Zorp 3.4 LTS Installation Guide

Zorp is a component-based, object-oriented, event-driven and modular proxy firewall suite, making it possible to fine tune proxy decisions with its built-in script language, in order to fully analyze complex protocols (like SSL with embedded HTTP connection), and to utilize outband authentication techniques.

Hardened OS: A firewall consists of several important components and one of them is the underlying operating system. It has to be special in many ways. First, it has to be as stable as possible, since the firewall is the gate to the protected network; every part of it is crucial. Breaking into the operating system of the firewall means that the protection evaporates, thus every single daemon or program running on the OS has to be carefully analyzed and modified to meet the requirements. Second, in security less sometimes means more: to minimize the risk only the needed elements are installed, also making the maintenance of the OS more effective. Zorp contains a ZorpOS, a Linux-based operating system hardened for security. ZorpOS is available on the installation media, and the Zorp installer installs it.

Zorp: Zorp is bundled with an operating system customized for firewall needs. ZorpOS provides only the necessary components and its special settings protect it from external compromising. The installation CD-ROM is bootable and boots directly a graphical setup program which makes the installation of the hosting OS and the firewall components very easy.

Flexibility: The firewall configuration should be based on the security policy of the organization and it is a bad idea to limit the security policy according to the restrictions of a given firewall product. The flexibility of Zorp lies in the technology itself, since all details of the protocols are already available, thus customized behavior according to any local security policy is possible. For the purpose of configuration files a descriptive language is necessary that does not restrict the possibilities. BalaBit has chosen a programming language for this task which has already proven itself in many different fields: Python.

Transparent: Internal users do not need to know that all their requests go through a firewall, provided that their requests are allowed by the local security policy enforced by the firewall. No special client program or configuration is required.

Application level gateways: Zorp belongs to the group of application level firewalls, a technology recognized to be the best perimeter defense. The traffic crossing the firewall is processed, analyzed and forwarded by so-called proxies (protocol analyzers). The security provided by an application level firewall can be measured by how well the protocol analysis is done. All proxies in Zorp were developed to perform the best possible analysis. Zorp is able to analyze the following protocols: FTP, HTTP, SSL, POP3, FINGER, WHOIS, MIME, NNTP, IMAP, TELNET, PRINTER, RADIUS, RSH, TFTP, SMTP (both SMTP proxy without queuing capability and Postfix MTA as a native proxy is available), Oracle Net8, LDAP, VIRUSBUSTER, MSRPC, SSH, SIP and TCP/UDP-PLUG. See the Zorp Reference Guide for details on the proxies.

Modularity and subprotocol analysis: Application level protocols often contain further subprotocols. A good example is HTTPS, which is frequently used when transferring sensitive data in e-business systems. It is nothing else but a simple HTTP protocol (which is used for accessing the World Wide Web) wrapped into SSL (Secure Sockets Layer, now also known as TLS) which accomplishes encryption. Other firewall products cannot control the contents of the embedded protocol (HTTP in the example above), leaving you with two options: either banning HTTPS completely or letting the given traffic pass through without any supervision. The modularity of Zorp makes the control of the embedded protocols possible, since all proxies are modules attachable to other proxies. Of course modularity is not limited to HTTPS, processing POP3S, IMAPS is also possible. Virus detection and various content filtering in the data part of the passing traffic can also be performed.

Native proxies: Zorp includes hardened implementations for mail (SMTP), DNS and NTP service.

URL-filtering and screening: Enables you to disallow visiting undesirable websites. You can use a blacklist of these sites and Zorp will block client-queries for those URLs.

Virus scanning: Stackable virus protection module gives virus scanning capability in any protocol.

Session authentication: The basis of access control in Zorp is the zone system that is projected on the IP subnets of the protected network.

However, with the help of ZAS session-level regulation can be accomplished. In this case the user has to authenticate him/herself to access one of the services (e.g. web browsing, ftp use, etc.) provided by the firewall.

ZAS supports "inband" and " outband" authentication. "Inband" authentication can be used for protocols that are prepared for authentication (for example HTTP which supports proxy authentication). In case the service does not aid authentication at the protocol level, the "outband" method can be adopted. In such cases a program called Satyr is used on the client computers of the protected network. As the client establishes connection through the firewall (uses one of its services), the user has to authenticate him/herself with the help of Satyr. The session can pass through the firewall if and only if the authentication was successful.

ZAS supports the following authentication methods: username/password, CRYPTOCard RB-1, S/key one-time-password, X.509, Kerberos Tickets.

ZAS can be integrated into the following authentication back-ends: Radius, LDAP, PAM, HTPASS.

Centralized log management: Zorp is bundled with syslog-ng providing a reliable solution for remote logging. Syslog-ng offers flexible filtering and categorizing features and therefore it is one of the most widely deployed logging software used for central log management implementations. A further advantage is that in contrast with traditional syslog implementations, syslog-ng allows the use of TCP, getting rid of the unreliability of the UDP protocol.

Logging can be an efficient mechanism for the detection of intrusion attempts. With the help of logging invaluable information about the state of our network, intentions of the attackers, and possibly their identities can be obtained. If all log information is collected into one central server the analysis of the log files shows an overall picture about the state of the whole system.

VPN: Firewall to firewall and firewall to client VPN (Virtual Private Network) offers privacy and integrity protection for network traffic between your internal private network and remote corporate sites or networks. Zorp includes an IPSEC compliant VPN implementation featuring high security encryption with key length over 128 bits.

Zorp Management System: ZMS is a central management system that handles the firewall as a whole, which means that in addition to the functions of Zorp you can also configure almost all elements of the host it is running on: system logging, operating system settings, network interfaces, packet filtering and so on. ZMS also includes system health monitoring functionality which further increases availability as alerts are sent whenever a system condition becomes critical.

Another important property of a product is how it suits the demands of the administrators when used daily. The two most commonly used methods for management are the graphical interface and the command line - both of them available in Zorp. The graphical interface is the command center of the complete firewall solution including the operating system, VPN tunnels, key management, hardware and software monitoring and Zorp itself. The other method, changing and editing configuration files directly through the command line is also possible. The system consists of the management console (ZMC) that is running on an administrative workstation (Windows or Linux), the Management Server (ZMS) that stores and manages the configurations, and the firewall(s). While the management server and firewall can be installed on the same host, this is not possible with the management console. Naturally, the security of the communication between various components is always accomplished at the highest possible level, meaning that the traffic is encrypted using SSL and the endpoints are authenticated by X.509 certificates to each other. ZMS is suitable for the centralized management of several firewalls, firewall clusters in accordance with the requirements of the organization.

PKI management: Encrypted communication has no point without strong authentication of the remote peer. In SSL/TLS - the protocol used by Zorp management protocols - an X.509 certificate is used for authentication purposes.

All the elements of Zorp and ZMS were made to fit into enterprise PKI systems, though it is also possible to generate all keys and certificates with the CA functionality built into ZMS. The CA module supports the management of keys, certificates and revocation lists for IPSec VPN endpoints, session authentication, SSL links and management devices. The solution also supports cooperation with an already deployed PKI system as it can receive the necessary data (key, lists, etc.) from an external CA.

Clustering: Clustering is a commonly used technique to provide a more reliable service via increased availability. The aim is to minimize the downtime caused by hardware or software based problems.

This can be accomplished by using an additional software together with two or more computers, to remove any possible SPOF (Single Point of Failure) situations. The cluster is customizable according to the required availability. The choice of the number of computers, the make of the individual computers and environmental conditions all affect the cost and availability.

As the firewall supervises traffic going in or out of the protected networks its outage is not acceptable, thus Zorp supports clusters in two different ways:

Support: You can obtain support directly from BalaBit IT Ltd. or from authorized partners. All sold copies contains a free 30-day support package via e-mail with warranted response time, and free bugfixes for the given major version. Other support options are available, please contact us for details.

Minimal hardware configuration: Zorp currently runs best on 64bit capable x86-based computers, equipped with at least a 233MHz Pentium class processor, at least 512MB main memory, and 8GB hard disk space for the operating system and virtual memory. Additional disk space is needed for the mail queue and log files, both depending on the traffic mediated through the firewall.

	Tip
	For increased performance use fast SCSI disks, possibly using separate disks for the system and variable data.

Correctly sizing the hardware is a difficult task. Actual hardware requirements of a running system depend on many things, and taking everything into account is rarely possible. The three most demanding aspects of transmitted traffic are: number of new/parallel sessions, bandwidth, and log subsystem settings.

The number of parallel sessions directly affects memory and CPU usage. In addition to standard operating system memory requirements, Zorp uses memory for each established session. 64-128MB is sufficient for the OS to operate. For each and every running Zorp instance about 10-20MB is required depending on the complexity of the configuration (zones, proxies, services etc.). For each additional session about 200kB is needed (kernel socket buffers, thread specific data, dynamic proxy state information etc.). On an average firewall handling 500 sessions in 10 instances approximately 256-768MB RAM is required. The required memory really depends on the complexity of the policy (content filtering can really increase the needs due to the various data buffers).

The question now is how many sessions a given number of clients generate. It can be assumed that peak load is caused by HTTP traffic, which is the most demanding application on the Internet today. Each object on the World Wide Web is fetched by a separate session of HTTP if keep-alive connections are not allowed, and a single web page consists of many objects as each picture is an object on its own. If keep-alive is allowed then only a few sessions are used by a client, and a good estimate is that a single browser opens four sessions simultaneously to fetch a page and additional graphics. So if you had 100-120 clients browsing constantly, your firewall would have to handle 400-480 sessions at a time as a peak.

Bandwidth adds another aspect to hardware requirements. You might need a single session only, but that single session could require 155Mbit/sec fully saturated. This defines CPU requirements, but this is much more difficult to estimate. The CPU power is required mainly by session startup and by complex policies (like lot of customization). Of course the bandwidth is important as well. An average 2-3GHz CPU with enough memory can handle about 50-100-150 new sessions per second depending on the type of traffic. For performance tests please consult your Zorp support partner.

Default log settings of Zorp generate about 3-400 bytes of log messages for a single session. On a firewall serving 100000 sessions a day, this means 30-40MB of log. Increasing the verbosity level adds to this amount. You should carefully fine tune the logging subsystem by selecting the messages you are really interested in, thus decreasing both storage and runtime demands.

	Tip
	Use reliable/brand hardware for your firewall with dual power supply and UPS. It can spare you a good amount of work and headache.

Hardware compatibility: As Zorp runs on the top of Linux, any hardware supported by Linux is also supported by Zorp.

Minimal hardware configuration: The management server currently runs best on x86 based computers, equipped with at least a 500MHz Pentium class processor, at least 512MB main memory, and 1GB hard disk space for the operating system and virtual memory. Additional disk space is needed for the database and for the log files.

Content vectoring consumes significantly more resources then a simple Zorp host. The exact requirements depend heavily on the actual traffic and the type and extent of the content analysis.

Minimal hardware configuration: At least a Pentium 4 class processor and 1GB RAM is required for ZCV to run efficiently. The minimal hard disk requirement is 2 GB, but significant amount of additional space can be required for quarantining, temporarily unpacking archives, and logging.

Minimal hardware configuration: ZMC currently runs best on x86 based computers with a graphical operating system. ZMC runs on Debian GNU/Linux with X Window System, and on Microsoft Windows 2000 or XP operating systems. A 600MHz CPU with at least 192MB RAM is needed, but for larger configurations a 2GHz CPU with 512MB RAM is recommended.

Zorp can handle most modern hardware components commonly found in gateways and servers. For a complete list of supported hardware components, visit the BalaBit website.

The ZorpOS operating system can be auto-booted from the Zorp DVD and the installation starts automatically.

	Note
	The BIOS settings of the computer may have to be modified to enable booting from the DVD. If unsure how to do it, please consult the documentation of your motherboard. After successfully adjusting the boot sequence, insert the DVD and restart the computer.

	Warning
	Hazard of data loss! It is highly recommended to install Zorp on a dedicated computer. If there is any data on the computer that has to be retained, be sure to use manual partitioning during the installation (see Section 3.9, Manual partitioning), else all data will be lost when the installation process overwrites the whole hard disk.

After booting from the DVD, the installer menu is displayed. The menu is visible both from a local terminal and from a serial console, allowing remote installations.

Figure 3.1. The Installer menu

Select one of the available installation modes:

During normal configuration the installation steps follow each other automatically; in Expert mode they are displayed as a list.

	Note
	The Zorp Installer automatically uses the 2.6.32 kernel during the installation process.

	Note
	In Expert mode, some of the menuitems do not have any parameters that can be modified. Nevertheless, these steps must be executed as well, as they are configured using default parameters, or they represent distinct steps of the installation that cannot be influenced, but must be completed.

After the kernel has been loaded, the installer displays the End-User License Agreement.

The following options useful for troubleshooting are also available from the installer menu:

	Warning
	Expert installation and the modifying kernel parameters is recommended only for advanced users. Do not experiment with it unless you know exactly what you are doing.

Figure 3.3. The End-User License Agreement

The End-User License Agreement must be accepted before the actual installation is started. The complete text of the EULA is also available in Appendix 2, Zorp Application Level Gateway End-User License Agreement. After reading and understanding the license accept its terms and conditions.

Zorp has an easy-to-use text-based installer requiring only a keyboard (mouse is not needed nor supported by the installer). Navigation between the different options of a screen is possible using the cursor buttons. Selected actions (for example Go back or Continue) is highlighted in red. When multiple selection is possible use space to select/deselect a given item (for example when selecting the Zorp modules to be installed).

Figure 3.4. Choosing a continent or region

Select the continent or region from the list where the installed machine will be located.

Figure 3.5. Choosing language

Select the region or country from the list where the installed machine will be located. This will also affect time zone settings.

Expert mode: Select your locale. Additional locales can also be selected.

Figure 3.6. Selecting keyboard layout

Expert mode: Select the type (PS2, USB, or no keyboard) of the keyboard used.

Select the layout of the keyboard used. The default keyboard layout is USA. If there are more than one possible keyboard layouts for the selected location, more options are displayed. Select the most appropriate.

The installer tries to detect the DVD drive containing the Zorp Installation disk.

Figure 3.7. Optical drive detection

Expert mode: Select which kernel modules to load from the ones that were detected as matching your hardware. If requested, the installer can prompt when a module that is accepting load-time parameters is about to be loaded, enabling the customization of the given module.

Expert mode: Configure hdparm if you want to optimize DVD access. Leave the field blank to continue without using hdparm.

This step is available in expert mode only. Most components are loaded automatically, the ones listed here are low priority and are optional. Select the ones you wish to load. Dependencies will be loaded automatically.

Figure 3.10. Configuring the clock

Ensure that the time zone displayed is the correct time zone for the machine. If it is correct, select Yes.

The installer detects the available hard disks automatically. The next step of the installation is to prepare, partition and format the hard disk(s). The minimal storage capacity required by Zorp is 8GB.

Partitioning can be performed either automatically or manually. Guided partitioning is described below, for the details of manual partitioning, see Section 3.9, Manual partitioning.

Figure 3.11. Selecting the partitioning method

	Note
	If there is already a partition existing on the hard drive, the installer also displays an option of Guided - resize. Select this option only if you know what you are doing. It is advised to select the Guided - use entire disk option.

Automatic partitioning utilizes the total capacity of a single hard disk. The hard disk is partitioned as follows:

The default filesystem used by ZorpOS is ext3. In order to use another filesystem, partitioning must be performed manually.

Please note that automatic partitioning partitions only a single hard disk; any additional disks have to be partitioned manually.

	Note
	The hard disk DMA has to be supported by the kernel. If the kernel does not support your chipset the writing of the partition table and formatting the hard disk can take several minutes.

Figure 3.12. Selecting the disk to partition

Select the disk to partition.

Figure 3.13. Partitions to be formatted

For the changes listed to be written to the disk, select Yes.

	Warning
	Hazard of data loss! The listed partitions are going to be formatted, and all data will be destroyed on them. Proceed only if you have ensured that there is no valuable data on the disk.

Figure 3.14. Partitions to be formatted

For the changes listed to be written to the disk, select Yes.

	Warning
	Hazard of data loss! The listed partitions are going to be formatted, and all data will be destroyed on them. Proceed only if you have ensured that there is no valuable data on the disk.

Figure 3.15. Finishing partitioning

The installer displays an overview of the currently configured partitions and mount points. To finish partitioning, select Finish partitioning and write changes to disk.

Figure 3.16. Booting with degraded RAID

Select whether you want to boot your system if RAID becomes degraded. The default option is No, but it is advised to select Yes, if you do not have physical access to the server console to use the recovery shell, to enable the system to boot unattended.

Figure 3.17. RAID partitions change list

Select Yes to write the changes to the disks.

This step is available in Expert mode only. When using RAID devices, the mdadm management utility has to be configured. The following options are available:

In normal mode, RAID devices and the RAID monitor daemon are started automatically, e-mail notifications are sent to the root user.

Figure 3.18. Setting up the user account and password

Provide the full name of the user with the normal account, and then the username. After this, enter and verify the password for the normal user account.

	Tip
	Use the following guidelines for the password. It should: be at least 8 characters long; contain both small and capital letters; contain special characters like: $#@;?.; changed on a regular basis, but without reusing old passwords. The installer will display a warning if you were trying to to use a weak password.

	Note
	Zorp uses SHA-512 password encryption and shadow passwords.

	Tip
	Remote root access in Zorp is automatically disabled by default. To run a command as administrator (root), use sudo <command>.

In this step the base components of ZorpOS are copied to the hard drive. Depending on the hardware, this can take several minutes.

Figure 3.19. Selecting the Zorp modules to be installed

The Zorp modules to be installed can be selected on the following screen. The following modules are available on the installation media:

For further information on the different modules see the Introduction chapter of the Zorp Installation Guide and the relevant chapters of the Zorp Administration Guide.

Below are some guidelines about which modules should be installed on the different types of machines.

	Note
	The Zorp Management Console and the Zorp Authentication Agent (also called Satyr) applications are client–side components that cannot be installed on Zorp hosts. Their installation is discussed in Section 3.7, Installing the Zorp Management Console and Section 3.8, Installing the Zorp Authentication Agent (Satyr), respectively.

After choosing the modules to be installed hit Continue.

	Note
	When you continue the installation, some steps may not appear for you, depending on the components you have selected to install.

Figure 3.20. Configuring Postfix

Zorp uses Postfix as a native service for handling emails. A mail transferring agent (MTA) must be installed on the machine at least for delivering the locally generated messages.

Figure 3.21. General Postfix configuration

The basic operation of mail handling on the host should be specified. The following options are available:

Figure 3.22. Specifying the mailname

Set the name that should appear in the domain part of outgoing mail (that is, after the @ sign).

zorp-utils includes tools used by Zorp: zavupdate is a tool that updates the databases of the virus filtering engines. In this step these tools are configured. zavupdate has the following options:

The section below describes the configuration options of the NOD32 virus filtering module.

	Note
	This module is installed only if it was selected in Section 3.4.1, Installing Zorp modules.

Figure 3.29. Providing username and password for the NOD32 module

Provide the username and password received from your distributor. If not available at the time of installation, it can be entered later by issuing the dpkg-reconfigure libesets command, or by manually editing the /etc/nod32/nod32.auth file.

Figure 3.30. Deleting the virus database

Select Yes if you want to delete the virus database if you remove the NOD32 package.

The databases of the NOD32 module can be instantly updated from the official NOD32 webserver if the machine being installed has network access. Otherwise, an update can be manually initiated by issuing the zavupdate command.

Configure the e-mail notification sending of the Zorp Management Server monitoring subsystem. Provide the e-mail address of the administrator who will receive the notifications.

Openswan is an IPSec implementation used in Zorp for building VPN connections.

3.4.6.2. Opportunistic encryption

Figure 3.31. Enabling Opportunistic encryption

Select if Opportunistic encryption should be enabled. Opportunistic encryption stores IPSec authentication information (that is, RSA keys) in secure DNS records. However, since this is not yet widely used, it may introduce significant slowdown for new outgoing connections and may break existing connections when pluto, the Openswan keying daemon is started.

3.4.6.3. Creating keys and certificates for Openswan

Creating RSA keypair for the host

Figure 3.32. Creating RSA keys

Openswan can create an RSA public/private keypair for the host. This keypair can be used to authenticate secure IPSec connections. Another, but significantly less secure solution is to use passwords.

The section below describes the configuration options of Zorp Management Server.

3.4.7.1. The ZMS database

Deleting the database

ZMS stores the configurations of the managed hosts in a database. This database can be automatically deleted (Yes option) when purging ZMS.

E-mail notifications of ZMS monitoring

Figure 3.33. E-mail notifications of ZMS monitoring

ZMS can monitor the hosts it manages. In case of an error, the administrators can be notified. Provide a default e-mail address for such notifications.

3.4.7.2. Naming the Site

Figure 3.34. Selecting corporate name

The hosts managed by ZMS are organized into sites. When installing ZMS, the name of the site that the ZMS host will belong to has to be defined. Use a descriptive for the site, for example the name of the organization.

3.4.7.3. Name of the ZMS host

Figure 3.35. Specifying the ZMS engine supervising the Zorp host

The name of the host the ZMS will be installed on. It is recommended to use the normal name of the host, but do not use FQDN here. This name is stored in the ZMS database and is complicated to modify later.

3.4.7.4. Key management

ZMS includes PKI management as well to ensure that each element of the firewall system (ZMS module, VPNs, users) can be authenticated with X.509 keys. During this stage of the installation the root CA is created and configured. To achieve this the install program requests the following parameters:

Figure 3.36. Creating the root Certificate Authority

• Country ID (two characters only, for example US, HU, DE)

• State (for example Nevada), optional field, US only

• City (for example Las Vegas), optional field

• Corporate name (for example BalaBit Ltd.), optional field

• Organization unit name (for example HQ), optional field

Answer the questions without accents according the X400/X500 standard.

3.4.7.5. ZMS monitoring database setup

Figure 3.37. Setting up monitoring database

ZMS monitoring can store the data in a PostgreSQL database. This database can be created either manually or automatically. Answer No also if ZMS monitoring should not store the data.

The database used can be either local or remote. The database server has to allow MD5 encrypted password authentication and ident authentication using Unix sockets. The database installed by Zorp is automatically configured that way; when using a custom server, this has to be performed manually.

When setting up the local database, Zorp installer will automatically create a database and set a password for the ZMS database user.

Figure 3.38. Setting up local database

Figure 3.39. Enter a password for the monitoring database

3.4.7.6. Configuring the ZMS engine

In this section the ZMS engine will be configured. Various passwords and the parameters of the local Certificate Authority will be set.

Administrative password of ZMS

Figure 3.40. Specifying the initial administrative password of ZMS

The ZMS administrator password is used to login to ZMS from the Zorp Management Console as an administrator. The username of the administrator by default is admin, which can be modified later. Assign a password which conforms to the secure password generation standards of your organization. The password can be changed any time later.

Setting up the Certificate Authority of ZMS

Figure 3.41. Specifying the CA password of ZMS

In this stage a secure password for the formerly initialized CA of ZMS has to be set. Assign a password which conforms to the secure password generation standards of your organization. It is possible, though difficult to change the CA password later.

The system date of the computer will be displayed. Check the date carefully and verify that it is correct.

Figure 3.42. Verifying system date

	Warning
	If the system date is incorrect, it is possible that the validity of the certificates used by ZMS to communicate with the Zorp hosts cannot be verified and the system will not operate correctly.

3.4.7.8. Setting up VirusBuster

Figure 3.43. Updating VirusBuster's database

To update VirusBuster's database, select Yes.

Figure 3.44. Installing the license keys

License keys can be downloaded from the BalaBit website using a MyBalaBit account. The installer can copy them from a 3.5" floppy disk, an USB drive, or it can download them from a webserver using HTTP if network connection for the machine is available during the installation. Beside the license file(s), no online activation or similar is required.

3.4.8.1. Installing the license keys from USB or floppy

Attach the USB drive to an USB port of the host, or insert the floppy containing the license file into the 3.5'' drive of the computer. Choose the USB or Floppy drive option. If not detected automatically, select the drive containing the license, or select the Re-scan devices option.

Note

When accessing the licenses, the directory structure is important: for each Zorp component licensed there is a separate subdirectory named after the component (for example, Zorp, ZMS, ZAS) containing a license file named license.txt. Make sure that all file and directory names are in lowercase. When downloading the licenses from an internal Webserver, the same directory structure must be reproduced on the server. These directories need not be placed in the root folder of the Webserver, a virtual directory is also suitable. The license files of 3rd-party engines are not necessary called license.txt

Warning

The directory structure of the webserver, floppy, or USB drive must be identical to the one of the Zorp License Media you received from BalaBit or your local distributor. If you fail to install the new licenses during the upgrade, you must copy the license files to the host manually to the following locations: Zorp Management Server (ZMS): /etc/zms/license.txt Zorp Application Level Firewall (Zorp): /etc/zorp/license.txt Zorp Authentication Server (ZAS): /etc/zas/license.txt Zorp Content Vectoring Server (ZCV): /etc/zcv/license.txt NOD32 Antivirus engine: /etc/nod32/license/ Zorp and its components will not operate without the new license files.

3.4.8.2. Installing the license keys from the network

Figure 3.45. Installing license keys from the network

If the computer does not contain a 3.5" floppy drive, or the installation program does not recognize it for some reason, it is possible to install the licenses via HTTP from your local webserver. BalaBit does not provide online access to license keys. Choose the HTTP option and enter the URL where the license is accessible. The URL may use the domain name or IP address of the server. If the installation of the licenses fails for any reason, they may also be installed manually at a later date.

Note

When accessing the licenses, the directory structure is important: for each Zorp component licensed there is a separate subdirectory named after the component (for example, Zorp, ZMS, ZAS) containing a license file named license.txt. Make sure that all file and directory names are in lowercase. When downloading the licenses from an internal Webserver, the same directory structure must be reproduced on the server. These directories need not be placed in the root folder of the Webserver, a virtual directory is also suitable. The license files of 3rd-party engines are not necessary called license.txt

In case of an HTTP option, select Yes if you want to use a proxy server to download the licenses from an HTTP server. Then specify the HTTP proxy in the next window. If you do not want to use a proxy server, leave the field blank or enter NONE.

3.4.8.3. Setting up host roles

The iptables utility included in ZorpOS is configured by default to deny any traffic going through or to the machine. During the installation process the role of the host has to be defined: iptables will be configured according to the role of the host. This selection has effect only during the first installation of the host, it will not modify an existing iptables configuration. The following roles are available:

Figure 3.46. Selecting the role of the host

• FIREWALL: ZMS agent and remote shell (SSH) communication will be enabled. This technically means ports TCP/1311 and TCP/22.

• ZMSHOST: ZMC to engine communication and remote shell communication will be allowed on ports TCP/1314 and TCP/22, respectively.

• NONE: All IP traffic will be dropped by default, therefore all remote administration attempts will fail. All allowed traffic has to be enabled manually from a local terminal.

If installing the Zorp firewall suite and ZMS on the same host, choose ZMSHOST as the host role.

Depending on the selected host role, the following IP addresses also have to be provided:

• FIREWALL: The IP address of the ZMS host used to manage the firewall.

• 

  Figure 3.47. Specifying the IP addresses of the machines running ZMC

  
  

  ZMSHOST: The IP address(es) of the ZMC console(s) used to manage the ZMS host (that is, the machines from where the firewall administrators will connect to Zorp or ZMS). If managing ZMS is allowed from multiple ZMCs, list the IP addresses separated by spaces.

	Warning
	The IP adresses of the ZMS/ZMC hosts must be typed correctly, otherwise the machine will not be accessible from ZMS/ZMC. In this case, the configuration of iptables must be corrected manually. See man iptables-utils for details.

3.4.8.5. Installing a boot loader

Figure 3.48. Installing GRUB

Install a boot loader to the selected partition of the hard drive. By default, the GRUB boot loader is installed to the machine.

	Tip
	Usually the easiest and most convenient solution is to install the boot loader to the master boot record of the primary hard drive.

Expert mode: Enter a password for the boot loader if you wish.

	Warning
	Password-protecting the boot loader means that the password must be entered locally after every reboot. This means that the host will not boot (thus it will not function) until the password is entered, therefore it is not recommended on firewall host.

3.4.8.6. Rebooting the system

After the installation is finished, the computer is rebooted.

Figure 3.49. Finishing the installation

If the installation was finished successfully and you have installed the licenses via HTTP, do not forget to delete the electronic license(s) from the web server to prevent unauthorized downloads.

Figure 3.50. Rebooting the machine

Install the dynamically linked version of the zms-transfer-agent.

apt-get install zms-transfer-agent-dynamic

Install the dynamically linked version of the zms-monitor-agent .

apt-get install zms-monitor-agent-dynamic

Install the zms-engine.

apt-get install zms-engine

Install the zmc graphical administration tool to a client. zmc cannot be installed on a Zorp host.

apt-get install zmc

	Note
	Note that zmc requires the X environment.

Other components can be installed similarly.

	Note
	Before you start installing ZMC, the X graphical tool must already be configured and running on the machine on which you install ZMC.

Start the installer for your platform:

To install ZMC from the command line, navigate to the directory where the installation package is located, and issue the ./zmc-<version_number>-linux-i386.run command.

The installer allows you to set the installation path, and optionally to install the Zorp Administrator's Guide and the Zorp Reference Guide.

After the installation if finished, you can start ZMC from the Network or Internet menu of your desktop environment, or from the console by executing the following command: ./<installation-directory>/bin/zmc.

Zorp Management Console installation starts simply by running zmc-setup-<version-number>.exe. Make sure you have Administrator privileges or the necessary rights to perform the installation.

After the setup wizard welcomes you, it is required to agree the End-User License Agreement (EULA). Please read it carefully before accepting it.

The following step is to define the installation path. By default the setup wizard offers "C:\Program Files\Zmc" but this can be modified.

During and after the installation process, you can monitor the files and drivers the setup wizard installed.

When the installation process is finished, Zorp Management Console can be started from Windows Start menu. The Windows version of ZMC automatically installs the HTML version of the Zorp Administrator's Guide and Zorp Reference Guide.

3.7.2.1. Upgrading the Windows version of ZMC

To download the latest Windows version of ZMC, log on to BalaBit's website.

Use the same username/password pair that is used with apt.

ZMC can be downloaded from https://www.balabit.com/network-security/zorp-gateway/download.

	Note
	Version numbers can differ according to the product development cycle.

During the installation of the Satyr Client 3.4 LTS the pre-configured Debian system will be amended with certain packages and their dependencies. If the dependencies are already installed or an online Debian repository is accessible the Satyr Client can be installed from the Zorp Install DVD as well.

Insert the Zorp Installation DVD into the DVD drive and mount it. In the root of the Install DVD you find an install.sh script, which can be used to install Satyr on the host. Do not use apt-cdrom to setup the sources.list as it will mix up the apt database.

Finally you need to install the necessary CA certificates into your /etc/satyr/ca/ directory. The Satyr client and the Satyr multiplexer will start automatically.

Satyr is available for Debian etch and Ubuntu 8.04 from the following repositories:

Make sure the following lines are in your /etc/apt/sources.list file:

deb https://USERNAME:PASSWORD@apt.balabit.com/zorp-os debian-etch/zorp-3.4 LTSlatest satyr

deb https://USERNAME:PASSWORD@apt.balabit.com/zorp-os ubuntu-hardy/zorp-3.4 LTSlatest satyr

Installation of Satyr client can be started by running satyr-setup-3.4 LTS.X.exe. The installation requires administrator privileges.

After Satyr Client setup wizard welcomes you, it is required to accept End-User License Agreement (EULA). Please read it carefully before accepting it.

The following step is to define the installation path. By default the setup wizard offers "C:\Program Files\Satyr Client", but this can be modified as needed. The Satyr client requires about 4MB of free disk space.

During and after the installation progress, you can monitor the files and drivers that the setup wizard installs.

When the installation process is finished, the Satyr client and the Satyr multiplexer will start automatically.

Finally you need to install the CA Certificate which was used to sign the firewall's certificate. You need to export the certificate in Definite Encoding Rules (DER) format from ZMS (using the Zorp Management Console) and install it under Satyr using addcert.exe, which is distributed with the Satyr Client. Please refer to the PKI chapter of the Zorp Administration Guide for further details.

To create a new partition, select the line indicating the free space of the hard disk and hit Enter, and select the Create a new partition option.

Figure 3.52. Creating a new partition

The following parameters of the partition have to be specified:

The exact use of the partition can be configured on the next screen.

Figure 3.55. Configuring a partition

After you have finished the configuration select Finish partitioning and write changes to disk from the main partitioning screen.

	Warning
	Important! Without the root and the swap partitions the system cannot work, thus creating them is compulsory. The root partition must also physically contain /etc, /bin, /sbin, /lib and /dev, otherwise it will not be possible to boot from the device.

There is no required partitioning schema for ZorpOS: the number and size of partitions depend on the future role of the machine.

	Tip
	If the machine is intended to be a Zorp firewall with the native Postfix service configured and used for mail delivery, it is recommended to create a large /var partition. This is also beneficial if local virus filtering will be performed or system log files will be stored locally.

To modify an existing partition, select it from the main partitioning screen. A menu identical to the one discussed in Section 3.9.1, Creating a partition will appear, allowing you to modify the different parameters of the partition.

RAID (Redundant Array of Independent Disks) is a solution of combining multiple hard disks in order to achieve fault tolerance and/or high performance. ZorpOS supports three versions of RAID, RAID 0 (data striping), RAID 1 (mirroring), and RAID 5 (distributed data storage with distributed parity). RAID 0 and 1 require at least two hard disks, while RAID 5 needs at leasts three.

	Note
	Software RAID can be very CPU intensive and might reduce the general performance of the system.