2 Hardening the appliance

Transcription

1 2 Hardening the appliance 2.1 Objective For security reasons McAfee always recommends putting the McAfee Web Gateway appliance behind a firewall. For added security McAfee also recommends that the appliance is then hardened to not allow it to listen on any external facing interfaces. By default the Web Gateway appliance listens on all interfaces when first installed. Those ports include: Out of Box Setting Management UI on HTTP port 4711 Management UI on HTTPS port 4712 HTTP/HTTPS proxy port 9090 FTP proxy port 2121 (when applicable) FTP data port 2020 (when applicable) SNMP (tcp or udp) port 9161 (when applicable) Central management port ICAP port 1344 (when applicable) Yahoo IM port 5050 (when applicable) Windoes Live Messenger ports 1863, 1864, 1865 (when applicable) SSH port 22 (v1 and v2) To harden the MWG appliance it will be required that at least two of the network interfaces are configured, one for external and one for internal traffic. For hardening the McAfee Web Gateway appliance McAfee recommends making the following changes. All ports should be bound to the internal interfaces by IP address. For example, the HTTPS management UI has been set to :4712. This can be confirmed by logging in to the appliance as root via SSH and running the command netstat an. There should be no ports listening on :4712, but should show :4712, for example. Currently the only configurations that can t be done through the admin UI are SNMP and SSH. 2.2 Configuration for SSH Here we need to block SSH access from external sources. Some companies may also want to disable SSH v1 as per their internal best practices. Please note that McAfee fully patches version Hardening Port 22 (SSH access): Login in as root over SSH or direct console vi /etc/ssh/sshd_config find the line: #ListenAddress and change it to: ListenAddress <eth0 IP> Disable SSH v1 Find the line: #Protocol 2,1 and change it to: 10

2 Protocol 2 Save the file and close it Hardening Port 9161 udp/tcp (SNMP): In the current version of MWG 7 ( build 8115) SNMP hardening must be done through SSH and can't be done in the UI. This may change in future releases. Because of this, any changes made in the UI to SNMP will reset the /etc/snmp/snmpd.conf file. Therefore all edits will be lost and need to be redone UDP Login in as root over SSH or direct console vi /etc/snmp/snmpd_conf Change "agentaddress udp:9161" to agentaddress <IP-address>:9161 # McAfee Common OS default snmpd.conf file master agentx ### BEGIN AUTOGENERATED CONFIG agentxsocket /var/agentx/wwsnmp engineid 564DFD8F-BA DE-27 agentaddress :9161 sysdescr McAfee Web Gateway sysobjectid ### END AUTOGENERATED CONFIG TCP Login in as root over SSH or direct console vi /etc/snmp/snmpd_conf Change "agentaddress tcp:9161" to "agentaddress tcp:<ip-address>:9161" # McAfee Common OS default snmpd.conf file master agentx ### BEGIN AUTOGENERATED CONFIG agentxsocket /var/agentx/wwsnmp engineid 564DFD8F-BA DE-27 agentaddress tcp: :9161 sysdescr McAfee Web Gateway sysobjectid ### END AUTOGENERATED CONFIG It is also a good idea to only allow access to SNMP from the servers themselves. This can be accomplished by specifying the server addresses instead of leaving the default * asterisk. 2.3 Hardening all other ports All other ports can be restricted through the admin UI under the "configuration" section "appliances" tab. 11

3 2.3.1 "Proxies" sub menu Hardening Port 9090 (HTTP(S) Proxy): Hardening Port 1344 (ICAP Server): The ICAP server (port 1344) is not active in MWG 7 unless it is configured and enabled. 12

4 Hardening Port 2121 (FTP Proxy) 13

5 Hardening Ports 5050, 1863, 1864, & 1865 (IM) 14

6 2.3.2 "User Interface" sub menu Hardening Ports 4711 & 4712 (HTTP(S) web interface): IMPORTANT: After these changes have been applied, a reboot of the appliance should be done to verify. After the reboot, settings can be verified by running the following command over SSH: netstat an grep LISTEN All ports listed above, will show with the internal IP, instead of ***Please note that upon scanning one may notice an output showing what looks like UDP listening on and random high ports. The netstat an output may look something like this: udp : :* udp : :* udp : :* This is a result of SNMP traps in which the Linux OS automatically adds an entry to the netstat list if an application just sends a UDP packet. McAfee Web Gateway is sending SNMP traps on those ports. MWG is NOT listening or receiving anything on these ports. This is how netstat shows them. As such there is no deemed security hole Harden disabled ports There may be occasions when an enterprise does not have all of these ports enabled. McAfee still recommends that these also be bound to the internal interface via IP address. This should be done in the event that those ports are accidentally enabled, and in turn, opening up a security hole. 15

7 2.3.4 Other ports to consider There are several other ports that need to be considered for firewall access to the MWG environment for different potential integrations with internal servers Internet access 53/udp DNS Log push options 80/tcp HTTP 443/tcp HTTPS any other proprietary ports for HTTP/HTTPS 20+21/tcp FTP (and ephemeral ports if using active FTP) Authentication integration options 445/tcp Native NTLM 389/tcp - udp LDAP 636/tcp LDAP SSL 1812 & 1813 RADIUS on Microsoft 1645 & 1646 RADIUS on Cisco 16