Strengthen Cyberoam UTM Deployment in order to secure the network

Applicable to Version: 10.00 onwards

A network is only as secure as its weakest link. The Cyberoam UTM sits as the access control gateway between the trusted LAN and the untrusted WAN, so it is of the utmost importance to strengthen the Cyberoam UTM deployment in order to secure the network.

This document has three (3) sections:

·         Access to Web Admin Console

The entire configuration is done from the Web Admin Console. Access the Web Admin Console as a user with the “Administrator” profile.

Appliance access allows limiting the Administrative access of the following appliance services from various default as well as custom zones – LAN, WAN, DMZ, and VPN:

·         Admin Services – HTTP, HTTPS, Telnet, SSH

·         Authentication Services – Windows/Linux Client, Captive portal
·         Network Services – DNS, Ping
·         Other Services – Web Proxy, SSL VPN

Default Access Control Configuration
 
Admin Services - HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services will be enabled for administrative functions in LAN zone. HTTPS (TCP port 443) services will be enabled for administrative functions in WAN zone. HTTP (TCP port 80) services will be enabled for administrative functions in DMZ zone.
 
Authentication Services - Windows/Linux Client (UDP port 6060) and Captive portal Authentication (TCP port 8090) will be enabled for User Authentication Services in LAN zone. User Authentication Services are not required for any of the Administrative functions but required to apply user based internet surfing, bandwidth, and data transfer restrictions.
 
Network Services - Ping and DNS services will be enabled for LAN zone.
 
Other Services - Web Proxy service will be enabled for LAN zone. SSL VPN (TCP port 8443) service will be enabled for LAN, WAN and DMZ zones.
 
      1. Go to System --> Administration --> Appliance access to manage access to devices from different zones over secured protocols - 
        HTTPS and SSH
 
         
         Click on Apply and the Appliance Access will be updated successfully.
 

      2. For additional security, it is recommended to change the default HTTP and HTTPS ports.
 
         Go to System --> Administration --> Settings to manage the administration settings.
 
       
         Click on Apply and the Administrative Settings will be updated successfully.
  
 
      3. Allow access to Web Admin Console and CLI from a specific IP address or MAC address in the network.
 
         Go to Object --> Hosts and click on Add button to create an IP or MAC based Host, which is used to restrict access by IP or MAC address.
 
 
 

         Parameters     Value
         Name           Administrator_PC
         Type           IP
         IP Address     192.168.204.115
                        (Specify IP Address based on the Host Type selected)

    
 

         Click on OK and the IP Host will be added successfully.
 
         For MAC address based control, create a Host based on MAC address of the Administrator’s computer.
 
         Then go to Firewall --> Rule and click on Add button to create a Firewall rule that allows access to the Management IP on HTTPS and 
         SSH from the host created in step 3.
 
 
 

         Parameters     Value
         Name           Admin_Access
         Zone           Source – WAN
                        Destination – LOCAL
         Network/Host   Source – Administrator_PC
                        LOCAL – 192.168.1.15
         Services       HTTP_SSH
         Schedule       All the time
         Action         Accept

 
 
 
         Click on OK and the firewall rule will be created successfully.
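
The check below is an added example, not part of the original Cyberoam document and not a Cyberoam API or export format: it models the appliance-access settings as plain data and reports where a configuration departs from steps 1 to 3. The data layout, function name, port 4443 and the rule that only the LAN zone may go without a source-host restriction are assumptions.

```python
# Added example: audit an appliance-access matrix against steps 1-3 above.
# Service names and default ports come from this page; everything else is
# hypothetical modelling, not a Cyberoam API.
ADMIN_SERVICES = {"HTTP": 80, "HTTPS": 443, "Telnet": 23, "SSH": 22}
CLEARTEXT_ADMIN = {"HTTP", "Telnet"}  # step 1 keeps only HTTPS and SSH

# Default Access Control Configuration as described on this page.
DEFAULT_ACCESS = {
    "LAN": {"HTTP", "HTTPS", "Telnet", "SSH", "Windows/Linux Client",
            "Captive portal", "DNS", "Ping", "Web Proxy", "SSL VPN"},
    "WAN": {"HTTPS", "SSL VPN"},
    "DMZ": {"HTTP", "SSL VPN"},
}

# Constructed "after" state with steps 1-3 applied (port 4443 is assumed).
HARDENED_ACCESS = {
    "LAN": DEFAULT_ACCESS["LAN"] - CLEARTEXT_ADMIN,
    "WAN": {"HTTPS", "SSL VPN"},
    "DMZ": {"SSL VPN"},
}
HARDENED_PORTS = {"HTTPS": 4443}
HARDENED_HOSTS = {"WAN": {"192.168.204.115"}}  # Administrator_PC, step 3

def audit(access, admin_ports, admin_hosts):
    """Return sorted (zone, service, reason) findings.
    access: zone -> enabled services; admin_ports: service -> port (step 2,
    missing means default); admin_hosts: zone -> hosts allowed by the
    firewall rule (step 3)."""
    findings = []
    for zone, services in access.items():
        for svc in services & set(ADMIN_SERVICES):
            if svc in CLEARTEXT_ADMIN:
                findings.append((zone, svc, "cleartext admin protocol"))
            elif zone != "LAN" and not admin_hosts.get(zone):
                # Assumption: only the LAN zone may go without a host limit.
                findings.append((zone, svc, "no source-host restriction"))
    for svc in ("HTTP", "HTTPS"):  # ports are appliance-wide, so zone is "*"
        default = ADMIN_SERVICES[svc]
        in_use = any(svc in s for s in access.values())
        if in_use and admin_ports.get(svc, default) == default:
            findings.append(("*", svc, "default port %d" % default))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(DEFAULT_ACCESS, {}, {}):
        print(finding)
    print("hardened:", audit(HARDENED_ACCESS, HARDENED_PORTS, HARDENED_HOSTS))
```
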
 
 

Change Default Credentials for Web Admin Console

Cyberoam version 10 is shipped with a default super administrative user, which has all the privileges with the following credentials:

Username: admin

Password: admin

Apart from the Web Admin Console, the CLI can also be accessed with this password.

We recommend that you change the password of this super administrator immediately after deployment. As this account has super admin privileges for both consoles, set a complex password that is a combination of a-z, A-Z, 0-9 and special characters. An example of a complex password is “@Dm1nAcC3s$”.

 

Refer to the PDF attached below for the link to change the super administrator password:


Cyberoam is shipped with another default administrator user with credentials: cyberoam/cyber. This user has full privileges on the Web Admin Console but cannot access the CLI, while the super administrative user has full privileges on the Web Admin Console as well as the CLI.
 

Refer to the PDF attached below for the link to change the password for the default administrator user “cyberoam”.

Role Based Administration

Cyberoam provides role-based administration capabilities through profiles to offer more granular access control and flexibility. Profiles are a function of an organization's security needs and can be set up for special-purpose administrators in areas such as firewall administration, network administration, and logs administration. Profiles allow assigning permissions to individual administrators depending on their role or job need in the organization.


The profile separates Cyberoam features into access control categories for which you can enable none, read only, or read-write access.
 
Refer to the PDF attached below for the link to get more information about role-based administration.
 
Document Version: 1.0 – 13/04/2011