
Setting up InfoExpress CyberArmor Suite 3.5

CyberArmor is a really excellent personal firewall. The CyberArmor suite consists of a Policy Server (and Policy Manager) used to create policies, a CyberServer (used to capture logs and alarms, optional), a Secure Ping Server (optional) and an MSDE back-end. More information can be found at http://www.infoexpress.com/security_products/firewall_overview.php

The product runs on Windows platforms and allows for centralized management (including updating rulesets) of personal firewalls. The nice thing about CyberArmor is that it allows a lot of flexibility in determining where a computer is located, and can apply different rulesets based on that location. This location awareness is the core foundation of the tool, and goes much further than the location awareness found in products such as Symantec or Microsoft. Furthermore, the tool not only blocks or allows traffic based on rules, it also includes application filtering and intrusion prevention.

You’ll need a Windows server (2003 R2 in my case), with IIS installed. You’ll need a web server certificate (but you can generate a certificate with SelfSSL from the IIS resource kit if you don’t have access to a CA).

Before you begin, make sure NOT to put the server in a domain. CyberArmor Suite 3.5 doesn’t support servers that are members of a domain, so make sure not to put it in a domain. Ever.

Second, make sure to turn off DEP. Edit the boot.ini of the server and change /noexecute=optin to /noexecute=AlwaysOff

Reboot before you start installing.
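
The boot.ini change above, expressed as code. This is an added example, not part of the original post; it records the `/noexecute` value of every boot entry before rewriting it, so the previous DEP policy is on file. The sample boot.ini and the function names are constructed for illustration.

```python
import re

# The DEP switch on a boot entry, e.g. /noexecute=optin (boot.ini is case-insensitive).
NOEXECUTE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)

# Constructed sample boot.ini (not taken from the article's server).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Recovery install" /fastdetect
"""

def _os_entries(text):
    """Yield (line_index, line) for each entry under [operating systems]."""
    in_os = False
    for i, line in enumerate(text.splitlines()):
        s = line.strip()
        if s.startswith("["):
            in_os = s.lower() == "[operating systems]"
        elif in_os and "=" in s:
            yield i, line

def dep_policies(text):
    """Return [(entry label, /noexecute value or None)] for every boot entry."""
    result = []
    for _, line in _os_entries(text):
        label = line.split('"')[1] if line.count('"') >= 2 else line.strip()
        m = NOEXECUTE.search(line)
        result.append((label, m.group(1) if m else None))
    return result

def set_dep_policy(text, policy="AlwaysOff"):
    """Rewrite existing /noexecute= switches; entries without one are left alone."""
    lines = text.splitlines()
    for i, line in _os_entries(text):
        lines[i] = NOEXECUTE.sub("/noexecute=" + policy, line)
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    print("before:", dep_policies(SAMPLE_BOOT_INI))
    print("after: ", dep_policies(set_dep_policy(SAMPLE_BOOT_INI)))
```

Entries that carry no `/noexecute` switch are reported with `None` and left unchanged, so they can be reviewed by hand.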

In my environment, the installation of CyberArmor Suite 3.5 failed on Windows 2003 R2, so I had to install 3.2 and then upgrade to 3.5, which did the trick just fine.

The installation for both 3.2 and 3.5 goes as follows :

  1. Make sure all Windows patches and updates have been applied on the server.
  2. Make sure there is only one website (default), and that it’s reachable over http and https
  3. Create an ini file called casuite.ini and put it in the same folder as casuite.exe (the installer)
  4. Open the ini file and put the following line in the file : Logging=True
  5. Start the installation using the following command : casuite.exe /M=casuite.ini
  6. Click "Accept" at the "Software License Agreement Screen"
  7. Click "Next" at the "CyberArmor 3.5 Suite Installation Welcome" Screen
  8. Click "Next" at the "CyberArmor 3.5 Suite Installation" screen (with release notes).
  9. Select all the server related options, and click "Next". Initially it is recommended that you install all components on the same system.
  10. Leave the Destination Directory as the default, or change it if desired, and Click "Next" at the "Select Destination Directory" Screen
  11. Click "Next" at the "Select Program Manager Group" Screen.
  12. Click "Next" at the "Policy Server Requirement" screen.
  13. Enter and confirm the password for the root account, that’s the account that you use to log in to policy manager.
  14. Select "Logging with FRAMD database" (Default) and click "Next" at the "Select CyberServer Option" screen.
  15. Leave the log directory as default (c:\csdata) or change if desired and click "Next" at the "Select CyberServer Log Destination Directory" screen.
  16. Click "Next" at the "CyberServer Bridge Requirements" screen.
  17. Leave the SQL Server directory as default (C:\Program Files\Microsoft SQL Server\) or change if desired and click "Next" at the "Select Microsoft SQL Server Destination Directory" Screen.
  18. Leave the Database directory as default (C:\Program Files\Microsoft SQL Server\) or change if desired and click "Next" at the "Select Database Destination Directory" screen.
  19. Enter and confirm the password for the ‘sa’ account, which is the administrator password for the SQL server and click "Next" at the "Select Microsoft SQL Server Administrator Password" screen.
  20. Click "Next" at the "Ready to Install" screen.
  21. The installation will start, Setting up Microsoft SQL Server Desktop Engine screen will appear (this could take up to 20 minutes). Other shell screens will pop up as well.
  22. A screen will pop up to configure the CyberArmor Policy Manager. Enter the real IP address or FQDN name for the server (do not Enter the WINS Server name) as a Policy Server Name. Click "OK".
  23. Click "OK" at the "Configure PolicyServer" screen (This may take a minute)
  24. At the "CyberArmor Policy Manager" screen, make sure the Server name is the same IP address or server name entered in step 22. The proxy port should be left as default (11175). The username should be ‘sa’ and the password (hidden) is the same password that was entered for the ‘sa’ account in step 19. Leave the Audit Section the same (Number of days to keep the Audit records is 180). Do not import CyberArmor Binary at this step. Click "OK".
  25. The next screen is "Configure CyberServer" screen, click "OK".
  26. Leave all the defaults the same at the "CyberServer Setup" screen. Make sure "Log using FRAMD" is checked, and the number of days to keep the logs is 90 (these settings can be changed later once the installation is complete). Everything else on this screen should be unchecked, or is grayed out.
  27. Click on the Connection tab of the "CyberServer Setup" screen. Again leave all the defaults. Listening Port should be 11162, Encryption Key should be Log11160, and Max Notification Size should be 750000. The next 2 check boxes (Clients must provide password if encryption is disabled, and Log events to the debug log file) should be unchecked.
  28. Click on the Connection tab of the "CyberServer Setup" screen. This tab is used for configuring a Regional Server in a distributed environment. Again leave all the defaults. Regions Responsible and Policy Server Address should be blank, Port between CS and PS should be set to 11163, and Replication interval should be set to 180 seconds. Click "OK".
  29. At the next screen, Leave the port number for the "Secure ping server" as the default (should be 11179) and click "OK".
  30. At this point the CyberArmor Suite Installation has been completed. Click Finish to exit the installation
  31. The system has to be rebooted for the installation to complete, and services to be started. Click "OK" to restart the computer.
  32. Once the computer has been restarted, Launch Policy Manager (Start \ Programs \ InfoExpress \ CyberArmor Policy Manager \ Policy Manager)
  33. The Logon to the Policy Server screen will appear. Server name should be the real IP address or DNS name of the server entered in step 22. User Name should be ‘root’ and Password should be the password that was specified in Step 13. Click OK
  34. Enter the Registration ID and the Registration Code and click OK. Make sure that the "End Systems" screen is populated with data (Types of end systems should show CorpDesktop, CorpLaptop, and EmployeeOwned).
  35. CyberArmor suite now is completely installed and is ready to use.
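
An added example, not part of the original post or the product: after the reboot in step 31, this parses `netstat -an` output and reports which of the ports named in steps 24 to 29 have a listener and on which address. The sample output is constructed, including its protocols and bind addresses, which the article does not specify; the function names are hypothetical.

```python
import re

# Ports named in the installation steps, with the component each dialog assigns them to.
CYBERARMOR_PORTS = {
    11175: "Policy Manager proxy port",
    11162: "CyberServer listening port",
    11163: "port between CS and PS",
    11179: "Secure ping server",
}

# Constructed sample of Windows `netstat -an` output (not captured from a real server).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11162          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:11175        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:11162       192.0.2.55:3412        ESTABLISHED
  UDP    0.0.0.0:11179          *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(\S*)\s*$")

def listeners(netstat_text):
    """Return {port: [(proto, local_address), ...]} for listening sockets only."""
    found = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # TCP rows must be LISTENING; UDP rows have no state column.
        if (proto == "TCP" and state == "LISTENING") or (proto == "UDP" and not state):
            found.setdefault(port, []).append((proto, addr))
    return found

def check_cyberarmor_ports(netstat_text):
    """Return [(port, component, listeners)] for each port named in the install steps."""
    seen = listeners(netstat_text)
    return [(p, name, seen.get(p, [])) for p, name in sorted(CYBERARMOR_PORTS.items())]

if __name__ == "__main__":
    for port, name, socks in check_cyberarmor_ports(SAMPLE_NETSTAT):
        print(port, name, socks or "no listener")
```

On the server, save the output with `netstat -an > netstat.txt` and pass the file's contents to `check_cyberarmor_ports`.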

Now do the same for CyberArmor Suite v3.5

Once you have v3.5 installed, log on to the policy manager. You’ll see the 3 default End User Systems. If you are installing a new system, the first thing you should do now is create a Region and bind an End User System to a region (or create a new end user system and bind it to a region). You’ll have to "check out" before you can modify settings. Don’t forget to check in again when you have finished editing.
When you have created the policies and tested the policy, you can deploy a new policy. This will create a folder under c:\inetpub\wwwroot\cyberarmor containing the current date/time of deployment, the region, the end user system, and then the installation packages. You can install new clients using pcainst.exe (Win2K/XP) or pcamsiinst.exe (Vista) from this folder. Once the clients have been installed (and when you’ve configured automatic updates), your clients will automatically pull down updates when new versions have been deployed.

That’s it – in a nutshell.

When you are installing a new CyberArmor server and you want to import the settings from another machine (because of a migration, or disaster recovery), this is what you should do:

  1. Make sure v3.5 works, with default settings
  2. Get the pcarm.ini and pcarm.pro files from one of the policies (under c:\inetpub\wwwroot\cyberarmor). Note that each end user system has its own pcarm.ini and pcarm.pro file
  3. Log on to policy manager
  4. Go to "Tools" – "Import Shared Settings"
  5. Select the pcarm.ini file and wait until the import has completed
  6. Go to "Tools" – "Import 2.x profile"
  7. Select the pcarm.pro file, enter the name of the End User type, and the name of the Region. Make sure to ENABLE "Import the runtime settings in pcarm.ini" and DISABLE "Import the shared settings stored in pcarm.ini". Do this for each end user system type.


When the import has completed, you should now see the Region and End User system that was created on the old machine.

Next, "check out" and go to "Rules" – "Others"

Edit the "group" variable, remove the hash, and replace the hash with

Check in again, save the changes, and you are now ready to deploy again.

Note on deploying : You’ll see various "Engine" versions in the deploy window. This is what these versions mean :
Pre 3.5 Clients :
– R = Regular Engine (will require reboot before upgrade takes place)
– NB = No Boot Version
– NC = No Encryption Version
– B = Big Version support
– S = SSL Version

3.5 and later clients :
– ST = Standard Client, does not require user intervention
– V = Verbose Client, requires user interaction.

In my opinion, the ST version is the way to go.

If you have questions on how to create policies or set up the location awareness, drop me an email at peter.ve@telenet.be

2008 – 2015, Corelan Team (corelanc0d3r). All rights reserved.
