Stonesoft was one of the first companies to come out with a highly available (HA) distributed firewall and VPN architecture. Because a VPN is really just a special type of firewall that secures the traffic between two endpoints, it only makes sense that they work together. The problem with deploying them together is you produce a single point of failure.
Eliminating this single point of failure is particularly important in enterprises deploying business-critical functions over the Internet and is an ideal setup for managed service providers. Stonesoft's StoneGate High Availability Firewall and VPN manages to circumvent the single point of failure problem by creating multiple firewall engines that act as failover devices. In this Daily Feature, I will demonstrate how to perform a basic installation of the StoneGate Firewall/VPN on the SPARCstation 20 platform (but it will install and perform well on all SPARCstations) within an existing network.
You can install StoneGate's hardened, integrated Linux OS on standard Intel and SPARC platforms. When you purchase StoneGate, you'll want to make sure that you select the version of the software suitable for your hardware. StoneGate is available for Windows 2000, Windows NT, Linux, and Solaris. For this article, I installed StoneGate on a Sun SPARCstation 20.
Installing all the elements
In the next sections, I will explain in detail the six required steps for installing the StoneGate software:
- Install the Solaris patches (for Management system only).
- Install the StoneGate Management system and Log server.
- Install the StoneGate certificate and license.
- Define and configure the firewall/VPN properties.
- Define the NIC interfaces.
- Install the firewall/VPN engine.
1. Install the Solaris patches
Because the StoneGate Management system uses Java, you'll need to install all the latest security patches and the latest Java patches when you install the Solaris patches. The showrev -p command will tell you which patches are currently installed.
Find out if you have the appropriate patches for your version of Solaris. A good starting point for Solaris patch information is at SunSolve. After you've installed the patches, you’re ready to install StoneGate.
2. Install the Management system and Log server
Put the CD containing StoneGate into your CD-ROM drive, open up a root command prompt, mount the CD-ROM drive, and run /cdrom/setup.sh. Then, you should see the InstallShield Wizard pop up with the version number on it. After accepting the terms of the end-user license agreement (EULA), select the option to install the software in the default directory. You'll be prompted to select whether you want to install the Management system, the Log server, or the Client. For a complete installation, select all three and click Next.
The installation of the Management system and Log server requires that you install a database account, so you'll next be prompted to set up a user name and password for this account.
You'll then be prompted to enter the IP address of the Management system. To further ensure security of the system, do not configure the Management system as one of the VPN endpoints. That way, if your VPN endpoint fails, you will still be able to manage the other endpoints. Make sure, during the initial installation, that you select the option to install the Management system as a service because if you don't, you'll have to start it up manually every time you want to use the VPN. When you install the Management system as a service, it will restart every time the server reboots and will handle requests even when no one is logged in to the Management console, which is ultimately what you want.
At this point, the InstallShield Wizard will prompt you to install the Log server by inputting the Log server’s IP address. I suggest that you use the same server for both the Management system and the Log server unless you already have a consolidated log server set up on a different system so all your administrative data is consolidated on one system. Of course, you can set up a separate Management system and Log server because the Log server can communicate via SSL with the Management system if you install an X.509 certificate for the Management system at the end of the installation.
Be sure you also install the Log server as a service. By default, the Log server will use port 3020. Unless there is some reason particular to your environment to change the port number (e.g., an existing application is using that port number), you should use the default port for security purposes.
The wizard will next prompt you for a destination path for the Log server database files. Unless you already have a log server set up somewhere on your network with an existing path, accept the default path suggestion.
The wizard will ask for a server to deliver SNMP traps to. Typically this would be a third-party network Management console such as HP OpenView, BMC PATROL, or Enterasys NetSight Atlas. If you don't have a third-party network Management console, just tell the wizard to send these trapsto the same path and file as your Log server database files. If you don't want to use the same database for these errors, supply a different path or filename for SNMP traps to be placed. Putting these traps in their own file will save you from having to filter them with grep and awk, and you'll have only one database file to cull through when troubleshooting.
StoneGate will generate mail alerts when it picks up any suspicious activity on your firewall or VPN, so the next screen asks you to provide an e-mail address to send these alerts to. If you have an on-call pager that accepts e-mail, this would be a good e-mail address to use. Naturally, you should put in the e-mail address of the person responsible for administration and support of the firewall/VPN.
The wizard then asks you to review all the options you've selected. Look them over and make sure you've selected the correct options. If you need to make any corrections, use the back button to go to the appropriate section. Then, click Install Now.
3. Install the StoneGate certificate and license
After the installation completes, if you selected different systems for the Log servers and Management systems, you'll need to install a certificate for the Log server. This will allow the Log server and Management system to trust each other to send data from one to the other using encryption. After installing the certificate, log in to the StoneGate Management system using the Superuser account and accept the certificate. The Management system will perform a key exchange with the Log server, and then it will start the license manager.
4. Define and configure the firewall/VPN properties
The StoneGate system uses firewall clustering to ensure failover. To do this, StoneGate employs multiple firewall engines; should one engine fail, another will pick up with little delay. Stonesoft has made the administration of this system simple so you won't have to configure each firewall engine individually. From the StoneGate LaunchPad, click on Network Elements from within the Manage drop-down list. Then, click on the Network icon to bring up the Network Manager Properties screen where you'll define and configure the VPN endpoints.
From the Network Manager Properties screen, click on Single Firewall Properties. I suggest that you name this firewall by its geographic location, such as San Francisco. You'll be prompted to put in the Log server's IP address. On the next screen, where you enter the information unique to your NIC, click the Add Interface button. Enter the appropriate IP address and netmask. Since this interface configuration is the first and primary endpoint, click the Management check box and select the Primary check box.
5. Define the NIC interfaces
Because firewall/VPNs require two interfaces (one for external networking and one for internal networking), you'll need to add an additional interface. Enter the second interface the same way you did the first one, though you will of course need a separate IP address. Deselect the Primary check box, since you're still on the primary endpoint (and haven't entered the address of the system that will serve as the failover backup yet). Since this NIC is the external card, deselect the Management box so no one can get administrative access from the outside. Now click OK.
Your site license is based on the number of IP addresses you have assigned to your company/site, but you're allowed to exclude the second IP address toward the total count. From the Network Element Manager, select the Routing View from the View drop-down box, right-click on one of the NICs, and select Exclude From IP Counting. StoneGate suggests you do this to save your organization some licensing fees.
After you define the network interfaces, you will be returned to the StoneGate Control Panel (the main window). Right-click on the endpoint you just defined and select Save Initial Configuration.
6. Install the firewall/VPN engine
Next you will need to install the firewall/VPN engine on the endpoint systems. Pop in the StoneGate CD-ROM, and when the system boots, press [Enter] at the boot prompt. You'll be presented with the release notes and the keyboard configuration menu. Choose your keyboard language and then you can begin the disk partitioning.
You'll first be prompted to Initialize And Activate The Swap Partition. When partitioning any disk, it's a good idea to configure twice as much RAM as you have on your system for your Swap area. Press [Enter], which will bring you to the screen where you'll select which partition to use for Swap. You should find only one option that looks something like /dev/hda1: Linux Swap.
Another option will allow the installer to check the system for bad blocks. To be safe, ask it to perform the scan, because it would be quite problematic to try to run a VPN on a system with bad blocks. If the bad block scan comes out clean, select Yes to initialize the partition. If the scan doesn’t come back clean, I would suggest using a different drive.
Next you'll be asked if you want to mount the root partition, and you should select Yes. You'll begin installing the hardened Linux OS from the next screen, which is titled StoneGate Gateway Installation Main Menu. From there, select Initialize Operating System Kernel And Modules. You should select CD-ROM as your installation medium and click Continue.
You'll then need to configure the device drivers. From the StoneGate Gateway Installation Main Menu, select Configure Device Driver Modules. The installation program will know what drivers to configure. When it's finished, select Exit, which will return you to the previous menu.
From that menu, select Configure The Hostname, enter a descriptive name, and click OK. Then, select Configure The Base System, select the proper time zone, and press [Enter].
On the next screen, select the proper boot option, which is Make Linux Bootable Directly From Hard Disk. Otherwise, the system will require a boot disk to start. You'll pass through a few more screens that are all straightforward Linux installation configurations.
New to installing Linux? If so, check out Ed Gold’s article “Linux installation made easy.”
The next screen unique to the Stonesoft install will be the StoneGate Task Installer, which will give you two choices:
- StoneGate Gateway SMP
- StoneGate Gateway Uniprocessor
You'll want to select the option for symmetric multiprocessing (SMP) if your system has two or more CPUs. Otherwise, choose the uniprocessor option and click Finish. All the Linux components required to build the firewall/VPN engine will then be installed.
You'll need to reboot the system to begin configuring the network components. When the system reboots, you'll be prompted to choose the network driver appropriate for your system from a list of choices. Click OK, and then click Yes when asked if you want to install the network driver in the kernel. Next, enter the system's IP address and netmask. StoneGate will then calculate a broadcast address.
Your VPN will then be ready to contact the Management system. You'll be asked, Do You Want To Make The Initial Configuration Active? Answer Yes. Also answer Yes when asked if you want to contact the Management system on bootup.
You'll need to confirm the Management system's IP address. Then, you'll be good to go.
The engine will verify the integrity of the connection to the Management system with a one-time password, the SSL fingerprint of the Management system. This password is used once and only once, and it verifies the validity of the SSL fingerprint on the Management system. On the Management system, use the show fingerprint command to obtain the fingerprint, and insert it on the line that asks for the one-time password. The fingerprint will be something like sWF3S413.
This one-time password will allow the verification of the engine's identity with the Management system and will execute a key exchange necessary to begin encrypted communications. Going forward, the Management system will be able to identify from this fingerprint which node is contacting it.
Your endpoint is now set up.
There are a few more things you'll want to do, such as selecting which encryption algorithms you want the VPN tunnel to use and creating VPN access rules (similar to firewall rules) to specify which users should be able to access which resources and when.
For more information
To see how typical Linux firewall rules are written, take a look at Jack Wallen, Jr.'s article “ipchains: A painless way to ensure networking security” and Vincent Danen’s “Migrating from ipchains to iptables.”
You now have your firewall/VPN set up and running. All that is left is to configure your clients to connect to the service, which should be a simple task for most network admins. And don’t forget to check the Log Browser any time you need to monitor the VPN traffic passing back and forth on your network.