Zorp Professional 6 Administrator Guide

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit IT Security Ltd.

The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.

Hadoop™ and the Hadoop elephant logo are trademarks of the Apache Software Foundation.

Linux™ is a registered trademark of Linus Torvalds.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2013 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

April 17, 2015


Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Feedback
1. Introduction
1.1. What Zorp is
1.2. Why is Zorp needed?
1.3. Who uses Zorp?
1.4. Public references for Zorp Professional
2. Concepts of the Zorp Gateway solution
2.1. Main components of the Zorp Gateway solution
2.1.1. Zorp
2.1.2. Zorp Management System (ZMS)
2.1.3. Transfer Agent
2.1.4. Zorp Management Console (ZMC)
2.1.5. Zorp Authentication System (ZAS)
2.1.6. The concept of the ZCV framework
2.1.7. Virtual Private Networking support
2.1.8. Native services
2.1.9. High Availability
2.1.10. Operating system
2.2. The concepts and architecture of Zorp firewalls
2.2.1. Access control
2.2.2. Operation modes of Zorp
2.2.3. Packet filtering in Zorp
2.2.4. Proxying connections
2.2.5. Traffic analysis with proxies
2.2.6. Proxy customization
2.2.7. Modular architecture
3. Managing Zorp hosts
3.1. ZMS and ZMC
3.1.1. Define a new host and start up ZMC
3.2. ZMC structure
3.2.1. Configuration tree
3.2.2. Main workspace
3.2.3. Menu & status bars and Preferences
3.3. Configuration and Configuration management
3.3.1. Configuration process
3.3.2. Configuration buttons
3.3.3. Committing related components
3.3.4. Recording and commenting configuration changes
3.3.5. Multiple access and lock management
3.3.6. Status indicator icons
3.3.7. Copy/Paste and Multiple select in ZMC
3.3.8. Links and variables
3.3.9. Disabling rules and objects
3.3.10. Filtering list entries
3.4. Viewing Zorp logs
3.4.1. The command bar of the log viewer
4. Registering new hosts
4.1. Bootstrapping a new host
4.1.1. Bootstrap a new host
4.2. Reconnecting to a host
4.2.1. Reconnect ZMS to a host
5. Networking, routing, and name resolution
5.1. Configuring networking interfaces
5.1.1. General interface configuration
5.1.2. Configuring virtual networks and alias interfaces
5.1.3. Configuring bond interfaces
5.1.4. Configuring bridge interfaces
5.1.5. Enabling spoof protection
5.1.6. Interface options and activation scripts
5.1.7. Interface status and statistics
5.2. Managing name resolution
5.3. Managing client-side name resolution
5.3.1. Configure name resolution
5.4. The routing editor
5.4.1. Routes
5.4.2. Sorting, filtering, and disabling routes
5.4.3. Managing the routing tables locally
6. Managing network traffic with Zorp
6.1. Understanding Zorp policies
6.2. Zones
6.2.1. Managing zones with ZMC
6.2.2. Creating new zones
6.2.3. Zone hierarchies
6.2.4. Using hostnames in zones
6.2.5. Finding zones
6.3. Zorp instances
6.3.1. Understanding Zorp instances
6.3.2. Managing Zorp instances
6.3.3. Creating a new instance
6.3.4. Configuring instances
6.3.5. Instance parameters — general
6.3.6. Instance parameters — logging
6.3.7. Instance parameters — rights
6.3.8. Instance parameters — miscellaneous
6.3.9. Increasing the number of running processes
6.4. Zorp services
6.4.1. Creating a new service
6.4.2. Creating a new PFService
6.4.3. Creating a new DenyService
6.4.4. Creating a new DetectorService
6.4.5. Routing — selecting routers and chainers
6.5. Configuring firewall rules
6.5.1. Understanding Zorp firewall rules
6.5.2. Transparent and non-transparent traffic
6.5.3. Finding firewall rules
6.5.4. Creating firewall rules
6.5.5. Tagging firewall rules
6.5.6. Configuring nontransparent rules with inband destination selection
6.5.7. Connection rate limiting
6.6. Proxy classes
6.6.1. Customizing proxies
6.6.2. Renaming and editing proxy classes
6.6.3. Analyzing embedded traffic
6.7. Policies
6.7.1. Creating and managing policies
6.7.2. Detector policies
6.7.3. Encryption policies
6.7.4. Matcher policies
6.7.5. NAT policies
6.7.6. Resolver policies
6.7.7. Stacking providers
6.8. Monitoring active connections
6.9. Traffic reports
6.9.1. Configuring Zorp reporting
7. Logging with syslog-ng
7.1. Introduction to syslog-ng
7.1.1. Global options
7.1.2. Sources
7.1.3. Destinations
7.1.4. Filters
7.2. Configuring syslog-ng with ZMC
7.2.1. Configure syslog-ng
7.2.2. Configuring syslog-ng components via ZMC
7.2.3. Configuring TLS-encrypted logging
8. The Text editor plugin
8.1. Using the Text editor plugin
8.1.1. Configure services with the Text editor plugin
8.1.2. Use the additional features of Text editor plugin
9. Native services
9.1. BIND
9.1.1. BIND operation modes
9.1.2. Configuring BIND with ZMC
9.1.3. Setting up split-DNS configuration
9.2. NTP
9.2.1. Configuring NTP with ZMC
9.2.2. Status and statistics
9.3. Postfix
9.3.1. Configuring Postfix with ZMC
9.4. Local services on Zorp
9.4.1. Enabling access to local services
10. Local firewall administration
10.1. Linux
10.2. Login to the firewall
10.3. Editing configuration files
10.4. Network configuration
10.5. System logging
10.6. NTP
10.7. BIND
10.8. Updating and upgrading your Zorp hosts
10.9. Packet filter
10.10. Zorp configuration
10.10.1. Policy.py and instances.conf
10.10.2. Zorp control
11. Key and certificate management in Zorp
11.1. Cryptography basics
11.1.1. Symmetric and asymmetric encryption
11.2. PKI Basics
11.2.1. Centralized PKI system
11.2.2. Digital certificates
11.2.3. Creating and managing certificates
11.2.4. CRLs
11.2.5. Authentication with certificates
11.2.6. Digital encryption in work
11.2.7. Storing certificates and keys
11.3. PKI in ZMS
11.3.1. Committing changes and locking in PKI
11.3.2. The certificate entity
11.3.3. Rules of distribution and owner hosts
11.3.4. Trusted groups
11.3.5. The PKI menu
11.3.6. PKI management
11.3.7. Trusted CAs
11.3.8. Managing certificates
12. Clusters and high availability
12.1. Introduction to clustering
12.2. Clustering solutions
12.2.1. Fail-Over clusters
12.2.2. Load balance clusters
12.3. Managing clusters with ZMS
12.4. Creating clusters
12.4.1. Creating a new cluster (bootstrapping a cluster)
12.4.2. Adding new properties to clusters
12.4.3. Adding a new node to a Zorp cluster
12.4.4. Converting a host to a cluster
12.5. Heartbeat
12.5.1. Functionality of Heartbeat
12.5.2. Heartbeat resources
12.5.3. Configuring Heartbeat
12.5.4. Configuring Heartbeat resources
12.5.5. Configuring a Service IP address
13. Advanced ZMS and Agent configuration
13.1. Setting configuration parameters
13.1.1. Configuring user authentication and privileges
13.1.2. Configuring backup
13.1.3. Configuring the connection between ZMS and ZMC
13.1.4. Configuring ZMS and agent connections
13.1.5. Configuring ZMS database save
13.1.6. Setting configuration check
13.1.7. Configuring CRL update settings
13.1.8. Set logging level
13.1.9. Configuring SSL handshake parameters
13.2. Setting agent configuration parameters
13.2.1. Configuring connections for agents
13.2.2. Configuring connection to engine
13.2.3. Configuring logging for agents
13.2.4. Configuring SSL handshake parameters for agents
13.3. Managing connections
13.3.1. Setting up initial connection with management agents
13.3.2. Configuring connection with agents
13.3.3. Administering connections
13.3.4. Configuring recovery connections
13.4. Handling XML databases
14. Virus and content filtering using ZCV
14.1. Content vectoring basics
14.1.1. Quarantining
14.2. The concept of the ZCV framework
14.2.1. Content vectoring with ZCV
14.2.2. Supported modules
14.3. Content vectoring with ZCV
14.3.1. Creating module instances
14.3.2. Creating scanpaths
14.3.3. Routers and rule groups
14.3.4. Configuring Zorp proxies to use ZCV
14.3.5. Managing ZCV performance and resource use
14.4. Quarantine management in ZMC
14.4.1. Information stored about quarantined objects
14.4.2. Configuring quarantine cleanup
15. Connection authentication and authorization
15.1. Authentication and authorization basics
15.1.1. Inband authentication
15.1.2. Outband authentication
15.2. The concept of ZAS
15.2.1. Supported backends and authentication methods
15.3. Authenticating connections with ZAS
15.3.1. Configuring ZAS
15.3.2. Authentication of Zorp services with ZAS
15.3.3. Authorization of Zorp services
15.3.4. Configuring the authentication agent
15.4. Logging in ZAS
16. Virtual Private Networks
16.1. Virtual Private Networking basics
16.1.1. Types of VPN
16.1.2. VPN topologies
16.1.3. The IPSec protocol
16.1.4. The OpenVPN protocol
16.2. Using VPN connections
16.2.1. Using VPN connections
16.3. Configuring IPSec connections
16.3.1. Configuring IPSec connections
16.3.2. IPSec options
16.3.3. Forwarding IPSec traffic on the packet level
16.4. Configuring SSL (OpenVPN) connections
16.4.1. Configuring SSL connections
16.4.2. SSL options
17. Integrating Zorp to external monitoring systems
17.1. Monitoring Zorp with Munin
17.2. Installing a Munin server on a ZMS host
17.3. Monitoring Zorp with Nagios
A. Packet Filtering
A.1. How packet filtering works
A.2. Packet filtering on Linux
A.3. Understanding Netfilter and IPTables
A.3.1. Hooks
A.3.2. Tables
A.3.3. Chains
A.3.4. Rules
A.3.5. Configuration summary
A.4. Managing packet filter rules in ZMC
A.4.1. Configuration management: iptables-utils
A.4.2. Modifying the ruleset
A.4.3. Understanding the packet filter ruleset
A.4.4. The Rule Search window
B. Keyboard shortcuts in ZMC
B.1. Function keys
B.2. Shortcuts
B.3. Access keys
C. Further readings
C.1. Zorp related material
C.2. General, Linux related material
C.3. Postfix documentation
C.4. BIND Documentation
C.5. NTP references
C.6. SSH resources
C.7. TCP/IP Networking
C.8. Netfilter/IPTables
C.9. General security related resources
C.10. syslog-ng references
C.11. Python references
C.12. Public key infrastructure (PKI)
C.13. Virtual Private Networks (VPN)
D. Zorp Application Level Gateway End-User License Agreement
D.1. 1. SUBJECT OF THE LICENSE CONTRACT
D.2. 2. DEFINITIONS
D.3. 3. LICENSE GRANTS AND RESTRICTIONS
D.4. 4. SUBSIDIARIES
D.5. 5. INTELLECTUAL PROPERTY RIGHTS
D.6. 6. TRADE MARKS
D.7. 7. NEGLIGENT INFRINGEMENT
D.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
D.9. 9. LICENSE FEE
D.10. 10. WARRANTIES
D.11. 11. DISCLAIMER OF WARRANTIES
D.12. 12. LIMITATION OF LIABILITY
D.13. 13. DURATION AND TERMINATION
D.14. 14. AMENDMENTS
D.15. 15. WAIVER
D.16. 16. SEVERABILITY
D.17. 17. NOTICES
D.18. 18. MISCELLANEOUS
E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

List of Procedures

2.1.6.1. Content vectoring with ZCV
3.1.1. Define a new host and start up ZMC
3.2.1.3.1. Adding new configuration components to host
3.2.3.3.1. View or modify variables
3.2.3.3.2. Define site-wide variables
3.3.1.1. The general process of configuring Zorp
4.1.1. Bootstrap a new host
4.2.1. Reconnect ZMS to a host
5.1.1.1. Configuring a new interface
5.1.2.1. Creating a VLAN interface
5.1.2.2. Creating an alias interface
5.1.3. Configuring bond interfaces
5.1.4. Configuring bridge interfaces
5.1.5.1. Setting spoof protection
5.1.6.1.1. Creating interface activation scripts
5.1.6.2.1. Creating interface groups
5.1.6.3.1. Configuring interface parameter
5.3.1. Configure name resolution
6.2.2. Creating new zones
6.2.3.1. Organizing zones into a hierarchy
6.3.3. Creating a new instance
6.3.4. Configuring instances
6.3.9. Increasing the number of running processes
6.4.1. Creating a new service
6.4.2. Creating a new PFService
6.4.3. Creating a new DenyService
6.4.4. Creating a new DetectorService
6.4.5.1. Setting routers and chainers for a service
6.5.3. Finding firewall rules
6.5.4. Creating firewall rules
6.5.5. Tagging firewall rules
6.5.7. Connection rate limiting
6.6.1.1. Derive a new proxy class
6.6.1.2. Customizing proxy attributes
6.6.2. Renaming and editing proxy classes
6.6.3.1. Stack proxies
6.7.1. Creating and managing policies
6.7.5.1.1. Configuring NAT
6.9.1. Configuring Zorp reporting
7.2.1. Configure syslog-ng
7.2.2.1.1. Set global options
7.2.2.2.1. Create sources
7.2.2.2.2. Create drivers
7.2.2.4.1. Set filters
7.2.2.5.1. Configure routers
7.2.3. Configuring TLS-encrypted logging
8.1.1. Configure services with the Text editor plugin
8.1.2. Use the additional features of Text editor plugin
9.1.2.1. Configuring BIND with ZMC
9.1.3. Setting up split-DNS configuration
9.2.1. Configuring NTP with ZMC
9.3.1.1. Configuring Postfix with ZMC
9.4.1. Enabling access to local services
10.8. Updating and upgrading your Zorp hosts
10.10.1.1. Edit the Policy.py file
11.1.1.4.1. Procedure of encrypted communication and authentication
11.2.3.1. Creating a certificate
11.3.7.2. Creating a new CA
11.3.7.4. Signing CA certificates with external CAs
11.3.8.2. Creating certificates
11.3.8.3. Revoking a certificate
11.3.8.4. Deleting certificates
11.3.8.5. Exporting certificates
11.3.8.6. Importing certificates
11.3.8.7. Signing your certificates with external CAs
11.3.8.8. Monitoring licenses and certificates
12.4.1. Creating a new cluster (bootstrapping a cluster)
12.4.2. Adding new properties to clusters
12.4.3. Adding a new node to a Zorp cluster
12.4.4. Converting a host to a cluster
12.5.3.1. Configure Heartbeat
12.5.3.2. Configure additional Heartbeat parameters
12.5.4. Configuring Heartbeat resources
12.5.5. Configuring a Service IP address
13.1.1.1. Add new users
13.1.1.2. Deleting users
13.1.1.3. Changing passwords
13.1.1.4.1. Editing user privileges
13.1.1.5.1. Modifying authentication settings
13.1.2.1. Configuring automatic ZMS database backups
13.1.2.2. Restoring a ZMS database backup
13.1.3.1. Configuring the bind address and port for ZMS-ZMC connections
1. Using linking for the IP address
13.1.4. Configuring ZMS and agent connections
13.1.5. Configuring ZMS database save
13.1.8. Set logging level
13.1.9. Configuring SSL handshake parameters
13.2.3. Configuring logging for agents
13.2.4. Configuring SSL handshake parameters for agents
13.3.3. Administering connections
13.3.4. Configuring recovery connections
14.2.1. Content vectoring with ZCV
14.3.1.1. Creating a new module instance
14.3.2.1. Creating a new scanpath
14.3.3.1. Creating and configuring routers
14.3.4.1. Configuring communication between Zorp proxies and ZCV
15.1.2.1. Outband authentication using the Zorp Authentication Agent
15.3.1.1.1. Creating a new instance
15.3.2.1. Configuring communication between Zorp and ZAS
15.3.2.2. Configuring Zorp Authentication policies
15.3.3.1. Configuring authorization policies
16.2.1. Using VPN connections
16.3.1. Configuring IPSec connections
16.3.3. Forwarding IPSec traffic on the packet level
16.4.1. Configuring SSL connections
16.4.2.1. Configuring the VPN management daemon
17.1. Monitoring Zorp with Munin
17.2. Installing a Munin server on a ZMS host
17.3. Monitoring Zorp with Nagios
A.4.4.1. Using Rule Search