
Cyberoam Best Practices

Deployment

1. Always connect the Cyberoam WAN interface to the router through a hub or switch rather than with a crossover cable, to avoid auto-negotiation problems between the Cyberoam WAN interface and the router.

2. By default, Cyberoam sends periodic Ping requests to its default gateway to check Internet connectivity. It is recommended to change this setting so that Cyberoam pings a host on the Internet that is permanently available and highly reliable, such as 8.8.8.8 or 4.2.2.2; a reachable gateway only proves that the first hop is up, not that the link beyond it is.

3. If users have browser-based proxy settings, make sure the HTTP proxy port configured in Cyberoam matches the one configured in the desktop browsers. By default, Cyberoam uses port 3128.

4. For security, Gateway mode is preferred because it uses NAT policies to hide the private addresses of the internal and DMZ networks.

5. If Cyberoam is deployed in Bridge Mode:

Do not configure the Cyberoam IP address as the gateway IP address on clients. If this happens, users will not be able to access the Internet.

Do not terminate both bridge ports on the same L2 switch. The switch would become unstable because it would learn the same MAC address on more than one switch port.

6. It is recommended to use the High Availability feature of Cyberoam for maximum network

uptime.

Note:

This feature is not available in models CR15i, CR15wi, CR25wi, CR35wi and CR25i.

7. For wireless networks, ensure maximum security by using WPA2 (with AES/CCMP) or at least WPA rather than WEP. WEP is broken and its key can be recovered from a few minutes of captured traffic.

8. Do not broadcast the SSID of your wireless networks, to keep them out of casual network scans. Note that this does not stop a determined attacker, as the SSID still appears in probe and association frames; rely on WPA2 authentication, not SSID hiding, to keep unauthorized users out of the network.

Administration

1. Access to Cyberoam should be carefully monitored and protected. Start by changing the default administration settings:

o Administrator Passwords

o Port used to access Appliance

o Access Protocols (Use secure protocols like SSH and HTTPS)


2. Create multiple administrator profiles for special-purpose administrators, such as VPN Administrator, Security Administrator and Audit Administrator. Each administrator should be assigned only the permissions required for their role in the organization.

3. It is recommended to disable administrative access to Cyberoam from all zones except the internal LAN zone or a dedicated management zone. Even from the LAN or management zone, use secure protocols (HTTPS for the GUI, SSH for the CLI) and disable the plaintext HTTP and Telnet alternatives.

4. Check regularly for firmware releases and upgrade Cyberoam to the latest firmware available.

5. Take regular backups of the Cyberoam configuration. Also take a backup before any configuration change is made to the appliance, so that the change can be rolled back.

6. Test your firewall rules and policies regularly.

7. Conduct internal audits to check the health of the appliance.

8. Enable login security:

o Enable password complexity requirements for administrators.

o Restrict the number of login attempts to prevent brute-force attacks.
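The two login-security controls in item 8, as an added Python example (this is not Cyberoam's implementation; the thresholds, the small default-password list and the injectable clock are assumptions chosen for illustration): a complexity check that reports every requirement a password fails, and a sliding-window lockout keyed on the (username, source IP) pair.

```python
import re
import time
from collections import deque

# Policy thresholds are assumptions chosen for this example, not Cyberoam defaults.
MIN_LENGTH = 12
MAX_ATTEMPTS = 5        # failed logins tolerated ...
WINDOW_SECONDS = 300    # ... within this sliding window
LOCKOUT_SECONDS = 900   # how long the (user, source IP) pair stays locked
DEFAULT_PASSWORDS = {"admin", "password", "cyberoam"}   # constructed deny-list


def password_complexity_errors(password: str) -> list[str]:
    """Return the complexity requirements the password fails (empty list = acceptable)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
        (password.lower() not in DEFAULT_PASSWORDS, "not a default or dictionary value"),
    ]
    return [requirement for ok, requirement in checks if not ok]


class LoginLimiter:
    """Sliding-window lockout keyed on (username, source IP).

    Keying on the username alone lets an attacker lock the real administrator out by
    deliberately failing; keying on the IP alone lets a distributed guesser through.
    The pair is a reasonable middle ground for an appliance whose management access
    is already restricted to one zone.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock     # injectable so the behaviour can be exercised offline
        self._failures: dict[tuple[str, str], deque[float]] = {}
        self._locked_until: dict[tuple[str, str], float] = {}

    def is_locked(self, user: str, src_ip: str) -> bool:
        until = self._locked_until.get((user, src_ip))
        return until is not None and self._clock() < until

    def record_failure(self, user: str, src_ip: str) -> bool:
        """Record a failed attempt; return True if this attempt triggered a lockout."""
        key = (user, src_ip)
        now = self._clock()
        attempts = self._failures.setdefault(key, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > WINDOW_SECONDS:   # forget attempts outside the window
            attempts.popleft()
        if len(attempts) >= MAX_ATTEMPTS:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            attempts.clear()
            return True
        return False

    def record_success(self, user: str, src_ip: str) -> None:
        """A successful login resets the failure history for that pair."""
        self._failures.pop((user, src_ip), None)


if __name__ == "__main__":
    print(password_complexity_errors("admin"))      # every requirement fails
    limiter = LoginLimiter()
    for _ in range(MAX_ATTEMPTS):
        print("locked" if limiter.record_failure("admin", "192.168.1.50") else "not yet")
```

The lockout state lives in memory here; on a real appliance it must survive the management daemon restarting, otherwise a restart is a lockout bypass.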

Firewall

1. Create a firewall rule for the DNS server IP address if desktops are configured with a public DNS IP address.

2. Create firewall rules to allow the required and critical traffic between zones because, by default, Cyberoam drops all traffic between zones except LAN to WAN. This applies in both Bridge and Gateway mode.

For example, if the mail server is placed in the DMZ zone, Cyberoam will not allow access to it from the LAN or WAN zones until rules exist:

o To reach specific applications running on the mail server, create the necessary firewall rule from each zone.

o Create a firewall rule to give the outside world access to the mail server (typically SMTP only).

3. Create firewall rules to allow access to and from applications running in the DMZ because, by default, all traffic from LAN to DMZ is dropped.

4. If Cyberoam is configured in Bridge mode and the DHCP server is in the WAN zone of Cyberoam, create a firewall rule to allow packets from the DHCP server to the LAN so that desktops can obtain IP leases.

5. If the MX IP is bound to the WAN port of Cyberoam, create a NAT rule and a Virtual Host to map the private IP address of the mail server to the MX IP.

6. If the LAN zone contains routed networks (subnets behind an internal router), create static routes in Cyberoam so that requests to and from those networks can be forwarded over the Internet.


7. If Cyberoam is configured with multiple Internet Service Providers, i.e. multiple gateways:

o To improve browsing speed and reduce latency, create a firewall rule that routes DNS requests through a specific gateway. For example, if the DNS server belongs to ISP1 but DNS requests leave through ISP2, latency increases and name resolution takes longer.

o If access to an application such as a VPN, SAP or ERP system is only allowed from a specific public IP address, create a firewall rule that routes requests for that application through the gateway holding that IP address, so they never leave from the other ISP's address and get rejected.

o Create a NAT policy binding the mail server to the MX IP, so that outbound mail always leaves from the MX address. This lets connections be established and reduces the chance of failing the reverse-DNS and MX checks that receiving mail servers perform on the sending address.

8. It is recommended to bypass DoS screening for traffic-intensive servers like VoIP and FTP, to avoid dropping legitimate traffic. Limit the bypass to those hosts and services only, so the rest of the network keeps its DoS protection.

9. Disable the NAT (source NAT, i.e. masquerading) policy on the WAN to LAN rule for the mail server. If inbound SMTP connections are masqueraded, the mail server sees every connection as coming from Cyberoam's internal interface address, which normally falls inside the networks it trusts for relaying, so it will relay mail for anyone on the Internet and becomes an open relay. It also loses the real client address for logging and reputation checks.
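As an added example (not Cyberoam's own code or configuration), the following Python models the zone policy and NAT behaviour described in items 2, 3 and 9 above: default deny between zones with an implicit LAN-to-WAN accept, first-match rule evaluation, and the effect of attaching a source-NAT policy to the inbound SMTP rule. The addressing (LAN 192.168.1.0/24, DMZ 172.16.0.0/24, mail server 172.16.0.25, WAN address 203.0.113.10), the rule sets and the mail server's relay networks are assumptions constructed for the demonstration; the mail server sits in the DMZ as in item 2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addressing constructed for this example (not from the original document).
APPLIANCE_IP = {"LAN": "192.168.1.1", "DMZ": "172.16.0.1", "WAN": "203.0.113.10"}
MAIL_SERVER = "172.16.0.25"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]      # None matches any host in dst_zone
    service: Optional[str]       # None matches any service
    action: str                  # "ACCEPT" or "DROP"
    masquerade: bool = False     # source NAT: rewrite src to the appliance's dst-zone address


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[str]]:
    """First matching rule wins. Returns (action, source address the destination host sees).

    Mirrors the default described in item 2: inter-zone traffic is dropped unless a rule
    accepts it, and only LAN->WAN is accepted implicitly (masqueraded, as in Gateway mode).
    """
    for r in rules:
        if (r.src_zone == pkt.src_zone and r.dst_zone == pkt.dst_zone
                and r.dst_host in (None, pkt.dst_ip) and r.service in (None, pkt.service)):
            if r.action != "ACCEPT":
                return "DROP", None
            seen_src = APPLIANCE_IP[pkt.dst_zone] if r.masquerade else pkt.src_ip
            return "ACCEPT", seen_src
    if pkt.src_zone == "LAN" and pkt.dst_zone == "WAN":
        return "ACCEPT", APPLIANCE_IP["WAN"]
    return "DROP", None


# Rule set following items 2, 3 and 9: explicit LAN->DMZ and WAN->DMZ access to the
# mail server, and no source NAT on the inbound SMTP rule.
RECOMMENDED_RULES = [
    Rule("LAN", "DMZ", MAIL_SERVER, "smtp", "ACCEPT"),
    Rule("LAN", "DMZ", MAIL_SERVER, "imaps", "ACCEPT"),
    Rule("WAN", "DMZ", MAIL_SERVER, "smtp", "ACCEPT", masquerade=False),
]

# The mistake item 9 warns about: the same inbound rule with a NAT (masquerade) policy attached.
OPEN_RELAY_RULES = [
    Rule("LAN", "DMZ", MAIL_SERVER, "smtp", "ACCEPT"),
    Rule("WAN", "DMZ", MAIL_SERVER, "smtp", "ACCEPT", masquerade=True),
]

# Networks the mail server relays for without authentication (assumed configuration).
RELAY_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("172.16.0.0/24")]


def mail_server_would_relay(seen_src: Optional[str]) -> bool:
    """Relay decision as the mail server makes it: trust is based on the observed source address."""
    return seen_src is not None and any(ip_address(seen_src) in net for net in RELAY_NETWORKS)


def inbound_smtp_is_open_relay(rules: list[Rule], external_ip: str = "198.51.100.7") -> bool:
    """Would an arbitrary Internet host be treated as a trusted relay client?"""
    action, seen = evaluate(rules, Packet("WAN", "DMZ", external_ip, MAIL_SERVER, "smtp"))
    return action == "ACCEPT" and mail_server_would_relay(seen)


if __name__ == "__main__":
    print(evaluate(RECOMMENDED_RULES, Packet("LAN", "DMZ", "192.168.1.50", MAIL_SERVER, "ssh")))  # dropped: no rule
    print(inbound_smtp_is_open_relay(RECOMMENDED_RULES), inbound_smtp_is_open_relay(OPEN_RELAY_RULES))
```

The interesting line is the masqueraded source: once the mail server only ever sees 172.16.0.1, every relay decision, rate limit and log entry is made against the firewall's own address rather than the real client.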

Authentication

1. If Cyberoam is integrated with one or more external authentication servers, make sure the servers are selected for firewall authentication and listed in order of preference.

2. With AD integration and Single Sign On enabled, create clientless users for hosts such as VoIP servers and MFDs that cannot authenticate manually, so that their traffic is neither blocked nor left unattributed.

3. After importing groups from AD, arrange the groups in order of preference. A user who is a member of multiple groups is mapped to the first matching group in the Cyberoam order, so that order decides which policies such users receive.

IPS

1. Create custom IPS policies containing only the signatures relevant to the protected hosts and services, to reduce packet latency and improve performance.

2. It is recommended to apply an IPS policy to the WAN to LAN firewall rules for servers hosted in the network, to protect them against attacks matching known signatures.

3. An IPS policy is not recommended for LAN to WAN traffic, unless it is used to control applications with custom signatures.


VPN

1. Create VPN to LAN firewall rules to enable Threat Free Tunnelling, i.e., scan the traffic arriving through the VPN tunnel so that the network is protected from malicious traffic originating at the remote end. In these rules, NAT policies should be disabled so that remote users reach internal resources with their own source addresses and access can be logged and controlled per host.

2. For PPTP remote access VPN, use the CHAP or MS-CHAPv2 handshake rather than PAP, which sends the password in clear. Note that PPTP with MS-CHAPv2 is itself weak (the handshake can be cracked offline), so where possible prefer IPsec or SSL VPN for remote access and treat PPTP as legacy.

3. If VPN connectivity is to be configured between a Head Office and multiple Branch Offices, create a Hub and Spoke VPN configuration, i.e., create a tunnel from each Branch Office directly to the Head Office rather than a full mesh of tunnels between branches.

Antivirus

1. For scanning of HTTP and HTTPS traffic, configure the Scan Mode as "Real Time" rather than "Batch". Real Time mode scans a file as soon as its download starts and can stop the transfer on the first match, while Batch mode waits for the complete file to be downloaded before scanning, which delays the verdict and adds latency for the user.

2. Configure Cyberoam to block access to HTTPS websites that present invalid certificates (expired, self-signed, or not matching the requested hostname). Allowing such sites defeats the purpose of HTTPS and makes man-in-the-middle attacks invisible to users.
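Added example (not Cyberoam's engine) illustrating the Real Time versus Batch difference in item 1, in Python: the streaming scanner returns a verdict as soon as the pattern appears in the bytes received so far, and carries the tail of the previous chunk so that a signature split across two chunks is still caught, while the batch scanner has to buffer the whole download first. The signature table (the EICAR test string), the chunk size and the constructed payload are assumptions made for the demonstration.

```python
from typing import Iterable, Optional

# Signature table constructed for this example: the EICAR test string is the standard,
# harmless pattern every scanner detects. A real engine has far more signatures and
# uses a multi-pattern automaton rather than repeated substring search.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}


def chunked(data: bytes, size: int) -> list[bytes]:
    """Split a payload into fixed-size chunks, standing in for data arriving on a socket."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(chunks: Iterable[bytes], keep_tail: bool = True,
                signatures=SIGNATURES) -> tuple[Optional[str], int]:
    """Real Time mode: inspect each chunk as it arrives and stop the transfer on the first hit.

    Returns (signature name or None, bytes consumed before the verdict). With keep_tail the
    scanner carries the last len(sig)-1 bytes of the previous chunk so a pattern split across
    two chunks is still matched; keep_tail=False is the naive version that misses it.
    """
    tail_len = max(len(sig) for sig in signatures.values()) - 1
    carry = b""
    consumed = 0
    for chunk in chunks:
        consumed += len(chunk)
        window = carry + chunk
        for name, sig in signatures.items():
            if sig in window:
                return name, consumed      # verdict before the rest of the file is fetched
        carry = window[-tail_len:] if (keep_tail and tail_len > 0) else b""
    return None, consumed


def scan_batch(chunks: Iterable[bytes], signatures=SIGNATURES) -> tuple[Optional[str], int]:
    """Batch mode: buffer the whole file, then scan. Same verdict, but only after the full download."""
    data = b"".join(chunks)
    for name, sig in signatures.items():
        if sig in data:
            return name, len(data)
    return None, len(data)


if __name__ == "__main__":
    # Constructed download: the signature straddles the 1000-byte chunk boundary.
    payload = b"A" * 950 + SIGNATURES["EICAR-Test-File"] + b"B" * 5000
    print(scan_stream(chunked(payload, 100)))                   # verdict after 1100 bytes
    print(scan_stream(chunked(payload, 100), keep_tail=False))  # boundary split missed
    print(scan_batch(chunked(payload, 100)))                    # verdict only after all 6018 bytes
```

The carry buffer is the part worth copying: any chunk-at-a-time inspection (proxy, IDS, DLP) that does not retain len(pattern)-1 bytes across reads can be bypassed simply by arranging for the pattern to straddle a read boundary.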

Antispam

1. Configure Cyberoam to "Accept" oversized emails so that legitimate large messages are not dropped. Be aware that accepted oversized messages are passed through without the full antispam scan, so the mail server's own filtering should cover them.

2. Enable Spam Digest so that end users can review and release their own quarantined mails.

3. Configure Cyberoam to verify the IP reputation of the sender of every email. Known spam sources are then rejected at connection time, before the message body is received and scanned, which improves antispam accuracy and reduces scanning load.
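Cyberoam's IP reputation check is a vendor feed; the open mechanism behind such checks is a DNS-based blocklist (DNSBL) lookup, shown here as an added Python example that is not Cyberoam's code. The sender's IPv4 octets are reversed and prefixed to the blocklist zone, a loopback-range A record means "listed", and the decision is taken at connection time before the message is accepted. The resolver is injected and its answers are constructed so the example runs offline; zen.spamhaus.org appears only as the conventional zone name, and the non-routable ranges that are skipped are an assumption for the example.

```python
import ipaddress
from typing import Callable, Optional, Sequence

# Ranges never worth querying: a listing for them is meaningless, and the query would leak
# internal addressing to the blocklist operator. (Assumed policy for this example.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBL answers are loopback-range addresses


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, blocklist zone appended (RFC 5782 convention)."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 senders only")
    return ".".join(reversed(sender_ip.split("."))) + "." + zone


def ip_reputation(sender_ip: str, resolve: Callable[[str], Sequence[str]],
                  zones: Sequence[str] = ("zen.spamhaus.org",)) -> Optional[str]:
    """Return the first zone that lists the sender, or None.

    resolve(name) returns the A records for a name (an empty sequence for NXDOMAIN); it is
    injected so the logic can be exercised without network access.
    """
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in NON_ROUTABLE):
        return None
    for zone in zones:
        answers = resolve(dnsbl_query_name(sender_ip, zone))
        # Only 127.0.0.0/8 answers are real listings. A resolver that hijacks NXDOMAIN, or a
        # captive portal, returns public addresses; treating those as "listed" would reject all mail.
        if any(ipaddress.ip_address(a) in LISTING_RANGE for a in answers):
            return zone
    return None


# Constructed answers standing in for real DNS: 203.0.113.5 is "listed", 198.51.100.9 gets a
# bogus non-loopback answer, everything else is NXDOMAIN.
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.2"],
    "9.100.51.198.zen.spamhaus.org": ["192.0.2.1"],
}


def fake_resolve(name: str) -> Sequence[str]:
    return FAKE_DNS.get(name, [])


def smtp_connection_verdict(sender_ip: str, resolve=fake_resolve) -> str:
    """Decision at connection time, before DATA: reject listed senders, continue for the rest."""
    zone = ip_reputation(sender_ip, resolve)
    return f"554 5.7.1 rejected: {sender_ip} listed in {zone}" if zone else "220 continue"


if __name__ == "__main__":
    for sender in ("203.0.113.5", "198.51.100.9", "192.0.2.44", "10.0.0.3"):
        print(sender, "->", smtp_connection_verdict(sender))
```

Rejecting at the SMTP greeting, as the verdict function does, is what gives the performance benefit described in item 3: the message body is never transferred, so neither the antispam nor the antivirus scanner sees it.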

QoS

1. Create appropriate QoS policies for mission-critical applications.

2. Assign the highest priority to real-time traffic like VoIP and the lowest priority to bulk protocols like FTP or P2P file transfer, so that bandwidth is managed predictably.