaded updates stored in the cache.

Install updates – Click to install all updates in the Pending updates area immediately.

Install at this time – Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.

3. If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates Manually

The Install new update area enables you to install system updates manually.

To manually install an update:

1. Navigate to the System > Maintenance > Updates page and click Refresh update list.

2. In the Available updates list, locate the update and click Info. The Nomadix Updates page opens.

3. Download the update to a suitable location.

4. On the System > Maintenance > Updates page, click Advanced.

5. In the Install new update area, click Browse to find and open the update.

6. Click Upload to upload and install the update file.

Managing Modules

NITO's major system components are separated into individually installed modules. Modules can be added to extend NITO’s capabilities, or removed in order to simplify administration and reduce the theoretical risk of, as yet un-discovered, security threats.

Note: Modules must be registered against your NITO serial number before they can be installed and used. For further information, please consult your Nomadix partner or, if purchased directly, Nomadix.

NITO must be connected to the Internet in order to install modules.

To install a module:

1. Navigate to the System > Maintenance > Modules page.

2. In the Available modules area, locate the module and click Install.

Note: Some module installations require a full reboot of NITO. Please read the module description carefully prior to installation.

Installing Modules Manually

To install a module manually:

1. Navigate to the System > Maintenance > Modules page and click Advanced.

2. In the Upload module file area, browse to and select the module.

3. Click Upload. The module is uploaded and installed.

Removing a Module

To remove a module:

1. Navigate to the System > Maintenance > Modules page.

2. In the Installed modules area, locate the module and click Remove.

3. Reboot NITO on the System > Maintenance > Shutdown page.

Licenses

NITO contains information on licenses and subscriptions.

To view license information:

1. Navigate to the System > Maintenance > Licenses page.

Note: The information displayed depends on the Nomadix product you are using.

Installing Licenses

You can buy additional licenses from Nomadix or an approved Nomadix partner. License installation and activation is an automated process, initiated via a secure request to Nomadix licensing servers.

To install additional licenses:

1. Navigate to the System > Maintenance > Licenses page.

2. Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.

Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Nomadix add-on module.

Archives

The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring a NITO system. They can also be used to create clones of existing systems.

Note: You can automatically schedule the creation of backup archives. For further information, see Scheduling on page 216.

About Archive Profiles

You can assign a profile to an archive enabling you to specify which components you want backed up in a particular archive.

You can create and assign up to 20 profiles and generate their archives automatically.

Profiles are also used to store settings for Nomadix replication systems. For more information, see Chapter 17, Centrally Managing Nomadix Systems on page 245.

Creating an Archive

To create an archive:

1. Navigate to the System > Maintenance > Archives page.

2. Configure the following settings:

Profile – To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.

Profile name – Enter a name for the profile.

Comment – Enter a description for the archive.

Automatic backup – Select if you want to archive settings automatically.

Settings – Settings available include general settings for NITO and replicable settings which can be used in a Nomadix system. A marker next to a setting indicates that the setting can be replicated. Select the components you want to archive or select All to select and archive all settings. For more information on replication in Nomadix systems, see Chapter 17, Centrally Managing Nomadix Systems on page 245.

Logs – Select the log files you want to archive or select All to select and archive all logs.

3. Click Save and backup to create the archive.

Downloading an Archive

To download an archive:

1. In the Archives area, select the archive.

2. Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive

To restore an archive:

1. In the Archives area, select the archive.

2. Click Restore. The archive contents are displayed.

3. Select the components in the archive that you want to restore and click Restore.

Deleting Archives

To delete an archive:

1. In the Archives area, select the archive and click Delete.

Uploading an Archive

This is where you upload archived settings from previous versions of NITO and Nomadix modules so that they can be re-used in the current version(s).

To upload an archive:

1. In the Upload area, enter the name of the archive and click Browse.

2. Navigate to and select the archive.

3. Click Upload to upload the archive.

Scheduling

You can configure NITO to automatically discover and download system updates, modules and license upgrades using the scheduler.

You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:

1. Navigate to the System > Maintenance > Scheduler page.

2. Configure the following settings:

Day – From the drop-down list, select the day of the week that the tasks will be executed.

Hour – From the drop-down list, select the time of day at which the tasks will be executed.

Check for new updates – Select to check for new system updates.

Download updates – Select to download available updates.

Check for new modules – Select to check for new modules.

Check for license upgrades – Select to discover and install license upgrades.

Prune archives – Options here enable you to schedule archive pruning if you require it. Select one of the following options:

Don’t prune – This is the default option, archives are never pruned.

Over a month – Select this option to prune archives that are older than one month.

Over 2 months – Select this option to prune archives that are older than two months.

Over 3 months – Select this option to prune archives that are older than three months.

3. Click Save.

Scheduling Remote Archiving

Scheduled remote archiving uses SSH keys to allow NITO to securely copy files to a remote SSH server without the need for passwords.

NITO generates a key pair and uses the private half to authenticate itself to the SSH server. The file transfers themselves are protected by the encryption of the SSH session, not by this key pair.

The SSH server must be configured to accept connections from NITO in this manner: the public half of the key pair must be installed for the account that NITO will log in as.

To schedule remote archiving:

1. Navigate to the System > Maintenance > Scheduler page.

2. In the Remote archive destinations area, click Export Public Backup Key.

3. Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.

4. In the Remote archive destinations area, enter the following information:

Name – Enter a name to identify this destination.

Username – Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.

Remote path – Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/. If left blank, NITO uses the default home directory of the specified remote user.

Server – Set the IP address of the SSH server.

Port Number – Set the port number used to access the SSH server (normally port 22).

Transfer Speed Limit – Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.

Comment – Enter a description of the destination.

5. Click Add.

6. Repeat the steps above to make other destinations available.

7. In the Remote archival area, enter the following information:

Day – The day of the week to carry out the archive.

Hour – The hour of the day to carry out the archive.

Archive destination – From the drop-down list, select a destination as configured in the Remote archive destinations area.

Archive profile – From the drop-down list, select an archive profile as configured on the Archives page.

Enabled – Select to enable the archive.

Comment – Enter a description of the archive.

8. Click Add.

9. Repeat the steps above to configure other archives for scheduled remote archive.

Note: A local copy of the archive is also created and stored.
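The guide leaves the hardening of the remote account to the SSH server's administrator. The following is an added example, not NITO's code or a Nomadix tool: it checks that the exported public key is well-formed and wraps it in an authorized_keys entry using OpenSSH's `restrict` option (disables port, agent and X11 forwarding and PTY allocation; requires OpenSSH 7.2 or later on the receiving server) and a `from=` pattern pinned to NITO's address, so the key can only be used to transfer files from that host. The sample key is constructed and cryptographically meaningless, and NITO_ADDRESS is an assumption. Filesystem write permission on the Remote path still has to be granted separately.

```python
"""Build a restricted authorized_keys entry for NITO's exported backup key.

Added example, not NITO's code. `restrict` and `from=` are OpenSSH
authorized_keys options; the sample key below is constructed, not real.
"""
import base64
import ipaddress
import struct


def parse_openssh_public_key(line):
    """Return (key_type, base64_blob, comment) for a one-line OpenSSH public key.

    Besides checking the base64, this reads the length-prefixed type string at
    the start of the decoded blob and requires it to match the declared type,
    which catches a line whose fields were mangled when copied and pasted.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    if len(inner) != n or inner.decode("ascii", "replace") != key_type:
        raise ValueError(f"declared type {key_type!r} does not match key blob")
    return key_type, b64, comment


def restricted_authorized_key(pubkey_line, nito_address, comment="nito-remote-archive"):
    """Return an authorized_keys line carrying `restrict` and a `from=` pattern
    limited to NITO's address (or network, in CIDR form)."""
    key_type, b64, _ = parse_openssh_public_key(pubkey_line)
    # ip_network validates the value; strict=False lets a plain address through.
    net = ipaddress.ip_network(nito_address, strict=False)
    pattern = str(net.network_address) if net.num_addresses == 1 else str(net)
    if any(c in comment for c in '\n\r"'):
        raise ValueError("comment must not contain quotes or line breaks")
    return f'restrict,from="{pattern}" {key_type} {b64} {comment}'


def make_sample_key():
    """Constructed ssh-ed25519 public key line with a dummy 32-byte point:
    structurally valid for parsing, useless as a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " backup@nito"


NITO_ADDRESS = "192.0.2.10"  # assumption: the address NITO connects from

if __name__ == "__main__":
    # Paste the printed line into ~/.ssh/authorized_keys of the archive account.
    print(restricted_authorized_key(make_sample_key(), NITO_ADDRESS))
```

Run it with the real key exported from the Scheduler page in place of `make_sample_key()`; if NITO sits behind NAT, pass the address the SSH server actually sees.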

Editing Schedules

To edit a schedule:

1. In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting

NITO can be shut down or restarted immediately, after a specified delay or at a pre-determined time.

To shut down or reboot:

1. Browse to the System > Maintenance > Shutdown page.

2. Configure the following settings:

Immediately – Select to shut down or reboot immediately.

Delay action for – Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.

At the following time – Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.

3. Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Shell Access

The web-based secure shell (SSH) remote access tool enables command line administration of the NITO system through a web browser.

Note: In order to use this feature, SSH access must be enabled. See Chapter 16, Configuring Admin Access Options on page 225.

The browser that is connected to the NITO system is required to have a Java Virtual Machine capability installed. For details on setting your browser up in this way, consult your browser help system.

To use the shell tool:

1. Navigate to the System > Maintenance > Shell page.

2. Click on the shell window once the Java applet has loaded.

3. Enter the following information:

User name – Enter root.

Password – Enter the root account’s password.

4. Click Login. You gain access to the shell.

Setting System Preferences

The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you use one.

Configuring the User Interface

NITO can be customized in different ways, dependent on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.

To configure the user interface:

1. Browse to the System > Preferences > User interface page.

2. Configure the following settings:

Host information – In the description field, enter a description to identify NITO. This will be displayed in the title bar of the browser window.

System Control page – From the Report to show drop-down list, select the report you want displayed on the Dashboard.

Dashboard sections – Determines what, if any, information is displayed in the System Services area on the Dashboard.

3. Click Save.

Setting Time

NITO's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet.

NITO can also act as an NTP server itself, allowing network wide synchronization of system clocks.

To set the time:

1. Navigate to the System > Preferences > Time page.

2. Configure the following settings:

Timezone – From the drop-down list, select the appropriate time zone.

Time and date – To manually set the time and date, select Set and use the drop-down lists to set the time and date.

Network time retrieval – To automatically retrieve time settings:

1. Select Enabled in the Network time retrieval area.

2. Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.

3. Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).

4. Choose one of the following network retrieval methods:

Multiple random public servers – Select to set the time as the average time retrieved from five random time servers.

Selected single public server – Select from the drop-down list a public time server to use to set the time.

User defined single public or local server – Enter the address of a specific local or external time server.

Network time service interfaces – NITO can be used to synchronize the system clocks of local network hosts by providing a time service. To synchronize the network time service:

1. Enable network time retrieval.

2. Select each internal network interface that the network time service should be available from.

3. Click Save.

Configuring Registration Options

NITO enables you to use an upstream registration proxy if your ISP requires you to use one, and optionally, supply information about the status of your system and web filtering statistics.

To configure registration options:

1. Navigate to the System > Preferences > Registration options page.

2. Configure the following settings:

Upstream registration proxy – Enter the following information:

Server – Enter the hostname or IP address of the proxy server.

Port – Enter the port number to use.

Username – Enter the username provided by your ISP.

Password – Enter the password provided by your ISP.

Note: The upstream proxy has no bearing on NITO proxy services.

Extended registration information – When registering, updating and/or installing add-on modules, NITO sends information about licences, subscription and add-on modules to Nomadix. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:

• Enabled status for optional services

• The number of configured interfaces and whether they are internal or external

• Authentication service settings and the LDAP server type

• Guardian transparent mode and authentication service settings mode

• Manufacturer name and product name, from dmidecode

• Main board manufacturer and main board product name, from dmidecode.

Note: No usernames, passwords or sensitive information are sent and any potentially identifying data is summarized before sending.

Provide filtering feedback information – When enabled, NITO will periodically send information about web filtering accuracy and a list of the domains of any web sites which could not be classified. Nomadix will take every available measure to ensure data cannot be associated with your organization and no personal information is ever sent.

3. Click Save. NITO starts to use the configured upstream proxy and, if enabled, send registration and/or filtering information.

Configuring the Hostname

You can configure NITO’s hostname. A hostname should usually include the name of the domain that it is within.

To change the hostname:

1. Browse to the System > Preferences > Hostname page.

2. Enter a new value in the Hostname field and click Save.

Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field. You can confirm the change by viewing the certificate your browser receives on the HTTPS admin port (441) after the reboot.

Configuring Administration and Access Settings

The following sections discuss administration, external access and account settings.


Configuring Admin Access Options

You can enable and disable remote access to NITO’s console via Secure Shell (SSH) and configure remote access referral checking.

To access NITO via remote SSH, the following criteria must be met:

• The host must be from a valid network zone

• The host must be from a valid source IP

• The SSH service must be enabled

• Admin access must be set to enabled

• The setup or root username and password must be known.

To use NITO's web-based SSH shell, the host browser must have a Java Virtual Machine installed.

To permit access to the console via SSH:

1. Navigate to the System > Administration > Admin options page.

2. Select SSH and click Save.

Note: Terminal access to NITO uses the non-standard port 222.

Referral Checking

In order to ensure that configuration requests from the web interface originate from a logged in administrator, and not some third party web page, you can enable remote access referral checking.

When enabled, administration requests are only processed if the referral URL (the HTTP Referer header sent by the browser) contains the local IP address, the local hostname, or the external IP address where applicable.

If the referral is not from a NITO page, the request is ignored and reported in the general Nomadix log file.

Note: This function prevents NITO from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage a NITO system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.

To enable referral checking:

1. Navigate to the System > Administration > Admin access page.

2. Select Allow admin access only from valid referral URLs in the Remote Access area.

3. Click Save.
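The check described above is a Referer-based defence against cross-site request forgery: a form on a third-party page that submits to the admin interface arrives with that page's URL as Referer, not a NITO URL. The following is an added example of that logic, not NITO's own code (the appliance's implementation is not published on this page): the allowed-host list and the sample requests are constructed. It compares the Referer's hostname exactly against the addresses the guide lists rather than searching the whole URL for them, so a foreign URL that merely contains the address in its path or query does not pass, and it treats a missing Referer as unverifiable. The fifth sample shows why the note above holds: a Dynamic DNS name that is not one of the configured names is rejected.

```python
"""Origin check for admin requests, modelled on NITO's "valid referral URL" option.

Added example, not NITO's code. ALLOWED_HOSTS, SAMPLE_REQUESTS and the log
format are constructed for illustration.
"""
from urllib.parse import urlsplit


def referer_allowed(referer, allowed_hosts):
    """Return True only if the Referer names a host the admin UI is reached by.

    allowed_hosts holds the names the guide lists: the local IP address, the
    local hostname and, where applicable, the external IP address. The host
    part of the URL is compared exactly. A missing or non-HTTP Referer is
    rejected: it cannot prove the request came from a NITO page.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, port and userinfo removed, [v6] unwrapped
    if host is None:
        return False
    return host in {h.lower() for h in allowed_hosts}


def process_admin_request(headers, allowed_hosts, log):
    """Decide whether a configuration request is processed.

    Mirrors the documented behaviour: a request with an unacceptable referral
    is ignored and a line is written to the log. `headers` is a dict of HTTP
    request headers; `log` is a list standing in for the general log file.
    Returns True if the request would be processed.
    """
    referer = headers.get("Referer")
    if referer_allowed(referer, allowed_hosts):
        return True
    log.append(f"admin request ignored: bad referral {referer!r} "
               f"from {headers.get('X-Client-IP', 'unknown')}")
    return False


# Hosts this (hypothetical) NITO is known by: local IP, hostname, external IP.
ALLOWED_HOSTS = ["192.168.10.1", "nito", "203.0.113.10"]

# Constructed sample requests: two legitimate UI submissions, then what a
# CSRF attempt from another site, a look-alike domain, a Dynamic DNS name
# that is not configured, and a browser that withholds Referer look like.
SAMPLE_REQUESTS = [
    {"Referer": "https://192.168.10.1:441/cgi-bin/admin.cgi", "X-Client-IP": "192.168.10.20"},
    {"Referer": "http://NITO:81/cgi-bin/admin.cgi", "X-Client-IP": "192.168.10.21"},
    {"Referer": "http://evil.example/page?next=192.168.10.1", "X-Client-IP": "192.168.10.22"},
    {"Referer": "http://192.168.10.1.evil.example/", "X-Client-IP": "192.168.10.23"},
    {"Referer": "https://nito.dyndns.example:441/cgi-bin/admin.cgi", "X-Client-IP": "198.51.100.7"},
    {"X-Client-IP": "192.168.10.24"},
]


def run_samples(requests=SAMPLE_REQUESTS, allowed_hosts=ALLOWED_HOSTS):
    """Return (decisions, log) for the sample requests."""
    log = []
    decisions = [process_admin_request(h, allowed_hosts, log) for h in requests]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_samples()
    for req, ok in zip(SAMPLE_REQUESTS, decisions):
        print("processed" if ok else "ignored  ", req.get("Referer"))
    print("\n".join(log))
```

Two operational points follow from the code: a browser or proxy that strips Referer will be locked out in the same way as an attacker, and a Referer check is only as strong as the browser's honesty about the header, so it complements rather than replaces restricting which sources may reach the admin ports at all (see Configuring External Access).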

Configuring External Access

1.

External access rules are used to determine which interfaces, services, networks and host systems can be used to administer NITO.

The default external access rule allows administrators to access and configure NITO from any source IP that can route to the system's first (default) network interface.

This default rule allows administrators to access any of the following admin services: z z z

SSH admin – Access to the system console using port 222. Requires the SSH access to be enabled,

see Configuring Admin Access Options on page 225.

HTTP admin – Access to the web-based interface on port 81.

HTTPS admin – Access to the web-based interface on port 441.

To enable external access:

Browse to the System > Administration > External access page.

2.

Configure the following settings:

226

Setting

Interface

Source IP, or network

Description

From the drop-down list, select the interface that access is permitted from.

Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access.

For a range of hosts, enter an IP address range, for example,

192.168.10.1-

192.168.10.50

.

For a particular subnet of hosts, enter a subnet range, for example,

192.168.10.0/

255.255.255.0

or

192.168.10.0/24

.

If no value is entered, any source IP can access the system.

Nomadix NITO

User Guide

Setting

Service

Select the permitted access method.

Comment

Enter a description for the access rule.

Enabled

Select to activate access.

Description

3.

Click Add. The access rule is added to the Current rules table.

Note: Do not remove the default external access rule, it provides access to the default internal network.
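As an added worked example (not NITO's code), the following Python models how a set of external access rules of the kind described above is evaluated against an incoming admin connection. It parses the three source notations the guide accepts (a host range, a network with a dotted mask, a network with a prefix length), treats an empty source as "any", and includes a small audit helper that lists the rules which are open to any source. The interface names, the sample rules and the "*" shorthand for "all admin services" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Admin services and the ports this guide lists for them.
SERVICE_PORTS = {"SSH admin": 222, "HTTP admin": 81, "HTTPS admin": 441}


def parse_source(spec: str) -> Callable[[ipaddress.IPv4Address], bool]:
    """Turn a 'Source IP, or network' field into a predicate over IPv4 addresses.

    Accepts a single host (192.168.10.7), a range (192.168.10.1-192.168.10.50),
    a network with a dotted mask (192.168.10.0/255.255.255.0) or a prefix
    (192.168.10.0/24). An empty field matches any source, as the guide warns.
    """
    spec = spec.strip()
    if not spec:
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed range: {spec}")
        return lambda ip: lo <= ip <= hi
    # IPv4Network accepts both /24 and /255.255.255.0; strict=False tolerates
    # host bits being set in the address part (e.g. 192.168.10.7/24).
    net = ipaddress.IPv4Network(spec, strict=False)
    return lambda ip: ip in net


def source_matches(spec: str, ip: str) -> bool:
    """Convenience wrapper: does the address `ip` fall inside the source field `spec`?"""
    return parse_source(spec)(ipaddress.IPv4Address(ip))


@dataclass
class Rule:
    interface: str   # constructed interface names such as "eth0"
    source: str      # the Source IP, or network field, verbatim
    service: str     # a key of SERVICE_PORTS, or "*" (constructed: all admin services)
    enabled: bool = True

    def _service_matches(self, port: int) -> bool:
        if self.service == "*":
            return port in SERVICE_PORTS.values()
        return SERVICE_PORTS.get(self.service) == port

    def matches(self, interface: str, ip: ipaddress.IPv4Address, port: int) -> bool:
        return (self.enabled
                and self.interface == interface
                and self._service_matches(port)
                and parse_source(self.source)(ip))


def admin_access_allowed(rules: List[Rule], interface: str, src_ip: str, port: int) -> bool:
    """True if any enabled rule permits `src_ip` to reach admin port `port` on `interface`."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(r.matches(interface, ip, port) for r in rules)


def unscoped_rules(rules: List[Rule]) -> List[str]:
    """Audit helper: interfaces with an enabled rule whose source is empty (any source)."""
    return [r.interface for r in rules if r.enabled and not r.source.strip()]


# Constructed sample rule set: the default rule on the first interface, plus two
# scoped rules on a second interface, one of them disabled.
SAMPLE_RULES = [
    Rule("eth0", "", "*"),
    Rule("eth1", "192.168.10.1-192.168.10.50", "HTTPS admin"),
    Rule("eth1", "10.0.0.0/255.255.255.0", "SSH admin", enabled=False),
]
```

Running `unscoped_rules(SAMPLE_RULES)` reports `["eth0"]`, which is the check to make after adding rules: the default rule is meant for the internal network, and any other interface listed here is open to every address that can route to it.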

Editing and Removing External Access Rules

To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings

NITO supports different types of administrative accounts.

To manage accounts:

1. Navigate to the System > Administration > Administrative users page.

2. Configure the following settings:

Username – Enter a name for the user account.

Password – Enter a password. Passwords are case sensitive and must be at least six characters long. Six characters is the enforced minimum, not a recommendation; an account with the Administrator permission has full control of the system, so give it a long, unique password.

Again – Re-enter the password to confirm it.


Permissions – Select the account permissions you want to apply to the account:

Administrator – Full permission to access and configure NITO.

Guardian temporary bypass – Gives the account user access to the temporary bypass buttons on the block page.

Guardian – Enables access to the Guardian tab on the web interface.

Log – Permission to view the system log files.

Operator – Permission to shut down or reboot the system.

Portal User – Permission to access the user portal pages.

SMTP quarantine – Permission to access and manage the SMTP quarantine pages.

Realtime logs – Permission to view realtime logs.

Reporting system – Permission to access the reporting system.

Guardian room block controls – Permission to manage blocking of location contents.

Rule editor user – Permission to edit rules.

Temp ban – Permission to access and change temporary ban status.

Guardian unblock controls – Gives the account user access to the unblock controls on the block page.

3. Click Add to add the account.

Changing a User's Password

To set or edit a user's password:

1. Browse to the System > Administration > Administrative users page.

2. In the Current users area, select the user and click Edit.

3. Enter and confirm the new password in the Password and Again fields.

4. Click Add to activate the changes.

Hardware

The following sections discuss UPS, modem and firmware settings.

UPS Settings

NITO can be connected to a local Uninterruptible Power Supply (UPS) device to protect the system against power cuts. With this arrangement, local UPS status monitoring can be configured, and the system can be configured to automatically react when it detects that it is using UPS battery power. In this mode, it is also possible for NITO to act as a UPS master, and broadcast power status messages to other appropriately configured UPS systems or devices so that they too can react to power changes.

Alternatively, NITO can be configured as a UPS device to an appropriately configured master UPS system or device. In this mode, the status of the UPS service will be updated over the network, whenever the UPS master device alerts the NITO system. This mode also allows NITO to react when it is informed that UPS battery power is being used.

Enabling UPS Monitoring

To enable UPS monitoring:

1. Navigate to the System > Hardware > UPS page.

2. Configure the following settings:

Enable UPS monitor support – Select to enable support.

UPS connection type – Select one of the following options:

Local connection – Select to monitor a UPS device which is directly connected to the NITO system. For more information, see Configuring a Local UPS Connection on page 229.

Network connection – Select to monitor a UPS device that is connected to the network. For more information, see Connecting to a Network UPS on page 230.

3. Click Save.

Configuring a Local UPS Connection

Once UPS monitoring is enabled and operating in Local connection mode, the local UPS settings are configured using the Local UPS Configuration area.

The following controls are used to configure a local UPS connection:

Select UPS type – Used to set the manufacturer, model or compatible setting for the local UPS device (refer to the UPS device's technical documentation if this is not readily known).

Select UPS COM port – Used to set the serial or USB port that the UPS device is attached to.

Select UPS cable type – Used to set the type of cable that connects to the UPS device (refer to the UPS device's technical documentation if this is not readily known).

To configure a local UPS connection:

1. Navigate to the System > Hardware > UPS page.

2. Choose the manufacturer, model or compatible setting for the UPS device from the Select UPS type drop-down list.

3. Choose the serial or USB port that the UPS device is attached to from the Select UPS COM port drop-down list.

4. Choose the type of cable that connects the UPS device from the Select UPS cable type drop-down list.

5. Click Save.

Connecting to a Network UPS

Once UPS monitoring is enabled and operating in Network connection mode, the network UPS settings are configured using the Network UPS Configuration area.

The following controls are used to configure a network UPS connection:

Master IP Address – The IP address of the 'master' UPS device.

Port – The numeric port number of the master UPS device's network service.

In this mode NITO acts on the power status messages it receives from the master, including any shutdown action configured under Customizing UPS Behavior, so the master and the network carrying these messages should be a trusted management network.

To configure a network UPS connection (with NITO acting as a UPS device):

1. Navigate to the System > Hardware > UPS page.

2. Enter the IP address of the master UPS device into the Master IP Address field.

3. Enter the port number that the master UPS device uses into the Port field.

4. Click Save.

Customizing UPS Behavior

Once UPS monitoring is enabled and an appropriate connection to a remote or local UPS device has been configured, UPS behavior can be customized. The Action to take when UPS on battery area is used for this purpose.

The following controls are used to customize UPS behavior:

Action to take... – Provides a combination of choices that configure different logging, shutdown and continue options in the event of a switch to battery power.

Force shutdown... – Used to forcibly shut down the system once battery power falls below a set level (between 5% and 30%). This feature will only work with UPS devices that support UPS 'Smart' mode (refer to the UPS device's technical documentation to determine if this functionality is supported).

To customize UPS behavior:

1. Navigate to the System > Hardware > UPS page.

2. Choose what action should be taken when running on battery power from the Action to take drop-down list.

3. If the UPS device operates in Smart mode, use the Force shutdown drop-down list to choose the battery power level that will trigger a forced shutdown of the NITO system.

4. Click Save.

Viewing UPS Device Status

If UPS monitoring is enabled and all UPS configuration is correct, the UPS area can be used to view a variety of UPS status information. The following information fields are displayed:

Status – The current status of the UPS device.

UPS monitor daemon – The current status of the system's UPS monitoring service.

Time and date of listed status information – The time of the last update.

Model – The model description of the UPS device.

Serial number – The serial number of the UPS device.

Cable type – The UPS device's cable connection type.

Load percentage – The current load drawn from the UPS as a percentage of the total UPS output capacity.

Battery charge – The amount of charge currently stored in the UPS device's battery.

Estimated battery run time – The estimated duration for which battery power can be sustained.

Time been on battery – The amount of time that the UPS device has been running on battery power (if currently on battery).

Line supply voltage – The mains voltage.

Line supply frequency – The mains frequency.

UPS internal temperature – The internal temperature of the UPS device.

Last reason for switching to battery – The last reason for switching to battery power.

Last time was on battery – The last date and time that the UPS device's battery was used.

Last time came off battery – The last date and time that the UPS device switched from battery to mains.

Acting as a UPS Master Device

NITO can be configured to operate as a UPS master device, allowing it to connect to appropriately configured UPS devices and send them UPS status updates.

UPS devices can be daisy-chained to propagate UPS status updates. This means that the system can operate as both a UPS device and a master, i.e. the system connects as a UPS device to a UPS system or device over a network and receives UPS status updates. Following each update, the system acts as a master by sending status information to its UPS devices.

To act as a UPS master device, UPS monitoring must be enabled and a local or network UPS connection must be configured and working correctly. The Local UPS configuration area is then used to enter the appropriate configuration settings.

To act as a UPS master:

1. Navigate to the System > Hardware > UPS page.

2. Enter the port number that UPS devices can connect to into the Port field.

3. Enter up to five IP addresses into the Slave IP Address fields. Each IP address should belong to a UPS device.

4. Click Save.

Managing Hardware Failover

NITO’s hardware failover enables you to configure a failover NITO system which, in the event of hardware failure, provides all the protection and services your master NITO usually provides.

How does it work?

When configured and enabled, the failover NITO runs in a standby mode monitoring the master NITO for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical NITO systems to be configured to provide hardware failover.

The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails.

Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the master.

If the master fails, it stops responding to the failover unit’s heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover.

The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master.

Once the dead time has expired, the failover unit awakens from its standby mode and begins re-instating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses for each of the master's interfaces, the failover unit essentially provides a drop-in replacement and the transition will generally go unnoticed.

When the master starts to respond again, be it minutes, days or weeks later, assuming that auto-failback is enabled, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode.

Prerequisites

The following must be in place for hardware failover to work:

A private network consisting of only the two NITO systems connected via their heartbeat interfaces, preferably using a crossover cable

The failover unit must be plugged into all the switches the master is plugged into

SSH must be enabled on the master, see Chapter 16, Configuring Admin Access Options on page 225 for more information.

Configuring Hardware Failover

Configuring hardware failover entails:

On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit

On the failover unit, via SSH, running the setup program and deploying the failover archive.

Configuring the Master

To configure the master NITO:

1. Navigate to the Networking > Interfaces > Interfaces page.

2. From the Heartbeat interface drop-down list, select a network interface to use for the heartbeat communication between the master and failover unit.

Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. For these reasons, we strongly recommend that this connection be a crossover cable.

Using a crossover cable also minimizes the risk of failure, as it is possible that the switch the heartbeat interface is on could fail.

3. Click Save and Restart to save the setting and restart networking.

Note: If NITO is connected to the Internet, you must disconnect before you can restart networking.

4. Navigate to the System > Hardware > Failover page.

5. Configure the following settings:

Enabled – Select to enable failover.

Auto failback – Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.

Keep-alive interval – Set the interval at which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval, which is undetectable in terms of system performance.

Dead time – Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master. Set it longer than the longest heartbeat outage the master can cause while merely overloaded; otherwise the failover unit can take over the master's addresses while the master is still serving them.

Master heartbeat IP – Enter an IP address for the master on the heartbeat network.

Slave heartbeat IP – Enter an IP address for the failover unit on the heartbeat network.

Netmask – Enter the netmask of the heartbeat network.

Note: We recommend that this network be private and only used by the master and failover units.

6. Click Save.

7. Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.

The next step is to generate the failover archive to deploy on the failover unit.
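The following added simulation (illustrative code, not part of NITO) replays the behaviour described under How does it work? and the Keep-alive interval, Dead time and Auto failback settings above. The failover unit starts in standby, marks the master suspect once a keep-alive interval passes without a heartbeat, takes over when the dead time expires, and hands back on the master's return if auto failback is on. The state names, the 10 second dead time and the heartbeat timelines are constructed; only the 1 second keep-alive default comes from the guide.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class FailoverUnit:
    """State kept by the standby (failover) unit; names are this example's, not NITO's."""
    keep_alive: float = 1.0        # seconds between heartbeat checks (guide default: 1 s)
    dead_time: float = 10.0        # seconds to wait after loss before taking over (constructed)
    auto_failback: bool = True
    state: str = "standby"         # standby -> suspect -> active
    last_heartbeat: float = 0.0
    suspect_since: Optional[float] = None

    def heartbeat(self, now: float) -> None:
        """The master answered at time `now`."""
        self.last_heartbeat = now
        if self.state == "suspect":
            # Intermittent loss: the master came back inside the dead time, so stay on standby.
            self.state, self.suspect_since = "standby", None
        elif self.state == "active" and self.auto_failback:
            # The master revived after a takeover: hand control back and return to standby.
            self.state = "standby"

    def tick(self, now: float) -> str:
        """Periodic check, run once per keep-alive interval."""
        if self.state == "standby" and now - self.last_heartbeat >= self.keep_alive:
            self.state, self.suspect_since = "suspect", now
        elif self.state == "suspect" and now - self.suspect_since >= self.dead_time:
            # Dead time expired: take over the master's addresses and services.
            self.state = "active"
        return self.state


def simulate(heartbeats: Iterable[float], keep_alive: float = 1.0, dead_time: float = 10.0,
             auto_failback: bool = True, until: float = 30.0) -> List[Tuple[float, str]]:
    """Replay master heartbeats (times in seconds) and return the failover unit's state transitions."""
    unit = FailoverUnit(keep_alive, dead_time, auto_failback)
    pending = sorted(float(t) for t in heartbeats)
    transitions: List[Tuple[float, str]] = []
    t = 0.0
    while t <= until:
        before = unit.state
        while pending and pending[0] <= t:      # heartbeats that arrived by this check
            unit.heartbeat(pending.pop(0))
        unit.tick(t)
        if unit.state != before:
            transitions.append((t, unit.state))
        t += keep_alive
    return transitions


if __name__ == "__main__":
    # Constructed timelines: master heartbeats once a second, then stops at t=5.
    print(simulate(range(6)))                                   # hard failure: takeover at 16 s
    print(simulate(list(range(6)) + list(range(12, 31))))       # 6 s outage, absorbed by dead time
    print(simulate(list(range(6)) + list(range(25, 31))))       # failure, then auto failback at 25 s
    print(simulate(list(range(6)) + list(range(8, 31)), dead_time=1.0))  # dead time too short: flapping
```

The last timeline is the case to avoid when choosing Dead time: with a dead time shorter than a transient pause in heartbeats, the failover unit activates and then stands down again within two seconds, and during that window both units believe they own the master's interface addresses.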

Generating a Failover Archive

A failover archive contains the settings required to configure the failover unit to provide hardware failover for NITO.

To generate a failover archive:

1. Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 233.

2. Click Generate slave setup archive. NITO generates the archive and prompts you to specify where to save it.

3. Save the archive on USB storage media. The next step is to use the archive to implement the failover settings on the failover unit. The archive holds the master's configuration, so protect the media as you would any other copy of the system's configuration.

Note: The size of the failover unit archive varies depending on the Nomadix modules installed. 50 MB is an average size.

Implementing Failover Settings on the Failover Unit

Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.

To implement failover on the failover unit:

1. Access the failover unit using one of the following methods:

The built-in Java shell client on the System > Maintenance > Shell page, see Shell Access on page 220

An alternative SSH client such as PuTTY

2. On the command line, enter setup to start the NITO Setup program.

3. From the Setup menu, select Restore configuration and press Enter.

4. Select USB storage media and press Enter. You are prompted to insert the media.

5. Insert the USB storage media in the USB port located on NITO's front panel and press Enter.

6. Select the archive and press Enter. The failover settings are installed.

7. When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover

There are no noticeable differences between administering NITO used as a master and one which is not used as a master.

There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.

Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to failover to in case of any issues resulting from updates to the master.


Accessing the Failover Unit

With failover implemented, the active NITO system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit.

When you need to access the failover unit directly, you can do so using a variation of the master's address. For example, the master's Update page is usually at: https://192.168.72.142:441/cgi-bin/admin/updates.cgi

To access the settings on the failover unit, the address would be: https://192.168.72.142:440/cgi-bin/admin/updates.cgi

All communications with the user interface on the failover unit are via HTTPS on port 440 instead of port 441.

The address used in the example above, 192.168.72.142, is the address of the master: when in standby mode the failover unit has no effective presence on any of the local or remote networks.

Testing Failover

In order to test failover, you can force the master to enter standby mode.

To test failover:

1. On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.

2. To restore operations to the master, on the active system, go to the System > Hardware > Failover page and click Enter standby mode. Operations will be transferred to the master.

Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Manual Failback

In configurations where Auto failback is not enabled, when the failover unit is in active operation but the master system has become available again after corrective action has been taken, you can manually fail back to the master.

To manually fail back:

1. On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation.

Configuring Modems

NITO can store up to five modem profiles.

To configure a modem profile:

1. Browse to the System > Hardware > Modem page.

2. Configure the following settings:

Profiles – From the drop-down list, select Empty to create a modem profile.

Profile name – Enter a name for the modem profile.

Interface – Select the serial port that the modem is connected to.

Computer to modem rate – Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.

Modem speaker on – Select to enable audio output during the modem dialing process, if the modem has a speaker.

Dialing mode – Select the dialing mode. Tone – Select if your telephone company supports tone dialing. Pulse – Select if your telephone company supports pulse dialing.

Init – Enter the commands required to initialize the modem.

Hangup – Enter the commands required to end a connection.

Speaker on – Enter the commands required to turn the speaker on.

Speaker off – Enter the commands required to turn the speaker off.

Tone dial – Enter the commands required to turn tone dialing on.

Pulse dial – Enter the commands required to turn pulse dialing on.

Connect timeout – Enter the amount of time in seconds to allow the modem to attempt to connect.

3. Click Save to save your settings and create the profile.


Installing and Uploading Firmware

NITO can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work. Only upload a mgmt.o file obtained from the modem vendor's own distribution.

To upload and install the Alcatel firmware:

1. Navigate to the System > Hardware > Firmware upload page.

2. Click Browse adjacent to the Upload file field.

3. Use the browser's Open dialog to find and open the mgmt.o firmware update file.

4. Click Upload to upload the firmware update.

Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Note: The 330 version of this modem also requires its own firmware update to function correctly.

Diagnostics

The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests

The Configuration tests page is used to ensure that your current NITO settings are not likely to cause problems.

Components installed on your NITO add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are ping-ed and network routing is tested to make sure your current settings are not likely to cause problems.

To test your configuration:

1. Navigate to the System > Diagnostics > Configuration tests page.

2. Click Perform tests. The results are displayed in the Details area.

Generating Diagnostics

NITO provides diagnostics facilities, typically used to provide Nomadix support engineers with complete system configuration information to aid problem solving.

To generate a diagnostics file:

1. Navigate to the System > Diagnostics > Diagnostics page.

2. Configure the following settings:

System – Select All to include all system components, or individually select the components you want to include in the diagnostics results.

Modules – Select All to include all modules, or individually select the modules you want to include in the diagnostics results.

3. Click Generate. When prompted, save the results in a suitable location for review. Because the file contains the complete system configuration, send it to support over a protected channel and delete local copies once they are no longer needed.

IP Tools

The IP tools page is used to check connectivity, both from NITO to computers on its local networks and to hosts located externally on the Internet. There are two IP Tools:

Ping

Ping establishes that basic connectivity to a specified host can be made. Use it to prove that NITO can communicate with hosts on its local networks and with external hosts on the Internet.

Traceroute

Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops generally indicates a longer path; the per-hop round-trip times in the output are the better measure of where latency is introduced.

The output of these commands is as it would be if the commands were run directly by the root user from the console of the NITO system. It is of course, more convenient to run them from this page.

Using Ping

To use Ping:

1. Navigate to the System > Diagnostics > IP tools page.

2. Select the Ping option from the Tool drop-down list.

3. Enter the IP address or hostname that you wish to ping in the IP addresses or hostnames field.

4. Click Run. The result of the ping command is displayed.

Using Traceroute

To use Traceroute:

1. Navigate to the System > Diagnostics > IP tools page.

2. Select the Traceroute option from the Tool drop-down list.

3. Enter the IP address or hostname that you wish to trace in the IP addresses or hostnames field.

4. Click Run. The result of the traceroute command is displayed.

Whois

Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Intrusion Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:

1. Navigate to the System > Diagnostics > Whois page.

2. Enter the IP address or domain name that you wish to look up in the IP addresses or domain name field.

3. Click Run. The output of Whois is as it would be if it were run directly by the root user from the console of the NITO system.

Analyzing Network Traffic

The Traffic analysis page displays detailed information on what traffic is currently on the network.

To analyze traffic:

1. Navigate to the System > Diagnostics > Traffic analysis page.

2. From the Interface drop-down list, select the interface.

3. From the Time to run for drop-down list, select how long to analyze the traffic.

4. Click Generate. After the specified time has elapsed, a breakdown of the ports and services that have been used is presented, as well as specific information on the connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received in web requests.

The session transcripts contain the content of users' traffic, so restrict this page to administrators who need it and treat any saved output as sensitive.


Managing CA Certificates

When NITO's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. NITO validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page.

The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates

By default, NITO comes with certificates issued by well-known and trusted CAs.

To review the certificates:

1. Browse to the System > Certificates > Certificate authorities page. NITO displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in NITO by default.

2. To review a specific certificate, click on its name. NITO displays it.

3. Click your browser's Back button to return to NITO.

Importing CA Certificates

To import CA certificates:

1. Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.

2. Click Browse, navigate to the certificate and select it.

3. Click the import option. NITO imports the certificate and displays it at the bottom of the list.

Any CA imported here becomes a trust anchor for every intercepted SSL connection, so confirm the certificate's fingerprint with its owner out of band before importing it.

Exporting CA Certificates

To export certificates:

1. On the System > Certificates > Certificate authorities page, select the certificate.

2. From the Export format drop-down list, select one of the following options:

CA certificate in PEM – Export the certificate in PEM, an ASCII (Base64 text) certificate format.

CA certificate in BIN – Export the certificate in a binary certificate format.

3. Click Export and save the certificate on a suitable medium.

Deleting and Restoring Certificates

You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required.

To delete certificates:

1. On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. NITO removes the certificate(s).

To restore the built-in list:

1. On the System > Certificates > Certificate authorities page, click Clear built-in deleted list. NITO restores any built-in certificates which have been deleted from the list.


17 Centrally Managing Nomadix Systems

In this chapter:

About centrally managing Nomadix systems

Pre-requirements

Setting up a Nomadix system

Managing nodes in a system.

About Centrally Managing Nomadix Systems

NITO’s central management enables you to monitor and manage nodes in a Nomadix system.

A Nomadix system is comprised of an instance of a Nomadix product running as a parent node and one or more compatible Nomadix products running as child nodes being managed by the parent node.

Configuring and managing a Nomadix system entails:

Configuring a parent and the nodes in the system, for more information, see Setting up a Centrally Managed Nomadix System on page 246

Actively monitoring the nodes in the system, for more information, see Monitoring Node Status on page 251

Applying updates, for more information, see Scheduling and Applying Updates to One or More Nodes on page 252

Rebooting nodes as required, for more information, see Rebooting Nodes on page 253

Disabling nodes as required, for more information, see Disabling Nodes on page 253

Managing central logging, for more information, see Configuring Child Node Log Retention on page 253.

Pre-requirements

Before you start to set up a centrally managed Nomadix system:

Check that all the Nomadix machines you intend to include in the system have the latest updates applied. For more information, see Chapter 16, Managing Updates on page 211

Check that you have administrator access to all of the computers you want to include in the system

Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.


Setting up a Centrally Managed Nomadix System

Setting up a centrally managed Nomadix system entails:

Configuring the parent node in the system

Configuring child node settings, installing the central management key and enabling SSH on child nodes

Adding child nodes to the system.

Configuring the Parent Node

The first step when configuring a Nomadix system is to configure the parent node in the system.

To configure the parent node:

1. Log in to the instance of NITO you want to function as the parent node.

2. Browse to the System > Central management > Local node settings page.

3. Configure the following settings:

Local node options – Parent node – Select this option to enable central management and configure this instance of NITO as the parent node in the Nomadix system.

4. Click Save. This instance of NITO becomes the parent node and can be used to centrally manage the Nomadix system.


Configuring Child Nodes

Every child node in a Nomadix system must have a central management key installed and SSH enabled.

To configure a child node:

1. On the system's parent node, browse to the System > Central management > Local node settings page.

2. Configure the following settings:

Local node options – Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.

Manage central management keys – Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system. The key authorizes the parent to manage every child node on which it is installed, and anyone who obtains it gains the same access, so distribute it over a protected channel and delete working copies once the child nodes are configured.

3. On the Nomadix product you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:

Local node options – Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.

Manage central management keys – Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.

4. On the System > Administration > Admin options page, select SSH and click Save.

5. Repeat step 3 and step 4 above on any other machines you want to add to the system.


Adding Child Nodes to the System

When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system.

You can add nodes:

• Manually, by adding each node separately; see Manually Adding Child Nodes on page 248.

• By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 249.

Manually Adding Child Nodes

Adding child nodes manually entails entering the information for each node separately.

To add child nodes manually:

1. On the parent node, browse to the System > Central management > Child nodes page.

2. Click Add node and configure the following settings:

   Node details
   Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname – Enter the IP address or hostname of the child node.
   Comment – Optionally, enter a comment describing the child node.

   Node settings
   Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, see Chapter 16, Creating an Archive on page 215.
   Central logging – Select to enable central logging on the child node.
   Allow parent to monitor status – Select to enable central monitoring for the child node.
   Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.


3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.

4. Repeat step 2 and step 3 for each node you want to add to the system.

5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 251.

Importing Nodes into the System

If child node information is available in a comma separated format (CSV) file, you can import it directly into the parent node.

About the CSV File

Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:

Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment

The possible values for the fields are as follows:

Name – The node name. This field is required. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.

   Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten.

IP/hostname – The IP or hostname of the node. This field is required.

Central logging – Determines if central logging is enabled or disabled. This field is required.
   Enabled – Enter: yes, on, or 1.
   Disabled – Enter: no, off, or 0.

Monitor status – Determines if central monitoring is enabled or disabled. This field is required.
   Enabled – Enter: yes, on, or 1.
   Disabled – Enter: no, off, or 0.

Central resources – Determines if resources are managed by the parent. This field is required.
   Enabled – Enter: yes, on, or 1.
   Disabled – Enter: no, off, or 0.

Replication profile – The name of the replication profile used on the node. This field is optional and may be empty.

   Note: For more information, see Chapter 16, About Archive Profiles on page 214.

Enabled – Determines if the node settings are enabled or disabled. This field is required.
   Enabled – Enter: yes, on, or 1.
   Disabled – Enter: no, off, or 0.

Comment – A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.

For full information on what the settings do, see Manually Adding Child Nodes on page 248.
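As an added example (not part of this guide or of the NITO product), the following Python validator applies the field rules above to a constructed CSV before it is handed to the import: field count and order, the required fields, the yes/on/1 and no/off/0 booleans, the permitted name and comment characters, and the overwrite-on-duplicate-name behaviour. The returned structure and the sample node names and addresses are assumptions made for the example.

```python
"""Validator for the eight-field child-node CSV format described in this guide.

Added example, not NITO code: it applies the field rules stated in the guide
(field order, required fields, yes/on/1 and no/off/0 booleans, permitted name
and comment characters, overwrite on duplicate name). The returned structure
and the sample node names and addresses below are assumptions for the example.
"""
import csv
import io
import re

# Field order exactly as specified in the guide.
FIELDS = (
    "Name", "IP/hostname", "Centrallogging", "Monitorstatus",
    "Centralresources", "Replicationprofile", "Enabled", "Comment",
)
BOOLEAN_FIELDS = ("Centrallogging", "Monitorstatus", "Centralresources", "Enabled")
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops; ASCII only (Unicode is not supported).
TEXT_RE = re.compile(r"^[A-Za-z0-9 _.]+$")


def parse_bool(value):
    """Map yes/on/1 to True and no/off/0 to False; reject anything else."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError("expected yes/on/1 or no/off/0, got %r" % value)


def validate_row(fields, lineno):
    """Validate one row already split into fields; return (node, errors)."""
    if len(fields) != len(FIELDS):
        return None, ["line %d: expected %d fields, got %d" % (lineno, len(FIELDS), len(fields))]
    row = dict(zip(FIELDS, (f.strip() for f in fields)))
    node, errors = {}, []
    # Name: required, restricted character set.
    if not row["Name"]:
        errors.append("line %d: Name is required" % lineno)
    elif not TEXT_RE.match(row["Name"]):
        errors.append("line %d: Name may only contain letters, numbers, spaces, underscores and full stops" % lineno)
    node["Name"] = row["Name"]
    # IP/hostname: required; the guide does not constrain its format further.
    if not row["IP/hostname"]:
        errors.append("line %d: IP/hostname is required" % lineno)
    node["IP/hostname"] = row["IP/hostname"]
    # Four required boolean fields.
    for name in BOOLEAN_FIELDS:
        try:
            node[name] = parse_bool(row[name])
        except ValueError as exc:
            errors.append("line %d: %s: %s" % (lineno, name, exc))
    # Replication profile: optional, may be empty.
    node["Replicationprofile"] = row["Replicationprofile"] or None
    # Comment: optional, same character rules as the name.
    if row["Comment"] and not TEXT_RE.match(row["Comment"]):
        errors.append("line %d: Comment may only contain letters, numbers, spaces, underscores and full stops" % lineno)
    node["Comment"] = row["Comment"]
    return node, errors


def load_nodes(text, existing_names=()):
    """Parse CSV text; return (nodes by Name, errors, overwritten names).

    A later row with the same Name as an earlier row or an existing node
    replaces it, mirroring the guide's note that imports overwrite nodes
    with the same name. Rows with errors are reported and skipped."""
    nodes, errors, overwritten = {}, [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # blank line
        node, row_errors = validate_row(fields, lineno)
        if row_errors:
            errors.extend(row_errors)
            continue
        if node["Name"] in nodes or node["Name"] in existing_names:
            overwritten.append(node["Name"])
        nodes[node["Name"]] = node
    return nodes, errors, overwritten


# Constructed sample input: documentation addresses and illustrative names only.
SAMPLE_CSV = """\
Branch office 1,node1.example.internal,yes,on,1,standard_profile,yes,Main site
Branch office 2,192.0.2.10,no,off,0,,1,
Lab node,192.0.2.11,maybe,on,1,,yes,Bad boolean
Caf\u00e9,192.0.2.12,yes,yes,yes,,yes,Unicode in name
Branch office 1,192.0.2.13,yes,yes,yes,,yes,Duplicate name
"""

if __name__ == "__main__":
    nodes, errors, overwritten = load_nodes(SAMPLE_CSV, existing_names={"Lab node"})
    print("errors:", *errors, sep="\n  ")
    print("overwritten:", overwritten, "accepted:", sorted(nodes))
```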


Importing Node Information

The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 249.

To import node information from a CSV file:

1. On the parent node, browse to the System > Central management > Child nodes page.

2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.

3. The parent node displays the contents of the file and notifies you of any errors in the file.

   Note: Importing settings from a CSV file will overwrite existing nodes with the same name.

4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings

When required, it is possible to edit child node settings.

To edit a child node’s settings:

1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.

2. Make the changes required; see Manually Adding Child Nodes on page 248 for full information on the settings.

3. Click Confirm, review the changes and then click Save to save and implement the changes.

Deleting Nodes in the System

It is possible to delete nodes that are no longer required in the system.

To delete a node:

1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.

2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Nomadix System

Managing nodes in a Nomadix system entails:

• Monitoring node status

• Applying updates to nodes

• Scheduling updates for application at a specific time

• Rebooting nodes when necessary

• Disabling nodes when necessary


Monitoring Node Status

The central management node overview on the parent node displays a list of all of the nodes in the Nomadix system. It also displays the nodes’ current status and whether updates for the nodes are available.

To monitor node status:

1. On the parent node, browse to the System > Central management > Overview page. The parent node displays the current node status.

Node information is contained in the following fields:

Name – The Name field displays the name of the node. Click on the name to log in to the node.

Status – The Status field displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 251.

   The following statuses are possible:

   OK – the node is functioning and does not require attention.

   Critical – the node requires immediate attention. Click on the node’s status field for more information.

   Warning – the node does not require immediate attention but should be checked for problems. Click on the node’s status field for more information.

Updates – The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 252. Click on the Updates text to display detailed information on the node.

Accessing the Node Details Page

It is possible to view detailed information on a node by accessing the node details page.

To access a node details page:

1. On the parent node, browse to the System > Central management > Overview page.

2. Locate the node you want more information on and click on its Status text. NITO displays the node details page.

3. Click on the displayed headings for more information.

4. Click Refresh node to refresh the information displayed.

5. Click Reboot node to reboot the node.


Working with Updates

You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node

You can review and apply updates to a node as they become available.

To review and apply updates:

1. On the parent node, browse to the System > Central management > Overview page.

2. Click the Updates tab and then click the Status field of the node. The node details are displayed.

3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.

4. In the Install updates area, select one of the following options:

   Now – Select to apply the updates to the node immediately.
   Later – From the drop-down list, select when you want the updates applied to the node.

5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes

You can apply updates to one or more nodes immediately or schedule them for application later.

To apply updates:

1. On the parent node, browse to the System > Central management > Overview page.

2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.

3. In the Install updates area, select one of the following options:

   Now – Select to apply the update(s) to the node(s) immediately.
   Later – From the drop-down list, select when you want the update(s) applied to the node(s).

4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates

It is possible to clear any scheduled updates.

To clear scheduled updates:

1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.

2. NITO displays the updates that are currently scheduled. Click Clear schedule to clear the updates.


Rebooting Nodes

When required, you can reboot a child node from the system’s parent node.

To reboot a child node:

1. On the parent node, browse to the System > Central management > Overview page.

2. Locate the node you want to reboot and click on the Status text. The node details are displayed.

3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:

   Now – Select to reboot the node immediately.
   Later – From the drop-down list, select when you want to reboot the node.

4. Click Schedule reboot. The node is rebooted.

Disabling Nodes

It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally

You may need to work on a child node in a system and, for example, want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.

To disable a node locally:

1. On the node you want to disable, browse to the System > Central management > Local node settings page.

2. In the Local node options area, select Disable and click Save.

3. Repeat the step above for any other nodes in the system that you want to disable.

Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide

You may need to disable a child node in a system, e.g. in the case of hardware failure. You can do this by disabling the child node system-wide.

To disable a node system-wide:

1. On the parent node, browse to the System > Central management > Child nodes page.

2. Locate the node you want to disable, select Disable and click Save.

3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Configuring Child Node Log Retention

It is possible to configure how long child node logs are retained on the parent node.

To configure child node log retention:

1. Browse to the System > Central management > Local node settings page.


2. Configure the following settings:

   Manage central management local log retention
   Local log retention – This setting determines how long a copy of the child node’s logs is kept on the parent node. From the drop-down list, select the length of time to retain the logs.

   The information in the retained logs can be used in:

   • Zap (email) user activity summary report, which generates a summary of a user’s or domain’s incoming and outgoing mail

   • Guardian3 user activity report, which generates a report on the browsing activity of local users by the number of sites visited or the amount of data received.

3. Click Save. NITO applies the settings you have configured.


18 Information, Alerts and Logging

In this chapter:

• About the dashboard, registration and initial setup pages

• Viewing, analyzing and configuring alerts, realtime information and log files.

About the Dashboard

The dashboard is the default home page of your NITO system. The dashboard displays a to-do list for getting started, service information, external connectivity controls and a number of summary reports.

To access the dashboard:

1. Browse to Dashboard.

About the About Page

The About page displays product, registration, copyright and trademark information. It also displays acknowledgements.

To access the About page:

1. Browse to the bottom of the page you are on and click About.


Alerts

NITO contains a comprehensive set of incident alerting controls.

Overview

Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity.

Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts.

It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert, and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts

Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143.

You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

Hardware failure alerts, harddisk failure – Generates messages when hardware problems are detected.

License expiry status warnings – Generates messages when the license is due for renewal or has expired. Monitored once an hour.

UPS, Power Supply status warnings – Generates messages when server power switches to and from mains supply. Constant monitoring.

System Resource Monitor – These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.

Firewall Notifications – Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.

System Service Monitoring – This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.

Health Monitor – Checks on remote services for activity.

Output System Test Messages – Catches test alerts generated for the purposes of testing the NITO Output systems. Constant monitoring.

Administration Login Failures – Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.

Update Monitoring – Monitors the system for new updates once an hour.

System Boot (Restart) Notification – This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored once every five minutes.


Enabling Alerts

Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143.

NITO contains a comprehensive set of incident alerting controls.

To enable alerts:

1. Browse to the Logs and reports > Alerts > Alerts page.

2. Configure the following settings:

   Group name – From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 274.

   Enable instantaneous alerts – By default, NITO queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.

3. For each alert you want to send, select the delivery method: SMS or Email.

4. Click Save.

Looking up an Alert by Its Reference

To view the content of an alert that has already been sent:

1. Enter the alert’s unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.

Configuring Alert Settings

Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143.

The following sections explain how to configure NITO alert settings.


To access the alert settings:

1. Browse to the Logs and reports > Alerts > Alert settings page.

Configuring the System Resource Alert

This alert is triggered whenever particular system resources exceed some predefined limitations.

To adjust the settings:

1. Enter or choose appropriate settings for each of the following controls:

   System load average – Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.

   Disk usage – Used to set a disk space usage percentage threshold that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.

   System memory usage – Used to set a system memory usage percentage threshold that generates an alert once exceeded. NITO uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.

2. Click Save.

Configuring the Firewall Notifications Alert

This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.


To adjust the settings:

1. Enter or choose appropriate settings for each of the following controls:

   Monitor Source (remote) IP addresses – Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.

   Monitor Source (remote) Ports – Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.

   Monitor Destination (local) IP Addresses – Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.

   Monitor Destination (local) Ports – Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.

2. Click Save.

Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.

Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.
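To make the threshold model concrete, here is an added Python example (not NITO code) that replays constructed firewall-log records, shaped like the columns of the firewall log viewer, through one sliding-window counter per monitor type, each with a Warning threshold, an Incident threshold and an Ignore ports list. The window length, the thresholds, the record layout and the mapping of the Ignore list to source or destination ports are assumptions made for the example.

```python
"""Threshold detection for the Firewall Notifications alert model in this guide.

Added example, not NITO code. It counts blocked inbound packets that share the
same source IP, source port, destination IP or destination port inside a short
window, compares the count with a Warning and an Incident threshold, and skips
ports listed in an Ignore field. The window length, the thresholds, the record
layout and the mapping of the Ignore list to ports are assumptions made here.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# One record per blocked packet, named after the columns of the firewall log viewer.
LogEntry = namedtuple("LogEntry", "time in_if out_if protocol source src_port destination dst_port")

# The four monitor types in the guide and the record field each one keys on.
MONITORS = {
    "source_ip": "source",
    "source_port": "src_port",
    "destination_ip": "destination",
    "destination_port": "dst_port",
}


class Monitor:
    """Sliding-window counter for one monitor type with warning and incident levels."""

    def __init__(self, kind, warning, incident, window_seconds=10, ignore_ports=()):
        if warning > incident:
            raise ValueError("warning threshold must not exceed incident threshold")
        self.kind = kind
        self.field = MONITORS[kind]
        self.warning = warning
        self.incident = incident
        self.window = timedelta(seconds=window_seconds)
        self.ignore_ports = set(ignore_ports)
        self.recent = defaultdict(deque)  # key value -> timestamps inside the window
        self.level = {}                   # key value -> highest level already raised

    def observe(self, entry):
        """Feed one entry; return ("warning"|"incident", key) the first time a level is crossed."""
        # Assumption: source monitors honour the source-port Ignore list, destination monitors the destination-port one.
        port = entry.src_port if self.kind.startswith("source") else entry.dst_port
        if port in self.ignore_ports:
            return None
        key = getattr(entry, self.field)
        q = self.recent[key]
        q.append(entry.time)
        while q and entry.time - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        count, previous = len(q), self.level.get(key)
        if count >= self.incident and previous != "incident":
            self.level[key] = "incident"
            return ("incident", key)
        if count >= self.warning and previous is None:
            self.level[key] = "warning"
            return ("warning", key)
        return None


def run_monitors(entries, monitors):
    """Replay entries in time order through every monitor; return (kind, level, key) alerts."""
    alerts = []
    for entry in sorted(entries, key=lambda e: e.time):
        for m in monitors:
            hit = m.observe(entry)
            if hit:
                alerts.append((m.kind, hit[0], hit[1]))
    return alerts


def at_seconds(seconds):
    """Timestamp helper for the constructed log: a fixed base time plus an offset."""
    return datetime(2012, 1, 1, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed log records (documentation address ranges); every one is a blocked inbound packet.
SAMPLE_LOG = (
    # One remote host hits twelve local ports in twelve seconds: a burst when keyed on source IP.
    [LogEntry(at_seconds(i), "eth0", "", "TCP", "198.51.100.7", 40000 + i, "192.0.2.1", 1000 + i) for i in range(12)]
    # A slow repeat visitor that never reaches the warning level.
    + [LogEntry(at_seconds(5 * i), "eth0", "", "TCP", "203.0.113.9", 51000, "192.0.2.1", 22) for i in range(4)]
    # Background noise on a destination port that is on the Ignore list.
    + [LogEntry(at_seconds(i), "eth0", "", "UDP", "203.0.113.%d" % (100 + i), 53, "192.0.2.1", 137) for i in range(20)]
)


def detect(entries=SAMPLE_LOG):
    """Run two monitors over the sample with Warning=5, Incident=10 and port 137 ignored."""
    monitors = [
        Monitor("source_ip", warning=5, incident=10),
        Monitor("destination_port", warning=5, incident=10, ignore_ports=(137,)),
    ]
    return run_monitors(entries, monitors)


if __name__ == "__main__":
    for kind, level, key in detect():
        print("%-8s %-16s %s" % (level.upper(), kind, key))
```

Each key crosses the warning level once and the incident level once, so a sustained burst produces exactly two alerts rather than one per packet.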

Configuring the System Service Alert

This alert is triggered whenever a critical system service changes state, i.e. starts or stops.

To adjust the settings for this alert:

1. Select the components, modules and services that should generate alerts when they start or stop.

2. Click Save.

Configuring the Health Monitor

This alert is triggered whenever a remote service fails to report activity.

Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of NITO.

The health monitor provides the following checks and alerts:


Web Servers (HTTP)

When enabled, tries to retrieve the specified web page and check that it contains specific keywords. This is for detecting defacement.

   Request URL – Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm

   Note: Omit http:// when entering the URL.

   No of tries – Enter the number of times NITO should try to retrieve the page.

   Keywords – Enter the keywords to be checked in the page.

Assuming the page has been retrieved and the keywords are missing, an alert is generated.

Other Services

Checks that the specified port is open and offering a service.

   IP Address – Enter the IP address.

   Port – Enter the port number.

   Protocol – From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.

   No of tries – Enter the number of times NITO should check the address and not receive a response before generating an alert.

DNS Name Resolution

Checks that a domain has not expired or been hijacked.

   Name – Enter the domain name.

   Address – Enter the domain address.

To configure the alert:

1. For the services, enter the URL, IP address or name.

2. Enter keywords, port numbers and number of tries, if applicable.

3. Select the protocol.

4. Click Add for each service.
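As an added example (not NITO code), the following Python function implements the Web Servers (HTTP) check the way the section above describes it: the URL is entered without http://, the page is fetched up to No of tries times, and a defacement alert is raised only when a page was actually retrieved and a keyword is missing, while a host that never answers is reported separately. The fetcher is injected so the sample runs offline against constructed pages; the page contents, URLs and the FlakyFetch helper are assumptions made for the example.

```python
"""Web Servers (HTTP) health-monitor check as described in this guide.

Added example, not NITO code. Behaviour mirrored from the guide: the URL is
entered without http://, the page is fetched up to 'tries' times, and a
defacement alert is raised only when a page was retrieved and keywords are
missing. Page contents and URLs below are constructed for the example.
"""
from urllib.error import URLError
from urllib.request import urlopen


def http_keyword_check(url, keywords, tries, fetch=None):
    """Return (status, detail).

    status is "ok" (page retrieved, every keyword present), "defaced" (page
    retrieved, at least one keyword missing: this is the alert condition) or
    "unreachable" (no attempt returned a page; reported separately because
    the guide's alert assumes the page was retrieved).
    """
    if tries < 1:
        raise ValueError("tries must be at least 1")
    if url.startswith(("http://", "https://")):
        raise ValueError("enter the URL without the http:// prefix")
    full_url = "http://" + url          # the guide says to omit http://; add it back here
    fetch = fetch or default_fetch
    last_error = None
    for attempt in range(1, tries + 1):
        try:
            body = fetch(full_url)
        except OSError as exc:          # URLError is an OSError subclass
            last_error = exc
            continue
        missing = [k for k in keywords if k not in body]
        if missing:
            return "defaced", "missing keyword(s) after %d attempt(s): %s" % (attempt, ", ".join(missing))
        return "ok", "all %d keyword(s) present" % len(keywords)
    return "unreachable", "%d attempt(s) failed: %s" % (tries, last_error)


def default_fetch(full_url, timeout=10):
    """Real fetcher used when none is injected; not exercised by the offline sample."""
    with urlopen(full_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed responses standing in for a monitored web server.
FAKE_PAGES = {
    "http://example.com/index.htm": "<html><title>Example Corp</title>Welcome to Example Corp</html>",
    "http://example.com/changed.htm": "<html><title>Untitled</title>This page has been replaced</html>",
}


def fake_fetch(full_url):
    """Offline stand-in for default_fetch: unknown URLs behave like an unreachable host."""
    if full_url not in FAKE_PAGES:
        raise URLError("connection refused")
    return FAKE_PAGES[full_url]


class FlakyFetch:
    """Fails the first `failures` attempts, then serves pages like fake_fetch."""

    def __init__(self, failures):
        self.remaining = failures

    def __call__(self, full_url):
        if self.remaining > 0:
            self.remaining -= 1
            raise URLError("timed out")
        return fake_fetch(full_url)


def run_sample():
    """Run the check against the constructed pages with No of tries = 3."""
    keywords = ["Example Corp", "Welcome"]
    return {
        "ok": http_keyword_check("example.com/index.htm", keywords, 3, fake_fetch),
        "defaced": http_keyword_check("example.com/changed.htm", keywords, 3, fake_fetch),
        "unreachable": http_keyword_check("example.com/missing.htm", keywords, 3, fake_fetch),
        "flaky": http_keyword_check("example.com/index.htm", keywords, 3, FlakyFetch(2)),
        "flaky_exhausted": http_keyword_check("example.com/index.htm", keywords, 3, FlakyFetch(3)),
    }


if __name__ == "__main__":
    for name, (status, detail) in run_sample().items():
        print("%-16s %-12s %s" % (name, status, detail))
```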


Configuring the Inappropriate Word in IM Monitor Alert

These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.

To configure the alert:

1. Configure the following settings:

   Enabled on received text – Select to generate the alert when an inappropriate word is used in a message received from a remote user.

   Enabled on sent text – Select to generate the alert when an inappropriate word is used in a message sent by a local user.

   Generate alert for each message which exceeds the – Select to generate an alert when the Message Censor threshold is exceeded. For information on the Message censor threshold, see Chapter 13, Censoring Instant Message Content on page 157.

   Message Censor severity threshold – From the drop-down list, select the threshold above which an alert will be generated.

   Generate alert when users exceed the rate of inappropriate messages – Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.

   Number of inappropriate messages in 15 mins – Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.

2. Click Save to save the settings.

Realtime

The realtime pages provide access to realtime information about your system.

Note: For realtime information on web filtering, see Chapter 12, Realtime Web Filter Information on page 145.

System Information

The System page is a realtime version of the system log viewer with some filtering options.


To access the system page:

1. Browse to the Logs and reports > Realtime > System page.

By default, all information in the system log is displayed and updated automatically approximately every second.

To display information on specific components:

1. From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Firewall Information

The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by NITO.

To access the page:

1. Browse to the Logs and reports > Realtime > Firewall page.


By default, information is displayed and updated automatically approximately every second.

To display information on specific sources and destinations:

1. Enter a complete or partial IP address and/or port number in the fields and click Update.

Portal Information

The Portal page displays realtime information on users accessing NITO portals.

To access the portal page:

1. Browse to the Logs and reports > Realtime > Portal page.

For more information on portals, see Chapter 13, Working with User Portals on page 149.

Traffic Graphs

The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.


To access the traffic graphs page:

1. Browse to the Logs and reports > Realtime > Traffic graphs page.

The Interfaces area displays a list of the active interfaces on NITO. Clicking on an interface displays its current traffic.

Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.

Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logs

The log pages display system, firewall, IPsec, intrusion system and proxy information.


System Logs

The system logs contain simple logging and management information.

To access system logs:

1. Browse to the Logs and reports > Logs > System page.

The following filter criteria controls are available in the Settings area:

Section – Used to select which system log is displayed. The following options are available:

   Authentication service – Log messages from the authentication system, including service status messages and user authentication audit trail.
   Kernel – Log messages from the core NITO operating system.
   Message censor – Displays information from the message censor logs.
   NTP – Log messages from the network time system.
   SystemD – Log messages from the system super server.
   SSH – Log messages from the SSH system.
   System – Displays server log information.
   Monitor – Displays monitoring system information including service status and alert/report distribution audit trail.
   System – Simple system log messages, including startup, shutdown, reboot and service status messages.
   UPS – Log messages from the UPS system, including service status messages.
   Update transcript – Displays information on update history.

Month – Used to select the month that log entries are displayed for.

Day – Used to select the day that log entries are displayed for.

Export format – Logs can be exported in the following formats:

   Comma Separated Values – The information is exported in comma separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.


Export all dates – Exports the currently displayed log for all available dates.

To view specific information:

1. Select the filtering criteria using the Settings area and click Update.

A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs

The firewall logs contain information on network traffic.

To view the firewall logs:

1. Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs

The following filter criteria controls are available in the Settings area:

Section – Used to select which firewall log is displayed. The content of each section is discussed below.

Month – Used to select the month that log entries are displayed for.

Day – Used to select the day that log entries are displayed for.

Compression – Used to ghost repeated sequential log entries for improved log viewing.


Source – Enter an IP address and click Update to display log entries for that source address.

Src port – This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.

Destination – Enter an IP address and click Update to display log entries for that destination address.

Dst port – This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.

Export format – Logs can be exported in the following formats:

   Comma Separated Values – The information is exported in comma separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.

Export all dates – Exports the currently displayed log for all available dates.

The possible sections that can be viewed are as follows:

Main – All rejected data packets.

Incoming audit – All traffic to all interfaces that is destined for the firewall – if Direct incoming traffic is enabled on the Networking > advanced page.

Forward audit – All traffic passing through one interface to another – if Forwarded traffic is enabled on the Networking > Settings > Advanced page.

Outgoing audit – All traffic leaving from any interface – if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.

Viewing Firewall Logs

To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:

Time – The time that the firewall event occurred.

In – The interface at which the data packet arrived.

Out – The interface at which the data packet left.

Protocol – The network protocol used by the data packet.


Source – The IP address of the data packet's sender.

Src Port – The outbound port number used by the data packet.

Destination – The IP address of the data packet's intended destination.

Dst port – The inbound port number used by the data packet.

Looking up a Source IP – whois

The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.

To use whois:

1. Navigate to the Logs and reports > Logs > Firewall page.

2. Select a particular source or destination IP in the Source and Destination columns.

3. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

Blocking a Source IP

The firewall log viewer can be used to add a selected source or destination IP to the IP block list.

To block a source IP:

1. Navigate to the Logs and reports > Logs > Firewall page.

2. Select one or more source or destination IPs.

3. Click Add to IP block list.

The selected source and destination IPs will be automatically added to the IP block list, which you can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 43 for more information.

Exporting Logs

To export and download all log entries generated by the current settings, click Export.

Exporting all dates

To export and download all log entries generated by the current settings, for all dates available, select Export all dates, and click Export.

Viewing and Sorting Log Entries

The following columns are displayed in the Web log region:

Time – The time the tunnel activity occurred.

Name – The name of the tunnel concerned.

268

Column Description

Description Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.

To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the currently selected column reverses the sort direction.

IDS Logs

The IDS logs contain details of suspicious network activity detected by Advanced Firewall’s intrusion detection system (IDS).

To view the IDS logs:

1. Navigate to the Logs and reports > Logs > IDS page. NITO displays the results.

Option             Select to:
Month              Specify which month you wish to view logs for.
Day                Specify which day you wish to view logs for.
Export format      Logs can be exported in the following formats:
                   Comma Separated Values – The information is exported in comma separated text format.
                   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
                   Raw Format – The information is exported without formatting.
                   Tab Separated Value – The information is exported separated by tabs.
Export all dates   Exports the currently displayed log for all available dates.

Exporting Logs

To export logs:

1. Filter the logs to show the information you want to export.

2. Select the export format and whether you want to export all dates.

3. Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs

The IPS logs contain details of suspicious network activity prevented by Advanced Firewall’s intrusion prevention system (IPS).

To view the IPS logs:

1. Navigate to the Logs and reports > Logs > IPS page. NITO displays the results.

Option             Select to:
Month              Specify which month you wish to view logs for.
Day                Specify which day you wish to view logs for.
Export format      Logs can be exported in the following formats:
                   Comma Separated Values – The information is exported in comma separated text format.
                   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
                   Raw Format – The information is exported without formatting.
                   Tab Separated Value – The information is exported separated by tabs.
Export all dates   Exports the currently displayed log for all available dates.

User Portal Logs

The User portal log page displays information on users who have accessed user portals.

To view user portal log activity:

1. Browse to the Logs and reports > Logs > User portal page. NITO displays the information.

Configuring Log Settings

NITO can send logs to an external syslog server, automatically delete log files when disk space is low and set the maximum log file retention settings.

To configure logging settings:

1. Browse to the Logs and reports > Logs > Log settings page.

2. In the Syslog logging area, select the logging you require.

3. To enable and configure remote logging, configure the following settings:

Setting             Description
Remote syslog       To send logs to an external syslog server, select this setting.
Syslog server       If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention   To set default log retention for all of the logs listed above, select one of the following settings:
                    1 Day – Rotate the log file daily and keep the last day.
                    2 Days – Rotate the log file daily and keep the last 2 days.
                    A week – Rotate the log file weekly and keep the last week.
                    2 weeks – Rotate the log file weekly and keep the last 2 weeks.
                    A month – Rotate the log file monthly and keep the last month.
                    2 months – Rotate the log file monthly and keep the last 2 months.
                    Three months – Rotate the log file monthly and keep the last 3 months.
                    Four months – Rotate the log file monthly and keep the last 4 months.
                    Five months – Rotate the log file monthly and keep the last 5 months.
                    Six months – Rotate the log file monthly and keep the last 6 months.
                    Seven months – Rotate the log file monthly and keep the last 7 months.
                    Eight months – Rotate the log file monthly and keep the last 8 months.
                    Nine months – Rotate the log file monthly and keep the last 9 months.
                    Ten months – Rotate the log file monthly and keep the last 10 months.
                    Eleven months – Rotate the log file monthly and keep the last 11 months.
                    A year – Rotate the log file monthly and keep the last 12 months.

4. Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.

5. Click Save. NITO will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings

NITO enables you to configure retention settings for other logs.

To configure other logs:

1. Browse to the Logs and reports > Logs > Log settings page.

2. In the Other logging area, configure the following settings:

Setting             Description
Default retention   To set default log retention for all of the logs listed in the table below, select one of the following settings:
                    1 Day – Rotate the log file daily and keep the last day.
                    2 Days – Rotate the log file daily and keep the last 2 days.
                    A week – Rotate the log file weekly and keep the last week.
                    2 weeks – Rotate the log file weekly and keep the last 2 weeks.
                    A month – Rotate the log file monthly and keep the last month.
                    2 months – Rotate the log file monthly and keep the last 2 months.
                    Three months – Rotate the log file monthly and keep the last 3 months.
                    Four months – Rotate the log file monthly and keep the last 4 months.
                    Five months – Rotate the log file monthly and keep the last 5 months.
                    Six months – Rotate the log file monthly and keep the last 6 months.
                    Seven months – Rotate the log file monthly and keep the last 7 months.
                    Eight months – Rotate the log file monthly and keep the last 8 months.
                    Nine months – Rotate the log file monthly and keep the last 9 months.
                    Ten months – Rotate the log file monthly and keep the last 10 months.
                    Eleven months – Rotate the log file monthly and keep the last 11 months.
                    A year – Rotate the log file monthly and keep the last 12 months.

3. Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.

Setting                     Description
Default retention           From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs    From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs   From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs                     From the drop-down menu, select how long you want to keep instant messaging logs.

4. Click Save. NITO will now retain the logs as you have specified.

Managing Automatic Deletion of Logs

NITO can be set to automatically delete log files if there is a limited amount of free disk space available.

To configure automatic log deletion:

1. Browse to the Logs and reports > Logs > Log settings page.

2. In the Automatic log deletion area, configure the settings:

Setting                                    Description
Delete old logs when free space is low     Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging    From the drop-down list, select the level at which NITO will delete logs.

3. Click Save. NITO will delete the logs when the specified amount of disk space has been used.

Configuring Groups

The Groups page is used to create groups of users which can be configured to receive automated alerts and reports.

Creating Groups

To create a group of users:

1. Browse to the Logs and reports > Settings > Groups page.

2. Configure the following settings:

Setting      Description
Group name   From the Group name drop-down list, select Empty and click Select.
Name         Enter a name for the group.

3. Click Save. NITO creates the group. In the Add user area, configure the following settings:

Setting             Description
Name                Enter a user's name.
SMS number          If required, enter the user’s SMS number details.
Comment             Optionally, enter a description or comment.
Email address       If required, enter the user's email address.
Enable HTML Email   Select if you want emailed reports to be sent in HTML format.

4. Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.

5. Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group

To edit a group:

1. Browse to the Logs and reports > Settings > Groups page.

2. Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.

3. Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group

To delete a group:

1. Browse to the Logs and reports > Settings > Groups page.

2. Select the group to be deleted using the Group name drop-down list.

3. Click Delete.

Configuring Output Settings

Reports and alerts are distributed according to NITO’s output settings. In order to send reports and alerts, NITO must be configured to operate with mail servers and email-to-SMS gateway systems.

To access output settings:

1. Browse to the Logs and reports > Settings > Output settings page.

About Email to SMS Output

NITO generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message which is then sent.

A wide variety of different email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format that an email should arrive in. While there are a few conventions (usually the destination SMS number is placed in the email's subject line), it is necessary to configure NITO so that it can format email messages in the format specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, NITO uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

Placeholder       Description
%%ALERT%%         The content of the alert message.
%%SMS%%           The recipient SMS number.
%%EMAIL%%         The recipient's email address.
%%HOSTNAME%%      The hostname of the NITO system (useful when using multiple firewall systems).
%%DESCRIPTION%%   The description of the NITO system (useful when using multiple firewall systems).
%%--%%            A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration would provide this:

%%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration would provide this:

%%ALERT%%

Networks with multiple NITO systems may wish to include details of the system that generated the alert; the following examples would provide this:

%%ALERT%% - From: %%HOSTNAME%%

%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)

%%ALERT%% - From: %%DESCRIPTION%%

%%ALERT%% -%%HOSTNAME%%

%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. NITO can be configured to truncate messages – in this mode, all characters past position 155 are removed and the text

.. +

is appended to the message to indicate that truncation has occurred.

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special

%%--%%

placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
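The placeholder and truncation rules above are easiest to understand by running them. The following is an added example, not NITO's own code: it expands the five placeholder tags, then applies the 155-character cut and ".. +" suffix only to the text after %%--%% (or to the whole body when the marker is absent). It assumes the 160-character limit is what triggers truncation, so a body that already fits is left untouched; sampleSMS.com is the guide's example gateway address, and the alert text, hostnames and numbers are constructed.

```python
# Added illustration of the placeholder expansion and truncation rules described
# above; it is not NITO's own code. sampleSMS.com is the page's example gateway
# address; alert text, hostnames and numbers used below are constructed.

PLACEHOLDERS = {
    "%%ALERT%%": "alert",
    "%%SMS%%": "sms",
    "%%EMAIL%%": "email",
    "%%HOSTNAME%%": "hostname",
    "%%DESCRIPTION%%": "description",
}
TRUNCATE_MARKER = "%%--%%"
SMS_LIMIT = 160            # gateway limit the Truncate option targets
KEEP_CHARS = 155           # characters kept before the suffix is appended
TRUNCATION_SUFFIX = ".. +"


def expand(template, values):
    """Replace each placeholder tag with its value (missing values become "").
    %%--%% is deliberately left in place so truncate_sms() can find it."""
    out = template
    for tag, key in PLACEHOLDERS.items():
        out = out.replace(tag, values.get(key, ""))
    return out


def truncate_sms(text, enabled):
    """Apply the truncation rule to the text after %%--%% (or the whole text
    if the marker is absent): when that text exceeds 160 characters, keep 155
    and append ".. +". Assumption: exceeding 160 characters is the trigger;
    text that already fits is left alone. The marker itself is removed."""
    head, marker, tail = text.partition(TRUNCATE_MARKER)
    if not marker:
        head, tail = "", head
    if enabled and len(tail) > SMS_LIMIT:
        tail = tail[:KEEP_CHARS] + TRUNCATION_SUFFIX
    return head + tail


def build_sms_email(settings, values):
    """Return (to, subject, body) for the gateway email from the output settings."""
    to = expand(settings["sms_to_address"], values)
    subject = expand(settings["sms_subject_line"], values)
    body = truncate_sms(expand(settings["sms_message_body"], values),
                        settings["truncate"])
    return to, subject, body


if __name__ == "__main__":
    demo_settings = {
        "sms_to_address": "%%SMS%%@sampleSMS.com",
        "sms_subject_line": "%%SMS%%",
        # gateway parameters first, then the marker, then the alert itself
        "sms_message_body": "user=GATEWAY-USER pass=GATEWAY-PASS %%--%%%%ALERT%% - From: %%HOSTNAME%%",
        "truncate": True,
    }
    demo_values = {"alert": "Disk space low " * 20, "sms": "15551234567", "hostname": "nito-1"}
    print(build_sms_email(demo_settings, demo_values))
```

Placing %%--%% after the gateway's required parameters is what keeps those parameters intact: without the marker the whole body counts against the limit and the cut may land inside the credentials rather than the alert text.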

Configuring Email to SMS Output

To configure NITO's SMS settings:

1. Browse to Logs and reports > Settings > Output settings.

2. In the Email to SMS Output System area, configure the following settings:

Setting                                   Description
SMTP server                               Enter the hostname or IP address of the SMTP server to be used by NITO.
Sender's email address field              Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address                            Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
Truncate SMS messages to 160 characters   Select if you want the content of the SMS message body to be truncated to 160 characters or if your email-to-SMS gateway service provider instructs you to do so.
Enable SMTP auth                          Select to use SMTP auth if required.
Username                                  If using SMTP auth, enter the username.
Password                                  If using SMTP auth, enter the password.
SMS subject line                          Enter the subject line of the SMS email in the SMS subject line field as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder as many email-to-SMS gateways use the subject line for this purpose.
SMS message body                          Enter additional parameters and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.

3. Click Save.

Testing Email to SMS Output

To test the output system:

1. In the Send test to: field, enter the cell phone number of the person who is to receive the test.

2. Click Send test.

Output to Email

To configure email settings:

1. Browse to Logs and reports > Settings > Output settings.

2. In the SMTP (Email) Output System area, configure the following settings:

Setting                  Description
SMTP server              Enter the hostname or IP address of the SMTP server to be used by NITO.
Sender's email address   Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
Enable SMTP auth         Select to use SMTP auth if required.
Username                 If using SMTP auth, enter the username.
Password                 If using SMTP auth, enter the password.

3. Click Save.

Generating a Test Alert

To generate a test alert:

1. Configure Email to SMS output and/or SMTP (Email) output.

2. Click Generate test alert.

Appendix A – Authentication

In this appendix:

• Authentication methods.

Overview

NITO's authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user's group membership.

• Identity verification – authenticate users by checking supplied identity credentials, e.g. usernames and passwords, against known user profile information.

• Identity confirmation – provide details of known authenticated users at a particular IP address.

Verifying User Identity Credentials

In order to authenticate users, NITO must be able to verify the identity credentials, usernames and passwords, supplied by network users. Credentials are verified against the authentication system's local user database.

Network users must provide their identity credentials when using an authentication-enabled service for the first time. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services.

A user that is authenticated can be described as being logged in.

About Authentication Mechanisms

All authentication-enabled services use the authentication system to discover what users are accessing them. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:

• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details

• Active provision of user-supplied identity credentials, for onward authentication.

The means by which these two types of interactions are combined and implemented defines a particular named authentication mechanism.


The Core Authentication Mechanism

This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms

All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service.

However, if the user is currently unauthenticated, the second type of interaction occurs – i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system, for onward authentication. Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism

As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism used – in such cases, the authentication mechanism will always be

'Core authentication'.

About the Login Time-out

The login time-out is the length of time that a user's authenticated status will last once they are authenticated. Time-out does not occur if NITO can determine that the same user is still active – for example, by seeing continued web browsing from the same user. However, if NITO sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status will be invalidated.

The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights, if the original user fails to proactively log out.
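The trade-off described above (activity keeps a session alive, silence for the time-out period invalidates it, and a new user at the same IP inherits whatever is still valid) can be modelled in a few lines. The following is an added example and not NITO's implementation: a session table keyed by IP address that answers the passive "who is at this IP?" question the core authentication mechanism asks. Times are plain seconds supplied by the caller so the behaviour is deterministic; the usernames and addresses are constructed.

```python
# Added model of the idle time-out described above; not NITO's code. Times are
# plain seconds passed in by the caller so the behaviour is deterministic.

UNAUTHENTICATED = "Unauthenticated"
DEFAULT_TIMEOUT = 10 * 60  # seconds; the value the guide calls effective for most networks


class AuthSessionTable:
    """Who, if anyone, is the authenticated user at a given IP address.

    lookup() is the 'passive interrogation' the core authentication mechanism
    performs: it never collects credentials, it only reports the current state.
    """

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self._sessions = {}  # ip -> [username, time of last activity]

    def login(self, ip, username, now):
        """Record a successful credential check for the user at `ip`."""
        self._sessions[ip] = [username, now]

    def logout(self, ip):
        """Proactive log-out: the session ends regardless of the timer."""
        self._sessions.pop(ip, None)

    def _expired(self, ip, now):
        return now - self._sessions[ip][1] >= self.timeout

    def activity(self, ip, now):
        """Traffic seen from `ip` (e.g. web browsing) keeps a live session alive.
        Activity after expiry does not revive it: the user must log in again."""
        if ip in self._sessions:
            if self._expired(ip, now):
                del self._sessions[ip]
            else:
                self._sessions[ip][1] = now

    def lookup(self, ip, now):
        """Return the authenticated username at `ip`, or 'Unauthenticated'."""
        if ip not in self._sessions:
            return UNAUTHENTICATED
        if self._expired(ip, now):
            del self._sessions[ip]
            return UNAUTHENTICATED
        return self._sessions[ip][0]


if __name__ == "__main__":
    table = AuthSessionTable(timeout=600)
    table.login("10.0.0.50", "alice", now=0)          # constructed user and address
    print(table.lookup("10.0.0.50", now=599))         # alice: still within the time-out
    print(table.lookup("10.0.0.50", now=600))         # Unauthenticated: no activity for 10 minutes
```

The risk case from the text is visible in the model: if alice's laptop leaves and another device gets 10.0.0.50 a few minutes later without alice having logged out, lookup() still answers "alice" until the timer runs out, which is why the time-out is a balance between re-authentication load and exposure.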

NITO and DNS

NITO’s authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using NITO’s setup program.

NITO’s DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up an NITO connectivity profile.

In this way, NITO can be configured to use an internal DNS server and the internal DNS server can, in turn, be configured to use NITO as its DNS forwarder.

A Common DNS Pitfall

Often NITO is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server configured as the secondary DNS server.

This is not the correct way to configure DNS servers on any client. DNS is a system that was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. With the proliferation of private networks and internal DNS zones, this no longer is the case.

A DNS client will behave in the following way when looking up a host:

• If a reply of “host not found” is received, the client will NOT ask other DNS servers

• If the DNS server is not answering, the client will try to ask another DNS server

• The client will ask randomly between configured DNS servers

Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS and an external DNS server in the configuration will not work, or at least, will not work reliably.

The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, like NITO’s DNS proxy server.
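The three client rules above are enough to show why the mixed configuration fails roughly half the time and why an internal server that forwards to NITO's DNS proxy does not. The following is an added simulation, not NITO's code: a toy DNS server answers from its own zone, forwards what it does not know if a forwarder is configured, and otherwise replies "host not found"; the client picks configured servers in random order, stops on "host not found", and only moves on when a server does not answer. The zone data, server names and addresses are constructed.

```python
import random

# Added simulation of the client behaviour listed above; not NITO's code.
# Zone data, server names and addresses are constructed for the example.
NXDOMAIN = "host not found"
TIMEOUT = "no answer"

INTERNAL_ZONE = {"dc01.corp.example": "10.0.0.5", "intranet.corp.example": "10.0.0.20"}
PUBLIC_ZONE = {"www.example.org": "203.0.113.80"}


class DnsServer:
    """Answers from its own zone data, forwards unknown names to an optional
    forwarder, and replies NXDOMAIN otherwise. A server that is down never answers."""

    def __init__(self, name, zone, forwarder=None, down=False):
        self.name, self.zone, self.forwarder, self.down = name, zone, forwarder, down

    def query(self, host):
        if self.down:
            return TIMEOUT
        if host in self.zone:
            return self.zone[host]
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN


def resolve(servers, host, rng=None):
    """Model the client: ask configured servers in random order; a 'host not
    found' reply ends the lookup (other servers are NOT asked); a server that
    does not answer is skipped in favour of the next one."""
    rng = rng or random.Random()
    for server in rng.sample(servers, len(servers)):
        answer = server.query(host)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT


def success_rate(servers, host, trials=1000, seed=7):
    """Fraction of lookups that return an address over many random server choices."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if resolve(servers, host, rng) not in (NXDOMAIN, TIMEOUT))
    return hits / trials


# The two configurations the section contrasts.
external_dns = DnsServer("isp-resolver", PUBLIC_ZONE)
nito_proxy = DnsServer("nito-dns-proxy", {}, forwarder=external_dns)
internal_no_forwarder = DnsServer("internal-dns", INTERNAL_ZONE)
internal_forwarding = DnsServer("internal-dns", INTERNAL_ZONE, forwarder=nito_proxy)

PITFALL_CONFIG = [internal_no_forwarder, external_dns]  # internal primary, external secondary
CORRECT_CONFIG = [internal_forwarding]                   # internal only, forwarding via NITO

if __name__ == "__main__":
    for name in ("dc01.corp.example", "www.example.org"):
        print(f"{name:24} pitfall {success_rate(PITFALL_CONFIG, name):.2f}"
              f"  correct {success_rate(CORRECT_CONFIG, name):.2f}")
```

In the pitfall configuration every lookup is a coin toss: whichever server is asked first answers authoritatively, and a "host not found" from the wrong one is final. With the internal server forwarding to NITO's proxy, both internal and public names resolve every time, and a server that is down is simply skipped.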

Working with Large Directories

The Additional Group search roots option enables you to specify several OUs in which to search for groups.

When dealing with large directories, a search through the entire directory can take a long time and make the NITO Include groups page unwieldy to manage.

Normally, a specified group search root can help in narrowing the scope of where to search for groups, but if groups are distributed in multiple OUs, one group search root may not be enough.

Consider, for example, a directory with 5000 users and 2500 groups.

Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of.

The administrator of the Active Directory domain has 2 OUs, where the groups to be mapped are located.

In the groups search root, the administrator enters the path for the primary OU and in the additional groups search, the second OU is entered:

User search root: dc=domain,dc=local

Group search root: ou=guardiangroups,dc=domain,dc=local

Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local

The above example is for a multi domain Active Directory installation, where the second OU is in the subdomain sub1. Remember that multiple groups can be mapped to the same NITO permissions group.

Active Directory

The following sections describe the usernames and group membership which must be configured correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types

A user account on a Windows 2000+ server will have 2 types of usernames:

• A Windows 2000+ username, which takes the form of [email protected]

• An old style Windows NT 4 username, which has no domain attached to it.

When a Windows 2000+ domain has been migrated from a legacy Windows NT4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.

In order for NITO authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.

Accounts and NTLM Identification

When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.

About Kerberos

The following sections document Kerberos pre-requisites and list some points to try if troubleshooting.

Kerberos Pre-requisites and Limitations

The following are pre-requisites and known limitations when using Kerberos as an authentication method:

• Forward and reverse DNS must be working

• All clocks must be in sync. More than 5 minutes clock drift will cause authentication to fail

• Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting

Check the following when troubleshooting a service that uses Kerberos:

• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on page 284 for more information

• Try another browser for fault-finding

• In Safari, try the fully qualified domain name (FQDN) if the short form does not work

• Did the user log on before the keytab was created? Try logging off then on again.

• Did the user log on before NITO joined the domain? Try logging off then on again.

• Double check you are logged on with a domain account

• When exporting your own keytabs:

  • Make sure the keytab contains keys with the same type of cryptography as that used by the client

  • The “HTTP” in the service principal name (SPN) must be in uppercase

  • The keytab should contain SPNs containing the short and fully qualified forms of each hostname.
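The prerequisites and the three keytab points above can be turned into a small pre-flight check. The following is an added example, not NITO's own tooling: it checks clock skew against the 5-minute limit, checks that forward and reverse DNS agree, and parses a constructed keytab listing (the format is an assumption modelled on `klist -k -e` style output) to confirm that the HTTP service is uppercase, that both the short and fully qualified hostnames are present, and that the key type the client uses is in the keytab. Hostnames, realm and times are constructed.

```python
import re

# Added checks for the prerequisites listed above; not NITO's code. The keytab
# listing, hostnames and times are constructed; the listing format is an
# assumption modelled on `klist -k -e` style output.
MAX_CLOCK_SKEW = 5 * 60  # seconds; the drift above which authentication fails

SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 http/proxy@CORP.EXAMPLE (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.corp.example@CORP.EXAMPLE (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.corp.example@CORP.EXAMPLE (arcfour-hmac)
"""

# kvno, principal, realm, enctype in parentheses
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")


def clock_within_skew(client_time, kdc_time):
    """Kerberos tolerates at most 5 minutes of drift; times are seconds since epoch."""
    return abs(client_time - kdc_time) <= MAX_CLOCK_SKEW


def dns_consistent(hostname, ip, forward, reverse):
    """Forward and reverse DNS must agree: hostname -> ip and ip -> hostname.
    `forward` and `reverse` are dicts standing in for the real lookups."""
    return forward.get(hostname) == ip and reverse.get(ip) == hostname


def parse_keytab_listing(text):
    """Return (service, host, realm, enctype) tuples from a klist-style listing."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # banner, header and separator lines
        principal, realm, enctype = m.group(2), m.group(3), m.group(4)
        service, _, host = principal.partition("/")
        entries.append((service, host, realm, enctype))
    return entries


def check_keytab(entries, short_host, fqdn, client_enctype):
    """Apply the three keytab points from the troubleshooting list."""
    http_entries = [e for e in entries if e[0].upper() == "HTTP"]
    hosts = {e[1].lower() for e in http_entries}
    return {
        "http_uppercase": bool(http_entries) and all(e[0] == "HTTP" for e in http_entries),
        "short_name_present": short_host.lower() in hosts,
        "fqdn_present": fqdn.lower() in hosts,
        "client_enctype_present": any(e[3] == client_enctype for e in http_entries),
    }


if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE_KLIST)
    for name, ok in check_keytab(entries, "proxy", "proxy.corp.example",
                                 "aes256-cts-hmac-sha1-96").items():
        print(f"{name:24} {'ok' if ok else 'FAIL'}")
```

In the constructed listing the short-name entry was exported as "http/proxy", so the uppercase check fails while the other three pass: exactly the kind of single-entry mistake that produces an otherwise puzzling authentication failure.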

Appendix B – Understanding Templates and Reports

In this chapter:

• How to use custom reporting

Programmable Drill-Down Looping Engine

The NITO reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from NITO and producing a report by filling in the template’s sections.

A template is as described above nothing more than a structured series of sections. A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape, color and provides some information however its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes.

A template in that metaphor is analogous to the instruction sheet for the building blocks, it shows how to assemble the blocks together to produce the report which is analogous to the finished model. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates.

To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent in the way that jigsaw pieces can be connected if their input and output facets match.

Example Report Template

Example Report

Report Templates, Creation and Editing

Creating report templates is done via the NITO custom page, which gives rise to the ability to add, remove and manipulate the sections which it contains. The description of how to do this is covered elsewhere however there are a few details which allow for some level of flexibility.

Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section, the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity however the full version of the description will appear under the report template’s advanced options.

Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page.

While editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template, for this purpose the edit a copy of this report option should be used. This will take a copy of all the report’s options and sections while leaving the original report template unchanged.

When editing a report template, or a copy of a report template the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used.

Note again that the Edit report option on the Report display page (seen while viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page.

Viewing Reports, Exporting and Drill Down Reporting

The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template; the terms report and report template are used in this appendix where the distinction between the two is deemed important.

For the bulk of users, the distinction between what is a report and what is a report template is unimportant, each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious end.

The difference between the two is perhaps moot for the most part, however the key difference is that a report is a combination of several things, the report template used to create it and the data which was extracted and interpreted along with its interpretation.

In the building block metaphor a report template is the instructions alone, NITO is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with.

This leaves the question of when the model actually gets built. The answer is reasonably simple: the construction of a rendered report requires the following steps to be undertaken, again using the building-block metaphor.

1. Retrieve assembly instructions.

2. Collect necessary parts from warehouse.

3. Place all the required pieces into a box along with its instructions.

4. Assemble the model and present to the awaiting small child.

A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model; executing it, i.e. generating a report, carries out steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. it renders the report out into HTML, PDF, Excel, CSV or other formats.

These stages are always transparent to the user, but do deserve some explanation. The Reports page lists the report templates or instruction sheets. The Recent and saved page shows the list of boxed models ready for assembly, clicking on a report template link or a report itself from either the reports or recent and saved pages will complete the missing steps and show the requesting user the final model.

Changing Report Formats

The reporting system provides multiple output formats, while HTML output is the most commonly used there are additional formats which might allow for further analysis or interpretation of data.

The formats available are:

• Adobe PDF Format

• Adobe PDF Format (suitable for black and white printers)

• Microsoft Excel format

• Comma Separated Value (csv format)

• Tab Separated Value (tsv format)

Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented. Thus any saved reports can be exported exactly as is without the need to regenerate them, making the export process relatively quick in comparison to the generation process.

Changing Report Date Ranges

From the reports page, and while viewing a rendered report it is possible to change the date range over which the report data is accrued. Note this would require the regeneration of the report data afterwards.


Programmable Drill-Down Looping Engine

From the report page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page.

From viewing a report the date controls appear at the top right of the page next to the table of contents view, the preview button here will regenerate a new report according to those date ranges.

Note again, that both these actions will generate a new report, which may be saved accordingly.

Navigating HTML Reports

The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed.

The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents.

At the bottom right hand of each section is a link to the top of the page (labeled top) this can (obviously) be used to skip back to the top of the page where both the table of contents and rendering format options are presented.

Interpreted Results

Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, an IP address can be annotated with whois information, which allows a greater understanding of the address and why it might have appeared; a URL, too, can carry more information than is immediately apparent from viewing it.

To activate NITO's advanced interpreter, simply hover the mouse over the desired result; this produces a tool-tip containing more information about the result.


For example, consider a user who has used the advanced interpreter on the result for a YouTube video. The URL in question has been truncated in the results to show only the immediately relevant information (the protocol, domain and path). Hovering the mouse over that line produces a tool-tip which not only shows the full URL and any associated parameters, but has also retrieved the video title, description and thumbnail from the YouTube server.

The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports

Reports can be saved for viewing later if desired. Saving a report stops it being subject to the 48-hour rolling deletion which tidies the reports list each day.

It is also important to note that a saved report is format-less, and as such can be rendered to HTML, PDF, CSV etc. as desired.

Saved reports are listed on the Recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.

Changing the Report

Once a report has been generated the report template used to create it is stored alongside the report data itself, and can therefore be used to produce a new report with refined options, alternative date ranges or saved to appear on the reports page.

This is achieved in numerous ways depending upon location. When viewing the recent and saved page, underneath the report’s icon is a link to Edit report. This option will present the Custom page with the report template used to generate this report already loaded. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself.

While viewing a report there is an edit report button presented underneath the table of contents which leads to the Custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.


Investigating Further (Drill down)

Each report section when it is generated can present a series of related or drill down reports; these are predetermined report templates which will allow further investigation relevant to the item in the section in question.

To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames, suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on. This is in a way analogous to the feed-forward reporting which will be discussed later, however this is a manual process which allows for a particular result to be investigated further.

Drill down reports will be stored notionally underneath the report in the recent and saved section.

Related reports are presented in a variety of ways depending upon the number of options available and the section being used. When a particular result has only one related report available, clicking on the result itself leads to the related report for that result. When a result has more than one related report associated with it, clicking on the result produces a menu of the available related reports, and clicking on the relevant option generates that related report.

Note the list of related reports is determined by the report section and cannot be altered.

Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the Custom page on your NITO's interface.

Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for the NITO's reporting engine to interpret and use to extract and manipulate data from the NITO's logs.

A list of available sections is included on the Custom page under the heading Available sections, existing template reports are also included in this list so that, once created they can be included into new report templates without having to redefine them.

The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly, the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above.

It should be noted that when a template report is included within another template report its options, and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it.

On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list.

To add or remove sections, highlight them by clicking on them in the appropriate list and use the add or remove controls accordingly. Note that multiple sections can be added at once, and that a section can appear more than once in a template report.

Ordering Sections

Save for the caveats detailed under grouping sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section, simply select it from the Included sections list and press either move up or move down, depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.


Grouped Sections

Many of the underlying concepts in NITO’s reporting system are based around the notion of grouped sections. A section group is a logical construct which allows for logically connected sections to be collated together.

Grouping two sections together will produce a number of consequences and will allow for advanced options such as iteration and feed-forwarding to be used.

Grouping is done primarily to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of sections which show aspects of the web browsing activity of a particular user: a Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day at which that user tends to browse the internet.

Both of these sections have a username field, these sections could be grouped together and share the username option, allowing for it to be entered only once when the report is generated.

Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated and other sections in the group will iterate over the results from that section.

Groups can contain other groups, which may of course be standard groups, iterative or feed-forward groups. They may also contain single sections. By containing groups within groups complicated reporting structures can be developed which allows reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first item shown in a group is a text entry field allowing the group name to be changed. This name gives the group a title which helps with understanding the template structure, and has no influence on the report creation.

The second option is a drop-down list of repeat options; this is used for controlling iterative and feed-forward reporting and is discussed in the appropriate sections.

When options are grouped together they will be presented as an option in the group under a section called grouped options. They may also have a small visual indicator shown next to them in both the grouped options section as well as the regular options panel for each section. This indicator shows which options are grouped together and allows for them to be quickly collated together, for example if two options are given slightly different names, but require the same value.

The sections contained within the group are listed below the grouped options, each in its own collapsible panel.

Grouped options will be included for each section here alongside regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts.

Each option may be overridden by means of ticking the corresponding checkbox. An option with an override will use the value given to that option rather than the option it receives from its grouped parent, thus a group containing two sections both of which possess a limit field (the number of items to show) can have different limits applied to them.

Next to the override option is a small description denoting why the option is inherently disabled and where its value comes from. This may be grouped, feed-forward or repeating, meaning that the value is assigned by the parent group, by the results of a feed-forward section, or from one of the values in the list provided to an iterating group.

Options which are not grouped, fed-forward or iterated over are displayed using a format appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value.

Any overridden options are also displayed and entered in this manner and, when provided, replace the inherited values as would be expected.

Feed-Forward Reporting

Due to the jigsaw or building block like nature of reporting sections a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this the reporting template system in NITO allows for a section’s results to be used as the source of options for subsequent sections.

To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The Network Interfaces section shows a list of all network interfaces configured on NITO, or only those configured for internal or external networking. It provides limited details for each interface, such as its IP address, but does not show monthly usage statistics.

The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details.

These sections can be chained together using a mechanism known as feed-forward where the results from one section are used to define the behavior of another. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section.

By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for NITO, and then display the advanced usage and bandwidth statistics from it.

Iterative Reporting

Some report sections only deal with a limited set of data, a single group, username or IP address for example. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time.

For example, it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case the desired local network interfaces can be selected and the section repeated once for each of them. Note that there is potential overlap here: if the desired result is a list of all the local interfaces, then feed-forwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, and would also include the Network Interfaces report itself.

Note that while it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.

Group Ordering

Sections within a group can be re-ordered, this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule however.

Groups utilizing feed-forward will require one of their sections to be promoted (denoted as the feeder) to a state where it will provide the answers for which the other sections within that group are to be repeated.

Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group’s display.

Grouping Sections

To group a number of sections together they should be selected from the included sections list and then grouped using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items including other groups.

Similarly, the ungroup command is used either to disband a group or to remove a single item from an existing group. Ungrouping a group disbands that group, moving all its contained sections to the same level of the included sections tree that the group previously occupied; the group folder is then removed.

Ungrouping a single section moves that section up the tree to the same depth as is occupied by the group it has just been removed from.

Note that ungrouping sections removes any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. It should be noted that when feed-forward is desired the section producing results should be included in the group when it is first created, this will form the basis of the feed-forward.

To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down which can be found immediately above the grouped options section for that group.

Options which may be used in this way are included under a heading (in the drop down menu) of based upon grouped option and the list will contain most of the options that the grouped options section contains.

When iterating over a grouped option, that option is no longer available in the group.

Creating a feed-forward enabled group is done in a similar manner; however this time under the Repeat drop down a list of sections is included under the title using results from a section. The results returned by each section are visible under the results tab on the section in question, as well as the bottom right hand side of the section’s description in the available sections list.

By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section. This is due to the nature of feed-forwarding reports, that they must produce the list of results to iterate over prior to iterating over them.

Feed-forward results pass from one variable into another; the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. For example, the Network ARP Table section produces a list of the interfaces on which each connection was seen. The result is labelled Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section.

Some care should be taken when choosing sections to flow into each other, however generally results such as username should be taken to be suitable for feeding a username field.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential work load that this would require on NITO.

For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible.

However, this would result in the following execution tree:

Group Activity Section
    20 x User Activity Section
        50 x URL Activity Section
            100 URLs

Hence 20 x 50 x 100 URLs: potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times. Assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.
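To make the option flow and the fan-out concrete, here is a small Python model of grouped, iterative and feed-forward sections as described in the Feed-Forward Reporting and Iterative Reporting sections above. It is an added example, not NITO's own code: the Section, Group and Engine names, the option and result names, and the synthetic top_groups, top_users and top_urls data generators are assumptions made for the illustration, where a real section would query NITO's logs. Running the 20 x 50 x 100 template through it reproduces the execution counts given above, and the iterative example repeats one section over a user-supplied list of interfaces.

```python
# Added example (not NITO code): a toy model of grouped, iterative and
# feed-forward report sections, to show how options flow between sections
# and how nested feed-forward groups fan out.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional, Union

Fetch = Callable[[dict], list]      # options -> list of result rows (dicts)


@dataclass
class Section:
    name: str
    fetch: Fetch                    # stands in for the log query a real section runs
    options: dict = field(default_factory=dict)   # per-section values; these override inherited ones


@dataclass
class Group:
    name: str
    members: list                   # Sections and nested Groups, in report order
    feeder: Optional[Section] = None  # feed-forward: this section runs first...
    feed_result: str = ""           # ...and this column of its results...
    feed_option: str = ""           # ...is passed into this option of every member
    repeat_option: str = ""         # iterative: the option varied on each pass
    repeat_values: list = field(default_factory=list)


Node = Union[Section, Group]


class Engine:
    """Executes a template tree and records every section run, in report order."""

    def __init__(self) -> None:
        self.output: list = []      # one entry per executed section

    def run(self, node: Node, inherited: Optional[dict] = None) -> None:
        inherited = inherited or {}
        if isinstance(node, Section):
            self._run_section(node, inherited)
            return
        if node.feeder is not None:
            # The feeder leaves the normal flow and runs before its siblings,
            # because its results are the list the members are repeated over.
            rows = self._run_section(node.feeder, inherited)
            passes = [{**inherited, node.feed_option: row[node.feed_result]} for row in rows]
        elif node.repeat_option:
            passes = [{**inherited, node.repeat_option: v} for v in node.repeat_values]
        else:
            passes = [inherited]    # plain group: members share the grouped options once
        for opts in passes:
            for member in node.members:
                self.run(member, opts)

    def _run_section(self, section: Section, inherited: dict) -> list:
        opts = {**inherited, **section.options}   # an overridden option beats the grouped value
        rows = section.fetch(opts)
        self.output.append({"section": section.name, "options": opts, "rows": rows})
        return rows

    def runs_of(self, name: str) -> int:
        return sum(1 for e in self.output if e["section"] == name)

    def rows_of(self, name: str) -> int:
        return sum(len(e["rows"]) for e in self.output if e["section"] == name)


# Constructed stand-ins for the Guardian sections named in the text: each
# returns `limit` synthetic rows instead of querying logs.
def top_groups(opts: dict) -> list:
    return [{"group": f"group{i}"} for i in range(opts["limit"])]


def top_users(opts: dict) -> list:
    return [{"user": f"{opts['group']}-user{i}"} for i in range(opts["limit"])]


def top_urls(opts: dict) -> list:
    return [{"url": f"http://example.invalid/{opts['user']}/{i}"} for i in range(opts["limit"])]


def fanout_template() -> Group:
    """Top 20 groups -> top 50 users per group -> top 100 banned URLs per user."""
    per_user = Group("per user", [Section("URL Activity", top_urls, {"limit": 100})],
                     feeder=Section("User Activity", top_users, {"limit": 50}),
                     feed_result="user", feed_option="user")
    return Group("per group", [per_user],
                 feeder=Section("Group Activity", top_groups, {"limit": 20}),
                 feed_result="group", feed_option="group")


def fanout_stats() -> dict:
    eng = Engine()
    eng.run(fanout_template())
    return {"user_runs": eng.runs_of("User Activity"),
            "url_runs": eng.runs_of("URL Activity"),
            "url_rows": eng.rows_of("URL Activity")}


def interface_names_reported(chosen: list) -> list:
    """Iterative group: repeat one section once per user-supplied interface name."""
    def iface_stats(opts: dict) -> list:   # constructed stand-in for usage statistics
        return [{"interface": opts["interface"], "bytes": 0}]
    eng = Engine()
    eng.run(Group("chosen interfaces", [Section("Individual Network Interface", iface_stats)],
                  repeat_option="interface", repeat_values=chosen))
    return [e["options"]["interface"] for e in eng.output]


if __name__ == "__main__":
    print(fanout_stats())            # {'user_runs': 20, 'url_runs': 1000, 'url_rows': 100000}
    print(interface_names_reported(["eth1", "eth2"]))
```

The model treats a feed-forward group as iteration over the feeder's results, which is exactly the relationship the guide draws between the two features; counting the entries in Engine.output before scheduling a deeply nested template is a cheap way to catch a report that would fan out into thousands of section executions.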


Exporting Options

Each report section provides a list of options which define its behavior. Some of these may be left to be filled in at a later stage, which makes the report template truly flexible. For example, a domain activity section can take a username value to show the domains requested by a particular user which were subsequently banned.

Creating a template for this information for each user within an organization is time consuming and unwieldy to say the least. It is for this purpose that section options may be exported. In this particular example a domain activity section could be included in a report template, and have its Denied status checkbox enabled.

Swapping to the export tab shows a list of all the available options for this report. Choosing to export the username field prior to creating the report template means that the username field is presented for this template report on the reports tab of the NITO main interface (Logs and reports > Reports > Reports).

Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page); it would also have the added effect of allowing a user to turn this option off when using the template. Similarly, typing a username into the section's username option (on the options tab) gives the template report a default username, which can be changed by the person using the report template.

Reporting Folders

Report templates can be arranged into a common hierarchy to allow for like purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard NITO installation.

Firewall and networking
System
Trends
Users
    IP address analysis
        IP address analysis per web content category
            Blogs
            Image and video sharing
            News
            Reference and educational
            Shopping and online auctions
            Social bookmarking
            Social networking
            Sport
            Web portals and search engines
    Top IP addresses
    Top users
    User analysis
        User analysis per web content category
            Per category
                Blogs
                Image and video sharing
                News
                Reference and educational
                Shopping and online auctions
                Social bookmarking
                Social networking
                Sport
                Web portals and search engines
Web content
    Blogs
        Blogger
        Blogs
        WordPress
    Category analysis
    Image and video sharing
        Dailymotion
        Flickr
        Fotolog
        ImageShack
        ImageVenue
        YouTube
    News
        BBC News
        CNet
        CNN
        News
        Slashdot
    Reference and educational
        IMDB
        Wikipedia
    Shopping and online auctions
        Amazon
        Craiglists
        Ebay
        Shopping and online auctions
    Site analysis
        Top categories
        Top domains
        Top URLs
        Top web searches
    Social bookmarking
        Delicious
        Digg
        Reddit
        Stumbleupon
    Social networking
        Bebo
        Facebook
        Friendster
        Hi5
        Linkedin
        Myspace
        Orkut
        Social networking
        Twitter
    Sport
        BBC Sport
        ESPN
        Sport
    Web portals and search engines
        AOL
        Google
        Search engines
        Windows Live and MSN
        Yahoo

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders, report templates can be placed in any folder as desired.

Folders can be created or deleted from the reports page, which is the main location to use to find report templates and report folders. It also provides the ability to rename folders and edit and remove report templates.

Folder navigation is achieved by clicking on the folder name. A location bar is also present along the top of the Reports page, which allows users to navigate the folder structure. Clicking on a folder higher up in the hierarchy lists the alternative folders on the same level of the tree, which provides a faster means of navigating the available folders.

Creating a Folder

To create a folder simply navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar, this will create a new folder called new folder with the ability to rename it.

Entering the name that is desired into the text box that is present and clicking rename will change the name of the report folder.

A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.


Renaming Folders

Deleting Folders

Folders can be deleted from the Reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder.

Note, this limitation is in place because folder and report template deletion cannot be undone therefore such potentially dangerous actions are deliberately long winded.

Scheduling Reports

It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Reports generated in this way may be saved for use later via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext email.

Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled.

Options exported to the Reports page may also be set on a report-by-report basis, so it is possible to schedule, from the same web activity report template, the web activity of the sales group for one user (the sales manager, for example) and the web activity of the support group for another user (the support manager).

Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals available are:

• Daily – each day at the allocated time
• Weekday – each working day (Monday to Friday) at the allocated time
• Weekly – every week at the allocated time, on the same day of the week as the first report
• Monthly – every month at the allocated time, on the same day of the month as the first report

Repetition can also be disabled if it is not desirable to receive a report at regular intervals.


Reporting Sections

Generators and Linkers

Reporting sections can be divided into principally two types, generators and linkers.

While all report sections generate results, and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context.

For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section will take a Guardian username (be it derived from Active Directory or other such authentication mechanism) and show the IP addresses that are associated with this user in the Guardian web proxy access logs. It will also show the timestamps that these hits occurred at.

By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it.

On its own this information is of limited interest. However, the results, Client IP address and Time-Period, are both filters which can be applied to other reports, including reports which might not be able to associate activity with a particular username.

General Sections

The bulk of NITO's reporting sections are reasonably easy to describe and are detailed quite well by their own descriptions. There are, however, several large reports which defy such description and require a more in-depth discussion; these are covered later.


Standard sections will show up in the available sections list in a manner similar to the following.

This shows the section’s description, title and any results that are returned for use in the system’s feedforward ability.

Network Interfaces

A list of the configured internal and external network interfaces on the system. Includes details about the hardware, configuration and recent network activity for each interface.

This report section lists the interfaces available on NITO, including internal NIC interfaces, external NIC interfaces, modems, VLANs and VPN interfaces.

The options available to this section allow you to discriminate between internal, external and VPN interfaces, as well as to show or hide any disconnected interfaces.

This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL

URL processing in the NITO reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters. These are used to speed up data processing and achieve the desired results efficiently, with minimal need to understand how an individual web site is constructed. However, some explanation is required, as several of the more advanced features of the Guardian reports require some manipulation of the URL.

A NITO reporting URL is extracted into three distinct components: the protocol, the domain and the parameters.

A URL entered into the NITO reporting system is automatically highlighted in color to denote where each part of the URL is being extracted from.


URLs entered in this fashion can be complete (as in the above example) or partial, consisting of a protocol alone, a protocol and domain, a domain and parameters, or the parameters alone.

To use a partial URL, the text entered must follow a format which identifies which parts are present. Separation is effectively done from the right-hand side backwards:

• A URL starting with / is treated as the parameters alone.
• A URL starting with a character other than / and not ending with :// is treated as beginning with the domain.
• A fragment starting with characters and ending with the string :// is interpreted as a protocol.

Deciphering a URL can, however, be a non-trivial task, especially as some web sites, companies and organizations use a variety of load balancing techniques, curious URLs, sub-domains and other techniques which can only have been considered a good idea at the time.

For example, StumbleUpon, a social bookmarking site, exists not only at the domain www.stumbleupon.com but also at stumbleupon.com, a common enough situation with regard to the absence of www. However, it also receives some of its content from cdn.stumble-upon.com and stumbleupon.stumble-upon.com.

For this reason it is possible to switch the URL recognition options in the NITO reporting system into dealing with URLs as regular expression matches rather than strict matching.

These options can be turned on individually for the protocol, domain and parameter parts of a URL and for speed / processing reasons it is advised that they be turned on for the minimum of the parts which are possible.
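The splitting rules above, written out as a Python function, together with a matcher that treats chosen parts of a rule as regular expressions in the way the recognition options just described allow. This is an added example, not NITO's own URL code: the UrlParts name, the treatment of a part left empty in a rule as matching anything, and the StumbleUpon pattern covering the hosts listed above are assumptions made for the illustration.

```python
# Added example (not NITO code): split a full or partial URL into protocol,
# domain and parameters following the rules in the text, then match logged
# URLs against a rule strictly or with regular expressions per part.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlParts:
    protocol: str = ""      # "" means the part was not given
    domain: str = ""
    parameters: str = ""


def split_url(text: str) -> UrlParts:
    text = text.strip()
    if text.startswith("/"):                      # "/watch?v=abc" -> parameters only
        return UrlParts(parameters=text)
    if text.endswith("://"):                      # "https://" -> protocol only
        return UrlParts(protocol=text[:-3].lower())
    protocol, sep, rest = text.partition("://")   # "http://host/path" or "host/path"
    if not sep:
        protocol, rest = "", text
    domain, slash, params = rest.partition("/")   # everything from the first "/" on is parameters
    return UrlParts(protocol.lower(), domain.lower(), slash + params)


def _part_ok(pattern: str, value: str, use_regex: bool) -> bool:
    if pattern == "":                             # assumption: an unspecified part matches anything
        return True
    if use_regex:
        return re.fullmatch(pattern, value, re.IGNORECASE) is not None
    return pattern == value                       # strict matching


def url_matches(rule: UrlParts, logged_url: str, regex_parts: frozenset = frozenset()) -> bool:
    """regex_parts names which of 'protocol', 'domain', 'parameters' the rule
    treats as a regular expression; the remaining parts are matched strictly."""
    parts = split_url(logged_url)
    return all(_part_ok(getattr(rule, p), getattr(parts, p), p in regex_parts)
               for p in ("protocol", "domain", "parameters"))


# Assumed pattern (not from the guide) covering the StumbleUpon hosts named in the text.
# Only the domain part is a regex, keeping protocol and parameters on strict matching.
STUMBLEUPON = UrlParts(domain=r"(www\.)?stumbleupon\.com|[a-z0-9-]+\.stumble-upon\.com")


def stumbleupon_hits(urls: list) -> list:
    return [u for u in urls if url_matches(STUMBLEUPON, u, frozenset({"domain"}))]


if __name__ == "__main__":
    print(split_url("http://www.youtube.com/watch?v=abc"))
    print(stumbleupon_hits(["http://cdn.stumble-upon.com/a.js",
                            "http://stumbleupon.com/", "http://example.com/"]))
```

A strict rule with domain stumbleupon.com does not match www.stumbleupon.com, which is exactly why the regex option exists; enabling it only for the domain part, as the block does, keeps the cost of the match low for the protocol and parameters.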

HTTP Request Methods and HTTPS Interception

The nature of HTTPS interception means that, in essence, an intercepted HTTPS site should be treated no differently from a non-HTTPS site in terms of its logging; indeed, other than the protocol, there is nothing to distinguish HTTP and HTTPS requests.

Guardian, however, also logs connections made to HTTPS servers where the content of that communication has not been intercepted. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol in the URL) to catch HTTPS content which has been intercepted and that which has not.

HTTPS connections start with an HTTP CONNECT request. If the connection is not being intercepted, this is the only part of the communication which is logged. If the connection is being subjected to HTTPS interception, then the requests within the connection are additionally logged.


Hence, searching for request methods other than CONNECT will return results which may have been subjected to HTTPS interception. Additionally, setting the URL to include the string https:// returns only those results which have been HTTPS intercepted, as it restricts the results to those using the HTTPS protocol and a request method other than CONNECT.
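The following Python is an added illustration of the two points above (the :// protocol rule with strict versus regular-expression matching per URL part, and telling intercepted HTTPS apart from tunnelled HTTPS by request method). It is not NITO's own code and does not use its log format: the records are invented, and it assumes, as the text implies, that the CONNECT entry is logged with an https:// URL.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Constructed sample of Guardian-style access records (method, URL).
# Invented for this example; not real NITO log output.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("GET",     "http://www.stumbleupon.com/"),
    ("GET",     "http://cdn.stumble-upon.com/img/logo.png"),
    ("CONNECT", "https://bank.example.com:443"),
    ("CONNECT", "https://webmail.example.org:443"),
    ("GET",     "https://webmail.example.org/inbox"),
    ("POST",    "https://webmail.example.org/login"),
]


class UrlParts(NamedTuple):
    protocol: str
    domain: str
    parameters: str


# Protocol: the characters before "://". Domain: up to the first "/", "?" or "#",
# with any explicit :port removed. Parameters: everything after the domain.
_URL_RE = re.compile(
    r"^(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://(?P<domain>[^/?#]+)(?P<parameters>.*)$")


def split_url(url: str) -> UrlParts:
    m = _URL_RE.match(url.strip())
    if m is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    domain = re.sub(r":\d+$", "", m["domain"].lower())
    return UrlParts(m["protocol"].lower(), domain, m["parameters"])


def url_matches(url: str, protocol: Optional[str] = None, domain: Optional[str] = None,
                parameters: Optional[str] = None, regex_parts: Sequence[str] = ()) -> bool:
    """Compare each given part strictly, unless that part is named in regex_parts,
    in which case the value is a regular expression searched within the part."""
    parts = split_url(url)
    for name, wanted in (("protocol", protocol), ("domain", domain),
                         ("parameters", parameters)):
        if wanted is None:
            continue
        actual = getattr(parts, name)
        if name in regex_parts:
            if re.search(wanted, actual) is None:
                return False
        elif actual != wanted:
            return False
    return True


def classify(method: str, url: str) -> str:
    """'http', 'https-tunnelled' (only the CONNECT was logged, content not inspected)
    or 'https-intercepted' (a request inside the tunnel was logged)."""
    if split_url(url).protocol != "https":
        return "http"
    return "https-tunnelled" if method.upper() == "CONNECT" else "https-intercepted"


def intercepted_urls(records: Sequence[Tuple[str, str]]) -> List[str]:
    """The report the text describes: URL contains https:// and method is not CONNECT."""
    return [url for method, url in records if classify(method, url) == "https-intercepted"]


def uninspected_hosts(records: Sequence[Tuple[str, str]]) -> List[str]:
    """HTTPS hosts for which only a CONNECT was ever seen: their traffic was not intercepted."""
    tunnelled = {split_url(u).domain for m, u in records if classify(m, u) == "https-tunnelled"}
    inspected = {split_url(u).domain for u in intercepted_urls(records)}
    return sorted(tunnelled - inspected)
```

Enabling regular expressions only on the domain part, as in the stumble-?upon\.com$ match, is the cheapest way to pull both StumbleUpon domains into one result while the protocol and parameters stay on strict matching. The uninspected_hosts list is the practical check that an HTTPS-interception policy is actually being applied to the sites you expect.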

Guardian Status Filtering

Each URL which passes through Guardian is subjected to filtering; the resulting action of that filtering is logged and can be used to filter the results within the Guardian reports.

A URL may carry one or more of the following status values: Almost blocked, Denied (or blocked), Exception, Infected or Modified. Their meanings are covered below.

Almost blocked – This denotes any result whose phrase analysis score was between 90 and 100 (100 being the default score above which a result is blocked). It shows content which contained a number of phrases that elevated its score, but not quite enough to cause the site to be blocked.

Denied – This denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason why the page was banned can be determined by adding the include status option on those reports which support it. Note, however, that this can change the ordering of the results.

Exception – The site in question was not filtered for one of several reasons, it may be that it is whitelisted, soft-blocked, temporarily bypassed, the client IP/Group is not subject to filtering etc.

Modified – This denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript) or to enforce AUP concepts such as safe search.

Search Terms and Search Phrases

There are three facets to search term reporting on a Guardian system: discovering search terms, filtering by search term and selecting banned search terms.

Discovering and displaying search terms is achieved with the search engine search strings and terms report section.

This section has a few peculiarities in its options, which are covered below; however, it is essentially designed to show the top search terms or phrases that have been encountered within the Guardian filtered URLs.

Search terms are denoted as being either an individual word, or the entire phrase which was searched for.

For example:


Searching for ‘babylon 5’ earth destroyer would be considered to be three search words, ‘babylon 5’, ‘earth’ and ‘destroyer’, and one search phrase. Note that the search term reporting treats any quoted string as a single search word.

Search words and phrases are treated as case insensitive, as the vast majority of searches are made regardless of capitalization; however, search filtering can be made case sensitive by using the case sensitive search option under the advanced options for this report.

Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options.

Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar, or stop words.

Words such as ‘and’, ‘of’ and ‘the’ are usually ignored by most search engines; this can be taken into account by selecting the option individual (uncommon) search terms in the search term matching dropdown box.

The list of common search terms is taken to be the list of words omitted by the Google search engine, which is as follows: ‘i’, ‘a’, ‘about’, ‘an’, ‘are’, ‘as’, ‘at’, ‘be’, ‘by’, ‘com’, ‘de’, ‘en’, ‘for’, ‘from’, ‘how’, ‘in’, ‘is’, ‘it’, ‘la’, ‘of’, ‘on’, ‘or’, ‘that’, ‘the’, ‘this’, ‘to’, ‘was’, ‘what’, ‘when’, ‘where’, ‘who’, ‘will’, ‘with’, ‘und’ and ‘www’.

Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be obtained by selecting the Guardian status denied option under the Guardian status options.

Filtering by Search Terms

As explained earlier individual Guardian reports can be filtered by the search terminology they contain.

For example it is possible to show the top ten domains which contained a search request for the word badger.

This filtering is achieved by using the individual report sections Search term matching options presented under an individual section’s advanced options.

Note that all search term filters operate over the whole search phrase rather than individual words, and can optionally be switched to regular expression matching rather than the default mode of operation, which is strings containing this phrase.

To search for blocked search terms this filter can be used in combination with the Guardian status filters.
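As an added example covering both the search term report above (quoted strings as single words, case folding, the stop-word list the page gives) and the per-section search term filter (whole-phrase substring or regular expression matching, combined with Guardian status denied), the following Python implements that tokenisation and filtering over a constructed set of search records. It is not NITO's own code; the records and usernames are invented.

```python
import re
from collections import Counter
from typing import List, Optional, Sequence, Tuple

# Stop words, as the page lists them for Google.
STOP_WORDS = frozenset(
    "i a about an are as at be by com de en for from how in is it la of on or "
    "that the this to was what when where who will with und www".split())

# A quoted run (straight or curly quotes) is a single search word; anything else splits on whitespace.
_WORD_RE = re.compile(r'''["“‘']([^"”’']+)["”’']|(\S+)''')


def search_words(phrase: str, uncommon_only: bool = False, case_sensitive: bool = False) -> List[str]:
    words = [quoted or bare for quoted, bare in _WORD_RE.findall(phrase)]
    if not case_sensitive:
        words = [w.lower() for w in words]
    if uncommon_only:
        words = [w for w in words if w.lower() not in STOP_WORDS]
    return words


def top_terms(phrases: Sequence[str], mode: str = "phrase", n: int = 10) -> List[Tuple[str, int]]:
    """mode: 'phrase' (whole search string), 'word' (individual terms) or
    'uncommon' (individual terms with stop words dropped)."""
    counts: Counter = Counter()
    for p in phrases:
        if mode == "phrase":
            counts[p.lower()] += 1
        else:
            counts.update(search_words(p, uncommon_only=(mode == "uncommon")))
    return counts.most_common(n)


def phrase_matches(phrase: str, needle: str, regex: bool = False, case_sensitive: bool = False) -> bool:
    """The per-section search term filter: evaluated against the whole phrase,
    'contains this string' by default, regular expression on request."""
    if regex:
        return re.search(needle, phrase, 0 if case_sensitive else re.IGNORECASE) is not None
    return needle in phrase if case_sensitive else needle.lower() in phrase.lower()


# Constructed records (username, search phrase, Guardian status); invented for the example.
SAMPLE_SEARCHES = [
    ("alice", "‘babylon 5’ earth destroyer", "ok"),
    ("bob",   "the badger of the week", "ok"),
    ("carol", "Badger cull map", "denied"),
    ("dave",  "how to build a destroyer", "denied"),
    ("erin",  "the badger of the week", "ok"),
]


def blocked_phrases(records, needle: Optional[str] = None, regex: bool = False) -> List[str]:
    """Combine the search term filter with Guardian status 'denied'."""
    return [phrase for _, phrase, status in records
            if status == "denied" and (needle is None or phrase_matches(phrase, needle, regex))]
```

With mode set to uncommon the counts are dominated by the words a user actually chose rather than by ‘the’ and ‘of’, which is the effect the individual (uncommon) search terms option is there to produce.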


URL Extraction and Manipulation

The NITO reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting which allows for a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs.

This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those which are not are greyed out in the example screenshot and are omitted from further discussion, as they apply the expected limitations on the search results (changing the number of results, or a username, client IP address or group filter, etc.).

The most important option for this report section is the URL, which in this example is a regular expression URL referring to the BBC News web site. The protocol and domain fields of the URL in this example are reasonably straightforward: they do not contain any regular expression matches (anything in brackets) and so will not be used for anything further in this report section.

The parameters field, however, contains two regular expression matches, the parts between the opening and closing brackets ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term is used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL.

In this example there are two matches extracted from the URL. If a BBC News article URL is considered, http://news.bbc.co.uk/1/hi/technology/7878769.stm, the two matches would be technology and 7878769.

Of these two parameters, one is the section of the BBC News site this article is from and the other is the article number.

The Match to extract from domain and Match to extract from parameters options select which regular expression match ($1, $2, $3 etc.) to extract from the URL for the purposes of identifying unique content. In this example, parameter match 2 would be used to uniquely identify this URL, its value being 7878769, the article number. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches; in this case, the top news articles.

Rebuild and include example URL – As part of its drill down and feed-forward abilities the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match.


Note that some sites, YouTube for example, can host several different URLs for the same video ID. In these cases the reconstructed URL is a potential URL that might have been used, even if it is not the actual URL that was encountered. To elaborate, both of the following URLs are for the same video:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg

http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

They could be matched accordingly (giving two hits for this video); however, the system would then have to construct a probable URL for the content, which in this example would reference either the .com or the .co.uk address version.

Recognise common URLs – This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or the ability to extract a page title from a HTML page’s header.

In this example the option is enabled, so for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report. Note that this means the reporting system itself makes outbound requests to the sites concerned when the report is generated.

Domain match and Parameter match – these options allow for additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. The options of

Match to compare domain to and Match to compare parameters to allow for values to be substituted into the appropriate URL regular expression match to further filter the URL.

In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box would be substituted into $1 in the URL. Entering technology into the Parameter match field would therefore produce the top 50 news articles from the technology section of the BBC News web site.

Results title – This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be used as the section title for the feed-forwarded results.

For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the result’s feed-forward values by means of a wildcard.

In the above example %matchtitle% is used as the value, which presents the feed-forward result matchtitle as the title for any feed-forward sections. In this case %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively the values %domainmatch%, %parametermatch% or %url% could be used.

In this manner, the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no inbuilt understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but fall outside the scope of the standard templates.


In this example the URL extraction section is being used to display the top 50 video results from the YouTube site.

The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs.
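The following Python is an added example, not NITO's own code, of the mechanics described for both the BBC News and the YouTube cases above: a URL regular expression split into protocol, domain and parameters, extraction of the numbered matches, grouping by the Match to extract parameter, substitution of a Parameter match value into the compared group, one rebuilt example URL per result and the Results title wildcards. The sample URLs are constructed; the Recognise common URLs title fetch is deliberately not reproduced, since the example runs offline.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence


class UrlPattern:
    """A regular-expression URL split into protocol, domain and parameters.
    Bracketed groups in the domain are the domain matches $1, $2, ...; groups in
    the parameters are the parameter matches $1, $2, ..., numbered separately."""

    def __init__(self, protocol: str, domain: str, parameters: str):
        self._n_protocol = re.compile(protocol).groups
        self._n_domain = re.compile(domain).groups
        self._re = re.compile(f"^{protocol}://{domain}{parameters}$")

    def extract(self, url: str) -> Optional[Dict]:
        m = self._re.match(url)
        if m is None:
            return None
        groups = m.groups()
        first_domain = self._n_protocol
        first_param = first_domain + self._n_domain
        return {"url": url,
                "domain": groups[first_domain:first_param],
                "parameters": groups[first_param:]}


def render_title(template: str, extracted: Dict, match: str) -> str:
    """Results title wildcards. %matchtitle% (the page's <title>) is not
    available here because nothing is fetched."""
    values = {"%url%": extracted["url"], "%parametermatch%": match,
              "%domainmatch%": extracted["domain"][0] if extracted["domain"] else ""}
    for wildcard, value in values.items():
        template = template.replace(wildcard, value)
    return template


def top_matches(pattern: UrlPattern, urls: Sequence[str], extract_param: int = 1,
                compare_param: Optional[int] = None, parameter_match: Optional[str] = None,
                n: int = 50, title: str = "%url%") -> List[Dict]:
    """Count URLs by parameter match $extract_param, keeping only those whose
    $compare_param equals parameter_match when one is given. The first URL seen
    for each key stands in as the rebuilt example URL."""
    hits: Counter = Counter()
    example: Dict[str, str] = {}
    for url in urls:
        ex = pattern.extract(url)
        if ex is None:
            continue
        if parameter_match is not None and ex["parameters"][compare_param - 1] != parameter_match:
            continue
        key = ex["parameters"][extract_param - 1]
        hits[key] += 1
        example.setdefault(key, url)
    return [{"match": key, "hits": count, "example_url": example[key],
             "title": render_title(title, pattern.extract(example[key]), key)}
            for key, count in hits.most_common(n)]


# The BBC News pattern the text describes: $1 = section, $2 = article number.
BBC_NEWS = UrlPattern("http", r"news\.bbc\.co\.uk", r"/1/hi/([a-z_]+)/(\d+)\.stm")

# The YouTube pattern: wildcards in the domain absorb www./TLD variants, $1 = video ID.
YOUTUBE = UrlPattern("http", r"(.*)youtube\.(.*)", r"/get_video\?video_id=([A-Za-z0-9_-]+)")

# Constructed sample URLs (invented browsing, URL shapes taken from the text).
SAMPLE_URLS = [
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/business/7879000.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7880001.stm",
    "http://news.bbc.co.uk/1/hi/business/7879000.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://www.youtube.com/get_video?video_id=6rNgCnY1lPg",
    "http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg",
]
```

Because the YouTube pattern keys on the video ID rather than the full URL, the .com and .co.uk forms collapse into one result with two hits, and the rebuilt example URL is simply whichever form was encountered first, which is the caveat the text raises about reconstructed URLs.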

Origin Filtering

NITO can aggregate reports over several different machines. Several NITOs, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity of several mobile users via the MobileGuardian content filter.

When these results are aggregated onto a central reporting NITO system, each record carries a unique identifier stating where it came from. This identifier can be used to restrict results to those which originated from a particular machine, or class of machines.

The origin filter on a NITO report allows the class of machine, or in some cases the individual machine, to be used to restrict the results.

Note: The list of originating systems does not include a list of individual MobileGuardian installations as there may be several dozen or more of these.

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group and so the default template reports have been constructed with that in mind. By default MobileGuardian filtering would be achieved using a group filter for the appropriate group however should more advanced processing be required the Origin filter could be used instead.


Appendix C: Hosting Tutorials

In this appendix: Examples of hosting using NITO.

Basic Hosting Arrangement


In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254.

Within the DMZ there are two servers:

Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2.

Mail server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0

Comment: External Alias .2

Alias IP: 216.1.1.3 | Netmask: 255.255.255.0

Comment: External Alias .3

Next, add the port forwards. In these rules Source IP is the external alias the forward listens on, Destination IP is the DMZ host the traffic is sent to, and External IP restricts which external source networks may use the forward; leaving it <BLANK> accepts any source.

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.2

Destination IP: 192.168.1.2

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .2 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.3

Destination IP: 192.168.1.3

Source port: SMTP (25)

Destination port: SMTP (25)

Comment: Mail Server .3 SMTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.3

Destination IP: 192.168.1.3

Source port: POP3 (110)

Destination port: POP3 (110)

Comment: Mail Server .3 POP3

Finally, add the source mappings:

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2

Comment: Web Server .2

Source IP: 192.168.1.3 | Alias IP: 216.1.1.3

Comment: Mail Server .3

Extended Hosting Arrangement


In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254.

Within the DMZ are three servers:

Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2. It supports both HTTP and HTTPS.

Web server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3. It should only be accessible to external hosts in the ranges 100.100.100.0/24 and 100.100.101.0/24.

Mail server .4 – This server will have an internal IP address of 192.168.1.4 and present an external IP address of 216.1.1.4.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0

Comment: External Alias .2

Alias IP: 216.1.1.3 | Netmask: 255.255.255.0

Comment: External Alias .3

Alias IP: 216.1.1.4 | Netmask: 255.255.255.0

Comment: External Alias .4

Next, add the port forwards:

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.2

Destination IP: 192.168.1.2

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .2 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.2

Destination IP: 192.168.1.2

Source port: HTTPS (443)

Destination port: HTTPS (443)

Comment: Web Server .2 HTTPS

Protocol: TCP

External IP: 100.100.100.0/24

Source IP: 216.1.1.3

Destination IP: 192.168.1.3

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .3 HTTP

Protocol: TCP

External IP: 100.100.101.0/24

Source IP: 216.1.1.3

Destination IP: 192.168.1.3

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .3 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.4

Destination IP: 192.168.1.4

Source port: SMTP (25)

Destination port: SMTP (25)

Comment: Mail Server .4 SMTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.4

Destination IP: 192.168.1.4

Source port: POP3 (110)


Destination port: POP3 (110)

Comment: Mail Server .4 POP3

Finally, add the source mappings:

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2

Comment: Web Server .2

Source IP: 192.168.1.3 | Alias IP: 216.1.1.3

Comment: Web Server .3

Source IP: 192.168.1.4 | Alias IP: 216.1.1.4

Comment: Mail Server .4
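The aliases, port forwards and source mappings above are three separate tables that have to agree with each other, and a mistyped External IP network silently widens or narrows who can reach a server. The following Python is an added consistency check, not a NITO feature, that models the Extended Hosting Arrangement as data and verifies that every forward listens on a defined alias, every restricted alias is reachable only from the intended networks (and from all of them), each forwarded host has a source mapping, and every mapping points at a defined alias. It also renders the DNAT rule an equivalent hand-built iptables configuration would use; that rendering is illustrative only, the red interface name eth0 is an assumption, and the rules NITO itself generates may differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Alias:
    ip: str
    netmask: str
    comment: str


@dataclass(frozen=True)
class PortForward:
    protocol: str
    external_ip: Optional[str]   # None stands for <BLANK>: any external source
    source_ip: str               # the public alias the forward listens on
    destination_ip: str          # the DMZ host the traffic is sent to
    source_port: int
    destination_port: int
    comment: str


@dataclass(frozen=True)
class SourceMapping:
    source_ip: str               # internal host
    alias_ip: str                # public address its outbound connections appear from
    comment: str


# The Extended Hosting Arrangement from the tutorial, typed in as data.
ALIASES = [Alias("216.1.1.2", "255.255.255.0", "External Alias .2"),
           Alias("216.1.1.3", "255.255.255.0", "External Alias .3"),
           Alias("216.1.1.4", "255.255.255.0", "External Alias .4")]

FORWARDS = [
    PortForward("TCP", None, "216.1.1.2", "192.168.1.2", 80, 80, "Web Server .2 HTTP"),
    PortForward("TCP", None, "216.1.1.2", "192.168.1.2", 443, 443, "Web Server .2 HTTPS"),
    PortForward("TCP", "100.100.100.0/24", "216.1.1.3", "192.168.1.3", 80, 80, "Web Server .3 HTTP"),
    PortForward("TCP", "100.100.101.0/24", "216.1.1.3", "192.168.1.3", 80, 80, "Web Server .3 HTTP"),
    PortForward("TCP", None, "216.1.1.4", "192.168.1.4", 25, 25, "Mail Server .4 SMTP"),
    PortForward("TCP", None, "216.1.1.4", "192.168.1.4", 110, 110, "Mail Server .4 POP3"),
]

MAPPINGS = [SourceMapping("192.168.1.2", "216.1.1.2", "Web Server .2"),
            SourceMapping("192.168.1.3", "216.1.1.3", "Web Server .3"),
            SourceMapping("192.168.1.4", "216.1.1.4", "Mail Server .4")]

# Intended reachability: the external networks allowed to reach each alias.
# An alias absent from this map is meant to be reachable from anywhere.
RESTRICTIONS: Dict[str, Set[str]] = {"216.1.1.3": {"100.100.100.0/24", "100.100.101.0/24"}}


def lint(aliases: Sequence[Alias], forwards: Sequence[PortForward],
         mappings: Sequence[SourceMapping], restrictions: Dict[str, Set[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the three tables agree."""
    findings: List[str] = []
    alias_ips = {a.ip for a in aliases}
    mapped_hosts = {m.source_ip for m in mappings}

    for pf in forwards:
        if pf.source_ip not in alias_ips:
            findings.append(f"{pf.comment}: listens on {pf.source_ip}, which is not a defined alias")
        if pf.external_ip is not None:
            try:
                ipaddress.ip_network(pf.external_ip, strict=True)
            except ValueError:
                findings.append(f"{pf.comment}: External IP {pf.external_ip!r} is not a valid network")
    for host in sorted({pf.destination_ip for pf in forwards} - mapped_hosts):
        findings.append(f"{host}: receives forwards but has no source mapping, so its own "
                        f"outbound connections will not appear to come from its alias")
    for m in mappings:
        if m.alias_ip not in alias_ips:
            findings.append(f"{m.comment}: maps to {m.alias_ip}, which is not a defined alias")

    for alias_ip, allowed in restrictions.items():
        covered: Set[str] = set()
        for pf in forwards:
            if pf.source_ip != alias_ip:
                continue
            if pf.external_ip is None:
                findings.append(f"{pf.comment}: {alias_ip} is meant to be restricted but this forward accepts any source")
            elif pf.external_ip not in allowed:
                findings.append(f"{pf.comment}: External IP {pf.external_ip} is not an intended network for {alias_ip}")
            else:
                covered.add(pf.external_ip)
        for net in sorted(allowed - covered):
            findings.append(f"{alias_ip}: intended network {net} has no port forward")
    return findings


def to_iptables(pf: PortForward, red_if: str = "eth0") -> str:
    """The DNAT rule an equivalent hand-built iptables setup would use. Illustrative only:
    the red interface name is assumed and NITO's own generated rules may differ."""
    src = f" -s {pf.external_ip}" if pf.external_ip else ""
    return (f"iptables -t nat -A PREROUTING -i {red_if} -p {pf.protocol.lower()}{src} "
            f"-d {pf.source_ip} --dport {pf.source_port} "
            f"-j DNAT --to-destination {pf.destination_ip}:{pf.destination_port}")
```

Run lint before and after any change to the three tables; a typo such as 100.100.10.0/24 in place of 100.100.101.0/24 is a valid network, so the firewall accepts it without complaint, and only the comparison against the intended networks catches both the unintended network that was let in and the intended one that was left out.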

More Advanced Hosting Arrangement


In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254.

A local private network, 192.168.10.0/24, contains 3 servers:

SQL Server .2 – Internal IP: 192.168.10.2

Mail Server [int] .3 – Internal IP: 192.168.10.3

Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users.

A DMZ network, 192.168.1.0/24, contains 5 servers:

Web Server .2 – External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.

Web Server .3 – External IP: 216.1.1.3, Internal IP: 192.168.1.3.

Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6.

Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5.

Mail Server [ext. out] .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.6, for outgoing mail.

Mail Server [ext. in] .7 – External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0

Comment: External Alias .2

Alias IP: 216.1.1.3 | Netmask: 255.255.255.0

Comment: External Alias .3

Alias IP: 216.1.1.4 | Netmask: 255.255.255.0

Comment: External Alias .4

Alias IP: 216.1.1.5 | Netmask: 255.255.255.0

Comment: External Alias .5

Alias IP: 216.1.1.6 | Netmask: 255.255.255.0

Comment: External Alias .6

Alias IP: 216.1.1.7 | Netmask: 255.255.255.0

Comment: External Alias .7

Next, add the port forwards:

Port forwards for example 3.

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.2

Destination IP: 192.168.1.2

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .2 HTTP

Protocol: TCP


External IP: <BLANK>

Source IP: 216.1.1.3

Destination IP: 192.168.1.3

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Web Server .3 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.4

Destination IP: 192.168.10.4

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Intranet Web Server .4 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.5

Destination IP: 192.168.1.5

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Virtual Web Server .5 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.6

Destination IP: 192.168.1.5

Source port: HTTP (80)

Destination port: HTTP (80)

Comment: Virtual Web Server .6 HTTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.7

Destination IP: 192.168.1.7

Source port: SMTP (25)

Destination port: SMTP (25)

Comment: Mail Server .7 SMTP

Protocol: TCP

External IP: <BLANK>

Source IP: 216.1.1.7

Destination IP: 192.168.1.7

Source port: POP3 (110)

Destination port: POP3 (110)

Comment: Mail Server .7 POP3

Next, add the zone bridges:

Zone bridging for example 3.

Source interface: Eth1

Destination interface: Eth2

Protocol: TCP

Source IP: 192.168.1.2

Destination IP: 192.168.10.2

Destination port: User defined, 3306

Comment: Web Server .2 to SQL Server .2

Source interface: Eth1

Destination interface: Eth2

Protocol: TCP

Source IP: 192.168.1.7

Destination IP: 192.168.10.3

Destination port: SMTP (25)

Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3

Finally, add the source mappings:

Source mapping for example 3.

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2

Comment: Web Server .2

Source IP: 192.168.1.3 | Alias IP: 216.1.1.3

Comment: Web Server .3

Source IP: 192.168.10.4 | Alias IP: 216.1.1.4

Comment: Intranet Web Server .4

Source IP: 192.168.1.5 | Alias IP: 216.1.1.5

Comment: Virtual Web Server .5 & .6

Source IP: 192.168.1.6 | Alias IP: 216.1.1.6

Comment: Mail Server [ext. out] .6


Glossary

Numeric

2-factor authentication.

Authentication that combines something you know (a password or PIN) with something you have (a token). Access is granted only when both are presented together.

3DES.

A triple-strength version of the DES cipher that applies DES three times, usually with a 168-bit key (three 56-bit keys); its effective strength is about 112 bits.

A

Acceptable Use Policy.

See AUP

Access control.

The process of preventing unauthorized access to computers, programs, processes, or systems.

Active Directory.

Microsoft directory service for organizations. It contains information about organizational units, users and computers.

ActiveX.

A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.

AES.

(Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.

AH.

(Authentication Header) Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.

Algorithm.

In Nomadix products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.

Alias.

or External Alias – In Nomadix terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.

ARP.

(Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses.

ARP Cache.

Used by ARP to maintain the correlation between IP addresses and MAC addresses.

AUP.

(Acceptable Use Policy) An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization’s email and Internet systems. The policy explains the organization’s position on how its users should conduct communication within and outside of the organization both for business and personal use.

Authentication.

The process of verifying identity or authorization.

B

Bandwidth.

Bandwidth is the rate at which data can be carried from one point to another, measured in bits per second (bps, Kbps, Mbps). Note that bytes per second (Bps) is a figure eight times larger.

BIN.

A binary certificate format: the raw DER-encoded bytes, of which PEM is the base64 text encoding.


Buffer Overflow.

An error caused when a program writes more data into a fixed-size buffer than it can hold, overwriting adjacent memory. This can be exploited by attackers to execute malicious code.

C

CA.

(Certificate Authority) A trusted network entity responsible for issuing and managing X.509 digital certificates.

Certificate.

A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.

Cipher.

A cryptographic algorithm.

Ciphertext.

Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.

Client.

Any computer or program connecting to, or requesting the services of, another computer or program.

Cracker.

A malicious hacker.

Cross-Over Cable.

A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.

Cryptography.

The study and use of methods designed to make information unintelligible.

D

Default Gateway.

The gateway in a network that will be used to access another network if a gateway is not specified for use.

Denial of Service.

An attack that makes a host or service unavailable to its legitimate users, typically by flooding it with large numbers of automatically generated packets or requests. The receiving host slows to a halt while it attempts to respond to each one.

DER.

(Distinguished Encoding Rules) A binary encoding for certificates and keys, typically used by Windows operating systems (file extensions .der or .cer).

DES.

(Data Encryption Standard) A historical block cipher with a 64-bit block and a 56-bit key. Its short key makes it brute-forceable; NIST withdrew the DES standard in 2005 in favour of AES, with 3DES as the interim replacement.

DHCP.

(Dynamic Host Configuration Protocol) A protocol for automatically assigning IP addresses and related settings to hosts joining a network.

Dial-Up.

A telephone based, non-permanent network connection, established using a modem.

DMZ.

(Demilitarized Zone) An additional separate subnet, isolated as much as possible from protected networks.

DNS.

(Domain Name System) A name resolution service that translates a domain name to an IP address and vice versa.

Domain Controller.

A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.

Dynamic IP.

A non-permanent IP address automatically assigned to a host by a DHCP server.

Dynamic token.

A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering.

The control of traffic leaving your network.

Encryption.

The transformation of plaintext into an unreadable form (called ciphertext) through a mathematical process. Ciphertext can be read only by someone who has the key to decrypt it (undo the encryption).

ESP.

(Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.

Exchange Server.

A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).

Exploit.

Code or a technique that takes advantage of a hardware or software vulnerability to gain access to a system or service, or to make it behave in an unintended way.

F

Filter.

A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.

FIPS.

Federal Information Processing Standards. See NIST.

Firewall.

A combination of hardware and software used to control access to private network resources, permitting only the traffic that the organization's rules allow.

G

Gateway.

A network point that acts as an entrance to another network.

Green.

In Nomadix terminology, green identifies the protected network.

H

Hacker.

A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.

Host.

A computer connected to a network.

Hostname.

A name used to identify a network host.

HTTP.

(Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web.

HTTPS.

A secure version of HTTP in which the traffic is carried over an SSL/TLS connection.

Hub.

A simple network device for connecting networks and network hosts.

I

ICMP.

(Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.

IDS.

Intrusion Detection System

IP.

Internet Protocol

IPS.

Intrusion Prevention System

IP Address.

A number that identifies each sender and receiver of network data; an IPv4 address is 32 bits long.

IPtables.

The Linux packet filtering tool used by Nomadix to provide firewalling capabilities.


IPSec.

(Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).

IPSec Passthrough.

A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.

ISP.

An Internet Service Provider provides Internet connectivity.

K

Key.

A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.

Kernel.

The core part of an operating system that provides services to all other parts of the operating system.

Key space.

The set of all possible values of a key. For an n-bit key the key space has 2^n members, so each additional bit of key length doubles it.

L

L2F.

(Layer 2 Forwarding) A tunnelling protocol developed by Cisco Systems.

L2TP.

(Layer 2 Tunnelling Protocol) A tunnelling protocol that combines features of Microsoft's PPTP and Cisco Systems' L2F. L2TP provides no encryption of its own and is therefore normally run over IPSec (L2TP/IPSec).

LAN.

(Local Area Network) is a network between hosts in a similar, localized geography.

Leased Lines.

(Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.

Lockout.

A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user.

M

MAC Address.

(Media Access Control) An address which is the unique hardware identifier of a NIC.

MX Record.

(Mail eXchange) An entry in a domain name database that specifies an email server to handle a domain name's email.

N

NAT-T.

(NAT Traversal) An IPSec extension that encapsulates ESP packets in UDP so that they survive network address translation. It is a more effective solution than IPSec Passthrough.

NIC.

Network Interface Card

NIST.

(National Institute of Standards and Technology) NIST produces security and cryptography related standards and publishes them as FIPS documents.

NTP.

(Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP Servers.


O

OU.

An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password.

A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.

PEM.

(Privacy Enhanced Mail) A popular certificate format.

Perfect Forward Secrecy.

A property of a key-exchange protocol: each session's keys are derived independently, so compromise of a long-term key, or of the key currently in use, does not expose previously recorded VPN communications.

PFS.

See Perfect Forward Secrecy

Phase 1.

Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.

Phase 2.

Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.

Ping.

A program used to verify that a specific IP address can be seen from another.

PKCS#12.

(Public Key Cryptography Standards # 12) A portable container file format for transporting certificates and private keys.

PKI.

(Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates.

Plaintext.

Data that has not been encrypted, or ciphertext that has been decrypted.

Policy.

Contains content filters and, optionally, time settings and authentication requirements, to determine how NITO handles web content and downloads to best protect your users and your organization.

Port.

A service connection point on a computer system, numerically identified between 0 and 65535. Port 80 is the HTTP port.

Port Forward.

A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

PPP.

(Point-to-Point Protocol) Used to communicate between two computers via a serial interface.

PPTP.

(Point-to-Point Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be relatively insecure.

Private Circuits.

See Leased Lines.

Private Key.

The secret half of a public/private key pair, known only to its owner. It decrypts messages that were encrypted with the matching public key and creates digital signatures that anyone holding the public key can verify. Because possession of the private key is what proves identity, it must never be shared or sent in the clear (see PKCS#12 for the container used to move it).

Protocol.

A formal specification of a means of computer communication.

Proxy.

An intermediary server that mediates access to a service.

PSK.

(Pre-Shared Key) A secret that both VPN peers are configured with in advance, usually as a passphrase. During IKE each peer proves knowledge of the key without transmitting it, so a matching PSK authenticates the peer. A short or widely shared PSK can be guessed or leaked, so use a long random key and, where the VPN permits, a distinct key per peer.

Public Key.

The freely distributable half of a public/private key pair. Anyone can use it to encrypt a message that only the holder of the matching private key can decrypt, and to verify signatures made with that private key. Public keys are normally distributed inside certificates (see PKI and X509), which bind the key to its owner's identity.
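The relationship between the two halves of a key pair, as an added example that is not part of the NITO guide or its software: textbook RSA on constructed toy primes. Encrypting with the public key produces something only the private key decrypts, and signing with the private key produces something anyone with the public key can verify. The numbers (p = 61, q = 53) are chosen for readability and are far too small to be secure; real keys use 2048-bit or larger moduli and padding schemes, neither of which this example includes.

```python
"""Added example, not from the NITO guide: textbook RSA on tiny numbers to show
what a private key and a public key can each do. Constructed primes, no
padding, no hashing: for illustration only, never for real use."""

from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key.

    n is published; d is derived from the secret factors p and q, which is
    why anyone who learns p and q can recover the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt a message to its owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private key recovers the plaintext."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """A signature is produced with the private key ..."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, s: int) -> bool:
    """... and checked by anyone who has the public key."""
    n, e = public_key
    return pow(s, e, n) == m


if __name__ == "__main__":
    pub, priv = make_keypair(p=61, q=53)          # constructed toy primes, n = 3233
    c = encrypt(pub, 65)
    print(c, decrypt(priv, c))                    # ciphertext, then 65 again
    s = sign(priv, 65)
    print(verify(pub, 65, s), verify(pub, 66, s)) # True for the signed value only
```

Note the asymmetry the glossary entries describe: decrypt() and sign() are the only functions that take the private key, and both are useless to anyone who holds just the public half.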


PuTTY.

A free SSH and Telnet client for Windows.

Q

QOS.

(Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

RAS.

(Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.

Red.

In Nomadix, red is used to identify the Unprotected Network (typically the Internet).

RIP.

(Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.

Road Warrior.

An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.

Route.

A path from one network point to another.

Routing Table.

A table used to provide directions to other networks and hosts.

Rules.

In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy.

A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights and define what behavior is and is not permitted, by whom and under what circumstances.

Server.

In general, a computer that provides shared resources to network users.

SIP.

(Session Initiation Protocol) A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.

Single Sign-On.

(SSO) The ability to log in once and gain access to multiple computers or services without re-entering credentials.

Site-To-Site.

A network connection between two LANs, typically between two business sites. Usually uses a static IP address.

Smart card.

A card containing a tamper-resistant chip that holds authentication credentials (typically a private key and certificate) for use with any smart card-enabled device; the private key never leaves the card.

Spam.

Junk email, usually unsolicited.

SQL Injection.

An attack in which attacker-controlled input (for example a field in a web form or URL) is concatenated into an SQL query without parameterisation, so the database executes SQL of the attacker's choosing and data can be read, modified or deleted. The fix is to pass user input as bound parameters rather than building the query as a string.
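The attack and its fix side by side, as an added example that is not part of the NITO guide or its software. It runs against an in-memory SQLite database with a constructed users table: lookup_vulnerable() builds the query by string concatenation, so a tautology payload returns every row; lookup_safe() passes the same value as a bound parameter, so the quotes stay data and no row matches.

```python
"""Added example, not from the NITO guide: SQL injection against a constructed
SQLite table, vulnerable query beside the parameterised one."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with placeholder password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pwhash TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0)],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    # Attacker-controlled text becomes part of the SQL statement itself.
    sql = "SELECT name, pwhash FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    # The driver binds the value; quotes and keywords inside it are never parsed as SQL.
    sql = "SELECT name, pwhash FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # closes the quote, appends an always-true clause
    print(lookup_vulnerable(db, payload))   # both rows, password hashes included
    print(lookup_safe(db, payload))         # [] : nobody is literally named that
```

The vulnerable statement ends up as `SELECT name, pwhash FROM users WHERE name = 'x' OR '1'='1'`, which is valid SQL that matches every user; the same text bound as a parameter is compared as a single opaque string.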

Squid.

A high performance proxy caching server for web clients.

SSH.

(Secure Shell) A protocol providing encrypted, authenticated command-line access (and file transfer) to a remote computer, replacing Telnet. NITO can be administered over SSH (see also PuTTY).

SSL.

(Secure Sockets Layer) A cryptographic protocol that provides encrypted, authenticated communications on the Internet, for example HTTPS. It has been superseded by TLS, but the name SSL is still commonly used for both.

SSL VPN.

A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.

Strong encryption.

A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

Subnet.

An identifiably separate part of an organization’s network.

Switch.

A network device that links hosts and network segments together, forwarding each frame only to the port where its destination MAC address was learned (unlike a hub, which repeats traffic to every port).

Syslog.

A standard protocol for sending log messages across the network and, by extension, the server that collects them. NITO can forward its logs to a remote syslog server so that the records survive if the unit itself fails or is compromised.

T

Triple DES (3-DES) Encryption.

A method of data encryption that runs the DES algorithm three times (encrypt, decrypt, encrypt) with three keys, giving an effective strength of about 112 bits. Triple DES is substantially stronger than single DES, but it is slow and its 64-bit block size limits how much data one key should protect, so it is now regarded as a legacy cipher.

Tunneling.

The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

U

User name / user ID.

A unique name by which each user is known to the system.

V

VPN.

(Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

VPN Gateway.

An endpoint used to establish, manage and control VPN connections.

X

X509.

(X.509) The standard that defines the format of public key certificates. As a VPN authentication method, each peer presents a certificate issued by a trusted CA and proves possession of the matching private key, so authenticity rests on the CA rather than on a shared secret (compare PSK).



Index

A
accessing 6
active directory
  extra realm 193, 196
  group search root 193, 196
  kerberos discover 193, 196
  kerberos realm 192, 195
  multiple user search roots 193, 196
  netbios domain name 196
  port 192, 196
  sam account name 196
  server password 192, 195
  server username 192, 195
admin 3
admin options 11
administration 11
administration login failures 256
administrative users 11
adsl modem settings 26
advanced 7, 8
alerts 5, 256
  administration login failures 143, 256
  email 278
  email to sms 277
  firewall notifications 256
  guardian upstream proxy status 143
  guardian URL violations 143
  hardware failure alerts 256
  health monitor 256
  license expiry status 256
  output system test messages 256
  settings 5
  system boot (restart) notification 256
  system resource monitor 256
  system service monitoring 256
  update monitoring 256
  ups, power supply status warning 256
  url violations 144
application helper 61
  ftp 62
  h323 passthrough support 62
  irc 62
  pptp client support 62
archives 10
authentication 8, 177
  choosing 282
  core 108, 111
  diagnostics 188, 198
  identification by IP 109, 111
  mechanisms 281
  NTLM 107, 108
  SSL background tab 108, 111
  session cookie 108, 111
  SSL login 182
  time-out 188
authentication system
  diagnostics 198
  managing 197
  restarting 198
  status 198
  stopping 198

B
banned users 187
BitTorrent 65
blogs 148
bridging
  groups 55
  rules 51
  zones 51

C
category analysis 148
central management 245
  about 245
  configure 253
  pre-requirements 245
central management key 247
centrally manage 245
child node 247
cluster 245
configuration tests 11
connection methods 21
  dial-up modem 27
  ethernet 21, 23
  ethernet/modem hybrid 21
  isdn modem 26
  modem 21
connection profiles 21
  creating 21
  deleting 29
  modem 21
  modifying 28
connection tracking 46
connections 19
connectivity 7
console, connecting via 17
control 8
control page 4
Copyright 2
create 4
csv 249
  importing nodes 249
csv files 249
custom categories 9
custom signatures 167
D
database 206
  backup 6
  disk usage 208
  password 206
  pruning 207
  remote 207
  settings 6
  username 206
default
  interface 20
  users 187
denial of service 44
detection policies 163
dhcp ethernet 24
  settings 24
diagnostics 11, 188, 198
dial-up modem 27
directory settings 189
  prerequisites 190, 193, 194
disk usage 208
dns 156
  proxy service 156
  static 156
documentation 1
DoS 45

E
ECN 46
eDonkey 65
email to sms 277
enable filtering 71
ethernet 21
external access 11
external aliases 7
external services 8, 68
  editing 69
  removing 69
F
failover 232, 233
  failover unit 235
  master 233
filtering 6
filters 9
  about 89, 93, 98
firewall 5
  accessing browser 6
  connecting 17
  notifications 256
ftp 62

G
global settings 22
  configuring 22
Gnutella 65
group bridging 6, 55
group search root, additional 193, 196
groups 6, 8, 9, 186
  banned users 187
  default users 187
  mapping 197
  network administrators 187
  renaming 188
  unauthenticated ips 187

H
h323 passthrough support 62
hardware 11
  failover 233
hardware failover 232
hardware failure alerts 256
health monitor 256
heartbeat 232
hostname 11
https 6
hybrid 21

I
icmp 45
ICMP ping 45
ICMP ping broadcast 45
identification ids 5
  NTLM 107
igmp 45
IGMP packets 45
image and video sharing 148
information 6
interfaces 7
internal aliases 7
inter-zone security 51
intrusion system 163
  custom policies 166
  detection policies 163
  policies 163
  prevention policies 164
ip
  address, defining 35
  block 6
  tools 11
ips 5
irc 62
isdn modem 26
  settings 26
isp 23

K
KaZaA 65
kerberos 193, 196
  extra realms 193, 196
kerberos realm 192, 195

L
leak client ip with x-forwarded-for header 134
license expiry status 256
licenses 10
load balancing 135
local users 9
  activity 181
  adding 178
  deleting 179
  editing 178
  exporting 179
  importing 179
  managing 177
  moving 180
  viewing 178
log settings 6
logging 253
logs 5
  enable remote syslog 272
  inserting 208
  remote syslog server 272
  retention 272

M
mac spoof 24
maintenance 10
master 233
message censor 9
  custom categories 9
  filters 9
  time 9
message censor filtering, enable 103
modem 21
  settings 27
modem profile 21
modules 10
multicast traffic 45
multiple user search roots 193, 196

N
netbios domain name 196
network
  administrators 187
  interface 19
networking 6
  restart 20
  source mapping 38
news 148
node 250
  add 248
  child 247
  child delete 250
  child edit 250
  configure child 10
  csv 249
  delete 250
  disable 253
  edit 250
  import 249
  local settings 10
  logging 253
  manage 250
  monitor 251
  parent 246
  reboot 253
  review 251
  update 252
O
outbound access
  port rules 63
  source rules 66
outgoing 8
output settings 6
output system test messages 256

P
pages
  central management 10
  guardian
    block page policies
      block pages 13
      manage policies 13
      policy wizard 13
    content modification policies
      manage policies 13
      policy wizard 13
    https inspection policies
      manage policies 12
      policy wizard 12
      settings 13
    policy objects
      category groups 13
      locations 13
      quotas 14
      time slots 13
      user defined 13
    quick links
      getting started 12
      quick block/allow 12
      shortcuts 12
    web filter policies
      exceptions 12
      location blocking 12
      manage policies 12
      outgoing 12
      policy wizard 12
  info
    alerts 5
      alerts 5
      custom 4
    logs 5
      firewall 5
      ids 5
      ips 5
      system 5
    realtime 5
      firewall 5
      portal 5
      system 5
      traffic graphs 5
    reports
      reports 4
      saved 4
      scheduled reports 4
    settings
      alert settings 5
      database backup 6
      database settings 6
      groups 6
      log settings 6
      output settings 6
    user portal 5
      information 6
      main 6
  networking 6
    filtering 6
      group bridging 6
      ip block 6
      zone bridging 6
    firewall 7
      advanced 7
      port forwarding 7
      source mapping 7
    interfaces 7
      connectivity 7
      external aliases 7
      interfaces 7
      internal aliases 7
      ppp 7
      secondaries 7
    outgoing 8
      external services 8
      groups 8
      ports 8
      sources 8
    routing 6
      ports 7
      rip 7
      sources 7
      subnets 6
    settings
      advanced 8
      port groups 8
  services
    authentication 8
      control 8
      groups 8
      local users 9
      settings 8
      ssl login 9
      temporary bans 8
      user activity 9
    message censor 9
    user portal 9
      groups 9
      portals 9
      user exceptions 9
  system
    administration 11
      admin options 11
      administrative users 11
      external access 11
    central management
      child nodes 10
      local node settings 10
      overview 10
    diagnostics 11
      configuration tests 11
      diagnostics 11
      ip tools 11
      traffic analysis 11
      whois 11
    hardware 11
      ups 11
    maintenance 10
      archives 10
      licenses 10
      modules 10
      scheduler 10
      shell 10
      shutdown 10
      updates 10
    preferences 10
      hostname 11
      registration options 10
      time 10
  web proxy
    authentication
      exceptions 15
      ident by location 15
      manage policies 14
      policy wizard 15
    mobile proxy
      exceptions 15
      proxies 15
      settings 15
    upstream proxy
      filters 14
      manage policies 14
      proxies 14
    web proxy
      automatic configuration 14
      bandwidth limiting 14
      settings 14
      wccp 14
parent node 246
passwords 3
permissive 63
policies 9, 163
  intrusion 163
port forwarding 7
port forwards 59
  comment 61
  creating 60
  criteria 59
  destination address 61
  destination port 61
  editing 61
  enabled 61
  external ip 60
  logging 60
  protocol 60
  removing 61
  source IP 60
  source port 61
  user defined 61
port groups 8
port rules 63
  creating 64
  deleting 66
  editing 66
  modes 63
  permissive 63
  preset 64
  restrictive 63
  stealth 65, 67
  viewing 66
portal 5, 9, 149, 263
  access 154
  configure 149
  delete 154
  edit 154
  groups 153
  user exceptions 153
portals 9
ports 7, 8
ppp 7
ppp over ethernet settings 25
ppp profile 21
  creating 27
pptp client support 62
pptp over ethernet settings 25
preferences 10
prevention policies 164
primary dns 20
Product Information 3
proxies
  dns 156
pruning 207

Q
quotas 86
R
realtime 5
reboot 253
reference and educational 148
registration options 10
reports 4, 201
  blogs 148
  category analysis 148
  custom 4
  database 206
  image and video sharing 148
  news 148
  reference and educational 148
  reports 4
  scheduled 4
  shopping and online auctions 148
  social bookmarking 148
  social networking 148
  sport 148
  web portals and search engines 148
restrictive 63
rip 7
routing 6
rules
  assigning 69
  external access 226
  external service 68
  group bridging 56
  internal alias 39
  ip blocking 43
  port 35
  port forward 59
  source 66
  source mapping 38
  subnet 31
  zone bridging 51

S
sam account name 196
scheduled reports 4
scheduler 10
secondaries 7
secondary dns 20
selective ACK 46
server password 192, 195
server username 192, 195
services
  authentication 8, 188
  dhcp 168
  dns 156
  dns proxy 156
  intrusion system 163
  message censor 9
  portal 9
  rip 32
  snmp 155
settings 6, 8
shell 10
shopping and online auctions 148
shutdown 10
site address 18
snmp 155
social bookmarking 148
social networking 148
source mapping 7, 38
source rules 66
  creating 67
  editing 68
  rejection logging 67
  removing 68
  settings 67
sources 7, 8
sport 148
ssh 17
  client 17
  web-based 18
ssl login 9, 182
  accessing the page 184
  customizing 183
  enabling 183
  exceptions 183
static ethernet settings 24
stealth 65
subnets 6
SYN backlog queue 46
SYN cookies 45
SYN+FIN packets 46
system 5
system boot (restart) notification 256
system resource monitor 256
system service monitoring 256

T
TCP timestamps 46
telephony settings 28
temporary ban 180
temporary bans 8
time 10
time out 188
time slots 9
time-out 282
Trademarks 3
traffic
  analysis 11
  graphs 5
traffic audit 46
tutorial, zone bridging 53

U
unauthenticated ips 187
unknown entity 18
updates 10
ups 11
ups, power supply status warning 256
upstream proxies 133
  allow direct connections 134
  default proxy 133
  leak client ip with x-forwarded-for header 134
  load balancing 135
url violations alert 144
user
  activity 9, 181
  identity 281
user exceptions 9
user portal 5
users
  banned 187
  default 187
  local 177
  network administrators 187
  temporary ban 180
  unauthenticated IPs 187

W
web filter 5
web filtering
  configuring manually 116
web portals and search engines 148
whois 11
window scaling 46

Z
zone bridge
  narrow 51
  rule, create 51
  settings 52
  tutorial 53
  wide 51
zone bridging 6, 51
