Blue Coat ® Systems
SG Appliance
Configuration and Management Guide
Volume 5: Securing the Blue Coat SG Appliance
SGOS Version 5.1.x
Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
bcs.info@bluecoat.com
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright© 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®,
Blue Coat®, Accelerating The Internet®, Proxy SG ®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate
Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Document Number: 231-02841
Document Revision: SGOS 5.1.x—03/2007
Contents
Contact Information
Chapter 1: About Security
Controlling SG Appliance Access .....................................................................................................................9
Controlling User Access with Identity-based Access Controls ....................................................................9
SSL Between the SG Appliance and the Authentication Server.................................................................10
About This Book ................................................................................................................................................10
Document Conventions....................................................................................................................................11
Chapter 2: Controlling Access to the SG Appliance
Limiting Access to the SG Appliance .............................................................................................................13
Requiring a PIN for the Front Panel........................................................................................................13
Limiting Workstation Access ...................................................................................................................14
Securing the Serial Port .............................................................................................................................14
About Password Security .................................................................................................................................14
Limiting User Access to the SG Appliance—Overview ..............................................................................15
Moderate Security: Restricting Management Console Access Through the Console Access Control List (ACL) .........17
Maximum Security: Administrative Authentication and Authorization Policy......................................18
Defining Administrator Authentication and Authorization Policies.................................................18
Defining Policies Using the Visual Policy Manager .............................................................................18
Defining Policies Directly in Policy Files ................................................................................................19
Admin Transactions and <Admin> Layers............................................................................................19
Example Policy Using CPL Syntax ..........................................................................................................22
Chapter 3: Controlling Access to the Internet and Intranet
Using Authentication and Proxies ..................................................................................................................23
Understanding Authentication Modes ...................................................................................................23
Understanding Origin-Style Redirection................................................................................................25
Selecting an Appropriate Surrogate Credential ....................................................................................26
Configuring Transparent Proxy Authentication ...................................................................................26
Using SSL with Authentication and Authorization Services......................................................................28
Using SSL Between the Client and the SG Appliance ..........................................................................28
Creating a Proxy Layer to Manage Proxy Operations .................................................................................28
Using CPL ...................................................................................................................................................29
Chapter 4: Understanding and Managing X.509 Certificates
Section A: Concepts
Public Keys and Private Keys ..........................................................................................................................38
Certificates ..........................................................................................................................................................38
SSL Certificates........................................................................................................................................... 38
CA Certificates ........................................................................................................................................... 39
External Certificates................................................................................................................................... 39
Keyrings.............................................................................................................................................................. 39
Cipher Suites Supported by SGOS Software ................................................................................................ 39
Server-Gated Cryptography and International Step-Up.............................................................................40
Section B: Using Keyrings and SSL Certificates
Creating a Keyring ............................................................................................................................................ 42
Deleting an Existing Keyring and Certificate ........................................................................................ 44
Section C: Managing Certificates
Managing Certificate Signing Requests ......................................................................................................... 45
Creating a CSR ........................................................................................................................................... 45
Viewing a Certificate Signing Request ................................................................................................... 46
Managing SSL Certificates ............................................................................................................................... 46
Creating Self-Signed SSL Certificates ..................................................................................................... 47
Importing a Server Certificate.................................................................................................................. 48
Using Certificate Revocation Lists ................................................................................................................. 48
Troubleshooting Certificate Problems ........................................................................................................... 50
Section D: Using External Certificates
Importing and Deleting External Certificates ............................................................................................... 51
Deleting an External Certificate ............................................................................................................... 51
Digitally Signing Access Logs ......................................................................................................................... 51
Section E: Advanced Configuration
Importing an Existing Keypair and Certificate............................................................................................. 53
About Certificate Chains.................................................................................................................................. 55
Importing a CA Certificate .............................................................................................................................. 55
Creating CA Certificate Lists........................................................................................................................... 56
Chapter 5: Certificate Realm Authentication
How Certificate Realm Works ........................................................................................................................ 59
Creating a Certificate Realm............................................................................................................................ 60
Defining a Certificate Realm ........................................................................................................................... 60
Defining Certificate Realm General Properties ............................................................................................ 61
Revoking User Certificates .............................................................................................................................. 62
Creating the Certificate Authorization Policy .............................................................................................. 63
Tips ...................................................................................................................................................................... 63
Chapter 6: Oracle COREid Authentication
Understanding COREid Interaction with Blue Coat ................................................................................... 65
Configuring the COREid Access System....................................................................................................... 65
Additional COREid Configuration Notes ..................................................................................................... 66
Configuring the SG Realm............................................................................................................................... 66
Participating in a Single Sign-On (SSO) Scheme .......................................................................................... 67
Avoiding SG Appliance Challenges........................................................................................................ 67
Creating a COREid Realm ............................................................................................................................... 67
Configuring Agents .......................................................................................................................................... 68
Configuring the COREid Access Server ........................................................................................................ 69
Configuring the General COREid Settings.................................................................................................... 70
Creating the CPL ............................................................................................................................................... 71
Chapter 7: Forms-Based Authentication
Section A: Understanding Authentication Forms
User/Realm CPL Substitutions for Authentication Forms......................................................................... 77
Tip........................................................................................................................................................................ 78
Section B: Creating and Editing a Form
Section C: Setting Storage Options
Section D: Using CPL with Forms-Based Authentication
Tips ...................................................................................................................................................................... 84
Chapter 8: IWA Realm Authentication and Authorization
How Blue Coat Works with IWA ................................................................................................................... 85
Creating an IWA Realm .................................................................................................................................. 85
IWA Servers ....................................................................................................................................................... 86
Defining IWA Realm General Properties ...................................................................................................... 87
Creating the CPL ............................................................................................................................................... 89
Notes ................................................................................................................................................................... 89
Chapter 9: LDAP Realm Authentication and Authorization
Overview ............................................................................................................................................................ 91
Creating an LDAP Realm ................................................................................................................................ 92
LDAP Servers .................................................................................................................................................... 92
Defining LDAP Base Distinguished Names ................................................................................................. 93
LDAP Search & Groups Tab (Authorization and Group Information) .................................................... 96
Customizing LDAP Objectclass Attribute Values........................................................................................ 98
Defining LDAP General Realm Properties................................................................................................... 98
Creating the CPL ............................................................................................................................................. 100
Chapter 10: Local Realm Authentication and Authorization
Creating a Local Realm .................................................................................................................................. 103
Changing Local Realm Properties ................................................................................................................ 103
Defining the Local User List .......................................................................................................................... 104
Creating a Local User List....................................................................................................................... 105
Populating a List using the .htpasswd File .......................................................................................... 106
Uploading the .htpasswd File ............................................................................................................... 106
Populating a Local User List through the SG Appliance ................................................................... 107
Enhancing Security Settings for the Local User List........................................................................... 109
Creating the CPL ............................................................................................................................................. 110