D-Link DFL-2560 Product Manual

D-Link DFL-2560 Manual

D-Link DFL-2560 manual content summary:

  • D-Link DFL-2560 | Product Manual - Page 1
    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
  • D-Link DFL-2560 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-2560 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 person or parties of such revision or changes. Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF
  • D-Link DFL-2560 | Product Manual - Page 4
    73 2.7.1. Auto-Update Mechanism 73 2.7.2. Backing Up Configurations 73 2.7.3. Restore to Factory Defaults 74 3. Fundamentals 77 3.1. The Address Book 77 3.1.1. Overview 77 3.1.2. IP Addresses 77 3.1.3. Ethernet Addresses 79 3.1.4. Address Groups 80 3.1.5. Auto-Generated Address Objects
  • D-Link DFL-2560 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services 86 3.2.4. Custom IP Protocol Services 88 3.2.5. Service Groups 88 3.2.6. Custom Service Timeouts 89 3.3. Interfaces 90 3.3.1. Overview 90 3.3.2. Ethernet Interfaces 92 3.3.3. VLAN 97 3.3.4. PPPoE 101 3.3.5. GRE Tunnels 103 3.3.6. Interface Groups 107 3.4.
  • D-Link DFL-2560 | Product Manual - Page 6
    User Manual 4.7. Transparent Mode 207 4.7.1. Overview 207 4.7.2. Enabling Internet Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Spanning Tree BPDU Support 217 4.7.5. Advanced Settings for Transparent Mode 218 5. DHCP Services to the D-Link Anti-Virus Service 311 6.4.6. Anti
  • D-Link DFL-2560 | Product Manual - Page 7
    User Manual 7. Address Translation 334 7.1. Overview 334 7.2. NAT 335 7.3. NAT Pools 340 7.4. SAT 343 7.4.1. Translation of a Single IP Address (1:1 343 7.4.2. Translation of Multiple IP from an alternate LDAP server 413 9.4.5. Troubleshooting with ikesnoop 414 9.4.6. IPsec Advanced Settings
  • D-Link DFL-2560 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. IPsec Troubleshooting Commands 438 12. ZoneDefense 497 12.1. Overview 497 12.2. ZoneDefense Switches 498 12.3. ZoneDefense Operation 499 12.3.1. SNMP 499 12.3.2. Threshold Rules 499 12.3.3. Manual Blocking and Exclude Lists 499 12
  • D-Link DFL-2560 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings 504 13.2. TCP Level Settings 508 13.3. ICMP Level Settings 513 13.4. State Settings 514 13.5. Connection Timeout Settings 516 13.6. Length Limit
  • D-Link DFL-2560 | Product Manual - Page 10
    Route Redundancy 173 4.10. Virtual Links Connecting Areas 177 4.11. Virtual Links with Partitioned Backbone 178 4.12. NetDefendOS OSPF Objects 179 4.13. 10.5. Minimum and Maximum Pipe Precedence 453 10.6. Traffic Grouped By IP Address 457 10.7. A Basic Traffic Shaping Scenario 460 10.8. IDP
  • D-Link DFL-2560 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11
  • D-Link DFL-2560 | Product Manual - Page 12
    Defaults 74 3.1. Adding an IP Host 78 3.2. Adding an IP Network 78 3.3. Adding an IP Services 82 3.7. Viewing a Specific Service 83 3.8. Creating a Custom TCP/UDP Service 86 3.9. Adding an IP Protocol Service 88 3.10. Defining a VLAN 100 3.11. Configuring a PPPoE Client 103 3.12 Manually Link
  • D-Link DFL-2560 | Product Manual - Page 13
    User Manual 4.14. IGMP - No Address NetDefend Firewalls 280 6.7. Using Private IP Addresses 281 6.8. H.323 with Gatekeeper 282 6.9. H.323 with Gatekeeper and two NetDefend Firewalls 284 6.10. Using the H.323 ALG in a Corporate Environment 285 6.11. Configuring remote offices for H.323 288 6.12
  • D-Link DFL-2560 | Product Manual - Page 14
    ). For example, http://www.dlink.com. Screenshots This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have a choice of management user interfaces. It was decided that the manual would be less cluttered
  • D-Link DFL-2560 | Product Manual - Page 15
    care is not exercised. Important This is an essential point that the reader should read and understand. Warning This is essential reading for the user as they should be aware that a serious situation may result if certain actions are taken or not taken. Trademarks Certain names in this publication
  • D-Link DFL-2560 | Product Manual - Page 16
    Architecture, page 19 • NetDefendOS State Engine Packet Flow, page 23 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall hardware products. NetDefendOS as a Network Security Operating System Designed as a network security
  • D-Link DFL-2560 | Product Manual - Page 17
    setup steps in Section 9.2, "VPN Quick Start". NetDefendOS supports TLS termination so that the NetDefend Firewall can act as the end point for connections by HTTP Note Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models, a simplified IDP subsystem
  • D-Link DFL-2560 | Product Manual - Page 18
    on certain D-Link NetDefend product models. Administrator management of NetDefendOS is possible through either a Web-based User Interface (the companion reference guides: • The CLI Reference Guide which details all NetDefendOS CLI commands. • The NetDefendOS Log Reference Guide which details
  • D-Link DFL-2560 | Product Manual - Page 19
    based connections. Traditional IP routers or switches NetDefend Firewall. Without interfaces, a NetDefendOS system has no means for receiving or sending traffic. The following types of interface are supported Another example of logical objects are services which represent specific protocol and port
  • D-Link DFL-2560 | Product Manual - Page 20
    interface. If no Access Rule matches then a reverse route lookup will be done in the routing tables. In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. A reverse lookup means that we look in the routing tables to confirm
  • D-Link DFL-2560 | Product Manual - Page 21
    belonging to the same connection. In addition, the service object which matched the IP protocol and ports might have contained a reference to Detection and Prevention (IDP) Rules are now evaluated in a similar way to the IP rules. If a match is found, the IDP data is recorded with the state.
  • D-Link DFL-2560 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS.
  • D-Link DFL-2560 | Product Manual - Page 23
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary
  • D-Link DFL-2560 | Product Manual - Page 24
    Figure 1.2. Packet Flow Schematic Part II. The packet flow is continued on the following page.
  • D-Link DFL-2560 | Product Manual - Page 25
    Figure 1.3. Packet Flow Schematic Part III
  • D-Link DFL-2560 | Product Manual - Page 26
    Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic
  • D-Link DFL-2560 | Product Manual - Page 28
    (also known as the Web User Interface or WebUI) is built into NetDefendOS and provides a user-friendly and intuitive graphical management interface of file transfer between the administrator's workstation and the NetDefend Firewall. Various files used by NetDefendOS can be both uploaded and downloaded with
  • D-Link DFL-2560 | Product Manual - Page 29
    same time allowing CLI access for a remote administrator connecting through a specific IPsec tunnel. By default, Web Interface access is enabled for users on the network connected via the LAN interface of the D-Link firewall (on products where more than one LAN interface is available, LAN1 is the
  • D-Link DFL-2560 | Product Manual - Page 30
    , 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is 192.168.10.1. Setting the Workstation IP The assigned NetDefend Firewall interface and the workstation interface must be
  • D-Link DFL-2560 | Product Manual - Page 31
    on for the first time, the default username is always admin and the password is admin. After successful login, the WebUI user interface will be presented in the browser window. If no configuration changes have yet been uploaded to the NetDefend Firewall, the NetDefendOS Setup Wizard will start
  • D-Link DFL-2560 | Product Manual - Page 32
    Center - Manually update or firewall or reset to factory default. • Upgrade - Upgrade the firewall's firmware. • Technical support - This option provides the option to download a file from the firewall which can be studied locally or sent to a technical support specialist to analyze a problem
  • D-Link DFL-2560 | Product Manual - Page 33
    the Web Interface By default, the Web Interface Interface, you should always logout to prevent other users with access to your workstation from getting unauthorized access Tip: Correctly routing management traffic If there is a problem with the management interface when communicating alongside VPN tunnels,
  • D-Link DFL-2560 | Product Manual - Page 34
    CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a versions of Microsoft Windows™, the up and down arrow keys allow the user to move through the list of commands in the CLI command history.
  • D-Link DFL-2560 | Product Manual - Page 36
    the command would be: AccountingServers=server1,server2,server3 Inserting into Rule Lists Rule lists such as the IP rule set have an ordering which is important. When adding using the CLI add command, the default is to add a new rule to the end of a list. When placement at a particular position is
  • D-Link DFL-2560 | Product Manual - Page 37
    done to resolve the hostname to an IP address. For example, the hostname host.company NetDefend Firewall that allows direct access to the NetDefendOS CLI through a serial connection to a PC or dumb terminal. To locate the serial console port on your D-Link hardware, see the D-Link Quick Start Guide
  • D-Link DFL-2560 | Product Manual - Page 38
    . SSH clients are freely available for almost all hardware platforms. NetDefendOS supports version 1, 1.5 and 2 of the SSH protocol. SSH access is CLI welcome message. Changing the admin User Password It is recommended to change the default password of the admin account from admin to something
  • D-Link DFL-2560 | Product Manual - Page 39
    be confused with the passwords related to user accounts. The console password is described in Section 2.1.7, "The Console Boot Menu". Changing the CLI Prompt The default CLI prompt is: gw-world:/> where Device is the model number of the NetDefend Firewall. This can be customized, for example, to
  • D-Link DFL-2560 | Product Manual - Page 40
    to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that In other words, Internet access has been enabled for the NetDefend Firewall. Managing Management Sessions with sessionmanager The CLI provides a command
  • D-Link DFL-2560 | Product Manual - Page 41
    CLI commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs (Security Gateway Script). The filename, including the extension, should not be more than 16 characters. 2. Upload the file to the NetDefend Firewall using Secure Copy (SCP). Script files
  • D-Link DFL-2560 | Product Manual - Page 42
    that has been previously uploaded to the NetDefend Firewall. For example, to execute the script called my_script.sgs is to be executed with IP address 126.12.11.01 replacing all occurrences of $1 in 12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by default
  • D-Link DFL-2560 | Product Manual - Page 43
    If an executing CLI script file encounters an error condition, the default behavior is for the script to terminate. This behavior can be .sgs -verbose Saving Scripts When a script file is uploaded to the NetDefend Firewall, it is initially kept only in temporary RAM memory. If NetDefendOS restarts
  • D-Link DFL-2560 | Product Manual - Page 44
    =141.1.1.1 " " " The file new_script_sgs can then be downloaded with SCP to the local management workstation and then uploaded and executed on the other NetDefend Firewalls. The end result is that all units will have the same IP4Address objects in their address book. The name of the file created
  • D-Link DFL-2560 | Product Manual - Page 45
    as a comment. For example: # The following line defines the If1 IP address add IP4Address If1_ip Address=10.6.60.10 Scripts Running Other Scripts It is 5. 2.1.6. Secure Copy To upload and download files to or from the NetDefend Firewall, the secure copy (SCP) protocol can be used. SCP is based on
  • D-Link DFL-2560 | Product Manual - Page 46
    File type Firmware upgrades Certificates are: • HTTPALGBanners/ - The banner files for user authentication HTML. Uploading these is described further in a header). If an administrator username is admin1 and the IP address of the NetDefend Firewall is 10.5.62.11 then to upload a configuration backup,
  • D-Link DFL-2560 | Product Manual - Page 47
    we have the same CLI script file called my_scripts.sgs stored on the NetDefend Firewall then the download command would be: > scp [email protected]: this must be followed by commit to make the change permanent. Uploads of firmware upgrades (packaged in .upg files) or a full system backup (full.bak
  • D-Link DFL-2560 | Product Manual - Page 48
    2. Management and Maintenance The options available in the boot menu are: 1. Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware to its initial factory state. The operations
  • D-Link DFL-2560 | Product Manual - Page 49
    firewall regardless of configured IP Rules. Default: Enabled Local Console Timeout Number of seconds of inactivity until the local console user is automatically logged out. Default certificates are supported. Default: HTTPS entries, address book entries, service definitions, IP rules and so on. Each
  • D-Link DFL-2560 | Product Manual - Page 50
    To find out what configuration objects exist, you can retrieve a listing of the objects. This example shows how to list all service objects. Command-Line Interface gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface 1. Go to Objects
  • D-Link DFL-2560 | Product Manual - Page 51
    : SYNRelay: PassICMPReturn: ALG: MaxSessions: Comments: Value ------telnet 23 TCP 0-65535 No No (none) 1000 Modified Comment Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. In the Comments textbox, enter your new comment 4. Click OK Verify that the new
  • D-Link DFL-2560 | Product Manual - Page 52
    the new NetDefendOS configuration is activated. Example 2.6. Adding a Configuration Object This example shows how to add a new IP4Address object, here creating the IP address 192.168.10.10, to the address book. Command-Line Interface gw-world:/> add Address IP4Address myhost Address=192.168.10.10
  • D-Link DFL-2560 | Product Manual - Page 53
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.8. Undeleting a Configuration Object A deleted object can always be restored until the configuration has been activated and committed. This example shows how to restore the deleted IP4Address object shown in the
  • D-Link DFL-2560 | Product Manual - Page 54
    default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command
  • D-Link DFL-2560 | Product Manual - Page 55
    of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines The events range from high-level, customizable, user events down to low-level and mandatory system be found in the NetDefendOS Log Reference Guide. That guide also describes the design of event messages,
  • D-Link DFL-2560 | Product Manual - Page 56
    log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity levels are found listed in the NetDefendOS Log Reference Guide. 2.2.3. Creating Log Receivers To distribute and log the
  • D-Link DFL-2560 | Product Manual - Page 57
    with a timestamp and the IP address of the machine that sent the log data: Feb 5 2000 09:45:23 firewall.ourcompany.com This is followed by in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example
  • D-Link DFL-2560 | Product Manual - Page 58
    Link and defines the SNMP objects and data types that are used to describe an SNMP Trap received from NetDefendOS. Note There is a different MIB file for each model of NetDefend Firewall. Make sure that the correct file is used. For each NetDefend Firewall problem Guide Example 2.12. an IP address
  • D-Link DFL-2560 | Product Manual - Page 59
    name for the event receiver, for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the trap receiver 5. Click OK such an undesirable situation where bandwidth is consumed unnecessarily. Default: 3600 (once per hour) Alarm Repetition Interval The
  • D-Link DFL-2560 | Product Manual - Page 60
    as signalling the beginning of the service (START). • ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP. • User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port of
  • D-Link DFL-2560 | Product Manual - Page 61
    sent AccountingRequest packet, with Acct-Status-Type set to START. • User Name - The user name of the authenticated user. • NAS IP Address - The IP address of the NetDefend Firewall. • NAS Port - The port on the NAS on which the user was authenticated. (This is a physical port and not a TCP or
  • D-Link DFL-2560 | Product Manual - Page 62
    user. An Interim Accounting Message can be seen as a snapshot of the network resources that an authenticated user an authenticated user has sent an authenticated user. It contains the user has not • A user authentication object in the IP rule set. default port number used is 1813 although this is user
  • D-Link DFL-2560 | Product Manual - Page 63
    that the NetDefend Firewall administrator issues a shutdown command while authenticated users are still User Authentication module in NetDefendOS is based on the user's IP address. Problems can therefore occur with users who have the same IP address. This can happen, for example, when several users
  • D-Link DFL-2560 | Product Manual - Page 64
    will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at shutdown If there is an orderly shutdown of the NetDefend Firewall by the administrator, then NetDefendOS will delay the shutdown until it has sent
  • D-Link DFL-2560 | Product Manual - Page 65
    firewall. This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660 readings of hardware monitor values. Minimum value: 100 Maximum value: 10000 Default: 500 Using the hwm CLI Command To get a list current
  • D-Link DFL-2560 | Product Manual - Page 66
    2.4. Hardware Monitoring Chapter 2. Management and Maintenance The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit) SYS Temp [TEMP
  • D-Link DFL-2560 | Product Manual - Page 67
    for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by MIB (where NNN indicates the model number of the firewall) and this should be transferred to the hard controls if the IP rule set checks all accesses by SNMP clients. This is by default disabled and the
  • D-Link DFL-2560 | Product Manual - Page 68
    : mgmt-net 4. Click OK Should it be necessary to enable SNMPBeforeRules (which is enabled by default) then the setting can be found in System > Remote Management > Advanced Settings. 2.5.1. SNMP WebUI. SNMP Before Rules Enable SNMP traffic to the firewall regardless of configured IP Rules.
  • D-Link DFL-2560 | Product Manual - Page 69
    excess requests will be ignored by NetDefendOS. Default: 100 System Contact The contact person for the managed node. Default: N/A System Name The name for the managed node. Default: N/A System Location The physical location of the node. Default: N/A Interface Description (SNMP) What to display in
  • D-Link DFL-2560 | Product Manual - Page 70
    complete syntax of the pcapdump command is described in the CLI Reference Guide. A Simple Example An example of pcapdump usage is the following using Capture Files Since the only way to delete files from the NetDefend Firewall is through the serial console, the recommendation is to always use
  • D-Link DFL-2560 | Product Manual - Page 71
    ip= - Filter source or destination IP address. -ipsrc= - Filter on source IP address. -ipdest= - Filter on destination IP of pcapdump can save buffered packet information to a file on the NetDefend Firewall. These output files are placed into the NetDefendOS root directory and
  • D-Link DFL-2560 | Product Manual - Page 72
    that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source tool Wireshark (formerly called Ethereal) is an extremely useful analysis tool for examining logs of
  • D-Link DFL-2560 | Product Manual - Page 73
    to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically selecting
  • D-Link DFL-2560 | Product Manual - Page 74
    System In this example we will backup the entire system on 12 December 2008. Web Interface 1. Go to Maintenance > Backup Defaults A restore to factory defaults can be applied so that it is possible to return to the original hardware state that existed when the NetDefend Firewall was shipped by D-Link
  • D-Link DFL-2560 | Product Manual - Page 75
    and the unit will continue to load and startup with its default factory settings. The IP address 192.168.1.1 will be assigned to the LAN interface. Reset Procedure for the NetDefend DFL-1600, 1660, 2500, 2560 and 2560G To reset the DFL-1600/1660/2500/2560/2560G models, press any key on the keypad
  • D-Link DFL-2560 | Product Manual - Page 77
    exist by default and some must be defined by the administrator. In addition, the chapter explains the different interface types and explains how security policies are constructed by the administrator. • The Address Book, page 77 • Services, page 82 • Interfaces, page 90 • ARP, page 108 • IP Rule Sets
  • D-Link DFL-2560 | Product Manual - Page 78
    addresses. For example, 192.168.0.10-192.168.0.15 represents six hosts in consecutive order. Example 3.1. Adding an IP Host This example adds the IP host www_srv1 with IP address 192.168.10.16 to the address book: Command-Line Interface gw-world:/> add Address IP4Address www_srv1 Address=192.168.10
  • D-Link DFL-2560 | Product Manual - Page 79
    3. Choose Delete from the menu 4. Click OK Deleting In-use IP Objects If an IP object is deleted that is in use by another object then NetDefendOS will not allow the configuration to be saved to the NetDefend Firewall. 3.1.3. Ethernet Addresses Ethernet Address objects are used to define
  • D-Link DFL-2560 | Product Manual - Page 80
    be used with this group, thereby greatly reducing the administrative workload. IP Addresses Can Be Excluded When groups are created with the Web Interface, is added to a group, it is possible to then explicitly exclude the IP address 192.168.2.1. This means that the group will then contain the range
  • D-Link DFL-2560 | Product Manual - Page 81
    name>_net. As an example, an interface named lan will have an associated interface IP object named lan_ip, and a network object named lannet. An IP Address object named wan_gw is auto-generated and represents the default gateway of the system. The wan_gw object is used primarily by the routing table
  • D-Link DFL-2560 | Product Manual - Page 82
    a specific type of traffic to traverse the NetDefend Firewall. Inclusion in IP rules is one of the most important usages of service objects and it is also how ALGs become associated with IP rules, since an ALG is associated with a service and not directly with an IP rule. For more information on how
  • D-Link DFL-2560 | Product Manual - Page 83
    is discussed further in Section 3.2.3, "ICMP Services". • IP Protocol Service - A service based on a user defined protocol. This is discussed further in Section 3.2.4, "Custom IP Protocol Services". • Service Group - A service group consisting of a number of services. This is discussed further in
  • D-Link DFL-2560 | Product Manual - Page 84
    services. TCP and UDP Based Services Most applications use TCP and/or UDP as transport protocol for transferring data over IP networks service. Specifying Port Numbers Port numbers are specified with all types of services and it is useful to understand how these can be entered in user interfaces
  • D-Link DFL-2560 | Product Manual - Page 85
    IP service type. For more details on how this feature works see Section 6.6.8, "TCP SYN Flood Attacks". • Pass ICMP Errors If an attempt to open a TCP connection is made by a user application behind the NetDefend Firewall attack. • ALG A TCP/UDP service can be linked to an Application Layer Gateway (
  • D-Link DFL-2560 | Product Manual - Page 86
    . This could be included in a group with http-all and then associated with the IP rules that allow web surfing. Restrict Services to the Minimum Necessary When choosing a service object to construct a policy such as an IP rule, the protocols included in that object should be as few as necessary to
  • D-Link DFL-2560 | Product Manual - Page 87
    3.2.4. Custom IP Protocol Services Chapter 3. Fundamentals ICMP messages are delivered in IP packets, and include a Message datagrams for the Type of Service and the network • Code 3: Redirect datagrams for the Type of Service and the host Parameter Problem Identifies an incorrect parameter on
  • D-Link DFL-2560 | Product Manual - Page 88
    the Internet Assigned Numbers Authority (IANA) and can be found at: http://www.iana.org/assignments/protocol-numbers Example 3.9. Adding an IP Protocol Service This example shows how to add an IP Protocol service, with the Virtual Router Redundancy Protocol. Command-Line Interface gw-world:/> add
  • D-Link DFL-2560 | Product Manual - Page 89
    troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service from the NetDefendOS state table. The default setting for this time with TCP/
  • D-Link DFL-2560 | Product Manual - Page 90
    from or enters a NetDefend Firewall will pass through one of the physical interfaces. NetDefendOS currently supports Ethernet as the only Interfaces. NetDefendOS has support for two types of sub-interfaces: • Virtual LAN (VLAN) interfaces as specified by IEEE 802.1Q. When routing IP packets over a
  • D-Link DFL-2560 | Product Manual - Page 91
    to achieve confidentiality. NetDefendOS supports the following tunnel interface types default names that are possible to modify if required. New interfaces defined by the administrator will always require a user of the use of core are when the NetDefend Firewall acts as a PPTP or L2TP server or
  • D-Link DFL-2560 | Product Manual - Page 92
    physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the be convenient to change the interface name to radio. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name
  • D-Link DFL-2560 | Product Manual - Page 93
    guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please substitute the references with the name of your chosen interface. • IP Internet. Normally, only one default all-nets route to the default gateway needs to exist in the
  • D-Link DFL-2560 | Product Manual - Page 94
    is a set of interface specific advanced settings: i. A preferred IP address can be requested. ii. A preferred lease time can be this option. When enabled, default switch routes are automatically added . The available options are: i. The speed of the link can be set. Usually this is best left as Auto
  • D-Link DFL-2560 | Product Manual - Page 95
    HA cluster heartbeats from this interface. • Quality Of Service The option exists to copy the IP DSCP precedence to the VLAN priority field for any VLAN packets. This is disabled by default. Changing the IP Address of an Ethernet Interface To change the IP address on an interface, we can use one of
  • D-Link DFL-2560 | Product Manual - Page 96
    : 0.0.0.0 UserAuthGroups: NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned : Address: UserAuthGroups: NoDefinedCredentials: Comments: Value wan_gw 0.0.0.0 No Default gateway for interface wan By using the tab key at the end of
  • D-Link DFL-2560 | Product Manual - Page 97
    commands. These are particularly useful if D-Link hardware has been replaced and Ethernet card the CLI Reference Guide. 3.3.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the number of physical Ethernet ports on a NetDefend Firewall need not limit how many totally separated
  • D-Link DFL-2560 | Product Manual - Page 98
    from the NetDefend Firewall to switches and these switches are configured with port based VLANs on their interfaces. Any physical firewall interface can Virtual LANs but can still share the same physical Ethernet link. The following principles underlie the NetDefendOS processing of VLAN tagged
  • D-Link DFL-2560 | Product Manual - Page 99
the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured
  • D-Link DFL-2560 | Product Manual - Page 100
    Default: DropLog Example 3.10. Defining a VLAN This simple example defines a virtual LAN called VLAN10 with a VLAN ID of 10. The IP address vlan10_ip. Command-Line Interface gw-world:/> add Interface VLAN VLAN10 Ethernet=lan IP=vlan10_ip Network=all-nets VLANID=10 Web Interface 1. Go to Interfaces
  • D-Link DFL-2560 | Product Manual - Page 101
    PPPoE to their broadband service. Using PPPoE the ISP can: • Implement security and access-control using username/password authentication • Trace IP addresses to a specific user • Allocate IP address automatically for PC users (similar to DHCP). IP address provisioning can be per user group The PPP
  • D-Link DFL-2560 | Product Manual - Page 102
    , support for unnumbered PPPoE is provided by default. The additional option also exists to force unnumbered PPPoE to be used in PPPoE sessions. Unnumbered PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users. These IP addresses are then manually entered
  • D-Link DFL-2560 | Product Manual - Page 103
    connected with the way IP addresses are shared in service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Retype the password • Under Authentication specify which authentication protocol to use (the default
  • D-Link DFL-2560 | Product Manual - Page 104
to transit through a network device which does not support multicasting. GRE allows tunneling through the network device. GRE GRE tunnel will connect with. • Remote Endpoint This is the IP address of the remote device which the tunnel will connect with. manually create the required route.
  • D-Link DFL-2560 | Product Manual - Page 105
    tunnel. Furthermore a Route has to be defined so NetDefendOS knows what IP addresses should be accepted and sent through the tunnel. An Example GRE Scenario The diagram above shows a typical GRE scenario, where two NetDefend Firewalls A and B must communicate with each other through the intervening
  • D-Link DFL-2560 | Product Manual - Page 106
    lan Dest Net remote_net_B lannet Service All All Setup for NetDefend Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up NetDefendOS on B are as follows: 1. In the address book set up the following IP objects: • remote_net_A: 192.168.10
  • D-Link DFL-2560 | Product Manual - Page 107
    group is used, for example, as the source interface in an IP rule , any of the interfaces in the group could provide a can be enabled (it is disabled by default). Enabling the option means that the group connections over the new interface. Example 3.12. Creating an Interface Group Command-Line
  • D-Link DFL-2560 | Product Manual - Page 108
    IP address into its corresponding Ethernet address. ARP operates at the OSI layer 2, data link firewalls, is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IP binding the IP address 10.5.16.3 to Ethernet address 4a:32:12:6c:89:
  • D-Link DFL-2560 | Product Manual - Page 109
    .168.0.10 IP address after the expiration, NetDefendOS will issue a new ARP request. The default expiration time for host but sometimes it may be necessary to manually force the update. The easiest way to achieve large LANs directly connected to the firewall, it may be necessary to adjust this value
  • D-Link DFL-2560 | Product Manual - Page 110
    advanced setting ARP Hash Size to reflect specific network requirements. The default value of this setting is 512. The setting ARP Hash Size problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users
  • D-Link DFL-2560 | Product Manual - Page 111
Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK Chapter 3. Fundamentals Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the interface's MAC address. NetDefendOS will then send out these
  • D-Link DFL-2560 | Product Manual - Page 112
    result will be the same. Publishing Entire Networks When using ARP entries, IP addresses can only be published one at a time. However, the redundancy devices, which make use of hardware layer multicast addresses. The default behavior of NetDefendOS is to drop and log such ARP requests and
  • D-Link DFL-2560 | Product Manual - Page 113
    of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced since IP. Normally, these ARP replies are dropped and logged, but the behavior can be changed by modifying the setting ARP Query No Sender. Matching Ethernet Addresses By default
  • D-Link DFL-2560 | Product Manual - Page 114
    IP of 0.0.0.0. Such sender IPs are never valid in responses, but network units that have not yet learned of their IP address sometimes ask ARP questions with an "unspecified" sender IP. Default: DropLog ARP Sender IP Determines if the IP not allowing this may cause problems if, for example, a
  • D-Link DFL-2560 | Product Manual - Page 115
    be twice as large as the table it is indexing. If the largest directly-connected LAN contains 500 IP addresses then the size of the ARP entry hash should be at least 1000 entries. Default: 512 ARP Hash Size VLAN Hashing is used to rapidly look up entries in a table. For maximum
  • D-Link DFL-2560 | Product Manual - Page 116
    security policies, and which use the same filtering parameters described above (networks/interfaces/service), include: • IP Rules These determine which traffic is permitted to pass through the NetDefend Firewall as well as determining if the traffic is subject to address translation. They are
  • D-Link DFL-2560 | Product Manual - Page 117
    8, User Authentication. IP Rules and the Default main IP Rule Set IP rule sets are the most important of these security policy rule sets. They determine the critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the NetDefend Firewall, and
  • D-Link DFL-2560 | Product Manual - Page 118
    from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default. The ordering of these steps is important. The route lookup occurs first to
  • D-Link DFL-2560 | Product Manual - Page 119
    NetDefend Firewall. If the action is Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rules from top to bottom, looking for the first matching rule. If an IP
  • D-Link DFL-2560 | Product Manual - Page 120
    • Destination Network • Service When an IP rule is triggered by engine". FwdFast Let the packet pass through the NetDefend Firewall without setting up a state for it in the of such a situation is when responding to the IDENT user identification protocol. Some applications will pause for a timeout
  • D-Link DFL-2560 | Product Manual - Page 121
    the rule set line will not affect traffic flow and will appear grayed out in the user interface. It can be re-enabled at any time. The last section of the context main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http
  • D-Link DFL-2560 | Product Manual - Page 122
    specified title text for the purpose of organizing their display in graphical user interfaces. Unlike folders, they do not require the folder to be someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains hundreds of rules it can often prove
  • D-Link DFL-2560 | Product Manual - Page 123
    object properties. We would like to create an object group for the two IP rules for web surfing. This is done with the following steps: • a title line and the IP rule as its only member. The default title of "(new Group)" is used. The entire group is also assigned a default color and the group member
  • D-Link DFL-2560 | Product Manual - Page 124
    moved to the new position, right click the object again and select the Join Preceding option. Moving Group Objects Once an object, such as an IP rule, is within a group, the context of move operations becomes the group. For example, right clicking a group object and selecting Move to Top will move
  • D-Link DFL-2560 | Product Manual - Page 125
3.5.6. Configuration Object Groups Moving Groups Groups can be moved in the same way as individual objects. By right clicking the group title line, the context menu includes options to move the entire group. For example, the Move to Top option moves the entire group to the
  • D-Link DFL-2560 | Product Manual - Page 126
    the following parameters: Name The name of the schedule. This is used in user interface display and as a reference to the schedule from other objects. Scheduled be associated with the object. This functionality is not limited to IP Rules, but is valid for most types of policies, including Traffic
  • D-Link DFL-2560 | Product Manual - Page 127
    this schedule. First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours
  • D-Link DFL-2560 | Product Manual - Page 128
authentication. References in this manual to a certificate mean an X.509 certificate. A certificate is a digital proof of identity. It links an identity to a following: • A public key: The "identity" of the user, such as name and user ID. • Digital signatures: A statement that tells the information
  • D-Link DFL-2560 | Product Manual - Page 129
    simplifies the administration of large user communities. CRLs are published on servers that all certificate users can access, using either the this field. In those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this
  • D-Link DFL-2560 | Product Manual - Page 130
    Upload a remote certificate 4. Click OK and follow the instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate cer and .key files required by NetDefendOS. It is possible, however, to manually create the required files for a Windows CA server using the following stages.
  • D-Link DFL-2560 | Product Manual - Page 131
3.7.3. CA Certificate Requests • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: 1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the
  • D-Link DFL-2560 | Product Manual - Page 132
    other equipment in the network. Time Synchronization Protocols NetDefendOS supports the optional use of Time Synchronization Protocols in order Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for
  • D-Link DFL-2560 | Product Manual - Page 133
    from GMT. The NetDefendOS time zone setting reflects the time zone where the NetDefend Firewall is physically located. Example 3.21. Setting the Time Zone To modify the when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are two
  • D-Link DFL-2560 | Product Manual - Page 134
    Time Servers. NetDefendOS supports the following time synchronization TIME) is an older method of providing time synchronization service over the Internet. The protocol provides a site-independent 3.9, "DNS"). This is not needed if using IP addresses for the servers. Example 3.23. Enabling Time
  • D-Link DFL-2560 | Product Manual - Page 135
    the synchronization interval, the default of 86400 seconds (equivalent to one day) is used. Example 3.24. Manually Triggering a Time Synchronization Time to synchronize system time... Server time: 2008-02-27 12:21:52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158) Local
  • D-Link DFL-2560 | Product Manual - Page 136
    than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. firewall clock. These servers communicate with NetDefendOS using the SNTP protocol. When the D-Link Server option is chosen, a predefined set of recommended default
  • D-Link DFL-2560 | Product Manual - Page 137
: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1. Default: None Secondary Time Server DNS hostname or IP Address of Timeserver 2. Default: None Tertiary Time Server DNS hostname or IP Address of Timeserver 3. Default: None Interval between synchronization Seconds between each
  • D-Link DFL-2560 | Product Manual - Page 138
3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10
  • D-Link DFL-2560 | Product Manual - Page 139
    in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same. A Uniform is configured to use one primary and one secondary DNS server, having IP addresses 10.0.0.1 and 10.0.0.2 respectively. Command-Line Interface gw-world:/>
  • D-Link DFL-2560 | Product Manual - Page 140
can be used to troubleshoot problems by seeing what NetDefendOS is sending and what the servers are returning. Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of time and may blacklist IP addresses that are
  • D-Link DFL-2560 | Product Manual - Page 141
3.9. DNS
  • D-Link DFL-2560 | Product Manual - Page 142
    fundamental functions of NetDefendOS. Any IP packet flowing through a NetDefend Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of
  • D-Link DFL-2560 | Product Manual - Page 143
    , or whenever the network topology is complex, the work of manually maintaining static routing tables can be time-consuming and also problematic. is not needed. When a router lies between the NetDefend Firewall and the destination network, a gateway IP must be specified. For example, if the route
  • D-Link DFL-2560 | Product Manual - Page 144
    below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive and either one to the route and is used as a weight when performing comparisons between alternate routes. If two diagram below illustrates a typical NetDefend Firewall usage scenario. Figure 4.1.
  • D-Link DFL-2560 | Product Manual - Page 145
    to as the Default Route as it IP address. We would say that this network is not bound to the physical interface. Clients on this second network won't then be able to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem
  • D-Link DFL-2560 | Product Manual - Page 146
    in this second network must also have their Default Gateway set to 10.2.2.1 in order to reach the NetDefend Firewall. This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security
  • D-Link DFL-2560 | Product Manual - Page 147
and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is predefined and is always routing. These user-defined extra routing tables can be used to implement Policy Based Routing which means the administrator can set up rules in the IP rule set
  • D-Link DFL-2560 | Product Manual - Page 148
    255.255 255.255.255.255 192.168.0.10 192.168.0.10 1 Default Gateway: 192.168.0.1 Persistent Routes: None The corresponding routing table in NetDefendOS to define one route for the destination IP address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192.168.0.18 to 192.168
  • D-Link DFL-2560 | Product Manual - Page 149
    Static Routes are Added Automatically for Each Interface When the NetDefend Firewall is started for the first time, NetDefendOS will automatically add a route in the main routing table for each physical interface. These routes are assigned a default IP address object in the address book and these
  • D-Link DFL-2560 | Product Manual - Page 150
    default routes is 100 The metric assigned to the default routes automatically created for the physical interfaces is always 100. These automatically added routes cannot be removed manually words, two interfaces named lan and wan, and with IP addresses 192.168.0.10 and 193.55.66.77, respectively
  • D-Link DFL-2560 | Product Manual - Page 151
    IP Metric 127.0.0.1 core (Shared IP) 0 192.168.0.1 core (Iface IP) 0 213.124.165.181 core (Iface IP) 0 127.0.3.1 core (Iface IP) 0 127.0.4.1 core (Iface IP Guide. 4.2.3. Route Failover Overview NetDefend Firewalls connections to the two service providers often use different
  • D-Link DFL-2560 | Product Manual - Page 152
    the following monitoring methods must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. route. Setting the Route Metric When specifying routes, the administrator should manually set a route's Metric. The metric is a positive integer
  • D-Link DFL-2560 | Product Manual - Page 153
    next best matching route will be used instead. The table below defines two default routes, both having all-nets as the destination, but using two different will be maintained. To illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP
  • D-Link DFL-2560 | Product Manual - Page 154
    however, some problems with this setup: if a route failover occurs, the default route will then monitoring a link to a local switch may not indicate a problem in another part of the internal network. • Host monitoring can be used to help in setting the acceptable Quality of Service
  • D-Link DFL-2560 | Product Manual - Page 155
    is the period of time after startup or after reconfiguration of the NetDefend Firewall which NetDefendOS will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online. This is the minimum number of hosts that must be
  • D-Link DFL-2560 | Product Manual - Page 156
    This external route specifies on which interface the network which exists between the NetDefend Firewall and the ISP can be found. If only an all-nets route is interval The time in milliseconds between polling for interface failure. Default: 500 ARP poll interval The time in milliseconds between ARP
  • D-Link DFL-2560 | Product Manual - Page 157
    ", the ARP protocol facilitates a mapping between an IP address and the MAC address of a host on an Ethernet network. However, situations may exist where a network running Ethernet is separated into two parts with a routing device such as a NetDefend Firewall in between. In such a case, NetDefendOS
  • D-Link DFL-2560 | Product Manual - Page 158
    any ARP request issued by a net_2 host connected to if2 looking for an IP address in net_1 will get a positive response from NetDefendOS. In other words, . Keep in mind that if the host has an ARP request for an IP address outside of the local network then this will be sent to the gateway
  • D-Link DFL-2560 | Product Manual - Page 159
the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route should first be deleted and then manually recreated as a new route. Proxy ARP can then be enabled on the new route.
  • D-Link DFL-2560 | Product Manual - Page 160
    routing forwards packets according to destination IP address information derived from static routes Routing can allow: Source based routing Service-based Routing User based Routing A different routing table Tables NetDefendOS, as standard, has one default routing table called main. In addition to
  • D-Link DFL-2560 | Product Manual - Page 161
    Rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing previously selected routing table is done using the source IP address. If the check fails then a Default access rule log error message is generated. 4.
  • D-Link DFL-2560 | Product Manual - Page 162
    not continue in the main routing table. 3. If Remove Interface IP Routes is enabled, the default interface routes are removed, that is to say routes to sender address in ARP queries. If no address is specified, the firewall's interface IP address will be used. • Metric: Specifies the metric for this
  • D-Link DFL-2560 | Product Manual - Page 163
    a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the NetDefend Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be
  • D-Link DFL-2560 | Product Manual - Page 164
4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-2560 | Product Manual - Page 165
    policy driven fashion. • To balance simultaneous utilization of multiple Internet links so networks are not dependent on a single ISP. • To routes is assembled. The routes in the list must cover the exact same IP address range (further explanation of this requirement can be found below). 2. If
  • D-Link DFL-2560 | Product Manual - Page 166
    similar to Round Robin but provides "stickiness" so that unique destination IP addresses always get the same route from a lookup. The importance of RLB Algorithm Settings along with the Hold Timer number of seconds (the default is 30 seconds) for the interface. When the traffic passing through the
  • D-Link DFL-2560 | Product Manual - Page 167
    to simplify specification of the values. Using Route Metrics with Round Robin An individual route has a metric associated with it, with the default metric value being zero. With the Round Robin and the associated Destination algorithms, the metric value can be set differently on matching routes
  • D-Link DFL-2560 | Product Manual - Page 168
    16.0/16 because the range is narrower with 10.4.16.0/24 for an IP address they both contain. RLB Resets There are two occasions when all RLB of clients on a network connected via the LAN interface of the NetDefend Firewall and these will access the internet. Internet access is available from either
  • D-Link DFL-2560 | Product Manual - Page 169
lan Src Network lannet lannet Dest Interface Dest Network WAN1 all-nets WAN2 all-nets Service All All The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow. Example 4.6. Setting
  • D-Link DFL-2560 | Product Manual - Page 170
    the server always sees the same source IP address (WAN1 or WAN2) from a use RLB to balance traffic between two IPsec tunnels, the problem that arises is that the Remote Endpoint for any two solution has the advantage of providing redundancy should one ISP link fail. • Use VPN with one tunnel that is
  • D-Link DFL-2560 | Product Manual - Page 171
    routing network device, such as a NetDefend Firewall, can adapt to changes of network that it can be more susceptible to certain problems such as routing loops. One of two types mechanism: • A Distance Vector (DV) algorithm. • A Link State (LS) algorithm. How a router decides the optimal or
  • D-Link DFL-2560 | Product Manual - Page 172
Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL destination IP and firewall A to know that to reach network Y, traffic needs to be sent to firewall B. Instead of having to manually
  • D-Link DFL-2560 | Product Manual - Page 173
    routes When designing the topology of a network that implements OSPF, arranging NetDefend Firewalls in a circular ring means that any firewall always has two possible routes to any other. Should any one inter-firewall connection fail, an alternative path always exists. A Look at Routing Metrics
  • D-Link DFL-2560 | Product Manual - Page 174
Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. OSPF functions by routing IP packets based only on the destination IP address found in the IP packet header. IP NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 175
An area is a generalization of an IP subnetted network. In NetDefendOS, areas should be defined separately on each NetDefend Firewall which will be part of the backbone it needs a virtual link to it. OSPF networks should the router will automatically advertise a default route so that routers in the
  • D-Link DFL-2560 | Product Manual - Page 176
    periodically on each interface using IP multicast. Routers become neighbors NOT include the Router ID of the firewall in it, the neighbor will be Links Virtual links are used for the following scenarios: A. Linking an area that does not have a direct connection to the backbone area. B. Linking
  • D-Link DFL-2560 | Product Manual - Page 177
    to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area. Figure 4.10. Virtual Links Connecting Areas In the above example, a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In this configuration only the Router
  • D-Link DFL-2560 | Product Manual - Page 178
    show fw2 need to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. To HA support to work correctly, the NetDefend Firewall needs to have a broadcast interface with at least ONE neighbor for ALL areas that the firewall is
  • D-Link DFL-2560 | Product Manual - Page 179
the OSPF network. A similar Router Process object should be defined on each NetDefend Firewall which is part of the OSPF network. General Parameters Name Router ID Private Router ID Specifies a symbolic name for the OSPF AS. Specifies the IP address that is used to identify the router in an AS. If
  • D-Link DFL-2560 | Product Manual - Page 180
the following formula: cost = reference bandwidth / bandwidth Enable this if the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool by logging OSPF protocol specific information to the log. • Off
  • D-Link DFL-2560 | Product Manual - Page 181
    links. An OSPF area is a child of the OSPF router process and there can be many area objects defined under a single router process. In most simple networking scenarios, a single area is sufficient. Like the router process object, a similar area object should be defined on all the NetDefend Firewalls
  • D-Link DFL-2560 | Product Manual - Page 182
    possible to configure if the firewall should become the default router for the stub area are not similar on each NetDefend Firewall in the OSPF network. The OSPF Hello packets to the IP multicast address 224.0.0.5. Those direct links which involve only two routers (in other words, two firewalls).
  • D-Link DFL-2560 | Product Manual - Page 183
-to-Point networks, where there is more than one router in a link that does not have OSI Layer 2 broadcast/multicast capabilities. Specifies the metric authenticated using a simple password or MD5 cryptographic hashes. If Use Default for Router Process is enabled then the values configured in the
  • D-Link DFL-2560 | Product Manual - Page 184
    is located on. IP Address The IP Address of the neighbor. This is the IP Address of the the size of the routing table in the firewall, if not advertised this will hide the networks cases this is not possible and in that case a Virtual Link (VLink) can be used to connect to the backbone through
  • D-Link DFL-2560 | Product Manual - Page 185
    Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link Routing Rule on each NetDefend Firewall which allows the routing information that the OSPF AS delivers from remote firewalls to be added to
  • D-Link DFL-2560 | Product Manual - Page 186
4.5.4. Dynamic Routing Rules OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which
  • D-Link DFL-2560 | Product Manual - Page 187
    to Process Forward Tag Route Type OffsetMetric Limit Metric To Specifies into which OSPF AS the route change should be imported. If needed, specifies the IP to route via. Specifies a tag for this route. This tag can be used in other routers for filtering. Specifies what the kind of external route
  • D-Link DFL-2560 | Product Manual - Page 188
    the override of the static routes. Allows the override of the default route. 4.5.5. Setting Up OSPF Setting up OSPF can seem complicated scenario described earlier with just two NetDefend Firewalls. In this example we connect together the two NetDefend Firewalls with OSPF so they can share
  • D-Link DFL-2560 | Product Manual - Page 189
    connected to this interface must be enabled if the physical interface doesn't connect directly to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which case the option
  • D-Link DFL-2560 | Product Manual - Page 190
    might see the following output: gw-world:/> routes Flags Network Iface Gateway Local IP Metric 192.168.1.0/24 lan 0 172.16.0.0/16 wan 0 O 192.168 the CLI Reference Guide. Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are
  • D-Link DFL-2560 | Product Manual - Page 191
    IPsec properties, the Specify address manually option needs to be enabled and the IP address in this example of 192.168.55.1 needs to be entered. This sets the tunnel endpoint IP to be 192.168.55.1 so that all OSPF traffic will be sent to firewall A with this source IP. The result of doing
  • D-Link DFL-2560 | Product Manual - Page 192
    Interface. For example, lan 4. Click OK Just selecting the Interface means that the Network defaults to the network bound to that interface. In this case lannet. This should be repeated for all the interfaces on this NetDefend Firewall that will be part of the OSPF area and then repeated for all the
  • D-Link DFL-2560 | Product Manual - Page 193
    Action > Add > DynamicRoutingRuleAddRoute 4. Move the routing table main from Available to Selected 5. Click OK Example 4.11. Exporting the Default Route into an OSPF AS In this example, the default all-nets route from the main routing table will be exported into an OSPF AS named as_0. This must
  • D-Link DFL-2560 | Product Manual - Page 194
    problem Interface By default, multicast IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples described later. Note: Interface multicast handling must be On or Auto For multicast to function with an Ethernet interface on any NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 195
    be duplicated by the multiplex rule needs to be routed to the core interface. By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address
  • D-Link DFL-2560 | Product Manual - Page 196
    translation (see below) but cannot be a FwdFast or SAT rule. Example 4.12. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now
  • D-Link DFL-2560 | Product Manual - Page 197
    SourceNetwork= SourceInterface= DestinationInterface= DestinationNetwork= Action=MultiplexSAT Service= MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}... The two values {outif;ip} represent a combination of output interface and, if address translation
  • D-Link DFL-2560 | Product Manual - Page 198
    above: Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now enter: • Name: multicast_service • Type: UDP • Destination: 1234 B. Create an IP rule: 1. Go to Rules > IP Rules > Add > IP Rule 2. Under General enter. • Name
  • D-Link DFL-2560 | Product Manual - Page 199
    • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter Click OK Note: Replace Allow with NAT for source IP translation If address translation of the source address is to the NetDefend Firewall, an IGMP query would also not have to be specified. NetDefendOS supports two IGMP
  • D-Link DFL-2560 | Product Manual - Page 200
    4.6.3. IGMP Configuration Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports
  • D-Link DFL-2560 | Product Manual - Page 201
    Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed. The first one is a report rule that allows the
  • D-Link DFL-2560 | Product Manual - Page 202
    for the original address towards if1. Two examples are provided, one for each pair of report and query rule. The upstream multicast router uses IP UpstreamRouterIP. Example 4.15. if1 Configuration The following steps need to be executed to create the report and query rule pair for if1 which uses
  • D-Link DFL-2560 | Product Manual - Page 203
    if2 which translates the multicast group. Note that the group translated therefore the IGMP reports include the translated IP addresses and the queries will contain the original IP addresses Web Interface A. Create the first IGMP Rule: 1. Go to Routing > IGMP > IGMP Rules > Add > IGMP Rule 2. Under
  • D-Link DFL-2560 | Product Manual - Page 204
    , multicast packets might be forwarded according to the default route. Default: Enabled IGMP Before Rules For IGMP traffic, by-pass the normal IP rule set and consult the IGMP rule set. Default: Enabled IGMP React To Own Queries The firewall should always respond with IGMP Membership Reports, even
  • D-Link DFL-2560 | Product Manual - Page 205
    is robust to (IGMP Robustness Variable - 1) packet losses. Global setting on interfaces without an overriding IGMP Setting. Default: 2 IGMP Startup Query Count The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartupQueryInterval at startup. Global setting on
  • D-Link DFL-2560 | Product Manual - Page 206
    4.6.4. Advanced IGMP Settings The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000
  • D-Link DFL-2560 | Product Manual - Page 207
    services (for example HTTP) and in specified directions. As long as users are accessing the services permitted, they will not be aware of the NetDefend Firewall connected Ethernet network to identify and keep track of which host IP addresses are located on that interface (this is explained further
  • D-Link DFL-2560 | Product Manual - Page 208
    Ethernet networks on either side of the NetDefend Firewall to act as though they were a single logical IP network. (See Appendix D, The OSI play" fashion, without changing their IP address (assuming their IP address is fixed). The user can still obtain the same services as before (for example HTTP,
  • D-Link DFL-2560 | Product Manual - Page 209
    all-nets Dest Interface any Dest Network all-nets Service all Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it discovers on which interface IP addresses are located. As the name suggests, single hosts
  • D-Link DFL-2560 | Product Manual - Page 210
    routing tables. By default, one main routing table always exists and once an additional routing table has been defined, the Membership for any interface can then be set to be that new table. Transparent Mode with VLANs If transparent mode is being set up for all hosts and users on a VLAN then
  • D-Link DFL-2560 | Product Manual - Page 211
    box for this is provided in the graphical user interfaces). When enabled in this way, default switch routes are automatically added to the routing need to be manually configured for proxy ARP. Transparent Mode with DHCP In most Transparent Mode scenarios, the IP address of users is predefined and
  • D-Link DFL-2560 | Product Manual - Page 212
    . In non-transparent mode the user's gateway IP would be the NetDefend Firewall's IP address but in transparent mode the ISP's gateway is on the same logical IP network as the users and will therefore be gw-ip. NetDefendOS May Also Need Internet Access The NetDefend Firewall also needs to find the
  • D-Link DFL-2560 | Product Manual - Page 213
    Interface if1 if2 if1 if1 Destination all-nets all-nets 85.12.184.39 194.142.215.15 Gateway gw-ip gw-ip The appropriate IP rules will also need to be added to the IP rule set to allow Internet access through the NetDefend Firewall. Grouping IP Addresses It can be quicker when dealing with many
  • D-Link DFL-2560 | Product Manual - Page 214
    2. Now enter: • IP Address: 10.0.0.1 • Network: 10.0.0.0/24 • Default Gateway: 10.0.0.1 • IP Address: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Enable 6. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTPAllow • Action: Allow • Service
  • D-Link DFL-2560 | Product Manual - Page 215
    on DMZ while the HTTP server on the DMZ can be reached from the Internet. The NetDefend Firewall is transparent between the DMZ and LAN but traffic is still controlled by the IP rule set. Figure 4.21. Transparent Mode Scenario 2 Example 4.18. Setting up Transparent Mode for Scenario 2 Configure
  • D-Link DFL-2560 | Product Manual - Page 216
    TransparentGroup • Network: 10.0.0.0/24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz • Source Network: 10.0.0.0/24 • Destination Network
  • D-Link DFL-2560 | Product Manual - Page 217
    : Allow • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip 9. Click OK 4.7.4. Spanning Tree BPDU Support NetDefendOS includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall. BPDU
  • D-Link DFL-2560 | Product Manual - Page 218
    the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be Transparent Mode CAM To L3 Cache Dest Learning Enable this if the firewall should be able to learn the destination for hosts by combining destination
  • D-Link DFL-2560 | Product Manual - Page 219
    should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size setting
  • D-Link DFL-2560 | Product Manual - Page 220
    the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog Broadcast Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to
  • D-Link DFL-2560 | Product Manual - Page 221
    4.7.5. Advanced Settings for Transparent Mode • Drop - Drop the packets • DropLog - Drop packets and log the event Default: Drop Relay MPLS When set to Ignore all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not
  • D-Link DFL-2560 | Product Manual - Page 223
    This chapter describes DHCP services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol that allows network administrators to automatically assign IP numbers to computers
  • D-Link DFL-2560 | Product Manual - Page 224
    IP The relayer IP address in the IP packet is also used to determine the server. The default When NetDefendOS searches for a DHCP server to service a request, it goes through the list from top to one of the user interfaces. Using Relayer IP Address Filtering As explained above a DHCP server
  • D-Link DFL-2560 | Product Manual - Page 225
    to DHCP clients. Optional Parameters Default GW This specifies what IP should be sent to the client for use as the default gateway (the router to which DNS The IP of the primary and secondary DNS servers. Primary/Secondary NBNS/WINS IP of the Windows Internet Name Service (WINS) servers
  • D-Link DFL-2560 | Product Manual - Page 226
    Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP addresses from an IP address pool called DHCPRange1. This example assumes that an IP 13.254 00-00-00-00-02-54 10.4.13.1 00-12-79-3b-dd-45 10.4.13.2 00-12-79-c4-06-e7 10.4.13.3 *00-a0-f8-23-
  • D-Link DFL-2560 | Product Manual - Page 227
    Services The asterisk "*" before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a client identifier which the client has given to the server. Tip: Lease database saving DHCP leases are, by default is the IP address that
  • D-Link DFL-2560 | Product Manual - Page 228
    Chapter 5. DHCP Services can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12-13-14-15
  • D-Link DFL-2560 | Product Manual - Page 229
    5.2.2. Custom Options Custom Option Parameters The following parameters can be set for a custom option: Code This is the code that describes the type of information being sent
  • D-Link DFL-2560 | Product Manual - Page 230
    Services 5.3. DHCP Relaying The DHCP Problem server in the local network and acts as the link between the client and a remote DHCP server. say, a route exists by default that routes interface IP addresses to Core) for relayed IP addresses from a DHCP server. It is assumed the NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 231
    IP offers from server: all-nets 3. Under the Add Route tab, check Add dynamic routes for this relayed DHCP lease 4. Click OK 5.3.1. DHCP Relay Advanced Settings The following advanced settings are available with DHCP relaying. Max Transactions Maximum number of transactions at the same time. Default
  • D-Link DFL-2560 | Product Manual - Page 232
    will be reduced to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: the disk, possible settings are Disabled, ReconfShut, or ReconfShutTimer. Default: ReconfShut Auto Save Interval How often, in seconds, should the
  • D-Link DFL-2560 | Product Manual - Page 233
    or ranges (if multiple) will be used to indicate the preferred servers. Client IP filter This is an optional setting used to specify which offered IPs are acceptable. In most cases this will be set to the default of all-nets so all addresses will be acceptable. Alternatively, a set of acceptable
  • D-Link DFL-2560 | Product Manual - Page 234
    Services Receive Interface MAC Range Prefetch leases Maximum free Maximum clients Sender IP A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving interface when an IP pool is obtaining IP keeps giving out the same IP for each client. Specifies the
  • D-Link DFL-2560 | Product Manual - Page 235
    IP Pools Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP
  • D-Link DFL-2560 | Product Manual - Page 237
    , page 315 • Denial-of-Service Attack Prevention, page 326 • by the NetDefendOS IP rule set in Default Access Rule log message will be generated. When troubleshooting dropped connections, the administrator should look out for Default Access Rule messages in the logs. The solution to the problem
  • D-Link DFL-2560 | Product Manual - Page 238
    be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, : The interface that the packet arrives on. • Network: The IP span that the sender address should belong to. Access Rule Actions The Default Access Rule Messages
  • D-Link DFL-2560 | Product Manual - Page 239
    If, for some reason, the Default Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that
  • D-Link DFL-2560 | Product Manual - Page 240
    inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (ALGs) which by first associating it with a Service object and then associating that service with an IP rule in the NetDefendOS IP rule set. Figure 6.1. Deploying an ALG
  • D-Link DFL-2560 | Product Manual - Page 241
    total for the HTTP service across all interfaces. The full list of default maximum session values is: default value of the maximum sessions can often be too low for HTTP if there are a large number of clients connecting through the NetDefend Firewall by establishing a TCP/IP connection to a known
  • D-Link DFL-2560 | Product Manual - Page 242
    data then the download will be dropped. If nothing is marked in this mode then no files can be downloaded. Additional filetypes not included by default can be added to the Allow/Block list however these cannot be subject to content checking meaning that the file extension will be trusted as
  • D-Link DFL-2560 | Product Manual - Page 243
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for
  • D-Link DFL-2560 | Product Manual - Page 244
    the FTP client to the FTP server, just like the command channel. This is the often recommended default mode for FTP clients though some advice may recommend the opposite. A Discussion of FTP Security Issues Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
  • D-Link DFL-2560 | Product Manual - Page 245
    on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic for servers. • When an FTP session is established, the NetDefend Firewall will automatically and transparently receive the passive data channel from the
  • D-Link DFL-2560 | Product Manual - Page 246
    to connect to any of these if the client is using active mode. The default range is 1024-65535. • Allow the server to use passive mode. If this to connect to any of these if the server is using passive mode. The default range is 1024-65535. These options can determine if hybrid mode is required to
  • D-Link DFL-2560 | Product Manual - Page 247
    never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean causing buffer overruns This restriction combats this threat. The default value is 256 If very long file or directory Allowing 8-bit characters enables support for filenames containing international
  • D-Link DFL-2560 | Product Manual - Page 248
    code. Suspect files can be dropped or just logged. This network and will therefore upload blocking instructions to the local switches. The 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the NetDefend Firewall on a DMZ with private IP
  • D-Link DFL-2560 | Product Manual - Page 249
    client to use active mode 4. Uncheck Allow server to use passive mode 5. Click OK B. Define the Service: 1. Go to Objects > Services > Add > TCP/UDP Service 2. Enter the following: • Name: ftp-inbound-service • Type: select TCP from the list • Destination: 21 (the port the FTP server resides on)
  • D-Link DFL-2560 | Product Manual - Page 250
    port 21 and forward that to the internal FTP server: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interface: any • Destination Interface: core • Source Network: all-nets • Destination
  • D-Link DFL-2560 | Product Manual - Page 251
    6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a workstation that will connect to FTP servers on This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows
  • D-Link DFL-2560 | Product Manual - Page 252
    OK ii. Using Public IPs If the firewall is using private IPs with a single external public IP, the following NAT rule needs to be added instead: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: NAT-ftp-outbound • Action: NAT • Service: ftp-outbound-service 3. For Address Filter enter
  • D-Link DFL-2560 | Product Manual - Page 253
    the NetDefend Firewall and IP address is normally manually specified by the administrator in the FTP server software and the natural choice is to specify the external IP address of the interface on the firewall default value is Allow. Specifies if options should be removed from request. The default
  • D-Link DFL-2560 | Product Manual - Page 254
    can be restricted. By default this is the absolute maximum NetDefend Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, "Anti-Spam Filtering"). Local users be specified. This rate is calculated on a per source IP address basis, in other words it is not the total
  • D-Link DFL-2560 | Product Manual - Page 255
    6.2.5. The SMTP ALG Email address blacklisting Email address whitelisting Verify MIME type Block/Allow filetype Anti-Virus scanning The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. A blacklist of
  • D-Link DFL-2560 | Product Manual - Page 256
    including Pipelining and Chunking. The ALG therefore removes any unsupported extensions from the supported extension list that is returned to the client by an SMTP server behind the NetDefend Firewall. When an extension is removed, a log message is generated with the text: unsupported_extension
  • D-Link DFL-2560 | Product Manual - Page 257
    For example, if a remote user is sending an infected email Exclusion can be manually configured It is possible to manually configure certain hosts about this topic refer to Chapter 12, ZoneDefense. 6.2.5.1. Anti-Spam Filtering email as it passes through the NetDefend Firewall on its way to a local
  • D-Link DFL-2560 | Product Manual - Page 258
    emails as they pass through the NetDefend Firewall from an external remote SMTP server accessible using a standardized query method supported by NetDefendOS. The image below illustrates the email is from a spammer or not. NetDefendOS examines the IP packet headers to do this. The reply sent back by a
  • D-Link DFL-2560 | Product Manual - Page 259
    notifying text inserted into it. A Threshold Calculation Example As an example, let's suppose that three DNSBL servers are configured: dnsbl1, dnsbl2 and dnsbl3. Weights of 3, 2 and 2 are assigned to these respectively. The Spam threshold is then set to be 5. If dnsbl1 and dnsbl2 say an email is
  • D-Link DFL-2560 | Product Manual - Page 260
    user IP address used by the email sender. These fields can be referred to in filtering rules set up by the administrator in mail server software. Allowing for Failed DNSBL Servers If a query to a DNSBL server times out then NetDefendOS will consider that the query has failed and the weight
  • D-Link DFL-2560 | Product Manual - Page 261
    tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the event. • DNSBLs not responding sent to the DNSBL servers. The default value is 600 seconds. The Anti-Spam address cache is emptied at startup or reconfiguration
  • D-Link DFL-2560 | Product Manual - Page 262
    not yet processed any emails. gw-world:/> dnsbl my_smtp_alg -show Drop Threshold : 20 Spam Threshold : 10 Use TXT records : yes IP Cache disabled Configured BlackLists : 4 Disabled BlackLists : 0 Current Sessions :0 Statistics: Total number of mails checked : 0 Number of mails dropped
  • D-Link DFL-2560 | Product Manual - Page 263
    BlackList: zen.spamhaus.org Status : active Weight value : 25 Number of mails checked Number of matches in list which can be easily read (some servers may not support other methods than this). Hide User This option prevents the POP3 server from revealing that
  • D-Link DFL-2560 | Product Manual - Page 264
    inner network behind a NetDefend Firewall. The firewall is connected to the external firewall and the server. PPTP ALG Setup Setting up the PPTP ALG is similar to the set up of other ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP
  • D-Link DFL-2560 | Product Manual - Page 265
    port range can be the default of 0-65535. iii. Set the Destination port to be 1723. iv. Select the ALG to be the PPTP ALG object that was defined in the first step. In this case, it was called pptp_alg. • Associate this service object with the NAT IP rule that permits the traffic
  • D-Link DFL-2560 | Product Manual - Page 266
    authenticating and authorizing access to services. They also implement provider call-routing policies. The proxy is often located on the external, unprotected side of the NetDefend Firewall but can have other locations. All of these scenarios are supported by NetDefendOS. Registrars A server that
  • D-Link DFL-2560 | Product Manual - Page 267
    must be set up to allow all SIP messages through the NetDefend Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local proxy is set up with the Record
  • D-Link DFL-2560 | Product Manual - Page 268
    NetDefend Firewall. Tip Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports Internet The scenario assumed is an office with VoIP users on a private internal network where the network's topology will
  • D-Link DFL-2560 | Product Manual - Page 269
    2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port the local users are being NATed. • An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the NetDefend Firewall. This rule
  • D-Link DFL-2560 | Product Manual - Page 270
    for incoming traffic have to include all IP addresses that are possible. The Service object for IP rules In this section, tables which list IP rules like those above, will omit the Service object associated with the rule. The same, custom Service object is used for all SIP scenarios. Scenario
  • D-Link DFL-2560 | Product Manual - Page 271
    behind the IP address of the NetDefend Firewall. The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP
  • D-Link DFL-2560 | Product Manual - Page 272
    6.2.8. The SIP ALG If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy" as indicated. When an incoming call is received, the SIP ALG will follow the
  • D-Link DFL-2560 | Product Manual - Page 273
    should be noted about this setup: • The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. • The IP address of the DMZ interface must be a globally routable IP address. This address can be the same address
  • D-Link DFL-2560 | Product Manual - Page 274
    for inbound SIP traffic from the SIP proxy behind the DMZ interface to the IP address of the NetDefend Firewall. This rule will have core (in other words, NetDefendOS itself) as the object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The
  • D-Link DFL-2560 | Product Manual - Page 275
    Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule the Internet to clients on the local network. The IP rules with Record-Route enabled are: OutboundToProxy OutboundFromProxy InboundFromProxy InboundToProxy
  • D-Link DFL-2560 | Product Manual - Page 276
    one H.323 terminal behind a NATing device with only one public IP. MCUs provide support for conferences of three or more H.323 terminals. All H.323 via private networks secured by NetDefend Firewalls. The H.323 specification was not designed to handle NAT, as IP addresses and ports are sent
  • D-Link DFL-2560 | Product Manual - Page 277
    NetDefend Firewall to let calls through. • NAT and SAT rules are supported, allowing clients and gatekeepers to use private IP addresses on a network behind the NetDefend Firewall clients with the gatekeeper and less probability of a problem if the network becomes unavailable and the client thinks
  • D-Link DFL-2560 | Product Manual - Page 278
    The H.323 ALG Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all
  • D-Link DFL-2560 | Product Manual - Page 279
    6.2.9. The H.323 ALG Example 6.5. H.323 with private IP addresses In this scenario an H.323 phone is connected to the NetDefend Firewall on a network with private IP addresses. To make it possible to place a call from this phone to another H.323 phone on the Internet,
  • D-Link DFL-2560 | Product Manual - Page 280
    as this only requires one external address. Example 6.6. Two Phones Behind Different NetDefend Firewalls This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with public IP addresses. In order to place calls on these phones over the Internet, the
  • D-Link DFL-2560 | Product Manual - Page 281
    Network: lannet • Comment: Allow incoming calls 3. Click OK Example 6.7. Using Private IP Addresses This scenario consists of two H.323 phones, each one connected behind the NetDefend Firewall on a network with private IP addresses. In order to place calls on these phones over the Internet, the
  • D-Link DFL-2560 | Product Manual - Page 282
    • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: Allow incoming calls to H.323 phone at ip-phone 3. Click OK To place a call to the phone behind the NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 283
    Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment: SAT rule for incoming communication with the
  • D-Link DFL-2560 | Product Manual - Page 284
    in scenario 3. The other NetDefend Firewall should be configured as below. The rules need to be added to the rule listings, and it should be ensured that there are no rules disallowing or allowing the same kind of ports/traffic before these rules. Web Interface 1. Go to Rules > IP Rules > Add > IPRule
  • D-Link DFL-2560 | Product Manual - Page 285
    2. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network are correctly configured and that all offices use private IP-ranges on their local networks. All outside calls are done over the
  • D-Link DFL-2560 | Product Manual - Page 286
an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz
  • D-Link DFL-2560 | Product Manual - Page 287
    communication with the Gatekeeper on DMZ from the Branch network 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: BranchToGW • Action: Allow • Service: H323-Gatekeeper • Source Interface: vpn-remote • Destination Interface: dmz • Source Network: remote-net • Destination
  • D-Link DFL-2560 | Product Manual - Page 288
NetDefend Firewall has an H.323 Gateway connected to its DMZ. In order to allow the Gateway to register with the H.323 Gatekeeper at the Head Office, the following rule has to be configured: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: GWToGK • Action: Allow • Service
  • D-Link DFL-2560 | Product Manual - Page 289
    solutions such as using IPsec. Most web browsers support TLS and users can therefore easily have secure server access without NetDefend Firewall is providing SSL termination since it is acting as an SSL end-point. Regarding the SSL and TLS standards supported, NetDefendOS provides termination support
  • D-Link DFL-2560 | Product Manual - Page 290
data to/from servers. The advantages of this approach are: • TLS support can be centralized in the NetDefend Firewall instead of being set up on individual servers. • Certificates can be managed be set to the same certificate. 3. Create a new custom Service object based on the TCP protocol.
  • D-Link DFL-2560 | Product Manual - Page 291
newly created service object. 5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with supported (where NetDefend Firewall authenticates the identity of the client). • Renegotiation is not supported. • Sending server key exchange messages is not supported
  • D-Link DFL-2560 | Product Manual - Page 292
    an organization or group of users: • Active Content Handling can Content Filtering provides a means for manually classifying web sites as "good by an automatic classification service. Dynamic content filtering requires into web pages. NetDefendOS includes support for removing the following types of
  • D-Link DFL-2560 | Product Manual - Page 293
    Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In over Dynamic Content Filtering. Wildcarding Both the URL blacklist and URL whitelist support wildcard matching of URLs in order to be more flexible. This
  • D-Link DFL-2560 | Product Manual - Page 294
active content handling will not be enabled in this example. In this small scenario a general surfing policy prevents users from downloading .exe files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command-Line Interface Start by adding
  • D-Link DFL-2560 | Product Manual - Page 295
    As part of the HTTP ALG, NetDefendOS supports Dynamic Web Content Filtering (WCF) of manually specify beforehand which URLs to block or to allow. Instead, D-Link NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF Processing Flow When a user
  • D-Link DFL-2560 | Product Manual - Page 296
    the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of software entire site. NetDefendOS provides blocking down to the page level so that users may still access parts of websites that are not blocked by the
  • D-Link DFL-2560 | Product Manual - Page 297
    object is then associated with a service object and the service object is then associated with a rule in the IP rule set to determine which then URLs are denied if external database access to verify them is not possible. The user will see an "Access denied" web page. • Allow - If the external WCF
  • D-Link DFL-2560 | Product Manual - Page 298
    service: 1. Go to Rules > IP Rules 2. Select the NAT rule handling your HTTP traffic 3. Select the Service tab 4. Select your new service, http_content_filtering, in the predefined Service what categories of websites are being accessed by a user community and how often. After running in Audit Mode
  • D-Link DFL-2560 | Product Manual - Page 299
    new service, are described in the previous example. Allowing Override On some occasions, Active Content Filtering may prevent users carrying , NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering component will present a warning to the user that he
  • D-Link DFL-2560 | Product Manual - Page 300
    category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in 7. Click OK Then, continue setting up the service object and modifying the NAT rule as we traffic from lannet to all-nets and the user is able to propose reclassification of blocked sites
  • D-Link DFL-2560 | Product Manual - Page 301
    or submit online employment applications. This also includes resume writing and posting and interviews, as well as staff recruitment and training services. Examples might be: • www.allthejobs.com • www.yourcareer.com Category 4: Gambling A web site may be classified under the Gambling category if
  • D-Link DFL-2560 | Product Manual - Page 302
    Dating Sites category if its content includes facilities to submit and review personal advertisements, arrange romantic meetings with other people, mail order bride / foreign spouse introductions and escort services. Examples might be: • adultmatefinder.com • www.marriagenow.com Category 10: Game
  • D-Link DFL-2560 | Product Manual - Page 303
    12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. / Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be: • www
  • D-Link DFL-2560 | Product Manual - Page 304
category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples includes "Phishing" URLs which are designed to capture secret user authentication details by pretending to be a legitimate organization.
  • D-Link DFL-2560 | Product Manual - Page 305
    site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals. Examples might be: • www.thehealthzone.com • www.safedrugs
  • D-Link DFL-2560 | Product Manual - Page 306
    under the Health category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computing/IT A web site under the Computing/IT category if its content includes computing related information or services. Examples might be: • www.purplehat.com • www.gnu.org Category
  • D-Link DFL-2560 | Product Manual - Page 307
    be edited and uploaded back to NetDefendOS. The original Default object cannot be edited. The following example goes through the to exit editing 10. Go to User Authentication > User Authentication Rules 11. Select the relevant HTML ALG and click the Agent Options tab 12. Set the HTTP Banners option
  • D-Link DFL-2560 | Product Manual - Page 308
    to download the original default HTML, the source on the NetDefend Firewall. HTML Page Parameters The HTML pages contain a number of parameters that can be used as and where it is appropriate. The parameters available are: • %URL% - The URL which was requested • %IPADDR% - The IP
  • D-Link DFL-2560 | Product Manual - Page 309
    NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall of being downloaded to a user behind the NetDefend Firewall. Once a virus is recognized
  • D-Link DFL-2560 | Product Manual - Page 310
    default upper limit on file sizes. Simultaneous Scans There is no fixed limit on how many Anti-Virus scans can take place simultaneously in a single NetDefend Firewall an appropriate service object for the protocol to be scanned. The service object is then associated with a rule in the IP rule set
  • D-Link DFL-2560 | Product Manual - Page 311
    of the SafeStream database should therefore be updated regularly and this updating service is enabled as part of the subscription to the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the
  • D-Link DFL-2560 | Product Manual - Page 312
    -update feature. This can also be done through the WebUI. Updating in High Availability Clusters Updating the Anti-Virus databases for both the NetDefend Firewalls in an HA Cluster is performed automatically by NetDefendOS. In a cluster there is always an active unit and an inactive unit. Only the
  • D-Link DFL-2560 | Product Manual - Page 313
    NetDefend Firewall will upload blocking instructions to the local switches and instruct about this topic refer to Chapter 12, ZoneDefense. Example 6.19. Activating is already a NAT rule defined in the IP rule set to NAT this traffic. Command-Line Protect Next, create a Service object using the new
  • D-Link DFL-2560 | Product Manual - Page 314
    ALG you just created in the ALG dropdown list 6. Click OK C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. Go to Rules > IP Rules 2. Select the NAT rule handling the traffic between lannet and all-nets 3. Click the
  • D-Link DFL-2560 | Product Manual - Page 315
attempts. It operates by monitoring network traffic as it passes through the NetDefend Firewall, searching for patterns that indicate an intrusion is being attempted. Once sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP D-Link offers two types of IDP:
  • D-Link DFL-2560 | Product Manual - Page 316
    range of database signatures for more demanding installations. The standard subscription is for 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come as standard with Maintenance IDP. Maintenance
  • D-Link DFL-2560 | Product Manual - Page 317
    System (IDS) are used interchangeably in D-Link literature. They all refer to the same Clusters Updating the IDP databases for both the NetDefend Firewalls in an HA Cluster is performed automatically by traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP Rule.
  • D-Link DFL-2560 | Product Manual - Page 318
    The initial order of packet processing with IDP is as follows: 1. A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP rule set before being passed to the IDP module. If the packet is part of an
  • D-Link DFL-2560 | Product Manual - Page 319
    NetDefendOS has been unable to identify potential attacks when reassembling a TCP/IP stream although such an attack may have been present. This condition is complex patterns of data in the stream. Recommended Configuration By default, Insertion/Evasion protection is enabled for all IDP rules and
  • D-Link DFL-2560 | Product Manual - Page 320
    user Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu. IDP Signature types IDP offers three signature types which offer differing levels of certainty with regard to threats: • Intrusion Protection Signatures (IPS
  • D-Link DFL-2560 | Product Manual - Page 321
    1. Signature Group Type The group type is one of the values IDS, IPS or Policy. These types are explained above. 2. Signature Group Category This followed by the Sub-Category, since the Type could be any of IDS, IPS or POLICY. Processing Multiple Actions For any IDP rule, it is possible to specify
  • D-Link DFL-2560 | Product Manual - Page 322
    on the firewall hardware unnecessarily high Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12 IP Address of SMTP Log Receivers is Required When specifying an SMTP log receiver, the IP
  • D-Link DFL-2560 | Product Manual - Page 323
details the steps needed to set up IDP for a simple scenario where a mail server is exposed to the Internet on the DMZ network with a public IP address. The public Internet can be reached through
  • D-Link DFL-2560 | Product Manual - Page 324
the firewall on the WAN interface as illustrated below. An IDP rule called IDPMailSrvRule will be created, and the Service to use is the SMTP service. Source Interface and Source Network define where traffic is coming from, in
  • D-Link DFL-2560 | Product Manual - Page 325
• Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible
  • D-Link DFL-2560 | Product Manual - Page 326
    At the same time, using a public IP network enables companies to reduce infrastructure related costs. of the Internet to launch Denial of Service (DoS) attacks against organizations resulting in . This section deals with using NetDefend Firewalls to protect organizations against these attacks
  • D-Link DFL-2560 | Product Manual - Page 327
    " by default, or if the configuration contains custom Access Rules, the name of the Access rule that dropped the packet. The sender IP address is usually put the service in a tight loop that consumes all available CPU time. One such service was the NetBIOS over TCP/IP service on Windows machines,
  • D-Link DFL-2560 | Product Manual - Page 328
    of open networks with many machines, faking the source IP address to be that of the victim. All machines . In its default configuration, NetDefendOS firewall. However, NetDefendOS can help in keeping the load off of internal servers, making them available for internal service, or perhaps service
  • D-Link DFL-2560 | Product Manual - Page 329
    if the Syn Flood Protection option is enabled in a service object associated with the rule in the IP rule set that triggers on the traffic. This is placed on other operating systems. While other operating systems can exhibit problems with as few as 5 outstanding half-open connections, NetDefendOS
  • D-Link DFL-2560 | Product Manual - Page 330
attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private
  • D-Link DFL-2560 | Product Manual - Page 331
    it is not cumulative). Block only this Service By default Blacklisting blocks all services for the triggering host. Exempt already established Important IP addresses should be whitelisted It is recommended to add the NetDefend Firewall itself to the whitelist as well as the IP address or
  • D-Link DFL-2560 | Product Manual - Page 332
-Line Interface gw-world:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp Web Interface 1. Go to System > Whitelist > Add > Whitelist host 2. Now select the IP address object white_ip so it is added to the whitelist 3. Select the service all_tcp to be associated with this whitelist entry
  • D-Link DFL-2560 | Product Manual - Page 334
    to change the IP address of packets as they pass through the NetDefend Firewall is known as address translation. The ability to transform one IP address to another IP addresses which means that an attack coming from the "outside" is much more difficult. Types of Translation NetDefendOS supports
  • D-Link DFL-2560 | Product Manual - Page 335
    addresses of individual clients and hosts can be "hidden" behind the firewall's IP address. • Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses but can still have access to the public Internet through
  • D-Link DFL-2560 | Product Manual - Page 336
    default way that the IP address is determined. • Specify a Specific IP Address A specific IP address can be specified as the new source IP address. The specified IP traffic will not be received by the NetDefend Firewall. This technique might be used when the source IP is to differ based on the source
  • D-Link DFL-2560 | Product Manual - Page 337
    Command-Line Interface First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Name=NAT_HTTP
  • D-Link DFL-2560 | Product Manual - Page 338
    to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source translated to the same IP. Some protocols, regardless of the method of transportation used, can cause problems during address translation. Anonymizing
  • D-Link DFL-2560 | Product Manual - Page 339
    using PPTP. The traffic is directed to the anonymizing service provider where a NetDefend Firewall is installed to act as the PPTP server for the anonymizing service provider's external IP address and not the client's IP. The application therefore sends its responses back to the firewall which
  • D-Link DFL-2560 | Product Manual - Page 340
    several external ISP links while ensuring that an external host will always communicate back to the same IP address which will the state table tracks all the connections for a single host behind the NetDefend Firewall no matter which external host the connection concerns. If Max States is reached
  • D-Link DFL-2560 | Product Manual - Page 341
    ARP queries to the NetDefend Firewall to resolve external IP addresses included in a NAT default, the administrator must specify in NAT Pool setup which interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems
  • D-Link DFL-2560 | Product Manual - Page 342
    Go to Rules > IP Rules > Add > IP Rule 2. Under General enter: • Name: Enter a suitable name such as nat_pool_rule • Action: NAT 3. Under Address filter enter: • Source Interface: int • Source Network: int-net • Destination Interface: wan • Destination Network: all-nets • Service: HTTP 4. Select the
  • D-Link DFL-2560 | Product Manual - Page 343
for this is to enable external users to access a protected server in a DMZ that has a private address. This scenario is also sometimes referred to as a Virtual IP or Virtual Server in other manufacturers' products. The Role of the DMZ At this point in the manual, it's relevant to discuss the
  • D-Link DFL-2560 | Product Manual - Page 344
    arrangement with the NetDefend Firewall mediating communications between the public Internet and servers in the DMZ, and between the DMZ and local clients on a network called LAN. Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there
  • D-Link DFL-2560 | Product Manual - Page 345
nets • Destination Interface: core • Destination Network: wan_ip 4. Under the Service tab, select http in the Predefined list 5. Click OK These two example rules allow us to access the web server via the NetDefend Firewall's external IP address. Rule 1 states that address translation can take place
  • D-Link DFL-2560 | Product Manual - Page 346
# Action Src order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the NetDefend Firewall's external address
  • D-Link DFL-2560 | Product Manual - Page 347
    The problem with this rule set is that it will not work at all for traffic from the internal network. In order to illustrate exactly what happens, we use the following IP addresses: • wan_ip (195.55.66.77): a public IP address • lan_ip (10.0.0.1): the NetDefend Firewall's private internal IP address
  • D-Link DFL-2560 | Product Manual - Page 348
    all the problems associated with address translation. However, this is not always practical. 7.4.2. Translation of Multiple IP Addresses (M:N) servers located in a DMZ. The NetDefend Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range
  • D-Link DFL-2560 | Product Manual - Page 349
    this for all the five public IP addresses. Next, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Next, create a SAT rule for the translation: gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface
  • D-Link DFL-2560 | Product Manual - Page 350
7. Click OK Finally, create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: wan
  • D-Link DFL-2560 | Product Manual - Page 351
    that allows port translation, a Custom Service object must be used with the rule many VPN protocols. • The protocol embeds its IP addresses inside the TCP or UDP level data, and can be resolved by modifying the application or the firewall configuration. There is no definitive list of what protocols
  • D-Link DFL-2560 | Product Manual - Page 352
The two rules above may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the
  • D-Link DFL-2560 | Product Manual - Page 353
    port to a completely different port, which will not work. The problem can be solved using the following rule set: # Action Src Iface sender address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall. • Return traffic will
  • D-Link DFL-2560 | Product Manual - Page 355
    Combinations This chapter deals specifically with user authentication performed with username/password combinations that are manually entered by a user attempting to gain access to resources. Access to the external public Internet through a NetDefend Firewall by internal clients using the HTTP
  • D-Link DFL-2560 | Product Manual - Page 356
To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months.
  • D-Link DFL-2560 | Product Manual - Page 357
    user database internal to NetDefendOS. ii. A RADIUS server which is external to the NetDefend Firewall. iii. An LDAP Server which is also external to the NetDefend Firewall rule as the originator IP or can be associated with an Authentication Group. • Set up IP rules to allow the authentication
  • D-Link DFL-2560 | Product Manual - Page 358
cannot change it. PPTP/L2TP Configuration If a client is connecting to the NetDefend Firewall using PPTP/L2TP then the following three options can also be specified for the local NetDefendOS user database: • Static Client IP Address This is the IP address which the client must have if it is to be
  • D-Link DFL-2560 | Product Manual - Page 359
    server. When there is more than one NetDefend Firewall in the network and thousands of users, maintaining separate authentication databases on each device from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with
  • D-Link DFL-2560 | Product Manual - Page 360
    as a list within a user authentication rule. The ordering are a number of issues that can cause problems: • LDAP servers differ in their implementation. NetDefendOS (a pair of data values) consisting of an attribute name (in this manual we will call this the attribute ID to avoid confusion) and an
  • D-Link DFL-2560 | Product Manual - Page 361
    request which is sent using TCP/IP. This port is by default 389. • Timeout This is the timeout length for LDAP server user authentication attempts in seconds. If server. The group name is often used when granting user access to a service after a successful logon. If the Retrieve Group Membership
  • D-Link DFL-2560 | Product Manual - Page 362
    where route lookup will be done to resolve the server's IP address into a route. The default is the main routing table. Database Settings The Database Settings If the Base Object is specified incorrectly then this can mean that a user will not be found and authenticated if they are not in the part
  • D-Link DFL-2560 | Product Manual - Page 363
    . Optional Settings There is one optional setting: • Password Attribute The password attribute specifies the ID of the tuple on the LDAP server that contains the user's password. The default ID is userPassword. This option should be left empty unless the LDAP server is being used to authenticate
  • D-Link DFL-2560 | Product Manual - Page 364
    it expects. Real-time Monitoring Statistics The following statistics are available for real-time monitoring of LDAP server access for user authentication: • Number of authentications per second. • Total number of authentication requests. • Total number of successful authentication requests. • Total
  • D-Link DFL-2560 | Product Manual - Page 365
the password when it's sent back. This ID must be different from the default password attribute (which is usually userPassword for most LDAP servers). A suggestion is must therefore be done manually by the administrator as they add new users and change existing users' passwords. This clearly involves
  • D-Link DFL-2560 | Product Manual - Page 366
Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server
  • D-Link DFL-2560 | Product Manual - Page 367
    For XAuth and PPP, this is the tunnel originator IP. • Terminator IP The terminating IP with which new connections arrive. This is only specified related to a user session: • Idle Timeout How long a connection is idle before being automatically terminated (1800 seconds by default). • Session Timeout
  • D-Link DFL-2560 | Product Manual - Page 368
The maximum time that a connection can exist (no value is specified by default user creates a new connection to the NetDefend Firewall. 2. NetDefendOS sees the new user connection was successful and the service requested is allowed by a rule in the IP rule set. That rule
  • D-Link DFL-2560 | Product Manual - Page 369
    the rules in the IP rule set as shown below: # Action Src Interface Src Network Dest Interface Dest Network Service 1 Allow lan trusted_net These are: • Login Type - This can be one of: i. FORM - The user is presented with an HTML page for authentication which is filled in and the data sent
  • D-Link DFL-2560 | Product Manual - Page 370
    lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall where the users come to the authentication page we must add a SAT rule and its associated Allow rule. The rule set will now look like this: # Action Src Interface Src Network Dest Interface Dest Network Service
  • D-Link DFL-2560 | Product Manual - Page 371
    shows how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule. We assume that lannet, users, lan_ip, local user database folder lannet_auth_users and the
  • D-Link DFL-2560 | Product Manual - Page 372
    for the server, for example ex-users b. Type: Select RADIUS c. IP Address: Enter the IP address of the server, or enter the symbolic name if the server has been defined in the Address Book d. Port: 1812 (RADIUS service uses UDP port 1812 by default) e. Retry Timeout: 2 (NetDefendOS will resend the
  • D-Link DFL-2560 | Product Manual - Page 373
    user is taken to a particular web page (the LoginSuccess page) before being automatically redirected to the originally requested page. HTTP Banner Files The web page files, also referred to as HTTP banner files, are stored within NetDefendOS and exist by default The original Default object cannot be
  • D-Link DFL-2560 | Product Manual - Page 374
• %IPADDR% - The IP address which is the relevant HTML ALG 11. Select new_forbidden as the HTML Banner 12. Click OK 13. Go to Configuration > Save & Activate 1. Since SCP cannot be used to download the original default HTML, the source code must be first copied from
  • D-Link DFL-2560 | Product Manual - Page 375
    HTTPAuthBanners ua_html This creates an object which contains a copy of all the Default user auth banner files. 3. The modified file is then uploaded using SCP. It in Section 2.1.6, "Secure Copy". 4. Using the CLI, the relevant user authentication rule should now be set to use the ua_html. If the
  • D-Link DFL-2560 | Product Manual - Page 377
page 425 • CA Server Access, page 434 • VPN Troubleshooting, page 437 9.1. Overview 9.1.1. VPN Usage The Internet providing a highly cost effective means of establishing secure links between two co-operating computers so that data can NetDefend Firewall and the VPN tunnel is set up between them.
  • D-Link DFL-2560 | Product Manual - Page 378
    - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption Encryption of VPN traffic is done using the
  • D-Link DFL-2560 | Product Manual - Page 379
    for services that need to be shared with other companies through VPNs. • Adapting VPN access policies for different groups of users. • servers using HTTP is the scenario under consideration, then using a NetDefend Firewall for TLS termination can offer an alternative "lightweight" VPN approach that
  • D-Link DFL-2560 | Product Manual - Page 380
9.1.5. The TLS Alternative for VPN "The TLS ALG". Chapter 9. VPN
  • D-Link DFL-2560 | Product Manual - Page 381
    be checked by examining the routing tables. If a route is defined manually, the tunnel is treated exactly like a physical interface in the route tunnel is treated exactly like a physical interface when defining the IP rule. IP rules are not created automatically after defining the tunnel object and
  • D-Link DFL-2560 | Product Manual - Page 382
    object if the default algorithm proposal IP address of the network device at the other end of the tunnel (let's call this object remote_gw). • The remote network which lies behind the remote VPN gateway (let's call this object remote_net). • The local network behind the NetDefend Firewall Service All
  • D-Link DFL-2560 | Product Manual - Page 383
    lan Dest Network lannet Service All The Service used in these rules is All but it could be a predefined service. 6. Define a use. c. Select the Gateway Certificate. 4. Open the WebUI management interface for the NetDefend Firewall at the other side of the tunnel and repeat the above steps with a
  • D-Link DFL-2560 | Product Manual - Page 384
    and have been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is recommended (this step could initially
  • D-Link DFL-2560 | Product Manual - Page 385
    to LAN tunnel scenarios. • Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels. This will enable a search for IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service
  • D-Link DFL-2560 | Product Manual - Page 386
    pre-shared key. • Define the URL or IP address of the NetDefend Firewall. The client needs to locate the tunnel endpoint. supported by NetDefendOS. • Specify if the client will use config mode. There are a variety of IPsec client software products available from a number of suppliers and this manual
  • D-Link DFL-2560 | Product Manual - Page 387
have an expiry date and time. Also review Section 9.6, "CA Server Access", which describes 10 to 192.168.0.20. The danger here is that an IP address might be accidentally used on the internal network and handed This setting is enabled by default. 5. Define a PPTP/L2TP Server object (let's call
  • D-Link DFL-2560 | Product Manual - Page 388
    Dest Interface any ext Dest Network int_net all-nets Service All All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall. The client will be allocated a private internal IP address which must be NATed if connections are then
  • D-Link DFL-2560 | Product Manual - Page 389
    user authentication is optional since this is additional security to certificates. Also review clients can use a single connection to the NetDefend Firewall. If NATing is tried then only the come. • An ip_int object which is the internal IP address of the interface connected to the internal network
  • D-Link DFL-2560 | Product Manual - Page 390
    IP rules in the IP rule set: Action Allow NAT Src Interface pptp_tunnel pptp_tunnel Src Network pptp_pool pptp_pool Dest Interface any ext Dest Network int_net all-nets Service All All As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 391
    SAs, for each connection. SAs are unidirectional, so there are usually at least two for each IPsec connection. The second part is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; by
  • D-Link DFL-2560 | Product Manual - Page 392
    list is a suggestion of how to protect IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the device at the other end of the connection to say which proposal is acceptable
  • D-Link DFL-2560 | Product Manual - Page 393
    method today. PSK and certificates are supported by the NetDefendOS VPN module. two NetDefend Firewalls as VPN endpoints, the matching process is greatly simplified since the default NetDefendOS /Hosts These are the subnets or hosts between which IP traffic will be protected by the VPN. In
  • D-Link DFL-2560 | Product Manual - Page 394
    be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be is that AH also authenticates parts of the outer IP header, for instance source and destination addresses, making certain that the
  • D-Link DFL-2560 | Product Manual - Page 395
    algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used. The algorithms supported by NetDefendOS IPsec are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES DES is only included to be interoperable with other older VPN implementations. The use of
  • D-Link DFL-2560 | Product Manual - Page 396
    traffic. This is not needed when AH is used, or when ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are: • AES • Blowfish • Twofish • Cast128 • 3DES • DES This specifies the authentication algorithm used on the protected traffic. This is not used when ESP is used
  • D-Link DFL-2560 | Product Manual - Page 397
    support manual keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual -replay services, and it is not very flexible. There is also no way of assuring that the remote host/firewall really is
  • D-Link DFL-2560 | Product Manual - Page 398
    9. VPN Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs is key distribution. How are the Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the security of a PSK system is based on
  • D-Link DFL-2560 | Product Manual - Page 399
    ESP protocol is used for both encryption and authentication of the IP packet. It can also be used to do either encryption only, or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not
  • D-Link DFL-2560 | Product Manual - Page 400
    both ends have support for it. For problem that NAT traversal resolves is that the ESP protocol is an IP firewall no special configuration is needed. However, for responding firewalls two points should be noted: • On responding firewalls, the Remote Endpoint field is used as a filter on the source IP
  • D-Link DFL-2560 | Product Manual - Page 401
    firewalls have the same external IP address. • IP - An IP address can be manually entered • DNS - A DNS address can be manually entered • Email - An email address can be manually default in NetDefendOS for different VPN scenarios and user It will propose 3DES and DES as encryption algorithms. The hash
  • D-Link DFL-2560 | Product Manual - Page 402
    -l2tptunnel 3. Now check the following: • DES • 3DES • SHA1 • MD5 4. Click in the CLI Reference Guide). Beware of Non-ASCII cause a problem with non-ASCII and this can sometimes cause problems when setting up a Windows key automatically with a 64 bit (the default) key, use: gw-world:/> pskgen
  • D-Link DFL-2560 | Product Manual - Page 403
    certificates are used as authentication method for IPsec tunnels, the NetDefend Firewall will accept all remote devices or VPN clients that are capable while technical engineers need access to technical databases. The Problem Since the IP addresses of the travelling employees VPN clients cannot be
  • D-Link DFL-2560 | Product Manual - Page 404
    -world:/> cc IDList MyIDList gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden [email protected] gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world
  • D-Link DFL-2560 | Product Manual - Page 405
    9.3.8. Identification Lists Chapter 9. VPN 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList in the Identification List 6.
  • D-Link DFL-2560 | Product Manual - Page 406
    . Local Initiation of Tunnel Establishment Alternatively, a user on a protected local network might try and is then initiated from the local NetDefend Firewall. IP Rules Control Decrypted Traffic Note packets are by default dealt with by the NetDefendOS's internal IPsec engine and the IP rule set
  • D-Link DFL-2560 | Product Manual - Page 407
    Advanced Settings". DPD is enabled by default for NetDefendOS IPsec tunnels. Disabling does messages are not received then the tunnel link is assumed to be broken and an attempt IP address and/or a destination IP address for the pings can be specified. It is recommended to specify a destination IP
  • D-Link DFL-2560 | Product Manual - Page 408
    mobile user's IP address is often not known beforehand. To handle the unknown IP address the NetDefendOS can dynamically add routes to the routing table as tunnels are established. Dealing with Unknown IP addresses If the IP address of the client is not known before hand then the NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 409
    10.0.1.0/24 (This is the local network that the roaming users will connect to) • Remote Network: all-nets • Remote . 6. Click OK C. Finally configure the IP rule set to allow traffic inside the tunnel an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the
  • D-Link DFL-2560 | Product Manual - Page 410
to grant access rights according to the instructions above D. Configure the IPsec tunnel: 1. This is the local network that the roaming users will connect to) • Remote Network: all- Choose your newly created firewall certificate • Identification List IP rule set to allow traffic inside the tunnel.
  • D-Link DFL-2560 | Product Manual - Page 411
    found in Certificate Services). For more information head office NetDefend Firewall for roaming span with external firewall IP wan_ip. Web Interface access rights according to the instructions above C. Configure the IPsec the local network that the roaming users will connect to) • Remote Network
  • D-Link DFL-2560 | Product Manual - Page 412
    to the Selected list • Gateway Certificate: Choose your newly created firewall certificate • Identification List: Select your ID List that you (already provided by an IP Pool). NBNS/WINS The IP address for NBNS/WINS resolution (already provided by an IP Pool). DHCP Instructs the host to send
  • D-Link DFL-2560 | Product Manual - Page 413
    . The default value for this setting is Disabled. 9.4.4. Fetching CRLs from an alternate LDAP server A Root Certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or CRLs need to be downloaded to the NetDefend Firewall. Lightweight
  • D-Link DFL-2560 | Product Manual - Page 414
    IP Address: 192.168.101.146 • Username: myusername • Password: mypassword • Confirm Password: mypassword • Port: 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can be found in the CLI Reference Guide. The Client and the Server The
  • D-Link DFL-2560 | Product Manual - Page 415
    9.4.5. Troubleshooting with ikesnoop negotiation and the server refers to the device which is the responder. Chapter 9. VPN Step 1. Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output initially shows the proposed list of algorithms that the client first sends
  • D-Link DFL-2560 | Product Manual - Page 416
    9.4.5. Troubleshooting with ikesnoop Chapter ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A
  • D-Link DFL-2560 | Product Manual - Page 417
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 ( data length : 16 bytes Vendor ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) Payload data length :
  • D-Link DFL-2560 | Product Manual - Page 418
    9.4.5. Troubleshooting with ikesnoop NAT-D (NAT Detection) Payload data length : 16 bytes 16 bytes Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: Received IKE packet from
  • D-Link DFL-2560 | Product Manual - Page 419
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The ) Payload data length : 16 bytes Step 7. Client Sends a List of Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks
  • D-Link DFL-2560 | Product Manual - Page 420
    9.4.5. Troubleshooting with 10.4.2.6) ID (Identification) Payload data length : 12 bytes ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16) Explanation otherwise it is SA per host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec proposal from the list
  • D-Link DFL-2560 | Product Manual - Page 421
    10.4.2.6) ID (Identification) Payload data length : 12 bytes ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16) Step of IP rules that can be connected to IPsec tunnels. By default this manually so that subsequent changes to IPsec Max Tunnels will not cause an automatic change in IPsec Max Rules. Default
  • D-Link DFL-2560 | Product Manual - Page 422
    so even if the "next update" field says that a new CRL is available in 12 hours, there may already be a new CRL for download. This setting limits the Default: 86400 seconds IKE Max CA Path When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user
  • D-Link DFL-2560 | Product Manual - Page 423
    be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm. Default: 1024 DPD Metric The amount of time in tens of seconds that the peer is considered to be alive (reachable) since the last received IKE
  • D-Link DFL-2560 | Product Manual - Page 424
it is considered to be dead (not reachable). The SA will then be placed in the dead cache. This setting is used with IKEv1 only. Default: 15 seconds
  • D-Link DFL-2560 | Product Manual - Page 425
    Microsoft. It is an OSI layer 2 "data-link" protocol (see Appendix D, The OSI Framework) and protocol and then establishes a TCP/IP connection across the Internet to the NetDefend Firewall, which acts as the PPTP already installed. Troubleshooting PPTP A common problem with setting up PPTP is
  • D-Link DFL-2560 | Product Manual - Page 426
    9.5.2. L2TP Servers Chapter 9. VPN TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the NetDefend Firewall. Examining the log can indicate if this problem occurred, with a log message of the following form appearing: Error PPP lcp_negotiation_stalled ppp_terminated
  • D-Link DFL-2560 | Product Manual - Page 427
Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control. 5. Under the Add Route tab, select all_nets in the Allowed Networks control. 6. Click OK Use User Authentication Rules is enabled by default. To be able to authenticate the users using the PPTP tunnel you also need to configure
  • D-Link DFL-2560 | Product Manual - Page 428
Databases > UserDB > Add > User 4. Now enter: • Username: testuser • Password: mypassword • Confirm Password: mypassword 5. Click OK Now we will set up the IPsec Tunnel, which will later be used in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the IP that the L2TP
  • D-Link DFL-2560 | Product Manual - Page 429
    rule, for example L2TP_Auth 3. Now enter: • Agent: PPP • Authentication Source: Local • Interface: l2tp_tunnel • Originator IP: all-nets • Terminator IP: wan_ip 4. Under the Authentication Options tab enter UserDB as the Local User DB 5. Click OK When the other parts are done, all that is left is
  • D-Link DFL-2560 | Product Manual - Page 430
    settings First, change the current category to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, add the IP rules: gw-world:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name
  • D-Link DFL-2560 | Product Manual - Page 431
    NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall try to get that one from the PPTP/L2TP server as the preferred IP. • Automatically pick name - If this option is enabled then NetDefendOS
  • D-Link DFL-2560 | Product Manual - Page 432
the scenario depicted below. Here a number of clients are being NATed through NetDefendOS before being connected to a PPTP server on the other side of the NetDefend Firewall. If more than one of the clients is acting as a PPTP client which is trying to connect to the PPTP server then this will not
  • D-Link DFL-2560 | Product Manual - Page 433
9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage
  • D-Link DFL-2560 | Product Manual - Page 434
    must be configured so that NetDefendOS can locate the private CA server to validate the certificates coming from clients. b. The external IP address of the NetDefend Firewall needs to be registered in the public DNS system so that the FQDN reference to the private CA server in certificates sent to
  • D-Link DFL-2560 | Product Manual - Page 435
    client) to the CA server and an HTTP reply to be received. If the request is going to pass through the NetDefend Firewall, the appropriate rules in the NetDefendOS IP rule set need to be defined to allow this traffic through. Figure 9.4. Certificate Validation Components CA Server Access by Clients
  • D-Link DFL-2560 | Product Manual - Page 436
    NetDefend Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems
  • D-Link DFL-2560 | Product Manual - Page 437
    troubleshoot the common problems that are found with VPN. 9.7.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks can be made: • Check that all IP best done by Pinging the internal IP address of the local network interface on the NetDefend Firewall from a client (in LAN
  • D-Link DFL-2560 | Product Manual - Page 438
    are not. • Consider time-zone issues with newly generated certificates. The NetDefend Firewall's time zone may not be the same as the CA server's time could be the problem. CA Server issues are discussed further in Section 9.6, "CA Server Access". 9.7.3. IPsec Troubleshooting Commands A number
  • D-Link DFL-2560 | Product Manual - Page 439
    , an ICMP ping can then be sent to the NetDefend Firewall from the remote end of the tunnel. This will cause Troubleshooting with ikesnoop". 9.7.4. Management Interface Failure with VPN If any VPN tunnel is set up and then the management interface no longer operates then it is likely to be a problem
  • D-Link DFL-2560 | Product Manual - Page 440
    the IKE phase) and PFS (for IPsec phase). 2. Incorrect pre-shared key A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and that is incorrect pre
  • D-Link DFL-2560 | Product Manual - Page 441
    what the problem could be. A good suggestion before you start to troubleshoot certificate based CA server or the NetDefend Firewall or they are in different time zones. • The NetDefend Firewall is unable to reach L2TP, Microsoft Vista tries by default to contact and download the CRL list, while Microsoft
  • D-Link DFL-2560 | Product Manual - Page 442
    ID lists match the certificate properties of the connecting user. Either the user is non-authorized or the certificate properties are wrong on common problem and is due to a mismatch of the size in local or remote network and/or the lifetime settings on the proposal list(s). To troubleshoot this
  • D-Link DFL-2560 | Product Manual - Page 443
9.7.6. Specific Symptoms Chapter 9. VPN
  • D-Link DFL-2560 | Product Manual - Page 444
    IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the ability to guarantee and limit network bandwidth for certain services and users. Solutions such as the Differentiated Services prioritizing traffic passing through the NetDefend Firewall. It is important to
  • D-Link DFL-2560 | Product Manual - Page 445
IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the NetDefend Firewall. None are defined by default. Pipes are simplistic in
  • D-Link DFL-2560 | Product Manual - Page 446
    the service to which the rule is to apply. Once a new connection is permitted by the IP default The rule set for pipe rules is initially empty with no rules being defined by default. that will be used for outgoing (leaving) traffic from the NetDefend Firewall. One, none or a series of pipes may be
  • D-Link DFL-2560 | Product Manual - Page 447
traffic that flows as a result of triggering a FwdFast IP rule in the NetDefendOS IP rule sets. The reason for this is that traffic shaping is inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin
  • D-Link DFL-2560 | Product Manual - Page 448
    Traffic Management > Traffic Shaping > Add > Pipe Rule 2. Specify a suitable name for the pipe, for instance outbound 3. Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab
  • D-Link DFL-2560 | Product Manual - Page 449
    limit is 2 Mbps, the actual flow will be close to 1 Mbps in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps of outbound are the intended limits. The result might be 3 Mbps outbound
  • D-Link DFL-2560 | Product Manual - Page 450
    on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic. 10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not
  • D-Link DFL-2560 | Product Manual - Page 451
    DSCP bits in the packet. DSCP is a subset of the Diffserv architecture where the Type of Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum Precedence and a Maximum Precedence can be specified. The
  • D-Link DFL-2560 | Product Manual - Page 452
    10.1.6. Precedences Chapter 10. Traffic Management • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a pipe rule. The minimum and maximum precedences define the precedence range
  • D-Link DFL-2560 | Product Manual - Page 453
    used for other traffic. The effect of doing this is that the SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. The pipe then makes sure that these higher priority packets are sent first
  • D-Link DFL-2560 | Product Manual - Page 454
problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services: ssh-in and telnet-in. Set the default precedence for both pipes to 2, and the
  • D-Link DFL-2560 | Product Manual - Page 455
    easily change the precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in and telnet-in pipes. Notice that we of host computer B. It is the combination of port and IP address that identifies a unique user in a group. Grouping by Networks Requires the Size If the
  • D-Link DFL-2560 | Product Manual - Page 456
    specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within the grouping. For example, if the grouping is by source IP address and the total specified is 100 Kbps then this is saying that no one
  • D-Link DFL-2560 | Product Manual - Page 457
    400 bps. • Set the Grouping option for the pipe to have the value Destination IP. • Set the total for the pipe's Group Limits to be 100 bps. Bandwidth allocated on a "first come, first forwarded" basis but no single destination IP address can ever take more than 100 bps. No matter how many
  • D-Link DFL-2560 | Product Manual - Page 458
    to be Destination IP. Now specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means that each user will get no group total bandwidth for each user to some value, such as 40 kbps. There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16
  • D-Link DFL-2560 | Product Manual - Page 459
    user bandwidth by specifying a "Per Destination IP" grouping. Knowing when the pipe is full is not important since the only constraint is on each user the NetDefend Firewall, there connection is full. The problems resulting from leaks are the same connection. Troubleshooting For a better understanding
  • D-Link DFL-2560 | Product Manual - Page 460
    For example, by source IP address. Each user in a group (for example, each source IP address) can be given users in a group get a fair and equal amount of bandwidth. 10.1.10. More Pipe Examples This section looks at some more scenarios and how traffic shaping can be used to solve particular problems
  • D-Link DFL-2560 | Product Manual - Page 461
    Network wan all-nets Selected Service all The rule will force all traffic to the default precedence level and the pipes will assume we have a symmetric 2/2 Mbps link to the Internet. We will allocate descending priorities and traffic requirements to the following users: • Priority 6 - VoIP (500
  • D-Link DFL-2560 | Product Manual - Page 462
Dest Interface wan Dest Network all-nets Selected Service All Precedence 2 Note that in-other shaping is occurring inside a single NetDefend Firewall. VPN is typically used for communication using the same physical link. The pipe chaining can be used as a solution to the problem of VPN overhead.
  • D-Link DFL-2560 | Product Manual - Page 463
    pipes or it will escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the outside so the order pipes traffic that is coming from the inside and going to the external IP address. This last rule will therefore be: Rule Name all-in Forward
  • D-Link DFL-2560 | Product Manual - Page 464
10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination.
  • D-Link DFL-2560 | Product Manual - Page 465
    Intrusion Detection and Prevention"). Application Related Bandwidth Usage A typical problem that can be solved with IDP Traffic Shaping is dealing can often have a negative impact on the quality of service for other network users as bandwidth is quickly absorbed by such applications. An ISP
  • D-Link DFL-2560 | Product Manual - Page 466
. At least one side of the associated connection has to be in the IP range specified for it to be included in traffic shaping. 10.2.3. Processing opened by one host to another through the NetDefend Firewall and traffic begins to flow. The source and destination IP address of the connection is noted by
  • D-Link DFL-2560 | Product Manual - Page 467
    Network range but this is done on the assumption that client B is a user whose traffic might also have to be traffic shaped if they become involved in P2P data transfer. The sequence of events is: • The client with IP address 192.168.1.15 initiates a P2P file transfer through a connection (1) to
  • D-Link DFL-2560 | Product Manual - Page 468
    show Host kbps Tmout 192.168.1.1 100 58 A host, in this case with IP address 192.168.1.1, can be removed from traffic shaping using the command: gw- the idppipes command can be found in the separate CLI Reference Guide. Viewing Pipes IDP Traffic Shaping makes use of normal NetDefendOS pipe
  • D-Link DFL-2560 | Product Manual - Page 469
required. The traffic shaping pipes that are then automatically created get the highest priority by default and are therefore guaranteed that bandwidth. 10.2.8. Logging IDP Traffic Shaping generates log messages on common conditions. All log messages are documented in the Log Reference Guide.
  • D-Link DFL-2560 | Product Manual - Page 470
    to external IP addresses. Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules found in NetDefendOS, a combination of source/destination network/interface can be specified for a rule and a type of service NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 471
    applied in the order they appear in the user interface. If several Actions that have the management from examination by the NetDefendOS IP rule set if they are enabled on this refer to Chapter 12, ZoneDefense. 10.3.8. Threshold Rule linked to a service then it is possible to block only that service
  • D-Link DFL-2560 | Product Manual - Page 472
10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks".
  • D-Link DFL-2560 | Product Manual - Page 473
    client application requests over a number of servers through the use of IP rules with an Action of SLB_SAT. SLB is a powerful tool that SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. The
  • D-Link DFL-2560 | Product Manual - Page 474
    administrators to perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution: Round-robin Connection
  • D-Link DFL-2560 | Product Manual - Page 475
    TLS or SSL based services such as HTTPS, which require a repeated connection to the same host. This mode is similar to IP stickiness except that the goes to the same server as previous connections from the same source IP. The default value for this setting is 10 seconds. • Max Slots This parameter
  • D-Link DFL-2560 | Product Manual - Page 476
    source IP addresses default value for this setting is a network size of 24. 10.4.4. SLB Algorithms and Stickiness This section discusses further how stickiness functions with the different SLB algorithms. An example scenario is illustrated in the figure below. In this example, the NetDefend Firewall
  • D-Link DFL-2560 | Product Manual - Page 477
    for the distribution. Figure 10.12. Stickiness and Connection-rate Regardless which to full functionality. D-Link Server Load Balancing provides the following 3. SLB will ping the IP address of each individual server, if a server is specified as running web services on port 80, the SLB will send a
  • D-Link DFL-2560 | Product Manual - Page 478
    load balancing is to be done between 2 HTTP webservers which are situated behind the NetDefend Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11 respectively. The default SLB values for monitoring, distribution method and stickiness are used. A NAT rule is used
  • D-Link DFL-2560 | Product Manual - Page 479
    3. Add server1 and server2 to the group 4. Click OK C. Specify the SLB_SAT IP rule: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB • Action: SLB_SAT • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination
  • D-Link DFL-2560 | Product Manual - Page 480
    10.4.6. Setting Up SLB_SAT Rules 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic
  • D-Link DFL-2560 | Product Manual - Page 482
    on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster. The active unit is the NetDefend Firewall that is actually
  • D-Link DFL-2560 | Product Manual - Page 483
    the IP rule set are carried out as normal with the changes automatically being made to the configurations of both the master and the slave. Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two NetDefend Firewalls, the
  • D-Link DFL-2560 | Product Manual - Page 484
    Sending on Interfaces The administrator can manually disable heartbeat sending on any interface IP is the interface address of the sending firewall. • The destination IP is the broadcast address on the sending interface. • The IP , 11-00-00-C1-4A-nn. Link-level multicasts are used over normal unicast
  • D-Link DFL-2560 | Product Manual - Page 485
    must be unique for each cluster in a network. As the shared IP address always has the same hardware address, there will be no latency (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster. 2. The active (master) node
  • D-Link DFL-2560 | Product Manual - Page 486
    used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some small differences
  • D-Link DFL-2560 | Product Manual - Page 487
    can also be "pinged" using ICMP provided that IP rules are defined to permit this (by default, ICMP queries are dropped by the rule set). , SSH for remote management of the NetDefend Firewalls in an HA Cluster, the individual IP addresses of each firewall's interfaces must be used and these
  • D-Link DFL-2560 | Product Manual - Page 488
    between the sync interfaces of each unit. This connection could, instead, be via a switch or broadcast domain. 11.3.2. NetDefendOS Manual HA Setup To set up an HA cluster manually, the steps are as follows: 1. Connect to the master unit with the WebUI. 2. Go to System > High Availability. 3. Check
  • D-Link DFL-2560 | Product Manual - Page 489
    "private IP address" is not strictly correct when used here. Either address used in an IP4 HA Address object may be public if management access across the public Internet is required. 9. Save and activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall but this
  • D-Link DFL-2560 | Product Manual - Page 490
    ID must be changed for the cluster so that it is unique (the default value is 0). The Cluster ID determines that the MAC address for the cluster interface on the slave unit. Problem Diagnosis An HA cluster will function if this setting is disabled but can cause problems with a limited number of
  • D-Link DFL-2560 | Product Manual - Page 491
    , such as for source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does. The Shared IP Must Not Be 0.0.0.0 Assigning the IP address 0.0.0.0 as the shared IP address must be avoided
  • D-Link DFL-2560 | Product Manual - Page 492
    , backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. 492
  • D-Link DFL-2560 | Product Manual - Page 493
    11.5. Upgrading an HA Cluster Chapter 11. High Availability 11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is
  • D-Link DFL-2560 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed
  • D-Link DFL-2560 | Product Manual - Page 495
    minute has elapsed, the synchronization traffic is then only sent after repeated periods of silence. The length of this silence is this setting. Default: 5 Use Unique Shared Mac Use a unique shared MAC address for each interface. For further explanation of this setting see Section 11.3.4, "Unique
  • D-Link DFL-2560 | Product Manual - Page 497
    and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G.
  • D-Link DFL-2560 | Product Manual - Page 498
    firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports
  • D-Link DFL-2560 | Product Manual - Page 499
    Operation 12.3.1. SNMP Simple Network Management Protocol (SNMP) is an application layer protocol for complex network management. SNMP allows the managers and managed devices in a network to communicate with each other. SNMP Managers A typical managing device, such as a NetDefend Firewall, uses
  • D-Link DFL-2560 | Product Manual - Page 500
    192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a management interface address 192.168.1.250 connecting to the firewall's interface address 192.168.1.1. This firewall interface is added into the exclude list to prevent the
  • D-Link DFL-2560 | Product Manual - Page 501
    enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management interface • Destination Interface: any Scanning" and in the sections covering the individual ALGs. 12.3.5. Limitations There are some differences in ZoneDefense operation depending
  • D-Link DFL-2560 | Product Manual - Page 502
    12. ZoneDefense of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support firewall
  • D-Link DFL-2560 | Product Manual - Page 504
    that are not already described in the manual. In the Web Interface these settings Default: Enabled Log non IP4 Logs occurrences of IP packets that are not version 4. NetDefendOS only accepts version 4 IP packets; everything else is discarded. Default: Enabled Log Received TTL 0 Logs occurrences of IP
  • D-Link DFL-2560 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses
  • D-Link DFL-2560 | Product Manual - Page 506
    security risk. NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These
  • D-Link DFL-2560 | Product Manual - Page 507
    : 65535 bytes Multicast Mismatch option What action to take when the Ethernet and IP multicast addresses do not match. Default: DropLog Min Broadcast TTL option The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1 Low Broadcast TTL Action option What action to take on too low
  • D-Link DFL-2560 | Product Manual - Page 508
    taken on packets whose TCP MSS option falls below the stipulated TCPMSSMin value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCP MSS Max Determines the maximum permissible TCP MSS size. Packets containing maximum segment sizes exceeding this limit are
  • D-Link DFL-2560 | Product Manual - Page 509
    to MTU of involved interfaces, in addition to TCPMSSMax. Default: Enabled TCP Zero Unused ACK Determines whether NetDefendOS should set limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it
  • D-Link DFL-2560 | Product Manual - Page 510
    attention. These two flags should not be turned on in a single packet as they are used exclusively to crash computers with poorly implemented TCP stacks. Default: DropLog TCP SYN/PSH Specifies how NetDefendOS will deal with TCP packets with SYN and PSH (push) flags both turned on. The PSH flag means
  • D-Link DFL-2560 | Product Manual - Page 511
    are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP Reserved Field Specifies how OS Fingerprinting and stealth port scanners, as some firewalls are unable to detect them. Default: DropLog TCP Sequence Numbers Determines if the sequence
  • D-Link DFL-2560 | Product Manual - Page 512
    on. ReopenValidLog - Do not validate reopen attempts at all; validate, log if bad. Default: ValidateLogBad Notes on the TCPSequenceNumbers setting The default ValidateLogBad (or the alternative ValidateSilent) will allow the de-facto behavior of TCP re-open attempts, meaning that they will reject re
  • D-Link DFL-2560 | Product Manual - Page 513
    . In other words, this setting limits how many Rejects per second may be generated by the Reject rules in the Rules section. Default: 500 Silently Drop State ICMPErrors Specifies if NetDefendOS should silently drop ICMP errors pertaining to statefully tracked open connections. If these errors are
  • D-Link DFL-2560 | Product Manual - Page 514
    determines if NetDefendOS is to log the occurrence of such packets. Default: Enabled Log Reverse Opens Determines if NetDefendOS logs packets that attempt not matter if logging is enabled for either Allow or NAT rules in the IP rule set; they will not be logged. However, FwdFast, Drop and Reject
  • D-Link DFL-2560 | Product Manual - Page 515
    NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP throughput performance. Default: Disabled Dynamic Max Connections Allocate the Max Connection value dynamically. Default: Enabled Max
  • D-Link DFL-2560 | Product Manual - Page 516
    before being closed. Default: 60 TCP Idle both directions. Default: 262144 TCP has passed in any direction. Default: 80 UDP Idle Lifetime Specifies in Default: 130 UDP Bidirectional Keep-alive This allows both sides to keep a UDP connection alive. The default data. Default: Disabled Ping Idle Lifetime
  • D-Link DFL-2560 | Product Manual - Page 517
    13.5. Connection Timeout Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130
  • D-Link DFL-2560 | Product Manual - Page 518
    packet including the header. This value usually correlates with the amount of IP data that can be accommodated in an unfragmented packet, since TCP usually to 1000 bytes if you do not wish to use large Ping packets. Default: 10000 Max GRE Length Specifies in bytes the maximum size of a GRE packet
  • D-Link DFL-2560 | Product Manual - Page 519
    maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs. Default: 1480 Max IPIP/FWZ Length Specifies in bytes the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size
  • D-Link DFL-2560 | Product Manual - Page 520
    each one given their own IP header and information that will help the recipient reassemble the original packet correctly. Many IP stacks, however, are unable reassembly, and in this way block almost all communication. Default: DropLog - discards individual fragments and remembers that the reassembly
  • D-Link DFL-2560 | Product Manual - Page 521
    LogAll - Logs all failed reassembly attempts. • LogAllSubseq - As LogAll, but also logs subsequent fragments of the packet as and when they arrive. Default: LogSuspectSubseq Dropped Fragments If a packet is denied entry to the system as the result of the settings in the Rules section, it may also be
  • D-Link DFL-2560 | Product Manual - Page 522
    the arrival of too many fragments that are too small may cause problems for IP stacks, it is usually not possible to set this limit too high an equal number of 40 byte fragments. Because of the potential problems this can cause, the default settings in NetDefendOS have been designed to allow the smallest
  • D-Link DFL-2560 | Product Manual - Page 523
    13.7. Fragmentation Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60
  • D-Link DFL-2560 | Product Manual - Page 524
    13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large (over 2K) local reassembly buffers (of the above size
  • D-Link DFL-2560 | Product Manual - Page 525
    specifies this amount of time. Default: 3600 Max Connections Packet re-assembly collects IP fragments into complete IP datagrams and, for TCP, available. Minimum 1, Maximum 100. Default: 3 Max Pipe Users The maximum number of pipe users to allocate. As pipe users are only tracked for a 20th of
  • D-Link DFL-2560 | Product Manual - Page 527
    is done by: • Purchasing a subscription from your local D-Link reseller. • On purchase, you will receive a unique activation code to identify you as a user of the service. • Go to Maintenance > License in the Web Interface of your NetDefend Firewall system and enter this activation code. NetDefendOS
  • D-Link DFL-2560 | Product Manual - Page 528
    of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation seconds to be optimized once an update is downloaded. This will cause the firewall to momentarily pause in its operation. It can therefore be best to set
  • D-Link DFL-2560 | Product Manual - Page 529
    , the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, "Intrusion Detection and Prevention". Group Name
  • D-Link DFL-2560 | Product Manual - Page 530
    protocol and implementation IGMP IMAP protocol/implementation AOL IM Instant Messenger implementations MSN Messenger Yahoo Messenger IP protocol and implementation Overflow of IP protocol/implementation Internet Relay Chat General LDAP clients/servers Open LDAP License management for CA software
  • D-Link DFL-2560 | Product Manual - Page 531
    Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP protocol/implementation SOCKS protocol and implementation SSH protocol and
  • D-Link DFL-2560 | Product Manual - Page 532
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications
  • D-Link DFL-2560 | Product Manual - Page 533
    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this
  • D-Link DFL-2560 | Product Manual - Page 534
    filetypes Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD
  • D-Link DFL-2560 | Product Manual - Page 535
    Atari MSA archive data Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable CrossePAC archive data Portable Bitmap Format Image Portable
  • D-Link DFL-2560 | Product Manual - Page 536
    Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Appendix C. Verified MIME filetypes Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType Font
  • D-Link DFL-2560 | Product Manual - Page 537
    such as ARP, Services and ALGs. Figure D.1. The 7 Layers of the OSI Model. Layer Functions The different layers perform the following functions: Layer 7 - Application Layer Defines the user interface that supports IP, OSPF, ICMP, IGMP and similar. Layer 2 - Data-Link
  • D-Link DFL-2560 | Product Manual - Page 538
    ARP Expire setting, 109, 114 ARP Expire Unknown setting, 109, 115 ARP Hash Size setting, 109, 115 ARP Hash Size VLAN setting, 110, 115 ARP IP Collision setting, 115 ARP Match Ethernet Sender setting, 113 ARP Multicast setting, 115 ARP poll interval setting, 156 ARP Query No Sender setting, 113 ARP
  • D-Link DFL-2560 | Product Manual - Page 539
    files in user authentication, signed, 129, 383, 409 validity, 128 with IPsec, 386 VPN troubleshooting, 437 chains (in traffic shaping), 445 CLI, 28, 33 TTL setting, 219 default access rule, 147, 237 Default TTL setting, 505 demilitarized zone (see DMZ) denial of service, 326 destination RLB
  • D-Link DFL-2560 | Product Manual - Page 540
    service, 139 E Enable Sensors setting, 65 end of life procedures, 75 ESMTP extensions, 256 ethernet interface, 92 changing IP addresses, 95 CLI command summary, 95 default gateway, 93 IP , 154 HTML pages content filtering customizing, 307 user auth customizing, 373 HTTP ALG, 241 authentication,
  • D-Link DFL-2560 | Product Manual - Page 541
    IP rules, 406 clients, 386 dead peer detection, 407 keep-alive, 407 LAN to LAN setup, 382 overview, 391 quick start guide, 381 roaming clients setup, 384 troubleshooting Active Directory, 360 servers, 413 link state algorithms, 171 Local Console Timeout setting, 49 local IP address in routes, 145 Log
  • D-Link DFL-2560 | Product Manual - Page 542
    Other Length setting, 519 Max Pipe Users setting, 525 Max PPM (DHCP) Time Limit setting, 522 max sessions services parameter, 85 Max Size (reassembly) 335 anonymizing with, 338 IP rules, 119 pools, setting up, 188 virtual links, 176, 184 Other support, 102 with HA, 102 PPTP, 425 advanced settings,
  • D-Link DFL-2560 | Product Manual - Page 543
    problem with NAT, 432 quick start guide, 389 server, 425 PPTP Before Rules setting, 431 precedences in pipes, 450 pre-shared keys, 382, 402 non-ascii character problem FwdFast rules, 478 service based routing, 160 services, 82 and ALGs, 85 creating custom, 83 custom IP protocol, 88 custom timeouts
  • D-Link DFL-2560 | Product Manual - Page 544
    auth HTML customizing, 373 user based routing, 160 Use Unique Shared Mac (HA) setting, 490, 495 V Validation Timeout setting, 49 virtual LAN (see VLAN) virtual private networks (see VPN) VLAN, 97 advanced settings, 100 license limitations, 99 port based, 98 trunk, 98 voice over IP with H.323, 275
  • D-Link DFL-2560 | Product Manual - Page 545
    VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 whitelisting, 296 web interface, 28, 29 default connection interface, 30 setting workstation