| 1. Routing |
| 1.2. Implement Transparent Subnet Gateway Using Bridge Pair | |||||||||||||||||||||||||||||||||||||||||||||||||||
Applicable Version: 10.02.0 Build 224 onwards Overview
Cyberoam can be deployed in Mix Mode, i.e., with the help of Bridge Pairs, both bridge and route modes can be configured simultaneously on a single Cyberoam appliance. This feature is especially useful in situations where organizations want to avail security features offered by a UTM without any change in their existing network gateway configuration. Scenario Cyberoam is deployed in Gateway Mode. As shown, the FTP Server (1.1.1.5) and Web Server (1.1.1.6) are placed in the DMZ zone. While the LAN’s gateway is Cyberoam, the servers have their gateway configured as the External Router (1.1.1.1) which is not subject to change. The servers are to be published over the Internet using public IP addresses that belong to the same subnet as External Router. This is achieved by implementing Cyberoam as a transparent subnet gateway in which the WAN and DMZ zones are configured as a Bridge Pair.
 Configuration You can configure a Bridge Pair by following the steps given below. Configuration is to be done from Web Admin Console using Administrator profile. Step 1: Configure Bridge PairGo to Network à Interface à Interface and click Add Bridge-Pair to configure bridge pair using following parameters.
 Parameter Description
 Click OK to configure Bridge Pair.
 Step 2: Create Firewall RulesGo to Firewall à Rule à Rule and create Firewall Rules to allow traffic from DMZ to WAN and WAN to DMZ as shown below.
 The above configuration implements a transparent subnet gateway using Cyberoam. Note: For security, allow only necessary traffic from WAN to DMZ.
Document Version: 1.0 – 29/09/2012 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| 1.3. Configure BGP in Cyberoam |
|
Overview
Cyberoam can be configured to communicate with neighbouring ASs using BGP. This article describes how you can configure BGP in Cyberoam. Scenario  As shown in the diagram, the entire network forms an AS 8800. Configure Cyberoam to act as a BGP peer or neighbour to AS 5566 and, hence, publish servers in Zone1 (123.186.23.0/27) and Zone 2 (81.236.82.0/27) over the Internet.
Prerequisites Prior to configuration, obtain the following details from your ISP: - BGP AS Number
- Update Source IP
- Number of Hops
Configuration To publish servers over the Internet using BGP, configure Cyberoam as an External BGP peer with the ISP router and an Internal BGP peer with the internal router. Configuring Cyberoam as EBGP Peer To Configure Cyberoam as an EBGP peer, follow the steps given below. Step 1: Create Firewall Rule to Allow Cyberoam to Receive BGP UpdatesGo to Firewall à Rule à Rule create a new rule which allows BGP traffic from WAN to LOCAL Zones.
 Step 2: Configure Cyberoam as EBGP Peer 1. Login to Cyberoam CLI Console. 2. From the Main Menu, choose Option 3 – Route Configuration. 3. From the Router Management Menu, choose Option 1 – Configure Unicast Routing. 4. From the Unicast Routing Configuration Menu, choose Option 3 – Configure BGP. 5. In the BGP command prompt, fire the following commands. ● Enable BGP configuration bgp> enable
bgp# conf t
· Declare Router-ID to identify neighbours bgp(config)# router bgp 8800
bgp(config-router)#bgp router-id 123.234.12.5
● Set peer parameters bgp(config-router)#neighbor 123.234.12.6 remote-as 5566
bgp(config-router)#neighbor 123.234.12.6 ebgp-multihop 4
bgp(config-router)#neighbor 123.234.12.6 update-source 123.234.12.5
Step 3: Publish Server Zones to the ISP To publish server networks, fire the following commands bgp(config-router)#network 123.186.23.0 mask 225.255.255.224
bgp(config-router)#network 123.234.12.4/30
The above steps configure Cyberoam as an EBGP peer to the ISP router. To check whether the EBGP peer has been successfully created, execute the following command:
bgp(config-router)#do show ip bgp summary  Configuring Cyberoam as IBGP Peer To Configure Cyberoam as an IBGP peer, follow the steps given below. Step 1: Create Firewall Rule to Allow BGP Updates on LAN Interface Go to Firewall à Rule à Rule create a new rule which allows BGP traffic from LAN to LOCAL Zones.
 Step 2: Configure Cyberoam as IBGP Peer 1. Login to Cyberoam CLI Console. 2. From the Main Menu, choose Option 3 – Route Configuration. 3. From the Router Management Menu, choose Option 1 – Configure Unicast Routing. 4. From the Unicast Routing Configuration Menu, choose Option 3 – Configure BGP. 5. In the BGP command prompt, fire the following commands. ● Enable BGP configuration bgp> enable
bgp# conf t
● Set peer parameters bgp(config)# router bgp 8800
bgp(config-router)#neighbor 123.186.23.20 remote-as 8800
bgp(config-router)#neighbor 123.186.23.20 update-source 123.186.23.18
The above steps configure Cyberoam as an IBGP peer to the Internal router. To check whether the IBGP peer has been successfully created, execute the following command: bgp(config-router)#do show ip bgp summary  Step 3: Configure Internal Router to form Cyberoam’s IBGP Peer
Here, we have shown the configuration of a Cisco router. Login to the router’s CLI and fire the following commands ● Enable BGP configuration bgp> enable
bgp# conf t
● Declare Router-ID to identify neighbours bgp(config)# router bgp 8800
bgp(config-router)#bgp router-id 123.186.23.20
● Declare server networks R2(config-router)#net 81.236.82.0 mask 255.255.255.224
R2(config-router)#net 123.186.23.0 mask 255.255.255.224
● Set peer parameters R2(config-router)#neighbor 123.186.23.18 remote-as 8800
R2(config-router)#neighbor 123.186.23.18 update-source 123.186.23.20
The above steps configure Cyberoam and the Internal Router as IBGP peers.
Document Version: 1.0 – 14/09/2012 |
| 1.4. Configure Routing Information Protocol (RIP) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Applicable to Version: 10.00 onwards
Routing Information Protocol (RIP) is a distance-vector routing protocol documented in RFC 1058. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The Cyberoam implementation of RIP supports
· RIP version 1 (as described in RFC 1058) · RIP version 2 (as described in RFC 2453) · Plain text and Message Digest 5 (MD5) authentication for RIP Version 2
Prerequisite
RIP must be enabled before carrying out any of the RIP commands. Solution: Configure RIP for Cyberoam Interfaces This document consists of two (2) sections:
To configure RIP, use the following commands from CLI Console:
Step 1: Logon to CLI and Follow On-Screen Steps
Logon to CLI Console; specify password at the password prompt and you will get the following screen:
 Choose Option 3 - Route Configuration  Go to Option 1 - Configure Unicast Routing  Go to Option 1 - Configure RIP  Step 2: Configure RIP To configure RIP, perform the tasks described in the following table
Sample RIP Configuration Screens   Logon to Cyberoam Web Admin Console with user having “Administrator” profile. Step 1: Create Firewall RuleAdditionally, a firewall rule is to be configured for the zone for which the RIP traffic is to be allowed i.e. LAN to LOCAL or WAN to LOCAL. Add Rule Go to Firewall --> Rule and click on “Add” to create Firewall rule.
 Parameters Description
 Click on OK and the Firewall Rule will be created successfully.  Document Version – 1.0 – 14/02/2012
|
| 1.5. Implement Transparent Subnet Gateways using Proxy ARP | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Applicable Version: 10.00 onwards
ARP (Address resolution protocol is a protocol that TCP/IP uses to translate IP address into MAC address (physical network address). It is used by hosts that are directly connected on a local network and uses either or both unicast and broadcast transmissions directly to each other. Host finds the physical address of another host on its network by sending an ARP query packet that includes the IP address of the receiver. But, when host A and host B are separated by a border device (a device connection two networks) such as router, Host A and Host B have to communicate via router/firewall because they are not considered as local host for each other but are “two hops apart” at layer three for each other. Above situation will arise in a network environment where there are two physical network connected by a router that are in the same IP network. Since ARP relies on broadcasts for address resolution, and broadcasts are not propagated beyond a physical network, ARP cannot function between hosts on different physical networks. When such operation is required, a device, such as a router/firewall, can be configured as an ARP proxy to respond to ARP requests on the behalf of a host on a different network. Proxy ARP is a technique of using a router to answer ARP requests. In other words, the router accepts responsibility of routing packets to the "real" destination. Proxy ARP can help hosts on a subnet reach remote subnets without the need to configure routing or a default gateway.
Transparent subnet gatewayingThe most straightforward way of addressing the above issue is to subnet a gateway transparently using Proxy ARP. A network can be extended using this technique without the knowledge of the upstream router. In other words, Transparent subnet gatewaying is a setup that involves two physical segments sharing the same IP subnet and connected together via a router. Deployment:Consider a hypothetical example where Cyberoam needs to be deployed in a network which consists of Mail server and Web server placed in the Internet and a router sharing the same IP subnet. Below given network diagram shows how Cyberoam is deployed in the network. As router and internal servers share the same IP subnet to avoid the above mentioned routing problems, we have deployed Cyberoam between Internal network and Router. As per the diagram Mail server, Web server is having public IP address and configured in DMZ zone, where as Router is configured in WAN zone with same subnet IP address. Throughout the article we will use the network parameters as shown in the diagram below.
 Configuration Follow the below mentioned steps to implement transparent subnet gateways using Proxy ARP: Step 1: Create and Assign IP address to DMZ zoneLogin to Web Admin Console with user having “Administrator” profile. Create Interface Go to Network à Interface à Interface. Click the Interface Name or Edit icon
 in the Manage column against the interface to be modified. Parameters Description
 Click OK and the Interface ‘PortC’ will be updated successfully.  Step 2: Change physical network
Change the physical location of Web and Mail servers from WAN Zone to DMZ zone. By changing the physical location one does not need to change Server IP Address.
Step 3: Enable proxy ARP and create Static Route EntriesEnable proxy ARP entries for DMZ and WAN interface from CLI Console WAN and DMZ interface must be configured to accept and respond to Proxy ARP.
1. Login to CLI Console.
2. Go to Option 4 – Cyberoam Console and execute the below mentioned command: console> set proxy-arp add interface PortB dst_ip 1.1.1.3 console> set proxy-arp add interface PortB dst_ip 1.1.1.4 console> set proxy-arp add interface PortC dst_ip 1.1.1.1
 3. To verify the configuration, use the below mentioned command:
console> show proxy-arp
 Create Static Routes for DMZ and WAN Interface Static route provides next hop information to Cyberoam. Go to Network à Static Route à Unicast and click on “Add” button to add a new static route.
 Parameters Description
 Click OK and the Unicast Route will be added successfully.  Note:
Step 4: Create Firewall Rules to Allow Web and Mail Server Traffic By default, Cyberoam blocks entire WAN-DMZ zone traffic, so create firewall rules to allow to and from traffic from web server & mail server. Go to Firewall --> Rule and Create the following Rules:
Go to Firewall à Rule and Click on “Add” button to add a LAN_DMZ_ProxyARP Firewall Rule.
 Parameters Description
  Click OK and the Host ‘ProxyARP’ will be added successfully.   Click OK and the Firewall Rule will be created successfully.  Note: In this document one Firewall Rule ‘LAN_DMZ_ProxyARP’ has been added and shown. In the same way 2 more Firewall Rules i.e WAN_DMZ_ProxyARP and DMZ_WAN_ProxyARP are to be added. Advantages With the help of Transparent Subnet Gatewaying, once can enable security for mission critical servers like Mail, Web, SAP, ERP without any configuration changes, Routing changes with minimum downtime.
Document Version: 1.3–27/11/2012
|
| 1.6. Avoid Asymmetric Routing in Cyberoam |
|
Applicable to Version: 10.00 onwards Asymmetric routing is an unwanted situation in an IP network. Asymmetric routing is a situation where for one reason or another, packets flowing in i.e. TCP connections flow through different routes to different directions. Asymmetrical routing occurs when a packet takes a certain path from source host A across the network to destination host B but then a return packet takes a separate path from the source host B to destination host A. For normal data, this is not an issue, but for some special cases, like data traveling through stateful-inspection firewalls, this routing behavior can cause some issues. This document describes the procedure to Overcome Asymmetric routing in Cyberoam.
Consider a hypothetical example as given below  Explanation In the figure above Client B behind Router A within the subnet 10.1.1.0/ 24 is trying to access the server within the subnet 192.168.1.0/24 whose IP is 192.168.1.2. In this scenario, when client B sends a TCP SYN segment to server 192.168.1.2, the Server replies back with SYN/ACK and send the traffic to its default gateway which is 192.168.1.1 (Cyberoam) since Client B and the server are in different subnets. Being a Stateful Inspection Firewall, Cyberoam would drop the packet since there is no Related State/Previous Record for this particular packet. Hence the TCP handshake never completes and Client B never gets access to the server. However, Client A (192.168.1.3) does not face issues as the TCP SYN/ACK segment never gets sent to the Cyberoam (as Depicted in the above diagram). This is because Client A (192.168.1.3) is within the same subnet as that of the server. Enabling source NAT on any of the routers will help overcome the issue of Asymmetric routing but the client would have to give away with identity based firewall. Thus to bypass to networks from the Cyberoam Stateful Inspection, refer the Solution section.
Follow the below mentioned steps to overcome asymmetric routing in Cyberoam. The entire configuration is to be done from CLI console.
Step 1
Step 2 Execute the below command to bypass subnets from Cyberoam Stateful Inspection. console> set advanced-firewall bypass-stateful-firewall-config add source_network 10.1.1.0 source_netmask 255.255.255.0 dest_network 192.168.1.0 dest_netmask 255.255.255.0
 console> set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.1.0 source_netmask 255.255.255.0 dest_network 10.1.1.0 dest_netmask 255.255.255.0   Once this is executed the SYN/ACK segment from the server while communicating back to Client B would be routed to Router A by the Cyberoam. Note:
Document Version: – 1.0 – 09/08/2011 |
| 1.7. Enable Multicast Forwarding | ||||||||||
|
Applicable to Version: 10.00 onwards In the traditional IP communication, packets are sent to a single host (Unicast transmission) to all the hosts (broadcast transmission) while in multicast routing, packets are sent to group of hosts. Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving a particular data stream. Hosts that are interested in receiving data flowing to a particular group must join the group as only group members can receive the data. Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group. Multicast addresses fall in Class D address space ranging from 224.0.0.0 to 239.255.255.255. This address range is only for the group address or destination address of IP multicast traffic. The source address for multicast datagrams is always the unicast source address. The source sends traffic to a group of hosts represented by a multicast group address and the multicast router determines which direction is upstream (toward the source) and which direction (or directions) is downstream. Cyberoam supports multicast traffic forwarding in both the mode i.e. gateway and bridge. Configuring multicast forwarding is a two step process: · Enable multicast forwarding (both the modes)
Note: By default, multicast forwarding is already enabled in Bridge mode. Consider a hypothetical example as given below: Cyberoam is configured in route (gateway) mode. DMZ users’ of Cyberoam want to receive the packets from Streaming media server (202.247.250.200). Multicast IP: 227.0.0.100
 Multicast Forwarding can be configured by 2 ways: The entire configuration is to be done from CLI console. Step 1: Enable Multicast Forwarding · Log on to CLI Console (Telnet or SSH)
· Choose option 3 – Route Configuration and press Enter
 · From Route Configuration menu, Choose option 2 – Configure Multicast Routing and press Enter
 · Then Go to Option 1 – Enable/Disable Multicast forwarding and type the command – mrouter > enable multicast-forwarding   Step 2: Configure static route (only when Cyberoam is deployed in gateway mode) · From Route Configuration menu, Choose option 2 – Configure Multicast Routing and press Enter · Then Go to Option 2 – Configure Static-routes  · Type the command – mrouter> mroute add <source interface> <source ipaddress> <destination ipaddress> <interface> where, source interface - interface from which the multicast traffic is supposed to arrive (interface that leads to the source of multicast traffic) source ipaddress – unicast IP address of source transmitting multicast traffic destination ipaddress – class D IP address (224.0.0.0 to 239.255.255.255) destination interface – interface on which you want to forward the multicast traffic (interface that leads to destination of multicast traffic)
For our example, mrouter> mroute add PortB 202.247.250.200 227.0.0.100 PortC Cyberoam will forward multicast traffic received on interface PortB from IP address 202.247.250.200 through 227.0.0.100 to DMZ user
through interface PortC Note: Multicast routes cannot be added before enabling multicast forwarding.  The entire configuration is to be done from Web Admin Console. Access Web Admin Console with user having “Administrator” profile. Step 1: Enable Multicast Forwarding Go to Network à Static Routeà Multicast and click on Apply to enable multicast forwarding.  Step 2: Configure static route (only when Cyberoam is deployed in gateway mode)
Go to Network à Static Routeà Multicast to add multicast routes.  For our example,
Cyberoam will forward multicast traffic received on interface Port B from IP address 202.247.250.200 through 227.0.0.100 to DMZ user
through interface Port C.
 Click OK and the Multicast Route will be added successfully.
 Document Version: - 1.0-16/06/2011
|