NITO User Guide

Nomadix publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Nomadix Internet Traffic Optimizer (NITO). No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Nomadix.

Nomadix and the Nomadix Pinwheel Design Logo are registered trademarks of Nomadix, Inc. Smoothwall is a registered trademark of Smoothwall Ltd. Microsoft, Active Directory, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 are either registered trademarks or trademarks of Microsoft Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Apple, Mac, iPad and iPhone are registered trademarks of Apple Computer Inc. Android is a trademark of Google Inc. eDirectory is a trademark of Novell, Inc. Linux is a trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire, Inc. Intel and Core are registered trademarks of Intel Corporation. VIPRE is a registered trademark of GFI Software. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the US, UK and/or other countries.

Copyright © 2012 Smoothwall Ltd. All Rights Reserved.

Trademarks
The Nomadix symbol and Nomadix Service Engine™ are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their respective holders.

Product Information
Telephone: +1.818.597.1500
Fax: +1.818.597.1502
Write your product serial number in this box:

Disclaimer
Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc. products.

WARNING / CAUTION: Risk of electric shock; do not open; no user-serviceable parts inside. Read the instruction manual prior to operation.
WARNING (French): Risk of electric shock; do not open; do not attempt to disassemble the device.
WARNING (German): Do not open; electrical components inside.
WARNING (Spanish): Risk of electric shock. Do not open. No user-configurable parts inside.
ATTENTION (French): Read the operating instructions before use.
CAUTION (German): Read the manual before putting the device into operation.
CAUTION (Spanish): Read the instruction manual before starting the equipment.

30851 Agoura Rd, Suite 102, Agoura Hills, CA 91301 USA (head office)

Table of Contents

Chapter 1: Introduction ..... 1
    Overview of NITO ..... 1
    Who should read this guide? ..... 1
    Other Documentation and User Information ..... 1
Chapter 2: NITO Overview ..... 3
    Accessing NITO ..... 3
    Dashboard ..... 4
    Logs and reports ..... 4
    Networking ..... 6
    Services ..... 8
    System ..... 9
    Guardian ..... 12
    Web Proxy ..... 14
    Configuration Guidelines ..... 15
    Connecting via the Console ..... 17
    Secure Communication ..... 18
Chapter 3: Working with Interfaces ..... 19
    Managing Network Interfaces ..... 19
    Changing the IP Address ..... 20
    About Connection Methods and Profiles ..... 21
    Creating a Connection Profile ..... 21
    Creating a PPP Profile ..... 27
    Modifying Profiles ..... 28
    Deleting Profiles ..... 29
Chapter 4: Managing Your Network Infrastructure ..... 31
    Creating Subnets ..... 31
    Using RIP ..... 32
    Sources ..... 34
    Ports ..... 35
    Creating an External Alias Rule ..... 36
    Creating a Source Mapping Rule ..... 38
    Managing Internal Aliases ..... 39
    Working with Secondary External Interfaces ..... 40
Chapter 5: General Network Security Settings ..... 43
    Blocking by IP ..... 43
    Configuring Advanced Networking Features ..... 44
    Enabling Traffic Auditing ..... 46
    Working with Port Groups ..... 47
Chapter 6: Configuring Inter-Zone Security ..... 51
    About Zone Bridging Rules ..... 51
    Creating a Zone Bridging Rule ..... 51
    Editing and Removing Zone Bridge Rules ..... 53
    A Zone Bridging Tutorial ..... 53
    Group Bridging ..... 55
Chapter 7: Managing Inbound and Outbound Traffic ..... 59
    Introduction to Port Forwards – Inbound Security ..... 59
    Advanced Network and Firewall Settings ..... 61
    Outbound Access ..... 63
    Managing External Services ..... 68
    Assigning Rules to Groups ..... 69
Chapter 8: Deploying Web Filtering ..... 71
    Getting Up and Running ..... 71
    About NITO’s Default Policies ..... 75
Chapter 9: Working with Policies ..... 77
    An Overview of Policies ..... 77
    Working with Category Group Objects ..... 80
    Working with Time Slot Objects ..... 84
    Working with Location Objects ..... 85
    Working with Quota Objects ..... 86
    Managing Web Filter Policies ..... 88
    Managing HTTPS Inspection Policies ..... 92
    Managing Content Modification Policies ..... 97
    Working with Policy Folders ..... 100
    Censoring Web Form Content ..... 101
Chapter 10: Managing Authentication Policies ..... 105
    About Authentication Policies ..... 105
    Creating Authentication Policies ..... 105
    Managing Authentication Policies ..... 113
    Managing Authentication Exceptions ..... 114
    Identification by Location ..... 114
    Connecting to NITO ..... 115
    Authentication Scenarios ..... 117
Chapter 11: Managing Web Security ..... 119
    Overview of NITO’s Web Proxy ..... 119
    Using PAC Scripts ..... 124
    Limiting Bandwidth ..... 126
    Configuring WCCP ..... 128
    Managing Upstream Proxies ..... 129
    Managing Blocklists ..... 136
    Managing Block Pages ..... 137
Chapter 12: NITO Alerts, Logs and Reports ..... 143
    About Alerts ..... 143
    Realtime Web Filter Information ..... 145
    Web Filter Logs ..... 146
    Guardian Reports ..... 148
Chapter 13: NITO Services ..... 149
    Working with User Portals ..... 149
    SNMP ..... 155
    DNS ..... 156
    Censoring Instant Message Content ..... 157
    Managing the Intrusion System ..... 163
    DHCP ..... 168
Chapter 14: Authentication and User Management ..... 177
    Managing Local Users ..... 177
    Managing Temporarily Banned Users ..... 180
    Viewing User Activity ..... 181
    Authenticating Users with SSL Login ..... 182
    Managing Kerberos Keytabs ..... 185
    Managing Groups of Users ..... 186
    Configuring Authentication Settings ..... 188
    Managing the Authentication System ..... 197
Chapter 15: Reporting ..... 201
    Accessing Reporting ..... 202
    Generating Reports ..... 202
    Scheduling Reports ..... 205
    Managing Report Data ..... 206
    Managing Disk Space ..... 207
Chapter 16: Managing Your NITO ..... 211
    Managing Updates ..... 211
    Managing Modules ..... 213
    Licenses ..... 214
    Archives ..... 214
    Scheduling ..... 216
    Shutting down and Rebooting ..... 219
    Shell Access ..... 220
    Setting System Preferences ..... 220
    Configuring Administration and Access Settings ..... 224
    Hardware ..... 228
    Managing Hardware Failover ..... 232
    Configuring Modems ..... 236
    Installing and Uploading Firmware ..... 238
    Diagnostics ..... 238
    Managing CA Certificates ..... 242
Chapter 17: Centrally Managing Nomadix Systems ..... 245
    About Centrally Managing Nomadix Systems ..... 245
    Setting up a Centrally Managed Nomadix System ..... 246
    Managing Nodes in a Nomadix System ..... 250
Chapter 18: Information, Alerts and Logging ..... 255
    About the Dashboard ..... 255
    About the About Page ..... 255
    Alerts ..... 256
    Realtime ..... 261
    Logs ..... 264
    Configuring Log Settings ..... 271
    Configuring Groups ..... 274
    Configuring Output Settings ..... 276
Appendix A: Authentication ..... 281
    Overview ..... 281
    NITO and DNS ..... 282
    Working with Large Directories ..... 283
    Active Directory ..... 283
    About Kerberos ..... 284
Appendix B: Understanding Templates and Reports ..... 285
    Programmable Drill-Down Looping Engine ..... 285
    Reporting Folders ..... 295
    Scheduling Reports ..... 299
    Reporting Sections ..... 300
Appendix C: Hosting Tutorials ..... 309
    Basic Hosting Arrangement ..... 309
    Extended Hosting Arrangement ..... 310
    More Advanced Hosting Arrangement ..... 311
Glossary ..... 315
Index ..... 323

Chapter 1: Introduction

In this chapter:
• An overview of NITO
• Who should read this guide
• Support information.

Overview of NITO
Nomadix Internet Traffic Optimizer (NITO) delivers a complete Unified Threat Management solution in a single, powerful, state-of-the-art appliance. NITO provides:
• Firewall: stateful packet inspection with Layer 7 content analysis and Intrusion Detection
• Web security: content filtering and browser exploit detection
NITO’s powerful hardware supports the processor- and system-intensive web content analysis functions on-box, rather than compromising effectiveness by using less demanding off-box solutions.

Who should read this guide?
System administrators maintaining and deploying NITO should read this guide.

Other Documentation and User Information
Apart from this guide, the following documentation is available:
• http://www.nomadix.com/support_overview.php contains support, self-help and training information as well as product updates and the latest product manuals.

Chapter 2: NITO Overview

In this chapter:
• How to access NITO
• An overview of the pages used to configure and manage NITO.

Accessing NITO
1. In the browser of your choice, enter the address of your NITO, for example: https://192.168.110.1:441

Note: The example address above uses HTTPS to ensure secure communication with your NITO. It is possible to use HTTP on port 81 if you are satisfied with less security.
Note: The following sections assume that you have registered and configured NITO as described in the NITO Getting Started Guide. To access NITO: 1. Accept NITO’s certificate.The login screen is displayed. 2. Enter the following information: Field Information Username Enter admin This is the default NITO administrator account. Password Enter nomadix This is the default NITO password. 3 NITO Overview Dashboard 3. Click Login. The Dashboard opens. The following sections give an overview of NITO’s default sections and pages. Dashboard The dashboard is the default home page of your NITO system. It displays a to-do list for getting started, service information and a customizable number of summary reports. Logs and reports The Logs and reports section contains the following sub-sections and pages: Reports Pages 4 Description Summary Displays a number of generated reports. For more information, see Chapter 15, About the Summary Page on page 201. Reports Where you generate and organize reports. For more information, see Chapter 15, Generating Reports on page 202. Recent and saved Lists recently-generated and previously saved reports. For more information, see Chapter 15, Saving Reports on page 202. Scheduled Sets which reports are automatically generated and delivered. For more information, see Chapter 15, Scheduling Reports on page 205. Custom Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 285. Nomadix NITO User Guide Alerts Pages Description Alerts Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 18, Alerts on page 256. Alert settings Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 18, Configuring Alert Settings on page 257. Realtime Pages Description System A realtime view of the system log with some filtering options. 
For more information, see Chapter 18, System Information on page 261. Firewall A realtime view of the firewall log with some filtering options. For more information, see Chapter 18, Firewall Information on page 262. Portal A realtime view of activity on user portals. For more information, see Chapter 18, Portal Information on page 263. Web filter A realtime version of the web filter log viewer with some filtering options. For more information, see Chapter 12, Realtime Web Filter Information on page 145. Traffic graphs Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 18, Traffic Graphs on page 263. Logs Pages Description System Simple logging information for the internal system services. For more information, see Chapter 18, System Logs on page 265. Firewall Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 18, Firewall Logs on page 266. IDS Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 18, IDS Logs on page 269. IPS Displays network traffic detected by the intrusion detection system (IPS). For more information, see Chapter 18, IPS Logs on page 270. Web filter Displays detailed analysis of web proxy and filtering activity. For more information, see Chapter 12, Web Filter Logs on page 146. User portal Displays information on access by users to portals. For more information, see Chapter 18, User Portal Logs on page 271. 5 NITO Overview Networking Pages Log settings Description Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Chapter 18, Configuring Log Settings on page 271. Settings Pages Description Database settings Settings to manage the database storing NITO report data. For more information, see Chapter 15, Managing Report Data on page 206. 
Database backup Enables you to back-up and restore report data as well as optimize, empty and prune databases. For more information, see Chapter 15, Backing up Data on page 209. Groups Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 18, Configuring Groups on page 274. Output settings Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 18, Configuring Output Settings on page 276. Networking The Networking section contains the following sub-sections and pages: Filtering Pages Description Zone bridging Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 51. Group bridging Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 55. IP block Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 43. Routing Pages Subnets 6 Description Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 31. Nomadix NITO User Guide Pages Description RIP Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 32. Sources Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 34. Ports Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 35. 
Interfaces
  Interfaces: Configure and display information on your NITO’s internal interfaces. For more information, see Chapter 3, Managing Network Interfaces on page 19.
  Internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 39.
  External aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 36.
  Connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Creating a Connection Profile on page 21.
  PPP: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 27.
  Secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 40.

Firewall
  Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards – Inbound Security on page 59.
  Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 38.
  Advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 61.

Outgoing
  Sources: Used to assign outbound access controls to IP addresses and networks.
  For more information, see Chapter 7, Source Rules on page 66.
  Groups: Used to assign outbound access controls to authenticated groups of users. For more information, see Chapter 7, Assigning Rules to Groups on page 69.
  Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Outbound Access on page 63.
  External services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 68.

Settings
  Port groups: Create and edit groups of ports for use throughout NITO. For more information, see Chapter 5, Working with Port Groups on page 47.
  Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 44.

Services

The Services section contains the following sub-sections and pages:

Authentication
  Control: Used to view the current status of the authentication system, and to restart and stop the service. It also allows diagnostic tests to be performed against different areas of the authentication service. For more information, see Chapter 14, Authentication and User Management on page 177.
  Settings: Used to set global login time settings. For more information, see Chapter 14, Configuring Authentication Settings on page 188.
  Groups: Used to customize group names. For more information, see Chapter 14, Managing Groups of Users on page 186.
  Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 14, Managing Temporarily Banned Users on page 180.
  Local users: Used to add, import and export user profiles (for example, usernames and passwords) to and from the system’s own local user database. For more information, see Chapter 14, Managing Local Users on page 177.
  User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 14, Viewing User Activity on page 181.
  SSL login: Used to customize the end-user login page. For more information, see Chapter 14, Enabling SSL Login on page 183.
  Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185.

User Portal
  Portals: This page enables you to configure and manage user portals. For more information, see Chapter 13, Working with User Portals on page 149.
  Groups: This page enables you to assign groups of users to portals. For more information, see Chapter 13, Assigning Groups to Portals on page 153.
  User exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 13, Making User Exceptions on page 153.

Message Censor
  Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 13, Creating and Applying Message Censoring Policies on page 161.
  Filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 13, Creating Filters on page 160.
  Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 13, Setting Time Periods on page 159.
  Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 13, Managing Custom Categories on page 157.

System

The System section contains the following sub-sections and pages:

Maintenance
  Updates: Used to display and install available product updates, in addition to listing currently installed updates.
  For more information, see Chapter 16, Managing Updates on page 211.
  Modules: Used to upload, view, check, install and remove NITO modules. For more information, see Chapter 16, Managing Modules on page 213.
  Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 16, Licenses on page 214.
  Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 16, Archives on page 214.
  Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 16, Scheduling on page 216.
  Shutdown: Used to shut down or reboot the system. For more information, see Chapter 16, Shutting down and Rebooting on page 219.
  Shell: Used to access NITO’s system console via a Java-based SSH shell. For more information, see Chapter 16, Shell Access on page 220.

Central Management
  Overview: This is where you monitor nodes and schedule updates in a Nomadix system. For more information, see Chapter 17, Managing Nodes in a Nomadix System on page 250.
  Child nodes: This is where you add and configure nodes in a Nomadix system. For more information, see Chapter 17, Configuring Child Nodes on page 247.
  Local node settings: This is where you configure a node to be a parent or child in a Nomadix system and manage central management keys for use in the system. For more information, see Chapter 17, Setting up a Centrally Managed Nomadix System on page 246.

Preferences
  Time: Used to set NITO’s time zone, date and time settings. For more information, see Chapter 16, Setting Time on page 221.
  Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Nomadix.
  For more information, see Chapter 16, Configuring Registration Options on page 223.
  Hostname: Used to configure NITO’s hostname. For more information, see Chapter 16, Configuring the Hostname on page 224.

Administration
  Admin options: Used to enable secure access to NITO using SSH, and to enable referral checking. For more information, see Chapter 16, Configuring Admin Access Options on page 225.
  External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer NITO. For more information, see Chapter 16, Configuring External Access on page 226.
  Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 16, Administrative User Settings on page 227.

Hardware
  UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 16, UPS Settings on page 228.

Diagnostics
  Configuration tests: Used to ensure that your current NITO settings are not likely to cause problems. For more information, see Chapter 16, Diagnostics on page 238.
  Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 16, Generating Diagnostics on page 239.
  IP tools: Contains the ping and traceroute IP tools. For more information, see Chapter 16, IP Tools on page 240.
  Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 16, Whois on page 240.
  Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 16, Analyzing Network Traffic on page 241.
Guardian

The Guardian section contains the following sub-sections and pages:

Quick Links
  Getting started: This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Chapter 9, Guardian Getting Started on page 80.
  Shortcuts: This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see Chapter 8, About Shortcuts on page 75.
  Quick block/allow: This page enables you to block or allow content immediately. For more information, see Chapter 8, Blocking and Allowing Content Immediately on page 72.

Web Filter Policies
  Manage policies: This is where you manage how web filtering policies are applied. For more information, see Chapter 9, Managing Web Filter Policies on page 88.
  Policy wizard: This is where you can configure a custom web filtering policy. For more information, see Chapter 9, Creating Web Filter Policies on page 89.
  Location blocking: Enables you to block computers at a specific location from accessing web content. For more information, see Chapter 8, Blocking Locations on page 72.
  Exceptions: Here you can exempt computers from any web filtering. For more information, see Chapter 8, Excepting Computers from Web Filtering on page 73.
  Outgoing: This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Chapter 9, Censoring Web Form Content on page 101.

HTTPS Inspection Policies
  Manage policies: This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Chapter 9, Managing HTTPS Inspection Policies on page 92.
  Policy wizard: This is where you create custom policies for managing encrypted communications.
  For more information, see Chapter 9, Creating an HTTPS Inspection Policy on page 93.
  Settings: This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Chapter 9, Configuring HTTPS Inspection Policy Settings on page 95.

Content Modification Policies
  Manage policies: This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Chapter 9, Managing Content Modification Policies on page 97.
  Policy wizard: Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Chapter 9, Creating a Content Modification Policy on page 98.

Block Page Policies
  Manage policies: This is where you manage block page policies. For more information, see Chapter 11, Managing Block Page Policies on page 141.
  Policy wizard: This is where you create and edit block page policies. For more information, see Chapter 11, Configuring a Block Page Policy on page 140.
  Block pages: This is where you create and edit block pages. For more information, see Chapter 11, Managing Block Pages on page 137.

Policy Objects
  Category groups: This is where you manage content categories used when applying a web filtering policy. For more information, see Chapter 9, Working with Category Group Objects on page 80.
  User defined: This is where you manage custom content categories. For more information, see Chapter 9, Defining Categories on page 81.
  Time slots: This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Chapter 9, Working with Time Slot Objects on page 84.
  Locations: This is where you create and manage location policy objects for use in content filtering policies.
  For more information, see Chapter 9, Working with Location Objects on page 85.
  Quotas: This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Chapter 9, Working with Quota Objects on page 86.

Web Proxy

The Web proxy section contains the following sub-sections and pages:

Web Proxy
  Settings: This is where you configure and manage web proxy settings. For more information, see Chapter 11, Overview of NITO’s Web Proxy on page 119.
  Automatic configuration: This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Chapter 11, Using PAC Scripts on page 124.
  Bandwidth limiting: This is where you can manage how much bandwidth is made available to clients. For more information, see Chapter 11, Limiting Bandwidth on page 126.
  WCCP: This is where you can configure NITO to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Chapter 11, Configuring WCCP on page 128.

Upstream Proxy
  Manage policies: This is where you manage upstream proxy policies. For more information, see Chapter 11, Working with Multiple Upstream Proxies on page 134.
  Proxies: This is where you configure upstream proxy settings. For more information, see Chapter 11, Configuring an Upstream Proxy on page 130.
  Filters: This is where you manage upstream proxy source and destination filters. For more information, see Chapter 11, Configuring Source and Destination Filters on page 131.

Authentication
  Manage policies: This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 10, Managing Authentication Policies on page 113.
  Policy wizard: This is where you create and edit authentication policies.
  For more information, see Chapter 10, Creating Authentication Policies on page 105.
  Exceptions: This is where you can exempt content from authentication. For more information, see Chapter 10, Managing Authentication Exceptions on page 114.
  Ident by location: This is where you configure identification of groups and/or users by their location. For more information, see Chapter 10, Identification by Location on page 114.

MobileProxy
  Settings: On this page, you configure global MobileProxy server settings. For more information, see Chapter 9, Enabling MobileProxy on page 91.
  Proxies: On this page, you manage MobileProxy servers for use with mobile devices. For more information, see Chapter 9, Specifying MobileProxy Servers on page 92.
  Exceptions: On this page, you specify proxy exceptions. For more information, see Chapter 9, Configuring Proxy Exceptions on page 93.

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. The following format is used:
  192.168.10.1

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
  192.168.10.1-192.168.10.20
  192.168.10.1-192.168.12.255

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
  192.168.10.0/255.255.255.0
  192.168.10.0/24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use.
Examples:
  255.255.255.0
  255.255.0.0
  255.255.248.0

Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well-known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
  21
  7070

Port Range
A port range can be entered into most User defined port fields to describe a sequential range of communication ports, from low to high. The following format is used:
  137:139

Using Comments

Almost every configurable aspect of NITO can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against the configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of NITO is configured by creating rules – for example, IP block rules and administration access rules.

Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created.
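The address and port formats listed under Specifying Networks, Hosts and Ports above (single IP, low-high range, address/mask or address/prefix subnet, dotted netmask, port and low:high port range) can be checked before they are typed into a rule. The following Python validator is an added example written against the guide's formats; it is not part of NITO or of the original text. Two constraints are assumptions the guide does not state: ports are taken to lie in 1 to 65535, and a netmask must be a run of one bits followed by zero bits. The sample values are the guide's own examples plus a few constructed invalid ones.

```python
"""Validator for the address and port formats described under Specifying
Networks, Hosts and Ports (added example, not part of NITO)."""
import ipaddress
from typing import Optional, Tuple

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
PortRange = Tuple[int, int]


def parse_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Single host, e.g. 192.168.10.1. Returns None on any malformed input."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None


def parse_ip_range(text: str) -> Optional[IPv4Range]:
    """low-high, e.g. 192.168.10.1-192.168.12.255. The range may span
    subnets, but it must run from low to high."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        return None
    low, high = parse_ip(low_s), parse_ip(high_s)
    if low is None or high is None or low > high:
        return None
    return low, high


def parse_netmask(text: str) -> Optional[int]:
    """Dotted netmask, e.g. 255.255.248.0, returned as a prefix length.
    Assumption: the mask must be a run of one bits followed by zero bits,
    so a mask such as 255.0.255.0 is rejected."""
    mask = parse_ip(text)
    if mask is None:
        return None
    bits = int(mask)
    prefix = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return prefix if bits == contiguous else None


def parse_subnet(text: str) -> Optional[ipaddress.IPv4Network]:
    """address/netmask or address/prefix. The guide allows an arbitrary
    address inside the subnet, so 192.168.10.7/24 normalises to 192.168.10.0/24."""
    addr_s, sep, mask_s = text.partition("/")
    if not sep:
        return None
    addr = parse_ip(addr_s)
    if addr is None:
        return None
    if "." in mask_s:
        prefix = parse_netmask(mask_s)
    elif mask_s.isdigit() and 0 <= int(mask_s) <= 32:
        prefix = int(mask_s)
    else:
        prefix = None
    if prefix is None:
        return None
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_port(text: str) -> Optional[int]:
    """Numeric port as typed into a User defined field. Assumption: 1..65535."""
    text = text.strip()
    if not text.isdigit():
        return None
    port = int(text)
    return port if 1 <= port <= 65535 else None


def parse_port_range(text: str) -> Optional[PortRange]:
    """low:high, e.g. 137:139, running from low to high."""
    low_s, sep, high_s = text.partition(":")
    if not sep:
        return None
    low, high = parse_port(low_s), parse_port(high_s)
    if low is None or high is None or low > high:
        return None
    return low, high


def classify(text: str) -> Tuple[str, object]:
    """Identify which of the guide's formats a field value uses. A bare dotted
    quad is reported as an IP address; whether a page treats it as a netmask
    depends on the field, so netmasks are parsed separately with parse_netmask."""
    text = text.strip()
    parsers = (("ip", parse_ip), ("ip_range", parse_ip_range), ("subnet", parse_subnet),
               ("port", parse_port), ("port_range", parse_port_range))
    for kind, parser in parsers:
        parsed = parser(text)
        if parsed is not None:
            return kind, parsed
    return "invalid", None


if __name__ == "__main__":
    # The guide's own example values plus one constructed reversed range.
    for value in ("192.168.10.1", "192.168.10.1-192.168.12.255", "192.168.10.0/255.255.255.0",
                  "192.168.10.0/24", "21", "7070", "137:139", "192.168.10.20-192.168.10.1"):
        print(f"{value:32} -> {classify(value)}")
```

Reversed ranges (high before low) and non-contiguous masks are rejected rather than silently reordered, which is the safer behaviour for a firewall rule field: a value that does not parse should be fixed by the administrator, not guessed at.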
On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, and so on.

Connecting via the Console

You can access NITO via a console using the Secure Shell (SSH) protocol.

Note: By default, NITO only allows SSH access if it has been specifically configured. See Chapter 16, Configuring Admin Access Options on page 225 for more information.

Connecting Using a Client
When SSH access is enabled, you can connect to NITO via a secure shell application, such as PuTTY, or from the System > Maintenance > Shell page.

To connect using an SSH client:
1. Check SSH access is enabled on NITO. See Chapter 16, Configuring Admin Access Options on page 225 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
   Host Name (or IP address): Enter NITO’s host name or IP address.
   Port: Enter 222.
   Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the NITO command line.

Connecting Using Web-based SSH
To connect via the web-based SSH:
1. Navigate to the System > Maintenance > Shell page.
2. Enter the username root, and the password associated with it. As the root user, you will access the NITO command line.

Secure Communication

When you connect your web browser to NITO’s web-based interface on an HTTPS port for the first time, your browser will display a warning that NITO’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or that you are connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, NITO’s certificate is a self-signed certificate.

Note: The data traveling between your browser and NITO is secure and encrypted.
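The two warnings this section describes, an issuer the browser does not trust and a site name that does not match the address typed into the browser, are separate checks and can fail independently. The Python below tells them apart; it is an added example, not part of the original guide or of NITO. It runs offline against constructed dictionaries shaped like the one Python's ssl module returns from getpeercert(); the host name nito.example.internal and the issuer names are placeholders. Importing NITO's certificate into the browser, the fix the guide describes, is modelled as adding that certificate's own subject to the set of trusted issuers.

```python
"""Tell apart the two HTTPS warnings described above: an issuer the browser
does not trust, and a site name that does not match the address in the
browser (added example, not part of NITO)."""
import ipaddress
from typing import FrozenSet, List, Tuple

# Certificates are described the way ssl.SSLSocket.getpeercert() returns them:
# subject and issuer are tuples of relative distinguished names. Both records
# below are constructed stand-ins; host names and issuer names are placeholders.
Name = Tuple[Tuple[Tuple[str, str], ...], ...]

SELF_SIGNED_CERT = {
    "subject": ((("commonName", "nito.example.internal"),),),
    "issuer": ((("commonName", "nito.example.internal"),),),
    "subjectAltName": (("DNS", "nito.example.internal"),),
}

CA_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

# What a browser ships with: issuers it already trusts. Importing NITO's
# self-signed certificate adds that certificate's own subject to this set.
BROWSER_TRUST_STORE: FrozenSet[Name] = frozenset({CA_SIGNED_CERT["issuer"]})


def is_self_signed(cert: dict) -> bool:
    """A self-signed certificate names itself as issuer."""
    return cert["subject"] == cert["issuer"]


def issuer_is_trusted(cert: dict, trust_store: FrozenSet[Name]) -> bool:
    """The 'unknown entity' check: the issuer must be in the trust store, so a
    self-signed certificate passes only once that certificate has been imported."""
    return cert["issuer"] in trust_store


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive match, or a single leading wildcard label that
    stands in for exactly one label (*.example.com covers mail.example.com but
    neither example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def name_matches(cert: dict, requested: str) -> bool:
    """The 'inconsistent site address' check. An IP address typed into the
    browser is compared only with IP Address entries in the certificate, never
    with DNS names, which is why a hostname-only certificate fails when the
    appliance is reached by IP address."""
    san = cert.get("subjectAltName", ())
    try:
        wanted = ipaddress.ip_address(requested)
    except ValueError:
        wanted = None
    if wanted is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:  # fall back to the commonName only when there is no SAN
        dns_names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(pattern, requested) for pattern in dns_names)


def explain_warnings(cert: dict, requested: str, trust_store: FrozenSet[Name]) -> List[str]:
    """Which of the guide's two warnings a browser would raise, in order."""
    warnings = []
    if not issuer_is_trusted(cert, trust_store):
        warnings.append("unknown_issuer")
    if not name_matches(cert, requested):
        warnings.append("name_mismatch")
    return warnings


if __name__ == "__main__":
    imported = BROWSER_TRUST_STORE | {SELF_SIGNED_CERT["subject"]}
    for host in ("nito.example.internal", "192.168.10.1"):
        print(host, "before import:", explain_warnings(SELF_SIGNED_CERT, host, BROWSER_TRUST_STORE))
        print(host, "after import: ", explain_warnings(SELF_SIGNED_CERT, host, imported))
```

Running the demo shows the point the guide makes in the next two subsections: importing the certificate clears only the issuer warning, and reaching the appliance by IP address still trips the name check because the certificate carries the hostname alone.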
To remove this warning, your web browser needs to be told to trust certificates generated by NITO. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if NITO’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in NITO’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.

To remove this warning, access NITO using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning, which will also skip these security checks in the future.

Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.

3 Working with Interfaces

In this chapter:
• How to manage NITO’s network interfaces.

Managing Network Interfaces

You can configure and review network interfaces on NITO’s internal interfaces page.

To access interface settings:
1. Browse to the Networking > Interfaces > Interfaces page.

The following settings for your NITO’s interface are available:
  Default interface: A drop-down list of the current interfaces available.
  Primary DNS: If NITO is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, NITO and DNS on page 282.
  Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.
Changing the IP Address

If required, it is possible to change NITO’s IP address.

To change the IP address:
1. On the Networking > Interfaces > Interfaces page, locate the interface in the Default interface drop-down list and, in the appropriate Settings area, enter the following settings:
   IP address: Enter the IP address you want NITO to use on your internal network.
   Netmask: If required, enter the netmask NITO should use on your internal network.
2. Browse to the bottom of the page. Click Save to save the changes and then click Restart to restart networking.
   Note: Restarting the networking system can take some time and may interrupt some services.
3. After 15 seconds, in your browser’s address field, enter the new IP address. When prompted, enter your user name and password. NITO now uses the new IP address.

Interfaces
Here you can review all the settings for your NITO interfaces.

Tip: Clicking the graph takes you to the relevant interface report.

Restarting Networking
Several key changes may affect the connectivity of NITO. For this reason, most changes are only applied when networking is restarted.

To restart networking:
1. Click Restart.

Note: Restarting networking can take some time and may interrupt some services.

About Connection Methods and Profiles

NITO supports the following connection methods:
  Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by NITO.
  Modem: An internal or external modem connected to the Internet via an ISP, controlled by NITO.
  Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by NITO.

Up to five different connections to the Internet can be defined, each stored in its own connection profile. Each connection profile defines the type of connection that should be used and the appropriate settings.
About Connection Profiles for Modems

PPP Profiles
Connection profiles for modems, including ISDN, and Ethernet/modem hybrid devices use an additional profile: a Point-to-Point Protocol (PPP) profile. A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles for ISPs that support a range of access technologies authenticated via the same user account.

Modem Profiles
A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.

Creating a Connection Profile

The following sections explain how to create a connection profile. When creating a connection profile, you configure the global settings, including the connection method, and then configure the method-specific settings.

Configuring Global Settings
To configure global settings:
1. Navigate to the Networking > Interfaces > Connectivity page.
2. Configure the following settings:
   Profiles: Select Empty from the drop-down list and click Select.
   Profile name: Enter a name for the connection profile.
   Method: Choose the connection method from the drop-down list. Options include:
     Static Ethernet – for more information, see Configuring a Static Ethernet Connection on page 23.
     DHCP Ethernet – for more information, see Configuring a DHCP Ethernet Connection on page 24.
     PPP over Ethernet – for more information, see Configuring a PPP over Ethernet Connection on page 24.
     PPTP over Ethernet – for more information, see Configuring a PPTP over Ethernet Connection on page 25.
     ADSL Modem – for more information, see Configuring an ADSL/DSL Modem Connection on page 25.
     ISDN TA – for more information, see Configuring an ISDN Modem Connection on page 26.
     Modem – for more information, see Configuring a Dial-up Modem Connection on page 27.
   Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
   Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
   Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
     Note: Using this option, you can daisy-chain profiles to use if NITO cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
   Primary failover ping IP: Enter an IP address that is known to be contactable if the external connection is operating correctly. If neither the primary nor the secondary IP address can be contacted, the connection will fail over, provided another profile has been chosen in the Automatic failover to profile drop-down menu.
   Secondary failover ping IP: Optionally, enter a secondary IP address that is known to be contactable if the external connection is operating correctly. If neither the primary nor the secondary IP address can be contacted, the connection will fail over, provided another profile has been chosen in the Automatic failover to profile drop-down menu.
   Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
     Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
   Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
     Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
   Weighting: Select from the drop-down list to assign a weight to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
3. Click Update to display further method-specific settings in the settings area.
4. At this point, click Save, as configuration on other pages may be necessary for some connection methods, for example PPP and modem profiles. To complete the connection profile, refer to the method-specific sections in the remainder of this chapter.

Configuring a Static Ethernet Connection
A static Ethernet connection enables NITO to use a static IP address, as assigned by your ISP.

To create a static Ethernet connection:
1. Configure the global settings and select Static Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.
2. In the Static Ethernet settings area, configure the following settings:
   Interface: From the drop-down list, select the Ethernet interface for this connection.
   Default gateway: Enter the default gateway IP address as provided by your ISP.
   Address: Enter the static IP address provided by your ISP.
   Netmask: Enter the subnet mask as provided by your ISP.
   Primary DNS: Enter the primary DNS server details as provided by your ISP.
   Secondary DNS: Enter the secondary DNS server details as provided by your ISP.
3. Click Save.

Configuring a DHCP Ethernet Connection
A DHCP Ethernet connection enables NITO to be allocated a dynamic IP address, as assigned by the ISP.
To create a DHCP Ethernet connection:
1. Configure the global settings and select DHCP Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.
2. In the DHCP Ethernet settings area, configure the following settings:
   Interface: From the drop-down list, select the Ethernet interface for this connection.
   DHCP Hostname: Optionally enter a DHCP hostname, if provided by your ISP.
   MAC spoof: Enter a MAC spoof value if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
3. Click Save.

Configuring a PPP over Ethernet Connection
This section explains how to configure NITO to use a PPPoE modem for Internet connectivity.

To create a PPP over Ethernet connection:
1. Configure the global settings and select PPP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.
2. In the PPP over Ethernet settings area, configure the following settings:
   Service name: If required, enter the service name as specified by your ISP.
   Concentrator: If required, enter the concentrator name as specified by your ISP.
   Interface: From the drop-down list, select the Ethernet interface for this connection.
   PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.
3. Click Save.

Configuring a PPTP over Ethernet Connection
This section explains how to configure NITO to use a PPTP modem for Internet connectivity.

To create a PPTP over Ethernet connection:
1.
Configure the global settings and select PPTP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the PPTP over Ethernet settings area, configure the following settings:

   Interface: From the drop-down list, select the Ethernet interface for this connection.
   PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.
   Address: Enter the IP address assigned by your ISP.
   Netmask: Enter the netmask assigned by your ISP.
   Gateway: Enter the gateway assigned by your ISP.
   Telephone: Enter the dial telephone number as provided by your ISP.

3. Click Save.

Configuring an ADSL/DSL Modem Connection

Note: The following sections apply if an ADSL/DSL modem is installed in your NITO.

NITO can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Configuring a PPP over Ethernet Connection on page 24 for more information.

To complete the connection profile:

1. Configure the global settings and select ADSL Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the ADSL Modem settings area, configure the following settings:

   Service name: Leave this field blank. It is not required for this type of profile.
   Concentrator: Leave this field blank. It is not required for this type of profile.
   PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.

3. Click Save.
Configuring an ISDN Modem Connection

Note: The following sections apply if an ISDN modem is installed in your NITO.

This section explains how to configure NITO to use an ISDN modem for Internet connectivity.

To complete the connection profile:

1. Configure the global settings and select ISDN TA as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the ISDN settings area, configure the following settings:

   PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.
   Telephone: Enter the telephone number for the ISDN connection.
   Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
   Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
   Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, NITO will automatically close it. Forcing the second channel to stay up will help prevent this from happening.
   Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data rate falls below the threshold for short periods of time.

3. Click Save.

Configuring a Dial-up Modem Connection

Note: The following sections apply if a dial-up modem is installed in your NITO.

This section explains how to configure NITO to use a dial-up modem for Internet connectivity.

To complete the profile:

1.
Configure the global settings and select Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22. Click Update.

2. In the Modem settings area, configure the following settings:

   PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 27.
   Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 236 for more information on modem profiles.
   Telephone: Enter the telephone number for the connection.

3. Click Save.

Creating a PPP Profile

Up to five PPP profiles can be created to store username, password and connection-specific details for connections where NITO controls the connecting device, e.g. an ADSL modem attached to NITO.

To create a PPP profile:

1. Navigate to the Networking > Interfaces > PPP page.

2. Configure the following settings:

   Profiles: From the drop-down list, select Empty.
   Profile name: Enter a name for the profile.
   Dial on Demand: Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per-unit-time billing.
   Dial on Demand for DNS: Select to ensure that the system dials for DNS requests. This is normally the desired behavior.
   Idle timeout: Enter the number of minutes that the connection must remain inactive before it is automatically closed by NITO. Enter 0 to disable this setting.
   Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
   Maximum retries: Enter the maximum number of times that NITO will try to connect following a failure to connect.
   Username: Enter your ISP-assigned username.
   Password: Enter your ISP-assigned password.
   Method: Choose the authentication method as specified by your ISP.
   Script name: Enter the name of a logon script here, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
   Type: Specifies the DNS type used by your ISP. Manual – select if your ISP has provided you with DNS server addresses to enter. Automatic – select if your ISP automatically allocates DNS settings upon connection.
   Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
   Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.

3. Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. From the Profiles drop-down list, choose the profile that you wish to modify and click Select.

3. The profile details are now displayed. Make changes to any of the fields, review the changes and click Save.

Note: Any changes made to a profile that is used as part of a current connection will only be applied following re-connection. The connection can be manually restarted on the main > control page.

Deleting Profiles

To delete an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. From the Profiles drop-down list, choose the profile that you wish to delete and click Select.

3. The profile details are now displayed. If you are certain that you wish to delete the selected profile, click Delete.

Note: Deleting a profile that is used as part of a current connection will cause the current connection to close.
Chapter 4: Managing Your Network Infrastructure

In this chapter:
• Creating subnets and internal subnet aliases

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:

1. Navigate to the Networking > Routing > Subnets page.

2. Configure the following settings:

   Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
   Netmask: Enter a network mask that specifies the size of the subnet when combined with the Network field.
   Gateway: Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone. NITO must be able to route to the gateway device in order for the subnet to be successfully configured, so the gateway address must be on a network that NITO is directly attached to.
   Metric: Enter a router metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.
NITO's RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system's internal interfaces.

To configure the RIP service:

1. Navigate to the Networking > Routing > RIP page.

2. Configure the following settings:

   Enabled: Select to enable the RIP service.
   Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
   Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or reconsider the suitability of the RIP service for propagating routing information.
   Direction: From the drop-down menu, select how to manage routing information. The following options are available:
      Import and Export: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP-enabled gateways.
      Import: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways.
      Export: The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.
   Logging level: From the drop-down menu, select the level of logging.
   RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
   Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices.
   Select one of the following options to manage authentication:
      None: In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
      Password: In this mode, a plain text password is specified, which must match that of the other RIP devices.
      MD5: In this mode, an MD5 hashed password is specified, which must match that of the other RIP devices.
   Password: If Password is selected as the authentication method, enter a password for RIP authentication.
   Again: If Password is selected as the authentication method, re-enter the password to confirm it.
   Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3. Click Save.

Sources

The Sources page is used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external interface.

To create a source rule:

1. Navigate to the Networking > Routing > Sources page.

2. Configure the following settings:

   Source IP or network: Enter the source IP or subnet range of the internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 35.
   Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
   External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication.
   Alternatively, select Exception to create an exception rule that ensures all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.
   Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.
   Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
   Comment: Optionally, enter a description for the source rule.
   Enabled: Select to activate the rule.

3. Click Add.

Removing a Rule

To remove one or more rules:

1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:

1. Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.

2. Alter the configuration values as necessary, and click Add.

About IP Address Definitions

Single or multiple IP addresses can be specified in a number of different ways:

• IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
• IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
• IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255.

Ports

The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
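The address forms listed under About IP Address Definitions above, plus the start-end range form (for example 192.168.10.1-192.168.10.15) that the IP block rules in the next chapter also accept, as an added worked example in Python. This is not NITO's own code: it is a small model, written for this guide, of how such definitions are parsed into address ranges and how IP block rules (Drop, Reject and Exception) are then evaluated against a packet. The sample rule set and addresses are constructed. Two points are assumptions rather than statements of the guide: an empty destination field is treated as "any address", and where several drop/reject rules match, the first listed one wins. Exception rules winning regardless of their position, and same-subnet traffic never reaching the firewall, are as the guide describes.

```python
"""Constructed model of NITO-style IP definitions and IP block rule evaluation (not NITO code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]


def parse_definition(text: str) -> Optional[Range]:
    """Parse one address definition into an inclusive (first, last) range.

    Accepted forms: a single address, a "first-last" range, and a subnet
    written with either a dotted-decimal mask or a prefix length.
    An empty field means "any address" (an assumption) and returns None.
    """
    text = text.strip()
    if not text:
        return None
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = IPv4Address(lo_s.strip()), IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return lo, hi
    if "/" in text:
        # IPv4Network accepts both 192.168.10.0/24 and 192.168.10.0/255.255.255.0.
        # strict=False keeps "arbitrary IP address and network mask" working,
        # i.e. host bits may be set (192.168.10.7/24 still means 192.168.10.0-255).
        net = IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    addr = IPv4Address(text)
    return addr, addr


def matches(definition: str, addr: str) -> bool:
    """True when addr falls inside the definition (blank definition matches all)."""
    rng = parse_definition(definition)
    if rng is None:
        return True
    return rng[0] <= IPv4Address(addr) <= rng[1]


@dataclass
class IPBlockRule:
    source: str
    destination: str
    action: str            # "drop", "reject" or "exception"
    enabled: bool = True


def evaluate(rules: Iterable[IPBlockRule], src: str, dst: str,
             local_subnets: Iterable[str] = ()) -> str:
    """Decide the fate of a packet from src to dst under a list of IP block rules.

    Returns "not-routed" when both hosts sit in the same directly attached
    subnet (the firewall never sees that traffic, so no rule can block it),
    "allow" when an enabled Exception rule matches (Exception wins regardless
    of position), otherwise the action of the first matching drop/reject rule
    (first-match order is an assumption), and "allow" when nothing matches.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for subnet in local_subnets:
        net = IPv4Network(subnet, strict=False)
        if s in net and d in net:
            return "not-routed"
    live: List[IPBlockRule] = [
        r for r in rules
        if r.enabled and matches(r.source, src) and matches(r.destination, dst)
    ]
    if any(r.action == "exception" for r in live):
        return "allow"
    for r in live:
        if r.action in ("drop", "reject"):
            return r.action
    return "allow"


# Constructed sample rule set: drop a whole internal subnet, exempt one host
# in it, and reject one host range when it talks to a documentation network.
EXAMPLE_RULES = [
    IPBlockRule("192.168.10.0/24", "", "drop"),
    IPBlockRule("192.168.10.5", "", "exception"),
    IPBlockRule("10.0.0.1-10.0.0.15", "203.0.113.0/24", "reject"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "8.8.8.8"), ("192.168.10.7", "8.8.8.8"),
                     ("10.0.0.3", "203.0.113.9"), ("192.168.10.7", "192.168.10.9")]:
        print(src, "->", dst, ":", evaluate(EXAMPLE_RULES, src, dst, ["192.168.10.0/24"]))
```

The last case in the demo shows the guide's caveat in action: two hosts on the same directly attached subnet are reported as "not-routed", because an IP block rule on the gateway cannot affect traffic that never crosses it.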
Note: The rules specified on the Sources page will always be examined first, so traffic will only be matched against this list of port rules if it does not first match a source rule. For more information, see Sources on page 34.

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.

To create a ports rule:

1. Navigate to the Networking > Routing > Ports page.

2. Configure the following settings:

   Protocol: From the drop-down menu, select the protocol the traffic uses.
   Service: From the drop-down menu, select the service, port range or group of ports.
   Port: If the service is user defined, enter the port number.
   External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface.
   Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
   Comment: Enter a description of the rule.
   Enabled: Select to make the rule active.

3. Click Add to create the rule. The rule is created and listed in the Current rules area.

Removing Rules

To remove one or more rules:

1. Select each rule in the Current rules area and click Remove.

Editing a Rule

To edit a rule:

1. Select the rule in the Current rules area and click Edit.

2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Creating an External Alias Rule

NITO enables you to associate multiple public IP addresses with a single NITO by creating external aliases. An external alias binds an additional public IP address to the Nomadix system's external interface.

To create an external alias rule:

1. Navigate to the Networking > Interfaces > External aliases page.

2. Configure the following settings:
   External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address.
   Select: Click to select the interface.
   Connectivity profile: Used to determine when the external alias is active. Options include:
      All – The external alias will always be active, irrespective of the currently active connection profile.
      Named connection profile – The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
   Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
   Netmask: Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value and should be provided by your ISP.
   Comment: A field used to assign a helpful message describing the external alias rule.
   Enabled: Determines whether the external alias rule is currently active.

3. Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules

To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases

NITO extends your system's port forwarding capabilities by allowing port forward rules to be created that forward traffic arriving at an external alias.

No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule

NITO enables you to map internal hosts to an external IP alias, instead of the default, real external IP, by creating source mapping rules.
This allows outbound communication from specified hosts to appear to originate from the external alias IP address.

A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to mirror that IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address, i.e. the NITO default external IP is not the MX for the email domain. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.

To create a source mapping rule:

1. Navigate to the Networking > Firewall > Source mapping page.

2. Configure the following settings:

   Source IP: Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, entering 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.
   Alias IP: From the drop-down list, select the external alias that outbound communication is mapped to.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.

3. Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules

To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases

NITO can be configured to create internal aliases for each installed NIC. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone.
Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Internal alias rules are used to create such bindings on an internal network interface, thus enabling it to route packets to and from IP addresses on a virtual subnet, without the need for physical switches.

Note: No services will run on the alias IP.

Note: Use of this feature is not normally recommended for the following reasons:
• No physical separation – Internal aliases should not be considered a substitute for physically separating multiple networks. Network users can join a logical subnet simply by changing their IP address.
• No DHCP service – DHCP servers cannot serve a logical subnet, as it is impossible for them to know which subnet (physical or logical) the client should be on.
• No direct DNS or proxy access – The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface, which is not the case when an alias is in use.

Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule

To create an internal alias rule:

1. Navigate to the Interfaces > Internal aliases page.

2. Configure the following settings:

   Interface: From the drop-down menu, select the internal interface on which to create the alias.
   IP address: Enter an IP address for the internal alias.
   Netmask: Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.

3. Click Add. The internal alias rule is added to the Current rules table.
Editing and Removing Internal Alias Rules

To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces

The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface operates independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface

Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:

1. Navigate to the Networking > Interfaces > Secondaries page.

2. Configure the following settings:

   Secondary external interface: From the drop-down list, select the interface you want to use as the secondary external interface.
   Select: Click to select the interface.
   Address: Enter the IP address.
   Netmask: Enter the netmask.
   Default gateway: Enter the default gateway.
   Enabled: Select to enable the interface.
   Primary failover ping IP: Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover ping IP has also been entered, it must also fail before failover routing is activated.
   Secondary failover ping IP: Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active.
   If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.
   Load balance outgoing traffic: Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.
   Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.
   Load balance web proxy traffic: Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool.
   Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.
   Weighting: Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
      • A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
      • A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
      • A connection weighted 2 will be given twice as much load as a connection weighted 1.
   The weighting value is especially useful for load balancing external connections of differing speeds.

3. Click Save to save your settings and enable the secondary external interface.
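The failover ping and weighting behaviour described above, as an added worked example in Python. This is a model written for this guide, not NITO's own implementation: it shows how the two failover ping addresses decide whether a secondary stays usable (both must fail before traffic is redirected to the primary, as the guide states) and how weights turn into a traffic split, using a smooth weighted round-robin scheduler as the balancing method (the guide gives the ratios but not the algorithm, so that choice is an assumption). Interface names, weights and the documentation-range ping addresses in the sample are constructed.

```python
"""Constructed model of secondary failover pings and weighted load balancing (not NITO code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ExternalConnection:
    name: str
    weight: int = 1
    primary: bool = False
    in_pool: bool = False                     # "Load balance outgoing traffic" selected
    failover_ping_ips: List[str] = field(default_factory=list)  # primary/secondary failover ping IPs


def secondary_usable(conn: ExternalConnection, ping_ok: Dict[str, bool]) -> bool:
    """A secondary is taken out of service only when every configured ping IP is unreachable.

    ping_ok maps an address to the result of its last ping; an address with no
    entry is treated as unreachable. The primary, and a secondary with no ping
    IPs configured, are never failed over.
    """
    if conn.primary or not conn.failover_ping_ips:
        return True
    return any(ping_ok.get(ip, False) for ip in conn.failover_ping_ips)


def active_pool(conns: List[ExternalConnection], ping_ok: Dict[str, bool]) -> List[ExternalConnection]:
    """Connections that currently share outbound load; falls back to the primary alone."""
    pool = [c for c in conns if c.in_pool and secondary_usable(c, ping_ok)]
    if not pool:
        # No load balancing enabled, or every secondary has failed its pings:
        # all traffic goes out of the primary connection.
        pool = [c for c in conns if c.primary]
    if not pool:
        raise ValueError("no primary external connection configured")
    return pool


class WeightedRoundRobin:
    """Smooth weighted round robin: over sum(weights) consecutive picks each
    connection is chosen exactly `weight` times, so a 10:1 weighting yields
    a 10:1 split and 6:2 reduces to 3:1, as the guide's examples describe."""

    def __init__(self, pool: List[ExternalConnection]):
        self.pool = pool
        self.current = {c.name: 0 for c in pool}

    def pick(self) -> str:
        total = sum(c.weight for c in self.pool)
        for c in self.pool:
            self.current[c.name] += c.weight
        best = max(self.pool, key=lambda c: self.current[c.name])
        self.current[best.name] -= total
        return best.name


def distribute(conns: List[ExternalConnection], ping_ok: Dict[str, bool], n: int) -> Dict[str, int]:
    """Count how n new outbound sessions would be spread across the active pool."""
    pool = active_pool(conns, ping_ok)
    scheduler = WeightedRoundRobin(pool)
    counts = {c.name: 0 for c in pool}
    for _ in range(n):
        counts[scheduler.pick()] += 1
    return counts


# Constructed sample: a slow primary (weight 1) and a fast secondary (weight 10)
# whose health is checked against two documentation-range addresses.
SAMPLE_CONNECTIONS = [
    ExternalConnection("ppp0", weight=1, primary=True, in_pool=True),
    ExternalConnection("eth2", weight=10, in_pool=True,
                       failover_ping_ips=["198.51.100.1", "203.0.113.1"]),
]

if __name__ == "__main__":
    healthy = {"198.51.100.1": True, "203.0.113.1": True}
    one_down = {"198.51.100.1": False, "203.0.113.1": True}
    both_down = {"198.51.100.1": False, "203.0.113.1": False}
    for label, state in [("healthy", healthy), ("one ping down", one_down), ("both down", both_down)]:
        print(f"{label:14s} -> {distribute(SAMPLE_CONNECTIONS, state, 11)}")
```

Running the demo shows the secondary still carrying ten of every eleven sessions when only one of its two ping targets is unreachable, and all traffic returning to the primary once both fail. A practical consequence for monitoring: choose two ping targets that do not share a fate (different networks, ideally different operators), or the second address adds no protection against a false failover.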
Chapter 5: General Network Security Settings

In this chapter:
• Using IP blocking to block source IPs and networks
• Reviewing network interface information
• Fine-tuning network communications using the advanced networking features
• Creating groups of ports for use throughout NITO.

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.

To create an IP block rule:

1. Navigate to the Networking > Filtering > IP block page.

2. Configure the following settings:

   Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
      • An individual network host, enter its IP address, for example: 192.168.10.1.
      • A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
      • A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
   Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
      • An individual network host, enter its IP address, for example: 192.168.10.1.
      • A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
      • A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 19
   Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
   Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP; no communication will be possible.
   Exception: Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses within it.
   Log: Select to log all activity from this IP.
   Comment: Optionally, describe the IP block rule.
   Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features

NITO's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.

To configure advanced networking features:

1. Navigate to the Networking > Settings > Advanced page.

2. Configure the following settings:

   Block ICMP ping broadcasts: Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
   Block ICMP ping: Select to block all ICMP ping requests going to or through NITO. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but can also make connectivity problems more difficult to diagnose.
   Enable SYN cookies: Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests (SYN packets) are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS condition.
   Block and ignore IGMP packets: Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
   Block and ignore multicast traffic: Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.
   ARP table size: You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of NITO's network interfaces.
   Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions and traffic passing through the firewall. The value entered in this field determines the table's maximum size.
In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient – use this field to configure a larger size.
SYN backlog queue size – Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.
3. Click Advanced to access the following settings:
Block SYN+FIN packets – Select to automatically discard the packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.
Enable TCP timestamps – Select this option to enable TCP timestamps (RFC 1323) to improve TCP performance on high speed links.
Enable selective ACKs – Select this option to enable selective ACKs (RFC 2018) to improve TCP performance when packet loss is high.
Enable window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
Enable ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
4. Click Save to enable the settings you have selected.

Enabling Traffic Auditing
Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.
To activate a particular traffic auditing feature:
1. Navigate to the Networking > Settings > Advanced page.
2. Click Advanced to access the Traffic auditing area and configure the following settings:
Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall.
Direct outgoing traffic – Select to log all new connections from any interface.
Forwarded traffic – Select to log all new connections passing through one interface to another.
3. Click Save.
Note: Traffic auditing can potentially generate vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.
Note: Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.

Working with Port Groups
You can create and edit named groups of TCP/UDP ports for use throughout NITO. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group
To create a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. In the Port groups area, click New and configure the following settings:
Group name – Enter a name for the port group and click Save.
Name – Enter a name for the port or range of ports you want to add to the group.
Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
Comment – Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups
To add a new port:
1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:
Port groups – From the drop-down list, select the group you want to add a port to and click Select.
Name – Enter a name for the port or range of ports you want to add to the group.
Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535.
Comment – Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or range are added to the group.

Editing Port Groups
To edit a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group
To delete a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.
Note: Deleting a port group cannot be undone.

6 Configuring Inter-Zone Security
In this chapter:
• How bridging rules allow access between internal network zones.

About Zone Bridging Rules
By default, all internal network zones are isolated by NITO. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.
A zone bridging rule defines a bridge in the following terms:
Zones – Defines the two network zones between which the bridge exists.
Direction – Defines whether the bridge is accessible one-way or bi-directionally.
Source – Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.
Service – Defines what ports and services can be used across the bridge.
Protocol – Defines what protocol can be used across the bridge.
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule
Zone bridging rules enable communications between specific parts of separate internal networks.
To create a zone bridging rule:
1. Navigate to the Networking > Filtering > Zone bridging page.
2. Configure the following settings:
Source interface – From the drop-down menu, select the source network zone.
Destination interface – From the drop-down menu, select the destination network zone.
Bidirectional – Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Source IP – Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Destination IP – Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Service – From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port – If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment – Enter a description of the bridging rule.
Enabled – Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial
In this tutorial, we will use the following two local network zones:
Protected network – Contains local user workstations and confidential business data. IP address: 192.168.100.0/24
DMZ – Contains a web server. IP address: 192.168.200.0/24
Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
• Allows restricted external access to a web server in the DMZ, from the Internet.
• Does not allow access to the protected network from the DMZ.
• Allows unrestricted access to the DMZ from the protected network.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Source interface – From the drop-down menu, select the protected network.
Destination interface – From the drop-down menu, select the DMZ.
Protocol – From the drop-down list, select All.
Comment – Enter a description of the rule.
Enabled – Select to activate the bridging rule once it has been added.
2. Click Add.
Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server
To allow access to a web server in the DMZ from the Internet:
1. Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:
Protocol – From the drop-down list, select TCP.
Destination IP – Enter the IP address of the web server: 192.168.200.10.
Source – From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Comment – Enter a description, such as Port forward to DMZ web server.
Enabled – Select to activate the port forward rule once it has been added.
2. Click Add.

Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Source interface – From the drop-down menu, select DMZ.
Destination interface – From the drop-down menu, select Protected Network.
Protocol – From the drop-down menu, select TCP.
Source IP – Enter the web server’s IP address: 192.168.200.10
Destination IP – Enter the database’s IP address: 192.168.100.50
Service – Select User defined.
Port – The database service is accessed on port 3306. Enter 3306.
Comment – Enter a comment: DMZ web server to Protected Network DB.
Enabled – Select Enabled to activate the bridging rule once it has been added.
2. Click Add.

Group Bridging
By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone.
Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:
Group – The group of users from the authentication sub-system that may access the bridge.
Zone – The destination network zone.
Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.
Service – Defines what ports and services can be used across the bridge.
Protocol – Defines what protocol can be used across the bridge.
Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.
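The zone bridging tutorial above, worked through as an added example that is not NITO's code: a small Python model of bridging rules that parses the Source IP and Destination IP field formats the guide describes and checks which flows the two tutorial rules allow. The zone table, the extra hosts used, and applying the same port restriction on the reverse leg of a bidirectional bridge are assumptions made for this example.

```python
"""Added example, not NITO's own code: a model of NITO zone bridging rules.

It reproduces the two tutorial rules and checks which flows they allow.
Field formats follow the guide: a single host, a range written
first-last, a subnet written with a dotted mask or /prefix, or a blank
field meaning any host; User defined with a blank Port means every port
of the protocol. Zone names, the extra hosts used below and applying the
same port restriction on the reverse leg of a bidirectional bridge are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone table (zone name -> subnet) taken from the tutorial.
ZONES = {
    "Protected network": ipaddress.ip_network("192.168.100.0/24"),
    "DMZ": ipaddress.ip_network("192.168.200.0/24"),
}


def zone_of(ip: str) -> Optional[str]:
    """Return the internal zone containing ip, or None for an external address."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def ip_spec_matches(spec: str, ip: str) -> bool:
    """Match ip against a Source IP / Destination IP field in the guide's formats."""
    spec = spec.strip()
    addr = ipaddress.ip_address(ip)
    if spec == "":                              # blank: any host in the zone
        return True
    if "/" in spec:                             # 192.168.10.0/255.255.255.0 or /24
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:                             # 192.168.10.1-192.168.10.15
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)   # single host


@dataclass
class BridgeRule:
    source_zone: str
    dest_zone: str
    bidirectional: bool = False
    protocol: str = "All"        # "All", "TCP", "UDP", ...
    source_ip: str = ""
    dest_ip: str = ""
    port: str = ""               # User defined port; blank = all ports
    enabled: bool = True

    def allows(self, src_zone, dst_zone, src_ip, dst_ip, proto, port) -> bool:
        if not self.enabled or self.protocol not in ("All", proto):
            return False
        # One-way bridge: source zone -> destination zone only. A bidirectional
        # bridge may also be initiated from the destination side (assumption:
        # the same port restriction applies on that reverse leg).
        legs = [(self.source_zone, self.dest_zone, self.source_ip, self.dest_ip)]
        if self.bidirectional:
            legs.append((self.dest_zone, self.source_zone, self.dest_ip, self.source_ip))
        for s_zone, d_zone, s_spec, d_spec in legs:
            if ((src_zone, dst_zone) == (s_zone, d_zone)
                    and ip_spec_matches(s_spec, src_ip)
                    and ip_spec_matches(d_spec, dst_ip)
                    and (self.port == "" or int(self.port) == port)):
                return True
        return False


def bridge_allows(rules: List[BridgeRule], src_ip, dst_ip, proto, port) -> bool:
    """Zones stay isolated unless an enabled bridging rule allows the flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False     # external traffic is the job of port forwards, not bridges
    if src_zone == dst_zone:
        return True      # same-zone traffic is not routed through the firewall
    return any(r.allows(src_zone, dst_zone, src_ip, dst_ip, proto, port)
               for r in rules)


# The tutorial's two rules: protected -> DMZ for everything, and the DMZ web
# server -> the protected-network database on TCP 3306 only.
TUTORIAL_RULES = [
    BridgeRule("Protected network", "DMZ", protocol="All"),
    BridgeRule("DMZ", "Protected network", protocol="TCP",
               source_ip="192.168.200.10", dest_ip="192.168.100.50", port="3306"),
]

if __name__ == "__main__":
    for flow in [("192.168.100.20", "192.168.200.10", "TCP", 80),
                 ("192.168.200.10", "192.168.100.50", "TCP", 3306),
                 ("192.168.200.10", "192.168.100.50", "TCP", 22),
                 ("192.168.200.10", "192.168.100.20", "TCP", 3306)]:
        print(flow, "allowed" if bridge_allows(TUTORIAL_RULES, *flow) else "blocked")
```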
Group Bridging and Authentication
Group bridging uses the core authentication mechanism, meaning that users must be pre-authenticated before group bridging rules can be enforced by NITO. Users can authenticate themselves using the authentication system’s Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page.
Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 14, Authentication and User Management on page 177.

Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users.
To create a group bridging rule:
1. Navigate to the Networking > Filtering > Group bridging page.
2. Configure the following settings:
Groups – From the drop-down menu, select the group of users that this rule will apply to.
Select – Click to select the group.
Destination interface – Select the interface that the group will be permitted to access.
Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
• A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
• A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Service – From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.
Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.

7 Managing Inbound and Outbound Traffic
In this chapter:
• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards – Inbound Security
Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

Port Forward Rules Criteria
Port forward rules can be configured to forward traffic based on the following criteria:
External IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Source IP – Forward traffic if it arrived at a particular external interface or external alias.
Port – Forward traffic if it was destined for a particular port or range of ports.
Protocol – Forward traffic if it uses a particular protocol.
Destination IP – A port forward will send traffic to a specific destination IP.
Destination port – A port forward will send traffic to a specific destination port.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.
Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it. Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, i.e. a DMZ scenario.

Creating Port Forward Rules
To create a port forward rule:
1. Navigate to the Networking > Firewall > Port forwarding page.
2. Configure the following settings:
Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Log – Select to log all port forwarded traffic.
Source IP – Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined. Note: Only applies to the protocols TCP and UDP.
User defined – If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP – Enter the IP address of the network host to which traffic should be forwarded.
Destination service – From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
User defined – If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
Comment – Enter a description of the port forward rule.
Enabled – Select to enable the rule.
3. Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic
NITO enables you to load balance port forwarded traffic to different network hosts.
To load balance port forwards:
1. On the Networking > Firewall > Port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 60 for more information.
2. On the Networking > Firewall > Port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host.
NITO automatically balances the traffic between the hosts.

Editing and Removing Port Forward Rules
To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings
The following sections explain network application helpers, how you can manage bad traffic actions and reflective port forwarding.

Network Application Helpers
NITO includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.
To activate helper applications:
1. Navigate to the Networking > Firewall > Advanced page. The following helper applications are available:
FTP – IP information is embedded within FTP traffic; this helper application ensures that FTP communication is not adversely affected by the firewall.
IRC – IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP client support – When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323 – When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls.
Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.
To enable a helper application:
1. In the Network application helpers area, select the application(s) you require.
2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs NITO in a stealth-like manner and makes things like port scans much harder to do.
3. Click Save.

Managing Bad External Traffic
By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. Using the Bad external traffic action option, you can drop traffic silently, which enables you to ‘stealth’ your firewall and make things like port scans much harder to do.
To manage bad external traffic:
1. Navigate to the Networking > Firewall > Advanced page.
2. From the Bad external traffic action drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to keep the default behavior, that is, reject the traffic and notify the sender.
3. Click Save to implement your selection.

Configuring Reflective Port Forwards
By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.
To configure reflective port forwards:
1. Navigate to the Networking > Firewall > Advanced page.
2. Select Reflective port forwards and click Save.
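The port forward behaviour described in this chapter, as an added Python example that is not NITO's code: it applies the External IP or network filter, the A:B source service ranges, the rule for a blank destination port, the Bad external traffic action for packets that no rule forwards, and load balancing between rules that differ only in Destination IP. The guide only says NITO balances the traffic, so the round-robin choice, the class names and the sample addresses are assumptions.

```python
"""Added example, not NITO's own code: a model of the port forward rule
fields described in this chapter.

It applies the External IP or network filter, the Source service (a single
port or an A:B range), the destination port rule for a blank User defined
field (a ranged source keeps the incoming port, a single source port is
used as the target) and the Bad external traffic action for packets that
no rule forwards. Rules that differ only in Destination IP are load
balanced; the guide only says NITO balances the traffic, so the
round-robin choice and all addresses here are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_ports(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1000:1028' -> (1000, 1028)."""
    lo, _, hi = spec.strip().partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo_i, hi_i


def external_matches(spec: str, ip: str) -> bool:
    """External IP or network: blank = any host; otherwise a host or a subnet."""
    spec = spec.strip()
    if not spec:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class PortForward:
    protocol: str                # "TCP" or "UDP"
    source_service: str          # "80" or "1000:1028"
    destination_ip: str
    destination_port: str = ""   # User defined destination port; may be blank
    external: str = ""           # External IP or network; blank = any host
    enabled: bool = True

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        lo, hi = parse_ports(self.source_service)
        return (self.enabled and proto == self.protocol
                and lo <= dst_port <= hi
                and external_matches(self.external, src_ip))

    def resolve_destination_port(self, incoming_port: int) -> int:
        if self.destination_port.strip():
            return int(self.destination_port)
        lo, hi = parse_ports(self.source_service)
        # Blank destination: a ranged source keeps the incoming port,
        # a single source port becomes the target.
        return incoming_port if lo != hi else lo

    def balance_key(self) -> tuple:
        """Everything except Destination IP: equal keys form a balanced group."""
        return (self.protocol, self.source_service, self.destination_port, self.external)


class InboundFirewall:
    def __init__(self, rules: List[PortForward], bad_traffic_action: str = "Reject"):
        self.rules = rules
        self.bad_traffic_action = bad_traffic_action   # "Reject" (default) or "Drop"
        self._next: Dict[tuple, int] = {}              # round-robin position per group

    def handle(self, proto: str, src_ip: str,
               dst_port: int) -> Tuple[str, Optional[str], Optional[int]]:
        """Return ('forward', dest_ip, dest_port), ('reject', None, None) or ('drop', None, None)."""
        candidates = [r for r in self.rules if r.matches(proto, src_ip, dst_port)]
        if not candidates:
            # Reject answers the sender with an ICMP message; Drop stays silent.
            return (self.bad_traffic_action.lower(), None, None)
        key = candidates[0].balance_key()
        group = [r for r in candidates if r.balance_key() == key]
        idx = self._next.get(key, 0)
        self._next[key] = idx + 1
        rule = group[idx % len(group)]            # assumption: round robin
        return ("forward", rule.destination_ip, rule.resolve_destination_port(dst_port))
```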
Outbound Access
The following sections discuss outbound port and source rules. Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts and networks using source rules.

Port Rule Modes
Port rules can operate in one of two modes:
Permissive – Reject only outbound requests to the named ports.
Restrictive – Allow only outbound requests to the named ports.

Preset Port Rules
NITO supports a maximum of 20 port rule sets, of which the following preset rules are installed by default and can be customized:
MS ports – Ports commonly associated with Microsoft Windows such as SMB (NetBIOS), Active Directory etc.
Known exploits – Ports associated with many common exploits against a variety of programs and services, including many ports associated with malware attacks.
Basic services – Services common to most user computers, including web browsing (HTTP and HTTPS), email (POP3), DNS etc.
DMZ – Basic ports necessary for hosting servers in a DMZ network.
In addition, the following preset rules are included and cannot be customized:
Allow all – This port rule allows unrestricted access to the Internet.
Reject all – This port rule denies all outbound access to the Internet.

Creating a Port Rule
To create a port rule:
1. Navigate to the Networking > Outgoing > Ports page.
2. Configure the following settings:
Port rules – From the drop-down menu, select Empty and click Select.
Port rule name – Enter a name for the port rule. This name will be displayed in the Port rules drop-down list and wherever the rule can be selected.
Reject only listed ports – Select to reject listed ports.
Allow only listed ports – Select to allow listed ports.
Rejection logging – Select if you want to log outbound requests rejected by this rule.
Note: This generates a lot of data and should be used with care.
Stealth mode – Select if you want to log but not reject outbound requests.
Block Aimini – Select to block access to the Aimini network.
Block BitTorrent – Select to block the use of the BitTorrent protocol for P2P file transfers.
Block eDonkey – Select to block access to eDonkey and eMule P2P variants.
Block Filetopia – Select to block access to Filetopia.
Block Gnutella – Select to block access to the Gnutella and GnutellaNet P2P networks.
Block iMESH – Select to block access to iMESH.
Block KaZaA – Select to block access to the KaZaA P2P network.
Block Manolito – Select to block access to Manolito.
Block Pando – Select to block access to Pando.
Block SoulSeek – Select to block access to SoulSeek.
Block StealthNet – Select to block access to StealthNet.
Block WinMX – Select to block access to WinMX.
3. Click Save. The port rule is added to the Port rules drop-down list.
Note: The dedicated P2P blocking options are provided due to the nature of certain P2P software. Various P2P applications are port-aware and use a number of evasive techniques to circumvent regular outbound access controls. NITO is able to detect such activity when these options are activated, and ensure that P2P communication is completely blocked.
4. In the Add a new rule area, configure the following settings:
Protocol – From the drop-down menu, select a network protocol to add to the port rule.
Service – From the drop-down menu, select the service, port, port range or group of ports you want to allow or deny, depending on the rule you are creating. Select User defined to be able to specify a specific port number in the User defined port or range field.
Port – Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
5. Click Add. The rule is added to the Current rules region.

Editing a Port Rule
To edit an existing port rule:
1. Navigate to the Networking > Outgoing > Ports page.
2. Choose the port rule that you wish to edit from the Port rules drop-down list.
3. Click Select to display the port rule and make any changes to the port rule settings using the controls in the Port rules region.
4. Click Save in the Port rules region.

Editing and Removing Protocols and Ports
To edit or remove existing protocols and ports for a port rule, use Edit and Remove in the Current rules region.

Deleting a Port Rule
To delete an existing port rule:
1. Navigate to the Networking > Outgoing > Ports page.
2. Select the port rule that should be deleted using the Port rules drop-down list in the Port rules region. Click Delete.

Viewing a Port Rule
To display the contents of preset or custom port rules:
1. Navigate to the Networking > Outgoing > Ports page.
2. In the Port rules region, choose a set of port rules using the Port rules drop-down list. Click Select. The set of port rules and associated configuration are displayed in the Port rules and Current rules regions.

Source Rules
Source rules are used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or network with a preset or customized port rule. When the source IP of an outbound packet originates from a host that is defined in a source rule, NITO checks that the packet does not break the port rules assigned to the host. If the packet is destined for a banned port, the packet is rejected. If the packet is destined for an allowed port, the packet is allowed.
Note: Once a packet matches a source rule, it will not be subjected to further rule matching. Source rules cannot be stacked.

Configuring the Default Source Rule Settings
To create a source rule:
1. Navigate to the Networking > Outgoing > Sources page.
2. Configure the following settings:
Default port rule – From the drop-down list, select the port rule to be applied to outbound packets originating from a source IP that has no matching source rule configured. This value is usually set to one of the preset catch-all port rules, either Allow all or Reject all. Selecting Allow all enables all hosts that are not matched by a source rule to initiate any kind of outbound communication. Selecting Reject all prevents all outbound communication from all non-matching hosts. Best practice is to select Reject all.
Rejection logging – Select to log all traffic rejected by the default or current list of source rules.
Stealth mode – Select to allow all traffic that would normally be rejected by the default port rule and log all traffic information in the firewall logs.
3. Click Save. In the Add a new rule area, configure the following settings:
Source IP or network – Enter the source IP or network that the selected port rule will affect. To apply the port rule to:
• A specific host, enter its IP address.
• A range of network hosts, enter an IP address range, for example, entering the value 192.168.10.10:50 will encompass the range of addresses from 192.168.10.10 to 192.168.10.50.
• A subnet, enter a source IP and network mask, for example, 192.168.10.0/255.255.255.0 will encompass the range of addresses from 192.168.10.0 to 192.168.10.255.
Port rule – From the drop-down list, select the port rule to apply.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
4. Click Add. The source rule is added to the Current rules table.

Editing and Removing Source Rules
To edit or remove existing source rules, use Edit and Remove in the Current rules region.
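The outbound port rule and source rule mechanism described in this section, as an added Python example that is not NITO's code: it models Permissive and Restrictive port rules with from:to port entries, source rules in the guide's host, 192.168.10.10:50 range and dotted-mask subnet formats, first-match-only source rule selection, the Default port rule for unmatched hosts, and Stealth mode. The rule contents and hosts used are constructed for the example and are not NITO's presets.

```python
"""Added example, not NITO's own code: a model of the outbound source and
port rules described above.

A port rule lists (protocol, port or from:to range) entries and runs in
Permissive mode (reject only the listed ports) or Restrictive mode (allow
only the listed ports). A source rule ties a host, a range written as
192.168.10.10:50 or a subnet written with a mask to one port rule; the
first matching source rule decides and rules do not stack, and a host
with no source rule gets the Default port rule. Stealth mode allows and
logs what would otherwise be rejected. Rule contents and hosts below are
constructed for the example, not NITO's presets.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_ports(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1024:2048' -> (1024, 2048)."""
    lo, _, hi = spec.strip().partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo_i, hi_i


def source_matches(spec: str, ip: str) -> bool:
    """Source IP or network: a host, a last-octet range a.b.c.X:Y, or a subnet."""
    spec = spec.strip()
    addr = ipaddress.ip_address(ip)
    if "/" in spec:                                  # 192.168.10.0/255.255.255.0
        return addr in ipaddress.ip_network(spec, strict=False)
    if ":" in spec:                                  # 192.168.10.10:50
        start, last = spec.split(":", 1)
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + last)
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)        # single host


@dataclass
class PortRule:
    name: str
    restrictive: bool          # True: Allow only listed ports; False: Reject only listed
    entries: List[Tuple[str, str]] = field(default_factory=list)   # (protocol, ports)

    def listed(self, proto: str, port: int) -> bool:
        for p, spec in self.entries:
            lo, hi = parse_ports(spec)
            if p == proto and lo <= port <= hi:
                return True
        return False

    def allows(self, proto: str, port: int) -> bool:
        hit = self.listed(proto, port)
        return hit if self.restrictive else not hit


# The two fixed presets: an empty Permissive list rejects nothing, an empty
# Restrictive list allows nothing.
ALLOW_ALL = PortRule("Allow all", restrictive=False)
REJECT_ALL = PortRule("Reject all", restrictive=True)


@dataclass
class SourceRule:
    source: str            # Source IP or network field
    port_rule: PortRule
    enabled: bool = True


class OutboundPolicy:
    def __init__(self, source_rules: List[SourceRule],
                 default_rule: PortRule = REJECT_ALL, stealth: bool = False):
        self.source_rules = source_rules
        self.default_rule = default_rule      # the guide's best practice: Reject all
        self.stealth = stealth                # log instead of reject

    def decide(self, src_ip: str, proto: str, port: int) -> Tuple[str, str]:
        """Return (verdict, port rule name); verdict is allow, reject or log-only."""
        rule = self.default_rule
        for sr in self.source_rules:
            if sr.enabled and source_matches(sr.source, src_ip):
                rule = sr.port_rule
                break                         # first match wins; no stacking
        if rule.allows(proto, port):
            return ("allow", rule.name)
        return ("log-only" if self.stealth else "reject", rule.name)
```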
Managing External Services

You can prevent local network hosts from using external services by creating appropriate source and port rules to stop outbound traffic.

To create an external service rule:

1. Navigate to the Networking > Outgoing > External services page.
2. Configure the following settings:

   Service – Select Empty from the drop-down list.
   Service rule name – Enter a name for the rule.
   Protocol – Select the protocol used by the service.
   Service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user-defined port, select User defined.
   Port – If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
   Rejection logging – Select to log all traffic rejected by the external services rule.
   Stealth mode – Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.

   Click Save.
3. In the Add a new rule area, configure the following settings:

   Destination IP – Enter the IP address of the external service to which the rule applies.
   Comment – Enter a description of the rule.
   Enabled – Select to enable the rule.
4. Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules

To edit or remove existing external service rules, use Edit and Remove in the Current rules area.

Assigning Rules to Groups

The Groups page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular authenticated group of users with a preset or customized port rule.

To assign rules to groups:

1. Navigate to the Networking > Outgoing > Groups page.
2. Select Enable authenticated groups.
3. Locate the authentication group in the Group rules area and choose its port rule from the adjacent Port rule drop-down list.
4. Click Save.

Note: Group rules cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and group rules cannot be applied. In this case, only source rules will be applied. Group rules are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Chapter 8: Deploying Web Filtering

In this chapter:

• How to get content filtering up and running quickly
• How to block or allow content immediately
• Shortcuts to daily tasks
• About NITO’s default web filter policies
• About NITO’s default authentication policies.

Getting Up and Running

By default, NITO comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization. The following section explains how to use these policies to get web filtering up and running quickly.

To get up and running:

1. On users’ computers, configure the web browser to use port 800 on NITO as the web proxy, i.e. non-transparent proxying.
2. Navigate to the Web proxy > Web proxy > Settings page.
3. Check that the Guardian option is enabled.
4. Scroll to the bottom of the page and click Save and Restart. NITO starts to provide web security.
5. On a user’s computer, browse to http://thepiratebay.se/. NITO blocks access to the site and displays a block page.

You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 9, Working with Policies on page 77.
Blocking and Allowing Content Immediately

NITO enables you to block or allow content immediately without having to create or edit a web filter policy.

To block or allow content immediately:

1. Browse to the Guardian > Quick links > Quick block/allow page.
2. Enter the URL to the content you want to block or allow.
3. Click Block or Allow depending on what you want. NITO immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content list.

Blocking Locations

NITO enables you to block web-enabled resources at a specific location from accessing content.

To block a location:

1. Browse to the Guardian > Web filter > Location blocking page.
2. Locate the location and click Block. NITO blocks any web-enabled resources at that location from accessing web content.

For more information on locations, see Chapter 9, Working with Location Objects on page 85.

Excepting Computers from Web Filtering

NITO enables you to except specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions

A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to NITO. A source exception IP using a transparent connection requires no client browser configuration.

To configure a source exception:

1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. NITO exempts the computer(s) from any web filtering.
Configuring Destination Exceptions

A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to NITO.

To configure a destination exception:

1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. NITO exempts the computer(s) from any web filtering.

About Shortcuts

NITO provides a number of shortcuts to tasks you might carry out on a daily basis.

To access the shortcuts:

1. Browse to the Guardian > Quick links > Shortcuts page.
2. Click on a link to be taken to the task’s page.

About NITO’s Default Policies

The following sections discuss NITO’s default web filtering and authentication policies.

About the Default Web Filter Policies

NITO’s default web filtering policies are:

• Web filter policies – these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Chapter 9, Managing Web Filter Policies on page 88.
• HTTPS inspection policies – these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Chapter 9, Managing HTTPS Inspection Policies on page 92.
• Content modification policies – these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Chapter 9, Managing Content Modification Policies on page 97.

About the Default Authentication Policies

NITO comes with the following authentication policy ready for use:

• Non-transparent authentication policy – any user’s browser configured to use NITO on port 800 as its web proxy will have this authentication policy applied to it. For information on creating more authentication policies, see Chapter 10, About Authentication Policies on page 105.

Chapter 9: Working with Policies

In this chapter:

• An overview of policies, what comprises them and what types of policy you can create
• Working with objects that make up a policy
• Configuring and managing policies.

An Overview of Policies

Policies determine how NITO handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:

• Configuring custom policies based on your organization’s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 77
• Configuring authentication policies; for more information, see Chapter 10, Creating Authentication Policies on page 105
• Configuring users’ browsers or network connections to use NITO as their web proxy or default gateway; for more information, see Chapter 10, Connecting to NITO on page 115.

Types of Policies

NITO enables you to create the following types of policies:

• Web filter policies – Web filter policies determine whether to allow, block, softblock or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 88
• HTTPS inspection policies – when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to decide how to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 92
• Content modification policies – Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Chapter 9, Managing Content Modification Policies on page 97.

How Policies are Applied

How NITO applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

[Diagram: Applying Policies to an HTTP Web Request]

[Diagram: Applying Policies to an HTTPS Web Request]

Guardian Getting Started

The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules. NITO uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy.

To create a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. In the Manage category groups area, configure the following settings:

   Name – Enter a name for the category group.
   Comment – Optionally, enter a comment to make it easier to remember what the category contains.
   Content categories – Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information on the content.
3. Click Save. The category group object is saved and added to the list of groups of content available.

Defining Categories

You can define new categories of content for use in category group objects to suit your organization’s requirements.

To define a category:

1. Browse to the Guardian > Policy objects > User defined page.
2. Configure the following settings:

   Name – Enter a name for the category.
   Comment – Optionally, enter a comment describing the category.
   Domains & URLs – Enter one domain or URL per line. For example: example.com. Do not include www. in URLs.
3. Optionally, click Advanced to access the following settings:

   Search term filtering – Enter one search term, surrounded by delimiters, per line, for example:
   ( hardcore )
   (xxx)
   Spaces before and after a term are not removed, thus simplifying searching for whole words. Delimiters are required. You can use the following delimiters: [] () {} <> ||
   URL patterns – Enter one URL pattern per line, for example:
   ( adultsite|sexdream )
   The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <> ||
   Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example: [ mysearchwith(abracket) ]
   Headers to override – Here you can specify if NITO should use the requested site’s capability to override HTTP headers sent to it and redirect users to other content. For example, if a student tries to access inappropriate YouTube content, NITO can request YouTube to override the request and redirect them to YouTube Education. Also, if your organization uses Google Apps, you can configure NITO to request Google Apps to prevent users from accessing their personal Google accounts.
   Note: To use YouTube Education, you must sign up for an account and obtain a key. See http://www.youtube.com/schools for instructions.
   To request a redirect to YouTube Education, enter a value in this format:
   X-YouTube-Edu-Filter: AbcdEfghIjklmnOpq_rstU
   To request a restriction by Google Apps, enter a value in this format:
   X-GoogApps-Allowed-Domains: example.org, example.net
   Note: For a Google Apps restriction, HTTPS interception is required as Google Apps uses HTTPS throughout. For more information, see Managing HTTPS Inspection Policies on page 92.
   File extensions – Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream, per line. You must include the dot (.) when entering file extensions.
4. Click Save. NITO creates the content category and makes it available on the Guardian > Policy objects > Category groups page.

Editing Category Group Objects

You can edit category group objects to suit your organization’s requirements.

To edit a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the object you want to edit and click Edit category group. NITO displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information on the content and sub-categories.
3. Select any new content you want to add to the object and de-select any content you want to remove from the object.
4. Click Save. NITO saves and applies the changes.

Deleting Category Group Objects

You can delete category group objects you no longer require.
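The user-defined category settings described above (Domains & URLs, Search term filtering, URL patterns and File extensions), as an added Python example that is not NITO code: it strips the delimiter pair from each pattern line, splits | alternatives, keeps the spaces inside a delimited term so that ( hardcore ) matches only the whole word, and checks file extensions and MIME types. How search terms are taken from a URL (the q, p, query and search parameters), the one-space padding of the search string, the domain/subdomain matching and the sample category are assumptions.

```python
# Added example: classifying a request against a NITO-style user-defined category.
# Not NITO code; search-term extraction and domain matching are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The delimiter pairs listed for search terms and URL patterns: [] () {} <> ||
DELIMITERS = {"[": "]", "(": ")", "{": "}", "<": ">", "|": "|"}


def strip_delimiters(line: str) -> str:
    """Return the text inside the outer delimiter pair, keeping inner spaces.

    "( hardcore )"               -> " hardcore "
    "[ mysearchwith(abracket) ]" -> " mysearchwith(abracket) "  (brackets chosen because
                                    the pattern itself contains parentheses)
    """
    line = line.strip()
    if len(line) < 2 or line[0] not in DELIMITERS or line[-1] != DELIMITERS[line[0]]:
        raise ValueError(f"pattern must be wrapped in a delimiter pair: {line!r}")
    return line[1:-1]


def _alternatives(line: str) -> List[str]:
    """'( adultsite|sexdream )' lists two alternatives; each keeps its own spacing."""
    return [alt.lower() for alt in strip_delimiters(line).split("|")]


@dataclass
class UserDefinedCategory:
    name: str
    domains_urls: List[str] = field(default_factory=list)  # one domain or URL per line, no "www."
    search_terms: List[str] = field(default_factory=list)  # delimited lines
    url_patterns: List[str] = field(default_factory=list)  # delimited lines
    file_types: List[str] = field(default_factory=list)    # ".doc" style extensions or MIME types


def _host_and_path(url: str):
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host, host + parts.path.lower()


def _search_string(url: str) -> Optional[str]:
    """Search terms from common query parameters, padded with one space each side so a
    delimited term such as " hardcore " matches only the whole word (assumption)."""
    qs = parse_qs(urlsplit(url).query)
    for key in ("q", "p", "query", "search"):
        if key in qs:
            return " " + qs[key][0].lower() + " "
    return None


def classify(cat: UserDefinedCategory, url: str, content_type: Optional[str] = None) -> Optional[str]:
    """Return which entry of cat the request matches, as "kind:entry", or None."""
    host, hostpath = _host_and_path(url)
    for entry in cat.domains_urls:
        e = entry.strip().lower()
        if "/" in e:                                  # a URL prefix such as example.com/path
            if hostpath.startswith(e):
                return f"url:{entry}"
        elif host == e or host.endswith("." + e):     # the domain and its subdomains
            return f"domain:{entry}"
    decoded = unquote_plus(url).lower()               # so %28 and + in the URL can match
    for line in cat.url_patterns:
        for alt in _alternatives(line):
            if alt in decoded:
                return f"url-pattern:{alt.strip()}"
    terms = _search_string(url)
    if terms:
        for line in cat.search_terms:
            for alt in _alternatives(line):
                if alt in terms:
                    return f"search-term:{alt.strip()}"
    path = urlsplit(url).path.lower()
    mime = content_type.split(";")[0].strip().lower() if content_type else None
    for ft in cat.file_types:
        ft = ft.strip().lower()
        if ft.startswith(".") and path.endswith(ft):
            return f"extension:{ft}"
        if "/" in ft and ft == mime:
            return f"mime:{ft}"
    return None


# Constructed sample category using the notations shown in the settings table.
ADULT = UserDefinedCategory(
    "Adult (user defined)",
    domains_urls=["example.com", "news.example.org/adult"],
    search_terms=["( hardcore )", "(xxx)"],
    url_patterns=["(adultsite|sexdream)", "[mysearchwith(abracket)]"],
    file_types=[".doc", "application/octet-stream"],
)
```

The order of checks (domains, URL patterns, search terms, file types) is a choice of this example; what matters for the settings above is that a term keeps its spacing, so "hardcoreness" does not trip the whole-word term " hardcore ".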
To delete a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the content category object you want to delete and click Delete category group. NITO deletes the object.

Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.

Working with Time Slot Objects

You can configure NITO to allow or stop users accessing the Internet during certain time periods depending on the time and day.

Creating a Time Slot

The following section explains how to create a time slot for use in a web filter policy.

To create a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page.
2. Configure the following settings:

   Name – Enter a name for the time slot.
   Comment – Optionally, enter a comment to help identify when the period is used.
3. In the time-table, click and drag to select the periods of time you want to include in the time slot.
4. Click Save. NITO creates the time slot and adds it to the list of time slots. It also makes the time slot available where applicable on the policy wizard pages for inclusion in policies.

Editing a Time Slot

The following section explains how to edit a time slot.

To edit a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.
2. Click the Edit time button. NITO displays the time slot in the time-table. Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.
3. Make the changes you require and click Save. NITO makes the changes and saves the time slot.

Deleting a Time Slot

The following section explains how to delete a time slot.

To delete a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.
2. Click the Delete time button. NITO deletes the time slot.

Working with Location Objects

NITO enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet.

Creating a Location Object

To create a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Manage location area, configure the following settings:

   Name – Enter a name for the location object.
   Addresses – Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:
   For a computer, enter: 192.168.0.58
   For a range of computers, enter: 192.168.0.61-192.168.0.71
   For content identified by a hostname, enter: roaming_laptop
3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:

   Exceptions – Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:
   To make an exception for a computer, enter: 192.168.0.53
   To make an exception for a range of computers, enter: 192.168.0.65-192.168.0.67
4. Click Save. NITO adds the resources to the location object and lists it in the Locations list.

Editing Location Objects

You can edit a location object.

To edit a location object:

1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button. NITO displays the settings.
2. Make the changes you require.
3. Click Save. NITO updates the resources in the location object and lists it in the Locations list.

Deleting Location Objects

You can delete location objects you no longer require.
Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.

To delete a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Locations list, locate the location object you want to delete and click the Delete location button. NITO deletes the location object.

Working with Quota Objects

NITO’s quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left.

About the Default Quota Object

NITO comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00. You can edit the default quota but you cannot remove it – there must always be a default in case the quota action is used in a web filtering policy.

For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 89.

Creating Quota Objects

Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota and when the quota is reset.

To create a quota object:

1. Browse to the Guardian > Policy objects > Quotas page.
2. Click Create a new quota and configure the following settings:

   Available users or groups – From the list, select the user(s) and/or group(s) to whom the quota will apply. Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them. Click Add.
   Duration – Move the slider to set the duration of the quota.
   Prompt every – From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota.
   Reset at – From the drop-down list, select when to reset the quota.
   Enable quota – Select to enable the quota.
3. Click Save. NITO creates the quota and lists it on the Guardian > Policy objects > Quotas page.
4. Drag and drop the quota object to the correct position.

Note: Quotas are applied in the order listed on the Guardian > Policy objects > Quotas page. You must consider their position when using them. Take, for example, Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob’s responsibilities, he needs a quota of 120 minutes. To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When NITO applies the web filtering policy to the Staff group, it will check for quotas and allow Bob 120 minutes while other people in the Staff group will get 60 minutes. If Bob’s quota object is listed below the Staff group’s quota object, Bob will get 60 minutes just like everyone else.

For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 89.

Editing Quota Objects

It is possible to edit a quota object’s settings.

To edit a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. NITO displays the settings.
2. Make the changes required. See Working with Quota Objects on page 86 for more information on the settings available.
3. Click Save. NITO edits and updates the quota and lists it on the Guardian > Policy objects > Quotas page.
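The quota ordering described in the note above, together with the default quota's 60 minutes per 24 hours, 10-minute prompt and 04:00 reset, as an added Python example that is not NITO code: resolve_quota walks the quota list top to bottom, so Bob's 120-minute quota only wins when it is listed above the Staff quota, and QuotaLedger tracks the minutes used, starts a fresh period at the quota's reset time and counts the confirmation prompts shown. The ledger, the prompt arithmetic and the sample quotas are assumptions.

```python
# Added example: resolving and accounting for NITO-style quota objects.
# Not NITO code; the usage ledger and the prompt arithmetic are assumptions.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, Iterable, List, Tuple


def parse_when(text: str) -> datetime:
    """Readable sample times, e.g. "2012-05-01 09:00"."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class Quota:
    name: str
    applies_to: frozenset           # user and/or group names chosen under "Available users or groups"
    duration_min: int = 60          # "Duration"
    prompt_every_min: int = 10      # "Prompt every"
    reset_at: time = time(4, 0)     # "Reset at"
    enabled: bool = True


# The built-in default quota: 60 minutes per 24 hours, prompt every 10 minutes, reset at 04:00.
DEFAULT_QUOTA = Quota("Default", frozenset())


def resolve_quota(quotas: List[Quota], user: str, groups: Iterable[str]) -> Quota:
    """The first enabled quota, in list order, that names the user or one of the user's
    groups; the default quota when none does."""
    wanted = {user, *groups}
    for q in quotas:
        if q.enabled and q.applies_to & wanted:
            return q
    return DEFAULT_QUOTA


def period_start(q: Quota, now: datetime) -> datetime:
    """Start of the 24-hour period containing `now` for a quota that resets daily at q.reset_at."""
    start = datetime.combine(now.date(), q.reset_at)
    return start if now >= start else start - timedelta(days=1)


class QuotaLedger:
    """Minutes used per (quota, user) in the current period."""

    def __init__(self) -> None:
        self._used: Dict[Tuple[str, str], List] = {}   # (quota name, user) -> [period start, minutes]

    def remaining(self, q: Quota, user: str, now: datetime) -> int:
        start = period_start(q, now)
        rec = self._used.get((q.name, user))
        if rec is None or rec[0] != start:             # a new period: the quota has been reset
            rec = self._used[(q.name, user)] = [start, 0]
        return q.duration_min - rec[1]

    def use(self, q: Quota, user: str, now: datetime, minutes: int) -> Tuple[bool, int, int]:
        """Spend `minutes` of quota. Returns (granted, minutes left afterwards, prompts shown).
        A confirmation prompt is shown when use starts and at every further prompt_every_min
        boundary reached within the period (assumption)."""
        left = self.remaining(q, user, now)
        if minutes > left:
            return False, left, 0
        rec = self._used[(q.name, user)]
        before, rec[1] = rec[1], rec[1] + minutes
        pe = q.prompt_every_min
        prompts = (rec[1] + pe - 1) // pe - (before + pe - 1) // pe   # ceil(after/pe) - ceil(before/pe)
        return True, q.duration_min - rec[1], prompts


# Constructed sample: Bob is in Staff but needs 120 minutes, so his quota is listed above Staff's.
STAFF = Quota("Staff", frozenset({"Staff"}), 60)
BOB = Quota("Bob extra", frozenset({"bob"}), 120)
QUOTAS_BOB_FIRST = [BOB, STAFF]
QUOTAS_STAFF_FIRST = [STAFF, BOB]
```

With QUOTAS_STAFF_FIRST the Staff quota matches Bob first and he gets 60 minutes like everyone else, which is exactly the ordering pitfall the note describes.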
Deleting Quota Objects

You can delete a quota object when it is no longer required.

To delete a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. NITO deletes the quota and removes it from the Guardian > Policy objects > Quotas page.

Managing Web Filter Policies

NITO processes web filter policies in order of priority, from top to bottom, until it finds content that matches. When it finds a match, NITO applies the action (block, allow, whitelist, soft block or limit to quota) as configured in the policy. You can review the default web filter policies on the Guardian > Web filter > Manage policies page and you can change the order by dragging and dropping policies in the list.

The following sections discuss how to create, edit and delete web filter policies.

Creating Web Filter Policies

You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times or apply an acceptable usage policy (AUP) to meet your organization’s requirements.

To create a web filter policy:

1. Browse to the Guardian > Web filter > Policy wizard page.
2. Complete the following steps:

   Step 1: Who – From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What – From the Available categories or category groups list, select what is to be filtered. Tip: Enter the name or part of the name and NITO will search for content that matches. To select more than one type of content, hold the CTRL button down while selecting it. Click Add and, when you have selected all the content, click Next to continue.
   Step 3: Where – From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and NITO will search for locations that match. To select more than one location, hold the CTRL button down while selecting them. Click Add and, when you have added the location(s), click Next to continue.
   Step 4: When – From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and NITO will search for time slots that match. To select more than one time slot, hold the CTRL button down while selecting them. Click Add and, when you have added the time slot(s), click Next to continue.
   Step 5: Action – Select one of the following actions to use when applying this policy:
   Create policy folder – Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups.
   Block – Select this action to block the selected content.
   Allow – Select this action to allow the content. NITO may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of news article.
   Whitelist – Select this action to whitelist the selected content. When content is whitelisted, NITO does not examine it any further. Whitelisting is applied early on when NITO is checking URLs. Content which is whitelisted will not be subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates.
   Softblock – Select this action to soft-block the selected content. Anyone trying to access the content will be prompted by NITO to confirm that they want to access the content.
   Limit to quota – Select this action to apply a quota when applying the policy. When the policy is applied, NITO will check the quotas defined on the Guardian > Policy objects > Quotas page and limit access to the requested content based on the quota object’s settings. Note: Any content being streamed or downloaded by a user will not be stopped when the user’s quota runs out.

   Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.
3. Select Enable policy to enable the policy and click Confirm.
4. NITO displays the settings you have selected. Review them and click Save to create the policy. NITO creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order NITO should apply the policy.
5. Browse to the Guardian > Web filter > Manage policies page.
6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list of policies.
7. Click Save. NITO re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break.

Editing Web Filter Policies

You can edit an existing web filter policy to suit your organization’s requirements.

To edit a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. NITO displays the policy settings on the Guardian > Web filter > Policy wizard page.
3. Make the changes necessary; see Creating Web Filter Policies on page 89 for more information on working with policies.
4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy. NITO updates the policy and makes it available on the Guardian > Web filter > Manage policies page.

Deleting Web Filter Policies

You can delete a web filter policy you no longer require.

To delete a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove. NITO deletes the policy.

Managing HTTPS Inspection Policies

The following sections discuss how to create, edit and delete HTTPS inspection policies.

HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS by configuring an inspection method for different user groups, destinations and locations. NITO processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies in new positions.
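The top-to-bottom, first-match processing described for web filter policies above and for HTTPS inspection policies in this section, as an added Python example that is not NITO code: each policy carries the Who, What, Where and When selections made in the policy wizard plus an action, with the location and time slot objects from earlier in this chapter supplying the Where and When matching (including the IP range, hostname and exception notations of the Locations page). The Everyone/Everything wildcards, the hour-based model of the time-table, the action taken when no policy matches and the sample objects are assumptions; the sample policies reproduce the media-students-at-lunch and online-banking examples from the text.

```python
# Added example: first-match, top-to-bottom evaluation of NITO-style policies
# (web filter and HTTPS inspection) with location and time slot objects.
# Not NITO code; the matching semantics are assumptions.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

def parse_when(text: str) -> datetime:
    """Readable sample times, e.g. "2012-05-07 12:30" (a Monday)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def _covers(entry: str, ip: str, hostname: Optional[str]) -> bool:
    """Does one Locations-page entry (IP, range, subnet or hostname) cover this client?"""
    entry, addr = entry.strip(), ipaddress.ip_address(ip)
    if "-" in entry:                                   # 192.168.0.61-192.168.0.71
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        return lo <= addr <= hi
    if "/" in entry:                                   # 192.168.0.0/24
        return addr in ipaddress.ip_network(entry, strict=False)
    try:
        return ipaddress.ip_address(entry) == addr     # 192.168.0.58
    except ValueError:                                 # not an address: a hostname such as roaming_laptop
        return hostname is not None and entry.lower() == hostname.lower()

@dataclass
class Location:
    name: str
    addresses: List[str]
    exceptions: List[str] = field(default_factory=list)    # Advanced > Exceptions

    def contains(self, ip: str, hostname: Optional[str] = None) -> bool:
        if any(_covers(e, ip, hostname) for e in self.exceptions):
            return False
        return any(_covers(a, ip, hostname) for a in self.addresses)

@dataclass
class TimeSlot:
    name: str
    periods: List[Tuple[int, int, int]]     # (weekday 0=Mon, start hour, end hour) from the time-table

    def active(self, at: datetime) -> bool:
        return any(d == at.weekday() and s <= at.hour < e for d, s, e in self.periods)

@dataclass
class Policy:
    name: str
    who: Set[str]          # Step 1: users/groups; "Everyone" matches anyone (assumption)
    what: Set[str]         # Step 2: categories/category groups; "Everything" matches all
    where: List[Location]  # Step 3
    when: List[TimeSlot]   # Step 4
    action: str            # Step 5, e.g. Block, Allow, Decrypt and inspect, Do not inspect
    enabled: bool = True

@dataclass
class Request:
    user: str
    groups: Set[str]
    categories: Set[str]   # the categories NITO assigned to the requested content
    ip: str
    at: datetime
    hostname: Optional[str] = None

def matches(p: Policy, r: Request) -> bool:
    if not p.enabled:
        return False
    who_ok = "Everyone" in p.who or r.user in p.who or bool(p.who & r.groups)
    what_ok = "Everything" in p.what or bool(p.what & r.categories)
    where_ok = any(loc.contains(r.ip, r.hostname) for loc in p.where)
    when_ok = any(ts.active(r.at) for ts in p.when)
    return who_ok and what_ok and where_ok and when_ok

def apply_policies(policies: List[Policy], r: Request, default_action: str) -> Tuple[Optional[str], str]:
    """Policies are tried in the order listed on the Manage policies page; the first match decides."""
    for p in policies:
        if matches(p, r):
            return p.name, p.action
    return None, default_action   # no match: the outcome is configuration-specific (assumption)

# Constructed sample objects, in the notations shown on the Locations page.
MEDIA_LAB = Location("Media lab", ["192.168.0.61-192.168.0.71", "roaming_laptop"],
                     exceptions=["192.168.0.65-192.168.0.67"])
ANYWHERE = Location("Anywhere", ["0.0.0.0/0"])
LUNCH = TimeSlot("Lunch", [(d, 12, 13) for d in range(5)])       # Mon-Fri 12:00-13:00
ALWAYS = TimeSlot("Always", [(d, 0, 24) for d in range(7)])
WEB_FILTER = [   # the lunch-time allow for media students must sit above the blanket block
    Policy("Media students: adverts at lunch", {"Media students"}, {"Adverts"}, [MEDIA_LAB], [LUNCH], "Allow"),
    Policy("Block adverts", {"Everyone"}, {"Adverts"}, [ANYWHERE], [ALWAYS], "Block"),
]
HTTPS_INSPECTION = [   # banking is left alone only because it is listed above the blanket inspection
    Policy("Online banking", {"Everyone"}, {"Banking"}, [ANYWHERE], [ALWAYS], "Do not inspect"),
    Policy("Inspect everything", {"Everyone"}, {"Everything"}, [ANYWHERE], [ALWAYS], "Decrypt and inspect"),
]
```

Swapping the two HTTPS policies makes "Inspect everything" match first and banking traffic gets decrypted, which is the drag-and-drop ordering effect the page describes for both policy lists.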
NITO comes with three pre-configured HTTPS inspection policies which handle the following content:

• Online banking – when enabled, this policy allows end-users to do online banking without communications being decrypted and inspected
• All encrypted content accessed by unauthenticated IPs – when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access
• Certificate validation – enabled by default, this policy checks secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.

Enabling HTTPS Inspection Policies

The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page.

To enable HTTPS inspection policies:

1. Browse to the Guardian > HTTPS inspection > Manage policies page.
2. Locate the policy you want to enable, click on the Enabled button and select Enable.
3. Repeat the step above for any other policies you want to enable and then click Save. NITO enables the policies.

Note: When, for the first time, you enable an HTTPS inspection policy which decrypts and inspects content, NITO informs you that users’ browsers must have the NITO CA certificate in order for the policy to work. You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 96 for more information on how to import the certificate.

Creating an HTTPS Inspection Policy

When an HTTPS inspection policy is in place, NITO displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.
Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 95.

To create an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Policy wizard page.
2. Complete the following steps:

Step 1: Who
From the Available users or groups list, select who the policy will apply to.
Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL key down while selecting them.
Click Add and, when you have added all the users and/or groups, click Next to continue.

Step 2: What
From the Available categories or category groups list, select what is to be inspected.
Tip: Enter the name or part of the name and NITO will search for content that matches. To select more than one type of content, hold the CTRL key down while selecting it.
Click Add and, when you have added all the categories or category groups, click Next to continue.

Step 3: Where
From the Available locations list, select where the policy will apply.
Tip: Enter the name or part of the name and NITO will search for locations that match. To select more than one location, hold the CTRL key down while selecting them.
Click Add and, when you have added the location(s), click Next to continue.

Step 4: When
From the Available time slots list, select when the policy will apply.
Tip: Enter the name or part of the name and NITO will search for time slots that match. To select more than one time slot, hold the CTRL key down while selecting them.
Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action
Select one of the following actions to apply:
Create policy folder – Select this action when configuring NITO at a central installation where you need to create policy folders for multiple locations or groups.
Decrypt and inspect – Select this action to decrypt and inspect the encrypted content.
Validate certificate only – Select this action to check the secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.
Do not inspect – Select this action to leave the communication uninspected. An example of using this would be to not intercept communication with banking sites when a blanket policy of inspecting all HTTPS communication is in place.

Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.

3. Select Enable policy to enable the policy and then click Confirm.
4. NITO displays the settings you have selected. Review them and click Save to create the policy.

NITO creates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page. You must now specify in what order NITO should apply the policy.

5. Browse to the Guardian > HTTPS inspection > Manage policies page.
6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies.
7. Click Save.

NITO re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site.

Editing HTTPS Inspection Policies

You can edit an existing HTTPS inspection policy to suit your organization's requirements.
To edit an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. NITO displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.
3. Make the changes necessary; see Creating an HTTPS Inspection Policy on page 93 for more information on working with policies.
4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy.

NITO updates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page.

Deleting HTTPS Inspection Policies

You can delete an HTTPS inspection policy you no longer require.

To delete an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove.

NITO deletes the policy.

Configuring HTTPS Inspection Policy Settings

For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting certificate authority certificates, importing them into the list of trusted CA certificates on the computers in your network, and configuring the warning and confirmation messages that are displayed to users when communications are being decrypted and inspected.

Managing Certificates

Managing certificate authority (CA) certificates entails exporting them and then installing them on end users' computers. Without the certificate on users' computers, HTTPS inspection policies cannot work.

To export a certificate:

1. Browse to the Guardian > HTTPS inspection > Settings page.
2. Click Export. NITO generates the Guardian CA Cert.crt file.
3. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering.

Tip: At the time of writing, to import the certificate on a PC running Internet Explorer 8: from the Tools menu, select Internet Options. On the Content tab, click Certificates and then click Import. Run the Certificate Import Wizard and place the certificate in the Trusted Root Certification Authorities store.

In Firefox 3 on Windows XP, from the Tools menu, select Options. Click Advanced and display the Encryption tab. Click View Certificates and then click the Authorities tab. Click Import, browse to where the certificate is stored and click Open. When prompted, select Trust this CA to identify web sites and click OK, OK and OK.

For Active Directory, you can deploy the certificate using a group policy. Consult your Active Directory documentation for more information.

Configuring Warning Information

When implemented, NITO displays a warning page informing users who try to access HTTPS web sites that their communication with the sites is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.

To configure HTTPS inspection policy settings:

1. Browse to the Guardian > HTTPS inspection > Settings page.
2. In the Manage HTTPS interception warning area, configure the following settings:

Warning message
Accept the default message or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.
Note: After displaying the warning page, NITO will not display it again for 24 hours or until the user restarts their browser.

Confirmation button label
Accept the default label or enter a new label to display on the button users must click in order to continue to the site they accepted.

3. Click Save to save the settings.
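The two trust decisions behind the certificate procedure above (a re-signed site certificate is only accepted once the exported CA is in the client's trust store, and a self-signed site certificate is rejected, as the Certificate validation policy does), reproduced with a throwaway CA as an added example that is not part of the NITO guide or product; the CA name, hostnames and working directory are constructed for the demo:

```shell
#!/bin/sh
# Added example, not part of the NITO guide or product: a throwaway CA built
# with openssl reproduces the trust decisions this section describes, so you
# can see why the exported CA must be in each client's trust store and what a
# certificate validation policy rejects.  CA name, hostnames and the working
# directory are all constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/nito-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256"

# Stand-in for the CA that NITO exports as "Guardian CA Cert.crt".
make_demo_ca() {
  # KEYOPTS is intentionally word-split
  openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext $KEYOPTS \
    -days 2 -subj "/CN=Demo Inspection CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# A per-site certificate signed by the demo CA, as an inspecting proxy mints
# one for each intercepted HTTPS site.  $1 = hostname, $2 = file basename.
make_proxy_leaf() {
  openssl req -new -config "$WORK/demo.cnf" $KEYOPTS -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# A self-signed site certificate, the kind "Validate certificate only" blocks.
# $1 = hostname, $2 = file basename.
make_self_signed_leaf() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions leaf_ext $KEYOPTS \
    -days 2 -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
    >/dev/null 2>&1
}

# The chain check a browser performs once the CA has (or has not) been
# imported: explicit trust file, system store switched off.
# $1 = trust file, or "" for "nothing imported"; $2 = certificate to check.
# Exit status 0 = trusted, non-zero = rejected.
verify_against() {
  if [ -n "$1" ]; then
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile "$2" >/dev/null 2>&1
  fi
}

# Prints the issuer of a certificate.  On a real client, an issuer naming the
# inspection CA rather than a public CA is the quick sign that the session is
# being decrypted and re-signed (openssl s_client -showcerts shows the chain).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

report() {  # $1 = label, remaining args = command to run
  label="$1"; shift
  if "$@"; then echo "$label: trusted"; else echo "$label: rejected"; fi
}

make_demo_ca
make_proxy_leaf "bank.example" site
make_self_signed_leaf "selfsigned.example" selfsigned

report "re-signed site, CA not imported" verify_against "" "$WORK/site.crt"
report "re-signed site, CA imported" verify_against "$WORK/ca.crt" "$WORK/site.crt"
report "self-signed site, CA imported" verify_against "$WORK/ca.crt" "$WORK/selfsigned.crt"
issuer_of "$WORK/site.crt"
```

Importing ca.crt into the trust store is what turns the first result from rejected into trusted; the self-signed certificate stays rejected no matter which CA is imported, which is the behaviour the Certificate validation policy enforces on the proxy side.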
Clearing the Generated Certificate Cache

It is possible to clear NITO's cache of certificates generated for use with HTTPS inspection policies.

To clear the cache:

1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear.

NITO clears the cache.

Managing Content Modification Policies

The following sections discuss how to create, edit and delete content modification policies.

A content modification policy can apply recommended security rules, determine whether Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content, thus making it possible to exempt content from modification for specific users or locations.

Creating a Content Modification Policy

You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.

To create a content modification policy:

1. Browse to the Guardian > Content modification > Policy wizard page.
2. Complete the following steps:

Step 1: Who
From the Available users or groups list, select who the policy applies to.
Tip: Enter a name or part of a name and NITO will search for names of users and groups that match. To select more than one user or group, hold the CTRL key down while selecting them.
Click Add and, when you have added all the users and/or groups, click Next to continue.

Step 2: What to target
From the Available categories or category groups list, select what the policy applies to.
Tip: Enter the name or part of the name and NITO will search for matches. To select more than one item, hold the CTRL key down while selecting them.
Click Add and, when you have selected the categories or category groups, click Next to continue.

Step 3: Where
From the Available locations list, select where the policy will apply.
Tip: Enter the name or part of the name and NITO will search for locations that match.
To select more than one location, hold the CTRL key down while selecting them.
Click Add and, when you have selected the location(s), click Next to continue.

Step 4: Action
Select one of the following options:
Create policy folder – Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information on policy folders, see Working with Policy Folders on page 100.
Apply – Select this action to modify the categories and category groups selected.
Ignore – Select this action to exempt the categories and category groups from being modified.
Note: Usually, creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content.
From the Available categories or category groups list, select the content modification to apply and click Add.
Tip: Enter the name or part of the name and NITO will search for matches. To select more than one item, hold the CTRL key down while selecting them.
Note: If you are creating a policy that ignores content, the options here are disabled.

Note: Each step must be completed in order to create the policy. If you skip a step, NITO creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 100.

3. Select Enable policy to enable the policy and click Confirm.
4. NITO displays the settings you have selected. Review them and click Save to create the policy.

NITO creates the policy and makes it available on the Guardian > Content modification > Manage policies page.
You must now specify in what order NITO should apply the policy.

5. Browse to the Guardian > Content modification > Manage policies page.
6. Locate the policy. Drag and drop the policy to where you want NITO to apply it. For example, if you have created a policy which exempts search results from modification for users in the teachers group, drag the policy to the top of the list of policies.

Editing Content Modification Policies

You can edit an existing content modification policy to suit your organization's requirements.

To edit a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. NITO displays the policy settings on the Guardian > Content modification > Policy wizard page.
3. Make the changes necessary; see Creating a Content Modification Policy on page 98 for more information on working with policies.
4. Click Confirm. NITO displays the settings you have selected. Review them and click Save to save the changes to the policy.

NITO updates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Deleting Content Modification Policies

You can delete a content modification policy you no longer require.

To delete a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy. Click Remove.

NITO deletes the policy.

Working with Policy Folders

Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization. For example, by default, NITO blocks all adverts for all users all the time in every location.
If you want to allow some users and/or groups to access adverts sometimes, and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.

Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.

Creating a Policy Folder

You create a policy folder by using a policy wizard.

To create a policy folder:

1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.
2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, NITO makes the policy folder available on the manage policies page.
3. To add a policy to a folder, browse to the relevant manage policies page, locate the policy folder and click Add policy to folder. NITO opens the folder and displays it on the policy wizard page.
4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. NITO displays the policy settings. Review the settings and then click Save.

NITO creates the policy, places it in the policy folder and makes it available on the manage policies page.

Editing Policy Folders

You can edit policy folders by changing the policy objects they contain.

To edit a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. NITO opens the folder and displays it on the policy wizard page.
2. Make changes to the policy object(s) included in the folder by adding or removing them as required.
3. Click Confirm, review the changes and click Save to apply the changes and update the folder.

Deleting Policy Folders

You can delete policy folders you no longer require.

To delete a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder.

NITO deletes the folder and removes it from the relevant manage policies page.

Censoring Web Form Content

The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period.

To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:

Service
From the drop-down menu, select one of the following options:
Web filter outgoing – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.
Web filter secure outgoing (HTTPS) – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS.
Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 92 for more information.
Click Select to update the policy settings available.

Filter
From the drop-down menu, select a filter to use. For more information on filters, see Chapter 13, Creating Filters on page 160.

Time period
From the drop-down menu, select a time period to use, or accept the default setting. For more information on time settings, see Chapter 13, Setting Time Periods on page 159.

Action
From the drop-down menu, select one of the following actions:
Block – Content which is matched by the filter is blocked.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.

Log severity level
NITO enables you to store all blocked content, no blocked content, or only blocked content above a certain severity level. If you want NITO to store only blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to do this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy.
Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.

Group
From the drop-down list, select the group to which you want to apply the policy.

Comment
Optionally, enter a description of the policy.

Enabled
Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy.
4. Browse to the Guardian > Web filter > Outgoing page.
5. Configure the following settings:

MessageCensor filtering and logging
Select Enable to enable censoring of content and/or files posted using web forms.

Store blocked content
Select this option if you want NITO to store content it blocks.
Note: This option does not apply to content posted using HTTPS.

Store blocked content above severity level
If you have selected to store blocked content, from the drop-down list, select one of the following options:
Always store – NITO stores all blocked content and makes it available for review in the web filter log.
-4 to 5 – Select a severity level above which NITO stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity level option above.
Note: This option does not apply to content posted using HTTPS.

6. Click Save.
NITO applies the policy.

Chapter 10: Managing Authentication Policies

In this chapter:

• About and working with authentication policies
• About exceptions to authentication and identification by location
• About and how to configure transparent and non-transparent connections to NITO
• Some example scenarios of how to use authentication to manage web access.

About Authentication Policies

Note: By default, NITO comes with an authentication policy in place. To use it, you configure your users' web browsers to use NITO as their web proxy. For more information, see Creating a Non-transparent Connection Manually on page 116.

NITO uses authentication to:

• Identify users and assign them to groups, so that NITO can apply different policies to each group
• Allow access to registered users or trusted workstations
• Provide logging and auditing facilities in case of misuse
• Show in real time which users are accessing content.

An authentication policy is comprised of a connection type, an authentication method, port information and a location. NITO can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports NITO listens on for web requests.

Creating Authentication Policies

NITO enables you to create the following types of authentication policies:

• Non-transparent authentication policies – this type of policy is applied to users whose web browsers are configured to connect to the Internet using NITO as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 106
• Transparent authentication policies – this type of policy is applied to users whose computers' network connection uses NITO. For more information, see Creating Transparent Authentication Policies on page 110.
Creating Non-transparent Authentication Policies

Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a non-transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Non-Transparent and, from the Method drop-down list, select one of the following authentication methods:

No authentication
Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

Kerberos
Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 284.

Kerberos (Terminal Services compatibility mode)
Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 284. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

Proxy authentication
Identify users by requesting a username and password from the user's browser. This authentication method prompts users to enter a username and password when they try to browse the web. The username and password details are encoded in all future requests made by the user's browser.

Proxy authentication (Terminal Services compatibility mode)
Identify users by requesting a username and password from the user's browser.
This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

NTLM identification
Identify users according to the username logged into their Microsoft Windows workstation.
Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.

NTLM identification (Terminal Services compatibility mode)
Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services.
Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
NTLM authentication
Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller.
Prerequisites:
• There must be a computer account for NITO in Active Directory
• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.

NTLM authentication (Terminal Services compatibility mode)
Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services.
Prerequisites:
• There must be a computer account for NITO in Active Directory
• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
Note: NITO supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

Redirect users to SSL Login page (with background tab)
Identify users with the NITO authentication service.
If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The NITO authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the NITO system is encrypted. To log out securely, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The NITO authentication service supports only one user per client IP address. Using this method, NITO stores a session cookie on the user's browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the NITO system is encrypted. To log out securely, the user must click Logout on the SSL Login page.

Core authentication
Identify users with the NITO authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The NITO authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page.
For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.

Ident
Identify users according to the username returned by an Ident server running on their workstation. NITO supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations, which can then be queried by Ident-enabled systems. The user does not need to enter their username, as it is automatically supplied by the Ident server application. Once a user's Ident server has identified the user, the user's web activities will be filtered according to their authentication group membership. For details of how to configure this with your choice of Ident server, refer to the Ident server's administrator's guide.
Note: Ident does not verify a user's credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.

Identification by Location
Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 114. For information on locations, see Chapter 9, Working with Location Objects on page 85.

Kerberos (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 284. The NITO authentication service supports only one user per client IP address.

NTLM identification (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The NITO authentication service supports only one user per client IP address.
Note: This option is for backwards compatibility with earlier versions of Guardian.

NTLM authentication (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The NITO authentication service supports only one user per client IP address.
Note: This option is for backwards compatibility with earlier versions of Guardian.

3. Configure the following settings:

Interface
From the drop-down list, select the interface on which to apply the authentication policy.

Port
From the drop-down list, select the port on which to apply the authentication policy.

Enabled
Select to enable the policy.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example by entries on the Web proxy > Authentication > Exceptions page, NITO assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. NITO displays the policy settings.
7. Review the settings and click Save to make the policy available for use.
Creating Transparent Authentication Policies
Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a transparent authentication policy:
1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:

No authentication
Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

Kerberos
Identify users by using the Kerberos keytab stored on NITO. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

Kerberos (Terminal Services compatibility mode)
Identify users by using the Kerberos keytab stored on NITO. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003. For more information, see Chapter 14, Managing Kerberos Keytabs on page 185. For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

Redirect users to SSL Login page (with background tab)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The NITO authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the credentials are exchanged between the user's workstation and NITO over an encrypted connection. To log out securely, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The NITO authentication service supports only one user per client IP address. Using this method, NITO stores a session cookie in the user's browser; the cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping browser tabs open in the background. SSL login is more secure than Ident or web proxy authentication because the credentials are exchanged between the user's workstation and NITO over an encrypted connection. To log out securely, the user must click Logout on the SSL Login page.

Core authentication
Identify users with the NITO authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The NITO authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.

Identification by location
Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 114.
For information on locations, see Chapter 9, Working with Location Objects on page 85.

Kerberos (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. The NITO authentication service supports only one user per client IP address. For information on Kerberos prerequisites and troubleshooting, see Appendix A, About Kerberos on page 284.

NTLM identification (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The NITO authentication service supports only one user per client IP address.
Note: NTLM identification does not verify a user's credentials; it accepts the username the client presents without validating it against the domain controller. Use it only where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.

NTLM authentication (via redirect)
Identify users with the NITO authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The NITO authentication service supports only one user per client IP address.

3. Configure the following settings:

Interface: From the drop-down list, select the interface on which to apply the authentication policy. Note: For more information on the WCCP interface option, see Chapter 11, Configuring WCCP on page 128.
HTTPS: Select this option to transparently intercept HTTPS connections. When this option is disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings. Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.
Enabled: Select to enable the policy.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, NITO assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. NITO displays the policy settings.
7. Review the settings and click Save to make the policy available for use.

Managing Authentication Policies
NITO applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. Order matters: a policy scoped to a particular location should sit above a more general policy for the same interface and port, as in the Using Multiple Authentication Methods scenario later in this chapter. You can re-order the policies by dragging and dropping them into new positions.

To access authentication policies:
1. Browse to the Web proxy > Authentication > Manage policies page. NITO displays the current authentication policies.

Editing Authentication Policies
You can make changes to authentication policies by editing them.

To edit an authentication policy:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to change.
2. Click the Edit policy button. NITO displays the policy on the Web proxy > Authentication > Policy wizard page.
3. Make the changes you require; see Creating Authentication Policies on page 105 for more information on the settings available.
4. Click Confirm, review your changes and then click Save to save and apply the changes. NITO applies the changes and prompts you to restart the NITO proxy.
5. Click Restart proxy. NITO restarts the proxy.

Deleting Policies
You can delete authentication policies you no longer require.

To delete an authentication policy:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.
2. Click the Delete policy button. NITO prompts you to confirm that you want to delete the policy.
3. Click Delete. NITO deletes the policy and prompts you to restart the NITO proxy.
4. Click Restart proxy. NITO restarts the proxy.

Managing Authentication Exceptions
You can configure NITO to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication. Requests matched by an exception are handled as unauthenticated and assigned to the group configured for unauthenticated requests in the policy (by default, Unauthenticated IPs), so limit exceptions to content that must be reachable before a user can log in.

To create an exception:
1. Browse to the Web proxy > Authentication > Exceptions page.
2. Select the content to be excepted from authentication and click Add.
3. Click Save to create the exception.

Identification by Location
You can configure NITO to identify groups and/or users by the location in which they are situated. This identification by location mapping can then be used by an identification by location authentication policy.
Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 105 for more information.

To configure identification by location:
1. Browse to the Web proxy > Authentication > Ident by location page.
2. From the Selected location drop-down list, select the location.
3. Select the groups and/or users to include in the location and click Add.
4. Click Confirm. NITO lists the location in the Location to group mappings table.

Connecting to NITO
The following sections explain how to connect non-transparently and transparently to NITO.

About Non-transparent Connections
Non-transparent connections from users' web browsers to NITO are suitable when content is accessed using HTTPS, when using NTLM or proxy authentication, or when using identification in Terminal Services compatibility mode.
Connecting to NITO non-transparently entails configuring users' web browsers to use NITO as the web proxy using one of the following methods:
- Manually: web browser LAN settings are configured by hand, see Creating a Non-transparent Connection Manually on page 116 for more information
- Automatic configuration script: web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script generated by NITO, see Configuring Non-transparent Connections Using a PAC Script on page 116 for more information
- WPAD automatic script: web browser LAN settings are configured to detect proxy settings automatically, see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 116 for more information.

Creating a Non-transparent Connection Manually
Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To create a non-transparent connection manually:
1. On users' computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN.
5. Enter NITO's IP address and port number 800 and select Bypass proxy server for local addresses.
6. Click Advanced to access more settings. In the Exceptions area, enter NITO's IP address and the addresses of any other content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script
A proxy auto-config (PAC) script is a file generated by NITO. Once configured, any changes to the connection settings are automatically retrieved by the user's web browser. For information on working with PAC scripts, see Chapter 11, Using PAC Scripts on page 124.
Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:
1. On the user's computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
Automatically detect settings: Deselect this option.
Use automatic configuration script: Select this option.
Address: Enter the address of the script. Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.
4. Ensure that no other proxy settings are enabled or have entries.
Note: You may need to restart the web browser for the settings to take effect.

Configuring a Non-transparent Connection Using a WPAD Automatic Script
Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD; the latest versions of Microsoft Internet Explorer support this method.

The WPAD method works by the web browser prepending the label wpad to its DNS domain suffix (for example, wpad.example.com) and looking for a web server on port 80 at that name that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser which proxy, if any, to use for each request. Because browsers trust whatever host resolves as wpad in their domain, make sure only your own DNS servers can answer for that name: a rogue host that wins the wpad lookup can direct every client's traffic through a proxy of its choosing.

To use WPAD:
1. Configure your network to use NITO as the network web proxy. Consult your network documentation for more information on how to do this.
2. Using a local DNS server or NITO's static DNS, add the host wpad.YOURDOMAINNAME, substituting your own domain name. The host must resolve to NITO's IP address.
3. Configure users' browsers to automatically detect LAN settings.
Note: Users' computers must be configured with the same domain name as the A record. Microsoft Knowledge Base article Q252898 states that this form of WPAD does not work on Windows 2000; Microsoft suggests using DHCP auto-discovery with a PAC script instead. See the article for more information.

About Transparent Connections
You configure transparent connections from users' computers to NITO by configuring the computers' network connections to use NITO as the default gateway. In order for a transparent policy to work, the following must be in place:
- DNS must be set up correctly on your network so that user computers can resolve the short form of NITO's hostname, for example: resolve mysystem for the hostname mysystem.example.com
- User computers and NITO must be within the same DNS domain
- Internet Explorer must be configured to authenticate automatically with intranet sites.

Authentication Scenarios
The following are high-level examples of how you can configure NITO to suit your organization's authentication requirements.

New Content Filtering – Changing the Listening Port
Anna runs an Internet cafe. She is replacing her current content filter with NITO because of its superior filtering. To avoid reconfiguring each workstation, she needs NITO to listen on the same port as before, which was port 3128. Anna goes to the Web proxy > Authentication > Policy page, which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed, which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart NITO.

Providing Filtered Web Access to the Public
Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public.
He does not want delegates to need to configure a proxy in their browsers. Brian configures NITO to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults. After adding this entry, he can see the new transparent authentication policy on the Web proxy > Authentication > Policy page, so he removes the default entry for port 800. He then configures the firewall and DHCP servers on the network to route traffic through NITO.

Requiring Authentication to Browse the Web
Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured, but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which does not require guests to register their wireless devices. Charlotte creates a local user account for each room, with names like 'room23' and a random simple password. Guests who request Internet access are told the password for their room when they check in, and the password is changed when they check out. Charlotte then configures NITO in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting NITO.

Using Multiple Authentication Methods
Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign-on wherever possible. For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names 'Macs'. This location contains the IP address ranges assigned to Macs. On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location 'Macs'. This is displayed above the entry for NTLM on the policy page, so requests from the Mac address ranges are matched by the Ident policy before the general NTLM policy is considered. Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login. Using group policy and central admin tools, he configures the Windows PCs and Macs to use NITO, and installs an Ident server on the Macs. Windows and Mac users now authenticate to NITO using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.

Controlling an Unruly Class
Ellen is a secondary school teacher. Ellen's students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior. While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page, where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page.

Chapter 11: Managing Web Security
In this chapter:
- Overview of web proxy settings
- Using PAC scripts
- Limiting bandwidth and configuring WCCP
- Managing upstream proxies
- Managing blocklists
- Configuring block pages.

Overview of NITO's Web Proxy
The following sections provide an overview of NITO's web proxy settings.

To access NITO's web proxy settings:
1. Navigate to the Web proxy > Web proxy > Settings page.
Global Options
The following table lists NITO's global web proxy setting:

Guardian: Select Enable to enable content filtering and NITO's web proxy. Click Advanced to access the advanced web proxy settings documented in the following sections.

Advanced Web Proxy Settings
The following advanced web proxy settings are available.

Web Filter Options
The following optional advanced web filter settings are available:

HTTP strict mode: Enabled by default. For certain client applications going through NITO you may need to disable this to work around problems, for example, with non-standard headers that the applications send. Leave it enabled unless a specific application breaks, and disable it only for as long as that application needs it.
File upload policy: The following options are available:
  Allow unlimited uploads: All file uploads are allowed.
  Block all uploads: All file uploads are blocked.
  Restrict upload size to: Files below the size specified are allowed.
Resume interrupted NTLM connections: By default NITO resumes interrupted NTLM connections caused by non-standard web browser behavior.
  Enable: This is the default setting. Select it to configure NITO to resume interrupted NTLM connections.
  Disable: Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation, since the repeated authentication attempts made while resuming can otherwise count towards the lockout threshold.
Resolve single component hostnames: By default, NITO makes no attempt to interpret single-component hostnames which are not fully qualified.
  Enable: Select this setting if single-component hostnames are in use and NITO should attempt to resolve them.
  Disable: Select this setting to stop NITO from trying to interpret single-component hostnames which are not fully qualified.
Allow access to web servers on these additional ports: By default, NITO only allows requests to servers running on a subset of the privileged ports (ports below 1024), such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here. Add only the ports you need; each one is another destination clients can reach through the proxy.

Logging Options
The following advanced logging settings are available:

Proxy logging: We recommend that you disable this option when Filter logging mode is enabled, because NITO proxy logs are effectively duplicated subsets of NITO web filter logs. Disabling proxy logging can improve performance by reducing system storage and processing requirements.
Organization name: Enter a name which can be used to identify NITO in your organization. Organization names are also referenced in certain web reports.
Filter logging mode: From the drop-down list, select one of the following logging modes:
  Normal: Generate filter logs with all recorded data.
  Anonymized: Generate filter logs with anonymized username and IP address information.
  Disabled: Disable content filter logging.
Client hostnames: Select one of the following options:
  Log: Record the hostnames of computers using NITO. When enabled, filter logs and reports incorporating hostname information can be generated. If this option is enabled, DNS servers on the local network must be correctly configured with reverse DNS for all client machines; otherwise performance will suffer.
  Do not log: Disable the logging of the hostnames of computers using NITO.
Client user-agents: Select one of the following options:
  Log: Record the types of browsers used by users.
  Do not log: Disable the logging of the types of browsers used by users.
Explicitly allowed sites: Select one of the following options:
  Log: Log information on explicitly allowed sites.
  Do not log: Disable the logging of information on explicitly allowed sites.
Advert blocks: Select one of the following options:
  Log: Log information on advert blocking.
  Do not log: Disable the logging of information on advert blocking.

Cache Options
The following advanced, optional cache settings are available:

Global cache size: The size entered here determines the amount of disk space allocated to NITO for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. Configure the cache to approximately 40% of the system's total storage capacity, up to a maximum of around 2 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times; this occurs when the system spends more time managing the cache than it saves by retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Max and min object size that can be stored in the cache: The values entered here determine the maximum and minimum sizes of objects stored in the cache.
  Max object size: Enter the largest object size that will be stored in NITO's cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 30720 KB (30 MB) should be adjusted to suit the needs of your end-users.
  Min object size: Enter the smallest object size that will be stored in NITO's cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum, which should be suitable for most purposes.
Max object size that can pass in and out of proxy: The values entered here determine the maximum sizes of objects which can pass through the web proxy.
  Max outgoing size: Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
  Max incoming size: Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit applies whether or not the data is cached. It can be used to prevent excessive and disruptive download activity. The default is no limit.
Do not cache these domains: Specify domains that should be excluded from the web cache. This can be used to ensure that stale content from frequently updated web sites is not served from the cache. Enter domain names without the www prefix, one entry per line. To apply the entry to all subdomains as well, enter a leading period, for example: .example.com

Internet Cache Protocol
The following advanced, optional Internet Cache Protocol (ICP) settings are available:

ICP server: Select one of the following options:
  Enable: Allow ICP-compatible proxies to query NITO's cache. ICP is a technique employed by proxies to determine whether a request that cannot be satisfied from the local cache can be satisfied from another proxy's cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple NITO proxy servers; non-Nomadix proxies must use port 801 for HTTP traffic.
  Disable: Disable NITO as an ICP server.
ICP server IP addresses: Enter the IP addresses of other ICP-enabled proxies on the LAN that NITO should query.
Use this in conjunction with the ICP server option to allow two-way cache sharing.

Load Balancing
The following load balancing option is available:

Direct Return Server Virtual IP: Enables you to use a load balancing device which uses a virtual IP with NITO. Enter the IP address on which NITO can accept load-balanced connections. Assuming a load balancer has been set up, NITO will form part of its cluster. Note: This IP address must not respond to ARP queries. Not answering ARP for the address is what sets this type of virtual IP apart from a simple alias: the load balancer, not NITO, must be the host that owns the address on the LAN.

Using PAC Scripts
NITO enables you to create and make available proxy auto-config (PAC) scripts which determine which IP addresses and domains to access via NITO and which to access directly. NITO supports built-in PAC scripts and custom PAC script templates.

Using a Built-in Script
A built-in script is an auto-configuration script which you can customize with additional settings such as exceptions.

To use a built-in script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Built-in and configure the following settings:
Bypass proxy server for local addresses: Select this option to not use NITO when connecting to local addresses. When selected, users' browsers bypass the NITO proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the NITO proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local. We recommend that this setting is enabled.
Exception domains and IP addresses: In this text box, enter an IP address, IP address range, network address or hostname that users may access directly, one per line. For example:
192.168.0.1
192.168.0.1-192.168.0.254
192.168.0.0/24
hostname.local
Exception regular expression domains: Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression per line matching domains that users may access directly. For example:
^(.*\.)?youtube\.com$
^(.*\.)?ytimg\.com$
would disable use of NITO for youtube.com, ytimg.com and subdomains such as www.youtube.com, but not, for example, fakeyoutube.com. Anchor each expression with ^ and $ and escape literal dots as shown: an unanchored pattern such as youtube.com would also match fakeyoutube.com, and every host matched here reaches the Internet without passing through the filter.
3. Click Save. NITO creates the script and makes it available at: http://Your_System_IP_address/proxy.pac

Using a Custom Script
A custom script provides advanced functionality by enabling you to use a script customized to suit your organization.
Tip: You can use the built-in template as a starting point for creating a custom script. On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it under a different name. See below for how to upload it.

To use a custom script:
1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Custom script template and click Browse. Locate and select the script and click Upload. NITO uploads the script and makes it available at: http://Your_System_IP_address/proxy.pac

Managing the Configuration Script
You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.

To manage the configuration script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.
3. Click Save.

Limiting Bandwidth
NITO enables you to limit downstream bandwidth overall or based on the URL being accessed.
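The built-in script settings in the Using PAC Scripts section above (local-address bypass, exception domains and addresses, exception regular expressions) correspond directly to decisions made inside the generated proxy.pac, and the same kind of file is what a WPAD client fetches as wpad.dat in the procedure earlier in this chapter. The following is an added example of such a PAC script written for this guide; it is not the script NITO generates. The proxy address 192.0.2.10:800, the exception entries and the use of the two regular expressions quoted above are assumptions for the demonstration, and the address-range form (192.168.0.1-192.168.0.254) is left out. Browsers supply the helper functions isPlainHostName, dnsDomainIs and isInNet; minimal stand-ins are included so the script can be run and checked outside a browser.

```javascript
'use strict';

// Added example (not NITO's generated script): a PAC file implementing the
// built-in script settings described above. Assumed values are marked.

// Stand-ins for the helpers a browser's PAC engine provides, kept minimal so
// FindProxyForURL can be exercised outside a browser. The real isInNet also
// resolves names; this one accepts literal IPv4 addresses only.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
function dnsDomainIs(host, domain) {
  const bare = domain.replace(/^\./, '');
  return host === bare || host.endsWith('.' + bare);
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) => ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Assumed configuration for the demonstration.
const PROXY = 'PROXY 192.0.2.10:800'; // NITO's address and default port 800
const DIRECT = 'DIRECT';
const BYPASS_LOCAL = true;            // "Bypass proxy server for local addresses"
const EXCEPTION_HOSTS = ['hostname.local'];                   // exception hostnames
const EXCEPTION_NETS = [['192.168.0.0', '255.255.255.0']];    // exception network 192.168.0.0/24
const EXCEPTION_REGEX = [                                     // the page's two expressions
  /^(.*\.)?youtube\.com$/,
  /^(.*\.)?ytimg\.com$/,
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Plain host names ("myhostname") go direct; FQDNs do not.
  if (BYPASS_LOCAL && isPlainHostName(host)) return DIRECT;

  // 2. Explicit exception host names and networks go direct.
  for (const h of EXCEPTION_HOSTS) {
    if (dnsDomainIs(host, h)) return DIRECT;
  }
  for (const [net, mask] of EXCEPTION_NETS) {
    if (isInNet(host, net, mask)) return DIRECT;
  }

  // 3. Regular-expression exceptions. Anchored and dot-escaped, so
  //    fakeyoutube.com does not match and stays behind the proxy.
  for (const re of EXCEPTION_REGEX) {
    if (re.test(host)) return DIRECT;
  }

  // 4. Everything else is sent through NITO and filtered.
  return PROXY;
}

// Stand-alone run: show the decision for a few constructed requests.
for (const h of ['myhostname', 'myhostname.example.local', '192.168.0.77', 'www.youtube.com', 'fakeyoutube.com']) {
  console.log(h.padEnd(26), FindProxyForURL('http://' + h + '/', h));
}
```

Only the return values of FindProxyForURL matter to the browser; the console output is for reading the decisions while testing a script before uploading it as a custom script template. Note that DIRECT entries bypass every NITO control, so the exception lists deserve the same review as an allow list.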
Limiting Overall Bandwidth
By default, NITO does not limit bandwidth. The following section explains how you can limit overall bandwidth.

To limit bandwidth:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.
2. In the Default options area, select the Restrict bandwidth to option and enter the overall bandwidth limit in kilobytes per second.
3. Click Save. NITO applies the limit.

Limiting Bandwidth Based on URL
You can create bandwidth limiting rules that apply when users request URLs, or parts of URLs, that you specify. These rules override the default bandwidth limit described in the section above.

To limit bandwidth based on a URL or part of a URL:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.
2. In the Add a new rule area, configure the following settings:
   URL or part of URL – Enter the full URL, or the part of it, to which the limit will be applied.
   Bandwidth limit – In kilobytes per second, enter the maximum amount of bandwidth allowed.
   Allocated to each proxy client – Select this option to give each client the full bandwidth limit.
   Shared between all proxy clients – Select this option to share the specified bandwidth between all clients on the network.
   Comment – Optionally, enter a comment describing the rule.
   Enabled – Select to enable the rule.
3. Click Save. NITO applies the limit.

Configuring WCCP
NITO can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, NITO announces its availability to a nominated WCCP-compatible router. The router can forward web traffic to, and perform load balancing across, all the WCCP-capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP.

Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information on transparent authentication policies, see Chapter 10, Creating Transparent Authentication Policies on page 110.

For more information on configuring WCCP on your router, see http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/wccp.html

To configure WCCP:
1. Browse to the Web proxy > Web proxy > WCCP page.
2. Select the option you require and configure its settings:
   No WCCP – Select to disable WCCP.
   WCCP version 1 – Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
      WCCP router IP – Enter the WCCP router's IP address.
   WCCP version 2 – Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
      Note: Currently, WCCP version 2 in NITO only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
      Password – Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters. The router must be configured with the same password; without one, any host on the LAN that can reach the router can register itself as a cache and receive redirected client traffic.
      Cache weight – Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
      Device IP addresses – Enter the IP addresses of one or more WCCP version 2 routers.
3. Click Save. NITO saves the settings.
4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Chapter 10, Creating Transparent Authentication Policies on page 110.
NITO completes the WCCP configuration.

Managing Upstream Proxies
NITO enables you to configure and deploy policies which manage access to upstream proxies. The policies can:
• Allow or deny access to upstream proxies based on network location
• Direct web requests to a specific upstream proxy depending on the type of request
• Provide load balancing and failover.
The following sections explain how to configure and deploy upstream proxy policies.

Overview
Managing upstream proxies entails:
• Configuring upstream proxy settings, see Configuring an Upstream Proxy on page 130
• Creating source and destination filters, see Configuring Source and Destination Filters on page 131
• Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 133, or deploying upstream proxy policies to combine multiple upstream proxies with load balancing and failover, see Working with Multiple Upstream Proxies on page 134.

Configuring an Upstream Proxy
The following section explains how to configure an upstream proxy.

To configure an upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Proxies page.
2. Configure the following settings:
   Name – Enter a name for the upstream proxy. Only the following characters are allowed in a proxy name: the period (.), the letters a to z and A to Z, and the digits 0 to 9. The name Default is invalid as it is reserved as the name of the default proxy.
   IP/Hostname – Enter the IP address or the hostname of the upstream proxy.
   Port – Enter the port number to use on the upstream proxy.
   Comment – Optionally, enter a comment or description.
3. Click Advanced to access the following optional settings:
   Credential forwarding – Select one of the following credential forwarding options:
      Disabled – Use the static username and password entered below when logging in to the upstream proxy.
      Username only – Forward the username of the client making the request, with the password entered below, when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
      Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by NITO.
      Username and password – Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both NITO and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials to the upstream proxy. Because the upstream login uses basic proxy authentication, the credentials are only Base64-encoded on the wire, so use this option only when the network path between NITO and the upstream proxy is trusted.
      Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by NITO.
      Note: NITO can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.
   Username – Enter a static username for use when credential forwarding is disabled.
   Password – Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.
   Load balance ratio – Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value 2 and another has the value 1, and both use the round robin load balancing method, the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page 134.
4. Click Save. NITO adds the upstream proxy to the list of current upstream proxies.
5. Repeat the steps above to add other upstream proxies.

Configuring Source and Destination Filters
NITO enables you to create source and destination filters which are used when applying upstream proxy policies.

Configuring a Destination Filter
NITO uses destination filters to determine which upstream proxy policy to apply, based on the destination domain(s), IP(s) or destination URL regular expressions.

To create a destination filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
   Type – Select Destination.
   Name – Enter a name for the destination filter.
   Comment – Optionally, enter a description or comment.
   IPs/Hostnames – Enter a destination IP address or hostname.
3. Optionally, click Advanced and configure the following setting:
   Destination regular expression URLs – Enter one regular expression URL, including the protocol, per line.
   Note: The full URL is not available for HTTPS requests. Without HTTPS inspection the proxy only sees the host and port of a CONNECT request, not the path, so a pattern that depends on the path will not match HTTPS traffic.
4. Click Save. NITO adds the filter and lists it in the Upstream proxy filters area.
5. Repeat the steps above to add more destination filters.

Configuring a Source Filter
NITO uses source filters to determine which upstream proxy policy to apply, based on the source IP(s), subnet(s) or IP range(s) of the client machine(s).

To create a source filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
   Type – Select Source.
   Name – Enter a name for the filter.
   Comment – Optionally, enter a description or comment.
   IPs/Hostnames – Enter a source IP address, IP address range, network address or hostname. For example:
      192.168.0.1
      192.168.0.1-192.168.0.254
      192.168.0.0/24
      hostname.local
   Note: Hostnames require reverse DNS look-ups to be performed. A reverse look-up is only as trustworthy as the DNS server that answers it, so prefer IP addresses or ranges where the filter matters for security.
3. Click Save. NITO adds the filter and lists it in the Upstream proxy filters area.
4. Repeat the steps above to add more source filters.

Using a Single Upstream Proxy
After configuring upstream proxy settings (see Configuring an Upstream Proxy on page 130), you can use a single upstream proxy for all web requests.

To use a single upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Manage policies page.
2. In the Global options area, configure the following settings:
   Default upstream proxy – This setting determines the default proxy, which is used when the upstream proxies allowed by policy are not available, when no upstream proxies are configured, or when no policy allows a proxy for the request. From the drop-down list, select an upstream proxy.
   Allow direct connections – Select this option to allow direct connections to origin servers. If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 135.
   Leak client IP with X-Forwarded-For header – Select this option to send the originating IP address of each client request upstream in an X-Forwarded-For header. Leave it clear unless the upstream proxy needs it, as it discloses your internal addressing to the upstream proxy and to any server the upstream proxy passes the header on to.
3. Click Save. NITO starts using the single upstream proxy.

Working with Multiple Upstream Proxies
The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage.

About Upstream Proxy Behavior
There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:
1. A pool of one or more proxies which are allowed by the upstream proxy policies to service the request.
2. The default proxy, if configured.
3. Direct forwarding of requests to their origin servers, if allowed.
An origin server is defined as the target destination of a web request, i.e. the server from which a requested resource originates.

Upstream proxy policies are additive.
NITO checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.

Note: The rules above only apply to requests serviced by NITO. If a client behind NITO is able to obtain direct, unfiltered web access, the client's requests will be treated no differently from other Internet traffic.

Configuring Multiple Upstream Proxy Policies
By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

To load balance using upstream proxy policies:
1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 130 and Configuring Source and Destination Filters on page 131 for more information.
2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.
3. Configure the following settings:
   Load balancing method – From the drop-down list, select the load balancing method you require. The following methods are available:
      Source IP – Based on the client's IP address, NITO selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
      Username – Based on the client's username, NITO selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP address as Alice.
      Note: The Username method requires NITO to be configured for username and password based authentication. See Chapter 10, About Authentication Policies on page 105 for more information.
      Round-robin – NITO cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
   Upstream proxy – From the drop-down list, select the proxy for which you are configuring the policy.
   Source filter – From the drop-down list, select Everything.
   Destination filter – From the drop-down list, select Everything.
   Action – Select Allow.
   Comment – Optionally, enter a comment describing the policy.
   Enabled – Select to enable the policy.
4. Click Save. NITO creates the policy and lists it in the Upstream proxy policies table.
5. Configure policies for other upstream proxies by repeating steps 2 to 4 above.

Once you have configured policies for the upstream proxies you require, NITO checks each web request against the policy table. Each of the proxies is allowed to service the request, so the load balancing and failover rules pick the most suitable proxy. NITO monitors the availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies. If none of the proxies permitted to service a request are available, NITO uses the default proxy. If the default proxy is not available, or if no default proxy is configured, the request is forwarded directly to its origin server, provided direct connections are allowed.

Enforcing Upstream Proxy Usage
If you want to prevent web requests from being forwarded directly to their origin servers when the permitted upstream proxies are unavailable, disable the Allow direct connections option.

Note: Disabling Allow direct connections eliminates the last option for forwarding requests in failure scenarios, so when every upstream proxy is down requests fail rather than bypass the proxies. Only disable it to implement a strict requirement that all traffic go through an upstream proxy.

For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None.
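The precedence and load balancing rules described in this section, as an added example in JavaScript that is not NITO code: it models the additive policy pool, the default proxy, the Allow direct connections setting and its override by None policies, the three load balancing methods and the load balance ratio. The filter predicates, proxy names A and B, the FNV-1a hash used to pin a client or user to one pool member, the treatment of a Block action on a named proxy as removal from the pool, and "the last matching None policy wins" are assumptions made for the example; the guide does not specify those internals.

```javascript
// Added example, not NITO code: a model of the upstream proxy selection order
// described in this section. Filters are plain predicates over a request.
// The hash, the Block-on-named-proxy handling and "last None policy wins"
// are assumptions.

const DIRECT = "DIRECT";   // what the dummy upstream proxy "None" stands for

// 32-bit FNV-1a over a string: a stable, cheap way to map one client or one
// user to the same pool member on every request (assumed mechanism).
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash;
}

class UpstreamSelector {
  // proxies:  { name: { ratio } }
  // policies: [{ proxy, source, destination, action: "Allow"|"Block", enabled }]
  //           where proxy is a name from proxies or "None", and source and
  //           destination are predicates over the request.
  constructor({ proxies, policies, defaultProxy = null, allowDirect = false, method = "round-robin" }) {
    this.proxies = proxies;
    this.policies = policies;
    this.defaultProxy = defaultProxy;
    this.allowDirect = allowDirect;
    this.method = method;
    this.available = new Set(Object.keys(proxies));   // stands in for NITO's availability monitoring
    this.rrPosition = 0;
  }

  markDown(name) { this.available.delete(name); }
  markUp(name) { this.available.add(name); }

  // Destination 1: policies are additive and checked in order. Every matching
  // Allow policy adds its proxy to the pool; matching None policies switch
  // direct access on or off for this request, overriding the global setting.
  buildPool(req) {
    const pool = new Set();
    let direct = this.allowDirect;
    for (const p of this.policies) {
      if (p.enabled === false || !p.source(req) || !p.destination(req)) continue;
      if (p.proxy === "None") { direct = p.action === "Allow"; continue; }
      if (p.action === "Allow") pool.add(p.proxy); else pool.delete(p.proxy);
    }
    const live = [...pool].filter(n => this.available.has(n)).sort();
    return { pool: live, direct };
  }

  // Load balancing among the live pool members.
  pick(pool, req) {
    if (pool.length === 1) return pool[0];
    switch (this.method) {
      case "source-ip":
        return pool[fnv1a(req.clientIp) % pool.length];
      case "username":
        // Only works when the authentication method supplies a username.
        if (!req.username) throw new Error("Username load balancing needs an authenticated user");
        return pool[fnv1a(req.username) % pool.length];
      case "round-robin": {
        // Weighted: a proxy with ratio 2 occupies two slots in the ring.
        const ring = [];
        for (const name of pool) {
          for (let i = 0; i < (this.proxies[name].ratio || 1); i++) ring.push(name);
        }
        return ring[this.rrPosition++ % ring.length];
      }
      default:
        throw new Error("Unknown load balancing method: " + this.method);
    }
  }

  // Returns a proxy name, DIRECT, or null when no permitted path exists
  // (the request fails closed rather than bypassing the upstream proxies).
  select(req) {
    const { pool, direct } = this.buildPool(req);
    if (pool.length > 0) return this.pick(pool, req);
    if (this.defaultProxy && this.available.has(this.defaultProxy)) return this.defaultProxy;
    return direct ? DIRECT : null;
  }
}

// Scenario built from this section: proxies A (ratio 2) and B (ratio 1),
// a policy allowing each for everything, direct connections allowed globally
// but switched off for youtube.com by a None/Block policy.
function buildExample(method = "round-robin") {
  const everything = () => true;
  const youtube = req => /^(.*\.)?youtube\.com$/i.test(req.host);
  return new UpstreamSelector({
    proxies: { A: { ratio: 2 }, B: { ratio: 1 } },
    policies: [
      { proxy: "A", source: everything, destination: everything, action: "Allow" },
      { proxy: "B", source: everything, destination: everything, action: "Allow" },
      { proxy: "None", source: everything, destination: youtube, action: "Block" },
    ],
    allowDirect: true,
    method,
  });
}
```

With both proxies up, three requests through buildExample() go A, A, B. Mark both down and a request for example.com returns DIRECT, while one for www.youtube.com returns null: that is the fail-closed outcome of a None/Block policy, and the behaviour to expect from the strict configuration described under Enforcing Upstream Proxy Usage.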
For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain.

Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.

Managing Blocklists
A blocklist is a group of pre-configured settings which is updated on a regular basis by NITO. A blocklist maintains NITO's list of undesirable, inappropriate or objectionable content. NITO automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually.

Viewing Blocklist Information
To view blocklist information:
1. Navigate to the System > Maintenance > Licenses page. Blocklist subscription status is displayed.
Note: The information displayed depends on the product you are using.

By default, NITO checks for updated blocklists hourly. When a new blocklist becomes available, NITO automatically downloads and installs it.

Note: As NITO complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit http://www.iwf.org.uk/ for more information.

Manually Updating Blocklists
To manually update blocklists:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.

Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your NITO reseller or NITO directly.
Managing Block Pages
When an end-user's web request is blocked, NITO displays its default block page, which tells the user that they have been blocked from accessing the web content they requested. It also shows other information, such as which group the user is in, what the blocked content is categorized as and the computer's IP address. Which block page NITO displays is determined by the block page policies in use.

The following sections explain the different block pages you can use, how to create a block page policy and how to manage block page policies. You can configure NITO to display the following types of block page:
• A block page which you have customized, see Customizing a Block Page on page 137
• A block page located at a specified URL, see Using an External Block Page on page 139.

Customizing a Block Page
You can customize the default block page in many ways, including supplying a new message about why a block occurred and using different graphics.

To customize a block page:
1. Navigate to the Guardian > Block page > Block pages page.
2. Configure the following settings:
   Name – Enter a name for the block page.
   Comment – Enter a comment describing the block page.
3. Select the Manually create contents for block page option and configure the following settings:
   Block message – This is the default message shown when a user is blocked from accessing content because of the web filter policy that applies to them. You can use this text or enter a custom message explaining to the user what has happened.
   Quota message – This is the default message shown when a user tries to access content which is time limited because of the web filter policy that applies to them. You can use this text or enter a custom message. For more information on quotas, see Chapter 9, Working with Quota Objects on page 86.
   Quota button label – This is the text used on the quota button which users must click to start using their quota of time to access the content. You can use this text or enter custom text.
   Sub message – Accept the default message, or enter a custom secondary message.
   Administrator's email address – Optionally, enter an administrator's email address, for contact purposes.
4. Optionally, click Advanced and configure the following settings:
   Custom title image – This option determines the image displayed at the top of the block page. Note: To use a custom title image, the image must be 551 x 79 pixels. To specify a custom title image:
      1. Click Browse.
      2. In the dialog box that opens, browse to and select the image. Click OK.
      3. Click Upload.
   Custom background image – This option determines the image displayed as a background on the block page. Note: To use a custom background image, the image must be 551 x 552 pixels. To specify a custom background image:
      1. Click Browse.
      2. In the dialog box that opens, browse to and select the image. Click OK.
      3. Click Upload.
   Show client username – Optionally, select to display the user's username, if applicable.
   Show email address – Optionally, select to display the administrator's email address.
   Show client IP – Optionally, select to display the IP address of the user's workstation.
   Show client hostname – Optionally, select to display the workstation's hostname on the block page.
   Show user group – Optionally, select to display the user's group membership, if applicable.
   Show unblock controls – Optionally, select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working on Block Pages on page 141.
   Show reason for block – Optionally, select to display the reason why the web request was blocked.
   Show bypass controls – Optionally, select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass the NITO filter. For more information, see Working on Block Pages on page 141.
   Note: When an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 75) and a user visits a site with an invalid certificate, NITO's temporary bypass will not work. This is because NITO must check the certificate before the authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.
   Show URL of blocked page – Optionally, select to display the URL of the blocked web request.
   Use custom title image – Select if you have specified a custom title image, see above for more information.
   Show categories matched – Optionally, select to display the filter category that caused the page to be blocked, if applicable.
   Use custom background image – Select if you have specified a custom background image, see above for more information.
5. Click Save to save the block page and make it available for use in a block page policy.

Using an External Block Page
NITO enables you to specify an external page as a block page.

To use an external page as a block page:
1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:
   Name – Enter a name for the block page.
   Comment – Enter a comment describing the block page.
   Redirect to block page – Select to enable NITO to use an external block page.
   Block page URL – Enter the block page's URL. The external page itself must be allowed by the web filter policy that applies to the user, otherwise the redirect will be blocked in turn.
2. Click Save to make it available for use in a block page policy.

Configuring a Block Page Policy
By default, NITO displays a standard block page whenever it blocks a user's web request. You can configure NITO to display a specific block page when a web request is blocked, based on unsuitable or objectionable content, location or time.

To configure a block page policy:
1. Browse to the Guardian > Block page > Policy wizard page.
2. Complete the following steps:
   Step 1: Who – From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.
   Step 2: What – From the Available categories or category groups list, select which categories or category groups will trigger the content being blocked. Click Next to continue. For information on categories, see Chapter 9, Working with Category Group Objects on page 80.
   Step 3: Where – From the Available locations list, select where the policy applies. Click Next to continue. For information on locations, see Chapter 9, Working with Location Objects on page 85.
   Step 4: When – From the Available time slots list, select when the policy applies. Click Next to continue. For information on time slots, see Chapter 9, Working with Time Slot Objects on page 84.
   Step 5: Action – Select which block page to use. For information on the types of block page you can use, see Chapter 11, Managing Block Pages on page 137.
3. Select Enable policy to enable the policy and click Confirm.
4. NITO displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the Manage policies page.

Managing Block Page Policies
Block page policies are managed on the Manage policies page. NITO processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping them on the page.

To manage block page policies:
1. Browse to the Guardian > Block page > Manage policies page.
2. To change the order of the policies displayed, select a policy and drag it to the position you require.
3. Click Save to save the change(s). NITO re-orders the policies.

Working on Block Pages
Depending on how a block page is configured, there may be controls to add URLs and domains to user-defined blocked or allowed categories, as well as temporary bypass features to allow users with the correct privileges to access the blocked content.

Adding to User-defined Categories
Note: The availability of these options depends on how the block page is configured. For more information, see Customizing a Block Page on page 137.

To add to user-defined categories:
1. Configure the following settings on the block page:
   Control – From the User-defined categories drop-down list, select one of the following options:
      Custom blocked content – Add the blocked URL or domain to the custom blocked category.
      Custom allowed content – Add the blocked URL or domain to the custom allowed category.
   Temporary Bypass – Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:
      30 seconds – Temporarily bypass the block page for 30 seconds.
      5 minutes – Temporarily bypass the block page for 5 minutes.
      30 minutes – Temporarily bypass the block page for 30 minutes.
   When prompted, enter the bypass password.

Note: The temporary bypass and control options use the non-standard port 442 on NITO. This is so that access controls applied to the administration interface can be used without affecting these features. Make sure clients can reach NITO on this port, and treat the bypass password as an administrative credential: anyone who learns it can bypass filtering from any block page on which bypass controls are shown.

Chapter 12: NITO Alerts, Logs and Reports
In this chapter:
• Configuring alerts
• Reviewing realtime and logged information
• Generating reports
• Backing up and restoring data.

About Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.
   Guardian Violations – Constantly monitors NITO activity and generates warnings about suspicious or blocked web access.
   Guardian upstream proxy status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.
   Guardian URL violations – Monitors URL activity once every five minutes.
   Guardian Web Proxy Failover Status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.

Configuring the Guardian Violations Alert
When configured and enabled, NITO generates warnings about suspicious or blocked web accesses.

To set the alert:
1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:
   Forbidden user accesses:
      Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.
      Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.
      Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.
      Exclude adverts – Select to exclude adverts when monitoring the number of accesses.
      Note: The alert will be triggered only if the method used to authenticate users supplies a username. For more information on authentication methods, see Chapter 10, Managing Authentication Policies on page 105.
   Forbidden IP address accesses:
      Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.
      Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.
      Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.
      Exclude adverts – Select to exclude adverts when monitoring the number of accesses.
2. Click Save to save and apply the settings.

Configuring the Guardian URL Violations Alert
When configured and enabled, NITO generates warnings about suspicious URL activity.
To set the alert:
1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:
   URLs to monitor – Enter the URLs, or parts of URLs, to monitor. NITO searches for each entry exactly as entered, as a substring of the requested URL. For example, any of the following entries:
      http://www.example.com
      example.com
      real
   would match:
      http://www.example.com/we%20are%20not%20real
   Because matching is on the literal URL text, choose entries carefully: a short fragment such as real also matches any unrelated URL containing that string, and an entry typed with spaces will not match a URL in which they are encoded as %20.
   Warning threshold – Enter the number of URL matches above which a warning alert is generated.
   Caution threshold – Enter the number of URL matches above which a caution alert is generated.
2. Click Save to save and apply the settings.

Realtime Web Filter Information
NITO enables you to view realtime information on web filtering.

To display realtime information:
1. Navigate to the Logs and reports > Realtime > Web filter page.
2. Configure the display options you require.
3. Click Update to refresh the information displayed.
NITO displays the following details about the content being filtered:
   URL – The URL of the content requested.
   Code – The HTTP return code of the content request.

Web Filter Logs
Web filter logs provide detailed analysis of NITO web proxy and filtering activity. Information can be viewed, with customized content, by IP address, request type, authenticated username and domain. You select what you want to view with the options at the top of the page: the day, month and year, and the source IP to view the logs for. You can use regular expressions to exclude certain lines from the log, and also filter to show only a single user, domain or category. By default, entries for images and similar resources are stripped from the view.

Viewing Log Entries
To view web filter log entries:
1. Navigate to the Logs and reports > Logs > Web filter page.
2. Configure the following options to view NITO log information:
   View mode – Allows a particular subset of web or filter logs to be displayed:
      Web Filter Logs – Displays all web filter log entries, including blocked and exception log entries.
      Web Filter Logs (only denied pages) – Displays only log entries where the request was blocked by the filter.
      Web Filter Logs (only denied and exception) – Displays only log entries where the request was blocked, or let through due to an exception rule.
   Max results to display – By default, NITO displays 1 000 log entries. To change this, select a new number from the drop-down list.
   Date – By default, NITO uses the current date. To change this, from the drop-down lists, select the date you want to show entries for.
   Start time – By default, NITO uses 00:00 as the start time. To change this, from the drop-down lists, set the time you want to start showing entries from.
   Source IP – Displays web filter logs originating from a particular source IP address.
   Ignore filter – Enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
   Enable ignore filter – Activates the ignore filter.
   User filter – Displays log entries recorded against a particular username. For example, john will display log entries for the user john; it will not match johnathan, because the filter must match the whole username. It is possible to include regular expressions within the filter: for example, john.* will match john, johnny, johnathan etc. To activate the user filter, the Enable user filter option must be selected.
   Enable user filter – Activates the user filter.
   Domain filter – Displays log entries recorded against a particular domain. Matching occurs on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not abc.net. It is possible to include regular expressions within the filter: for example, (www.)?abc.com will match both abc.com and www.abc.com. Note that an unescaped dot in a regular expression matches any character, so (www.)?abc.com also matches, for example, wwwxabc.com and abc-com.example; write (www\.)?abc\.com when you need an exact match.
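The matching rules of the view mode, source IP, ignore, user and domain filters described above, as an added example in JavaScript that is not NITO code. The tab-separated log lines, the action column used for the denied and exception view modes, and the DEFAULT_IGNORE pattern are constructed for the example; NITO's own log format is not described in this guide. The example also shows the unescaped-dot effect noted for the domain filter: the guide's (www.)?abc.com pattern picks up wwwxabc.com, the escaped form does not.

```javascript
// Added example, not NITO code: the user, domain, ignore and view mode
// filters of the web filter log view, applied to constructed log lines.
// The field layout, the "action" column and DEFAULT_IGNORE are assumptions.

// Constructed sample: time, source IP, user, website, HTTP code, action.
const SAMPLE_LOG = [
  "2012-06-01 09:00:01\t192.168.0.10\tjohn\thttp://www.abc.com/index.html\t200\tallowed",
  "2012-06-01 09:00:02\t192.168.0.10\tjohn\thttp://www.abc.com/logo.png\t200\tallowed",
  "2012-06-01 09:00:03\t192.168.0.11\tjohnathan\thttp://abc.net/\t200\tallowed",
  "2012-06-01 09:00:04\t192.168.0.12\talice\thttp://www.youtube.com/watch?v=x\t403\tdenied",
  "2012-06-01 09:00:05\t192.168.0.12\talice\thttp://abc.com/report.pdf\t200\texception",
  "2012-06-01 09:00:06\t192.168.0.13\tjohnny\thttp://wwwxabc.com/\t200\tallowed",
].join("\n");

// Assumed stand-in for the default ignore filter: image, script and style requests.
const DEFAULT_IGNORE = /\.(gif|jpe?g|png|ico|js|css)(\?.*)?$/i;

function parseLog(text) {
  return text.split("\n").filter(Boolean).map(line => {
    const [time, sourceIp, user, website, code, action] = line.split("\t");
    return { time, sourceIp, user, website, code: Number(code), action,
             domain: new URL(website).hostname };
  });
}

// Builds a RegExp from the text typed into a filter box. A malformed pattern
// throws a SyntaxError; surfacing that beats silently matching nothing.
function compile(pattern, anchorEnd) {
  return new RegExp("^(?:" + pattern + ")" + (anchorEnd ? "$" : ""));
}

function filterLog(entries, options = {}) {
  const {
    viewMode = "all",          // "all" | "denied" | "denied-exception"
    maxResults = 1000,
    sourceIp = null,
    ignoreFilter = DEFAULT_IGNORE,
    enableIgnore = true,
    userFilter = null,         // must match the whole username: john, not johnathan
    domainFilter = null,       // matches at the start of the domain: www.abc
  } = options;
  const userRe = userFilter ? compile(userFilter, true) : null;
  const domainRe = domainFilter ? compile(domainFilter, false) : null;

  return entries.filter(e => {
    if (viewMode === "denied" && e.action !== "denied") return false;
    if (viewMode === "denied-exception" && e.action !== "denied" && e.action !== "exception") return false;
    if (sourceIp && e.sourceIp !== sourceIp) return false;
    if (enableIgnore && ignoreFilter.test(e.website)) return false;
    if (userRe && !userRe.test(e.user)) return false;
    if (domainRe && !domainRe.test(e.domain)) return false;
    return true;
  }).slice(0, maxResults);
}
```

Run filterLog(parseLog(SAMPLE_LOG), { userFilter: "john" }) and only the index.html request comes back: the logo.png line is removed by the ignore filter and johnathan does not match a whole-name filter. Switch to { domainFilter: "(www.)?abc.com" } and wwwxabc.com appears alongside abc.com and www.abc.com; { domainFilter: "(www\\.)?abc\\.com" } drops it again.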
To activate the domain filter, the Enable domain filter option must be selected. Enable domain filter Used to activate the domain filter. Export format When exporting log information you can select from the following export formats: Comma Separated Values – The information is exported in comma separated text format. Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. Raw Format – The information is exported without formatting. Tab Separated Value – The information is exported separated by tabs. Export all dates To export and download all log entries generated by the current settings, for all dates available, select this option. Choose or enter appropriate settings using the above controls and click Update. Log entries will be displayed in the Web log area. The following display columns are presented in the Web log area: Column Description Time The time the web request was made. Source IP The source IP address the web request originated from. User The username of the user the web request originated from. Website The URL of the requested web resources. Note: When content matches a web filter policy, NITO displays a link to the policy. Code The HTTP return code of the request. 147 NITO Alerts, Logs and Reports Guardian Reports Restoring the Default Settings To restore the default view settings, click Restore defaults in the Settings area. Guardian Reports NITO provides a number of Guardian reports which supply information on IP activity, sites visited and much more. Report types Description Blogs Contains reports on bloggers, blogs and WordPress activity. Category analysis Contains reports on categories by hits and bandwidth and categories and the users who viewed sites within them. Image and video sharing Contains reports on Dailymotion, Flickr, Fotolog, ImageShack, ImageVenue and YouTube. News Contains reports on BBC News, CNet, CNN, general news and Slashdot. Reference and educational Contains reports on IMDB and Wikipedia. 
Shopping and online auctions – Contains reports on Amazon, Craigslist, eBay and general shopping and online auctions.
Social bookmarking – Contains reports on Delicious, Digg, Reddit and StumbleUpon.
Social networking – Contains reports on Bebo, Facebook, Friendster, Hi5, LinkedIn, MySpace, Orkut, general social networking and Twitter.
Sport – Contains reports on BBC Sport, ESPN and general sport.
Web portals and search engines – Contains reports on AOL, Google, search engines, Windows Live and MSN, and Yahoo.
For information on working with reports, see Chapter 15, Reporting on page 201.
Chapter 13: NITO Services
In this chapter:
- User portals
- SNMP
- DNS
- Censoring instant message content
- Managing the intrusion system
- DHCP
For information on authentication services, see Chapter 14, Authentication and User Management on page 177.
Working with User Portals
NITO enables you to create user portals which can be configured to make reports and software downloads available, and to enable users with the correct privileges to ban other users or locations from web browsing.
Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific group.
To create a user portal and make it available to users:
1. Browse to the Services > User portal > Portals page.
2. In the Portals area, enter a name for the portal and click Save. NITO creates the portal and makes it accessible on your NITO system at, for example: http://192.168.72.141/portal/
3. Browse to the Services > User portal > Groups page.
4. Configure the following settings:
Group – From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 14, Managing Groups of Users on page 186.
Portal – From the drop-down menu, select the portal you want the group to access.
5. Click Add. NITO authorizes the group to use the portal.
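The user, domain and ignore filters on the web filter log page described earlier in this chapter each match differently: the user filter must match the whole username, the domain filter is anchored at the start of the domain part of the URL, and the ignore filter drops any entry its regular expression matches anywhere in the URL. The following Python script is an added illustration of those three behaviours; it is not code from NITO or Nomadix. The five-field log entries are constructed for the example, and the ignore pattern only approximates NITO's default.

```python
import re

# Constructed sample web filter log entries (time, source IP, user, URL, HTTP code).
# They are made up for this example and were not taken from any NITO system.
SAMPLE_LOG = [
    ("09:00:01", "192.168.72.10", "john",      "http://www.abc.com/index.html", 200),
    ("09:00:02", "192.168.72.10", "john",      "http://www.abc.com/logo.png",   200),
    ("09:00:05", "192.168.72.11", "johnathan", "http://abc.net/page",           403),
    ("09:00:07", "192.168.72.12", "johnny",    "http://www-abc.com/style.css",  200),
    ("09:00:09", "192.168.72.13", "mary",      "http://www.abc.net/report.pdf", 200),
]

# Approximation of the default ignore filter: drop image, script and style sheet requests.
DEFAULT_IGNORE = r"\.(gif|jpe?g|png|js|css)$"


def user_matches(user_filter, user):
    """User filter: the expression must match the whole username,
    so 'john' matches john but not johnathan; 'john.*' matches both."""
    return re.fullmatch(user_filter, user) is not None


def domain_of(url):
    """Return the domain part of a URL (no scheme, port or path)."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return host.split("/", 1)[0].split(":", 1)[0]


def domain_matches(domain_filter, url):
    """Domain filter: anchored at the start of the domain part only,
    so 'www.abc' matches www.abc.com and www.abc.net but not abc.net."""
    return re.match(domain_filter, domain_of(url)) is not None


def filter_log(entries, user_filter=None, domain_filter=None, ignore_filter=None):
    """Apply the filters the way the log page describes them:
    an entry is shown only if it passes every filter that is set."""
    shown = []
    for entry in entries:
        _time, _src, user, url, _code = entry
        if ignore_filter and re.search(ignore_filter, url):
            continue  # the ignore filter excludes entries it matches anywhere in the URL
        if user_filter and not user_matches(user_filter, user):
            continue
        if domain_filter and not domain_matches(domain_filter, url):
            continue
        shown.append(entry)
    return shown


if __name__ == "__main__":
    for label, kwargs in [
        ("user=john", {"user_filter": "john"}),
        ("user=john.*", {"user_filter": "john.*"}),
        ("domain=www.abc (dot unescaped)", {"domain_filter": "www.abc"}),
        ("domain=www\\.abc (dot escaped)", {"domain_filter": r"www\.abc"}),
        ("ignore filter on", {"ignore_filter": DEFAULT_IGNORE}),
    ]:
        print(label, [e[3] for e in filter_log(SAMPLE_LOG, **kwargs)])
```

The two domain runs show the practical point: with the dot unescaped, www.abc also selects www-abc.com, so a filter written to audit one domain can quietly include look-alike domains unless the dots are escaped.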
The next step is to configure the portal so that authorized users can use it to download files, manage web access and display reports.
Configuring a Portal
The following sections explain how to configure a NITO portal so that authorized users can view reports, block other users from accessing the web, download VPN client files and receive a welcome message.
Making Reports Available
When enabled, NITO makes the most often viewed reports available on the portal. For more information on working with reports, see Chapter 15, Reporting on page 201.
To make reports available on a portal:
1. Browse to the Logs and reports > Reports > Recent and saved page and locate the report you want to publish on a portal.
2. On the Permissions tab, click Portal Access. A dialog box containing the report details opens.
3. From the Add access drop-down list, select the portal where you want to publish the report and click Add.
4. Click Close to close the dialog box.
5. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:
Portals – From the drop-down list, select the portal on which you want to make reports available and click Select.
6. In the Portal published reports and templates area, configure the following settings:
Enabled – Select Enabled.
Top reports displayed on portal home page – From the drop-down list, select the number of reports you want to display on the portal's home page. NITO displays the most often viewed reports.
7. Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.
Enabling Groups to Block Users' Access
You can enable users in a specific group which can access the portal to block individual users' web access.
To authorize blocking:
1. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:
Portals –
From the drop-down list, select the portal on which you want to authorize groups to block users.
2. In the Portal permissions for web access blocking area, configure the following settings:
Enabled – Select Enabled.
Allow control of groups – Select this option and, in the list of groups displayed, select the group(s) whose members the portal's users are authorized to block from accessing the web. To select consecutively listed groups, hold down Shift while selecting; to select non-consecutively listed groups, hold down Ctrl while selecting.
3. Browse to the bottom of the page and click Save to save the settings.
Enabling Groups to Block Location-based Web Access
You can enable users in a specific group which can access a NITO portal to block specific locations from accessing other networks or external connections. For information on locations, see Chapter 9, Working with Location Objects on page 85.
To enable a group to block locations:
1. Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:
Portals – From the drop-down list, select the portal on which you want to enable groups to block locations.
2. In the Portal permissions for web access blocking area, configure the following settings:
Enabled – Select Enabled.
Allow control of locations – Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web. To select consecutively listed locations, hold down Shift while selecting; to select non-consecutively listed locations, hold down Ctrl while selecting.
3. Browse to the bottom of the page and click Save to save the settings.
Configuring a Welcome Message
NITO enables you to display a customized welcome message when a user visits a portal.
To display a welcome message on a portal:
1.
Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following setting:
Welcome message – Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.
2. Browse to the bottom of the page and click Save to save the settings.
Assigning Groups to Portals
The following section explains how to assign a group of users to a portal so that they can access it.
To assign a group to a portal:
1. Browse to the Services > User portal > Groups page.
2. Configure the following settings:
Group – From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 14, Managing Groups of Users on page 186.
Portal – From the drop-down menu, select the portal you want the group to access.
3. Click Add. NITO allows members of the group to access the specified portal.
Making User Exceptions
You can configure NITO so that a particular user uses a specific portal. This setting overrides the group settings.
To make a user exception on a portal:
1. Browse to the Services > User portal > User exceptions page.
2. Configure the following settings:
Username – Enter the username of the user you want to access the portal.
Portal – From the drop-down list, select the portal you want the user to access.
3. Click Add. NITO gives the user access to the portal.
Accessing Portals
The following section explains how to access a portal.
To access a portal:
1. In the browser of your choice, enter the URL of the portal on your NITO system, for example: http://192.168.72.141/portal/
2. Accept any certificate and other security information. NITO displays the login page for the portal. Before accepting a certificate warning, check that the certificate presented is the one installed on your NITO system: accepting an unknown certificate would let an attacker on the network path intercept the portal login credentials.
3. Enter a valid username and password and click Login. The portal is displayed.
Editing Portals
The following section explains how to edit a portal.
To edit a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to edit.
3. Make the changes you require; see Configuring a Portal on page 151 for information on the settings available.
4. Click Save to save the changes.
Deleting Portals
The following section explains how to delete a portal.
To delete a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to delete.
3. Click Delete. NITO deletes the portal.
SNMP
Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. NITO's SNMP service operates as an SNMP agent that gathers system status information, including the following:
- System name, description, location and contact information
- Live TCP and UDP connection tables
- Detailed network interface and usage statistics
- Network routing table
- Disk usage information
- Memory usage information.
In SNMP terminology, NITO can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible network management system (NMS) that is a member of the same SNMP community. The Community field is effectively a simple password: SNMP devices sharing the same community string can communicate with each other. Community-based SNMP (versions 1 and 2c) sends the community string in clear text with every request, and public is a well-known default, so choose a community string of your own and limit which hosts can reach the service; the connection tables, routing table and interface statistics listed above are useful reconnaissance for an attacker.
To enable and configure the SNMP service:
1. Navigate to the Services > SNMP > SNMP page.
2. Select Enabled and enter the SNMP community string in the Community text field. The default value public is the standard SNMP community and should be replaced.
3. Click Save.
Note: To view the information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For details of how to view all the information made accessible by NITO's SNMP service, refer to the product documentation that accompanies your preferred SNMP management tool.
Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 16, Configuring Administration and Access Settings on page 224.
DNS
The following sections discuss domain name system (DNS) services in NITO.
Adding Static DNS Hosts
NITO can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved from its hostname.
Note: NITO itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.
To add a static DNS host:
1. Navigate to the Services > DNS > Static DNS page.
2. Configure the following settings:
IP address – Enter the IP address of the host you want to be resolved.
Hostname – Enter the hostname that you would like to resolve to the IP address.
Comment – Enter a description of the host.
Enabled – Select to enable resolution of the new host.
3. Click Add. The static host is added to the Current hosts table.
Editing and Removing Static Hosts
To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.
Enabling the DNS Proxy Service
The DNS proxy service provides internal and external name resolution for local network hosts. In this mode, local network hosts use NITO as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names defined in NITO's static DNS hosts table.
To enable the DNS proxy service on a per-interface basis:
1. Navigate to the Services > DNS > DNS Proxy page.
2.
Select each interface that should be able to use the DNS proxy and click Save.
Note: If the DNS settings were configured as 127.0.0.1 during the initial installation and setup of NITO, the system itself uses the DNS proxy for name resolution.
Censoring Instant Message Content
NITO enables you to create and deploy policies which accept, modify, block and/or log content in instant messages.
Configuration Overview
Configuring an instant message censor policy entails:
- Defining custom categories for situations not covered by the default NITO phrase lists; see Managing Custom Categories on page 157
- Configuring time periods during which policies are applied; see Setting Time Periods on page 159
- Configuring filters which classify messages by their textual content; see Creating Filters on page 160
- Configuring and deploying a policy consisting of a filter, an action, a time period and a level of severity; see Creating and Applying Message Censoring Policies on page 161.
Managing Custom Categories
Custom categories enable you to add phrases which are not covered by the default NITO phrase lists. The following sections explain how to create, edit and delete custom categories.
Creating Custom Categories
The following section explains how to create a custom category.
To create a custom category:
1. Browse to the Services > Message censor > Custom categories page.
2. Configure the following settings:
Name – Enter a name for the custom category.
Comment – Optionally, enter a description of the category.
Phrases – Enter the phrases you want to add to the category, one phrase per line, in brackets, using the following format:
(example-exact-phrase) – NITO matches the phrase exactly, without allowing for spelling errors.
(example-approximate-phrase)(2) – NITO uses fuzzy matching that allows the stated number of spelling mistakes or typographical errors (here, two) when searching for a match.
3. Click Add. NITO adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.
Editing Custom Categories
The following section explains how to edit a custom category.
To edit a custom category:
1. Browse to the Services > Message censor > Custom categories page.
2. In the Current categories area, select the category and click Edit.
3. In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.
Deleting Custom Categories
The following section explains how to delete custom categories.
To delete custom categories:
1. Browse to the Services > Message censor > Custom categories page.
2. In the Current categories area, select the category or categories and click Remove.
3. At the top of the page, click Restart to apply the changes.
Setting Time Periods
You can configure NITO to apply policies at certain times of the day and/or on certain days of the week.
To set a time period:
1. Browse to the Services > Message censor > Time page.
2. Configure the following settings:
Active from – to – From the drop-down lists, set the time period, then select the weekdays on which the time period applies.
Name – Enter a name for the time period.
Comment – Optionally, enter a description of the time period.
3. Click Add. NITO creates the time period and makes it available for selection on the Services > Message censor > Policies page.
Editing Time Periods
The following section explains how to edit a time period.
To edit a time period:
1. Browse to the Services > Message censor > Time page.
2. In the Current time periods area, select the time period and click Edit.
3.
In the Time period settings area, edit the settings. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.
Deleting Time Periods
The following section explains how to delete time periods.
To delete time periods:
1. Browse to the Services > Message censor > Time page.
2. In the Current time periods area, select the period(s) and click Remove.
3. At the top of the page, click Restart to apply the changes.
Creating Filters
NITO uses filters to classify messages according to their textual content. NITO supplies a default filter; you can create, edit and delete filters. You can also create custom categories of phrases for use in filters; for more information, see Creating Custom Categories on page 157.
To create a filter:
1. Browse to the Services > Message censor > Filters page.
2. Configure the following settings:
Name – Enter a name for the filter.
Comment – Optionally, enter a description of the filter.
Custom phrase list – Select the categories you want to include in the filter.
3. Click Add. NITO creates the filter and makes it available for selection on the Services > Message censor > Policies page.
Editing Filters
You can add, change or delete categories in a filter.
To edit a filter:
1. Browse to the Services > Message censor > Filters page.
2. In the Current filters area, select the filter and click Edit.
3. In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.
Deleting Filters
You can delete filters which are no longer required.
To delete filters:
1. Browse to the Services > Message censor > Filters page.
2. In the Current filters area, select the filter(s) and click Remove.
3. At the top of the page, click Restart to apply the changes.
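The phrase list format used by custom categories, and therefore by the filters built from them, distinguishes exact phrases, written as (phrase), from approximate phrases, written as (phrase)(N), where N is the number of spelling errors allowed. The following Python script is an added illustration of that format and of the difference the two forms make on real messages; it is not code from NITO, and because the guide does not describe how NITO's fuzzy matching works, counting edits (insertions, deletions and substitutions) against any substring of the message is an assumption made here. The category and the messages are constructed for the example.

```python
import re

# Constructed custom category in the format the Custom categories page expects:
# one phrase per line in brackets, with an optional (N) allowing N spelling errors.
# The phrases are made up for this example.
CATEGORY_TEXT = """(project bluebird)
(launch date)(1)
(confidential)(2)
"""

PHRASE_LINE = re.compile(r"^\((.+?)\)(?:\((\d+)\))?$")


def parse_phrases(text):
    """Return [(phrase, allowed_errors)] from a phrase list; raises on a bad line."""
    phrases = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PHRASE_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: expected (phrase) or (phrase)(N), got {line!r}")
        phrases.append((m.group(1).lower(), int(m.group(2) or 0)))
    return phrases


def min_edit_distance_substring(phrase, text):
    """Smallest Levenshtein distance between the phrase and any substring of text
    (Sellers' algorithm: the usual edit-distance table with a free start in text)."""
    m = len(phrase)
    prev = list(range(m + 1))   # no text consumed yet: i edits to match phrase[:i]
    best = prev[m]
    for ch in text:
        cur = [0] * (m + 1)      # cur[0] = 0: a match may begin at any text position
        for i in range(1, m + 1):
            cost = 0 if phrase[i - 1] == ch else 1
            cur[i] = min(prev[i - 1] + cost,   # match or substitute
                         prev[i] + 1,          # extra character in the text
                         cur[i - 1] + 1)       # character missing from the text
        best = min(best, cur[m])
        prev = cur
    return best


def find_hits(phrases, message):
    """Return the phrases the message triggers. Exact phrases must occur verbatim
    (case-insensitive); approximate phrases may differ by up to N edits."""
    msg = message.lower()
    hits = []
    for phrase, allowed in phrases:
        if allowed == 0:
            matched = phrase in msg
        else:
            matched = min_edit_distance_substring(phrase, msg) <= allowed
        if matched:
            hits.append(phrase)
    return hits


if __name__ == "__main__":
    phrases = parse_phrases(CATEGORY_TEXT)
    for msg in ["The Project Bluebird launch is confidential",
                "Projct Bluebird is go",        # a typo defeats the exact phrase
                "see the confidental memo",     # one error, within the (2) allowance
                "lunch dates next week"]:       # one edit from 'launch date': a false positive
        print(f"{msg!r}: {find_hits(phrases, msg)}")
```

The last two messages show the trade-off a practitioner has to make when choosing N: an allowance of two catches the misspelt "confidental", but an allowance of one on "launch date" also fires on "lunch dates", so short phrases should be given little or no tolerance and checked against normal traffic before the policy action is set to Block.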
Creating and Applying Message Censoring Policies
The following section explains how to create and apply a censor policy for IM content. A policy consists of a filter, an action, a time period and a level of severity.
To create and apply a censor policy:
1. Browse to the Services > Proxies > Instant messenger page and, in the Instant Messaging proxy area, configure the following settings:
Enabled – Check that instant messaging proxying is enabled.
Enable Message Censor – Select this option to enable censoring of words usually considered unsuitable.
2. Browse to the Services > Message censor > Policies page.
3. Configure the following settings:
Service – From the drop-down menu, select one of the following options, then click Select to update the policy settings available:
IM proxy incoming – Apply the policy to incoming instant message content.
IM proxy outgoing – Apply the policy to outgoing instant message content.
Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 160.
Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 159.
Action – From the drop-down menu, select one of the following actions:
Block – Content which is matched by the filter is discarded.
Censor – Content which is matched by the filter is masked, but the message is delivered to its destination.
Categorize – Content which is matched by the filter is allowed and logged.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level – Based on the log severity level, you can configure NITO to send an alert if the policy is violated. From the drop-down list, select a level to assign to the content if it violates the policy.
See Chapter 18, Configuring the Inappropriate Word in IM Monitor Alert on page 261 for more information.
Comment – Optionally, enter a description of the policy.
Enabled – Select to enable the policy.
4. Click Add and, at the top of the page, click Restart to apply the policy. NITO applies the policy and adds it to the list of current policies.
Editing Policies
You can change an existing policy.
To edit a policy:
1. Browse to the Services > Message censor > Policies page.
2. In the Current policies area, select the policy and click Edit.
3. Edit the settings as required; see Creating and Applying Message Censoring Policies on page 161 for information on the settings available. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.
Deleting Policies
You can delete policies which are no longer required.
To delete policies:
1. Browse to the Services > Message censor > Policies page.
2. In the Current policies area, select the policy or policies and click Remove.
3. At the top of the page, click Restart to apply the changes.
Managing the Intrusion System
NITO's intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. NITO can detect a wide range of well-known service exploits, including buffer overflow attempts, port scans and CGI attacks. All violations are logged, and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.
About the Default Policies
By default, NITO comes with a number of intrusion policies which you can deploy immediately. The default policies change as emerging threats change and are updated regularly.
Deploying Intrusion Detection Policies
NITO's default policies enable you to deploy intrusion detection immediately to identify threats on your network.
To deploy an intrusion detection policy:
1. Browse to the Services > Intrusion system > IDS page.
2. Configure the settings displayed on the page.
3. Click Add. NITO deploys the policy and lists it in the Current IDS policies area.
Removing Intrusion Detection Policies
To remove an intrusion detection policy from deployment:
1. Browse to the Services > Intrusion system > IDS page.
2. In the Current IDS policies area, select the policy you want to remove.
3. Click Remove. NITO removes the policy.
Deploying Intrusion Prevention Policies
NITO enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.
To deploy an intrusion prevention policy:
1. Browse to the Services > Intrusion system > IPS page.
2. Configure the settings displayed on the page.
3. Click Add. NITO lists the policy in the Current IPS policies area.
4. Browse to the Networking > Firewall > Port forwarding page and configure a port forwarding rule with IPS enabled to deploy the policy. Note that an IPS policy only inspects the traffic that passes through a port forwarding rule on which it is enabled. For more information on port forwarding, see Chapter 7, Creating Port Forward Rules on page 60.
Removing Intrusion Prevention Policies
To remove an intrusion prevention policy from deployment:
1. Browse to the Services > Intrusion system > IPS page.
2. In the Current IPS policies area, select the policy you want to remove.
3. Click Remove. NITO removes the policy.
Creating Custom Policies
By default, NITO contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.
To create a custom policy:
1. Browse to the Services > Intrusion system > Policies page.
Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.
2.
Configure the settings displayed on the page.
3. Click Add. NITO creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 163 and Deploying Intrusion Prevention Policies on page 164.
Uploading Custom Signatures
NITO enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.
To upload custom signatures:
1. Navigate to the Services > Intrusion system > Signatures page.
2. Configure the following settings:
Custom signatures – Click Browse to locate and select the signatures file you want to upload, then click Upload. NITO uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
Note: Use custom signatures with caution, as NITO cannot verify custom signature integrity. Obtain signature files over a trusted channel and check them against a digest published by their author before uploading them; a tampered rule file can silently disable detection or, in prevention mode, block legitimate traffic.
Use syslog for Intrusion logging – Select this option to log intrusion events to syslog.
Oink code – If you have signed up with Sourcefire to use their signatures, enter your Oink code here and click Update to download and apply the latest signature set. NITO downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. The Oink code is a credential tied to your Sourcefire account; treat it as you would a password.
Note: Updating the signatures can take several minutes.
3. Click Save.
Any custom signatures you have uploaded to NITO or Sourcefire VRT signatures you have downloaded are listed on the Services > Intrusion system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 163 and Deploying Intrusion Prevention Policies on page 164.
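Since NITO cannot verify custom signature integrity, it pays to check a rule file before uploading it. The following Python script is an added example and is not part of NITO or of Snort: it checks that each rule in a Snort-format file has a parsable header and options, a msg, a sid and a rev, that no sid is used twice, and that no sid falls below 1 000 000, the range Snort reserves by convention for locally written rules, so an uploaded rule cannot collide with a distributed VRT signature. It also compares the file's SHA-256 digest with one obtained from the rule author over a separate channel. The rule file is constructed for the example and detects nothing real.

```python
import hashlib
import hmac
import re

# Constructed rule file in Snort format. These rules are made up for this example
# and do not detect anything real; they exist only to exercise the checks below.
RULES = """# constructed example rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL admin path probe"; content:"GET /admin"; nocase; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL duplicate sid"; content:"|00 01|"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL missing sid"; content:"SSH-"; rev:1;)
alert tcp any any -> any 23 (msg:"LOCAL sid in reserved range"; sid:99; rev:1;)
drop tcp any any -> any 25 (msg:"LOCAL missing rev"; sid:1000003;)
alert tcp any any -> any 21 this is not a rule
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000  # Snort convention: sids below this belong to distributed rule sets

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# name:value; or name;  (simplified: does not handle ';' escaped inside quoted values)
OPTION_RE = re.compile(r"\s*([A-Za-z_]+)\s*(?::\s*(.*?))?\s*;")


def lint_rules(text):
    """Return [(line_number, problem)] for rules that should not be uploaded as-is."""
    problems = []
    seen_sids = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((n, "malformed rule header or options"))
            continue
        action, proto, _src, _sport, _direction, _dst, _dport, opts = m.groups()
        if action not in ACTIONS:
            problems.append((n, f"unknown action {action!r}"))
        if proto not in PROTOCOLS:
            problems.append((n, f"unknown protocol {proto!r}"))
        options = dict(OPTION_RE.findall(opts))   # last occurrence of a name wins
        if "msg" not in options:
            problems.append((n, "missing msg"))
        sid = options.get("sid")
        if sid is None or not sid.isdigit():
            problems.append((n, "missing or non-numeric sid"))
        else:
            sid = int(sid)
            if sid < LOCAL_SID_MIN:
                problems.append((n, f"sid {sid} is below the local rule range"))
            if sid in seen_sids:
                problems.append((n, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
            else:
                seen_sids[sid] = n
        if "rev" not in options:
            problems.append((n, "missing rev"))
    return problems


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_hex):
    """Compare the file digest with one obtained out of band (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


if __name__ == "__main__":
    for n, problem in lint_rules(RULES):
        print(f"line {n}: {problem}")
    print("sha256:", sha256_hex(RULES.encode()))
```

Run against a real file, the digest printed at the end is the value to compare with the one the rule author supplied; the lint output lists the lines to fix before the Upload button is used.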
Deleting Custom Signatures
It is possible to delete the custom signatures that have been made available on the Services > Intrusion system > Policies page.
Note: If you choose to delete custom signatures, NITO deletes all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures are removed from those policies.
To delete custom signatures:
1. On the Services > Intrusion system > Signatures page, click Delete.
2. NITO prompts you to confirm the deletion. Click Confirm; NITO deletes the signatures.
DHCP
NITO's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to obtain an IP address and other network settings automatically. NITO DHCP provides a fully featured DHCP server with the following capabilities:
- Support for 2 DHCP subnets
- Allocation of addresses from multiple dynamic ranges and static assignments per DHCP subnet
- Automated creation of static assignments from the ARP cache
Enabling DHCP
To enable DHCP:
1. Navigate to the Services > DHCP > Global page.
2. Configure the following settings:
Enabled – Select to enable the DHCP service.
Server – Select to set the DHCP service to operate as a standalone DHCP server for network hosts.
Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging – Select to enable logging.
3. Click Save to enable the service.
Creating a DHCP Subnet
The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.
To create a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Configure the following settings:
DHCP Subnet – From the drop-down menu, select Empty and click Select.
Subnet name – Enter a name for the subnet.
Network – Enter the IP address that identifies the subnet when combined with the network mask entered in the Netmask field, for example 192.168.10.0.
Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS – Enter the address of the primary DNS server that a requesting network host receives.
Secondary DNS – Optionally, enter the address of the secondary DNS server that a requesting network host receives.
Default gateway – Enter the default gateway address that a requesting network host receives.
Enabled – Determines whether the DHCP subnet is currently active.
Click Advanced to access the following settings:
Primary WINS – Optionally, enter the address of the primary WINS server that a requesting network host receives. This is often not required on very small Microsoft Windows networks.
Secondary WINS – Optionally, enter the address of the secondary WINS server that a requesting network host receives. This is often not required on very small Microsoft Windows networks.
Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that clients use if they support this feature. Tip: Enter NITO's IP address and clients can use its time services, if enabled. See Chapter 16, Setting Time on page 221 for more information.
Secondary NTP – Optionally, enter the IP address of a secondary NTP server that clients use if they support this feature. The same tip applies.
Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins) – Enter the lease time limit in minutes, to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server – Enter the Trivial File Transfer Protocol (TFTP) server that workstations use when booting from the network.
Network boot filename – Specify the file that a network-booting client downloads from the above TFTP server.
Domain name suffix – Enter the domain name suffix that is appended to the requesting host's hostname.
Automatic proxy config URL – Specify a URL which clients use to determine their proxy settings. It should reference a proxy auto-config (PAC) file; only some systems and web browsers support this feature.
Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 174.
3. Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.
Editing a DHCP Subnet
To edit a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Edit the settings displayed in the Settings area.
4. Click Save.
Deleting a DHCP Subnet
To delete a DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. From the DHCP Subnet drop-down list, select the subnet and click Select.
3. Click Delete.
Adding a Dynamic Range
Dynamic ranges provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can allocate dynamically to requesting hosts.
To add a dynamic range to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2.
Choose an existing DHCP subnet from the DHCP subnet drop-down list and click Select.
3. In the Add a new dynamic range area, configure the settings displayed.
4. Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.
Adding a Static Assignment
Static assignments allocate fixed IP addresses to nominated hosts by referencing the unique MAC address of the requesting host's network interface card. This ensures that certain hosts are always leased the same IP address, as if they were configured with a static IP address. Note that a MAC address is easily changed by the host, so a static assignment identifies a host for convenience, not for authentication.
To add a static assignment to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet from the DHCP subnet drop-down list and click Select.
3. Scroll to the Add a new static assignment area and configure the settings displayed.
4. Click Add static. The static assignment is added to the Current static assignments table.
Adding a Static Assignment from the ARP Table
In addition to the method described above, static assignments can be created automatically from the MAC addresses detected in the ARP table. The ARP table reflects the addresses hosts have claimed on the network, so check that each MAC address belongs to the host you expect before assigning it.
To add a static assignment from the ARP cache to an existing DHCP subnet:
1. Navigate to the Services > DHCP > DHCP server page.
2. Choose an existing DHCP subnet from the DHCP subnet drop-down list and click Select.
3. Scroll to the Add a new static assignment from ARP table area.
4. Select one or more MAC addresses from those listed and click Add static from ARP table.
5. Click Save.
Editing and Removing Assignments
To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.
Viewing DHCP Leases
To view leases:
1. Navigate to the Services > DHCP > DHCP leases page.
2. Optionally select Show free leases to include expired leases, then click Update.
The following information is displayed:

IP address
    The IP address assigned to the network host which submitted a DHCP request.
Start time
    The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time
    The end time of the DHCP lease granted to the network host that submitted a DHCP request.
MAC address
    The MAC address of the network host that submitted a DHCP request.
Hostname
    The hostname assigned to the network host that submitted a DHCP request.
State
    The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, meaning the IP address is reserved for the same MAC address or re-used if not enough slots are available.

DHCP Relaying

NITO DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.

To configure DHCP relaying:
1. Connect to NITO and navigate to the Services > DHCP > DHCP relay page.
2. Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields.
3. Click Save.

Note: DHCP relaying must be enabled on the Services > DHCP > Global page.

Creating Custom DHCP Options

NITO enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:
1. Browse to the Services > DHCP > Custom options page.
2. Configure the following settings:

Option code
    From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type
    From the drop-down list, select the option type.
    IP address – Select when creating an option which uses an IP address.
    Text – Select when creating an option which uses text.
Description
    Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment
    Optionally, enter any comments relevant to the option.
Enabled
    Select to enable the option.

3. Click Add. NITO creates the option and lists it in the Current custom options area.

For information on using custom options, see Creating a DHCP Subnet on page 169.

Chapter 14: Authentication and User Management

In this chapter:
• Managing local users
• Configuring login time-out
• Managing temporarily banned users
• Viewing user activity
• Authenticating users with SSL login
• Working with Kerberos keytabs
• Managing groups
• Working with directory servers
• Managing the authentication system and running diagnostics.

Managing Local Users

NITO stores user account information, comprising usernames, passwords and group membership, in its local user database, so as to provide a standalone authentication service for network users. Administrators can quickly add, view, edit, import, export and delete users to or from the local user database and map local users to a local authentication group.

Adding Users

To add a user to the local user database:
1. Navigate to the Services > Authentication > Local users page.
2. Configure the following settings:

Username
    Enter the user account name.
Password
    Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password
    Re-enter the password to confirm it.
Select group
    From the drop-down menu, select a group to assign the user account to.

3. Click Add. NITO saves the information and lists the user in the Current users area.

Viewing Local Users

To view existing users from the local user database:
1. Navigate to the Services > Authentication > Local users page.
2. Review the Current users area of the page.
Users are listed alphabetically by username.

Editing Local Users

To edit an existing user's details:
1. Navigate to the Services > Authentication > Local users page.
2. In the Current users area, locate and select the user you wish to edit.
3. Click Edit user. Once this button has been clicked, the user will be suspended and physically removed from the user list. The user's details are displayed in the Add a user area.
4. Edit the user's details as required. For more information, see Adding Users on page 178.
5. Click Add. NITO updates the information and re-lists the user in the Current users area.

Note: Once you click Edit, the user is effectively removed from the user list. If you do not re-add the user, his/her information is permanently lost.

Importing New Users

New users can be imported into the local user database using a comma-separated text file in the following format:

username1,password1
username2,password2
...

Note: The username and password must not contain special characters or spaces. You must include the comma to separate the columns. If the password is in clear text, i.e. not encrypted, it will automatically be encrypted when the user is added. We recommend that you test importing a few users to confirm that you are getting the results you expect.

To import users to the local user database:
1. Navigate to the Services > Authentication > Local users page.
2. In the Import users area, click Browse, navigate to and select the text file containing the user information and click Open.
3. Click Import users. NITO imports the user information into the local user database.

Exporting Local Users

Existing groups of users can be exported from the local user database to a comma-separated file in the following format:

Username1:ENCRYPTED_PASSWORD
Username2:ENCRYPTED_PASSWORD
...
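As an added example, not part of this guide or of NITO itself, the following Python script checks an import file against the rules in Importing New Users above and verifies a candidate password against an exported user line in the format just shown. The $apr1$ prefix that the export uses is the Apache APR1 MD5 password scheme, which the script implements; the sample import lines and the export salt are constructed, and the allowed character set and the six-character minimum are assumptions taken from the Adding Users section.

```python
import hashlib
import re
from typing import List, Tuple

# Assumed reading of "no special characters or spaces": letters, digits, '.', '_', '-'.
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")
MIN_PASSWORD_LEN = 6  # the six-character minimum stated under Adding Users
APR1_MAGIC = b"$apr1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def validate_import_lines(lines: List[str]) -> List[str]:
    """Check username,password import lines; return a list of problems found."""
    problems = []
    for num, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue  # blank lines are skipped, not reported
        parts = line.split(",")
        if len(parts) != 2:
            problems.append(f"line {num}: expected exactly one comma")
            continue
        user, pw = parts
        if not PLAIN_TOKEN.match(user):
            problems.append(f"line {num}: username has spaces or special characters")
        if not PLAIN_TOKEN.match(pw):
            problems.append(f"line {num}: password has spaces or special characters")
        elif len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"line {num}: password shorter than {MIN_PASSWORD_LEN}")
    return problems


def _to64(value: int, count: int) -> str:
    """APR1's base-64 variant: six bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Compute an Apache APR1 MD5-crypt string ($apr1$salt$hash)."""
    pw = password.encode()
    salt_b = salt[:8].encode()  # APR1 uses at most eight salt characters
    ctx = hashlib.md5(pw + APR1_MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # fold in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # walk the bits of len(pw): NUL for a 1 bit, first pw byte for a 0
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return APR1_MAGIC.decode() + salt_b.decode() + "$" + encoded


def parse_export_line(line: str) -> Tuple[str, str, str]:
    """Split an export line 'user:$apr1$salt$hash' into (user, salt, full hash)."""
    user, _, hashed = line.strip().partition(":")
    fields = hashed.split("$")  # ['', 'apr1', salt, hash]
    if not user or len(fields) != 4 or fields[1] != "apr1":
        raise ValueError(f"not a user:$apr1$ export line: {line!r}")
    return user, fields[2], hashed


def verify_export_line(line: str, candidate: str) -> bool:
    """True if candidate is the password behind an exported user's hash."""
    _, salt, hashed = parse_export_line(line)
    return apr1_hash(candidate, salt) == hashed


# Constructed sample files (not taken from the guide).
SAMPLE_IMPORT = ["alice,Winter2012", "bob,s3cret", "carol smith,pass word", "dave"]
SAMPLE_EXPORT = "alice:" + apr1_hash("Winter2012", "Zq8x1Lm0")

if __name__ == "__main__":
    for problem in validate_import_lines(SAMPLE_IMPORT):
        print("import:", problem)
    print("export line:", SAMPLE_EXPORT)
    print("alice/Winter2012 verifies:", verify_export_line(SAMPLE_EXPORT, "Winter2012"))
```

Because a users.txt export carries these hashes, it should be stored with the same care as the password database itself.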
An example line in the export file might resemble the following:

testuser:$apr1$Np4hD...$2eNu.nSQuj8b2apdZufcz0e

To export a group of users:
1. Navigate to the Services > Authentication > Local users page.
2. In the Export users area, from the Select group drop-down list select the group containing the users you want to export and click Export users.
3. Select the Save to disk or equivalent option from the dialog box displayed by your browser and click its OK, Save or equivalent button. The exported users will be saved to a text file called users.txt.

Files exported in this format can be imported back into the local user database using the import facility.

Deleting Users

To delete users:
1. Navigate to the Services > Authentication > Local users page.
2. In the Current users area, locate and select the user or users you want to delete.
3. Click Delete user(s). NITO deletes the user(s).

Moving Users between Groups

To change the group mapping:
1. Navigate to the Services > Authentication > Local users page.
2. In the Current users area, locate and select the user or users you want to move.
3. From the Group to move users to drop-down list, select the group to move the user or users to.
4. Click Move user(s). NITO moves the user(s).

Managing Temporarily Banned Users

NITO enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.

Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 16, Administrative User Settings on page 227.

To ban an account temporarily:
1. Navigate to the Services > Authentication > Temporary bans page.
2.
Configure the following settings:

Username
    Enter the user name of the account you want to ban.
Comment
    Optionally, enter a comment explaining why the account has been banned.
Ban expires
    From the drop-down lists, select when the ban expires.
Enabled
    Click to enable the ban.

3. Click Add. NITO lists the ban in the Current rules area and enforces the ban immediately.

Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 11, Managing Block Pages on page 137 for more information.

Tip: There is also a ban option on the Services > Authentication > User activity page. For more information, see Viewing User Activity on page 181.

Removing Temporary Bans

To remove a ban:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, select the ban and click Remove. NITO removes the ban.

Removing Expired Bans

To remove bans which have expired:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, click Remove all expired. NITO removes all bans which have expired.

Viewing User Activity

NITO enables you to see how many users are logged in, who is logged in and who has recently logged out.

To view activity:
1. Navigate to the Services > Authentication > User activity page. NITO displays the number of users currently logged in, who is logged in and which users have either recently logged themselves out or been logged out by NITO because of inactivity. Recently logged out users are listed for 1 hour. For more information, see Configuring Authentication Settings on page 188.
2. You can configure the following settings:

Most recent users to show
    From the drop-down list, select the number of users to display and click Show. NITO displays the specified number in the User activity area.
Ban
    Click to ban a user. NITO copies the user's information and displays it on the temporary ban page. For more information, see Creating a Temporary Ban on page 180.
Logout
    Click to log out a user immediately. NITO logs the user out and lists him/her in the Recently logged out users area.

Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they will be prompted to authenticate again.

Authenticating Users with SSL Login

NITO provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis. When SSL Login is enabled, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials.

The SSL Login page can also be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.

Enabling SSL Login

SSL Login authentication is enabled on a per-interface basis.

To enable SSL Login:
1. Navigate to the Services > Authentication > SSL login page.
2. In the SSL Login redirect interfaces area, select each interface that the SSL Login should be active on.
3.
Click Save. NITO enables SSL Login for the selected interfaces.

Creating SSL Login Exceptions

SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page. This is mostly useful to avoid the need for servers to authenticate.

To create an SSL login exception:
1. On the Services > Authentication > SSL login page, locate the SSL Login redirect interfaces area.
2. In the Exception local IP addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3. Repeat the step above on a new line for each further exception you want to make.
4. Click Save.

Customizing the SSL Login Page

You can customize the title graphic, background image and message displayed on an SSL login page.

Customizing the Title Graphic

It is possible to customize the title graphic displayed on the SSL login page.

Note: The title graphic must be in jpeg format and must be 500 x 69 pixels.

To upload a title graphic for the login page:
1. On the Services > Authentication > SSL login page, in the Upload SSL Login page images area, adjacent to Custom title image, use your browser's controls to locate and select the file.
2. Click Upload. NITO uploads the file.
3. In the Customize SSL Login page area, select Use custom title jpeg. NITO replaces the current file and uses it on the SSL login page.

Customizing the Background Image

It is possible to customize the background image used on an SSL login page.

Note: The background image must be in jpeg format and must be 500 x 471 pixels.

To upload a background image:
1. On the Services > Authentication > SSL login page, in the Upload SSL Login page images area, adjacent to Custom background image, use your browser's controls to locate and select the file.
2. Click Upload. NITO uploads the file.
3.
In the Customize SSL Login page area, select Use custom background jpeg. NITO replaces the current file and uses it on the SSL login page.

Removing Custom Files

To remove a custom file:
1. Browse to the Services > Authentication > SSL login page.
2. To remove the title image, adjacent to Custom title image, click Remove.
3. To remove the background image, adjacent to Custom background image, click Remove.

Customizing the Message

It is possible to provide users with a customized message containing instructions.

To customize the login message:
1. Navigate to the Services > Authentication > SSL login page.
2. In the Customize SSL Login page area, enter your custom message in the Message text box.
3. Click Save to apply the new message.

Reviewing SSL Login Pages

You can review SSL Login pages.

To review the SSL Login page:
1. In the web browser of your choice, enter your NITO system's IP address and /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. NITO displays the SSL login page.

Managing Kerberos Keytabs

Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.

A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, NITO services, such as authentication, can use the interoperability features provided by Kerberos. For information on using Kerberos as the authentication method in authentication policies, see Chapter 10, Creating Authentication Policies on page 105.

Importing Keytabs

The following section explains how to import Kerberos keytabs into NITO.
For information on generating keytabs, consult the documentation delivered with your directory server; also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to get a keytab from Active Directory.

To import a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Configure the following settings:

Name
    Enter a descriptive name for the keytab.
File
    Using your browser, locate and select the keytab.

3. Click Save. NITO imports and saves the keytab and lists it in the Installed Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.

Managing Keytabs

The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Enabling Keytabs

Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.

To disable a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, click on the Enabled button. Click Save to save the setting. NITO enables the keytab.

Viewing Keytab Content

It is possible to view the contents of a Kerberos keytab.

To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, click on the name of the Kerberos keytab you want to view. NITO displays the content in a new browser tab.

Editing Keytabs

It is possible to change the name of the Kerberos keytab file.

To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, locate the Kerberos keytab and click on Edit keytab. NITO makes the information available in the Import Kerberos keytab area.
3. Change the name as required and click Save to save the change.
NITO changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs

It is possible to delete Kerberos keytabs that are no longer required.

To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, locate the Kerberos keytab you want to delete and click on Delete keytab. NITO displays the content of the keytab and prompts you to confirm that you want to delete the keytab.
3. Click Delete. NITO deletes the keytab.

Managing Groups of Users

The following sections discuss groups of users and how to manage them.

About Groups

NITO uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis.

Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain. Currently, NITO supports up to 100 groups and by default contains the following groups:

Unauthenticated IPs
    The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated. Note: This group cannot be renamed.
Default Users
    Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to a NITO group, i.e. users that can be authenticated, but who are not mapped to a specific NITO authentication group. Note: This group cannot be renamed.
Banned Users
    The purpose of this group is to contain users who are banned from using an authentication-enabled service. The Banned Users group can be renamed.
Network Administrators
    This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Configuring the Number of Groups

NITO enables you to set the number of groups available.

To configure the number of groups available:
1. Navigate to the Services > Authentication > Groups page.
2. From the Number of groups drop-down list, select the number you require.
   Note: When you select the number of groups, NITO calculates the amount of memory available. If the number of groups you select requires more memory than is available to NITO, NITO will require you to select fewer groups.
3. Click Save and Restart to save the change.

Renaming a Group

All groups, except the Unauthenticated IPs and Default Users groups, can be renamed.

To rename a group:
1. Navigate to the Services > Authentication > Groups page and configure the following settings:

Existing name
    From the drop-down list, select the group you want to rename.
New name
    Enter the new group name.

2. Click Rename. NITO renames the group.

Configuring Authentication Settings

Configuring authentication settings entails setting the login timeout, the number of logins allowed, the type of authentication logging you require and configuring directory servers.

Configuring Login and Logging Settings

You can configure NITO to require users to log in again after a specific period of inactivity. For more information, see Appendix A, About the Login Time-out on page 282.
You can also allow unlimited logins or restrict the number of logins per user. Depending on your logging requirements, you can configure NITO to log a minimum of authentication information or more verbose information when troubleshooting.

To configure login and logging settings:
1. Navigate to the Services > Authentication > Settings page.
2. Configure the following settings:

Login timeout
    Accept the default or enter the time-out period.
    Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out. The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out.
Concurrent logins
    Concurrent login settings determine how many logins you want to allow per user. The following options are available:
    Allow unlimited logins – Select this option to allow an unlimited number of logins per user.
    Restrict each user to – Enter the number of logins you want to allow users.
Logging
    Logging settings determine the type of authentication logging you want. The following options are available:
    Normal logging – Select this option to log user login and LDAP server information.
    Verbose logging, for troubleshooting – Select this option to log user login and LDAP server information, request, response and result information. This option is useful when troubleshooting possible authentication issues.

3. Click Save, navigate to the Services > Authentication > Control page and click Restart.

Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur.
About NITO and Directory Servers

The NITO authentication service is designed to enable NITO to connect to multiple directory servers in order to:
• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.

If multiple directories exist, NITO tries them in the order they are listed. If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

Once the connection to a directory service has been configured, NITO retrieves a list of groups configured in the directory and maps them to the groups available in NITO. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.

For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 281.

The following sections explain how to configure NITO for use with directory servers.

Supported Directory Servers

Currently, NITO supports the following directory servers:

Microsoft Active Directory
    Microsoft's Active Directory; for more information, see Configuring a Microsoft Active Directory Connection on page 190. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 194.
Novell eDirectory, Apple Open Directory/Open LDAP, Sun Directory, Fedora Directory, Red Hat Directory, Netscape Directory
    Various directories which support the LDAP protocol; for more information, see Configuring an LDAP Connection on page 191.
RADIUS
    Remote Authentication Dial In User Service; for more information, see Configuring a RADIUS Connection on page 193.

Configuring a Microsoft Active Directory Connection

The following sections explain the prerequisites for Microsoft Active Directory and how to configure NITO to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by NITO for name lookups. For more information, see Appendix A, NITO and DNS on page 282.
• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Because NITO stores this account's credentials, for instance when backing up and replicating settings, we strongly recommend that you do not use an administrator account. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate, and for Computer objects grant the full control, create, and delete privileges.
• Ensure that the times set on NITO and your Active Directory server are synchronized using NTP. See Chapter 16, Setting Time on page 221 for more information.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying domain and account details and, optionally, comments and an advanced cache timeout.

To configure the connection:
1. Navigate to the Services > Authentication > Settings page.
2.
In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next.
3. Configure the following settings:

Domain
    Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.
Username
    Enter the user name of the user account.
Password
    Enter the password for the user account.
Comment
    Optionally, enter a comment describing the connection.
Enabled
    Select to enable the connection.

4. Optionally, click Advanced to access and configure the following setting:

Cache timeout
    Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.

Configuring an LDAP Connection

The following section explains what is required to configure a connection to an LDAP directory server.

To configure the connection:
1. Navigate to the Services > Authentication > Settings page.
2. In the Add directory server area, from the Directory server drop-down list, select the directory server you want to connect to and click Next.
3. Configure the following settings:

LDAP server
    Enter the directory's IP address or hostname.
    Note: If using Kerberos as the bind method, you must enter the hostname.
Bind method
    Accept the default bind method, or from the drop-down list, select one of the following options:
    TLS (with password) – Select to use Transport Layer Security (TLS).
    Kerberos – Select to use Kerberos authentication.
    Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.
Server username
    Enter the username of a valid account in LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this:
    cn=user,ou=container,o=organization
    This is what is referred to in Novell eDirectory as tree and context. A user that is part of the tree Organization and in the context Sales would have the LDAP notation:
    cn=user,ou=sales,o=organization
    For Apple Open Directory, when not using Kerberos, the LDAP username can be written as:
    uid=user,cn=users,dc=example,dc=org
    Consult your directory documentation for more information.
Server password
    Enter the password of a valid account.
    Note: A password is not required if using simple bind as the bind method.
Kerberos realm
    If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root
    Enter where in the directory NITO should start looking for user accounts. Usually, this is the top level of the directory. For example:
    ou=myusers,dc=mydomain,dc=local
    In LDAP form, this is seen in the directory as dc=mycompany,dc=local. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form:
    cn=users,dc=example,dc=org
    A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.
    Note: In larger directories, it may be a good idea to narrow down the user search root so NITO does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Group search roots
    Enter where in the directory NITO should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example:
    ou=mygroups,dc=mydomain,dc=local
    Apple Open Directory uses the form:
    cn=groups,dc=example,dc=org
    Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Comment
    Optionally, enter a comment about the connection.
Enabled
    Select to enable the connection.

4. Optionally, click Advanced to access and configure the following settings:

LDAP port
    Accept the default, or enter the LDAP port to use.
    Note: LDAPS will be automatically used if you enter port number 636.
Cache timeout
    Accept the default or specify the length of time NITO keeps a record of directory-authenticated users in its cache. NITO does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Discover Kerberos using DNS
    Only available if you have selected Kerberos as the authentication method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures NITO to try to find all the domains in the directory server by querying the DNS server that holds the directory information. For this to work, NITO needs to have a configured hostname in the directory domain.
For example:
Directory domain: domain.local
NITO hostname: system.domain.local
The hostname is needed so that NITO knows which domain to query for subdomains.

Extra user search roots: Enables you to enter additional user search paths when working with a large directory structure that contains multiple OUs and many users. Enter search roots one per line.

Extra group search roots: Optionally, enter further locations in the directory where NITO should look for user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 283.

Extra realms: Enables you to configure subdomains manually, as opposed to automatically using DNS.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.

Configuring a RADIUS Connection

You can configure NITO to use a Remote Authentication Dial In User Service (RADIUS) server as an authentication service.

Prerequisites

Before you configure any settings:
• Configure the RADIUS server to accept queries from NITO, that is, register NITO as a RADIUS client with a shared secret. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:
1. Navigate to the services > authentication > settings page.
2. In the Add directory server area, from the Directory server drop-down list, select RADIUS and click Next.
3. Configure the following settings:

Server: Enter the RADIUS server's domain name.

Secret: Enter the secret shared with the server. The shared secret is what authenticates the RADIUS exchange in both directions, so use a long random value and give each RADIUS client its own.

Port: Accept the default port, or enter the port to use.

Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option so that NITO uses the group information in the RADIUS Filter-Id attribute. The Filter-Id attribute must have the format GROUPn, for example GROUP5 or GROUP16.
When this option is not enabled, NITO uses group information from the next directory server in the list. If there are no other directories in the list, NITO places all users in the Default Users group.

If login attempt fails: Select what happens when the RADIUS server rejects a login.
Try next directory server, if any – Select this option if users in RADIUS are unrelated to users in any other directory server.
Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.

Cache timeout: Accept the default or specify how long NITO keeps a record of directory-authenticated users in its cache. NITO does not query the directory server for users who log out and log back in while their records are still in the cache.

Enabled: Select to enable the connection.

4. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.

For information on groups and directory servers, see Mapping Groups on page 197.

Configuring an Active Directory Connection – Legacy Method

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 190 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure NITO to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• Run the NITO Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by NITO for name lookups. For more information, see Appendix A, NITO and DNS on page 282 and the NITO Installation and Setup Guide.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
• Ensure that the clocks on NITO and your Active Directory server are synchronized. Kerberos rejects requests whose timestamps fall outside the permitted clock skew (five minutes by default).

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 style username (a userPrincipalName), which prevents the account from being used by the authentication service. Use a dedicated account created for this purpose instead.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details, the Kerberos realm to use, search roots and any optional advanced settings required.

To configure the connection:
1. Navigate to the services > authentication > settings page.
2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. NITO displays the settings for Active Directory.
3. Configure the following settings:

LDAP server: Enter the directory server's full hostname.
Note: For Microsoft Active Directory, NITO requires DNS servers that can resolve the Active Directory server hostnames. Often these will be the same servers that hold the Active Directory. The Active Directory DNS servers need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Appendix A, NITO and DNS on page 282 for more information.

Server username: Enter the username of a valid account, without the domain. NITO adds the domain automatically. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Appendix A, Active Directory on page 283.

Server password: Enter the password of the account.

Kerberos realm: Enter the Kerberos realm in capital letters.
Use default search roots: Select this option to make NITO start looking for user accounts at the top level of the directory.
Tip: In larger directories it is a good idea to use the Use custom search roots option to narrow the user search root, so that NITO does not have to search the entire directory. See below for more information.

Use custom search roots: Select this option to specify where in the directory NITO should start looking for user accounts and groups.
Custom user search root – Enter the user search root to start looking in, for example:
ou=myusers,dc=mydomain,dc=local
Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Custom group search root – Enter where in the directory NITO should start looking for user groups, for example:
ou=mygroups,dc=mydomain,dc=local
Note: Some directories will not return more than 1000 results for a single search, so if there are more than 1000 groups in the directory a more specific group search root must be configured.

Comment: Optionally, enter a comment about the directory server and the settings used.

Enabled: Select this option to enable the connection to the directory server.

4. Optionally, click Advanced to access and configure the following settings:

LDAP port: Accept the default, or enter the LDAP port to use.

Cache timeout: Accept the default or specify how long NITO keeps a record of directory-authenticated users in its cache. NITO does not need to query the directory server for users who log out and log back in while their records are still in the cache.
Note: A short cache timeout increases the load on the directory server. A long cache timeout means that old passwords remain valid for longer, that is, until the cache timeout has passed, so a password change in the directory does not take effect on NITO until then.
Discover Kerberos using DNS: Select this option to use DNS to discover Kerberos realms. NITO then tries to find all the domains in the Active Directory by querying the DNS server that holds the Active Directory information. For this to work, NITO must have a configured hostname in the Active Directory domain. For example:
Active Directory domain: domain.local
NITO hostname: system.domain.local
The hostname is needed so that NITO knows which domain to query for subdomains.

Use sAMAccountName: This setting applies to Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.

NetBIOS workgroup: This setting applies when using NTLM authentication with Guardian. NITO cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Here you can enter a NetBIOS domain name to use when joining the workgroup.

Extra user search roots: Enables you to enter additional user search paths when working with a large directory structure that contains multiple OUs and many users. Enter search roots one per line.

Extra group search roots: Optionally, enter further locations in the directory where NITO should look for user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 283.

Extra realms: Enables you to configure subdomains manually, as opposed to automatically using DNS. This can be useful if the Active Directory is in a state where orphaned domains are referenced, or if only certain subdomains are needed for user authentication.

5. Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 198 for more information.
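The bind DN, search roots and domain base described in the LDAP and Active Directory connection settings above fit together as shown in the following example. It is an added illustration for this guide, not code from NITO: the login attribute chosen per directory type (sAMAccountName for Active Directory, uid for Open Directory and OpenLDAP, cn for eDirectory) is an assumption made here, and the DNs are the guide's own examples. The point to take from it is the escaping: whatever attribute is searched, a login name must be escaped before it is placed in a filter, otherwise a value such as *)(objectClass=* turns a single-user lookup into a match on every object in the search root.

```python
"""Checks for the LDAP and Active Directory connection settings above.

Added example for this guide, not NITO code. It shows how the bind DN,
the search roots and the domain base relate to each other, and how a
login name must be escaped before it is placed in an LDAP search
filter. The login attribute per directory type is an assumption made
here; it is not necessarily the attribute NITO queries.
"""
import re

# Characters that must be escaped inside a filter value (RFC 4515 s3).
# Left unescaped, a login such as "*)(objectClass=*" rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}

# Assumed login attribute per directory type (not NITO's own choice).
LOGIN_ATTRIBUTE = {
    "active_directory": "sAMAccountName",
    "edirectory": "cn",
    "open_directory": "uid",
    "openldap": "uid",
}

# Split a DN on commas that are not escaped with a backslash.
_DN_SPLIT = re.compile(r"(?<!\\),")


def escape_filter_value(value):
    """Return `value` escaped for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(directory_type, login):
    """Build the single-user lookup filter for the given directory type."""
    return "(%s=%s)" % (LOGIN_ATTRIBUTE[directory_type],
                        escape_filter_value(login))


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.

    Attribute types are lower-cased because DN matching is
    case-insensitive; values keep their RFC 4514 escapes.
    """
    rdns = []
    for rdn in _DN_SPLIT.split(dn):
        typ, sep, val = rdn.strip().partition("=")
        if not sep or not typ.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def is_under(child, base):
    """True when `child` equals `base` or lies beneath it in the tree."""
    c = [(t, v.lower()) for t, v in parse_dn(child)]
    b = [(t, v.lower()) for t, v in parse_dn(base)]
    return len(c) >= len(b) and c[len(c) - len(b):] == b


def domain_to_base_dn(domain):
    """dc=... form of a DNS domain: mydomain.local -> dc=mydomain,dc=local."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


def kerberos_realm(domain):
    """The realm field must be entered in capital letters."""
    return domain.strip(".").upper()


def check_search_roots(base_dn, roots):
    """Return the search roots that do not lie beneath the directory base.

    A root outside the base is a misconfiguration: the search returns
    nothing, and every login then falls through to the next server.
    """
    return [r for r in roots if not is_under(r, base_dn)]


if __name__ == "__main__":
    base = domain_to_base_dn("mydomain.local")
    print(base, kerberos_realm("mydomain.local"))
    print(check_search_roots(base, ["ou=myusers,dc=mydomain,dc=local",
                                    "ou=mygroups,dc=mydomain,dc=local",
                                    "ou=sales,o=organization"]))
    # An unescaped wildcard would match every user; escaped it is literal.
    print(user_filter("active_directory", "*)(objectClass=*"))
```

Run it as a script to see the guide's example roots checked against dc=mydomain,dc=local; the eDirectory-style root ou=sales,o=organization is reported because it does not sit under that base and so cannot be a valid narrowing of it.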
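What the Obtain groups from RADIUS setting in the RADIUS connection section above relies on, shown as an added example rather than NITO's own code: a RADIUS Access-Accept is parsed into its attributes, its Response Authenticator is checked against the shared secret before anything in the reply is trusted, and a Filter-Id of the form GROUPn is turned into a group number. The shared secret, the packet identifier and the request authenticator are constructed values for the example; a real client uses sixteen random octets for the latter.

```python
"""Parse and verify a RADIUS Access-Accept carrying a GROUPn Filter-Id.

Added example for this guide, not NITO code. It shows what the
"Obtain groups from RADIUS" setting depends on: a well-formed Filter-Id
attribute in the server's reply, and a Response Authenticator proving
the reply came from a server holding the shared secret (RFC 2865 s3).
The secret, identifier and request authenticator are constructed.
"""
import hashlib
import hmac
import re
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 section 5.11
_GROUP_RE = re.compile(r"^GROUP(\d+)$")


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for typ, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply the way the RADIUS server does.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth
                                 + Attributes + Secret)
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Walk the attribute TLVs; reject truncated or malformed ones."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response(packet, request_auth, secret):
    """Validate a reply against the outstanding request.

    Returns (code, identifier, attributes). Raises ValueError when the
    packet is malformed or the Response Authenticator does not match,
    which is what a wrong shared secret or a forged reply looks like.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    packet = packet[:length]      # octets past Length are padding (RFC 2865)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:]
                           + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, parse_attributes(packet[20:])


def group_from_attributes(attrs):
    """Return n from the first Filter-Id of the form GROUPn, else None."""
    for typ, value in attrs:
        if typ == ATTR_FILTER_ID:
            m = _GROUP_RE.match(value.decode("ascii", "replace"))
            if m:
                return int(m.group(1))
    return None


# Constructed values: a real request authenticator is 16 random octets.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def demo():
    """Round trip: the server builds an Access-Accept, the client checks it."""
    attrs = encode_attributes([(ATTR_FILTER_ID, b"GROUP5")])
    packet = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET)
    code, ident, parsed = verify_response(packet, REQUEST_AUTH, SECRET)
    return code, ident, group_from_attributes(parsed)


if __name__ == "__main__":
    print(demo())   # (2, 7, 5)
```

A reply whose Filter-Id is not of the form GROUPn yields no group, which is the situation the guide describes as falling through to the next directory server; a reply built with a different secret, or altered after the fact, fails the authenticator check and must be discarded rather than acted on.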
Reordering Directory Servers

If multiple directory servers exist, NITO tries them in the order in which they are listed. If most of your users are in one directory, list that directory first to reduce the number of queries required.

To reorder directory servers:
1. Navigate to the services > authentication > settings page.
2. In the Directory servers area, select the directory server you want to move and click Up or Down until the servers are in the order you require.

Removing Directory Servers

To remove a directory server:
1. Navigate to the services > authentication > settings page.
2. In the Directory servers area, select the directory server you want to remove and click Remove. NITO removes the server.

Mapping Groups

Once you have successfully configured a connection to a directory, you can map the groups NITO retrieves from the directory to NITO groups in order to apply permissions and restrictions to the users in those groups.

To map directory groups to NITO groups:
1. After configuring the connection to the directory (see About NITO and Directory Servers on page 189), go to the services > authentication > groups page.
Note: Only directory servers that contain mappable groups are displayed. RADIUS groups are fixed.
Tip: When working with a large number of groups, you can use the Filter option to limit searches to specific groups.
2. In the Available groups tree, navigate to and highlight the group you want to map and click Select. NITO lists the group in the Mapped groups area. By default, NITO maps all groups to the Unauthenticated IPs group. For more information on groups, see About Groups on page 186.
3. From the Mapped group drop-down list, select the NITO group you want to map the directory group to and click Save.
4. Repeat the steps above to map any other groups required.

Remapping Groups

It is possible to change group mappings.

To remap groups:
1. Navigate to the services > authentication > groups page and, in the Mapped groups area, locate the directory server group you want to remap.
2. From the Mapped group drop-down list, select the NITO group you want to remap the directory server group to, and tick the Mark check box.
3. Click Save. NITO remaps the group.

Managing the Authentication System

NITO's authentication system can be stopped, started and monitored.

To access the authentication system controls:
1. Navigate to the Services > Authentication > Control page.
See the sections below for information on restarting, stopping and reviewing the service.

Restarting the Authentication System

It may be necessary to restart the authentication system if unapplied configuration changes have been made. In this situation, a warning is displayed at the top of all authentication pages as a reminder that a restart is required. A full restart normally takes a few seconds to complete, after which users are required to re-authenticate. A restart also terminates all active downloads.

To restart the authentication system:
1. Navigate to the Services > Authentication > Control page and click Restart.
Note: Restart the authentication system only at a time that is convenient for network users.

Stopping the Authentication System

There is no reason to stop the authentication system in normal operation. Carry out this procedure only if instructed to by the Nomadix support team.

To stop the authentication system:
1. Navigate to the Services > Authentication > Control page.
2. Click Stop in the Manual control area.

Viewing System Status

To display the current status of the authentication system:
1. Navigate to the Services > Authentication > Control page.
2. Click Refresh in the Manual control area. The current status is displayed in the Current status field and is either Running or Stopped.
Running Diagnostics

To check that the authentication system is operating correctly, diagnostic tests can be run.

To run authentication diagnostics:
1. On the Services > Authentication > Control page, click Run. NITO runs the tests and displays the results.

Test: Authentication service self test
Description: Checks whether the authentication service can be contacted.

15 Reporting

In this chapter:
• About the Summary page
• Working with NITO reports
• Managing report data databases.

About the Summary Page

The summary page displays a customizable list of reports.

To access the summary page:
1. Navigate to the Logs and reports > Reports > Summary page.
Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports displayed, see Chapter 16, Configuring the User Interface on page 220.

Accessing Reporting

NITO can produce many types of reports, which provide information on almost every aspect of NITO.

To access reporting:
1. Navigate to the Logs and reports > Reports > Reports page.

Generating Reports

NITO contains a broad range of reports which can be generated immediately.

To generate a report:
1. Navigate to the Logs and reports > Reports > Reports page and click the folder containing the report you want to generate.
2. Click the report to access its options. NITO displays the options available.
Tip: Click Advanced to see a description of the report and to access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 13, Making Reports Available on page 151.
3. If applicable, set the time interval for the report and enter or select any options you require.
4. Click Run report to generate the report. NITO displays the report.
Canceling a Report

It is possible to cancel a report if it is taking a long time to generate.

To cancel a report:
1. Generate the report; see Generating Reports on page 202.
2. When the report progress bar is displayed, click Cancel. NITO cancels the report.

Saving Reports

If you want permanent access to a report, you must save it.

To save a report:
1. Generate the report; see Generating Reports on page 202.
2. In the Save as field, enter a name for the report and click Save. You can access the report on the Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports

You can access all reports generated in the last three days on the Logs and reports > Reports > Recent and saved page. You can also save recently generated reports and change report formats on this page.

Changing Report Formats

NITO enables you to change reports viewed and/or saved in one format to another.

To change a report format:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
2. Locate the report you want to change and click the format you want to change the report to. The following formats are available:

csv: The report is generated in comma-separated text format.
excel: The report is generated in Microsoft Excel format.
pdf: The report is generated in Adobe's Portable Document Format.
pdfbw: The report is generated in black and white in Adobe's Portable Document Format.
tsv: The report is generated in tab-separated text (tsv) format.

Managing Reports and Folders

The following sections explain how to create, delete and navigate reports and folders in NITO.

Creating Folders

You can create a folder to contain reports on the Logs and reports > Reports > Reports page, or in a folder or sub-folder contained on the page.

To create a folder:
1. On the Logs and reports > Reports > Reports page, determine where you want to create the folder: on the page itself or in an existing folder.
2. Click the Create a new folder button. NITO creates the folder.
3. Enter a name for the folder and click Rename.

Deleting Folders

To delete a folder:
1. On the Logs and reports > Reports > Reports page, locate the folder.
2. Click the Delete button. NITO deletes the folder.
Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.

Deleting Reports

To delete a report:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
2. Locate the report and click the Delete button.

Report Permissions

NITO enables you to publish reports on a portal. For more information, see Chapter 13, Making Reports Available on page 151.

Making Reports Available to Other Portals

You can make reports generated on one portal available to other portals.

To make the report available:
1. Navigate to the Logs and reports > Reports > Reports page and locate the report you want to publish to other portals.
2. On the Permissions tab, click Automatic Access.
3. In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
4. Click Close to close the dialog box. NITO publishes the report to the portal.

Scheduling Reports

NITO can generate and deliver reports to specified user groups at specified intervals.

To schedule a report:
1. Navigate to the Logs and reports > Reports > Scheduled page.
2. Configure the following settings:

Start date: Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.

Time: Select the hour and minute at which to deliver the report.

Repeat: Scheduled reports can be generated and delivered more than once.
Select from the following options:
No Repeat – The report is generated and delivered once, on the specified date at the specified time.
Daily Repeat – The report is generated and delivered once a day at the specified time, starting on the specified date.
Weekday Repeat – The report is generated and delivered at the specified time, Monday to Friday, starting on the specified date.
Weekly Repeat – The report is generated and delivered at the specified time, once a week, starting on the specified date.
Monthly Repeat – The report is generated and delivered at the specified time, once a month, starting on the specified date.

Enabled: Select to enable the scheduled report.

Comment: Optionally, enter a description of the scheduled report.

Report: From the drop-down list, select the report.

Report shows period: From the drop-down list, select how long to collate data for this report.

Save report: Select this option if you want to save the scheduled report after it has been generated. The report is then available on the Logs and reports > Reports > Recent and saved page.

Report name: Enter a name for the scheduled report.

Publish from portal: Optionally, from the drop-down menu, select a portal to publish the report from.

Email report: Select this option if you want to email the report to a group of users.

Group: From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 18, Configuring Groups on page 274.

3. Click Add. NITO schedules the report and lists it in the Scheduled reports area.

Managing Report Data

To manage a local report database:
1. Navigate to the Logs and reports > Settings > Database settings page.
2. Configure the following settings:

Database: Enter the following information:
Username – Accept the default user name or enter a new user name.
Password – Enter a password for the database.
Pruning: Select this option if you want to prune entries in the database at specified intervals, to save storage space or potentially speed up information processing.
Don’t prune – Select to not remove any entries from the database.
Over a month – Select to remove entries that are more than one month old, repeated every month.
Over three months – Select to remove entries that are more than three months old, repeated every month.
Over six months – Select to remove entries that are more than six months old, repeated every month.

3. Click Save to save the database management settings.

Storing Report Data Remotely

NITO can be configured to store report data remotely in the database of a compatible system. Storing data in a remote database entails:
• First configuring the remote database management system with username and password information.
• Then configuring the local system with the IP address of the remote database.

To store reports remotely:
1. On the remote, compatible system which will store the data, navigate to the Logs and reports > Settings > Database settings page.
2. Configure the following settings:
3. On the local NITO, navigate to the Logs and reports > Settings > Database settings page and configure the following settings:
4. Click Save. NITO starts to store data on the remote system.

Managing Disk Space

Using NITO, you can review how disk space is used to store log and database information, optimize, empty or prune the database, and back up data in an archive.

About Disk Usage

NITO displays information on how much data, and which type of data, is being stored on the system's hard disk.

To review information on disk usage:
1. Browse to the Logs and reports > Settings > Database backup page.
The following information is available:

Log and database partition usage summary: NITO shows a summary of how much disk space there is, how much has been used and how much is free.

Usage broken down by module/category: NITO shows how much disk space is being used to store information, by module and type of storage.

NITO updates the information every 60 minutes, and all figures shown are approximate.

Monitoring Log Insertion

NITO enables you to monitor the process of inserting log information into the database.

To monitor log insertion:
1. Browse to the Logs and reports > Settings > Database backup page. Current information is displayed in the Log insertion process area.

Optimizing, Emptying and Pruning Databases

It is possible to optimize, empty and prune databases in order to improve performance and use disk space in the best possible way.
Tip: Run the Reporting database health report to determine the database's status before using any of the database management options documented in the following sections. See Chapter 15, Reporting on page 201 for more information on generating reports.

Optimizing a Database

Note: Optimizing a database can take a long time to complete and may have an impact on the system's performance.

To optimize a database:
1. Browse to the Logs and reports > Settings > Database backup page and click Optimize database.
2. When prompted, click Continue to confirm. The database is optimized.

Emptying a Database

Note: Emptying a database removes all data from the database and can take a long time to complete.

To empty a database:
1. Browse to the Logs and reports > Settings > Database backup page and click Empty database.
2. When prompted, click Continue to confirm. The database is emptied.

Pruning a Database

Note: Pruning a database can take a long time to complete and may have an impact on the system's performance.

To prune a database:
1. Browse to the Logs and reports > Settings > Database backup page and click Prune now.
2. When prompted, click Continue to confirm. The database is pruned.

Backing up Data

It is possible to back up your report data in an archive. This enables you to restore data, for example when recovering from a hardware failure.

To back up data:
1. Browse to the Logs and reports > Settings > Database backup page.
2. In the Backup area, click Backup. The data is backed up in an archive, which is listed in the Backup area.
3. In the Backup area, select the archive and click Download. When prompted, save the archive in a secure location for use if you need to restore data. The archive contains the report data itself, so protect it as you would the live database.

Restoring Data

The following section explains how to restore data.
Note: When you restore data, the database is not emptied first. If the database is not empty, restoring data can therefore produce duplicate data. We recommend that you always ensure the database is empty before restoring. See Emptying a Database on page 209 for information on how to empty a database.

To restore data:
1. Browse to the Logs and reports > Settings > Database backup page.
2. In the Upload area, click Browse. In the File Upload dialog box, navigate to where the backup archive is stored, select it and click Open.
3. Click Upload. The file is uploaded and listed in the Backup area.
4. Select the file and click Restore. The data is restored.

About Migrating from Earlier Versions

When updating to the latest version, existing data stored in the database may not be accessible for reporting. If this is the case, a warning message is displayed. The data is safe but not accessible in its current format. To make it accessible, create a backup archive and restore it. For more information, see Backing up Data on page 209 and Restoring Data on page 209.
16 Managing Your NITO

In this chapter:
• Managing system and security updates
• Managing module installations and product licensing
• Creating and restoring archives
• Scheduling automatic maintenance
• Producing diagnostic support files
• Managing certificates
• Shutting down and restarting NITO
• How to use NITO's network tools to perform a variety of everyday network maintenance tasks.

Managing Updates

Administrators should use NITO's update facility whenever a new update is released. Updates are typically released in response to evolving or theoretical security threats, as and when they are discovered. System updates may also include general product enhancements, as part of Nomadix's commitment to continuous product improvement.

NITO must be connected to the Internet in order to discover, download and install system updates. Nomadix's support systems are directly integrated with NITO's system update procedure, allowing the Nomadix support department to readily track the status of your system.

To manage updates:
1. Navigate to the System > Maintenance > Updates page.
2. Configure the following settings:

Refresh update list: Click to get a list of available updates. Any updates available are listed in the Available updates area.

Download updates: Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.

Clear download cache: Click to clear any downloaded updates stored in the cache.

Install updates: Click to install all updates in the Pending updates area immediately.

Install at this time: Enter the time at which you want to install the updates if you do not want to install them immediately, and click Install at this time.

3. If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates Manually

The Install new update area enables you to install system updates manually.
To manually install an update:
1. Navigate to the System > Maintenance > Updates page and click Refresh update list.
2. In the Available updates list, locate the update and click Info. The Nomadix Updates page opens.
3. Download the update to a suitable location.
4. On the System > Maintenance > Updates page, click Advanced.
5. In the Install new update area, click Browse to find and open the update.
6. Click Upload to upload and install the update file.

Managing Modules

NITO's major system components are separated into individually installed modules. Modules can be added to extend NITO's capabilities, or removed in order to simplify administration and reduce the exposure to as yet undiscovered security flaws in code you do not use.
Note: Modules must be registered against your NITO serial number before they can be installed and used. For further information, please consult your Nomadix partner or, if purchased directly, Nomadix.

NITO must be connected to the Internet in order to install modules.

To install a module:
1. Navigate to the System > Maintenance > Modules page.
2. In the Available modules area, locate the module and click Install.
Note: Some module installations require a full reboot of NITO. Please read the module description carefully prior to installation.

Installing Modules Manually

To install a module manually:
1. Navigate to the System > Maintenance > Modules page and click Advanced.
2. In the Upload module file area, browse to and select the module.
3. Click Upload. The module is uploaded and installed.

Removing a Module

To remove a module:
1. Navigate to the System > Maintenance > Modules page.
2. In the Installed modules area, locate the module and click Remove.
3. Reboot NITO on the System > Maintenance > Shutdown page.

Licenses

NITO contains information on licenses and subscriptions.

To view license information:
1. Navigate to the System > Maintenance > Licenses page.
Note: The information displayed depends on the Nomadix product you are using.

Installing Licenses

You can buy additional licenses from Nomadix or an approved Nomadix partner. License installation and activation is an automated process, initiated via a secure request to the Nomadix licensing servers.

To install additional licenses:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Refresh license list. This updates the available license information via the Internet, and any new licenses are installed.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Nomadix add-on module.

Archives

The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring a NITO system. They can also be used to create clones of existing systems. Because an archive carries enough of a system's configuration to clone it, store archives as carefully as the system itself.
Note: You can schedule the creation of backup archives automatically. For further information, see Scheduling on page 216.

About Archive Profiles

You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive. You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for Nomadix replication systems. For more information, see Chapter 17, Centrally Managing Nomadix Systems on page 245.

Creating an Archive

To create an archive:
1. Navigate to the System > Maintenance > Archives page.
2. Configure the following settings:

Profile: To create a new profile, from the drop-down list select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.

Profile name: Enter a name for the profile.

Comment: Enter a description for the archive.

Automatic backup: Select if you want to archive settings automatically.
   Settings: Settings available include general settings for NITO and replicable settings which can be used in a Nomadix system. A marker next to a setting indicates that it can be replicated. Select the components you want to archive, or select All to select and archive all settings. For more information on replication in Nomadix systems, see Chapter 17, Centrally Managing Nomadix Systems on page 245.
   Logs: Select the log files you want to archive, or select All to select and archive all logs.
3. Click Save and backup to create the archive.

Downloading an Archive
To download an archive:
1. In the Archives area, select the archive.
2. Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive
To restore an archive:
1. In the Archives area, select the archive.
2. Click Restore. The archive contents are displayed.
3. Select the components in the archive that you want to restore and click Restore.

Deleting Archives
To delete an archive:
1. In the Archives area, select the archive and click Delete.

Uploading an Archive
This is where you upload archived settings from previous versions of NITO and Nomadix modules so that they can be reused in the current version(s).

To upload an archive:
1. In the Upload area, enter the name of the archive and click Browse.
2. Navigate to and select the archive.
3. Click Upload to upload the archive.

Scheduling
You can configure NITO to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:
1. Navigate to the System > Maintenance > Scheduler page.
2. Configure the following settings:
   Day: From the drop-down list, select the day of the week on which the tasks will be executed.
   Hour: From the drop-down list, select the time of day at which the tasks will be executed.
   Check for new updates: Select to check for new system updates.
   Download updates: Select to download available updates.
   Check for new modules: Select to check for new modules.
   Check for license upgrades: Select to discover and install license upgrades.
   Prune archives: Options here enable you to schedule archive pruning if you require it. Select one of the following options:
      Don't prune – This is the default option; archives are never pruned.
      Over a month – Select this option to prune archives that are older than one month.
      Over 2 months – Select this option to prune archives that are older than two months.
      Over 3 months – Select this option to prune archives that are older than three months.
3. Click Save.

Scheduling Remote Archiving
Scheduled remote archiving uses SSH keys to allow NITO to securely copy files to a remote SSH server without the need for passwords. The use of SSH keys requires NITO to generate a key pair, which it will use to secure all file transfers sent to the SSH server. The SSH server must be configured to accept connections from NITO in this manner; it requires the public half of the key pair to be installed.

To schedule remote archiving:
1. Navigate to the System > Maintenance > Scheduler page.
2. In the Remote archive destinations area, click Export Public Backup Key.
3. Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4. In the Remote archive destinations area, enter the following information:
   Name: Enter a name to identify this destination.
   Username: Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
   Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/. If left blank, NITO uses the default home directory of the specified remote user.
   Server: Set the IP address of the SSH server.
   Port Number: Set the port number used to access the SSH server (normally port 22).
   Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system from adversely affecting the performance of other network traffic.
   Comment: Enter a description of the destination.
5. Click Add.
6. Repeat the steps above to make other destinations available.
7. In the Remote archival area, enter the following information:
   Day: The day of the week on which to carry out the archive.
   Hour: The hour of the day at which to carry out the archive.
   Archive destination: From the drop-down list, select a destination as configured in the Remote archive destinations area.
   Archive profile: From the drop-down list, select an archive profile as configured on the Archives page.
   Enabled: Select to enable the archive.
   Comment: Enter a description of the archive.
8. Click Add.
9. Repeat the steps above to configure other archives for scheduled remote archiving.

Note: A local copy of the archive is also created and stored.

Editing Schedules
To edit a schedule:
1. In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting
NITO can be shut down or restarted immediately, after a specified delay or at a predetermined time.

To shut down or reboot:
1. Browse to the System > Maintenance > Shutdown page.
2. Configure the following settings:
   Immediately: Select to shut down or reboot immediately.
   Delay action for: Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.
   At the following time: Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.
3. Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Shell Access
The web-based secure shell (SSH) remote access tool enables command line administration of the NITO system through a web browser.

Note: In order to use this feature, SSH access must be enabled. See Chapter 16, Configuring Admin Access Options on page 225. The browser that is connected to the NITO system is required to have a Java Virtual Machine installed. For details on setting your browser up in this way, consult your browser help system.

To use the shell tool:
1. Navigate to the System > Maintenance > Shell page.
2. Click on the shell window once the Java applet has loaded.
3. Enter the following information:
   User name: Enter root.
   Password: Enter the root account's password.
4. Click Login. You gain access to the shell.

Setting System Preferences
The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface
NITO can be customized in different ways, depending on how you prefer to work. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.

To configure the user interface:
1. Browse to the System > Preferences > User interface page.
2. Configure the following settings:
   Host information: In the description field, enter a description to identify NITO. This will be displayed in the title bar of the browser window.
   System Control page: From the Report to show drop-down list, select the report you want displayed on the Dashboard.
   Dashboard sections: Determines what, if any, information is displayed in the System Services area on the Dashboard.
3. Click Save.

Setting Time
NITO's time zone, date and time settings can be specified manually or retrieved automatically from a local or external Network Time Protocol (NTP) server, typically located on the Internet. NITO can also act as an NTP server itself, allowing network-wide synchronization of system clocks.

To set the time:
1. Navigate to the System > Preferences > Time page.
2. Configure the following settings:
   Timezone: From the drop-down list, select the appropriate time zone.
   Time and date: To manually set the time and date, select Set and use the drop-down lists to set the time and date.
   Network time retrieval: To automatically retrieve time settings:
      1. Select Enabled in the Network time retrieval area.
      2. Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
      3. Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
      4. Choose one of the following network retrieval methods:
         Multiple random public servers – select to set the time as the average time retrieved from five random time servers.
         Selected single public server – select from the drop-down list a public time server to use to set the time.
         User defined single public or local server – enter the address of a specific local or external time server.
   Network time service interfaces: NITO can be used to synchronize the system clocks of local network hosts by providing a time service. To provide the network time service:
      1. Enable network time retrieval.
      2. Select each internal network interface that the network time service should be available from.
3. Click Save.
Configuring Registration Options
NITO enables you to use an upstream registration proxy if your ISP requires you to use one and, optionally, to supply information about the status of your system and web filtering statistics.

To configure registration options:
1. Navigate to the System > Preferences > Registration options page.
2. Configure the following settings:
   Upstream registration proxy:
      Server – Enter the hostname or IP address of the proxy server.
      Port – Enter the port number to use.
      Username – Enter the username provided by your ISP.
      Password – Enter the password provided by your ISP.
      Note: The upstream proxy has no bearing on NITO proxy services.
   Extended registration information: When registering, updating and/or installing add-on modules, NITO sends information about licenses, subscriptions and add-on modules to Nomadix. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:
      • Enabled status for optional services
      • The number of configured interfaces and whether they are internal or external
      • Authentication service settings and the LDAP server type
      • Guardian transparent mode and authentication service settings mode
      • Manufacturer name and product name – from dmidecode
      • Main board manufacturer and main board product name – from dmidecode.
      Note: No usernames, passwords or sensitive information are sent, and any potentially identifying data is summarized before sending.
   Provide filtering feedback information: When enabled, NITO will periodically send information about web filtering accuracy and a list of the domains of any web sites which could not be classified. Nomadix will take every available measure to ensure data cannot be associated with your organization, and no personal information is ever sent.
3. Click Save.
NITO starts to use the configured upstream proxy and, if enabled, sends registration and/or filtering information.

Configuring the Hostname
You can configure NITO's hostname. A hostname should usually include the name of the domain that it is within.

To change the hostname:
1. Browse to the System > Preferences > Hostname page.
2. Enter a new value in the Hostname field and click Save.

Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in the Common Name field of its certificate.

Configuring Administration and Access Settings
The following sections discuss administration, external access and account settings.

Configuring Admin Access Options
You can enable and disable remote access to NITO's console via Secure Shell (SSH) and configure remote access referral checking.

To access NITO via remote SSH, the following criteria must be met:
• The host must be from a valid network zone
• The host must be from a valid source IP
• The SSH service must be enabled
• Admin access must be set to enabled
• The setup or root username and password must be known
• To use NITO's web-based SSH shell, the host browser must have a Java Virtual Machine installed.

To permit access to the console via SSH:
1. Navigate to the System > Administration > Admin options page.
2. Select SSH and click Save.

Note: Terminal access to NITO uses the non-standard port 222.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged-in administrator, and not from some third-party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname, or the external IP address where applicable. If the referral is not from a NITO page, the request is ignored and reported in the general Nomadix log file.
Note: This function prevents NITO from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage a NITO system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.

To enable referral checking:
1. Navigate to the System > Administration > Admin access page.
2. Select Allow admin access only from valid referral URLs in the Remote Access area.
3. Click Save.

Configuring External Access
External access rules are used to determine which interfaces, services, networks and host systems can be used to administer NITO. The default external access rule allows administrators to access and configure NITO from any source IP that can route to the system's first (default) network interface. This default rule allows administrators to access any of the following admin services:
• SSH admin – Access to the system console using port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 225.
• HTTP admin – Access to the web-based interface on port 81.
• HTTPS admin – Access to the web-based interface on port 441.

To enable external access:
1. Browse to the System > Administration > External access page.
2. Configure the following settings:
   Interface: From the drop-down list, select the interface that access is permitted from.
   Source IP, or network: Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
   Service: Select the permitted access method.
   Comment: Enter a description for the access rule.
   Enabled: Select to activate access.
3. Click Add.
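The two admission checks described above, the external access rule table and referral checking, are easiest to reason about side by side. The following Python script is an added example written for this guide; it is not NITO's own implementation. It evaluates a constructed administration request against a constructed rule table in the shape of the External access page, accepting the same source forms the page accepts (empty for any source, a single address, a range such as 192.168.10.1-192.168.10.50, and a subnet in prefix or netmask notation), and then applies a referral check. The referral check parses the host out of the Referer URL and compares it exactly with NITO's own addresses rather than testing whether the URL merely contains one of them, so a URL on another domain that happens to embed the local address does not pass. The interface names, addresses, hostname and rules are all made up, and the guide does not say how NITO treats a request with no Referer at all; the example rejects it.

```python
"""Admission checks for a NITO-style admin request.

Constructed example for this guide, not NITO's own code. It models the
External access rules (interface, source, service, enabled) and the
Referral Checking option described above. Interface names, addresses,
hostnames and rules below are made up.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed rule table in the shape of the External access page.
# The first rule mirrors the default rule: any source on the first interface.
RULES = [
    {"interface": "eth0", "source": "", "service": "HTTPS admin", "enabled": True},
    {"interface": "eth0", "source": "192.168.10.1-192.168.10.50", "service": "SSH admin", "enabled": True},
    {"interface": "eth1", "source": "10.0.0.0/255.255.255.0", "service": "HTTP admin", "enabled": False},
]

# Addresses a Referer must name for the referral check to pass: the local IP,
# the local hostname and, where applicable, the external IP (constructed values).
LOCAL_HOSTS = {"192.168.10.1", "nito.example.internal", "203.0.113.10"}


def parse_source_rule(text):
    """Return a predicate over ipaddress objects for one 'Source IP, or network' field.

    Accepted forms match the guide: empty (any source), a single address,
    a range such as 192.168.10.1-192.168.10.50, or a subnet written as
    192.168.10.0/24 or 192.168.10.0/255.255.255.0.
    """
    text = text.strip()
    if not text:
        return lambda ip: True
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or hi < lo:
            raise ValueError("malformed address range: %s" % text)
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    if "/" in text:
        # strict=True rejects a rule with host bits set (e.g. 192.168.10.7/24),
        # which is more likely a typo than an intended subnet.
        net = ipaddress.ip_network(text, strict=True)
        return lambda ip: ip in net
    single = ipaddress.ip_address(text)
    return lambda ip: ip == single


def source_matches(rule_text, src_ip):
    """Convenience wrapper: test one source rule string against an address string."""
    return parse_source_rule(rule_text)(ipaddress.ip_address(src_ip))


def source_permitted(rules, interface, service, ip):
    """True if any enabled rule for this interface and service matches the source."""
    return any(
        r["enabled"]
        and r["interface"] == interface
        and r["service"] == service
        and parse_source_rule(r["source"])(ip)
        for r in rules
    )


def referer_is_local(referer, local_hosts):
    """Referral check: the Referer's host must be one of NITO's own addresses.

    The host is parsed out of the URL and compared exactly. A missing or
    unparsable Referer is rejected (the guide does not say how NITO treats
    that case; rejecting is the conservative assumption).
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname
    if host is None:
        return False
    return host.lower() in {h.lower() for h in local_hosts}


def admit_admin_request(src_ip, interface, service, referer, rules=RULES,
                        local_hosts=LOCAL_HOSTS, check_referer=True):
    """Decide whether an admin request is processed; the reason is what would be logged."""
    ip = ipaddress.ip_address(src_ip)
    if not source_permitted(rules, interface, service, ip):
        return "denied: no matching external access rule"
    if check_referer and not referer_is_local(referer, local_hosts):
        return "ignored: referral URL is not a NITO page"
    return "allowed"


if __name__ == "__main__":
    print(admit_admin_request("192.168.10.7", "eth0", "HTTPS admin",
                              "https://192.168.10.1:441/cgi-bin/admin/updates.cgi"))
    print(admit_admin_request("192.168.10.7", "eth0", "HTTPS admin",
                              "https://third-party.example/page.html"))
```

Two details matter for the referral check: the comparison is against the parsed hostname, so the port and path of the administration URL are irrelevant, and the check is skipped for the SSH service, which carries no Referer. The returned reason strings stand in for what NITO reports in its general log for an ignored request.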
The access rule is added to the Current rules table.

Note: Do not remove the default external access rule; it provides access to the default internal network.

Editing and Removing External Access Rules
To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings
NITO supports different types of administrative accounts.

To manage accounts:
1. Navigate to the System > Administration > Administrative users page.
2. Configure the following settings:
   Username: Enter a name for the user account.
   Password: Enter a password. Passwords are case sensitive and must be at least six characters long.
   Again: Re-enter the password to confirm it.
   Permissions: Select the account permissions you want to apply to the account.
      Administrator – Full permission to access and configure NITO.
      Guardian temporary bypass – Gives the account user access to the temporary bypass buttons on the block page.
      Guardian – Enables access to the Guardian tab on the web interface.
      Log – Permission to view the system log files.
      Operator – Permission to shut down or reboot the system.
      Portal User – Permission to access the user portal pages.
      SMTP quarantine – Permission to access and manage the SMTP quarantine pages.
      Realtime logs – Permission to view realtime logs.
      Reporting system – Permission to access the reporting system.
      Guardian room block controls – Permission to manage blocking of location contents.
      Rule editor user – Permission to edit rules.
      Temp ban – Permission to access and change temporary ban status.
      Guardian unblock controls – Gives the account user access to the unblock controls on the block page.
3. Click Add to add the account.

Changing a User's Password
To set or edit a user's password:
1. Browse to the System > Administration > Administrative users page.
2. In the Current users area, select the user and click Edit.
3. Enter and confirm the new password in the Password and Again fields.
4. Click Add to activate the changes.

Hardware
The following sections discuss UPS, modem and firmware settings.

UPS Settings
NITO can be connected to a local Uninterruptible Power Supply (UPS) device to protect the system against power cuts. With this arrangement, local UPS status monitoring can be configured, and the system can be configured to react automatically when it detects that it is using UPS battery power. In this mode, it is also possible for NITO to act as a UPS master and broadcast power status messages to other appropriately configured UPS systems or devices so that they too can react to power changes.

Alternatively, NITO can be configured as a UPS device to an appropriately configured master UPS system or device. In this mode, the status of the UPS service is updated over the network whenever the UPS master device alerts the NITO system. This mode also allows NITO to react when it is informed that UPS battery power is being used.

Enabling UPS Monitoring
To enable UPS monitoring:
1. Navigate to the System > Hardware > UPS page.
2. Configure the following settings:
   Enable UPS monitor support: Select to enable support.
   UPS connection type: Select one of the following options:
      Local connection – select to monitor a UPS device which is directly connected to the NITO system. For more information, see Configuring a Local UPS Connection on page 229.
      Network connection – select to monitor a UPS device that is connected to the network. For more information, see Connecting to a Network UPS on page 230.
3. Click Save.
Configuring a Local UPS Connection
Once UPS monitoring is enabled and operating in Local connection mode, the local UPS settings are configured using the Local UPS Configuration area. The following controls are used to configure a local UPS connection:
   Select UPS type: Used to set the manufacturer, model or compatible setting for the local UPS device (refer to the UPS device's technical documentation if this is not readily known).
   Select UPS COM port: Used to set the serial or USB port that the UPS device is attached to.
   Select UPS cable type: Used to set the type of cable that connects to the UPS device (refer to the UPS device's technical documentation if this is not readily known).

To configure a local UPS connection:
1. Navigate to the System > Hardware > UPS page.
2. Choose the manufacturer, model or compatible setting for the UPS device from the Select UPS type drop-down list.
3. Choose the serial or USB port that the UPS device is attached to from the Select UPS COM port drop-down list.
4. Choose the cable type that the UPS device is attached by from the Select UPS cable type drop-down list.
5. Click Save.

Connecting to a Network UPS
Once UPS monitoring is enabled and operating in Network connection mode, the network UPS settings are configured using the Network UPS Configuration area. The following controls are used to configure a network UPS connection:
   Master IP Address: The IP address of the 'master' UPS device.
   Port: The numeric port number of the master UPS device's network service.

To configure a network UPS connection (with NITO acting as a UPS device):
1. Navigate to the System > Hardware > UPS page.
2. Enter the IP address of the UPS device into the Master IP Address field.
3. Enter the port number that the UPS device uses into the Port field.
4. Click Save.
Customizing UPS Behavior
Once UPS monitoring is enabled and an appropriate connection to a remote or local UPS device has been configured, UPS behavior can be customized. The Action to take when UPS on battery area is used for this purpose. The following controls are used to customize UPS behavior:
   Action to take...: Provides a combination of choices that configure different logging, shutdown and continue options in the event of a switch to battery power.
   Force shutdown...: Used to forcibly shut down the system once battery power falls below a set level (between 5% and 30%). This feature will only work with UPS devices that support UPS 'Smart' mode (refer to the UPS device's technical documentation to determine if this functionality is supported).

To customize UPS behavior:
1. Navigate to the System > Hardware > UPS page.
2. Choose what action should be taken when using battery power from the Action to take drop-down list.
3. If the UPS device operates in Smart mode, use the Force shutdown drop-down list to choose the battery power level that will trigger the NITO system to be forcibly shut down.
4. Click Save.

Viewing UPS Device Status
If UPS monitoring is enabled and all UPS configuration is correct, the UPS area can be used to view a variety of UPS status information. The following information fields are displayed:
   Status: The current status of the UPS device.
   UPS monitor daemon: The current status of the system's UPS monitoring service.
   Time and date of listed status information: The time of the last update.
   Model: The model description of the UPS device.
   Serial number: The serial number of the UPS device.
   Cable type: The UPS device's cable connection type.
   Load percentage: The current load required from the UPS as a percentage of the total UPS output capacity.
   Battery charge: The amount of charge currently stored in the UPS device's battery.
   Estimated battery run time: The estimated duration for which battery power can be sustained while being used.
   Time been on battery: The amount of time that the UPS device has been running on battery power (if currently running on battery).
   Line supply voltage: The mains voltage.
   Line supply frequency: The mains frequency.
   UPS internal temperature: The internal temperature of the UPS device.
   Last reason for switching to battery: The last reason for switching to battery power.
   Last time was on battery: The last date and time that the UPS device's battery was used.
   Last time came off battery: The last date and time that the UPS device switched from battery to mains.

Acting as a UPS Master Device
NITO can be configured to operate as a UPS master device, allowing it to connect to appropriately configured UPS devices and send them UPS status updates. UPS devices can be daisy-chained to propagate UPS status updates. This means that the system can operate as both a UPS device and a master, i.e. the system connects as a UPS device to a UPS system or device over a network and receives UPS status updates. Following each update, the system acts as a master by sending status information to its UPS devices.

To act as a UPS master device, UPS monitoring must be enabled and a local or network UPS connection must be configured and working correctly. The Local UPS configuration area is then used to enter the appropriate configuration settings.

To act as a UPS master:
1. Navigate to the System > Hardware > UPS page.
2. Enter the port number that UPS devices can connect to into the Port field.
3. Enter up to five IP addresses into the appropriate Slave IP Address fields. Each IP address should belong to a UPS device.
4. Click Save.
Managing Hardware Failover
NITO's hardware failover enables you to configure a failover NITO system which, in the event of hardware failure, provides all the protection and services your master NITO usually provides.

How does it work?
When configured and enabled, the failover NITO runs in a standby mode, monitoring the master NITO for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical NITO systems to be configured to provide hardware failover. The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails.

Note: Settings are copied intermittently, so it is possible that the failover unit will be a few minutes behind configuration changes made to the master.

If the master fails, it stops responding to the failover unit's heartbeat, and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode in which it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master. Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses for each of the master's interfaces, the failover unit essentially provides a drop-in replacement and the transition will generally go unnoticed.
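To make the timing described in this section concrete, the following Python model of the failover unit is added here as an example written for this guide; it is not part of NITO. The state names standby, suspect and active are the example's own labels for the phases described above (the guide does not name them), and the keep-alive interval, dead time and failure times in the scenario are constructed values. The model reproduces the detection delay of between zero and one keep-alive interval, the dead-time wait that absorbs transient faults such as a heavily loaded master, the takeover, the hand-back to the master when auto-failback is enabled, and a manual return to standby for configurations without auto-failback.

```python
"""Model of NITO hardware failover timing (constructed example, not NITO code).

State names are this example's own labels for the phases the guide describes:
  standby - polling the master every keep-alive interval
  suspect - master missed a heartbeat; waiting out the dead time
  active  - the failover unit has taken over the master's services
"""

STANDBY, SUSPECT, ACTIVE = "standby", "suspect", "active"


class FailoverUnit:
    def __init__(self, keep_alive=1.0, dead_time=30.0, auto_failback=True):
        self.keep_alive = keep_alive      # seconds between heartbeat polls
        self.dead_time = dead_time        # seconds to wait before taking over
        self.auto_failback = auto_failback
        self.state = STANDBY
        self.last_heartbeat = 0.0
        self.suspect_since = None
        self.took_over_at = None

    def heartbeat(self, now):
        """The master answered a heartbeat at time `now`."""
        self.last_heartbeat = now
        if self.state == SUSPECT:
            # Master revived within the dead time: treat it as a transient fault.
            self.state, self.suspect_since = STANDBY, None
        elif self.state == ACTIVE and self.auto_failback:
            # Master is back: hand control over, drop our configuration, stand by.
            self.state, self.took_over_at = STANDBY, None

    def enter_standby(self, now):
        """Manual failback: the Enter standby mode action on the failover unit."""
        self.state, self.took_over_at = STANDBY, None
        self.last_heartbeat = now

    def tick(self, now):
        """One keep-alive poll at time `now`; returns the resulting state."""
        if self.state == STANDBY and now - self.last_heartbeat > self.keep_alive:
            # The previous poll was answered but this one was not, so detection
            # lags the actual failure by at most one keep-alive interval.
            self.state, self.suspect_since = SUSPECT, now
        elif self.state == SUSPECT and now - self.suspect_since >= self.dead_time:
            self.state, self.took_over_at = ACTIVE, now
        return self.state


def worst_case_takeover(keep_alive, dead_time):
    """Upper bound on the time from master failure to takeover."""
    return keep_alive + dead_time


def simulate(keep_alive, dead_time, master_fails_at, master_returns_at=None,
             auto_failback=True, horizon=60.0):
    """Run the model with a master that fails (and optionally returns) at set times.

    Returns the list of (time, state) transitions, starting with (0.0, standby).
    """
    unit = FailoverUnit(keep_alive, dead_time, auto_failback)
    transitions = [(0.0, unit.state)]
    t = 0.0
    while t <= horizon:
        master_up = t < master_fails_at or (
            master_returns_at is not None and t >= master_returns_at)
        if master_up:
            unit.heartbeat(t)
        state = unit.tick(t)
        if state != transitions[-1][1]:
            transitions.append((t, state))
        t += keep_alive
    return transitions


if __name__ == "__main__":
    # Constructed scenario: 1 s keep-alive, 5 s dead time, master fails at 10 s
    # and returns at 30 s with auto-failback enabled.
    for when, state in simulate(1.0, 5.0, master_fails_at=10.0, master_returns_at=30.0):
        print("%6.1fs  %s" % (when, state))
```

With a 1 second keep-alive and a 5 second dead time, a master that fails at 10 seconds is suspected at 11 seconds and the failover unit goes active at 16 seconds, which is the keep-alive plus dead-time bound. If the master answers again before the dead time expires, the unit simply returns to standby, which is why a longer dead time trades takeover speed for tolerance of a briefly overloaded master.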
When the master starts to respond again, be it minutes, days or weeks later, and assuming that auto-failback is enabled, the failover unit hands control over to the master, deactivates its configuration and services and returns to standby mode.

Prerequisites
The following must be in place for hardware failover to work:
• A private network consisting of only the two NITO systems connected via their heartbeat interfaces, preferably using a crossover cable
• The failover unit must be plugged into all the switches the master is plugged into
• SSH must be enabled on the master; see Chapter 16, Configuring Admin Access Options on page 225 for more information.

Configuring Hardware Failover
Configuring hardware failover entails:
• On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
• On the failover unit, via SSH, running the setup program and deploying the failover archive.

Configuring the Master
To configure the master NITO:
1. Navigate to the Networking > Interfaces > Interfaces page.
2. From the Heartbeat interface drop-down list, select a network interface to use for the heartbeat communication between the master and failover unit.

Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure, as a switch carrying the heartbeat interface could itself fail.

3. Click Save and Restart to save the setting and restart networking.

Note: If NITO is connected to the Internet, you must disconnect before you can restart networking.

4. Navigate to the System > Hardware > Failover page.
5. Configure the following settings:
   Enabled: Select to enable failover.
   Auto failback: Select if you want the failover unit to automatically hand control back to the master when the master starts to respond again after a hardware failure. The failover unit will hand control over to the master, deactivate its configuration and services and return to standby status.
   Keep-alive interval: Set the interval at which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval, which is undetectable in terms of system performance.
   Dead time: Specify how long the failover unit should wait, after it has become aware that the master is no longer responding, before taking over from the master.
   Master heartbeat IP: Enter an IP address for the master.
   Slave heartbeat IP: Enter an IP address for the failover unit.
   Netmask: Enter a netmask.
   Note: We recommend that the heartbeat network be private and used only by the master and failover units.
6. Click Save.
7. Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.

The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive
A failover archive contains the settings required to configure the failover unit to provide hardware failover for NITO.

To generate a failover archive:
1. Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 233.
2. Click Generate slave setup archive. NITO generates the archive and prompts you to specify where to save it.
3. Save the archive on USB storage media.

The next step is to use the archive to implement the failover settings on the failover unit.

Note: The size of the failover unit archive varies depending on the Nomadix modules installed. 50 MB is an average size.

Implementing Failover Settings on the Failover Unit
Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.

To implement failover on the failover unit:
1. Access the failover unit using one of the following methods:
   • The built-in Java shell client on the System > Maintenance > Shell page, see Shell Access on page 220
   • An alternative SSH client such as PuTTY
2. On the command line, enter setup to start the NITO Setup program.
3. From the Setup menu, select Restore configuration and press Enter.
4. Select USB storage media and press Enter. You are prompted to insert the media.
5. Insert the USB storage media in the USB port located on NITO's front panel and press Enter.
6. Select the archive and press Enter. The failover settings are installed.
7. When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover
There are no noticeable differences between administering a NITO used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day-to-day basis. However, from time to time, you will need to install updates. Updates are not applied automatically, in order to ensure that the failover unit can provide a known good system to fail over to in case of any issues resulting from updates to the master.

Accessing the Failover Unit
With failover implemented, the active NITO system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit.
When you need to access the failover unit directly you can do so using a variation of the address for master. For example, to access the master's Update page the address would usually look as follows: https://192.168.72.142:441/cgi-bin/admin/updates.cgi To access the settings on the failover unit, the address would be: https://192.168.72.142:440/cgi-bin/admin/updates.cgi All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441. The address used, in the example above: 192.168.72.142, is the address of the master, as when in standby mode the failover unit has no effective presence on any of the local or remote networks. Testing Failover In order to test failover, you can force the master to enter standby mode. To test failover: 1. On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master. 2. To restore operations to the master, on the active system, go to theSystem > Hardware > FailoverFailover page and click Enter standby mode. Operations will be transferred to the master. Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode. Manual Failback In configurations where Auto failback is not enabled, when the failover unit is in active operation, but the master system has become available again after corrective action has been taken you can manually failback to the master. To manually failback: 1. On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation. Configuring Modems NITO can store up to five modem profiles. 236 Nomadix NITO User Guide To configure a modem profile: 1. Browse to the System > Hardware > Modem page. 2. Configure the following settings: Setting 3. 
Description Profiles From the drop-down list, select Empty to create a modem profile. Profile name Enter a name of the modem profile. Interface Select the serial port that the modem is connected to. Computer to modem rate Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate. Modem speaker on Select to enable audio output during the modem dialing process, if the modem has a speaker. Dialing mode Select the dialing mode. Tone – Select if your telephone company supports tone dialing. Pulse – Select if your telephone company supports pulse dialing. Init Enter the commands required to initialize the modem. Hangup Enter the commands required to end a connection. Speaker on Enter the commands required to turn the speaker on. Speaker off Enter the commands required to turn the speaker off. Tone dial Enter the commands required to turn tone dialing on. Pulse dial Enter the commands required to turn pulse dialing on. Connect timeout Enter the amount of time in seconds to allow the modem to attempt to connect. Click Save to save your settings and create the profile. 237 Managing Your NITO Installing and Uploading Firmware Installing and Uploading Firmware NITO can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work. To upload and install the Alcatel firmware: 1. Navigate to the System > Hardware > Firmware upload page. 2. Click Browse adjacent to Upload file field. 3. Use the browser's Open dialog to find and open the mgmt.o firmware update file. 4. Click Upload to upload the firmware update. Note: Once this process has been completed, the system must be rebooted before the new firmware is activated. Note: The 330 version of this modem also requires its own firmware update to function correctly. Diagnostics The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis. 
Configuration Tests

The Configuration tests page is used to ensure that your current NITO settings are not likely to cause problems. Components installed on your NITO add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are pinged and network routing is tested.

To test your configuration:
1. Navigate to the System > Diagnostics > Configuration tests page.
2. Click Perform tests. The results are displayed in the Details area.

Generating Diagnostics

NITO provides diagnostics facilities, typically used to provide Nomadix support engineers with complete system configuration information to aid problem solving.

To generate a diagnostics file:
1. Navigate to the System > Diagnostics > Diagnostics page.
2. Configure the following settings:
System: Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Modules: Select All to include all modules, or individually select the modules you want to include in the diagnostics results.
3. Click Generate. When prompted, save the results in a suitable location for review.

IP Tools

The IP tools page is used to check connectivity, both from NITO to computers on its local networks and to hosts located externally on the Internet. There are two IP tools:
• Ping – Ping establishes that basic connectivity to a specified host can be made. Use it to prove that NITO can communicate with hosts on its local networks and with external hosts on the Internet.
• Traceroute – Traceroute reveals the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.

The output of these commands is as it would be if the commands were run directly by the root user from the console of the NITO system. It is, of course, more convenient to run them from this page.

Using Ping

To use Ping:
1. Navigate to the System > Diagnostics > IP tools page.
2. Select the Ping option from the Tool drop-down list.
3. Enter the IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4. Click Run. The result of the ping command is displayed.

Using Traceroute

To use Traceroute:
1. Navigate to the System > Diagnostics > IP tools page.
2. Select the Traceroute option from the Tool drop-down list.
3. Enter the IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4. Click Run. The result of the traceroute command is displayed.

Whois

Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:
1. Navigate to the System > Diagnostics > Whois page.
2. Enter the IP address or domain name that you wish to look up in the IP addresses or domain name field.
3. Click Run.

The output of Whois is as it would be if it were run directly by the root user from the console of the NITO system.

Analyzing Network Traffic

The Traffic analysis page displays detailed information on the traffic currently on the network.

To analyze traffic:
1. Navigate to the System > Diagnostics > Traffic analysis page.
2. From the Interface drop-down list, select the interface.
3. From the Time to run for drop-down list, select how long to analyze the traffic.
4. Click Generate. After the specified time has elapsed, a breakdown of the ports and services that have been used is presented, along with specific information on the connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received in web requests.

Managing CA Certificates

When NITO's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. NITO validates certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page. The following sections describe how to import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates

By default, NITO comes with certificates issued by well-known and trusted CAs.

To review the certificates:
1. Browse to the System > Certificates > Certificate authorities page. NITO displays the certificates available. It also shows which certificates are valid and which are built-in, i.e. included in NITO by default.
2. To review a specific certificate, click on its name. NITO displays it.
3. Click your browser's Back button to return to NITO.

Importing CA Certificates

To import CA certificates:
1. Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.
2. Click Browse, navigate to the certificate and select it.
3. Click the import option. NITO imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates

To export certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate.
2. From the Export format drop-down list, select one of the following options:
CA certificate in PEM: Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN: Export the certificate in a binary certificate format.
3. Click Export and save the certificate on a suitable medium.

Deleting and Restoring Certificates

You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required.

To delete certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. NITO removes the certificate(s).

To restore the built-in list:
1. On the System > Certificates > Certificate authorities page, click Clear built-in deleted list. NITO restores any built-in certificates which have been deleted from the list.

17 Centrally Managing Nomadix Systems

In this chapter:
• About centrally managing Nomadix systems
• Pre-requirements
• Setting up a Nomadix system
• Managing nodes in a system.

About Centrally Managing Nomadix Systems

NITO's central management enables you to monitor and manage nodes in a Nomadix system. A Nomadix system is comprised of an instance of a Nomadix product running as a parent node and one or more compatible Nomadix products running as child nodes managed by the parent node.

Configuring and managing a Nomadix system entails:
• Configuring a parent and the nodes in the system, for more information, see Setting up a Centrally Managed Nomadix System on page 246
• Actively monitoring the nodes in the system, for more information, see Monitoring Node Status on page 251
• Applying updates, for more information, see Scheduling and Applying Updates to One or More Nodes on page 252
• Rebooting nodes as required, for more information, see Rebooting Nodes on page 253
• Disabling nodes as required, for more information, see Disabling Nodes on page 253
• Managing central logging, for more information, see Configuring Child Node Log Retention on page 253.
Pre-requirements

Before you start to set up a centrally managed Nomadix system:
• Check that all the Nomadix machines you intend to include in the system have the latest updates applied. For more information, see Chapter 16, Managing Updates on page 211
• Check that you have administrator access to all of the computers you want to include in the system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Nomadix System

Setting up a centrally managed Nomadix system entails:
• Configuring the parent node in the system
• Configuring child node settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.

Configuring the Parent Node

The first step when configuring a Nomadix system is to configure the parent node in the system.

To configure the parent node:
1. Log in to the instance of NITO you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.
3. Configure the following settings:
Local node options: Parent node – Select this option to enable central management and configure this instance of NITO as the parent node in the Nomadix system.
4. Click Save. This instance of NITO becomes the parent node and can be used to centrally manage the Nomadix system.

Configuring Child Nodes

Every child node in a Nomadix system must have a central management key installed and SSH enabled.

To configure a child node:
1. On the system's parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:
Local node options: Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys: Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3. On the Nomadix product you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
Local node options: Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys: Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to add to the system.

Adding Child Nodes to the System

When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
• Manually, by adding each node separately, see Manually Adding Child Nodes on page 248
• By importing node information from a CSV file, for more information, see Importing Nodes into the System on page 249.

Manually Adding Child Nodes

Adding child nodes manually entails entering the information for each node separately.

To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Add node and configure the following settings:
Node details:
Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – Enter the IP address or hostname of the child node.
Comment – Optionally, enter a comment describing the child node.
Node settings:
Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, see Chapter 16, Creating an Archive on page 215.
Central logging – Select to enable central logging on the child node.
Allow parent to monitor status – Select to enable central monitoring for the child node.
Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas are used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by moving between different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 251.

Importing Nodes into the System

If child node information is available in a comma separated values (CSV) file, you can import it directly into the parent node.

About the CSV File

Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:

Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment

The possible values for the fields are as follows:
Name: The node name. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname: The IP or hostname of the node. This field is required.
Central logging: Determines if central logging is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Monitor status: Determines if central monitoring is enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Central resources: Determines if resources are managed by the parent. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Replication profile: The name of the replication profile used on the node. This field is optional and may be empty. For more information, see Chapter 16, About Archive Profiles on page 214.
Enabled: Determines if the node settings are enabled or disabled. This field is required. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0.
Comment: A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.

For full information on what the settings do, see Manually Adding Child Nodes on page 248.

Importing Node Information

The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 249.

To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file. Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.
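Because the import silently overwrites any existing node that shares a name with a row in the file, it is worth checking a CSV file against the field rules above before uploading it. The following Python validator is an added example, not Nomadix code: it applies the 8-field order, the required/optional rules, the yes/on/1 and no/off/0 values and the ASCII-only name and comment rules from the guide, and it warns about rows that would overwrite an existing node. Case-insensitive matching of the flag values, and the sample rows, are assumptions of the example.

```python
# Validator for NITO child-node CSV import files (added example, not Nomadix code).
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# The eight fields, in the order the guide specifies.
FIELDS = ("Name", "IP/hostname", "Central logging", "Monitor status",
          "Central resources", "Replication profile", "Enabled", "Comment")

# Names and comments: letters, numbers, spaces, underscores and full stops only
# (ASCII classes, because the guide states that Unicode is not supported).
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")
COMMENT_RE = re.compile(r"^[A-Za-z0-9 _.]*$")

# Accepted spellings for the yes/no fields. Case-insensitive matching is an
# assumption of this example; the guide lists the lower-case forms.
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}


@dataclass
class ChildNode:
    name: str
    address: str
    central_logging: bool
    monitor_status: bool
    central_resources: bool
    replication_profile: Optional[str]
    enabled: bool
    comment: str


def parse_flag(value: str, field: str, line_no: int) -> bool:
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"line {line_no}: {field} must be yes/on/1 or no/off/0, got {value!r}")


def parse_node_csv(text, existing_names=()):
    """Return (nodes, errors, warnings). Rows with errors are skipped; a warning
    flags any Name that matches an existing node or an earlier row, because the
    import overwrites such nodes without further confirmation."""
    nodes, errors, warnings = [], [], []
    seen = set(existing_names)
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != len(FIELDS):
            errors.append(f"line {line_no}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        name, addr, log_flag, mon_flag, res_flag, profile, en_flag, comment = [c.strip() for c in row]
        try:
            if not name:
                raise ValueError(f"line {line_no}: Name is required")
            if not NAME_RE.match(name):
                raise ValueError(f"line {line_no}: Name {name!r} contains unsupported characters")
            if not addr:
                raise ValueError(f"line {line_no}: IP/hostname is required")
            if not COMMENT_RE.match(comment):
                raise ValueError(f"line {line_no}: Comment contains unsupported characters")
            node = ChildNode(
                name=name,
                address=addr,
                central_logging=parse_flag(log_flag, "Central logging", line_no),
                monitor_status=parse_flag(mon_flag, "Monitor status", line_no),
                central_resources=parse_flag(res_flag, "Central resources", line_no),
                replication_profile=profile or None,  # optional, may be empty
                enabled=parse_flag(en_flag, "Enabled", line_no),
                comment=comment,
            )
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if name in seen:
            warnings.append(f"line {line_no}: node {name!r} already exists and will be overwritten")
        seen.add(name)
        nodes.append(node)
    return nodes, errors, warnings


# Constructed sample file: two valid rows, a row re-using the name from row 1,
# a row with an invalid flag value and a row with a non-ASCII name.
SAMPLE_CSV = """\
branch_01,10.0.1.2,yes,on,1,office-profile,yes,Main office
branch_02,node2.example.com,no,off,0,,1,
branch_01,10.0.1.3,yes,yes,yes,,yes,duplicate name
branch_03,10.0.1.4,maybe,yes,yes,,yes,bad flag
branch_ü4,10.0.1.5,yes,yes,yes,,yes,unicode name
"""

if __name__ == "__main__":  # branch_02 is assumed to exist on the parent already
    good, bad, warn = parse_node_csv(SAMPLE_CSV, existing_names={"branch_02"})
    print("\n".join(bad + warn))
    print(f"{len(good)} importable, {len(bad)} rejected, {len(warn)} overwrite(s)")
```

Run it against the real file before clicking Import; any row listed under warnings will replace the node of the same name on the parent.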
Editing Child Node Settings

When required, it is possible to edit child node settings.

To edit a child node's settings:
1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2. Make the changes required; see Manually Adding Child Nodes on page 248 for full information on the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.

Deleting Nodes in the System

It is possible to delete nodes that are no longer required in the system.

To delete a node:
1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Nomadix System

Managing nodes in a Nomadix system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary

Monitoring Node Status

The central management node overview on the parent node displays a list of all of the nodes in the Nomadix system. It also displays the nodes' current status and whether updates for the nodes are available.

To monitor node status:
1. On the parent node, browse to the System > Central management > Overview page. The parent node displays the current node status.

Node information is contained in the following fields:
Name: The Name field displays the name of the node. Click on the name to log in to the node.
Status: The Status field displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 251. The following statuses are possible:
OK – the node is functioning and does not require attention.
Critical – the node requires immediate attention. Click on the node's status field for more information.
Warning – the node does not require immediate attention but should be checked for problems. Click on the node's status field for more information.
Updates: The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 252. Click on the Updates text to display detailed information on the node.

Accessing the Node Details Page

It is possible to view detailed information on a node by accessing the node details page.

To access a node details page:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information on and click on its Status text. NITO displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.

Working with Updates

You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node

You can review and apply updates to a node as they become available.

To review and apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
Now – Select to apply the updates to the node immediately.
Later – From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes

You can apply updates to one or more nodes immediately or schedule them for application later.

To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3. In the Install updates area, select one of the following options:
Now – Select to apply the update(s) to the node(s) immediately.
Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates

It is possible to clear any scheduled updates.

To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. NITO displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes

When required, you can reboot a child node from the system's parent node.

To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
Now – Select to reboot the node immediately.
Later – From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.

Disabling Nodes

It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally

You may need to work on a child node in a system and, for example, want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.

To disable a node locally:
1. On the node you want to disable, browse to the System > Central management > Local node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable.

Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally are listed as Node uncontactable.

Disabling Nodes System-wide

You may need to disable a child node in a system, for example in the case of hardware failure. You can do this by disabling the child node system-wide.

To disable a node system-wide:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Configuring Child Node Log Retention

It is possible to configure how long child node logs are retained on the parent node.

To configure child node log retention:
1. Browse to the System > Central management > Local node settings page.
2. Configure the following settings:
Manage central management local log retention: Local log retention – This setting determines how long a copy of the child node's logs is kept on the parent node. From the drop-down list, select the length of time to retain the logs. The information in the retained logs can be used in:
• Zap (email) user activity summary report, which generates a summary of a user's/domain's incoming and outgoing mail
• Guardian3 user activity report, which generates a report on the browsing activity of local users by the number of sites visited or the amount of data received.
3. Click Save. NITO applies the settings you have configured.

18 Information, Alerts and Logging

In this chapter:
• About the dashboard, registration and initial setup pages
• Viewing, analyzing and configuring alerts, realtime information and log files.

About the Dashboard

The dashboard is the default home page of your NITO system. The dashboard displays a to-do list for getting started, service information, external connectivity controls and a number of summary reports.

To access the dashboard:
1. Browse to Dashboard.

About the About Page

The About page displays product, registration, copyright and trademark information. It also displays acknowledgements.

To access the About page:
1. Browse to the bottom of the page you are on and click About.

Alerts

NITO contains a comprehensive set of incident alerting controls.

Overview

Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example an administrator login failure, or a series of events occurring over a particular time period, for example a sustained high level of traffic over a five minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. Some situations are constantly monitored, particularly those relating to critical failures, for example UPS and power supply alerts. It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts

Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143.

You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

Hardware failure alerts, harddisk failure: Generates messages when hardware problems are detected.
License expiry status warnings: Generates messages when the license is due for renewal or has expired. Monitored once an hour.
UPS, Power Supply status warnings: Generates messages when server power switches to and from mains supply. Constant monitoring.
System Resource Monitor: These alerts are triggered whenever the system resources exceed predefined limits. Monitored once every five minutes.
Firewall Notifications: Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.
System Service Monitoring: This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.
Health Monitor: Checks on remote services for activity.
Output System Test Messages: Catches test alerts generated for the purposes of testing the NITO output systems. Constant monitoring.
Administration Login Failures: Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.
Update Monitoring: Monitors the system for new updates once an hour.
System Boot (Restart) Notification: This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored once every five minutes.

Enabling Alerts

Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143.

NITO contains a comprehensive set of incident alerting controls.

To enable alerts:
1. Browse to the Logs and reports > Alerts > Alerts page.
2. Configure the following settings:
Group name: From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 274.
Enable instantaneous alerts: By default, NITO queues alerts in two minute intervals and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.
3. For each alert you want to send, select the delivery method: SMS or Email.
4. Click Save.
Looking up an Alert by Its Reference To view the content of an alert that has already been sent: 1. Enter the alert’s unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page. Configuring Alert Settings Note: For information on Guardian alerts, see Chapter 12, About Alerts on page 143. The following sections explain how to configure NITO alert settings. 257 To access the alert settings: 1. Browse to the Logs and reports > Alerts > Alert settings page. Configuring the System Resource Alert This alert is triggered whenever particular system resources exceed some predefined limitations. To adjust the settings: 1. Enter or choose appropriate settings for each of the following controls: Setting 2. Description System load average Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention. Disk usage Used to set a disk space usage percentage threshold, that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance. System memory usage Used to set a system memory usage percentage threshold, that generates an alert once exceeded. NITO uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory. Click Save. Configuring the Firewall Notifications Alert This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. 258 To adjust the settings: 1. Enter or choose appropriate settings for each of the following controls: Setting 2. 
   Monitor Source (remote) IP addresses – Detects suspicious inbound communication from remote IP addresses. Alerts are generated if a rapid series of inbound requests from the same remote IP address is detected.
   Monitor Source (remote) Ports – Detects suspicious inbound communication from remote ports. Alerts are generated if a rapid series of inbound requests from the same remote port is detected.
   Monitor Destination (local) IP Addresses – Detects suspicious inbound communication to local IP addresses. Alerts are generated if a rapid series of inbound requests to the same local IP address is detected.
   Monitor Destination (local) Ports – Detects suspicious inbound communication to local ports. Alerts are generated if a rapid series of inbound requests to the same local port is detected.
2. Click Save.

Note: The adjacent Warning threshold and Incident threshold fields set the respective levels at which alerts are generated for each type of activity.

Note: To exempt particular ports from monitoring, enter a comma-separated list of ports into the appropriate Ignore fields.

Configuring the System Service Alert

This alert is triggered whenever a critical system service changes state, i.e. starts or stops. To adjust the settings for this alert:

1. Select the components, modules and services that should generate alerts when they start or stop.
2. Click Save.

Configuring the Health Monitor

This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to let you keep an eye on aspects of your network which are usually outside the remit of NITO. The health monitor provides the following checks and alerts:

Web Servers (HTTP)

When enabled, tries to retrieve the specified web page and checks that it contains specific keywords. This is for detecting defacement.
   Request URL – Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm. Note: Omit http:// when entering the URL.
   No of tries – Enter the number of times NITO should try to retrieve the page.
   Keywords – Enter the keywords to be checked for in the page. If the page has been retrieved and the keywords are missing, an alert is generated.

Other Services

Checks that the specified port is open and offering a service.

   IP Address – Enter the IP address.
   Port – Enter the port number.
   Protocol – From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check only that there is some response to connections on the associated port.
   No of tries – Enter the number of times NITO should check the address without receiving a response before generating an alert.

DNS Name Resolution

Checks that a domain has not expired or been hijacked.

   Name – Enter the domain name.
   Address – Enter the address of the domain.

To configure the alert:

1. For each service, enter the URL, IP address or name.
2. Enter keywords, port numbers and number of tries, if applicable.
3. Select the protocol.
4. Click Add for each service.

Configuring the Inappropriate Word in IM Monitor Alert

These alerts are generated whenever a user uses an inappropriate word or phrase in an instant messaging conversation. To configure the alert:

1. Configure the following settings:
   Enabled on received text – Select to generate the alert when an inappropriate word is used in a message received from a remote user.
   Enabled on sent text – Select to generate the alert when an inappropriate word is used in a message sent by a local user.
   Generate alert for each message which exceeds the Message Censor severity threshold – Select to generate an alert when the Message Censor threshold is exceeded.
   For information on the Message Censor threshold, see Chapter 13, Censoring Instant Message Content on page 157. From the drop-down list, select the threshold above which an alert is generated.
   Generate alert when users exceed the rate of inappropriate messages – Select to generate an alert when users exceed the specified number of inappropriate messages within a 15-minute period.
   Number of inappropriate messages in 15 mins – Specify how many inappropriate messages to allow in a 15-minute period before generating an alert.
2. Click Save to save the settings.

Realtime

The realtime pages provide access to realtime information about your system.

Note: For realtime information on web filtering, see Chapter 12, Realtime Web Filter Information on page 145.

System Information

The System page is a realtime version of the system log viewer with some filtering options. To access the System page:

1. Browse to the Logs and reports > Realtime > System page.

By default, all information in the system log is displayed and updated automatically approximately every second. To display information on specific components:

1. From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Firewall Information

The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by NITO. To access the page:

1. Browse to the Logs and reports > Realtime > Firewall page.

By default, information is displayed and updated automatically approximately every second. To display information on specific sources and destinations:

1. Enter a complete or partial IP address and/or port number in the fields and click Update.

Portal Information

The Portal page displays realtime information on users accessing NITO portals. To access the Portal page:
1. Browse to the Logs and reports > Realtime > Portal page.

For more information on portals, see Chapter 13, Working with User Portals on page 149.

Traffic Graphs

The Traffic graphs page displays a realtime graph of the bandwidth, in bits per second, being used by the currently selected interface. To access the Traffic graphs page:

1. Browse to the Logs and reports > Realtime > Traffic graphs page.

The Interfaces area displays a list of the active interfaces on NITO. Clicking an interface displays its current traffic. Top 10 Incoming displays the 10 IP addresses using the greatest amount of incoming bandwidth. Top 10 Outgoing displays the 10 IP addresses using the greatest amount of outgoing bandwidth.

Logs

The log pages display system, firewall, IPsec, intrusion system and proxy information.

System Logs

The system logs contain simple logging and management information. To access system logs:

1. Browse to the Logs and reports > Logs > System page.

The following filter criteria controls are available in the Settings area:

Section – Used to select which system log is displayed. The following options are available:
   Authentication service – Log messages from the authentication system, including service status messages and the user authentication audit trail.
   Kernel – Log messages from the core NITO operating system.
   Message censor – Displays information from the message censor logs.
   NTP – Log messages from the network time system.
   SystemD – Log messages from the system super server.
   SSH – Log messages from the SSH system.
   System – Displays server log information.
   Monitor – Displays monitoring system information, including service status and the alert/report distribution audit trail.
   System – Simple system log messages, including startup, shutdown, reboot and service status messages.
   UPS – Log messages from the UPS system, including service status messages.
   Update transcript – Displays information on update history.
Month – Used to select the month for which log entries are displayed.
Day – Used to select the day for which log entries are displayed.
Export format – Logs can be exported in the following formats:
   Comma Separated Values – The information is exported in comma-separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

To view specific information:

1. Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs

The firewall logs contain information on network traffic. To view the firewall logs:

1. Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs

The following filter criteria controls are available in the Settings area:

Section – Used to select which firewall log is displayed. The content of each section is discussed below.
Month – Used to select the month for which log entries are displayed.
Day – Used to select the day for which log entries are displayed.
Compression – Used to ghost repeated sequential log entries for improved log viewing.
Source – Enter an IP address and click Update to display log entries for that source address.
Src port – This drop-down list is populated with all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination – Enter an IP address and click Update to display log entries for that destination address.
Dst port – This drop-down list is populated with all destination ports contained in the firewall log.
Select a port and click Update to display log entries for that port.
Export format – Logs can be exported in the following formats:
   Comma Separated Values – The information is exported in comma-separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

The sections that can be viewed are as follows:

Main – All rejected data packets.
Incoming audit – All traffic to all interfaces that is destined for the firewall, if Direct incoming traffic is enabled on the Networking > Settings > Advanced page.
Forward audit – All traffic passing through one interface to another, if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
Outgoing audit – All traffic leaving from any interface, if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.

Viewing Firewall Logs

To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:

Time – The time that the firewall event occurred.
In – The interface at which the data packet arrived.
Out – The interface from which the data packet left.
Protocol – The network protocol used by the data packet.
Source – The IP address of the data packet's sender.
Src Port – The outbound port number used by the data packet.
Destination – The IP address of the data packet's intended destination.
Dst port – The inbound port number used by the data packet.

Looking up a Source IP – whois

The firewall log viewer can be used to find out more about a selected source or destination IP by using the whois tool. To use whois:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select a particular source or destination IP in the Source or Destination column.
3. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

Blocking a Source IP

The firewall log viewer can be used to add a selected source or destination IP to the IP block list. To block a source IP:

1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select one or more source or destination IPs.
3. Click Add to IP block list. The selected source and destination IPs are automatically added to the IP block list, which you can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 43 for more information.

Exporting Logs

To export and download all log entries generated by the current settings, click Export.

Exporting All Dates

To export and download all log entries generated by the current settings, for all dates available, select Export all dates and click Export.

Viewing and Sorting Log Entries

The following columns are displayed in the Web log region:

Time – The time the tunnel activity occurred.
Name – The name of the tunnel concerned.
Description – Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages. To sort the log entries in ascending or descending order on a particular column, click its column title hyperlink. Clicking the currently selected column reverses the sort direction.

IDS Logs

The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion detection system (IDS). To view the IDS logs:

1. Navigate to the Logs and reports > Logs > IDS page. NITO displays the results.
The following options are available:

Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
   Comma Separated Values – The information is exported in comma-separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Exporting Logs

To export logs:

1. Filter the logs to show the information you want to export.
2. Select the export format and whether to export all dates.
3. Click Export. To save the exported log, use the browser's File > Save As option.

IPS Logs

The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS). To view the IPS logs:

1. Navigate to the Logs and reports > Logs > IPS page. NITO displays the results.

The following options are available:

Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
   Comma Separated Values – The information is exported in comma-separated text format.
   Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
   Raw Format – The information is exported without formatting.
   Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

User Portal Logs

The User portal log page displays information on users who have accessed user portals. To view user portal log activity:

1. Browse to the Logs and reports > Logs > User portal page.
NITO displays the information.

Configuring Log Settings

NITO can send logs to an external syslog server, automatically delete log files when disk space is low, and set the maximum log file retention. To configure logging settings:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Syslog logging area, select the logging you require.
3. To enable and configure remote logging, configure the following settings:
   Remote syslog – To send logs to an external syslog server, select this setting.
   Syslog server – If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
   Default retention – To set default log retention for all of the logs listed above, select one of the following settings:
      1 Day – Rotate the log file daily and keep the last day.
      2 Days – Rotate the log file daily and keep the last 2 days.
      A week – Rotate the log file weekly and keep the last week.
      2 weeks – Rotate the log file weekly and keep the last 2 weeks.
      A month – Rotate the log file monthly and keep the last month.
      2 months – Rotate the log file monthly and keep the last 2 months.
      Three months – Rotate the log file monthly and keep the last 3 months.
      Four months – Rotate the log file monthly and keep the last 4 months.
      Five months – Rotate the log file monthly and keep the last 5 months.
      Six months – Rotate the log file monthly and keep the last 6 months.
      Seven months – Rotate the log file monthly and keep the last 7 months.
      Eight months – Rotate the log file monthly and keep the last 8 months.
      Nine months – Rotate the log file monthly and keep the last 9 months.
      Ten months – Rotate the log file monthly and keep the last 10 months.
      Eleven months – Rotate the log file monthly and keep the last 11 months.
      A year – Rotate the log file monthly and keep the last 12 months.
4. Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5. Click Save.
NITO will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings

NITO enables you to configure retention settings for other logs. To configure other logs:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Other logging area, configure the following settings:
   Default retention – To set default log retention for all of the logs listed in the table below, select one of the following settings:
      1 Day – Rotate the log file daily and keep the last day.
      2 Days – Rotate the log file daily and keep the last 2 days.
      A week – Rotate the log file weekly and keep the last week.
      2 weeks – Rotate the log file weekly and keep the last 2 weeks.
      A month – Rotate the log file monthly and keep the last month.
      2 months – Rotate the log file monthly and keep the last 2 months.
      Three months – Rotate the log file monthly and keep the last 3 months.
      Four months – Rotate the log file monthly and keep the last 4 months.
      Five months – Rotate the log file monthly and keep the last 5 months.
      Six months – Rotate the log file monthly and keep the last 6 months.
      Seven months – Rotate the log file monthly and keep the last 7 months.
      Eight months – Rotate the log file monthly and keep the last 8 months.
      Nine months – Rotate the log file monthly and keep the last 9 months.
      Ten months – Rotate the log file monthly and keep the last 10 months.
      Eleven months – Rotate the log file monthly and keep the last 11 months.
      A year – Rotate the log file monthly and keep the last 12 months.
3. Click Advanced to see what other logs are available and to decide whether to set individual log retention settings:
   Default retention – From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
   Intrusion detection logs – From the drop-down menu, select how long you want to keep intrusion detection logs.
   Intrusion prevention logs – From the drop-down menu, select how long you want to keep intrusion prevention logs.
   IM logs – From the drop-down menu, select how long you want to keep instant messaging logs.
4. Click Save. NITO will now retain the logs as you have specified.

Managing Automatic Deletion of Logs

NITO can be set to automatically delete log files when there is only a limited amount of free disk space available. To configure automatic log deletion:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Automatic log deletion area, configure the settings:
   Delete old logs when free space is low – Select to automatically delete logs when the specified amount of disk space has been used.
   Amount of disk space to use for logging – From the drop-down list, select the level at which NITO will delete logs.
3. Click Save. NITO will delete the logs when the specified amount of disk space has been used.

Configuring Groups

The Groups page is used to create groups of users which can be configured to receive automated alerts and reports.

Creating Groups

To create a group of users:

1. Browse to the Logs and reports > Settings > Groups page.
2. Configure the following settings:
   Group name – From the Group name drop-down list, select Empty and click Select.
   Name – Enter a name for the group.
3. Click Save. NITO creates the group. In the Add user area, configure the following settings:
   Name – Enter a user's name.
   SMS number – If required, enter the user's SMS number details.
   Comment – Optionally, enter a description or comment.
   Email address – If required, enter the user's email address.
   Enable HTML Email – Select if you want emailed reports to be sent in HTML format.
4. Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.
5. Click Add.
The user's details are added to the list of current users in the Current users region.

Editing a Group

To edit a group:

1. Browse to the Logs and reports > Settings > Groups page.
2. Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.
3. Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group

To delete a group:

1. Browse to the Logs and reports > Settings > Groups page.
2. Select the group to be deleted using the Group name drop-down list.
3. Click Delete.

Configuring Output Settings

Reports and alerts are distributed according to NITO's output settings. In order to send reports and alerts, NITO must be configured to operate with mail servers and email-to-SMS gateway systems. To access output settings:

1. Browse to the Logs and reports > Settings > Output settings page.

About Email to SMS Output

NITO generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message, which is then sent. A wide variety of email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format in which an email should arrive. While there are a few conventions (usually the destination SMS number is placed in the email's subject line), it is necessary to configure NITO so that it formats email messages as specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, NITO uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

%%ALERT%% – The content of the alert message.
%%SMS%% – The recipient's SMS number.
%%EMAIL%% – The recipient's email address.
%%HOSTNAME%% – The hostname of the NITO system (useful when using multiple firewall systems).
%%DESCRIPTION%% – The description of the NITO system (useful when using multiple firewall systems).
%%--%% – A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration provides this:

%%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration provides this:

%%ALERT%%

Networks with multiple NITO systems may wish to include details of the system that generated the alert; the following examples provide this:

%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. NITO can be configured to truncate messages; in this mode, all characters past position 155 are removed and the text ".. +" is appended to the message to indicate that truncation has occurred.

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. When truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that truncation is applied only to the alert content.

Configuring Email to SMS Output

To configure NITO's SMS settings:

1. Browse to Logs and reports > Settings > Output settings.
2. In the Email to SMS Output System area, configure the following settings:
   SMTP server – Enter the hostname or IP address of the SMTP server to be used by NITO.
   Sender's email address – Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
   SMS to address – Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
   Truncate SMS messages to 160 characters – Select if you want the content of the SMS message body to be truncated to 160 characters, or if your email-to-SMS gateway service provider instructs you to do so.
   Enable SMTP auth – Select to use SMTP authentication if required.
   Username – If using SMTP auth, enter the username.
   Password – If using SMTP auth, enter the password.
   SMS subject line – Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
   SMS message body – Enter additional parameters and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.
3. Click Save.

Testing Email to SMS Output

To test the output system:

1. In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2. Click Send test.

Output to Email

To configure email settings:

1. Browse to Logs and reports > Settings > Output settings.
2. In the SMTP (Email) Output System area, configure the following settings:
   SMTP server – Enter the hostname or IP address of the SMTP server to be used by NITO.
   Sender's email address – Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
   Enable SMTP auth – Select to use SMTP authentication if required.
   Username – If using SMTP auth, enter the username.
   Password – If using SMTP auth, enter the password.
3. Click Save.

Generating a Test Alert

To generate a test alert:

1. Configure Email to SMS output and/or SMTP (Email) output.
2. Click Generate test alert.

Appendix A: Authentication

In this appendix:

• Authentication methods.

Overview

NITO's authentication system enables the identity of internal network users to be verified, so that service permissions and restrictions can be applied dynamically according to a user's group membership.

• Identity verification – authenticate users by checking supplied identity credentials, e.g. usernames and passwords, against known user profile information.
• Identity confirmation – provide details of known authenticated users at a particular IP address.

Verifying User Identity Credentials

In order to authenticate users, NITO must be able to verify the identity credentials (usernames and passwords) supplied by network users. Credentials are verified against the authentication system's local user database. Network users must provide their identity credentials when using an authentication-enabled service for the first time. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status is set to 'Unauthenticated'.
Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services. A user that is authenticated can be described as being logged in.

About Authentication Mechanisms

All authentication-enabled services use the authentication system to discover which users are accessing them. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:

• Passive interrogation of whether there is an already-authenticated user at a particular IP address and, if so, their details.
• Active provision of user-supplied identity credentials, for onward authentication.

The means by which these two types of interaction are combined and implemented defines a particular named authentication mechanism.

The Core Authentication Mechanism

This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms

All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. However, if the user is currently unauthenticated, the second type of interaction occurs, i.e. the requesting service proactively provides end-user identity credentials to the authentication system for onward authentication.
Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism

As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism; in such cases, the authentication mechanism is always 'Core authentication'.

About the Login Time-out

The login time-out is the length of time that a user's authenticated status lasts once they are authenticated. Time-out does not occur if NITO can determine that the same user is still active, for example by seeing continued web browsing from the same user. However, if NITO sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status is invalidated.

The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights if the original user fails to proactively log out.

NITO and DNS

NITO's authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using NITO's setup program. NITO's DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up a NITO connectivity profile. In this way, NITO can be configured to use an internal DNS server, and the internal DNS server can, in turn, be configured to use NITO as its DNS forwarder.
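The forwarder arrangement just described (internal DNS server in front, forwarding everything it is not authoritative for to NITO's DNS proxy) exists because of how a stub resolver treats a list of servers: a "host not found" answer is final, only an unanswered query makes the client move on to another server, and which server is asked first is arbitrary. The simulation below is an added example, not code from this guide or from Nomadix/Smoothwall; it models those three rules with a constructed topology (a public resolver, NITO's proxy forwarding to it, and an internal server authoritative for domain.local; all names and addresses are made up) and compares a client that lists an internal and an external server with a client that lists only the forwarding internal server.

```python
"""Stub-resolver behaviour with mixed internal/external DNS servers
(added example, not NITO's own code).

Rules modelled, all standard stub-resolver behaviour: NXDOMAIN is final,
only silence (timeout) causes failover to another server, and the order in
which servers are tried is arbitrary.  The topology, host names and
addresses are constructed for the example.
"""
import random
from typing import Dict, Optional, Sequence

NXDOMAIN = "NXDOMAIN"   # authoritative "host not found"
TIMEOUT = "TIMEOUT"     # no answer at all


class DnsServer:
    """Toy server: answers from its own records, says NXDOMAIN for names in a
    zone it owns, and otherwise forwards if it has a forwarder."""

    def __init__(self, name: str, records: Dict[str, str], zones: Sequence[str] = (),
                 forwarder: Optional["DnsServer"] = None, reachable: bool = True) -> None:
        self.name, self.records, self.zones = name, records, tuple(zones)
        self.forwarder, self.reachable = forwarder, reachable

    def query(self, host: str) -> str:
        if not self.reachable:
            return TIMEOUT
        if host in self.records:
            return self.records[host]
        if any(host.endswith("." + z) for z in self.zones):
            return NXDOMAIN          # we own the zone, so "not found" is authoritative
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN              # unknown name and nowhere else to ask


def resolve(servers: Sequence[DnsServer], host: str,
            rng: Optional[random.Random] = None) -> str:
    """Client-side lookup.  rng=None keeps the list order (handy for tests);
    a seeded Random reproduces the 'any server may be asked first' behaviour."""
    order = list(servers)
    if rng is not None:
        rng.shuffle(order)
    for server in order:
        answer = server.query(host)
        if answer == TIMEOUT:
            continue                 # only silence triggers failover
        return answer                # an address or NXDOMAIN is accepted as-is
    return TIMEOUT


def success_rate(servers: Sequence[DnsServer], hosts: Sequence[str],
                 trials: int = 200, seed: int = 1) -> float:
    """Fraction of lookups that yield an address when server order is random."""
    rng = random.Random(seed)
    ok = sum(resolve(servers, h, rng) not in (NXDOMAIN, TIMEOUT)
             for h in hosts for _ in range(trials))
    return ok / (len(hosts) * trials)


# Constructed topology.
PUBLIC = DnsServer("public", {"www.example.com": "192.0.2.80"})
NITO_PROXY = DnsServer("nito-dns-proxy", {}, forwarder=PUBLIC)
INTERNAL_ISOLATED = DnsServer("dc1", {"dc1.domain.local": "10.0.0.5"},
                              zones=["domain.local"])
INTERNAL_FORWARDING = DnsServer("dc1", {"dc1.domain.local": "10.0.0.5"},
                                zones=["domain.local"], forwarder=NITO_PROXY)
HOSTS = ["dc1.domain.local", "www.example.com"]

if __name__ == "__main__":
    print("client lists internal + external:     ",
          success_rate([INTERNAL_ISOLATED, PUBLIC], HOSTS))
    print("client lists internal (forwards to NITO):",
          success_rate([INTERNAL_FORWARDING], HOSTS))
```

With the mixed list, roughly half of all lookups fail regardless of which name is asked for: an internal name sent to the public server and an external name sent to the isolated internal server both come back NXDOMAIN, and the client does not retry. Listing only the internal server and giving it NITO as forwarder resolves every name, and the only remaining failure mode is the internal server being down, which the client does handle by failover.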
A Common DNS Pitfall

Often NITO is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server configured as the secondary DNS server. This is not the correct way to configure DNS servers on any client. DNS is a system that was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. With the proliferation of private networks and internal DNS zones, this is no longer the case. A DNS client will behave in the following way when looking up a host:

• If a reply of “host not found” is received, the client will NOT ask other DNS servers
• If the DNS server is not answering, the client will try to ask another DNS server
• The client will choose randomly between the configured DNS servers

Taking the above conditions into account, it is clear that a DNS configuration that has both an internal DNS server and an external DNS server in the configuration will not work, or at least will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, like NITO’s DNS proxy server.

Working with Large Directories

The Additional group search roots option enables you to specify several OUs in which to search for groups. When dealing with large directories, a search through the entire directory can take a long time and make the NITO Include groups page unwieldy to manage. Normally, a specified group search root can help in narrowing the scope of where to search for groups, but if groups are distributed in multiple OUs, one group search root may not be enough. Consider, for example, a directory with 5000 users and 2500 groups.
Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of. The administrator of the Active Directory domain has 2 OUs where the groups to be mapped are located. In the group search root, the administrator enters the path for the primary OU and in the additional group search root, the second OU is entered:

User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local

The above example is for a multi-domain Active Directory installation, where the second OU is in the subdomain sub1. Remember that multiple groups can be mapped to the same NITO permissions group.

Active Directory

The following sections describe usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types

A user account on a Windows 2000+ server will have 2 types of usernames:

• A Windows 2000+ username, which takes the form of user@domain.local
• An old-style Windows NT 4 username, which has no domain attached to it.

When a Windows 2000+ domain has been migrated from a legacy Windows NT 4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames. In order for NITO authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.

About Kerberos Accounts and NTLM Identification

When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.
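How a group search root plus additional search roots narrow the set of groups offered on the Include groups page, as an added example that is not NITO code. It is a Python filter over group DNs using the search roots from the Working with Large Directories example; the DN parser, function names and the five-entry sample directory are constructed assumptions, and the comparison is a case-insensitive RDN-suffix match, which is how a subtree search root scopes results.

```python
"""Filtering group DNs by the configured search roots. This is an added example
for the Working with Large Directories section; it is not NITO code, and the
DN parsing, function names and the sample directory are constructed assumptions."""


def parse_dn(dn: str):
    """Split an LDAP DN into normalised (attribute, value) RDN tuples, most
    specific first, ignoring case and surrounding whitespace. A backslash-
    escaped comma inside a value is kept as part of that value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def under_root(dn: str, root: str) -> bool:
    """True when dn lies in the subtree rooted at root (root itself counts)."""
    d, r = parse_dn(dn), parse_dn(root)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def groups_in_scope(group_dns, search_root, additional_roots=()):
    """Groups the Include groups page would list for the group search root
    plus any additional group search roots."""
    roots = [search_root, *additional_roots]
    return [g for g in group_dns if any(under_root(g, r) for r in roots)]


# Constructed multi-domain directory in the shape of the example above.
GROUP_DNS = [
    "cn=staff,ou=guardiangroups,dc=domain,dc=local",
    "cn=students,ou=guardiangroups,dc=domain,dc=local",
    "cn=wifi,ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local",
    "cn=printer ops,ou=it,dc=domain,dc=local",         # outside both roots
    "cn=Domain Admins,cn=users,dc=domain,dc=local",    # outside both roots
]

if __name__ == "__main__":
    everything = groups_in_scope(GROUP_DNS, "dc=domain,dc=local")
    scoped = groups_in_scope(
        GROUP_DNS,
        "ou=guardiangroups,dc=domain,dc=local",
        ["ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local"],
    )
    print(len(everything), "groups with the search root at the top of the directory")
    print(len(scoped), "groups with the two search roots from the example")
    for g in scoped:
        print("  ", g)
```

Rooting the search at dc=domain,dc=local returns every group in the forest, which is the 2500-entry page the text describes; the two OU roots return only the groups the administrator intends to map, and the sub1 root shows that an additional root may sit in a child domain.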
About Kerberos

The following sections document Kerberos pre-requisites and list some points to try when troubleshooting.

Kerberos Pre-requisites and Limitations

The following are pre-requisites and known limitations when using Kerberos as an authentication method:

• Forward and reverse DNS must be working
• All clocks must be in sync. More than 5 minutes of clock drift will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting

Check the following when troubleshooting a service that uses Kerberos:

• Make sure all the pre-requisites have been met, see Kerberos Pre-requisites and Limitations on page 284 for more information
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the short form does not work
• Check whether the user logged on before the keytab was created. Try logging off then on again.
• Check whether the user logged on before NITO joined the domain. Try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs:
  • Make sure the keytab contains keys with the same type of cryptography as that used by the client
  • The “HTTP” in the service principal name (SPN) must be in uppercase
  • The keytab should contain SPNs containing the short and fully qualified forms of each hostname.

Appendix B: Understanding Templates and Reports

In this chapter:

• How to use custom reporting

Programmable Drill-Down Looping Engine

The NITO reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from NITO and producing a report by filling in the template’s sections. A template is, as described above, nothing more than a structured series of sections. A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle.
It has shape and color and provides some information; however, its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes. A template in that metaphor is analogous to the instruction sheet for the building blocks: it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates. To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.

Figure: Example Report Template
Figure: Example Report

Report Templates, Creation and Editing

Creating report templates is done via the NITO Custom page, which provides the ability to add, remove and manipulate the sections which a template contains. The description of how to do this is covered elsewhere; however, there are a few details which allow for some level of flexibility. Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section; the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity; however, the full version of the description will appear under the report template’s advanced options. Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the Reports page.
While editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this report option should be used. This will take a copy of all the report’s options and sections while leaving the original report template unchanged. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used. Note again that the Edit report option on the report display page (seen while viewing a rendered report) is analogous to the edit a copy of this report option seen from the Reports page.

Viewing Reports, Exporting and Drill Down Reporting

The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template; the terms report and report template are used in this appendix where the distinction between the two is deemed important. For the bulk of users, the distinction between what is a report and what is a report template is unimportant: each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious ends. The difference between the two is perhaps moot for the most part; however, the key difference is that a report is a combination of several things: the report template used to create it and the data which was extracted and interpreted, along with its interpretation. In the building block metaphor a report template is the instructions alone, NITO is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with.
This leaves the question of when the model actually gets built. The answer is reasonably simple: the construction of a rendered report requires the following steps to be undertaken, again using the building-block metaphor.

1. Retrieve assembly instructions.
2. Collect necessary parts from the warehouse.
3. Place all the required pieces into a box along with the instructions.
4. Assemble the model and present it to the awaiting small child.

A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model; executing it, i.e. generating a report, will conduct steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user, but do deserve some explanation. The Reports page lists the report templates, or instruction sheets. The Recent and saved page shows the list of boxed models ready for assembly; clicking on a report template link or a report itself from either the Reports or Recent and saved pages will complete the missing steps and show the requesting user the final model.

Changing Report Formats

The reporting system provides multiple output formats; while HTML output is the most commonly used, there are additional formats which might allow for further analysis or interpretation of data. The formats available are:

• Adobe PDF format
• Adobe PDF format (suitable for black and white printers)
• Microsoft Excel format
• Comma Separated Value (CSV) format
• Tab Separated Value (TSV) format

Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented.
Thus any saved reports can be exported exactly as is without the need to regenerate them, making the export process relatively quick in comparison to the generation process.

Changing Report Date Ranges

From the Reports page, and while viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note that this requires the regeneration of the report data afterwards. From the Reports page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page. When viewing a report the date controls appear at the top right of the page next to the table of contents view; the preview button here will regenerate a new report according to those date ranges. Note again that both these actions will generate a new report, which may be saved accordingly.

Navigating HTML Reports

The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand of each section is a link to the top of the page (labeled top); this can be used to skip back to the top of the page where both the table of contents and rendering format options are presented.

Interpreted Results

Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself.
For example, IP addresses can carry whois information which would allow for greater understanding of the IP address and why it might have appeared; URLs too can contain more information than is immediately apparent from viewing the URL. To activate NITO’s advanced interpreter simply hover the mouse over the desired result; this will produce a tool-tip which contains more information about the result. For example:

In this example, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path), and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters but has also retrieved the video title, description and thumbnail from the YouTube server. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports

Reports can be saved for viewing later if this is desired. Saving a report will stop it being subject to the 48 hour rolling deletion which tidies the reports list each day. It is also important to note that a saved report is format-less and as such can be rendered to HTML, PDF, CSV etc. as desired. Saved reports are listed on the Recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.

Changing the Report

Once a report has been generated the report template used to create it is stored alongside the report data itself, and can therefore be used to produce a new report with refined options or alternative date ranges, or saved to appear on the Reports page. This is achieved in numerous ways depending upon location. When viewing the Recent and saved page, underneath the report’s icon is a link to Edit report.
This option will present the Custom page with the report template used to generate this report already loaded. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself. While viewing a report there is an edit report button presented underneath the table of contents which leads to the Custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill Down)

Each report section, when it is generated, can present a series of related or drill down reports; these are predetermined report templates which allow further investigation relevant to the item in the section in question. To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames; suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on. This is in a way analogous to the feed-forward reporting which will be discussed later; however, this is a manual process which allows for a particular result to be investigated further. Drill down reports will be stored notionally underneath the report in the Recent and saved section. Related reports are presented in a variety of ways depending upon the number of options available and the section which is being used; when a particular result has only one related report available, clicking on the result itself will lead to the related report for that result.
When a result has more than one related report associated with it, clicking on the result will produce a menu of the available related reports; clicking on the relevant option will generate the relevant related report. Note that the list of related reports is determined by the report section and cannot be altered.

Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the Custom page on your NITO’s interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for NITO’s reporting engine to interpret and use to extract and manipulate data from NITO’s logs. A list of available sections is included on the Custom page under the heading Available sections; existing template reports are also included in this list so that, once created, they can be included in new report templates without having to redefine them. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly; the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above. It should be noted that when a template report is included within another template report its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it. On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list.
To add and remove sections from the included sections list, sections can be highlighted by clicking on them and the add or remove controls used accordingly. Note that multiple sections can be added at once, and that sections can appear more than once in a template report.

Ordering Sections

Save for the caveats detailed under Grouping Sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section simply select it from the Included sections list and press either move up or move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections

Many of the underlying concepts in NITO’s reporting system are based around the notion of grouped sections. A section group is a logical construct which allows for logically connected sections to be collated together. Grouping two sections together will produce a number of consequences and will allow for advanced options such as iteration and feed-forwarding to be used. Primarily, grouping is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user. A Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field; these sections could be grouped together and share the username option, allowing it to be entered only once when the report is generated. Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups.
For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated, and the other sections in the group will iterate over the results from that section. Groups can contain other groups, which may of course be standard groups, iterative or feed-forward groups. They may also contain single sections. By containing groups within groups, complicated reporting structures can be developed which allow reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first detail shown in a group is a text entry field allowing for the group name to be changed; this name allows a group to be given a title which will help with understanding the template structure, and does not bear any influence on the report creation. The second option is a drop down list of repeat options; this is used for controlling iterative and feed-forward reporting and will be discussed in the appropriate sections. When options are grouped together they will be presented as an option in the group under a section called grouped options. They may also have a small visual indicator shown next to them in both the grouped options section as well as the regular options panel for each section. This indicator shows which options are grouped together and allows for them to be quickly collated together, for example if two options are given slightly different names but require the same value. The list of sections contained within the group is listed below the grouped options, each in its own collapsible section. Grouped options will be included for each section here alongside regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts. Each option may be overridden by means of ticking the corresponding checkbox.
An option with an override will use the value given to that option rather than the value it receives from its grouped parent; thus a group containing two sections, both of which possess a limit field (the number of items to show), can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled and where the value comes from. This may be grouped, feed-forward or repeating, meaning that the value will be assigned by the parent group, by the results of a feed-forward section or from one of the list provided in an iterating group. Options which are not grouped, fed-forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace values as would be expected.

Feed-Forward Reporting

Due to the jigsaw or building block like nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this, the reporting template system in NITO allows for a section’s results to be used as the source of options for subsequent sections. To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The first of these can be used to show a list of all network interfaces which are configured on NITO, or those which are configured for internal or external networking. This information provides limited details for each network interface, such as its IP address and other details; however, it does not show monthly usage statistics.
The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for NITO, and then display the advanced usage and bandwidth statistics for it.

Iterative Reporting

Some report sections only deal with a limited set of data: a single group, username or IP address, for example. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time. For example, it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the local network interfaces that are desired and repeat the section once for each of the desired interfaces. Note that there is potential overlap here, and if the desired result is a list of all the local interfaces then feed-forwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, as well as include the Network Interfaces report. Note that while it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.

Group Ordering

Sections within a group can be re-ordered; this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule, however.
Groups utilizing feed-forward will require one of their sections to be promoted (denoted as the feeder) to a state where it will provide the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group’s display.

Grouping Sections

To group a number of sections together they should be selected from the included sections list and then grouped using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items, including other groups. Similarly, the ungroup command should be used either to disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level on the included sections tree that the group previously occupied; the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. Note that ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. It should be noted that when feed-forward is desired, the section producing results should be included in the group when it is first created; this will form the basis of the feed-forward. To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down, which can be found immediately above the grouped options section for that group.
Options which may be used in this way are included under a heading (in the drop down menu) of based upon grouped option, and the list will contain most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group. Creating a feed-forward enabled group is done in a similar manner; however, this time under the Repeat drop down a list of sections is included under the title using results from a section. The results returned by each section are visible under the results tab on the section in question, as well as at the bottom right hand side of the section’s description in the available sections list. By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section. This is due to the nature of feed-forwarding reports: they must produce the list of results to iterate over prior to iterating over them. Feed-forward results pass from one variable into another; however, the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. For example, the Network ARP Table section produces a list of interfaces which the connection is on. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section. Some care should be taken when choosing sections to flow into each other; however, generally results such as username should be taken to be suitable for feeding a username field. Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential work load that this would require on NITO. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible.
However, this would result in the following execution tree:

Group Activity Section
  20 x User Activity Section
    50 x URL Activity Section
      100 URLs

Hence 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times; assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.

Exporting Options

Each report section provides a list of options which define its behavior. This behavior may be defined at a later stage to make the report template truly flexible. For example, a domain activity section can take a username value to show the domains requested for a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy, to say the least. It is for this purpose that section options may be exported. In this particular example a domain activity section could be included in a report template and have its Denied status checkbox enabled. Swapping to the export tab would show a list of all the available options for this report; choosing to export the username field prior to creating the report template would mean that the username field is present for this template report on the reports tab of the NITO main interface (Logs and reports > Reports > Reports). Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the Reports page); however, it would also have the added effect of allowing a user to turn this option off when using the template. Similarly, typing a username into the section’s username option (on the options tab) allows the template report to carry a default username, which can be changed by the person using the report template.
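The execution tree for the 20 x 50 x 100 feed-forward template above, worked through as an added Python example that is not NITO code. It models a template as nested feeder sections, each repeating the sections it feeds once per result, and counts how many times each section executes and how many leaf results the report would hold; the Section class, the per-execution cost figures and the function names are constructed assumptions, and the walk is general, so the same functions size any nesting depth or a feeder with several fed sections.

```python
"""Sizing a nested feed-forward report template. This is an added example for
the 20 x 50 x 100 execution tree described above; it is not NITO code, and the
template representation, cost figures and function names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Section:
    name: str
    limit: int                                   # the section's limit option (top N)
    feeds: list = field(default_factory=list)    # sections repeated once per result


def execution_plan(section, parents=1):
    """Return {section name: number of executions}. A section executes once per
    execution of its feeder multiplied by the feeder's result count."""
    plan = {section.name: parents}
    for child in section.feeds:
        for name, runs in execution_plan(child, parents * section.limit).items():
            plan[name] = plan.get(name, 0) + runs
    return plan


def leaf_results(section):
    """Total number of leaf results (here URLs) the rendered report would contain."""
    if not section.feeds:
        return section.limit
    return sum(section.limit * leaf_results(child) for child in section.feeds)


def estimate_runtime(section, seconds_per_run):
    """Rough wall-clock cost given a constructed per-execution cost per section."""
    return sum(runs * seconds_per_run.get(name, 0.0)
               for name, runs in execution_plan(section).items())


# The template from the text: top 20 groups, top 50 users in each, top 100
# banned URLs for each user.
TEMPLATE = Section("Group Activity", 20, [
    Section("User Activity", 50, [
        Section("URL Activity", 100),
    ]),
])

if __name__ == "__main__":
    for name, runs in execution_plan(TEMPLATE).items():
        print(f"{name:15s} executes {runs:5d} times")
    print(leaf_results(TEMPLATE), "URLs in the finished report")
    # Constructed cost: if each top-URLs calculation takes 10 s, the URL section
    # alone accounts for 1000 x 10 s, close to three hours.
    hours = estimate_runtime(TEMPLATE, {"URL Activity": 10.0}) / 3600
    print(f"about {hours:.1f} hours at 10 s per URL Activity execution")
```

The plan confirms the text's figures: the URL Activity section runs a thousand times (once per user) and the report carries a hundred thousand URLs. Running the sizing before saving such a template is an inexpensive way to catch a feed-forward chain whose fan-out will tie up the appliance for hours.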
Reporting Folders

Report templates can be arranged into a common hierarchy so that like-purposed report templates are kept together, which alleviates some of the confusion in finding the desired template. On a standard NITO installation, report templates are structured into the following folders:

Firewall and networking
System
Trends
Users
  IP address analysis
    IP address analysis per web content category
      Blogs
      Image and video sharing
      News
      Reference and educational
      Shopping and online auctions
      Social bookmarking
      Social networking
      Sport
      Web portals and search engines
  Top IP addresses
  Top users
  User analysis
    User analysis per web content category
      Blogs
      Image and video sharing
      News
      Reference and educational
      Shopping and online auctions
      Social bookmarking
      Social networking
      Sport
      Web portals and search engines
Web content
  Per category
    Blogs: Blogger, Blogs, WordPress
    Category analysis
    Image and video sharing: Dailymotion, Flickr, Fotolog, ImageShack, ImageVenue, YouTube
    News: BBC News, CNet, CNN News, Slashdot
    Reference and educational: IMDB, Wikipedia
    Shopping and online auctions: Amazon, Craiglists, Ebay, Shopping and online auctions
    Social bookmarking: Delicious, Digg, Reddit, Stumbleupon
    Social networking: Bebo, Facebook, Friendster, Hi5, Linkedin, Myspace, Orkut, Social networking, Twitter
    Sport: BBC Sport, ESPN Sport
    Web portals and search engines: AOL, Google, Search engines, Windows Live and MSN, Yahoo
  Site analysis: Top categories, Top domains, Top URLs, Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of the available folders; a report template can be placed in any folder as desired. Folders can be created or deleted from the reports page, which is the main place to find report templates and report folders.
It also provides the ability to rename folders and to edit and remove report templates. Folder navigation is achieved by clicking on the folder name. A location bar is also present along the top of the Reports page which allows users to navigate the folder structure. Clicking on a folder higher up in the hierarchy provides a list of the other folders on the same level of the tree, which is a faster way to navigate the list of available folders.

Creating a Folder

To create a folder, navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar. This creates a new folder called "new folder" which can then be renamed: enter the desired name into the text box and click rename to change the name of the report folder. A folder name should use letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Renaming Folders

An existing folder is renamed in the same way as a newly created one: enter the new name into the text box beside the folder and click rename.

Deleting Folders

Folders can be deleted from the Reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so ensure that all report templates and sub-folders have been removed before deleting a folder. This limitation is deliberate: folder and report template deletion cannot be undone, so such potentially dangerous actions are intentionally long-winded.

Scheduling Reports

It is possible to schedule a report template to be executed at a particular time of day and repeated at the desired interval. Reports generated in this way may be saved for later use via the recent and saved reports section and/or emailed to a list of recipients as an HTML email or a plain-text email. Scheduled reports are deliberately flexible and present the full list of report templates available for scheduling.
Options exported to the Reports page may also be set on a report-by-report basis, so it is possible to schedule, for one user (the sales manager, for example), the web activity for the sales group using a web activity report template, and for another user (the support manager) the web activity report for the support group, by means of the same report template. Scheduled repeats allow for the automated generation of reports at specific intervals; the intervals available are:

• Daily – each day at the allocated time
• Weekday – each working day (Monday to Friday) at the allocated time
• Weekly – every week at the allocated time, on the same day of the week as the first report
• Monthly – every month at the allocated time, on the same day of the month as the first report

Repetition can also be disabled if a report is not wanted at regular intervals.

Reporting Sections

Generators and Linkers

Reporting sections can be divided into principally two types: generators and linkers. While all report sections generate results and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context. For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section takes a Guardian username (whether derived from Active Directory or another authentication mechanism) and shows the IP addresses associated with that user in the Guardian web proxy access logs, along with the timestamps at which those hits occurred. By this mechanism it is possible to deduce which IP address a user has been seen to use, and the time period during which they were using it. On its own this information is perhaps informative, but not particularly useful.
However, the results, Client IP address and Time-Period, are both filters which can be applied to other reports, including reports which are not able to associate activity with a particular username.

General Sections

The bulk of NITO's reporting sections are reasonably easy to describe and are detailed quite well by their own descriptions. There are, however, several big reports which defy such description and require a more in-depth discussion; these are covered later.

Standard sections appear in the available sections list in a manner similar to the following. This shows the section's title, description and any results that are returned for use in the system's feed-forward ability.

Network Interfaces – A list of the configured internal and external network interfaces on the system. Includes details about the hardware, configuration and recent network activity for each interface.

This report section lists the interfaces available on NITO, including any internal NIC interfaces, external NIC interfaces, modems, VLANs and VPN interfaces. The options available for this section allow you to discriminate between internal, external and VPN interfaces, as well as to show or hide any disconnected interfaces. This section returns an interface, which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL

URL processing in the NITO reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters. These are used to speed up data processing and achieve the desired results efficiently, with minimal need to understand how an individual web site is constructed. Some explanation is required, however, as several of the more advanced features of the Guardian reports require some manipulation of the URL. A NITO reporting URL is extracted into three distinct components: the protocol, the domain and the parameters.
A URL entered into the NITO reporting system is automatically highlighted in color to denote where each part of the URL is being extracted from. URLs entered in this fashion can be complete (as in the example above) or partial, consisting of any combination of protocol, protocol and domain, domain and parameters, or the parameters alone. To use a partial URL, the URL entered should be of the appropriate format for the combination of parts desired. Separation is effectively done from the right-hand side backwards:

• any URL starting with / is viewed as simply the parameters;
• a URL which starts with a character other than / and does not end with :// is viewed as the domain;
• a URL fragment starting with characters and ending with the string :// is interpreted as the protocol.

Deciphering a URL can, however, be a non-trivial task, especially as some web sites, companies and organizations use a variety of load balancing techniques, curious URLs, sub-domains and other techniques which can only have been considered a good idea at the time. For example, StumbleUpon, a social bookmarking site, exists not only at the domain www.stumbleupon.com but also at stumbleupon.com, a common enough arrangement with regard to the absence of www. However, it also serves some of its content from cdn.stumble-upon.com and stumbleupon.stumble-upon.com. For this reason it is possible to switch the URL recognition options in the NITO reporting system to treat URLs as regular expression matches rather than strict matches. These options can be turned on individually for the protocol, domain and parameter parts of a URL; for speed and processing reasons it is advised that they be turned on for the minimum number of parts possible.
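The splitting rules above, written out as an added Python example (this is not NITO's own code). It splits a complete or partial reporting URL into protocol, domain and parameters and then matches logged URLs either strictly or, per component, as a regular expression; the StumbleUpon domain regex and the assumption that strict domain matching is case-insensitive are the author's own.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example, not NITO code: splits a (possibly partial) reporting URL into the
# protocol, domain and parameters components using the rules described above.

PROTOCOL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://")


@dataclass(frozen=True)
class ReportUrl:
    protocol: Optional[str]    # e.g. "http" (the trailing :// is stripped)
    domain: Optional[str]      # e.g. "www.stumbleupon.com"
    parameters: Optional[str]  # everything from the first "/" onwards, e.g. "/su/123"


def split_report_url(text: str) -> ReportUrl:
    """Split from the right: a leading 'xyz://' is the protocol, a leading '/' starts
    the parameters, and whatever is left in between is the domain."""
    text = text.strip()
    protocol = domain = parameters = None
    m = PROTOCOL_RE.match(text)
    if m:
        protocol = m.group(1).lower()
        text = text[m.end():]
    slash = text.find("/")
    if slash != -1:
        parameters = text[slash:]
        text = text[:slash]
    if text:
        domain = text.lower()   # assumption: domains compare case-insensitively
    return ReportUrl(protocol, domain, parameters)


def url_matches(pattern: ReportUrl, logged_url: str,
                regex_parts: FrozenSet[str] = frozenset()) -> bool:
    """True if every component present in `pattern` matches the logged URL.
    Components named in `regex_parts` ('protocol', 'domain', 'parameters') are
    treated as regular expressions; all others use strict (exact) matching."""
    logged = split_report_url(logged_url)
    for part in ("protocol", "domain", "parameters"):
        wanted = getattr(pattern, part)
        if wanted is None:
            continue              # component absent from the pattern: no constraint
        actual = getattr(logged, part) or ""
        if part in regex_parts:
            if not re.search(wanted, actual):
                return False
        elif wanted != actual:
            return False
    return True


if __name__ == "__main__":
    # Strict domain matching misses the StumbleUpon variants; one regex catches them.
    strict = split_report_url("stumbleupon.com")
    # Note: a domain regex must not contain "/" or "://", or it would be split too.
    loose = ReportUrl(None, r"(^|\.)stumble-?upon\.com$", None)
    for url in ("http://stumbleupon.com/su/1", "http://www.stumbleupon.com/su/1",
                "http://cdn.stumble-upon.com/img.png"):
        print(url, url_matches(strict, url), url_matches(loose, url, frozenset({"domain"})))
```

Only the domain is switched to regular expression mode here, in line with the advice to enable regex matching for as few parts as possible.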
HTTP Request Methods and HTTPS Interception

The nature of HTTPS interception means that, in essence, an intercepted HTTPS site should be treated no differently from a non-HTTPS site in terms of its logging; indeed, other than the protocol there is nothing to distinguish the HTTP and HTTPS methodology. Guardian, however, also logs connections made to HTTPS servers where the content of that communication has not been intercepted. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol and/or the domain) to catch HTTPS content which has been intercepted and that which has not. An HTTPS connection through the proxy starts with an HTTP CONNECT request; if the connection is not being intercepted, this CONNECT is the only part of the communication which is logged. If the connection is subjected to HTTPS interception then the requests within the connection are additionally logged. Hence, searching for request methods other than CONNECT returns results which may have been subjected to HTTPS interception. Additionally, setting the URL to include the string https:// returns only those results which have been HTTPS intercepted, as it restricts the results to those via the HTTPS protocol and using a request method other than CONNECT.

Guardian Status Filtering

Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked), Exception, Infected or Modified. Their meaning is covered below.

Almost blocked – Denotes any result whose phrase analysis score was between 90 and 100 (the default score above which a result is blocked). This shows content which contained a number of phrases that elevated its score, but not quite enough to cause the site to be blocked.
Denied – Denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason the page was banned can be determined by adding the include status option on those reports which support it. Note, however, that this can change the ordering of the results.

Exception – The site in question was not filtered, for one of several reasons: it may be whitelisted, soft-blocked or temporarily bypassed, or the client IP or group may not be subject to filtering.

Modified – Denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript) or to enforce an AUP concept such as safe search.

Search Terms and Search Phrases

There are three facets to search term reporting on a Guardian system: listing search terms, filtering by search term, and selecting banned search terms. Discovering and showing search terms is achieved with the search engine search strings and terms report section. This section has a few peculiarities in its options, which are covered below; however, it is essentially designed to show the top search terms, or phrases, encountered within the Guardian-filtered URLs. Search terms are denoted as being either an individual word or the entire phrase which was searched for. For example, searching for ‘babylon 5’ earth destroyer would be considered to be three search words, ‘babylon 5’, ‘earth’ and ‘destroyer’, and one search phrase. Note that the search term reporting treats any quoted string as a single search word. Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however, search filtering can be made case sensitive by using the case sensitive search option under the advanced options for this report.
Both search terms and phrases can optionally be treated as regular expression matches via the appropriate option under the advanced options. Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar, or stop words. Words such as ‘and’, ‘of’ and ‘the’ are usually omitted by most search engines, and this can be taken into account by choosing individual (uncommon) search terms in the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine, which is as follows: ‘i’, ‘a’, ‘about’, ‘an’, ‘are’, ‘as’, ‘at’, ‘be’, ‘by’, ‘com’, ‘de’, ‘en’, ‘for’, ‘from’, ‘how’, ‘in’, ‘is’, ‘it’, ‘la’, ‘of’, ‘on’, ‘or’, ‘that’, ‘the’, ‘this’, ‘to’, ‘was’, ‘what’, ‘when’, ‘where’, ‘who’, ‘will’, ‘with’, ‘und’ and ‘www’. Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be obtained by using the Guardian status denied option under the Guardian status options.

Filtering by Search Terms

As explained earlier, individual Guardian reports can be filtered by the search terminology they contain. For example, it is possible to show the top ten domains which contained a search request for the word badger. This filtering is achieved using the Search term matching options presented under an individual section's advanced options. Note that all search term filters operate over the search phrase rather than individual words, and can optionally be changed to use regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms this filter can be used in combination with the Guardian status filters.
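The HTTPS interception rule (CONNECT-only versus inner requests) and the search term handling described in the last three sections, run over a handful of constructed log records as an added Python example. This is not Guardian's code and the record layout (timestamp, user, client IP, method, URL, status) is a simplification invented for the example, not Guardian's real log format; the assumption that the search engine carries its query in the q parameter is likewise the author's.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (NOT Guardian's real log format). Assumed layout:
#   <timestamp> <username> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2012-05-01T09:00:01 alice 10.0.0.5 CONNECT mail.example.com:443 allowed
2012-05-01T09:00:02 alice 10.0.0.5 GET https://www.google.com/search?q=%27babylon+5%27+earth+destroyer allowed
2012-05-01T09:00:03 bob 10.0.0.6 GET http://www.google.com/search?q=how+to+build+a+badger+trap denied
2012-05-01T09:00:04 bob 10.0.0.6 GET http://www.example.com/index.html allowed
"""

# The stop words the guide lists (the set omitted by Google).
STOP_WORDS = frozenset("""i a about an are as at be by com de en for from how in is
it la of on or that the this to was what when where who will with und www""".split())

# A double- or single-quoted run counts as one search word, otherwise split on whitespace.
TOKEN_RE = re.compile(r'''"([^"]+)"|'([^']+)'|(\S+)''')


def parse_record(line: str) -> Dict[str, str]:
    timestamp, user, client_ip, method, url, status = line.split()
    return {"timestamp": timestamp, "user": user, "client_ip": client_ip,
            "method": method, "url": url, "status": status}


def interception_state(rec: Dict[str, str]) -> str:
    """Classify a record as described in the HTTPS interception section."""
    if rec["method"] == "CONNECT":
        return "https-tunnel"        # only the CONNECT was logged: not intercepted
    if rec["url"].lower().startswith("https://"):
        return "https-intercepted"   # an inner request carrying the https:// scheme
    return "http"


def search_terms(url: str, uncommon_only: bool = False) -> Optional[Tuple[str, List[str]]]:
    """Return (search phrase, search words) for a search-engine URL, or None.
    Assumption: the engine carries the query in the 'q' parameter."""
    query = parse_qs(urlsplit(url).query).get("q")
    if not query:
        return None
    phrase = query[0].strip().lower()            # case-insensitive by default
    words = [next(g for g in m.groups() if g is not None)
             for m in TOKEN_RE.finditer(phrase)]
    if uncommon_only:
        words = [w for w in words if w not in STOP_WORDS]
    return phrase, words


def records_matching(log: str, term: str, status: Optional[str] = None,
                     regex: bool = False) -> List[Dict[str, str]]:
    """Search-term filter as applied to other sections: matches against the whole
    phrase ('contains' by default, regex if requested), optionally by Guardian status."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        if status and rec["status"] != status:
            continue
        found = search_terms(rec["url"])
        if not found:
            continue
        phrase = found[0]
        if (re.search(term, phrase) if regex else term.lower() in phrase):
            out.append(rec)
    return out


def denied_search_phrases(log: str) -> List[str]:
    """Blocked search phrases: the search-terms section with Guardian status 'denied'."""
    return [search_terms(r["url"])[0]
            for r in (parse_record(l) for l in log.splitlines())
            if r["status"] == "denied" and search_terms(r["url"])]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        print(rec["user"], interception_state(rec), search_terms(rec["url"], uncommon_only=True))
    print("denied:", denied_search_phrases(SAMPLE_LOG))
```

Note that the quoted phrase 'babylon 5' survives as one search word while "how to build a badger trap" loses how, to and a in uncommon mode, and that the CONNECT record yields no URL path at all, which is exactly why a non-intercepted HTTPS session can never contribute search terms.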
URL Extraction and Manipulation

The NITO reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting, which allows a sophisticated set of URL manipulations to be conducted in order to extract information from the Guardian logs. This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those which are not are grayed out in the example above and are omitted from further discussion, as they apply the expected limitations to the search results: changing the number of results, or any username, client IP address or group filter, etc.

The most important option for this report section is the URL, which in this example is a regular expression URL referring to the BBC News web site. The protocol and domain fields of the URL in this example are reasonably straightforward: they do not contain any regular expression matches (anything in brackets) and as such are not used for anything further in this report section. The parameters field, however, contains two regular expression matches, the parts between the opening and closing brackets, ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled match is used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL. In this example there are two matches extracted from the URL; if a BBC News article URL is considered:

http://news.bbc.co.uk/1/hi/technology/7878769.stm

the two matches would yield technology and 7878769. Of these two parameters, one is the section of the BBC News site the article is from, the other is the article number.
The Match to extract from domain and Match to extract from parameters options select which regular expression match ($1, $2, $3 etc.) to extract from the URL for the purpose of identifying unique content. In this example parameter match 2 is used to uniquely identify this URL, being the value 7878769, the article number. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top news articles.

Rebuild and include example URL – As part of its drill-down and feed-forward abilities, the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, the reconstructed URL is included in the report alongside the match. Note that some sites, YouTube for example, can host several different URLs for the same video ID. In these cases the reconstructed URL is a URL that might have been used, even if it is not the actual URL that was encountered. To elaborate, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video and could be matched accordingly (giving two hits for this video); the system would then have to construct a probable URL for the content, which in this example would reference either the .com or the .co.uk address.

Recognise common URLs – This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or to extract a page title from an HTML page's header. In this example the option is enabled, so for each of the reconstituted URLs the system retrieves the HTML (.stm) page from the BBC News web site, extracts the <title> element from the page header and includes it in the report. Note that these retrievals are made by the NITO system itself at report time, so the report needs outbound web access and will itself generate requests to the sites concerned.
Domain match and Parameter match – These options allow additional information to be fed into the search and will replace particular matches in the URL with the given values. The Match to compare domain to and Match to compare parameters to options specify which URL regular expression match the value is substituted into, in order to further filter the URL. In the example above, the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box is substituted into $1 of the URL. Entering technology into the Parameter match field would therefore produce the top 50 news articles from the technology section of the BBC News web site.

Results title – This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resulting report, although by default it would be included as the section title for the feed-forwarded results. For this reason it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be plain text, or it can reference one of the result's feed-forward values by means of a wildcard. In the example above, %matchtitle% is used as the value, which presents the feed-forward result matchtitle as the title of any feed-forward sections; in this case %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively the values %domainmatch%, %parametermatch% or %url% could be used.

In this manner, the URL extraction section provides one of the most flexible tools for extracting information about particular web sites with no inbuilt understanding of the site.
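The extract/compare/rebuild/title mechanics just described, worked through in Python over constructed URLs as an added example (not NITO's code). The URL regular expression is the author's guess at the shape of the one in the screenshot, the logged URLs are made up, and the TITLES table stands in for the <title> text that the Recognise common URLs option would fetch from the live site.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of logged URLs (not real Guardian data).
SAMPLE_URLS = [
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/business/7877000.stm",
    "http://news.bbc.co.uk/1/hi/business/7877000.stm",
    "http://news.bbc.co.uk/1/hi/technology/7881234.stm",
    "http://www.bbc.co.uk/sport/",          # no match: different domain and path shape
]

# Assumed form of the section's URL regex: $1 = site section, $2 = article number.
URL_PATTERN = r"^http://news\.bbc\.co\.uk/1/hi/([a-z_]+)/([0-9]+)\.stm$"

# Stand-in for the <title> the "Recognise common URLs" option would fetch (constructed).
TITLES = {"7878769": "Technology article 7878769", "7877000": "Business article 7877000"}


def top_matches(urls: List[str], pattern: str, extract: int = 2,
                compare: Optional[int] = None, compare_value: Optional[str] = None,
                limit: int = 50, rebuild: bool = True) -> List[Dict[str, object]]:
    """Count URLs by the chosen regex match ($extract), optionally keeping only URLs
    whose $compare group equals compare_value, and return the top `limit` results."""
    regex = re.compile(pattern)
    hits: Counter = Counter()
    examples: Dict[str, str] = {}
    for url in urls:
        m = regex.match(url)
        if not m:
            continue
        if compare is not None and m.group(compare) != compare_value:
            continue
        key = m.group(extract)
        hits[key] += 1
        examples.setdefault(key, url)   # first URL seen is the "probable" rebuilt URL
    results = []
    for key, count in hits.most_common(limit):
        row: Dict[str, object] = {"parametermatch": key, "hits": count,
                                  "matchtitle": TITLES.get(key, key)}
        if rebuild:
            row["url"] = examples[key]
        results.append(row)
    return results


def render_title(template: str, row: Dict[str, object]) -> str:
    """Expand %name% wildcards (e.g. %matchtitle%, %parametermatch%, %url%) from a row;
    unknown wildcards are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: str(row.get(m.group(1), m.group(0))), template)


if __name__ == "__main__":
    # "Parameter match" = technology substituted into $1, results keyed on $2.
    for row in top_matches(SAMPLE_URLS, URL_PATTERN, compare=1, compare_value="technology"):
        print(render_title("%matchtitle% (%hits% hits) %url%", row))
```

Switching extract to 1 turns the same data into a top-sections report, which is the sense in which the section needs no built-in knowledge of the site: everything it knows comes from the bracketed groups in the URL you supply.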
Because the section has no inbuilt understanding of any site, it can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but fall outside the scope of the standard templates.

In this example the URL extraction section is being used to display the top 50 video results from the YouTube site. The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs.

Origin Filtering

NITO has the ability to aggregate reports over several different machines. Several NITOs, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting NITO system they each carry a unique identifier stating where they came from. This identifier can be used to restrict results to those that originated from a particular machine, or class of machines. The origin filter on a NITO report allows the class of machine, or in some cases the individual machine, to be used to restrict the results.

Note: The list of originating systems does not include individual MobileGuardian installations, as there may be several dozen or more of these.

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group, and the default template reports have been constructed with that in mind. By default, MobileGuardian filtering is achieved using a group filter for the appropriate group; should more advanced processing be required, the Origin filter can be used instead.

Appendix C: Hosting Tutorials

In this appendix:

• Examples of hosting using NITO.
Basic Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses 192.168.1.1 through 192.168.1.254. Within the DMZ there are two servers:

Web server .2 – internal IP address 192.168.1.2, presented on external IP address 216.1.1.2.
Mail server .3 – internal IP address 192.168.1.3, presented on external IP address 216.1.1.3.

To configure this scenario:

1. First create the external aliases:

   Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
   Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3

2. Next, add the port forwards. In these rules Source IP is the external alias the traffic arrives on, Destination IP is the DMZ host it is forwarded to, and External IP is the permitted remote source range; leaving External IP <BLANK> accepts connections from any source:

   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3

3. Finally, add the source mappings:

   Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
   Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3

Extended Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses 192.168.1.1 through 192.168.1.254. Within the DMZ are three servers:

Web server .2 – internal IP address 192.168.1.2, presented on external IP address 216.1.1.2. It supports both HTTP and HTTPS.
Web server .3 – internal IP address 192.168.1.3, presented on external IP address 216.1.1.3.
It should only be accessible to external hosts in the ranges 100.100.100.0/24 and 100.100.101.0/24.
Mail server .4 – internal IP address 192.168.1.4, presented on external IP address 216.1.1.4.

To configure this scenario:

1. First create the external aliases:

   Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
   Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
   Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4

2. Next, add the port forwards. Web server .3 needs one forward per permitted source range, with the range entered as the External IP; check the ranges carefully, since a mistyped range (for example 100.100.10.0/24 in place of 100.100.101.0/24) silently shuts out the hosts it was meant to admit rather than producing an error:

   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS
   Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
   Protocol: TCP | External IP: 100.100.101.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3

3. Finally, add the source mappings:

   Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
   Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
   Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4

More Advanced Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e.
it can support host IP addresses 192.168.1.1 through 192.168.1.254. A local private network, 192.168.10.0/24, contains three servers:

SQL Server .2 – Internal IP: 192.168.10.2
Mail Server [int] .3 – Internal IP: 192.168.10.3
Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users (the port forward below does not restrict the source, so that restriction is left to the server itself)

A DMZ network, 192.168.1.0/24, contains the following servers on five physical hosts:

Web Server .2 – External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2
Web Server .3 – External IP: 216.1.1.3, Internal IP: 192.168.1.3
Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6
Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5
Mail Server [ext. out] .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.6, for outgoing mail (it shares alias .6 with Virtual Web Server .6: the alias receives inbound HTTP for the virtual server and is the mapped source address of the outgoing mail)
Mail Server [ext. in] .7 – External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3

To configure this scenario:

1. First create the external aliases:

   Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
   Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
   Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
   Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
   Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
   Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7

2. Next, add the port forwards:
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.10.4 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP
   Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3

3. Next, add the zone bridges. Each bridge admits only the one source host, destination host and port it names, so a compromised DMZ web server can reach the private network's SQL server only on port 3306, and the inbound mail relay can reach the internal mail server only on port 25:

   Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306 | Comment: Web Server .2 to SQL Server .2
   Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25) | Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3

4. Finally, add the source mappings:
   Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
   Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
   Source IP: 192.168.10.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
   Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
   Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext. out] .6

Glossary

Numeric

2-factor authentication. Authentication using a password or PIN together with a physical token; in other words, something you know used together with something you have. Access is only granted when the two are used together.
3DES. A triple-strength version of the DES cryptographic standard, usually using a 168-bit key (three 56-bit DES keys).

A

Acceptable Use Policy. See AUP.
Access control. The process of preventing unauthorized access to computers, programs, processes or systems.
Active Directory. Microsoft's directory service for organizations. It contains information about organizational units, users and computers.
ActiveX. A Microsoft reusable component technology used in many VPN solutions to provide VPN client access from a road warrior's web browser.
AES. (Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128, 192 and 256 bits and provides high security with fast performance across multiple platforms.
AH. (Authentication Header) Forms part of the IPSec protocol suite. AH sits between the IP header and the datagram payload to protect the integrity and origin of the packet, but provides no secrecy.
Algorithm. In Nomadix products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
Alias (or External Alias). In Nomadix terminology, an alias is an additional public IP address that operates as an alternative identifier of the red (external) interface.
ARP. (Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses.
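Returning to the hosting arrangements in Appendix C above: the Extended Hosting Arrangement transcribed as data, with a function that decides which port forward (if any) admits an inbound packet and an audit of the three tables that catches the mistakes a practitioner most often makes when keying them in. This is an added Python example, not NITO's code; the field meanings (Source IP = alias the traffic arrives on, Destination IP = DMZ host, External IP = permitted remote source range, None for <BLANK>) are the author's reading of the appendix, and the sample packets are invented.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# The Extended Hosting Arrangement from Appendix C, transcribed as data. Assumed field
# meanings, as used in that appendix: Source IP = the external alias the traffic arrives
# on, Destination IP = the DMZ host, External IP = the permitted remote source range
# (None stands for the guide's <BLANK>, i.e. any source).
ALIASES: Set[str] = {"216.1.1.2", "216.1.1.3", "216.1.1.4"}

PORT_FORWARDS: List[Dict[str, object]] = [
    {"proto": "tcp", "external_ip": None, "source_ip": "216.1.1.2", "dest_ip": "192.168.1.2", "port": 80, "comment": "Web Server .2 HTTP"},
    {"proto": "tcp", "external_ip": None, "source_ip": "216.1.1.2", "dest_ip": "192.168.1.2", "port": 443, "comment": "Web Server .2 HTTPS"},
    {"proto": "tcp", "external_ip": "100.100.100.0/24", "source_ip": "216.1.1.3", "dest_ip": "192.168.1.3", "port": 80, "comment": "Web Server .3 HTTP"},
    {"proto": "tcp", "external_ip": "100.100.101.0/24", "source_ip": "216.1.1.3", "dest_ip": "192.168.1.3", "port": 80, "comment": "Web Server .3 HTTP"},
    {"proto": "tcp", "external_ip": None, "source_ip": "216.1.1.4", "dest_ip": "192.168.1.4", "port": 25, "comment": "Mail Server .4 SMTP"},
    {"proto": "tcp", "external_ip": None, "source_ip": "216.1.1.4", "dest_ip": "192.168.1.4", "port": 110, "comment": "Mail Server .4 POP3"},
]

SOURCE_MAPPINGS: Dict[str, str] = {"192.168.1.2": "216.1.1.2", "192.168.1.3": "216.1.1.3", "192.168.1.4": "216.1.1.4"}

# Hosts the scenario says must only be reachable from particular source ranges.
RESTRICTED_HOSTS: Set[str] = {"192.168.1.3"}


def forward_for(src: str, dst_alias: str, port: int, proto: str = "tcp",
                forwards: List[Dict[str, object]] = PORT_FORWARDS) -> Optional[Dict[str, object]]:
    """First port forward that applies to an inbound packet, or None if it is dropped."""
    src_addr = ipaddress.ip_address(src)
    for fwd in forwards:
        if fwd["proto"] != proto or fwd["source_ip"] != dst_alias or fwd["port"] != port:
            continue
        allowed = fwd["external_ip"]
        if allowed is None or src_addr in ipaddress.ip_network(allowed):
            return fwd
    return None


def audit(aliases=ALIASES, forwards=PORT_FORWARDS, mappings=SOURCE_MAPPINGS,
          restricted=RESTRICTED_HOSTS) -> List[str]:
    """Consistency checks a practitioner would run over the three tables."""
    problems = []
    for fwd in forwards:
        if fwd["source_ip"] not in aliases:
            problems.append(f"{fwd['comment']}: alias {fwd['source_ip']} is not defined")
        if fwd["dest_ip"] not in mappings:
            problems.append(f"{fwd['comment']}: {fwd['dest_ip']} has no source mapping, "
                            "so its outbound connections will not be mapped to its alias")
        if fwd["dest_ip"] in restricted and fwd["external_ip"] is None:
            problems.append(f"{fwd['comment']}: open to any source but host is meant to be restricted")
    for host, alias in mappings.items():
        if alias not in aliases:
            problems.append(f"source mapping for {host}: alias {alias} is not defined")
    return problems


if __name__ == "__main__":
    print(forward_for("100.100.101.7", "216.1.1.3", 80)["comment"])   # admitted by the second .3 rule
    print(forward_for("100.100.102.7", "216.1.1.3", 80))              # None: in neither range
    print(audit() or "no problems found")
```

The test below also re-runs the lookup with the range mistyped as 100.100.10.0/24 to show that such a slip drops the 100.100.101.0/24 clients without any error being raised, which is why the audit and a packet-level check belong together.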
ARP Cache. Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP. (Acceptable Use Policy) An official statement of how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside the organization, for both business and personal use.
Authentication. The process of verifying identity or authorization.

B

Bandwidth. The rate at which data can be carried from one point to another, measured in bits per second (bps) or multiples such as Kbps and Mbps (Bps, with a capital B, denotes bytes per second).
BIN. A binary certificate format; the 8-bit (binary) counterpart of the text-based PEM format.
Buffer Overflow. An error caused when a program writes more data into a fixed-size temporary storage area (buffer) than it can hold, overwriting adjacent memory. This can be exploited by attackers to execute malicious code.

C

CA. (Certificate Authority) A trusted network entity responsible for issuing and managing X.509 digital certificates.
Certificate. A digital certificate is a file that uniquely identifies its owner. It contains the owner's identity information and public key, and is signed by the CA that issued it.
Cipher. A cryptographic algorithm.
Ciphertext. Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plaintext using a cryptographic algorithm and a key.
Client. Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker. A malicious hacker.
Cross-Over Cable. A network cable with the TX and RX (transmit and receive) pairs reversed at one end to provide a direct peer-to-peer network connection.
Cryptography. The study and use of methods designed to make information unintelligible to anyone but its intended recipients.

D

Default Gateway. The gateway in a network that will be used to reach another network when no more specific gateway is configured.
Denial of Service.
Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request. DER. (Distinguished Encoding Rules) A certificate format typically used by Windows operating systems. DES. (Data Encryption Standard) A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST. DHCP. (Dynamic Host Control Protocol) A protocol for automatically assigning IP addresses to hosts joining a network. Dial-Up. A telephone based, non-permanent network connection, established using a modem. DMZ. (Demilitarized Zone) An additional separate subnet, isolated as much as possible from protected networks. DNS. (Domain Name Service) A name resolution service that translates a domain name to an IP address and vice versa. Domain Controller. A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources. Dynamic IP. A non-permanent IP address automatically assigned to a host by a DHCP server. Dynamic token. A device which generates one-time passwords based on a challenge/response procedure. E Egress filtering. The control of traffic leaving your network. Encryption. The transformation of plaintext into a less readable form (called ciphertext) through a mathematical 316 Nomadix NITO User Guide process. A ciphertext may be read by anyone who has the key to decrypt (undoes the encryption) it. ESP. (Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides encryption services for tunnelled data. Exchange Server. A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars). Exploit. A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service. F Filter. 
A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser. FIPS. Federal Information Processing Standards. See NIST. Firewall. A combination of hardware and software used to prevent access to private network resources. G Gateway. A network point that acts as an entrance to another network. Green. In Nomadix terminology, green identifies the protected network. H Hacker. A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent. Host. A computer connected to a network. Hostname. A name used to identify a network host. HTTP. (Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web. HTTPS. A secure version of HTTP using SSL. Hub. A simple network device for connecting networks and network hosts. I ICMP. (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. IDS. Intrusion Detection System Internet Protocol IPS. Intrusion Prevention System IP Address. A 32-bit number that identifies each sender and receiver of network data. IPtables. The Linux packet filtering tool used by Nomadix to provide firewalling capabilities. 317 IPSec. (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF). IPSec Passthrough. A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through. ISP. An Internet Service Provider provides Internet connectivity. K Key. A string of bits used with an algorithm to encrypt and decrypt data. 
Given an algorithm, the key determines the mapping of plaintext to ciphertext. Kernel. The core part of an operating system that provides services to all other parts the operating system. Key space. The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space. L L2F. (Layer 2 Forwarding) A VPN system, developed by Cisco Systems. L2TP. (Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols. LAN. (Local Area Network) is a network between hosts in a similar, localized geography. Leased Lines. (Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company. Lockout. A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user. M MAC Address. (Media Access Control) An address which is the unique hardware identifier of a NIC. MX Record. (Mail eXchange) An entry in a domain name database that specifies an email server to handle a domain name's email. N NAT-T. (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough. NIC. Network Interface Card NIST. (National Institute of Standards and Technology) NIST produces security and cryptography related standards and publishes them as FIPS documents. NTP. (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP Servers. 318 Nomadix NITO User Guide O OU. An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization. P Password. 
A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data. PEM. (Privacy Enhanced Mail) A popular certificate format. Perfect Forward Secrecy. A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised. PFS. See Perfect Forward Secrecy Phase 1. Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement. Phase 2. Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up. Ping. A program used to verify that a specific IP address can be seen from another. PKCS#12. (Public Key Cryptography Standards # 12) A portable container file format for transporting certificates and private keys. PKI. (Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates. Plaintext. Data that has not been encrypted, or ciphertext that has been decrypted. Policy. Contains content filters and, optionally time settings and authentication requirements, to determine how NITO handles web content and downloads to best protect your users and your organization. Port. A service connection point on a computer system numerically identified between 0 and 65536. Port 80 is the HTTP port. Port Forward. A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router. PPP. (Point-to-Point Protocol) Used to communicate between two computers via a serial interface. 
PPTP. (Peer-to-Peer Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be relatively insecure. Private Circuits. See Leased Lines. Private Key. A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key. Protocol. A formal specification of a means of computer communication. Proxy. An intermediary server that mediates access to a service. PSK. (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching process to determine authenticity. Public Key. A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner. 319 PuTTY. A free Windows / SSH client. Q QOS. (Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth. R RAS. (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs. Red. In Nomadix, red is used to identify the Unprotected Network (typically the Internet). RIP. (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are. Road Warrior. An individual remote network user, typically a travelling worker 'on the road' requiring access to a organization’s network via a laptop. Usually has a dynamic IP address. Route. A path from one network point to another. Routing Table. A table used to provide directions to other networks and hosts. Rules. In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another. S Security policy. 
A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights and define what behavior is and is not permitted, by whom and under what circumstances. Server. In general, a computer that provides shared resources to network users. SIP. (Session Initiation Protocol) A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications. Single Sign-On. (SSO) The ability to log-in to multiple computers or servers in a single action by entering a single password. Site-To-Site. A network connection between two LANs, typically between two business sites. Usually uses a static IP address. Smart card. A device which contains the credentials for authentication to any device that is smart card-enabled. Spam. Junk email, usually unsolicited. SQL Injection. A type of exploit whereby hackers are able to execute SQL statements via an Internet browser. Squid. A high performance proxy caching server for web clients. SSH. (Secure Shell) A command line interface used to securely access a remote computer. SSL. A cryptographic protocol which provides secure communications on the Internet. SSL VPN. A VPN accessed via HTTPS from any browser (theoretically). VPNs require minimal client 320 Nomadix NITO User Guide configuration. Strong encryption. A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame. Subnet. An identifiably separate part of an organization’s network. Switch. An intelligent cable junction device that links networks and network hosts together. Syslog. 
A server used by other hosts to remotely record logging information. T Triple DES (3-DES) Encryption. A method of data encryption which uses three encryption keys and runs DES three times Triple-DES is substantially stronger than DES. Tunneling. The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. U User name / user ID. A unique name by which each user is known to the system. V VPN. (Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet. VPN Gateway. An endpoint used to establish, manage and control VPN connections. X X509. An authentication method that uses the exchange of CA issued certificates to guarantee authenticity. 321 322 Index A accessing 6 active directory extra realm 193, 196 group search root 193, 196 kerberos discover 193, 196 kerberos realm 192, 195 multiple user search roots 193, 196 netbios domain name 196 port 192, 196 sam account name 196 server password 192, 195 server username 192, 195 admin 3 admin options 11 administration 11 administration login failures 256 administrative users 11 adsl modem settings 26 advanced 7, 8 alerts 5, 256 administration login failures 143, 256 email 278 email to sms 277 firewall notifications 256 guardian upstream proxy status 143 guardian URL violations 143 hardware failure alerts 256 health monitor 256 license expiry status 256 output system test messages 256 settings 5 system boot (restart) notification 256 system resource monitor 256 system service monitoring 256 update monitoring 256 ups, power supply status warning 256 url violations 144 application helper 61 ftp 62 h323 passthrough support 62 irc 62 pptp client support 62 archives 10 authentication 8, 177 choosing 282 core 108, 111 diagnostics 188, 198 identification by IP 109, 111 mechanisms 281 
NTLM 107, 108 SSL background tab 108, 111 session cookie 108, 111 SSL login 182 time-out 188 authentication system diagnostics 198 managing 197 restarting 198 status 198 stopping 198 B banned users 187 BitTorrent 65 blogs 148 bridging groups 55 rules 51 zones 51 C category analysis 148 central management 245 about 245 configure 253 pre-requirements 245 central management key 247 centrally manage 245 child node 247 cluster 245 configuration tests 11 connection methods 21 dial-up modem 27 ethernet 21, 23 ethernet/modem hybrid 21 isdn modem 26 modem 21 connection profiles 21 creating 21 deleting 29 modem 21 modifying 28 connection tracking 46 connections 19 connectivity 7 console connecting via 17 control 8 control page 4 Copyright 2 create 4 csv 249 importing nodes 249 csv files 249 custom categories 9 custom signatures 167 D database 206 backup 6 disk usage 208 323 Index password 206 pruning 207 remote 207 settings 6 username 206 default interface 20 users 187 denial of service 44 detection policies 163 dhcp ethernet 24 settings 24 diagnostics 11, 188, 198 dial-up modem 27 directory settings 189 prerequisites 190, 193, 194 disk usage 208 dns 156 proxy service 156 static 156 documentation 1 DoS 45 E ECN 46 eDonkey 65 email to sms 277 enable filtering 71 ethernet 21 external access 11 aliases 7 external services 8, 68 editing 69 removing 69 F failover 232, 233 failover unit 235 master 233 filtering 6 filters 9 about 89, 93, 98 firewall 5 accessing browser 6 connecting 17 notifications 256 ftp 62 G global settings 22 configuring 22 Gnutella 65 group bridging 6, 55 group search root additional 193, 196 groups 6, 8, 9, 186 banned users 187 default users 187 mapping 197 network administrators 187 324 renaming 188 unauthenticated ips 187 H h323 passthrough support 62 hardware 11 failover 233 hardware Failover 232 hardware failure alerts 256 health monitor 256 heartbeat 232 hostname 11 https 6 hybrid 21 I icmp 45 ICMP ping 45 ICMP ping broadcast 45 identification NTLM 107 
ids 5 igmp 45 IGMP packets 45 image and video sharing 148 information 6 interfaces 7 internal aliases 7 inter-zone security 51 intrusion system 163 custom policies 166 detection policies 163 policies 163 prevention policies 164 ip address defining 35 block 6 tools 11 ips 5 irc 62 isdn modem 26 settings 26 isp 23 K KaZaA 65 kerberos 193, 196 extra realms 193, 196 kerberos realm 192, 195 L leak client ip with x-forwarded-for header 134 license expiry status 256 licenses 10 load balancing 135 local users 9 activity 181 adding 178 deleting 179 editing 178 Nomadix NITO User Guide exporting 179 importing 179 managing 177 moving 180 viewing 178 log settings 6 logging 253 logs 5 enable remote syslog 272 inserting 208 remote syslog server 272 retention 272 M mac spoof 24 maintenance 10 master 233 message censor 9 custom categories 9 filters 9 time 9 message censor filtering enable 103 modem 21 settings 27 modem profile 21 modules 10 multicast traffic 45 multiple user search roots 193, 196 N netbios domain name 196 network administrators 187 interface 19 networking 6 restart 20 source mapping 38 news 148 node 250 add 248 child 247 child delete 250 child edit 250 configure child 10 csv 249 delete 250 disable 253 edit 250 import 249 local settings 10 logging 253 manage 250 monitor 251 parent 246 reboot 253 review 251 update 252 O outbound access port rules 63 source rules 66 outgoing 8 output settings 6 output system test messages 256 P pages central management 10 guardian block page policies block pages 13 manage policies 13 policy wizard 13 content modification policies manage policies 13 policy wizard 13 https inspection policies manage policies 12 policy wizard 12 settings 13 policy objects category groups 13 locations 13 quotas 14 time slots 13 user defined 13 quick links getting started 12 quick block/allow 12 shortcuts 12 web filter policies exceptions 12 location blocking 12 manage policies 12 outgoing 12 policy wizard 12 info alerts 5 alerts 5 custom 4 logs 5 firewall 
5 ids 5 ips 5 system 5 realtime 5 firewall 5 portal 5 system 5 traffic graphs 5 reports reports 4 saved 4 scheduled reports 4 settings alert settings 5 database backup 6 database settings 6 groups 6 log settings 6 output settings 6 user portal 5 information 6 325 Index main 6 networking 6 filtering 6 group bridging 6 ip block 6 zone bridging 6 firewall 7 advanced 7 port forwarding 7 source mapping 7 interfaces 7 connectivity 7 external aliases 7 interfaces 7 internal aliases 7 ppp 7 secondaries 7 outgoing 8 external services 8 groups 8 ports 8 sources 8 routing 6 ports 7 rip 7 sources 7 subnets 6 settings advanced 8 port groups 8 services authentication 8 control 8 groups 8 local users 9 settings 8 ssl login 9 temporary bans 8 user activity 9 message censor 9 user portal 9 groups 9 portals 9 user exceptions 9 system administration 11 admin options 11 administrative users 11 external access 11 central management child nodes 10 local node settings 10 overview 10 diagnostics 11 configuration tests 11 diagnostics 11 ip tools 11 traffic analysis 11 whois 11 hardware 11 ups 11 maintenance 10 archives 10 326 licenses 10 modules 10 scheduler 10 shell 10 shutdown 10 updates 10 preferences 10 hostname 11 registration options 10 time 10 web proxy authentication exceptions 15 ident by location 15 manage polices 14 policy wizard 15 mobile proxy exceptions 15 proxies 15 settings 15 upstream proxy filters 14 manage policies 14 proxies 14 web proxy automatic configuration 14 bandwidth limiting 14 settings 14 wccp 14 parent node 246 passwords 3 permissive 63 policies 9, 163 intrusion 163 port forwarding 7 port forwards 59 comment 61 creating 60 criteria 59 destination address 61 destination port 61 editing 61 enabled 61 external ip 60 logging 60 protocol 60 removing 61 source IP 60 source port 61 user defined 61 port groups 8 port rules 63 creating 64 deleting 66 editing 66 modes 63 permissive 63 preset 64 restrictive 63 stealth 65, 67 viewing 66 portal 5, 9, 149, 263 access 154 
Nomadix NITO User Guide configure 149 delete 154 edit 154 groups 153 user except 153 portals 9 ports 7, 8 ppp 7 ppp over ethernet settings 25 ppp profile 21 creating 27 pptp client support 62 pptp over ethernet settings 25 preferences 10 prevention policies 164 primary dns 20 Product Information 3 proxies dns 156 pruning 207 Q quotas 86 R realtime 5 reboot 253 reference and educational 148 registration options 10 reports 4, 201 blogs 148 category analysis 148 custom 4 database 206 image and video sharing 148 news 148 reference and educational 148 reports 4 scheduled 4 shopping and online auctions 148 social bookmarking 148 social networking 148 sport 148 web portals and search engines 148 restrictive 63 rip 7 routing 6 rules assigning 69 external access 226 external service 68 group bridging 56 internal alias 39 ip blocking 43 port 35 port forward 59 source 66 source mapping 38 subnet 31 zone bridging 51 S sam account name 196 scheduled reports 4 scheduler 10 secondaries 7 secondary dns 20 selective ACK 46 server password 192, 195 server username 192, 195 services authentication 8, 188 dhcp 168 dns 156 dns proxy 156 intrusion system 163 message censor 9 portal 9 rip 32 snmp 155 settings 6, 8 shell 10 shopping and online auctions 148 shutdown 10 site address 18 snmp 155 social bookmarking 148 social networking 148 source mapping 7, 38 source rules 66 creating 67 editing 68 rejection logging 67 removing 68 settings 67 sources 7, 8 sport 148 ssh 17 client 17 web-based 18 ssl login 9, 182 accessing the page 184 customizing 183 enabling 183 exceptions 183 static ethernet settings 24 stealth 65 subnets 6 SYN backlog queue 46 SYN cookies 45 SYN+FIN packets 46 system 5 system boot (restart) notification 256 system resource monitor 256 system service monitoring 256 T TCP timestamps 46 telephony settings 28 327 Index temporary ban 180 temporary bans 8 time 10 time out 188 time slots 9 time-out 282 Trademarks 3 traffic analysis 11 graphs 5 traffic audit 46 tutorial zone 
bridging 53 U unauthenticated ips 187 unknown entity 18 updates 10 ups 11 ups, power supply status warning 256 upstream proxies 133 allow direct connections 134 default proxy 133 leak client ip with x-forwarded-for header 134 load balancing 135 url violations alert 144 user activity 9, 181 identity 281 user exceptions 9 user portal 5 users banned 187 default 187 local 177 network administrators 187 temporary ban 180 unauthenticated IPs 187 W web filter 5 web filtering configuring manual 116 web portals and search engines 148 whois 11 window scaling 46 Z zone bridge narrow 51 rule create 51 settings 52 tutorial 53 wide 51 zone bridging 6, 51 328