Copyright Notice
Copyright (c) 2004-2011, Barracuda Networks, Inc., 3175 S. Winchester Blvd, Campbell, CA 95008 USA, www.barracuda.com
vSP4-110722-30-0722
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.
Barracuda NG Network Access Client
Chapter 1 - Introduction ... 4
  Endpoint Security and Network Access Control ... 4
  Introduction to Barracuda NG Network Access Client ... 4
  What can Barracuda NG Network Access Client be used for? ... 6
  Licensing Aspects ...
Chapter 6 - Update or Migration ... 81
  General ... 81
Chapter 7 - Uninstall ... 82
  General ... 82
  Procedure ...
  Log Settings ... 165
  Log Files ... 165
Chapter 12 - Pre-Connector and Remote VPN ... 167
  General ... 167
  VPN Connector ...
Chapter 1 Introduction

1.1 Endpoint Security and Network Access Control
With the advent of novel technologies, work habits have changed dramatically over the past decades. Notebooks and netbooks, smartphones, vast amounts of data easily carried on USB sticks and miniature storage cards, ubiquitous wireless network access and personal area networking have all contributed to endpoints in corporate networks becoming a hazard that is increasingly hard to control.
Before we have a closer look at the interplay of the various components and their roles, let us briefly study what inspired the design of the Barracuda NG Network Access Client endpoint security framework. The originally very long list of requirements reads as follows in a slightly more condensed fashion:
• We want to create an endpoint security solution that is effective and yet still simple enough to be implemented and operated in a cost-efficient manner.
Fig. 1–1 Barracuda NG Network Access Client environment
Since the NG Network Access Clients communicate with the Access Control Server at cyclic intervals, the Access Control Server should be placed as close as possible to the NG Network Access Clients. This reduces network traffic and improves response times.

1.2.1 What can Barracuda NG Network Access Client be used for?
It can be used to implement an endpoint security policy on Windows-based endpoints within a corporate network.
The remediation server is the component from which policy attributes, such as firewall rule sets, welcome messages and bitmaps, as well as the client software components required for updates, are obtained. It can run on the same Barracuda NG Firewall system as the SHV or, for load balancing reasons, it can be spread over several Barracuda NG Firewall systems. The SHV and the remediation server must always remain accessible to all endpoints regardless of the currently active firewall rule set.
seemingly complex procedure is rather straightforward and easy to understand. As autonomous machine authentication is rather uncommon in the VPN context, the "limited access" and the "local machine" firewall rule sets and policies must be provided together with the actual VPN rule set. The "local machine" rule set thus acts as a VPN-offline rule set that centrally controls the network access rights of mobile users even when they are not connected to the corporate LAN.
on the client system is assumed untrusted, and the configured "untrusted access" firewall rule set and client message apply. Nevertheless, Barracuda Networks recommends configuring a catch-all rule at the end of the policy rule set. An explicit catch-all rule allows better control of the required client health state and gives more details to the end user; in addition, more details are available in the server-side visualisation. Each policy rule consists of three parts: 1.
1.) Determine the applicable rule set
First of all, the NG Network Access Client determines in which context it is started and how it connects to the Access Control Service. The following three contexts are available:
• Local Machine context
The local machine context is available in case no user has logged in. This applies during the startup of a Windows computer as well as after user logout.
The available identity information is sequentially matched from top to bottom with the identity conditions of the individual policies. Each policy can be configured to match if all configured identity criteria apply or if only one of the configured criteria applies.
1.4.1 Health State "Untrusted"
As soon as the identity match is finished and the client's identity cannot be validated, the health state changes to "Untrusted". Untrusted does not necessarily mean that the client is a guest client, only that the Access Control Service cannot determine the client's identity. Nevertheless, the configuration parameter Access Control Service Trustzone > Settings > No Rule Exception allows a set of client attributes to be assigned to such clients. 1.4.
If the client fails during a specific time, its state is changed to "Unhealthy"; in other words, the client is put into quarantine. This means that the client enables its latest quarantine rule set. On the Barracuda NG Firewall the proper state is propagated to the firewall engine, where limited access can therefore be enforced. Even the quarantine rule set must at least enable the client to connect to the Access Control Service, to the Microsoft Active Directory, and to the remediation servers.
Furthermore, the update service provides the information necessary to diagnose the up-to-dateness of the client's signature databases and engine versions. As a prerequisite, either the Access Control Service (standalone Barracuda NG Firewall) or the CC (for managed Barracuda NG Firewalls) must have access to the Internet. 1.
An important aspect related to trust zone crossing is the synchronization of authentication data. Basically, trust zones need a consistent and up-to-date view of the clients' authentication information that is shared across the whole network. To this end, the CC ensures that changes are replicated and synchronized across the various available servers and databases, so that identity federation is achieved. Fig.
Chapter 2 Server Config – Access Control Service

2.1 General
For proper operation, both components of the Barracuda NG Network Access Client framework, that is, the Access Control Service and the Barracuda NG Network Access Client, depend on up-to-date information regarding AV and AS products. Barracuda Networks provides an online updating service that helps the Access Control Service verify the up-to-dateness of the client's signature databases.
List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator – section General
Parameter | Description
Start System Health-Validator | Setting to yes starts the Access Control Server module before VPN health validation.
Health State Validity (min.) | This value restricts the validity time of a health state. If the client does not re-evaluate its health state within that period, all assigned "network access rights" will be dropped.
Health State Probation (min.
List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals
Parameter | Description
VPN Remediation Service IPs | Define where the Access Control Service remediation service module is reachable for VPN clients. Note: This IP address must not be the same IP address as already used as an Internal or External Remediation Service IP address. Example: For the internal Clients the Access Control Service listening socket is on 10.0.8.
List 2–9 Access Control Server - Access Control Server Settings - 802.1X – section 802.1X
Parameter | Description
Debug Log | Enable debugging log here. A service restart is required. (This parameter is only visible in Advanced View mode.)

List 2–10 Access Control Server - Access Control Server Settings - 802.1X – section Radius Clients
Parameter | Description
NAS identifiers | Network access servers (NAS, alias switch) which are allowed to access the RADIUS server. For the parameter description see list 2–11.
List 2–15 Access Control Server - Access Control Server Settings - Advanced – section General
Parameter | Description
Sync Access Cache to CC | Enabling this parameter syncs the access cache entries of this Access Control Service to the Barracuda NG Control Center. Thus a consolidated health status of multiple Access Control Services is available. Additionally, the appropriate Barracuda NG Network Access Client service must be introduced on the CC.
For those already familiar with Barracuda NG VPN, the Access Control Objects are similar to the objects available for Client to Site VPN.
Fig. 2–1 Access Control Objects – Configuration tree - Access Control Objects
• Welcome Messages can be used to display customized messages to welcome end-users to the corporate network, inform them about security policies, or display administrator contact details. For each policy rule, a different "welcome" message may be displayed to individual groups of users.
Assigned pictures are displayed in the client after successfully connecting to the Access Control Service.
Fig. 2–3 Access Control Objects – Access Control Service Bitmaps
Keep the size of your picture small since the picture will be transferred to all clients. Pictures larger than 167x90 pixels are scaled down on the Barracuda NG NAC anyway.
• Personal Firewall Rules
The details of a Barracuda NG Personal Firewall rule set are explained in Server Config – Personal Firewall Rules, page 41. Fig.
• Registry Check Objects
These objects allow an administrator to define registry checks to be performed on the client, validating registry keys and values and taking action in case of failed validation. Available actions are "Repair", "Notify", or "Fail". With action type "Fail", the Access Control Service health validation fails if the specified registry keys are not set appropriately. "Notify" generates appropriate log messages on the Barracuda NG Firewall.
Access Control Objects provide a hierarchical override mechanism. Objects on cluster level sharing the same name as global or range objects override the global definition(s). This mechanism works like the one for global firewall objects of the Barracuda NG Firewall.

2.4 Access Control Service Trustzone
Each Access Control Service belongs to a so-called trustzone.
The pre-defined Access Control Service Trustzones can be referenced within the configuration dialogue Virtual Servers > > Assigned Services > (ACS) > Access Control Service Settings > System Health-Validator view > Trustzone section.
Fig. 2–8 Access Control Service Trustzone - Configuration dialogue
The Barracuda NG Control Center automatically links the Trustzone to the appropriate global / range / cluster object.
2.4.1 Rules
The main window of an Access Control Service Trustzone is split into a navigation bar on the left and three policy rule sets on the right (1.3 What is a Policy Rule Set?, page 8).
Fig. 2–9 Access Control Service Trustzone - Rules

2.4.2 Identity Matching - Basic
The first step when processing a policy rule set (either local machine, current user, or VPN) is to determine the client's identity.
If the identity match fails, the next rule is taken into account.
Fig. 2–10 Access Control Service Trustzone - Rules - Identity Matching Basic
List 2–20 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Identity Matching
Parameter | Description
Policy Name | The name of the policy. This name is visible in the log file and in the access cache.
Deactivate Policy | Selecting the checkbox disables the configured policy.
List 2–21 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Matching
Parameter | Description
Policy Matching | Options: All-of-following, One-of-following. Set this option to All-of-following if all of the identity matching parameters (basic and advanced), except the empty ones, must match for a successful identity verification.
2.4.3 Identity Matching - Advanced
Fig. 2–11 Access Control Service Trustzone - Rules - Identity Matching Advanced
List 2–22 Access Control Service Trustzone - Rules - Identity Matching Advanced – section Advanced Identity Matching
Parameter | Description
MAC Addresses | Enter MAC addresses here. Patterns may be used.
Microsoft Machine SIDs | Enter Microsoft Machine SIDs here. A SID is a world-wide unique machine identifier generated by the Microsoft OS.
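The identity matching described above (policies tried top to bottom, All-of-following versus One-of-following, empty criteria ignored, deactivated policies skipped, and "No rule matched" leading to the Untrusted state) is easy to get subtly wrong, in particular the catch-all case. The following Python model is an added example written for this page; it is not Barracuda code. The criterion names, the user criterion and the wildcard syntax used for MAC patterns are assumptions of the example.

```python
"""Added example, not part of the Barracuda manual: identity matching over a policy rule set.

Policies are tried top to bottom; each is All-of-following or One-of-following;
empty criteria are skipped; a deactivated policy is ignored; a client matching no
policy is "Untrusted" ("No rule matched").  Criterion names, the user criterion
and the wildcard syntax for MAC patterns are assumptions of this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    matching: str = "All-of-following"      # or "One-of-following"
    deactivated: bool = False
    mac_addresses: List[str] = field(default_factory=list)  # patterns allowed, e.g. "00:50:56:*"
    machine_sids: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)          # assumed basic-section criterion


@dataclass
class Identity:
    mac: str
    machine_sid: str
    user: Optional[str] = None   # None in the local machine context (nobody logged in)


def criterion_results(policy: Policy, ident: Identity) -> List[bool]:
    """One boolean per configured (non-empty) criterion; empty criteria are skipped."""
    results = []
    if policy.mac_addresses:
        results.append(any(fnmatchcase(ident.mac.lower(), p.lower()) for p in policy.mac_addresses))
    if policy.machine_sids:
        results.append(ident.machine_sid in policy.machine_sids)
    if policy.users:
        results.append(ident.user is not None and ident.user.lower() in {u.lower() for u in policy.users})
    return results


def policy_matches(policy: Policy, ident: Identity) -> bool:
    results = criterion_results(policy, ident)
    if policy.matching == "All-of-following":
        return all(results)   # all([]) is True: a policy without criteria is a catch-all
    if policy.matching == "One-of-following":
        return any(results)   # any([]) is False: One-of needs at least one criterion
    raise ValueError(f"unknown matching mode {policy.matching!r}")


def match_identity(policies: List[Policy], ident: Identity) -> Tuple[Optional[str], str]:
    """Return (matched policy name or None, provisional state).

    A matched client still has to pass the Required Health State checks of that
    policy; None means "No rule matched", i.e. Untrusted unless a No Rule
    Exception is configured.
    """
    for policy in policies:
        if policy.deactivated:
            continue
        if policy_matches(policy, ident):
            return policy.name, "Pending health evaluation"
    return None, "Untrusted"


# Constructed sample rule set; the explicit catch-all at the end follows the
# manual's recommendation.
SAMPLE_POLICIES = [
    Policy("Finance-Workstations", "All-of-following",
           mac_addresses=["00:50:56:*"], machine_sids=["S-1-5-21-1111-2222-3333"]),
    Policy("Admins-Anywhere", "One-of-following",
           users=["admin"], machine_sids=["S-1-5-21-9999-8888-7777"]),
    Policy("Legacy-Rule", deactivated=True, mac_addresses=["*"]),
    Policy("Catch-All", "All-of-following"),
]

if __name__ == "__main__":
    for ident in (Identity("00:50:56:ab:cd:ef", "S-1-5-21-1111-2222-3333"),
                  Identity("00:1c:42:00:00:01", "S-1-5-21-0000-0000-0001", user="Admin"),
                  Identity("00:1c:42:00:00:02", "S-1-5-21-0000-0000-0002")):
        print(ident, "->", match_identity(SAMPLE_POLICIES, ident))
```

Dropping the last policy from SAMPLE_POLICIES shows why the manual recommends an explicit catch-all: a client that matches nothing silently ends up Untrusted with only "No rule matched" as information.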
2.4.4 Required Health State - Basic
Fig. 2–12 Access Control Service Trustzone - Rules - Required Health State Basic
After successful verification of the client's identity, this configuration entity is used to determine the client's health state. Some of the parameters provide the following options:
• Not required: The result of the health evaluation does not depend on this parameter.
• Required: If a Required parameter does not match, the user is notified and manual action is required.
In case of third-party products (for example virus scanners), Auto-Remediation may not work with all available engine versions. As a fallback, the client always requests manual action.
List 2–24 Access Control Service Trustzone - Rules - Required Health State Basic – section Service Settings
Parameter | Description
NG Personal Firewall On | Options: Required, Not Required (default). Set to Required if a client must have the personal firewall up and running to be healthy.
List 2–27 Access Control Service Trustzone - Rules - Required Health State Basic – section Antivirus
Parameter | Description
Last AV Scan Action | Options: Manual, Auto Remediation. Depending on this parameter, either the user is informed to manually perform a full AV system scan, or the client tries to execute a full system scan automatically.
AV Engine Required | Options: Ignore, Latest (default), Previous, Last-2. Set to Ignore if the clients' virus scanner version should not be checked.
List 2–28 Access Control Service Trustzone - Rules - Required Health State Basic – section Antispyware
Parameter | Description
AS Pattern Definitions Required | Options: Ignore, Latest (default), Previous, Last-2. Set to Ignore if the clients' anti-spyware pattern definitions should not be checked. Be aware that in this case the client may be healthy without having any anti-spyware patterns installed. Set to Latest if the client's anti-spyware patterns must be up to date to be healthy.
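The Required Health State checks of lists 2–24, 2–27 and 2–28 combine into a verdict that later shows up as the Healthstate and Information columns of the status window. The following Python model is an added example written for this page, not Barracuda code. The support chart is a constructed dict with the newest release first, and reading Previous and Last-2 as "at most one, respectively two, releases behind the latest" is an assumption of the example.

```python
"""Added example, not part of the Barracuda manual: evaluating a Required Health State rule.

Implements NG Personal Firewall On (Required / Not Required), AV Engine Required
and AS Pattern Definitions Required (Ignore / Latest / Previous / Last-2).  The
"latest" versions come from a support chart such as the one the update service
downloads; here it is a constructed dict with the newest release first.
Previous / Last-2 meaning "at most one / two releases behind" is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed support chart: product -> known releases, newest first.
SUPPORT_CHART = {
    "av-engine": ["9.2", "9.1", "9.0", "8.9"],
    "as-patterns": ["2011-07-22", "2011-07-21", "2011-07-20", "2011-07-19"],
}
# Allowed distance from the newest release; None means "do not check".
ALLOWED_LAG = {"Ignore": None, "Latest": 0, "Previous": 1, "Last-2": 2}


@dataclass
class HealthRule:
    personal_firewall_on: str = "Not Required"   # "Required" / "Not Required"
    av_engine_required: str = "Latest"           # Ignore / Latest / Previous / Last-2
    as_patterns_required: str = "Latest"


@dataclass
class ClientReport:
    firewall_running: bool
    av_engine: Optional[str]     # None: no virus scanner installed
    as_patterns: Optional[str]   # None: no anti-spyware patterns installed


def version_ok(requirement: str, installed: Optional[str], product: str) -> bool:
    lag = ALLOWED_LAG[requirement]
    if lag is None:
        return True     # Ignore: the client may be healthy without the product at all
    releases = SUPPORT_CHART[product]
    if installed not in releases:
        return False    # missing or unknown version never satisfies the check
    return releases.index(installed) <= lag


def evaluate_health(rule: HealthRule, report: ClientReport) -> Tuple[str, str]:
    """Return (Healthstate, Information) in the style of the status window columns."""
    failed: List[str] = []
    if rule.personal_firewall_on == "Required" and not report.firewall_running:
        failed.append("NG Personal Firewall is not running")
    if not version_ok(rule.av_engine_required, report.av_engine, "av-engine"):
        failed.append(f"AV engine {report.av_engine!r} does not satisfy '{rule.av_engine_required}'")
    if not version_ok(rule.as_patterns_required, report.as_patterns, "as-patterns"):
        failed.append(f"AS patterns {report.as_patterns!r} do not satisfy '{rule.as_patterns_required}'")
    if failed:
        return "Unhealthy", "; ".join(failed)
    return "Healthy", "Client is healthy"


if __name__ == "__main__":
    rule = HealthRule(personal_firewall_on="Required", av_engine_required="Previous")
    print(evaluate_health(rule, ClientReport(True, "9.1", "2011-07-22")))
    print(evaluate_health(rule, ClientReport(False, "8.9", None)))
```

Note the asymmetry the manual warns about: with Ignore, a client reporting no product at all (None) is still Healthy, whereas with any other setting an unknown or missing version fails the check.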
Select New (context menu) to create a new entry. The configuration dialog provides the following entries:
Fig. 2–14 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions
List 2–29 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions
Parameter | Description
Name | Specify a name. Define allowed or explicitly denied client health suite versions.
2.4.6 Policy Assignments
Fig. 2–15 Access Control Service Trustzone - Rules - Policy Assignments
List 2–30 Access Control Service Trustzone - Rules - Policy Assignments – section Attributes
Parameter | Description
Personal Firewall Settings | • Ruleset Name: Choose one of the created Personal Firewall Rule objects here.
List 2–31 Access Control Service Trustzone - Rules - Policy Assignments – section Exceptions
Parameter | Description
User Authentication Required | Options: Yes, No, Like Service Settings (default). Only available for the local machine rule set. If set to "No", user authentication is not performed even if a user logs in.

List 2–32 Access Control Service Trustzone - Rules - Policy Assignments – section Radius Attributes
Parameter | Description
802.1X | • Use 802.1x: Enforces the usage of 802.
Fig. 2–16 Access Control Service Trustzone - Settings
List 2–33 Access Control Service Trustzone - Settings – section No Rule Exception
Parameter | Description
Bitmap | Choose one of the Picture objects here. The client will be advised to get the bitmap from the remediation server.
Limited Access Ruleset Name | For the description see parameter Limit Access, table 2–30, page 36.
List 2–34 Access Control Service Trustzone - Settings – section Identity
Parameter | Description
Health Passport Verification Key | Set the RSA public key for verifying a digital passport signature here. If an Access Control Server instance is a remediation server exclusively, it is not necessary to set the Signing Key, only the Passport Verification Key.

List 2–35 Access Control Service Trustzone - Settings – section 802.1X
Parameter | Description
802.1X | Description see parameter 802.
2.4.8 Support Chart This view provides information concerning Antivirus and Antispyware vendors and versions that are supported. The Support Chart is automatically downloaded from the Barracuda Networks update service mentioned above and distributed to Barracuda NG Admin on connect. Thus, the Support Chart reflects the current capabilities of the Access Control Service.
Chapter 3 Server Config – Personal Firewall Rules

3.1 General
To configure the personal firewall rules, browse to Client to Site and select the VPN FW tab (Config > Box > Virtual Servers > > Assigned Services > (vpnserver) > Client to Site). Double-click the appropriate VPN Firewall Rule Set.

3.2 Tab
This tab allows manual rule configuration, testing, and setting the options. Personal Firewall rule sets do not support the Revision Control System (RCS).
3.2.1 Rules Incoming / Outgoing
Rules controlling incoming traffic are arranged in the Rules Incoming view, rules controlling outgoing traffic in the Rules Outgoing view (figure 3–1).
Fig. 3–2 Rules Outgoing

3.2.2 Context Menu
Select and right-click a list entry to display the following context menu:
Table 3–1 Rule window - Context menu
Item | Description
Show Source Addresses … | Opens a window displaying all source addresses affected by the selected rule.
New … | Opens the rule configuration dialog for a new rule (3.2.4 Rule Configuration, page 45).
Delete | Deletes the selected rule(s).
Copy | Copies the selected rule(s) to the clipboard.
Paste | Pastes the selected rule(s) from the clipboard.

3.2.3 Button Bar
Fig. 3–3 Rules Outgoing – Button bar
In the button bar, the Up and Down buttons complement the options available in the context menu.
3.2.4 Rule Configuration
Select New … from the context menu to create a new rule.
Fig. 3–4 Edit/Create Rule Object
Configure the following connection details in the Rules view of the Rule Object window:
List 3–1 Edit/Create Rule Object - Options in the Rules view
Item / Parameter | Description
Name | Insert a rule name into this field. Note: The maximum length of this parameter is 50 characters.
Action | Select Pass to enable a connection request, select Block to prevent it.
Modifying an object is a global action: any other rule using the specific object will be affected by the modification. This applies only to referenced objects, not to objects of type . Explicit objects are only available for the current rule.
Table 3–2 Edit/Create Rule Object – Sections
Section | Description
Adapter | Specify an adapter for the connection request. All Adapter Objects that have been defined in the Adapter window are available in the list (3.3 Adapters, page 51).
Fig. 3–5 Time restriction dialog

3.2.5 Tester
The Tester view allows testing rule sets for consistency. Fig.
The following entities are available for rule testing:
List 3–4 Rule Tester parameters – section TEST CONNECTION
Parameter | Description
Direction | This is the direction of the traffic policy (Incoming or Outgoing).
Application | To query for an arbitrary application, leave the asterisk (*), which is set as the default value. Click the Application link and select Update Applications to reset the field to the default value.
From: IP / Port | Insert the source IP and the corresponding connection port.
Changing any parameter in any configuration area that influences the result of a test report leads to a status icon change in the overview window: green icons become red. To apply the new conditions to an already existing test report, select the data set in the overview window of the Test Reports window and click Rectify. After this action, the status icons no longer indicate whether an action has been successful, but instead whether rectification has been applied.
List 3–6 Barracuda NG Network Access Client
Parameter | Description
ICMP Parameters | This tab allows you to configure blocking of ICMP packets.
Connect to the Internet with ADSL (PPTP) | Setting to yes creates a pass rule named ADSL in the Outgoing tab of the firewall configuration that is needed for Internet connections via ADSL. The service object used in this rule implements, amongst others, the services and protocols listed in table 3–3, page 50.
3.3 Adapters
The Adapters tab allows you to view and configure the network adapters available on the system. Adapters may be employed in firewall rules in order to restrict rule processing to a specific adapter or a set of adapters only.
Fig. 3–8 Adapter view
The listing is divided into the following columns:
Table 3–4 Adapter view details
Column | Description
Name | Name of the adapter object.
This object summarizes all wireless adapters available on the system (for example, WLAN cards). Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless adapters.
List 3–7 Edit/Create Adapter Object options
Parameter | Description
Comment | Optionally, insert an adapter description.
Trust Type | Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in Administration > Firewall Settings (Trusted Network, page 120). If you do not want to create a reference, select Untrusted.
3.4 User Objects
The User Objects tab allows you to create User and User Group objects, which may be employed in rule sets. Click New … to open the Edit/Create User Object dialog:
Fig. 3–10 User Object dialog
A user object is automatically created when a connection attempt is processed by the firewall. The object is then inserted into the corresponding rule. In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda NG Firewall are available for selection.
3.5 Net Objects
The Net Objects tab facilitates IP address/network management. Use this tab for the following purposes:
• Assigning names to single IP addresses
• Combining multiple IPs/networks/references into networking objects
For a clearly arranged network management, rather make use of referenced Network Objects than explicit IPs when configuring firewall rule sets. Fig.
Net-[Network Connection name] objects may be used to set up abstract rule sets.
• InterNet
The InterNet object may be used for outbound connections to the Internet (network 0.0.0.0/0).
• TrustedNet
Use the TrustedNet object to refer to trustworthy networks. The content of this object depends on the assignment of an adapter as trusted or untrusted (3.3 Adapters, page 51). When an adapter is specified as trusted, the IP addresses living on it are added to the TrustedNet object.
Click New … to open the Net Object dialog.
Fig. 3–12 Net Object dialog
Insert Name and Description of the Net Object for easier identification. In the Entry section, insert the IP/network address(es) of the new Net Object and/or specify a Reference to the Net Object, for example select an existing Net Object for the new one to refer to. The Excluded Entry section allows excluding specific networks from a network object. For transparency and consistency reasons, references are not available in this section.
3.6 Service Objects
The Service Objects tab facilitates port and protocol management. Use the Services window to
• assign port and protocol to specific services and
• merge multiple services into one service object using references.
Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator's Guide. Fig.
The following services are available in the Barracuda NG Personal Firewall by default:
Table 3–5 Service Objects available in the Personal Firewall
Service Name | Port | Protocol | Connection | Description
ICMP | | | O/I | Internet Control Message Protocol; ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation, or misoperation.
DNS | 53 | TCP/UDP | O | Domain Name Service; method by which the Internet addresses in mnemonic form (for example barracuda.
3.7
Fig. 3–14 Application Object dialog
• Insert Name and Application Object Description for easier identification.
• Again, click New … to specify an application. The Application Entry Parameters window opens.
• Click Browse and select the file you want to create the object for.
• After selection, the path to the file and its inherent file description will be displayed in the Path and Description fields below.
• Optionally, insert a file description into the Comment field.
Consider that when an application equipped with an MD5 Hash is used on multiple clients, file versions need to match exactly. Otherwise, the application object will not be applicable. Click Clear to delete the hash. In addition to the application, first level DLLs are taken into consideration. This provides additional security. However, DLLs used by first level DLLs are not monitored.
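The rule tester (3.2.5) only makes sense once the objects of this chapter are understood together: Adapter trust type (3.3), Net Objects with references and excluded entries (3.5), Service Objects (3.6) and an application path (3.7) are all conditions of one rule, and the first rule whose conditions all hold decides. The following Python model is an added example written for this page, not Barracuda code. The object names InterNet, TrustedNet and Net-[adapter] follow the manual; the adapters, rules and addresses are constructed, and treating a connection that matches no rule as "unknown" (the case the "Ask for unknown outgoing/incoming connections" options cover) is an assumption.

```python
"""Added example, not part of the Barracuda manual: a minimal first-match rule tester
over Adapter, Net, Service and Application conditions.  Object names InterNet,
TrustedNet and Net-[adapter] follow the manual; all data below is constructed, and
"no rule matched = unknown connection" is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Adapter:
    name: str
    trusted: bool                 # Trust Type: Trusted / Untrusted
    networks: Sequence[str]       # IP networks living on the adapter


class NetObject:
    def __init__(self, name, entries=(), references=(), excluded=()):
        self.name, self.references = name, list(references)   # references: other Net Object names
        self.entries = [ipaddress.ip_network(e, strict=False) for e in entries]
        self.excluded = [ipaddress.ip_network(e, strict=False) for e in excluded]  # no references here

    def contains(self, ip: str, nets: Dict[str, "NetObject"]) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in x for x in self.excluded):
            return False          # an excluded entry wins over entries and references
        if any(addr in e for e in self.entries):
            return True
        return any(nets[r].contains(ip, nets) for r in self.references)


@dataclass
class ServiceObject:
    name: str
    protocol: str                 # "TCP", "UDP", "TCP/UDP" or "ICMP"
    port: Optional[int] = None    # None: port-less (ICMP) or any port

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return proto in self.protocol.split("/") and (self.port is None or self.port == port)


@dataclass
class Rule:
    name: str
    action: str                   # "Pass" or "Block"
    direction: str                # "Incoming" or "Outgoing"
    src: str                      # Net Object name of the source
    dst: str                      # Net Object name of the destination
    service: str                  # Service Object name
    adapter: str = "*"            # Adapter Object name, "*" = any
    application: str = "*"        # application path, "*" = any


def build_net_objects(adapters: List[Adapter]) -> Dict[str, NetObject]:
    """Predefined objects: InterNet = 0.0.0.0/0, TrustedNet = addresses of trusted
    adapters, Net-[adapter] = the networks of each adapter."""
    nets = {
        "InterNet": NetObject("InterNet", ["0.0.0.0/0"]),
        "TrustedNet": NetObject("TrustedNet", [n for a in adapters if a.trusted for n in a.networks]),
    }
    for a in adapters:
        nets[f"Net-{a.name}"] = NetObject(f"Net-{a.name}", a.networks)
    return nets


def probe_connection(rules, nets, services, direction, application, src_ip, src_port,
                     dst_ip, dst_port, proto, adapter) -> Tuple[str, Optional[str]]:
    """Walk the rules top to bottom; the first rule whose every condition holds decides.
    The source port is accepted for symmetry with the Tester dialog; services are
    matched against the destination port."""
    for r in rules:
        if r.direction != direction or (r.adapter != "*" and r.adapter != adapter):
            continue
        if r.application != "*" and r.application.lower() != application.lower():
            continue
        if not nets[r.src].contains(src_ip, nets) or not nets[r.dst].contains(dst_ip, nets):
            continue
        if not services[r.service].matches(proto, dst_port):
            continue
        return r.action, r.name
    return "Unknown", None        # no rule matched: an unknown connection


# Constructed environment: a trusted LAN adapter and an untrusted WLAN adapter.
ADAPTERS = [Adapter("LAN", True, ["10.0.8.0/24"]), Adapter("WLAN", False, ["192.168.1.0/24"])]
NETS = build_net_objects(ADAPTERS)
# Corporate = TrustedNet by reference, minus one guest box excluded explicitly.
NETS["Corporate"] = NetObject("Corporate", references=["TrustedNet"], excluded=["10.0.8.250/32"])
SERVICES = {
    "ICMP": ServiceObject("ICMP", "ICMP"),
    "DNS": ServiceObject("DNS", "TCP/UDP", 53),
    "ALL": ServiceObject("ALL", "TCP/UDP/ICMP"),
}
RULES = [
    Rule("DNS-out", "Pass", "Outgoing", "Corporate", "InterNet", "DNS"),
    Rule("Ping-in-trusted", "Pass", "Incoming", "TrustedNet", "Corporate", "ICMP"),
    Rule("Block-WLAN", "Block", "Outgoing", "InterNet", "InterNet", "ALL", adapter="WLAN"),
]

if __name__ == "__main__":
    print(probe_connection(RULES, NETS, SERVICES, "Outgoing", "*", "10.0.8.10", 51000, "8.8.8.8", 53, "UDP", "LAN"))
    print(probe_connection(RULES, NETS, SERVICES, "Outgoing", "*", "10.0.8.250", 51000, "8.8.8.8", 53, "UDP", "LAN"))
```

The excluded guest box is the instructive case: it lives in TrustedNet (the adapter is trusted), yet Corporate excludes it, so its DNS request matches neither the pass rule nor the WLAN block and surfaces as an unknown connection.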
Chapter 4 Operating & Monitoring Barracuda NG NAC

4.1 Box – Monitoring and Real-time Information
The Access Control Service provides extensive information about the currently available endpoints and their status. Both real-time and historical information are displayed when logging into the status window. The following tabs are available for operational purposes: 4.1.
Summary of the client's health status or more details of a failed connection. Values could be "Client is healthy". If the client is unhealthy, the column "Information" contains details about the failed health checks. "No rule matched", another possible information, means that identity matching failed.
• Healthstate
Last health state, which is one of the four "Healthy", "Unhealthy", "Probation", or "Untrusted".
• IsolationState
Possible values are "Access", "Not Restricted", or "Probation".
• Auth.
• Isolation
The categories "Not restricted", "Restricted", and "Probation" are available as filter criteria.
• IP
Filters the list for specific IP addresses.
• User
Filters the list for specific user entries.
• Type
Filters the list for entries of type "Health Evaluator", "Authenticator", or "Remediation", depending on the Access Control Service module which created the entry.
• Client
Filters the list for entries of type "Local Machine", "VPN", or "User".
By selecting this context menu entry on a selected entry, all entries with the selected client are displayed in a new tab. The criterion for identifying a computer is the computer's local machine secure identifier (SID).
• Visualize this Computer …
This entry visualizes the health state of the selected client. The graphical status at the top of the main window displays the summarized health state per day. Selecting multiple entries displays statistics of clients in state "Unhealthy", "Probation", and "Healthy".
• Entry / This Computer / -ALL-
Removes either the selected entry, all entries belonging to the selected client, or all entries from the cache.
• Ungroup
Displays all entries in a flat list instead of the default group view.
• Group by >
For better clarity, status entries may be grouped by their essential attributes such as time, IP address, or rule name. Entries are arranged in pop-up menus topped by a labelled title bar.
modifications or re-installation of the operating system. This means that the Access Control Service can assign health states to the proper client even if the IP address changes or a user logs out. The status tab displays only the last health status of a client. To get an overview of historical information, e.g. to display the different states of a client while cumulating identical states, change the view to the Access tab. Fig.
Chapter 5 Client Installation
Installation files for VPN client installation are provided on the Barracuda NG Firewall Application CD-ROM. You may alternatively download the installation package from Barracuda Networks. An MSI file is additionally provided for software distribution systems. Copy the installation files onto the local hard disk before commencing installation. Double-click setup.exe to start the installation routine.
• Barracuda NG VPN Client
• Barracuda NG SSL VPN and NAC Client (complete installation)
• Custom
A way to perform remote installation procedures is provided through customizable script files. Refer to the following chapters if you intend to install and configure multiple clients remotely.
• Unattended Setup: see 5.3 Unattended Setup, page 70
• Customer Setup: see 5.4 Customer Setup, page 73
5.
List 5–1 Complete Installation — section Barracuda NG Access Monitor – default settings
Parameter | Default
802.
Barracuda NG Network Access Client specific properties. The available options for this purpose are listed in table 5–1 and table 5–2. Save the following to a .cmd file and execute this file to trigger an unattended setup. Separate multiple specific properties with spaces:
Fig. 5–2 Exemplary silent.cmd file for unattended setup
@echo off
setup.exe /s /v"/qr CUSTOMER_INF=customer.inf PROGTYPE=R8 FW_NOTINSTALL=1"
All specific properties must be placed on a single line.
• Connect to the Internet with ADSL (PPTP)
See the description of parameter Connect to the Internet with ADSL (PPTP), page 120.
• Ask for adapter update confirmation
See the description of parameter Ask for adapter update confirmation, page 120.
• Access Control Server Address
This parameter defines the Access Control Server to be used.
• Ask for unknown outgoing/incoming connections
Selecting these checkboxes causes a dialog to pop up for each unknown connection.
5.4 Customer Setup
The customer setup is only available for the NG VPN Client. Customer setup is a comprehensive installation method, allowing you to fully preconfigure all NG Network Access Client settings on multiple installation systems remotely. Customer setup addresses the experienced system administrator. In addition to pure installation and basic configuration, it allows you to:
• Preconfigure an arbitrary number of connection profiles on the NG Network Access Client.
• Import license (.
The customer.inf file directs copying of required files and insertion of registry entries. It is divided into three sections of interest ("Customer Areas"):
• Customer Area [CustomerCopyFiles], page 74
• Customer Area [CustomerReg], page 75
• Customer Area [SourceDisksFiles], page 78
The content of the customer.inf file is case sensitive. Do NOT rename the customer.inf file. Remove nonessential parameters from the customer.inf file before applying it for Customer Setup. The files customer.
Table 5–3 File directives applicable in the "Customer Area" / [CustomerCopyFiles] (Directive / Comment)
• 0x00000800 (COPYFLG_NODECOMP): Copy the source file to the destination directory without decompressing it if it is compressed.
• 0x00000008 (COPYFLG_FORCE_FILE_IN_USE): Force file-in-use behavior: do not copy over an existing file of the same name if it is currently open. Instead, copy the given source file under a temporary name so that it can be renamed and used at the next reboot.
This section is used for creating profiles and defining default values. Table 5–4 Directives applicable in the "Customer Area" / [CustomerReg] Directive Comment reg-root Identifies the root of the registry tree for other values supplied in this entry.
Table 5–4 Directives applicable in the "Customer Area" / [CustomerReg] Directive Comment value This optionally specifies a new value for the specified value-entry-name to be added to the given registry key.
5.4.4 Section "3. Customer Area" / [SourceDisksFiles]
Fig. 5–5 Example for section [SourceDisksFiles]
[SourceDisksFiles]
; Files for disk Customer Files #1
; filename = diskid[,[ subdir][, size]]
customer.inf,,,1
customer.lic,,,1
active.
For an overview of specific properties see table 5–1, page 71.
5.5 System Restore The Barracuda NG Network Access Client installation and removal processes create restore points in the Windows System Restore area that you may use to restore your system to a previous state. Fig. 5–7 System Restore Refer to the OS help for details.
Chapter 6 Update or Migration 6.1 General If you are updating from a predecessor version, simply execute the setup executable and follow the on-screen instructions. If you have particular questions regarding the migration process, contact Barracuda Networks support. For migration, it is mandatory to have the setup file locally on your system. A network installation is NOT possible. If the Personal Firewall is installed, make sure to disable the Internet connection prior to migration.
Chapter 7 Uninstall 7.1 General Close all applications including the VPN client before uninstalling. You will be prompted to restart the system after uninstallation has completed. 7.2 Procedure To uninstall the client, browse to Start > Control Panel > Add or Remove Programs > Barracuda NG Network Access Client and click Remove.
Chapter 8 VPN Configuration 8.1 Overview Virtual Private Networks are an efficient and cost-saving way to use the internet as a transport alternative to dedicated lines or dial-up RAS while mitigating the security risks of internet communications. Two well-established technologies are used for data encryption: IPsec and SSL (Secure Sockets Layer). Most VPN implementations rely solely on IPsec, which has several disadvantages in modern network topologies, for example when traversing NAT devices and restrictive firewalls.
Optionally, the Barracuda NG SSL VPN and NAC subscription license is available. It enables SSL VPN functionality and includes the full Barracuda NG Network Access Client, including the centrally managed Barracuda NG Personal Firewall.
Table 8–3 Policy matching capabilities (Function / Comment)
• Antivirus (AV) product installed
• AV active
• AV realtime protection active
• Last AV scan time
• Enforce overdue AV scan
• AV engine version
• AV pattern version
• AV pattern max age
• Enforce overdue AV engine/pattern update
• AntiSpyware (AS) product installed
• AS active
• AS realtime protection active
• Last AS scan time
• Enforce overdue AS scan
• AS engine version
• AS pattern version
• AS pattern max age
• E
• Architecture
Table 8–5 Architecture (Function / Barracuda NG VPN Client / Barracuda NG SSL VPN and NAC)
• Integrated health agent: –
• Integrated VPN client
• Integrated personal firewall: – / managed
• Full entegra policy support
• OS requirements
Table 8–6 OS Requirements (Function / Barracuda NG VPN Client)
• Operating systems: Windows XP (32-bit), Windows Vista (32-bit/64-bit), Windows 7 (32-bit/64-bit)
• Disk space: 30 MB
• RAM: 512 MB / 1024 MB (Vista)
• Processor: Intel 1.
Chapter 9 Barracuda NG Personal Firewall 9.1 Overview The Barracuda NG Personal Firewall is a lighter version of the Barracuda NG Firewall especially designed for client usage. Nevertheless, most configuration options of the Barracuda NG Firewall are available. When connected to an Access Control Service or via VPN, the Barracuda NG Personal Firewall can accept rule sets sent from the Barracuda NG Firewall (depending on the used client license).
• Modify objects and rules that have been created in the History view by selecting Add Pass/Block - Traffic Policy … from the context menu (9.6.3 History, page 97) Firewall administration experience is recommended before manipulating the Barracuda NG Personal Firewall manually. 9.1.1 Integration within Windows 7 The Barracuda NG Personal Firewall integrates with Windows 7’s intrusion control system.
9.2 Rule Set Selection Fig. 9–2 Rule set selection Click Rule Set Selection … to select one of the available rule sets for viewing. The Local Rule Set is selected by default. Only the Local Rule Set may be edited in the Barracuda NG Personal Firewall.
9.3 User Interface The graphical user interface of the Barracuda NG Personal Firewall is built up of the following items: Fig.
9.4 General Firewall Settings and Tasks (Menu Bar) The following configuration items of the Barracuda NG Personal Firewall are accessible through the Menu Bar (use the ALT key to open/close the menu bar): • Firewall see 9.4.1 Firewall Menu, page 91 • View see 9.4.2 View Menu, page 93 • Security Mode see 9.4.3 Security Mode Menu, page 94 9.4.1 Firewall Menu • Save Configuration Select this item to save configuration changes immediately.
List 9–3 Firewall Settings > Network Objects Parameter Description Automatic Adapter Assignment Selecting this checkbox (default: selected) activates dynamic update of network interface adapters. When active, network adapters are automatically added to the Adapter Objects configuration area, when they are used the first time (9.8.6 Adapters, page 108).
• Export Firewall Rule Set … This item allows you to export the rule set from the Barracuda NG Personal Firewall to a text file. • Import Firewall Rule Set … This item allows you to import a rule set into the NG VPN client. The rule set may either originate from another Barracuda NG Personal Firewall or from a firewall configured on a Barracuda NG Firewall. • Close Firewall Window Selecting this item closes the Barracuda NG Personal Firewall configuration window. Fig. 9–5 Logging syntax of the phlog.
Displays every Access Control Server the client knows of. Fig. 9–7 Access Control Server IPs 9.4.3 Security Mode Menu The items in the Security Mode menu allow you to adjust the security level of the Barracuda NG Personal Firewall. • Block All Prohibit all traffic. • Disable Firewall (Allow All Traffic) Turn the firewall off and allow all traffic. • Barracuda Networks Secure Mode Activate the customized firewall rule sets.
9.6 NG Control Center - Monitoring Firewall Activities Items arranged in the NG Control Center give a review of application activities in the Barracuda NG Personal Firewall. The NG Control Center is divided into the following sub-items: • Summary see 9.6.1 Summary, page 95 • Events see 9.6.2 Events, page 96 • History see 9.6.3 History, page 97 • Live Activity see 9.6.7 Live Activity, page 100 9.6.
9.6.2 Events The Events view lists all applications that are currently running or have been executed on the machine, regardless of whether they have requested to pass the firewall. Double-click a list entry to view event details. Select Reload Logs from the context menu to reload the display of logged entries. Fig. 9–10 NG Control Center: Events window The listing is divided into the following columns: Table 9–1 Event view details (Column / Description) Date: Date and time the connection was initiated.
9.6.3 History The History view details the entire network traffic (established connections and connection attempts) since the last system boot. Fig. 9–11 NG Control Center: History window 9.6.4 Listing and Context Menu The listing is divided into the following columns: Table 9–2 History window details (Column / Description) Direction: Flags the connection direction (icon). Connection State: Flags the connection state (icons indicate, for example, granted connections). Date/Time: Date and time of traffic initiation.
Table 9–2 History window details (Column / Description)
• Destination: Destination IP of the connection.
• Port: Connection port.
• User: Name of the user who initiated the connection attempt.
• Traffic Policy: Name of the effective firewall rule.
• Info: Connection status (passed, blocked, failed).
• Count: Total number of connections processed over this slot.
• Last: Time elapsed since the last traffic over this slot.
• Service: Affected service object or UUID (Universally Unique IDentifier).
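The History columns above are what an analyst has to work with when deciding which blocked entries deserve a closer look. The following Python script is an added example and not code from the Barracuda NG Personal Firewall or this manual: it applies two triage checks to History-style records. The column names (Direction, Application, Protocol, Source, Destination, Port, User, Traffic Policy, Info, Count) and the Info values passed/blocked/failed are taken from the table; the record layout, the sample rows and the list of trusted networks are constructed for this example, since the manual does not document an export format.

```python
"""Triage of Personal Firewall History entries (added example, not product code).

Two checks that turn the History view into findings:
  1. an application whose outgoing attempts are blocked towards many distinct
     destinations (a process probing for a reachable command channel or scanning);
  2. blocked incoming connections from addresses outside the trusted networks.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Column order of the constructed records; names follow Table 9-2.
FIELDS = ("direction", "application", "protocol", "source", "destination",
          "port", "user", "policy", "info", "count")

# Constructed sample rows, not real client output. Addresses are documentation
# ranges, application names and PIDs are invented.
SAMPLE_HISTORY = [
    ("Outgoing", "browser.exe (1204)", "TCP", "10.0.0.5", "203.0.113.10", 443, "alice", "Allow-HTTPS", "passed", 12),
    ("Outgoing", "mail.exe (2020)", "TCP", "10.0.0.5", "203.0.113.25", 25, "alice", "Allow-SMTP", "failed", 2),
    ("Outgoing", "updater.exe (3311)", "TCP", "10.0.0.5", "198.51.100.7", 4444, "alice", "Block-Unknown", "blocked", 1),
    ("Outgoing", "updater.exe (3311)", "TCP", "10.0.0.5", "198.51.100.8", 4444, "alice", "Block-Unknown", "blocked", 1),
    ("Outgoing", "updater.exe (3311)", "TCP", "10.0.0.5", "198.51.100.9", 4444, "alice", "Block-Unknown", "blocked", 1),
    ("Outgoing", "updater.exe (3311)", "TCP", "10.0.0.5", "198.51.100.10", 4444, "alice", "Block-Unknown", "blocked", 1),
    ("Incoming", "svchost.exe (880)", "TCP", "192.168.1.7", "10.0.0.5", 445, "SYSTEM", "Allow-LAN-SMB", "passed", 3),
    ("Incoming", "svchost.exe (880)", "TCP", "203.0.113.50", "10.0.0.5", 445, "SYSTEM", "Block-Unknown", "blocked", 7),
]

# Assumed trusted networks (what the site would configure as Trusted Network).
TRUSTED_NETS = [ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def load_rows(raw_rows):
    """Turn the positional records into dicts keyed by column name."""
    return [dict(zip(FIELDS, row)) for row in raw_rows]


def blocked_fanout(rows, min_destinations=3):
    """Applications with blocked outgoing attempts to at least min_destinations hosts.

    Returns {application: sorted list of destinations}. 'failed' and 'passed'
    entries are deliberately ignored: only policy blocks count as fan-out.
    """
    destinations = defaultdict(set)
    for row in rows:
        if row["direction"] == "Outgoing" and row["info"] == "blocked":
            destinations[row["application"]].add(row["destination"])
    return {app: sorted(dests) for app, dests in destinations.items()
            if len(dests) >= min_destinations}


def _is_trusted(address):
    return any(ip_address(address) in net for net in TRUSTED_NETS)


def external_inbound_blocks(rows):
    """Blocked incoming connections whose source lies outside the trusted networks."""
    return [row for row in rows
            if row["direction"] == "Incoming"
            and row["info"] == "blocked"
            and not _is_trusted(row["source"])]


def report(rows):
    """Both checks in one structure, convenient for a ticket or a SIEM event."""
    return {
        "fanout": blocked_fanout(rows),
        "external_inbound": [(r["source"], r["port"], r["count"])
                             for r in external_inbound_blocks(rows)],
    }


if __name__ == "__main__":
    rows = load_rows(SAMPLE_HISTORY)
    for app, dests in blocked_fanout(rows).items():
        print(f"fan-out: {app} blocked towards {len(dests)} hosts: {', '.join(dests)}")
    for row in external_inbound_blocks(rows):
        print(f"external probe: {row['source']} -> port {row['port']} blocked {row['count']} times")
```

The Count column is what makes the second check cheap: a single blocked inbound row with a high count is one host retrying, whereas the first check needs distinct Destination values, which is why it keeps a set per application rather than summing counts.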
Translates IP addresses into hostnames, if possible. After each selection change, click the refresh button to refresh the view. Click the Group History by link to sort listing entries by topic. 9.6.6 History Filter Tab In the History Filter tab, filter conditions can be set to confine the view to the wanted entries. If filters apply, the History Filter tab is highlighted in yellow. Select the checkbox on the right side of an available filter to activate it and insert the condition to apply.
9.6.7 Live Activity The Live Activity view details all currently active connections. Fig.
9.6.8 Listing and Context Menu The listing is divided into the following columns: Table 9–4 Live Activity window details (Column / Description) Direction: Flags the connection direction (icon). Load: Displays the current connection load (icon scale). Date/Time: Date and time of traffic initiation. Application: Application name and its PID (Process ID). Protocol: Protocol assigned to the application. Source: Source IP of the connection. Destination: Destination IP of the connection. Port: Connection port.
9.6.9 Filter Conditions Click the filter button ( ) to open the Filter Condition window. This allows you to specify filter conditions in order to confine the view to the minimum wanted amount of entries. Fig. 9–13 Filter condition Click Activate to activate the filter settings. Click Disable to deactivate the filter settings. After having specified a filter, click to refresh the view. Click Capture to record traffic processed over the network interface.
The data acquired is saved as a CAP file in the local folder of the VPN client (C:\Program Files\BarracudaNG). A special viewer is needed to view the network traffic recorded in .cap files (for example Wireshark, www.wireshark.org). The capture contains complete packets, including any cleartext payload, so treat .cap files as sensitive. 9.7 Current State - Setting the Security Mode Clicking the link below this navigation item changes the effective state of the Barracuda NG Personal Firewall.
9.8.2 Rules The Rules view allows manual rule configuration. Rules controlling incoming traffic are arranged in the Incoming tab, rules controlling outgoing traffic are arranged in the Outgoing tab (figure 9–16). Personal Firewall rule sets are not capable of RCS (Revision Control System). Fig. 9–16 Rules window Button bar 9.8.
Table 9–6 Rule window - Context menu (Item / Description) Paste: Pastes the selected rule(s) from the clipboard. 9.8.4 Button Bar In the button bar, the Up and Down buttons complement the options available in the context menu (see above). Select a rule and click one of the buttons to shift the rule further up or down within the rule set. Alternatively, you can use drag&drop.
Configure the following connection details in the Rules view of the Rule Object window: List 9–5 Rule Object - Options in the Rules view (Item / Parameter: Description) Action: Select Pass to permit a connection request, Block to prevent it. Name: Insert a rule name into this field. Comment: For easier identification, insert a rule description (optional). inactive checkbox: Select this checkbox to disable a rule (default: unselected).
Configure the following connection details in the Advanced view of the Rule Object window: List 9–6 Edit/Create Rule Object - Options in the Advanced view – section Rule Mismatch Policy (Parameter / Description) Source / Service / Destination / Application / User / Adapter: • Continue on Mismatch (default) If this object does not match the connection, skip the rule and continue evaluation with the next rule. • BLOCK on Mismatch If this object does not match the connection, block the connection immediately; no further rules are evaluated.
9.8.6 Adapters The Adapters view allows you to view and configure network adapters available on the system. Adapters may be employed in firewall rules, in order to restrict rule processing to a specific adapter or a set of adapters only. Fig. 9–19 Adapter objects window The listing is divided into the following columns: Table 9–8 Adapter Object view details Column Description Name Name of the adapter object.
This object summarizes all wireless adapters available on the system (for example, WLAN cards). Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless adapters.
The following options are available: List 9–8 Edit/Create Adapter Object options (Parameter / Description) Name: Specify a name for the adapter object. Comment: Optionally, insert an adapter description. Trust Type: Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in Administration > Firewall Settings (Trusted Network, page 120). If you do not want to create a reference, select Untrusted.
In the Network Objects window, a number of dynamic network objects (flagged with the dynamic-object icon) are preconfigured. Dynamic objects are updated at runtime when the network configuration changes and cannot be edited manually. For dynamic update to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall Menu, page 91). • localIP The localIP object contains all IPs that are configured on trusted adapters, and a reference to the Net-Broadcast object.
This object includes the Multicast network 239.255.0.0/16. Click New … to open the Net Object dialog. Fig. 9–22 Net Object dialog Insert Name and Description of the Net Object for easier identification. In the Entry section insert IP/network address(es) of the new Net Object and/or specify a Reference to the Net Object, for example select an existing Net Object to refer to a new one. The Excluded Entry section allows excluding specific networks from a network object.
• Merging multiple services to one service object using references. Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator’s Guide. Fig.
Table 9–9 Service Objects available in the Personal Firewall (Service Name / Port / Protocol / Connection (O = outgoing, I = incoming) / Description)
• BOOTPS: 67, UDP, O; Bootstrap protocol; also used for DHCP (Dynamic Host Configuration)
• Kerberos: 88, TCP/UDP, O; Protocol for authentication in Windows 2000 environments
• NTP: 123, UDP, O; Network Time Protocol; used to synchronize the time of a computer client or server to another server or reference time source
• LOC-SRV/EPMAP: 135, TCP, O
• NETBIOS-NS: 137, UDP, O/I; NETBIOS; very common proto
Fig. 9–24 Application Object dialog
• Insert Name and Application Object Description for easier identification.
• Again, click New … to specify an application. The Application Entry Parameters window opens.
• Click Browse and select the file you want to create the object for.
• After selection, the path to the file and its inherent file description will be displayed in the Path and Description fields below.
• Optionally, insert a file description into the Comment field.
• Click Generate to create an MD5 hash that identifies the selected file unambiguously as soon as it is executed. MD5 hash creation is recommended so that a replaced or tampered binary at the same path is no longer matched by the rule after an attack. Keep in mind that MD5 is not collision-resistant: the hash reliably detects a modified or exchanged binary, but it does not protect against an attacker who prepared two colliding binaries in advance. Consider that when an application object with an MD5 hash is used on multiple clients, the file versions must match exactly; otherwise the application object will not be applicable. To delete the hash, click Clear. In addition to the application itself, first-level DLLs are taken into consideration.
9.8.10 Users The Users view allows you to create User and User Group objects, which may be employed in rule sets. Click New … to open the User Object window: Fig. 9–25 User Object dialog A user object is automatically created when a connection attempt is processed by the firewall. The object is then inserted into the corresponding rule. In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda NG Firewall are available for selection.
9.8.11 Rule Tester The Rule Tester view allows testing rule sets for consistency. Fig. 9–26 Rule Tester The following entities are available for rule testing: List 9–9 Rule Tester parameters – section TEST CONNECTION Parameter Description Direction This is the direction of the traffic policy (Incoming or Outgoing). Application To query for an arbitrary application leave the asterisk (*), which is set as default value.
List 9–9 Rule Tester parameters – section TEST CONNECTION (Parameter / Description) Test: Click Test to test the connection and display the test result in the section below. List 9–10 Rule Tester parameters – section TEST RESULT (Parameter / Description) Test Status Icon / Action: A connection attempt with the given values either fails or succeeds, depending on which rule applies. A failed connection is indicated by the block symbol and the Action field Block; a successful one by the pass symbol and the Action field Pass.
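The Rule Tester answers one question: given a direction, application, addresses and service, which rule fires and with what action. The Python script below is an added example that reproduces that evaluation; it is not code from the Barracuda NG Personal Firewall. The rule objects (Source, Destination, Service, Application, User, Adapter), the Pass/Block action, the inactive checkbox (list 9–5) and the per-object Continue/BLOCK on Mismatch policy (list 9–6) are taken from this chapter; the data layout, the "*" wildcard convention for an arbitrary application, the sample rule set, the application path and the implicit Block when no rule matches are assumptions of this example.

```python
"""First-match evaluation of a Personal Firewall style rule set with the
per-object Rule Mismatch Policy (added example, not product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CONTINUE, BLOCK = "CONTINUE", "BLOCK"
# Order in which the rule objects are compared (assumed; the manual lists them in this order).
OBJECTS = ("source", "destination", "service", "application", "user", "adapter")


@dataclass
class Rule:
    name: str
    direction: str                       # "Incoming" or "Outgoing" tab
    action: str                          # "Pass" or "Block"
    source: tuple = ("0.0.0.0/0",)       # network objects as CIDR strings
    destination: tuple = ("0.0.0.0/0",)
    service: tuple = (("*", "*"),)       # (protocol, port) pairs, "*" = any
    application: str = "*"               # executable path or "*"
    user: str = "*"
    adapter: str = "*"
    inactive: bool = False
    mismatch: dict = field(default_factory=dict)   # object -> CONTINUE | BLOCK (default CONTINUE)


@dataclass
class Connection:
    """What the Rule Tester's TEST CONNECTION section asks for."""
    direction: str
    source: str
    destination: str
    protocol: str
    port: int
    application: str = "*"               # "*" = arbitrary application, as in the Rule Tester
    user: str = "*"
    adapter: str = "*"


def _in_nets(address, nets):
    return any(ip_address(address) in ip_network(net) for net in nets)


def _service_match(protocol, port, services):
    return any((p == "*" or p == protocol) and (q == "*" or q == port) for p, q in services)


def _wildcard_match(rule_value, conn_value):
    # A rule with "*" accepts anything; a concrete rule value only matches the same concrete value.
    return rule_value == "*" or rule_value == conn_value


def object_matches(rule, obj, conn):
    if obj == "source":
        return _in_nets(conn.source, rule.source)
    if obj == "destination":
        return _in_nets(conn.destination, rule.destination)
    if obj == "service":
        return _service_match(conn.protocol, conn.port, rule.service)
    return _wildcard_match(getattr(rule, obj), getattr(conn, obj))


def evaluate(rules, conn):
    """Return (action, rule_name). rule_name is None when the implicit Block applies."""
    for rule in rules:
        if rule.inactive or rule.direction != conn.direction:
            continue                                  # wrong tab or disabled rule
        for obj in OBJECTS:
            if not object_matches(rule, obj, conn):
                if rule.mismatch.get(obj, CONTINUE) == BLOCK:
                    return "Block", rule.name         # BLOCK on Mismatch ends evaluation here
                break                                 # Continue on Mismatch: try the next rule
        else:
            return rule.action, rule.name             # every object matched: first match wins
    return "Block", None                              # assumed default when nothing matches


# Sample rule set (constructed). BROWSER is a hypothetical application path.
BROWSER = r"C:\Program Files\Browser\browser.exe"
RULES = [
    Rule("Allow-DNS", "Outgoing", "Pass", service=(("UDP", 53),)),
    Rule("Allow-Browser-HTTPS", "Outgoing", "Pass", service=(("TCP", 443),),
         application=BROWSER, mismatch={"application": BLOCK}),
    Rule("Allow-LAN-SMB", "Incoming", "Pass", source=("192.168.1.0/24",), service=(("TCP", 445),)),
    Rule("Old-Rule", "Incoming", "Pass", inactive=True),
]

if __name__ == "__main__":
    tests = [
        Connection("Outgoing", "10.0.0.5", "203.0.113.53", "UDP", 53),
        Connection("Outgoing", "10.0.0.5", "203.0.113.10", "TCP", 443, application=BROWSER),
        Connection("Outgoing", "10.0.0.5", "203.0.113.10", "TCP", 443, application=r"C:\Users\alice\dropper.exe"),
        Connection("Incoming", "203.0.113.50", "10.0.0.5", "TCP", 445),
    ]
    for conn in tests:
        print(conn.direction, conn.protocol, conn.port, conn.application, "->", evaluate(RULES, conn))
```

The third test connection is the case the mismatch policy exists for: with the default Continue on Mismatch, an unknown program on TCP 443 would simply fall through to whatever rule comes later, whereas BLOCK on Mismatch on the Application object turns the HTTPS allow rule into a hard stop for anything that is not the expected binary.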
Select a report and click Delete to delete the report from the Test Report window. 9.9 Administration - Firewall Settings Wizard Options available in the Firewall Settings view allow you to adjust the preconfigured local rule set of the Barracuda NG Personal Firewall. Changing a setting triggers either rule creation, rule deletion or a traffic policy change. Use this configuration area to customize the preconfigured rule set easily.
Table 9–11 Services and protocols employed by the ADSL rule Port 1723 9.9.
9.9.2 Automatic Rule Configuration If Ask for unknown outgoing/incoming connections has been activated in the Firewall Settings view (9.9 Administration - Firewall Settings Wizard, page 120), an unknown application/service requesting network connection will trigger a Security Alert pop-up window requesting authorisation. Fig.
Selecting the checkbox also makes the Advanced Policy … link available. Click the link to customize further connection details: Fig. 9–29 Security Alert - Advanced Policy Table 9–13 Security Alert – Advanced Policy options Column Description Only this Destination/Source This option binds the outgoing/incoming connection to a specific IP address. All Destinations/Sources Select this option to detach connection binding from a specific IP address (default).
Chapter 10 VPN Component Configuration 10.1 Create a New Profile Using the Profile Wizard For your convenience, you may use the Profile Wizard to easily create and configure a new VPN profile. Fig. 10–1 VPN Profile Wizard Context Menu Item To start the wizard, right-click anywhere within the empty white space in the Barracuda NG VPN Control window, followed by choosing New (Wizard)... from the context menu.
Fig. 10–2 VPN Profile Wizard > Profile Wizard The next window is titled Authentication Method. You can change the authentication method later if you have chosen the wrong one. Choosing Username and Password or SecurID will enable the Finish button, allowing you to complete the configuration process at this point. Fig.
If you have chosen Barracuda personal License, you will see the following window of the same title. To finish the configuration wizard, browse for the license file, then click Finish. Fig. 10–4 VPN Profile Wizard > Enter personal License If you have chosen Certificate, you will be taken to this dialog of the same title. Enter your certificate data and click Finish to complete the wizard. Fig.
You can later call the wizard again by right-clicking Modify Profile (Wizard) ... at the respective VPN profile entry. Fig. 10–6 VPN Profile Wizard - Modify Existing Profile Using the Wizard 10.2 Configure a New Profile Manually Double-click the Barracuda NG Network Access Client icon ( ) in the system tray to open the VPN component. This will bring up the client’s status window which is attached to the tray. Fig.
On the first start, or if no working VPN profile for automated connecting has been defined before, the client shows the Default profile’s Connect dialog as shown below: Fig. 10–8 NG VPN client – Connect dialog The VPN profile can be chosen using the Profile dropdown. Clicking Connect, either on the left-hand side or at the bottom, then initiates a connection using the chosen profile: Fig.
Clicking Preferences... will bring up the Barracuda NG VPN Control dialog wherein the necessary configurations can be made: Fig. 10–10 NG VPN client – Connect dialog The space on the right side of this screen is reserved for a list of VPN profiles. It will be empty on the first start. You may now create a new VPN profile by clicking New... which will bring up another window for configuring the profile. Insert a name for the connection entry into the Description field at the top.
• a browse button including a context menu
• a dropdown list (figure 10–11)
Fig. 10–11 Editing options of the VPN client dialog 10.2.1 Functional Elements of the Barracuda NG Network Access Client’s System Tray Icon Installing Barracuda NG Network Access Client adds a new icon to the system tray providing quick access to the main elements of the VPN client and Barracuda NG Firewall R8. Double-click the icon to open the VPN client Connection dialog (10.3 Connection Dialog, page 132).
Fig. 10–13 Close NG VPN Client informational window Shutting down the client also disables the personal firewall. Take that into account, especially if this is the only local firewall you are using. The whole Windows system needs to be restarted in order to restart the services. • NG Access Monitor … Opens the Barracuda NG Access Monitor, which provides information concerning the health state of the system.
• Close Closes the NG VPN Client window. 10.3 Connection Dialog The NG VPN Client can be started in the following ways:
• Click Connect after left-clicking the icon in the system tray.
• Use Start > All Programs > Barracuda NG Network Access Client > VPN Connector.
• Use the Pre-Connector (12.2 VPN Connector, page 167). For using the Pre-Connector, a profile must already be configured.
• Execute rvpn.exe (12.3 Remote VPN (rvpn), page 169). Before using Remote VPN, a profile must be configured.
• Use a proxy server to connect checkbox When use of a proxy server has been defined at profile creation time (10.6 Barracuda Networks Control / Preferences Dialog, page 137), then this checkbox will be selected by default, User/Password and Proxy Server will be displayed in the fields below at the same time. If the proxy server requires a password, you need to insert it into the respective field.
10.4 Status Dialog Use the Status dialog window to view properties of an established connection. Click Connect to establish a connection through the Status dialog. A profile for the connection needs to be chosen in the Connection dialog (10.3 Connection Dialog, page 132), though. Fig. 10–15 Status Dialog Technical Details tab: Technical Details section: • Client IP The assigned VPN client IP address (Source) and gateway IP address. • Domain The assigned domain.
Secure Routes section: If secured routes have been assigned to the client by the VPN server, then their values will be displayed in the fields Network and Subnet Mask. Connection tab: Connection section: • Status Status information on the current connection, may it be active, initiating or shutting down. • Duration The uptime for the current connection. • VPN Server The VPN server to which the client currently is connected. • VPN Server Time Local time on the VPN server.
• Tunnel Mode The currently used transport mode for the VPN tunnel. Can display a value of TCP, UDP or Hybrid. Cancel button: Use this button to terminate a connection. Only shown if a connection is currently active. Connect button: Click this button to initiate a connection. Close button: Click this button to close the VPN client window. The VPN control window will remain open.
10.6 Barracuda Networks Control / Preferences Dialog Click Preferences to open the Barracuda Networks Control panel. Barracuda Networks Control is the user interface for configuration of profiles and Barracuda NG VPN adapter settings and the management of certificates. Barracuda Networks Control is also accessible via the Windows Control panel. Shortcut icons reside within the Network and Internet Connections and the Security Center.
• Store The store into which the certificate was saved. • Status The connection status. If you are not connected, you may click Connect … in the context menu in order to establish a connection. If you are connected, you can click Disconnect in the context menu to terminate the connection. • ID This is the profile ID. Options menu:
• Connect... Select a VPN profile and click Connect to connect to a VPN server.
• Modify Profile …
• Copy Profile...
• Delete Profile...
Options section: • View … Opens a window with detailed certificate information. • Remove … Deletes the selected certificate from the certificate store. • Import … Imports the certificate to the certificate store. Supported certificate types are: DER encoded binary x.509, PKCS #12 certificates, PEM encoded binary x.509 Export Certificate To section: • • File … Clipboard Exports the certificate to a text file or to the clipboard for further use in another place.
General VPN Settings section: • Direct Access The VPN client can be configured so that it automatically reconnects to different gateways, if available. Upon an unwanted disconnection, reconnecting to the same gateway is tried three times. If this fails, a so-called "path finder connection" is initiated, trying a variety of pre-defined gateways and selecting the fastest one. This gives mobile users seamless access to corporate networks wherever they have Internet access.
10.6.4 Connection Entries Tab Fig. 10–19 Connection Entries tab • Enter a description of this connection entry field Insert a profile name into this field. The name entered will be displayed as profile name in the Connection dialog window. Certificate section: Choose the authentication method required by the VPN server. The chosen authentication type appoints further configuration parameters. Remote Server section: • Host names or IP addresses of remote server: The VPN server’s address.
10.6.5 Barracuda Authentication Barracuda Authentication requires a valid certificate file (*.lic). The .lic file must be saved locally on the client system using it. The following parameters are available for Barracuda Authentication: List 10–1 Parameters used with Barracuda NG authentication Parameter Description File Select the certificate (*.lic) file needed for authentication at the VPN server. Hash READ-ONLY After a certificate has been loaded, its hash is displayed in this field.
List 10–2 Parameters available for use with X.509 authentication (Parameter / Description) External File: Path to the external X.509 certificate. 10.6.
List 10–5 Advanced Settings tab – Data integrity and encryption (ESP) section Parameter Description Encryption algorithm [AES] The algorithm to be used for encryption. Tunnel Mode [Response (UDP)] The protocol to be used for tunnel traffic.
List 10–6 Advanced Settings tab – Tunnel Settings section Parameter Description Terminate Countdown (sec.) [2] Period in seconds to wait until a VPN connection is terminated. After reconnect adapter reset Reset the virtual adapter after reconnecting. This may help resolving connectivity issues. Connect retry time (sec) [Default: 60] A timeout period in seconds which will be used for reconnection attempts to the given profile.
10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only) Some parameters configurable in the Connection Entries and Advanced Settings (10.6.3 Advanced, page 139) tabs can be passed to the NG VPN Client through an .ini file. When a profile with Barracuda NG authentication is created the Barracuda NG Firewall Connector looks for an .ini file in the same directory as the .lic file is retrieved from. The .ini file is expected to be named equally to the .
Behavior of a DHCP client. Possible options are: 2 IP address is assigned directly (using Windows Management Instrumentation); 1 IP address is assigned dynamically (DHCP); 0 IP address is configured statically. • connectmode [corresponds to the Tunnel Mode dropdown list in the Advanced Settings tab] This parameter specifies the connection mode used. By default, this parameter is set to tcp. The alternatively available modes are shown in brackets ([]).
• Module row The module the respective log entry refers to. • Status row The status of several actions such as Internal loop, Add Routes (added routes), Refresh IP (client IP), etc.
Chapter 11 Barracuda NG Access Monitor 11.1 Overview 11.1.1 Access Monitor The Access Monitor is the key component of Barracuda NG Network Access Client. Its responsibilities include:
• Collecting information from the client computer necessary for health evaluation
• Communication with the Access Control Server
• Taking security measures depending on the health evaluation result returned by the Access Control Server
11.1.
11.2 Monitoring 11.2.1 Health Agent Fig. 11–1 Barracuda NG Access Monitor The Barracuda NG Access Monitor provides all necessary information regarding the client computers health state and network restriction.
Table 11–1 Barracuda NG Access Monitor Property Description Client Origin • Local Computer Health evaluation for the client computer is mandatory; if the health evaluation for the client computer is not successful, evaluation based on user credentials is not possible. • Current User When multiple users use the same computer it is possible to start health evaluation based on user credentials, matching each user with its own policy depending on his role in the network.
11.2.2 Advanced Status information If more information is required, the Barracuda NG Access Monitor provides additional information through the Barracuda NG Access Monitor Advanced dialog. This can be opened by either clicking the Health Condition link (see: Health Condition, table 11–1, page 150) or the Quarantine Status link (see: Quarantine Status, same table) in the Health Agent view. Fig. 11–2 Barracuda NG Access Monitor Advanced 11.2.
11.2.4 Communication Status Whenever the Barracuda NG Access Monitor is working, a status message is displayed below the message of the day group (figure 11–4). While the Barracuda NG Access Monitor is communicating, it is not possible to start a health evaluation. The following communication states exist for the Barracuda NG Access Monitor: Table 11–2 Health Agent states (State / Description) Initializing: The Barracuda NG Access Monitor is initializing before entering the operational state.
• Configure a valid Access Control Server IP address locally (see 11.3.2 Access Control Server IPs from Registry, page 160)
Use these instead if the Access Control Server IP addresses are distributed by DHCP:
• By using the Emergency Network Adapter Repair function/button (see 11.3.
11.2.6 802.1X Authentication - Port Security 11.2.7 Network Interfaces As seen in figure 11–7, the Port Security view lists all network interfaces available for 802.1X authentication in two groups: • • Managed Unmanaged Fig. 11–7 Port Security Managed network interfaces have been activated for the use of 802.1X authentication. The Barracuda NG Access Monitor provides several actions for all managed network interfaces when a wpa_supplicant is running for the network interface.
Table 11–4 Barracuda NG Access Monitor information for unmanaged network interfaces
Column Description
Status Shows the device status of the network interface; possible values are:
• Network cable unplugged
• Not connected
• Disconnected
• Connecting
• Connected
PAE state Port Access Entity status
EAP state Extensible Authentication Protocol status
Device Name The name of the device, as assigned by the manufacturer.
IP Address The IP address the network interface is using.
11.2.9 EAP Tracer Fig. 11–9 EAP Tracer The EAP Tracer allows you to view EAP and EAPOL packets captured by the Barracuda NG Access Monitor for every network interface which has the option Trace EAP Packets enabled (see 11.3.13 Capture 802.1X Traffic (EAP), page 164).
11.3 Configuration
Fig. 11–10 Barracuda NG Access Monitor Advanced Settings
List 11–1 Configuration – Advanced Settings
Parameter Description
Access Control Server IPs from Registry See 11.3.2 Access Control Server IPs from Registry, page 160
Access Control Server IPs from DHCP See 11.3.3 Access Control Server IPs from DHCP, page 160
ICMP Connectivity Checking See 11.3.4 ICMP Connectivity Checking, page 161
Offline Check See 11.3.5 Offline Check, page 161
Use Basic Authentication See 11.3.
11.3.1 Health Agent Connectivity This section holds all configuration options regarding the connectivity of the Barracuda NG Access Monitor. 11.3.2 Access Control Server IPs from Registry As shown in figure 11–11, the dialog allows creating, editing and deleting Access Control Server IP addresses, which are stored in the registry. It is possible to configure as many Access Control Server IP addresses as required to ensure continuous connectivity.
Edit… button. If required, clear the Access Control Server IP addresses, which are received through DHCP, with the button Clear Policy IPs. Fig. 11–12 Access Control Server IP addresses, received by DHCP. 11.3.4 ICMP Connectivity Checking As an advanced feature, the Barracuda NG Access Monitor is able to determine the connectivity to the Access Control Server using ICMP packets.
To edit this option manually, modify the following registry key:
Table 11–7 Registry entry for ICMP connectivity
Item Description
Path .DEFAULT\Software\Phion\phionha\settings\
Key UseConnectionState
Value (Default=1) 0 - disabled, 1 - enabled
11.3.6 Health Agent Authentication
11.3.7 Use Basic Authentication This option specifies whether basic user-password or certificate authentication should be used in case NTLM authentication fails.
11.3.9 802.1X Settings 11.3.10 IEEE 802.1X Authentication This option enables or disables the use of 802.1X authentication. When enabled, the Client will automatically start a wpa_supplicant for all network interfaces configured to use 802.1X authentication. To edit this option manually, modify the following registry key: Table 11–10 Registry entry for 802.1X authentication Item Description Path HKEY_USERS\.
Table 11–12 Registry entry for emergency network adapter repair
Item Description
Key AllowEmergencyRepair
Value (Default=1) 0 - disabled, 1 - enabled
11.3.13 Capture 802.1X Traffic (EAP) If enabled, the Barracuda NG Access Monitor captures all EAP (Extensible Authentication Protocol) and EAPOL (EAP over LAN) packets and saves them in the log directory located in the Barracuda NG Network Access Client installation directory. These files can be viewed using the EAP Tracer.
11.3.14 Log Settings Verbose output is essential for proper analysis, so logging can be enabled for both the Health Agent service and the Barracuda NG Access Monitor service to obtain detailed information; see 11.4 Log Files, page 165 for more information. 11.3.15 Barracuda NG Health Agent Logging To edit this option manually, modify the following registry key: Table 11–14 Registry entry to log clients Item Description Path HKEY_USERS\.
Table 11–16 Log Files
File Description
client.xml XML file containing the information about the client computer that is sent to the Access Control Server when a user-based health evaluation is performed.
connect.xml Information about connectivity and connection errors.
download.xml Contains data from the last download, such as the rule set, message of the day, …
downloadLocal.xml Contains data received when a local computer based health evaluation succeeded.
downloadUser.
Chapter 12 Pre-Connector and Remote VPN 12.1 General Pre-connectors and Remote VPN are tools that are meant to simplify or automate the logon procedure. Optionally, combined with a prior dial-up connection, they may also be used to log on to a domain remotely. 12.2 VPN Connector Create a connector to achieve the following:
• Enable a user to gain quick access to a preconfigured profile or multiple profiles.
• Place shortcuts to the connectors on the client's desktop.
12.2.1 Creating a Connector Prior to creating a Barracuda NG VPN connector, the connection profile must be configured (10.6.8 Advanced Settings Tab, page 143). The connector may then be created using one of two possible methods.
12.2.2 Connecting And Disconnecting using the Barracuda NG VPN Client To connect using the Barracuda NG VPN Client, double-click the corresponding shortcut (if available) or select the connector in Start > Control Panel > Network Connections. Enter the necessary information and click OK to start the VPN tunnel. To disconnect, double-click the corresponding shortcut (if available) or select the connector in Start > Control Panel > Network Connections and click Disconnect. 12.2.
List 12–1 Parameters contained in an rvpn profile
Parameter Description
-a [X, *] Local password [Certificate Password] (if any)
-aa Pop-up for local password
-cs [X] Client shutdown password protection. Prompts for the password defined in [X] whenever a user tries to shut down the VPN client. Leaving the password value blank deactivates this feature.
The following steps are carried out when a connection is to be established:
1.) Client opens a socket on the server, starts authentication and requests configuration
2.) Client receives configuration (IP, subnet mask, WINS, DNS, …)
3.) Client sends received information to the SPAC
4.) Client triggers ipconfig/renew for the Barracuda NG VPN Virtual Adapter
5.) SPAC answers DHCP requests for the Adapter with the configuration data
6.) Operating system reconfigures the Virtual Adapter
7.
Chapter 13 Example Configuration Introducing an up-and-running Barracuda NG Network Access Client environment involves several components, such as global objects, trustzone settings, Access Control Service and gateway firewall configuration. This section presents an overview of how simply an environment can be set up. For further details on individual parameters, please refer to the appropriate sections. Beginning to use Barracuda NG Network Access Client does not necessarily require complex policy rule sets.
13.1 Introduce Access Control Objects As a first step it is recommended to prepare the Access Control Objects. These objects should be ready for referencing during trustzone configuration. Setting up a Barracuda NG Network Access Client infrastructure usually starts with two different Welcome messages, two different Personal Firewall rule sets, and one Picture.
• Allow HTTP/HTTPS connections to the internet. Some antivirus products use HTTP/HTTPS to download up-to-date engines and patterns.
Fig. 13–2 Example configuration – Personal Firewall rule set – Access Control Service - Rules – Outgoing tab example view
Next create and edit the unrestricted rule set:
• For the unrestricted rule set, the Outgoing rules allow connections to the whole internal network.
• Add a pass rule using "LocalIPs" as source and "10.0.0.0/8" plus "172.16.0.0/24" as destination.
Administrators of stand-alone Barracuda NG Firewalls can avoid making this decision: you simply configure your trustzone within the Access Control Service > Trustzone node. As a guideline for a simple setup using a CC, we recommend using global trustzones or, alternatively, switching to range trustzones. Note that range or cluster based Access Control Services can only reference trustzones within the same administrative scope (not from another range/cluster).
13.4 Configure an Access Control Service Trustzone The main window of an Access Control Service Trustzone is split into a navigation bar on the left and the three policy rule sets on the right. To guarantee that our policy trustzone has a public/private key pair to properly authenticate clients to all participating Access Control Services, we initially need to create a Health Passport Signing Key (Settings > Identity > Health Passport Signing Key).
For the Identity Matching and Required Health State views, Basic and Advanced configuration dialogs exist.
First start with defining the criteria for Identity Matching: since the Access Control Service in this sample setup is only reachable using private IP addresses, we can restrict the Networks section to the private address ranges. The option Policy Matching (section Basic Matching) is set to One-of-following, so you don't need to specify further matching criteria. As a next step, define the required health conditions.
For the AV engine and for the AV patterns, the settings above accept the current version and also the two preceding versions. Companies usually already have mechanisms to perform regular updates of their AV engines and patterns; in the sample you can thus leave the setting AV Engine/Pattern Action at Manual.
In the sample you are not required to manually add "Network Access Policies". Instead you can set up the firewall rules of the gateway firewall using the implicit roles unhealthy, healthy, probation and untrusted.
13.5 Configure Forwarding Firewall Rule Set Enforcement of the security policy is provided by the Barracuda NG Network Access Client software installed on the endpoint itself. Whenever traffic leaves the local collision domain, Barracuda NG Firewalls can provide additional protection. To enforce the health policy, Barracuda NG Firewalls may interpret the access policy attribute assigned to the endpoint within their rule sets.
Fig. 13–8 Example configuration – Configure forwarding firewall rule set – Edit Rule: Healthy-Access-to-protected-Servers[Rule]
Fig. 13–9 Example configuration – Configure forwarding firewall rule set – Firewall - Rules
If user authentication is assigned to the firewall rule, only clients that fully conform to the policy ("healthy") or that are in the "probation" state are allowed to access the protected network.
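As an added example, not part of the manual and not Barracuda's implementation, the following Python script models how the two Personal Firewall rule sets of 13.1 and the role-gated forwarding rule of 13.5 decide on a connection: the restricted rule set lets a quarantined client reach only HTTP/HTTPS on the internet, the unrestricted set allows the whole internal network, and the gateway rule Healthy-Access-to-protected-Servers passes traffic only for endpoints whose access policy is healthy or probation. The client subnet standing in for "LocalIPs" (10.10.0.0/16), the protected server subnet (10.0.5.0/24), the rule names other than Healthy-Access-to-protected-Servers and all test addresses are constructed; the internal destinations 10.0.0.0/8 and 172.16.0.0/24 and the four role names are those the chapter uses.

```python
"""Model the health-policy-aware rule evaluation described in chapter 13 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Implicit roles the Access Control Service assigns to an endpoint (see 13.4).
HEALTHY, PROBATION, UNHEALTHY, UNTRUSTED = "healthy", "probation", "unhealthy", "untrusted"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str           # "tcp" or "udp"
    access_policy: str   # role currently assigned to the source endpoint


@dataclass
class Rule:
    name: str
    action: str                                      # "pass" or "block"
    sources: List[IPv4Network]
    destinations: List[IPv4Network]
    ports: Optional[FrozenSet[int]] = None           # None: any destination port
    protos: FrozenSet[str] = frozenset({"tcp", "udp"})
    required_roles: Optional[FrozenSet[str]] = None  # None: no health condition on the rule

    def matches(self, c: Connection) -> bool:
        src, dst = ip_address(c.src_ip), ip_address(c.dst_ip)
        if not any(src in net for net in self.sources):
            return False
        if not any(dst in net for net in self.destinations):
            return False
        if self.ports is not None and c.dst_port not in self.ports:
            return False
        if c.proto not in self.protos:
            return False
        # The access policy attribute gates the rule: an endpoint outside the required
        # roles simply does not match, so a later rule (or the final implicit block) decides.
        if self.required_roles is not None and c.access_policy not in self.required_roles:
            return False
        return True


def evaluate(rules: List[Rule], c: Connection) -> str:
    """First matching rule wins; a connection matching no rule is blocked."""
    for rule in rules:
        if rule.matches(c):
            return rule.action
    return "block"


# Constructed networks for the example.
LOCAL_IPS = [ip_network("10.10.0.0/16")]                             # stands in for "LocalIPs"
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/24")]   # destinations named in 13.1
PROTECTED_SERVERS = [ip_network("10.0.5.0/24")]                      # constructed protected subnet
ANY = [ip_network("0.0.0.0/0")]

# Restricted (quarantine) rule set: AV updates over HTTP/HTTPS only, no internal access.
RESTRICTED_RULES = [
    Rule("No-Internal", "block", LOCAL_IPS, INTERNAL),
    Rule("AV-Updates", "pass", LOCAL_IPS, ANY, ports=frozenset({80, 443}), protos=frozenset({"tcp"})),
]

# Unrestricted rule set: the whole internal network is reachable.
UNRESTRICTED_RULES = [Rule("Internal-Access", "pass", LOCAL_IPS, INTERNAL)]

# Gateway forwarding rule of 13.5: protected servers only for healthy or probation endpoints.
GATEWAY_RULES = [
    Rule("Healthy-Access-to-protected-Servers", "pass", LOCAL_IPS, PROTECTED_SERVERS,
         required_roles=frozenset({HEALTHY, PROBATION})),
]


def decide_all(c: Connection) -> dict:
    """Decision of each rule set for one connection, for comparing the three side by side."""
    return {
        "restricted": evaluate(RESTRICTED_RULES, c),
        "unrestricted": evaluate(UNRESTRICTED_RULES, c),
        "gateway": evaluate(GATEWAY_RULES, c),
    }


if __name__ == "__main__":
    for role in (HEALTHY, PROBATION, UNHEALTHY, UNTRUSTED):
        print(role, decide_all(Connection("10.10.1.5", "10.0.5.10", 445, "tcp", role)))
```

The endpoint's own rule set and the gateway rule are evaluated independently here, which is the layering the section describes: a quarantined client is first stopped by its restricted Personal Firewall rule set, and even a client whose local enforcement is missing is stopped at the gateway because its access policy attribute does not satisfy the rule.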
Chapter 14 802.1X – Technical Guideline 14.1 Overview Barracuda NG Network Access Client features the IEEE 802.1X standard for port-based network access control. The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.
Necessary for authentication; validates the client computer's identity information forwarded by the switch and notifies the switch which VLAN the client computer is assigned to. Because the switch acts as a proxy, the authentication service is transparent to the client.
• Access Control Server The Access Control Server is required to determine the health state of the client computer based on the information provided by the Barracuda NG Access Monitor service.
14.2.2 Using the Barracuda NG Access Monitor for Analysis The Barracuda NG Access Monitor provides, within its Port Security section, a list of all network interfaces capable of 802.1X together with their current status. Additionally, the Barracuda NG Access Monitor allows opening a command-line interface for the selected device.
To enable or disable verbose output, the registry entry below needs to be set:
Table 14–4 Key Logging
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key Logging
Value Enables or disables verbose output to be written (Default=0).
• 0 - disabled
• 1 - enabled
Changing this value takes effect immediately. This value may also be changed through the Advanced Settings of the Barracuda NG Access Monitor.
• ReAuthPeriod see 14.3.9 Periodic client re-authentication by the switch, page 193
• Guest-Vlan see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Vlan see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Max-Attempts see 14.3.11 Authentication Message Exchange, page 194
• QuietPeriod see 14.3.12 VLAN Assignment, page 195
The following output is the status of a network interface on the switch to which a client computer is connected.
14.2.5 Switch Console Interface For either administrative or informative purposes it is possible to connect to the switch using a telnet session. By default the console interface shows very little output. For higher verbosity it is recommended to enable debug information for various topics, as seen in the example. To enable or disable debug logs you must enter privileged EXEC mode.
• Token Ring
• FDDI
• Point-to-Point
14.3.2 Operational Sequence
14.3.3 Startup
1.) NG NAC services start
2.) Disabling Microsoft Windows 802.1X compliant software
3.) Starting the WPA supplicant
4.) WPA supplicant configuration
5.) WPA supplicant running
14.3.4 Runtime
1.) Re-authentication by the Client Service
2.) Re-authentication by the switch
3.) Re-authentication by the user using the command line
4.) Authentication Message Exchange
5.) VLAN Assignment
14.3.5 Shutdown
1.
2.) Disabling Microsoft Windows 802.1X compliant software Since Microsoft Windows ships with its own 802.1X compliant client software, the Client service needs to disable it before starting the WPA supplicant. The Microsoft 802.1X compliant client software consists of: Table 14–5 Microsoft 802.
This value can also be changed within the Advanced Settings of the Barracuda NG Access Monitor, IEEE 802.1X Authentication parameter.
Table 14–7 Key {adapter_uid}
Item Description
Path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phionuio\Parameters\Adapters\
Key {adapter_uid}
Value Enables or disables 802.1X authentication for the adapter with the specified adapter_uid (Default=0)
• 0 - disabled
• 1 - enabled
Changes of this value take effect immediately.
To resolve this problem, proceed with the following steps:
• Delete the corrupted configuration file. You will require elevated privileges to perform this step.
• Kill the process wpa_supplicant.exe. You will require elevated privileges to perform this step.
The Client service will then generate the configuration file based on the template.
5.) wpa-supplicant running A successful start of the wpa-supplicant can be verified by:
• The Process Explorer or Task Manager will show for every network interface using 802.
14.3.8 Re-authentication by the client service The client service is able to enforce a re-authentication at the configured interval (see 2.0.A), independent of the switch's configuration. After the configured number of seconds has elapsed, the Client service starts the authentication sequence by sending an EAPOL Start packet (see: 2.3.I) and waiting for the identity request that begins the authentication sequence (see: 2.3.II). Table 14–10 Registry entry for 802.
To disable periodic re-authentication, use the no dot1x re-authentication interface configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout reauth-period interface configuration command.
Fig. 14–5 Example
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x reauth-period 4000
The re-authentication started by the switch is illustrated in 2.3.II.
• A re-authentication is triggered manually on the switch by a user through the command-line interface.
Finally, section III shows the way the logoff command is sent to the switch in order to disable the line protocol on the port. There are several possibilities for the log-out process:
• The user shuts down the operating system on the client computer.
• The user logs off the operating system on the client computer.
• interface Specify the port to be configured, and enter the interface configuration mode
• dot1x timeout quiet-period Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is from 1 to 65535 seconds; the default is 60.
• end Return to the privileged EXEC mode.
• show dot1x interface Verify your entries.
To restore the default quiet time, use the no configuration command.
This value may also be changed by using the Advanced Settings screen within the Barracuda NG Access Monitor.
14.3.16 Shutdown 14.3.17 Operating System Shutdown When the client computer is shut down, the Barracuda NG Access Monitor sends a logoff command to the switch, causing the switch to disable the line protocol. 14.3.18 Operating System Logoff When a user logs off from the operating system, the Barracuda NG Access Monitor follows the same procedure as above. 14.3.19 Manual Logoff It is possible, if required, to log off manually using the Barracuda NG Access Monitor.
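The frames the EAP Tracer of 11.3.13 records, the EAPOL Start and identity request of the client-side re-authentication in 14.3.8, and the logoff of 14.3.17 can all be decoded with a short Python script. The decoder below is an added example, not code from the manual or from the Barracuda client: it parses raw Ethernet frames carrying EAPOL (ethertype 0x888E), labels each frame with its place in the 802.1X exchange, and rejects frames whose EAPOL or EAP length fields do not fit the captured bytes. The capture it runs on is constructed inside the script (the MAC addresses and the identity DOMAIN\host01$ are made up); the on-disk format the Access Monitor uses for its captures is not described in the manual, so the decoder takes frames as bytes.

```python
"""Decode 802.1X EAPOL/EAP frames and label their place in the exchange (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group MAC

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key",
               4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class EapolRecord:
    src: str
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    identity: Optional[str] = None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol_frame(frame: bytes) -> EapolRecord:
    """Parse one Ethernet frame carrying EAPOL; raise ValueError for anything else."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3):
        raise ValueError(f"unsupported EAPOL version {version}")
    body = frame[18:18 + length]
    if len(body) < length:                      # truncated capture or bogus length
        raise ValueError("EAPOL length field exceeds captured bytes")
    rec = EapolRecord(_mac(src), _mac(dst), EAPOL_TYPES.get(etype, f"unknown({etype})"))
    if etype != 0:
        return rec                              # Start/Logoff/Key carry no EAP packet
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length field inconsistent with EAPOL body")
    rec.eap_code, rec.eap_id = EAP_CODES.get(code, f"unknown({code})"), ident
    if code in (1, 2) and eap_len >= 5:         # Request/Response carry a type byte
        t = body[4]
        rec.eap_type = EAP_TYPES.get(t, f"unknown({t})")
        if t == 1:                              # Identity: type data is the identity string
            rec.identity = body[5:eap_len].decode("utf-8", errors="replace")
    return rec


def describe(rec: EapolRecord) -> str:
    """One-line summary of where a frame sits in the 802.1X exchange."""
    if rec.eapol_type == "EAPOL-Start":
        return "supplicant starts (or re-starts) authentication"
    if rec.eapol_type == "EAPOL-Logoff":
        return "supplicant logs off; switch disables the port's line protocol"
    if rec.eapol_type != "EAP-Packet":
        return rec.eapol_type
    if rec.eap_code == "Request" and rec.eap_type == "Identity":
        return "authenticator requests the supplicant's identity"
    if rec.eap_code == "Response" and rec.eap_type == "Identity":
        return f"supplicant answers with identity {rec.identity!r}"
    if rec.eap_code in ("Success", "Failure"):
        return f"authenticator reports {rec.eap_code}"
    return f"EAP {rec.eap_code} ({rec.eap_type})"


def build_frame(src: bytes, eapol_type: int, eap: bytes = b"", dst: bytes = PAE_GROUP_ADDRESS) -> bytes:
    """Construct a sample EAPOL frame (test data, not a real capture)."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(eap)) + eap


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    type_part = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(type_part)) + type_part


SUPPLICANT = bytes.fromhex("001122334455")     # constructed client MAC
AUTHENTICATOR = bytes.fromhex("00aabbccddee")  # constructed switch MAC

# Constructed capture: the re-authentication of 14.3.8 followed by the logoff of 14.3.17.
SAMPLE_CAPTURE = [
    build_frame(SUPPLICANT, 1),                                           # EAPOL-Start
    build_frame(AUTHENTICATOR, 0, build_eap(1, 7, 1), dst=SUPPLICANT),    # EAP Request/Identity
    build_frame(SUPPLICANT, 0, build_eap(2, 7, 1, b"DOMAIN\\host01$")),   # EAP Response/Identity
    build_frame(AUTHENTICATOR, 0, build_eap(3, 8), dst=SUPPLICANT),       # EAP Success
    build_frame(SUPPLICANT, 2),                                           # EAPOL-Logoff
]


def trace(frames: List[bytes]) -> List[str]:
    """What the EAP Tracer view would show for a list of frames."""
    return [describe(parse_eapol_frame(f)) for f in frames]


if __name__ == "__main__":
    for line in trace(SAMPLE_CAPTURE):
        print(line)
```

The identity response is the one frame in this exchange that travels in clear text, which is why the decoder exposes it: seeing an unexpected identity (or a Request/Identity that is never answered) in a trace is the quickest way to tell a mis-configured supplicant from a switch that has put the port into its quiet period or guest VLAN.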
14.4 Addendum
Table 14–18 WPA Supplicant Log File Identifiers
009 009 001 001 000 starting to reset 802.1x registry setting 002 stating session live time 010 finished resetting 802.1x registry settings 002 class C8021X Monitor 000 009 009 009 009 009 002 002 002 002 002 constructor 000 starting constructor 010 leaving constructor 003 reloading adapters 002 adding adapter to list to start supplicants 004 removing adapter from list to start supplicants 099 thread-id's of 802.
009 009 009 002 002 008 000 starting CheckAndStopService 001 error opening service manager 002 service %s not running 003 error opening service %s 004 service status for service %s 005 error in status query for service %s 006 stopped service %s 007 error stopping service %s 008 finished waiting for service to stop 009 error in status query for service %s while waiting to stop 010 leaving CheckAndStopService 009 shutdown / deletion
009 009 009 009 009 003 003 003 003 003 003 004 005 007 user authentication 001 logging in as user username 002 reassociation loop 002 VLAN changed/unchanged, reassociate 004 switched 802.
009 004 004
In order for RADIUS authentication to succeed with the above mentioned switch and software, "Authentication, Authorization and Accounting" needs to be disabled. This can be done by the following procedure:
Command:
• configure terminal Enter global configuration mode
• no aaa accounting dot1x default group Disable accounting for 802.1X. The parameter sets the default group holding the attributes for RADIUS authentication. The group is configured and available by default.
Chapter 15 Appendix
15.1 customer.inf File Template
Table 15–23 customer.inf File Template
Customer Install Files Template code ready for copy-and-paste is listed below this table.
; -------------------------------------------------------------------------------------------
; customer.
; 1 -> X509 authentication
; 2 -> User / Password
; File: license (0x00000000)
; Subject: license (0x00000000)
; Microsoft Certificate Store Lookup: CertSearchOrder (0x00010001)
; 0 -> Lookup with Subject
; 1 -> Lookup with Issuer
; Use Serial Number: certserialnumber (0x00000000)
; Private Encrypt: PrivateEncrypt (0x00010001)
; Probe Encryption: ProbeEncryption
; Trust -> Trust
; CA -> CA
;
; Terminate Countdown (sec.): TerminateCountdown (0x00010001)
; Show Popup: ShowPopup (0x00010001)
; Close after Connect: CloseOnConnect (0x00010001)
; ----------------------------------------------------------------------------
[PhionCustomerReg]
; reg-root, [subkey], [value-entry-name], [flags], [value]
HKU, .DEFAULT\Software\Phion\phionvpn, CustomerINF, 0x00000000, "%65600%\customer.inf" ; important, do not remove
;
; Profile 1 Example with phion.
[DestinationDirs]
PhionCustomerCopyFiles = 65600

[SourceDisksNames]
1 = %DiskId1%,,,""

;---------------------------------------------------------------------------
; Localizable Strings
;
[Strings]
ph = "Phion"
DisplayClassName = "Phion Customer Files"
Phion = "Phion AG"
*Phiond.DeviceDesc = "Phion Customer Files"
Phion.DeviceDesc = "Phion Customer Files"
*Phion.DeviceDesc = "Phion Customer Files"
phionvpn.Service.
Table 15–24 VPN Profile Registry Keys
; Encryption Algorithm: encryption (0x00010001)
; 1 -> None
; 2 -> 3DES
; 4 -> AES
; 8 -> Cast
; 16 -> Blowfish
; 32 -> DES
; 64 -> AES256
;
; Tunnel Mode: mode (0x00010001)
; 1 -> Reliability (TCP)
; 2 -> Response (UDP)
; 3 -> Optimized (Hybrid)
;
; Virtual Adapter Configuration: dhcp (0x00010001)
; 0 -> Assign IP address manually
; 1 -> Use internal DHCP assignment (default)
; 2 -> D
;
; Certificate Store: store (0x00000000)
; MY -> MY
; Root -> Root
; Trust -> Trust
; CA -> CA
;
; Terminate Countdown (sec.): TerminateCountdown (0x00010001)
; Show Popup: ShowPopup (0x00010001)
; Close after Connect: CloseOnConnect (0x00010001)
15.3 Profile Registry Keys
"Hardcoded Access Control Server IPs"
[HKEY_USERS\.DEFAULT\Software\Phion\phionha\PolSrv]
"1"="172.22.1.162"
[HKEY_USERS\.
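The entries the manual documents under HKEY_USERS\.DEFAULT\Software\Phion\phionha (PolSrv above, UseConnectionState in table 11–7), HKEY_USERS\.Default\Software\phion\phionvpn\settings (Logging in table 14–4) and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phionuio\Parameters\Adapters ({adapter_uid} in table 14–7) can be audited from a .reg export of those keys. The following Python script is an added example, not the manual's or Barracuda's code: it parses the string and DWORD value syntax that a registry export produces and reports the hardcoded Access Control Server IPs, whether the ICMP connectivity check and verbose logging are on, and which adapters have 802.1X enabled, applying the documented defaults where a value is absent. The sample export is constructed; only the first PolSrv address (172.22.1.162) comes from the page, and the second server and the adapter GUIDs are made up.

```python
"""Audit Barracuda NG Network Access Client settings from a .reg export (added example)."""
import re
from typing import Dict, List

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg escapes backslashes and quotes inside string values
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the string and DWORD subset of .reg syntax into {key: {value_name: value}}.

    Key paths and value names are lower-cased because the registry compares them
    case-insensitively (the manual itself writes both Phion and phion)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name = (m.group(1) or "").lower()            # "" is the (Default) value written as @=
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = _unescape(rhs[1:-1])
        else:
            keys[current][name] = rhs                 # hex(...) and other types kept verbatim
    return keys


PHIONHA = r"hkey_users\.default\software\phion\phionha"
PHIONVPN_SETTINGS = r"hkey_users\.default\software\phion\phionvpn\settings"
ADAPTERS = r"hkey_local_machine\system\currentcontrolset\services\phionuio\parameters\adapters"


def audit(keys: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Summarise the documented settings, applying the manual's defaults for missing values."""
    polsrv = keys.get(PHIONHA + r"\polsrv", {})
    settings = keys.get(PHIONHA + r"\settings", {})
    vpn = keys.get(PHIONVPN_SETTINGS, {})
    adapters = keys.get(ADAPTERS, {})
    # Access Control Server IPs from Registry (11.3.2): numbered values, in numeric order.
    acs_ips: List[str] = [str(polsrv[n]) for n in sorted((n for n in polsrv if n.isdigit()), key=int)]
    return {
        "acs_ips": acs_ips,
        "icmp_connectivity_check": settings.get("useconnectionstate", 1) == 1,   # default 1 (table 11–7)
        "verbose_logging": vpn.get("logging", 0) == 1,                           # default 0 (table 14–4)
        "dot1x_adapters": sorted(uid for uid, v in adapters.items() if v == 1),  # default 0 (table 14–7)
    }


# Constructed export; the first PolSrv entry is the address shown in 15.3, the rest is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Phion\phionha\PolSrv]
"1"="172.22.1.162"
"2"="172.22.1.163"

[HKEY_USERS\.DEFAULT\Software\Phion\phionha\settings]
"UseConnectionState"=dword:00000001

[HKEY_USERS\.Default\Software\phion\phionvpn\settings]
"Logging"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phionuio\Parameters\Adapters]
"{11111111-2222-3333-4444-555555555555}"=dword:00000001
"{66666666-7777-8888-9999-000000000000}"=dword:00000000
"""

if __name__ == "__main__":
    for name, value in audit(parse_reg(SAMPLE_REG)).items():
        print(f"{name}: {value}")
```

A real export written by reg.exe is UTF-16 with a byte-order mark, so read the file with that encoding before handing its text to parse_reg; the script is otherwise platform-independent, which is what makes it usable on a collection server rather than only on the client itself.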
• The message VPN Gateway not reachable via VPN tunnel is logged to the events window. Open the Expert tab (10.6.8 Advanced Settings Tab, page 143) and change from Virtual Adapter Configuration to Direct assignment or the other way around.
• The message Session PHS: signature check failed (bad decrypt) is logged to the events window. Deactivate Private Encrypt (10.3 Connection Dialog, page 132, Parameters available for use with X509 authentication, page 142).
15.5 Configuration Parameters
802.1X [2]
802.1x Enable [5]
Direction [9]
Disable Barracuda NG Personal Firewall [5]
Disable Windows Firewall [9]
PHIBS Authentication Scheme [2]
PlugIn [3]
PlugIn [9]
Use Access Control Service [10] 144
Use Basic Authentication [11]
Use NTML Authentication [11]
Chapter 6 Update or Migration
Chapter 7 Uninstall
Chapter 8 VPN Configuration
Chapter 9 Barracuda NG Personal Firewall
List 9–1, List 9–2, List 9–3, List 9–4, List 9–5, List 9–6, List 9–7, List 9–8, List 9–9, List 9–10, List 9–11, List 9–12
Firewall Settings > Protocol Option
Firewall Settings > Protocol File
15.7 Figures
Chapter 1 Introduction
Figure 1–1 Barracuda NG Network Access Client environment
Figure 1–2 Client-Server actions during connection, health validation and assigning network access
Figure 1–3 Trust Relationships
Chapter 9 Barracuda NG Personal Firewall
Figure 9–1 Windows 7 Windows Firewall and Action Center screens
Figure 9–2 to Figure 9–29
Chapter 13 Example Configuration
Figure 13–1 Example configuration – environment
Figure 13–2 Example configuration – Personal Firewall rule set – Access Control Service - Rules – Outgoing tab example view
Figure 13–3 to Figure 13–9
Barracuda Networks Warranty and Software License Agreement 0.1 Barracuda Networks Limited Hardware Warranty 1. Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc.
FOR AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL REFUND TO YOUR PLACE OF PURCHASE. 1.
RESOURCES, ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.
13. Assignability. You may not assign any rights or obligations hereunder without prior written consent from Barracuda Networks. 14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty (60) days after they first appear on the statement you receive from your bank, Credit Card Company, other billing company or Barracuda Networks.
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.
legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms.
Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.
each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License.
the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number.
think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library".
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License.
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. You may embed this Package's interpreter within an executable of yours (by linking); this shall be construed as a mere form of aggregation, provided that the complete Standard Version of the interpreter is so embedded. 6.
1.7 "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8 "License" means this document. 1.9 "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is: A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications. B.
(d) Notwithstanding Section 2.
3.6. Distribution of Executable Versions. You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that: (a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.
EXHIBIT A - Mozilla Public License. "The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/ Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.
list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the John Lim nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity.
NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CODE PROJECT OPEN LICENSE ("LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HEREIN, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE AUTHOR GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
e. You may distribute the Executable Files and Source Code only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy of the Executable Files or Source Code You distribute and ensure that anyone receiving such Executable Files and Source Code agrees that the terms of this License apply to such Executable Files and/or Source Code.
Barracuda Networks Products may contain programs and software that are Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Barracuda Networks Products may contain programs and software that are Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo". 4.
(tjh@cryptsoft.com)". THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ---- Portions of this code are copyright (c) 2001, Cambridge Broadband Ltd. All rights reserved.
a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version. b) accompany the distribution with the machine-readable source of the Package with your modifications.
HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
or use of this software must display the following acknowledgement: "This product includes software developed by Yen Yen Lim and North Dakota State University" 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
Portions Copyright 1989 by Carnegie Mellon.
a) If you make changes to Vim yourself, you must clearly describe in the distribution how to contact you. When the maintainer asks you (in any way) for a copy of the modified Vim you distributed, you must make your changes, including source code, available to the maintainer without fee. The maintainer reserves the right to include your changes in the official version of Vim. What the maintainer will do with your changes and under what license they will be distributed is negotiable.
EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 2.4 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2.4 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 2.
Barracuda Networks makes the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available. (v2.