Tectia

Tectia Guardian 3 F2 Administrator Manual

This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. See Appendix E for details. The latest version is always available at http://www.tectia.com/en/Support/Product_Documentation.

This software is protected by international copyright laws. All rights reserved. Tectia® and ssh® are registered trademarks of Tectia Corporation in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of Tectia Corporation and may be registered in certain jurisdictions.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.

The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.

Linux™ is a registered trademark of Linus Torvalds.

Debian™ is a registered trademark of Software in the Public Interest Inc.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008 and 7 are registered trademarks of Microsoft Corporation.

MySQL™ is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

All other product names mentioned herein are the trademarks of their respective owners.

Some rights reserved.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

11/14/2011


Table of Contents

Preface
Summary of contents
Target audience and prerequisites
Products covered in this manual
Typographical conventions
Contact and support information
1. Introduction
What Guardian is
What Guardian is not
Why is Guardian needed?
Who uses Guardian?
2. The concepts of Guardian
The philosophy of Guardian
Supported protocols and client applications
Modes of operation
Guardian in Bridge mode
Guardian in Router mode
Guardian in Bastion mode
Guardian in Nontransparent mode
Connecting to a server through Guardian
Connecting to a server through Guardian using SSH
Connecting to a server through Guardian using RDP
SSH hostkeys
Authenticating clients using public-key authentication in SSH
The gateway authentication process
4-eyes authorization
Network interfaces
High Availability support in Guardian
Firmware in Guardian
Firmwares and high availability
Versions and releases of Guardian
Accessing and configuring Guardian
3. The Welcome Wizard and the first login
The initial connection to Guardian
Creating an alias IP address (Microsoft Windows)
Creating an alias IP address (Linux)
Modifying the IP address of Guardian
Configuring Guardian with the Welcome Wizard
Logging in to Guardian and configuring the first connection
4. Configuring and managing Guardian
Supported web browsers and operating systems
The structure of the web interface
Elements of the main workspace
Multiple web users and locking
Basic settings
Network settings
Date and time configuration
System logging, SNMP and e-mail alerts
Configuring system monitoring on Guardian
Data and configuration archiving and backups
User management and access control
Managing Guardian users locally
Setting password policies for local users
Managing local usergroups
Managing Guardian users from an LDAP database
Authenticating users to a RADIUS server
Managing user rights and usergroups
Listing and searching configuration changes
Displaying the privileges of users and user groups
Managing Guardian
Controlling Guardian — restart, shutdown
Managing a high availability Guardian cluster
Upgrading Guardian
Troubleshooting Guardian
Accessing the Guardian console
Sealed mode
Out-of-band management of Guardian
Managing the certificates used on Guardian
5. Configuring connections
General connection settings
Configuring connections
Modifying the destination address
Modifying the source address
Creating and editing channel policies
Configuring time policies
Creating and editing user lists
Authenticating users to an LDAP server
Audit policies
Verifying certificates with Certificate Authorities
Signing certificates on-the-fly
Forwarding traffic to an IDS or DLP system
Configuring cleanup for the Guardian connection database
SSH-specific settings
Setting the SSH host keys and certificates of the connection
Supported SSH channel types
Authentication Policies
Server host keys and certificates
Creating and editing protocol-level SSH settings
RDP-specific settings
Supported RDP channel types
Creating and editing protocol-level RDP settings
Joining Guardian into a domain
Using SSL-encrypted RDP connections
Verifying the certificate of the RDP server in encrypted connections
Using Guardian as a Terminal Services Gateway
Configuring Remote Desktop clients for gateway authentication
Usernames in RDP connections
ICA-specific settings
Setting up ICA connections
Supported ICA channel types
Creating and editing protocol-level ICA settings
Guardian deployment scenarios in a Citrix environment
Troubleshooting Citrix-related problems
Telnet-specific settings
Creating and editing protocol-level Telnet settings
VNC-specific settings
Creating and editing protocol-level VNC settings
VMware View connections
6. Browsing log messages and Guardian reports
Using the search interface
Customizing columns
Changelogs of Guardian
The Guardian connection database
Connection metadata
Using and managing search filters
Displaying statistics on search results
Creating statistics from custom database queries
Database tables available for custom queries
Reports
Contents of the default reports
Configuring custom reports
Indexing and reporting on audit-trail content
Configuring full-text indexing of audit trails
Monitoring the status of AP indexing services
Creating reports from audit-trail content
7. Viewing session information and replaying audit trails
Installing the Audit Player application
Replaying audit trails
Downloading audit trails from Guardian
Replaying a session with the Audit Player
Replaying SCP and SFTP sessions
Using AP
Finding specific audit trails
Using projects
Replaying and processing encrypted audit trails
Searching in graphical streams
Troubleshooting the Audit Player
Logging with the Audit Player
Keys and certificates
Keyframe building errors
8. Advanced authentication and authorization techniques
Configuring usermapping policies
Configuring gateway authentication
Configuring outband gateway authentication
Performing outband gateway authentication on Guardian
Performing inband gateway authentication in SSH connections
Performing inband gateway authentication in RDP connections
Troubleshooting gateway authentication
Configuring 4-eyes authorization
Configuring 4-eyes authorization
Performing 4-eyes authorization on Guardian
Using credential stores for server-side authentication
Configuring local Credential Stores
Configuring password-protected Credential Stores
Unlocking Credential Stores
Using Lieberman ERPM to authenticate on the target hosts
9. Best practices and configuration examples
Configuring public-key authentication on Guardian
Configuring public-key authentication using local keys
Configuring public-key authentication using an LDAP server and a fixed key
Configuring public-key authentication using an LDAP server and generated keys
Organizing connections in Bastion mode
Organizing connections based on port numbers
Organizing connections based on alias IP addresses
Accessing the Guardian host in Bastion mode using SSH
Using nontransparent Bastion mode
Restoring Guardian configuration and data
10. Guardian scenarios
SSH usermapping and keymapping in AD with public key
A. About the Secure Shell protocol in a nutshell
The basic operation of SSH
Configuring encryption parameters
B. Package contents inventory
C. Tectia Guardian Hardware Installation Guide
Installing the Guardian hardware
Installing two Guardian units in HA mode
D. Tectia Guardian VMware Installation Guide
Limitations of Guardian under VMware
Installing Guardian under VMware ESXi
E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
Glossary
Index

List of Examples

4.1. Configuring NFS on the remote server
7.1. Using the -C switch