D-Link DFL-260 Product Manual

D-Link DFL-260 - NetDefend - Security Appliance Manual

D-Link DFL-260 manual content summary:

  • D-Link DFL-260 | Product Manual - Page 1
    Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
  • D-Link DFL-260 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-260 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published any person or parties of such revision or changes. Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT,
  • D-Link DFL-260 | Product Manual - Page 4
    77 3.1. The Address Book 77 3.1.1. Overview 77 3.1.2. IP Addresses 77 3.1.3. Ethernet Addresses 79 3.1.4. Address Groups 80 3.1.5. Auto-Generated Address Objects 81 3.1.6. Address Book Folders 81 3.2. Services 82 3.2.1. Overview 82 3.2.2. Creating Custom
  • D-Link DFL-260 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services 86 3.2.4. Custom IP Protocol Services 88 3.2.5. Service Groups 88 3.2.6. Custom Service Timeouts 89 3.3. Interfaces 90 3.3.1. Overview 90 3.3.2. Ethernet Interfaces 92 3.3.3. VLAN 97 3.3.4. PPPoE 101 3.3.5. GRE Tunnels 103 3.3.6. Interface Groups 107 3.4.
  • D-Link DFL-260 | Product Manual - Page 6
    Manual 4.7. Transparent Mode 207 4.7.1. Overview 207 4.7.2. Enabling Internet Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Spanning Tree BPDU Support 217 4.7.5. Advanced Settings for Transparent Mode 218 5. DHCP Services Subscribing to the D-Link Anti-Virus Service 311 6.4.6. Anti-
  • D-Link DFL-260 | Product Manual - Page 7
    User Manual 7. Address Translation 334 7.1. Overview 334 7.2. NAT 335 7.3. NAT Pools 340 7.4. SAT 343 9.4.3. Roaming Clients 408 9.4.4. Fetching CRLs from an alternate LDAP server 413 9.4.5. Troubleshooting with ikesnoop 414 9.4.6. IPsec Advanced Settings 421 9.5. PPTP/L2TP 425 9.5.1. PPTP
  • D-Link DFL-260 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. IPsec Troubleshooting Commands 438 12. ZoneDefense 497 12.1. Overview 497 12.2. ZoneDefense Switches 498 12.3. ZoneDefense Operation 499 12.3.1. SNMP 499 12.3.2. Threshold Rules 499 12.3.3. Manual Blocking and Exclude Lists 499 12
  • D-Link DFL-260 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings 504 13.2. TCP Level Settings 508 13.3. ICMP Level Settings 513 13.4. State Settings 514 13.5. Connection Timeout Settings 516 13.6.
  • D-Link DFL-260 | Product Manual - Page 10
    Balancing Scenario 169 4.8. A Simple OSPF Scenario 172 4.9. OSPF Providing Route Redundancy 173 4.10. Virtual Links Connecting Areas 177 4.11. Virtual Links with Partitioned Backbone 178 4.12. NetDefendOS OSPF Objects 179 4.13. Dynamic Routing Rule Objects 186 4.14. Multicast Forwarding - No
  • D-Link DFL-260 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11
  • D-Link DFL-260 | Product Manual - Page 12
    Services 82 3.7. Viewing a Specific Service 83 3.8. Creating a Custom TCP/UDP Service 86 3.9. Adding an IP Protocol Service 88 3.10. Defining a VLAN 100 3.11. Configuring a PPPoE Client 103 3.12 SNTP 134 3.24. Manually Triggering a Time Synchronization Enabling the D-Link NTP Server 136
  • D-Link DFL-260 | Product Manual - Page 13
    User Manual 4.14. IGMP - No Address Translation 201 4.15. if1 Configuration 202 4.16. if2 LDAP server 413 9.10. Setting up a PPTP server 426 9.11. Setting up an L2TP server 427 9.12. Setting up an L2TP Tunnel Over IPsec 427 10.1. Applying a Simple Bandwidth Limit 447 10.2. Limiting Bandwidth
  • D-Link DFL-260 | Product Manual - Page 14
    document to aid with alphabetical lookup of subjects. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in the main text, this ://www.dlink.com. Screenshots This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically
  • D-Link DFL-260 | Product Manual - Page 15
    Preface items in the tree-view list at the left of the interface or in the menu bar or in a context menu need to be opened followed by information about the data items that need to be entered: 1. Go to Item X > Item Y > Item Z 2. Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 Highlighted
  • D-Link DFL-260 | Product Manual - Page 16
    19 • NetDefendOS State Engine Packet Flow, page 23 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range routing, as well as multicast routing capabilities. In addition, NetDefendOS supports features such as Virtual LANs, Route Monitoring, Proxy ARP and
  • D-Link DFL-260 | Product Manual - Page 17
    steps in Section 9.2, "VPN Quick Start". NetDefendOS supports TLS termination so that the NetDefend Firewall can act on all D-Link NetDefend product models as a subscription service. On some Content Filtering (WCF) web content can be blocked based on category (Dynamic WCF), malicious objects
  • D-Link DFL-260 | Product Manual - Page 18
    detailed event and logging capabilities plus support for monitoring through SNMP. More detailed NetDefendOS can be used to control D-Link switches using the ZoneDefense feature. This guides: • The CLI Reference Guide which details all NetDefendOS CLI commands. • The NetDefendOS Log Reference Guide
  • D-Link DFL-260 | Product Manual - Page 19
    receiving or sending traffic. The following types of interface are supported in NetDefendOS: • Physical interfaces - These correspond to the actual host and network addresses. Another example of logical objects are services which represent specific protocol and port combinations. Also important are
  • D-Link DFL-260 | Product Manual - Page 20
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview NetDefendOS Rule Sets Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules, which are used to
  • D-Link DFL-260 | Product Manual - Page 21
    . A corresponding state will be added to the connection table for matching subsequent packets belonging to the same connection. In addition, the service object which matched the IP protocol and ports might have contained a reference to an Application Layer Gateway (ALG) object. This information
  • D-Link DFL-260 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 22
  • D-Link DFL-260 | Product Manual - Page 23
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 1.3. NetDefendOS State Engine Packet Flow The diagrams in this section provide a summary of the flow of packets through the NetDefendOS state-engine. There are three diagrams, each flowing into the next. It is not necessary
  • D-Link DFL-260 | Product Manual - Page 24
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 24
  • D-Link DFL-260 | Product Manual - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 25
  • D-Link DFL-260 | Product Manual - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 26
  • D-Link DFL-260 | Product Manual - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27
  • D-Link DFL-260 | Product Manual - Page 28
    Chapter 2. Management and Maintenance This chapter describes the management, operations and maintenance related aspects of NetDefendOS. • Managing NetDefendOS, page 28 • Events and Logging, page 55 • RADIUS Accounting, page 60 • Hardware Monitoring, page 65 • SNMP Monitoring, page 67 • The pcapdump
  • D-Link DFL-260 | Product Manual - Page 29
    any console key between power-up and NetDefendOS starting. It is the D-Link firmware loader that is being accessed with the boot menu. This feature is use with the WebUI. Other browsers may also provide full support. Remote Management Policies Access to remote management interfaces can be regulated
  • D-Link DFL-260 | Product Manual - Page 30
    a Default IP Address For a new D-Link NetDefend firewall with factory defaults, a default model as follows: • On the NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the to succeed so the connecting interface of the workstation must be manually given the following static IP values: • IP address:
  • D-Link DFL-260 | Product Manual - Page 31
    login dialog offers the option to select a language other than English for the interface. Language support is provided by a set of separate resource files. These files can be downloaded from the D-Link website. It may occasionally be the case that a NetDefendOS upgrade can contain features that
  • D-Link DFL-260 | Product Manual - Page 32
    for system diagnostics. • Maintenance • Update Center - Manually update or schedule updates of the intrusion detection and support specialist to analyze a problem. This can be very useful since the information provided automatically includes many details that are required for troubleshooting
  • D-Link DFL-260 | Product Manual - Page 33
    to the system. Logout by clicking on the Logout button at the right of the menu bar. Tip: Correctly routing management traffic If there is a problem with the management interface when communicating alongside VPN tunnels, check the main routing table and look for an all-nets route to the VPN tunnel
  • D-Link DFL-260 | Product Manual - Page 34
    to be performed. This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands are: • add - Adds an object such as an IP address or a rule to a NetDefendOS configuration. • set
  • D-Link DFL-260 | Product Manual - Page 35
    2.1.4. The CLI Chapter 2. Management and Maintenance a command appears it can be re-executed in its original form or changed first before execution. Tab Completion Remembering all the commands and their options can be difficult. NetDefendOS provides a feature called tab completion which means
  • D-Link DFL-260 | Product Manual - Page 36
    2.1.4. The CLI Chapter 2. Management and Maintenance Not all object types belong in a category. The object type UserAuthRule is a type without a category and will appear in the category list after pressing tab at the beginning of a command. The category is sometimes also referred to as a context.
  • D-Link DFL-260 | Product Manual - Page 37
    by alternatively using the name assigned to it. The CLI Reference Guide lists the parameter options available for each NetDefendOS object, including the terminal. To locate the serial console port on your D-Link hardware, see the D-Link Quick Start Guide . To use the console port, you need the
  • D-Link DFL-260 | Product Manual - Page 38
    over insecure networks, providing strong authentication and data integrity. SSH clients are freely available for almost all hardware platforms. NetDefendOS supports versions 1, 1.5 and 2 of the SSH protocol. Versions 1 and 1.5 have well-known protocol weaknesses and are obsolete, so management clients should be configured to negotiate version 2 only. SSH access is regulated by the remote management policy in NetDefendOS, and is disabled
  • D-Link DFL-260 | Product Manual - Page 39
    Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command: gw-world:/> set device name="my-prompt" The CLI Reference Guide uses the command prompt gw-world:/> throughout. Tip: The CLI prompt is the WebUI device name When the command line prompt is changed to a new
  • D-Link DFL-260 | Product Manual - Page 40
    in a configuration using the command: gw-world:/> show -errors This will cause NetDefendOS to scan the configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that does not exist in a restored
  • D-Link DFL-260 | Product Manual - Page 41
    editor containing a sequential list of CLI commands, one per line. The D-Link recommended convention is for these files to use the file extension .sgs ( CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, "The CLI" in this manual. Only
  • D-Link DFL-260 | Product Manual - Page 42
    a script called my_script.sgs is to be executed with IP address 126.12.11.01 replacing all occurrences of $1 in the script file and the replacement would mean that the file becomes: add IP4Address If1_ip Address=126.12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts
  • D-Link DFL-260 | Product Manual - Page 43
    2.1.5. CLI Scripts Chapter 2. Management and Maintenance If an executing CLI script file encounters an error condition, the default behavior is for the script to terminate. This behavior can be overridden by using the -force option. To run a script file called my_script2.sgs in this way, the CLI
  • D-Link DFL-260 | Product Manual - Page 44
    2.1.5. CLI Scripts Chapter 2. Management and Maintenance gw-world:/> script -show -name=my_script.sgs Creating Scripts Automatically When the same configuration objects needs to be copied between multiple NetDefend Firewalls, then one way to do this with the CLI is to create a script file that
  • D-Link DFL-260 | Product Manual - Page 45
    2.1.6. Secure Copy Chapter 2. Management and Maintenance Any line in a script file that begins with the # character is treated as a comment. For example: # The following line defines the If1 IP address add IP4Address If1_ip Address=10.6.60.10 Scripts Running Other Scripts It is possible for one
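The two script features described above, positional `$N` substitution and `#` comment lines, are easy to get wrong when the same .sgs file is rendered for many firewalls. The following is an added example, not code from the manual or from NetDefendOS: it renders a template for a fleet of units, refuses to emit a script with an unresolved placeholder, and checks every `Address=` value as a strict dotted quad. The template, fleet names and addresses are constructed for the example. Note that the manual's own sample value `126.12.11.01` contains a leading zero in the last octet; the checker rejects such values because parsers disagree on whether a zero-prefixed octet is decimal or octal.

```python
"""Render a NetDefendOS-style CLI script (.sgs) template for several firewalls.

Added example for the CLI Scripts section; not code from the manual.
Assumed conventions, taken from the manual's description: one command per
line, '#' starts a comment line, and $1..$N are replaced by positional
arguments supplied at execution time.
"""
import re

PLACEHOLDER = re.compile(r"\$(\d+)")
# Strict dotted quad: four octets 0-255, no leading zeros.  A value such as
# 126.12.11.01 is rejected on purpose: some parsers read a zero-prefixed
# octet as octal, so the address is ambiguous.
IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$"
)

# Constructed template: an interface address, a LAN network and a NAT rule.
TEMPLATE = """\
# $1 = If1 address, $2 = LAN network
add IP4Address If1_ip Address=$1 Comments="If1 address"
add IP4Address lan_net Address=$2
add IPRule Name=lan_out SourceInterface=lan SourceNetwork=lan_net DestinationInterface=wan DestinationNetwork=all-nets Service=all_services Action=NAT
"""


def render_sgs(template, args, keep_comments=False):
    """Substitute $1..$N, validate Address= values, return the command lines.

    Raises ValueError for an unresolved placeholder or a malformed IPv4 value,
    so a bad script is caught before it is uploaded and executed.
    """
    out = []
    for lineno, line in enumerate(template.splitlines(), 1):
        if line.startswith("#"):
            if keep_comments:
                out.append(line)
            continue
        if not line.strip():
            continue

        def sub(m):
            idx = int(m.group(1))
            if idx < 1 or idx > len(args):
                raise ValueError(f"line {lineno}: no argument for ${idx}")
            return args[idx - 1]

        rendered = PLACEHOLDER.sub(sub, line)
        # Check each Address= value; accept CIDR (a/n) and ranges (a-b) by
        # validating the leading address of the expression.
        for value in re.findall(r"Address=(\S+)", rendered):
            addr = value.split("/")[0].split("-")[0]
            if not IPV4.match(addr):
                raise ValueError(f"line {lineno}: bad IPv4 address {value!r}")
        out.append(rendered)
    return out


def render_for_fleet(template, fleet):
    """fleet: {firewall_name: [arg1, arg2, ...]} -> {firewall_name: script text}."""
    return {name: "\n".join(render_sgs(template, args)) + "\n"
            for name, args in fleet.items()}


if __name__ == "__main__":
    fleet = {"fw-a": ["10.6.60.10", "10.6.60.0/24"],
             "fw-b": ["10.7.60.10", "10.7.60.0/24"]}
    for name, text in render_for_fleet(TEMPLATE, fleet).items():
        print(f"--- {name}.sgs ---\n{text}")
```

Each rendered script is still validated on the firewall itself when it runs; this step only stops obviously broken scripts from being pushed to every unit in the fleet with -force.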
  • D-Link DFL-260 | Product Manual - Page 46
    SSH client key object type. Examples of Uploading and Downloading In some cases, a file is located in the NetDefendOS root. The license file (license.lic) falls into this category, as well as backup files for configurations (config.bak) and the complete system (full.bak). When uploading, these files
  • D-Link DFL-260 | Product Manual - Page 47
    2.1.7. The Console Boot Menu Chapter 2. Management and Maintenance To upload a file to an object type under the root, the command is slightly different. If we have a local CLI script file called my_script.sgs then the upload command would be: > scp my_script.sgs [email protected]:script/ If we
  • D-Link DFL-260 | Product Manual - Page 48
    2.1.8. Management Advanced Settings Chapter 2. Management and Maintenance The options available in the boot menu are: 1. Start firewall This initiates the complete startup of the NetDefendOS software on the NetDefend Firewall. 2. Reset unit to factory defaults This option will restore the hardware
  • D-Link DFL-260 | Product Manual - Page 49
    to use for HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9. Working with Configurations Configuration Objects The Examples of configuration objects are routing table entries, address book entries, service definitions, IP rules and so on. Each configuration object has a
  • D-Link DFL-260 | Product Manual - Page 50
    To find out what configuration objects exist, you can retrieve a listing of the objects. This example shows how to list all service objects. Command-Line Interface gw-world:/> show Service A list of all services will be displayed, grouped by their respective type. Web Interface 1. Go to Objects
  • D-Link DFL-260 | Product Manual - Page 51
    : SYNRelay: PassICMPReturn: ALG: MaxSessions: Comments: Value ------telnet 23 TCP 0-65535 No No (none) 1000 Modified Comment Web Interface 1. Go to Objects > Services 2. Click on the telnet hyperlink in the list 3. In the Comments textbox, enter your new comment 4. Click OK Verify that the new
  • D-Link DFL-260 | Product Manual - Page 52
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Important: Configuration changes must be activated Changes to a configuration object will not be applied to a running system until the new NetDefendOS configuration is activated. Example 2.6. Adding a Configuration Object
  • D-Link DFL-260 | Product Manual - Page 53
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance Example 2.8. Undeleting a Configuration Object A deleted object can always be restored until the configuration has been activated and committed. This example shows how to restore the deleted IP4Address object shown in the
  • D-Link DFL-260 | Product Manual - Page 54
    2.1.9. Working with Configurations Chapter 2. Management and Maintenance default) during which a connection to the administrator must be re-established. As described previously, if the configuration was activated via the CLI with the activate command then a commit command must be issued within
  • D-Link DFL-260 | Product Manual - Page 55
    health, but also allows auditing of network usage and assists in trouble-shooting. Log Message Generation NetDefendOS defines a large number of of all event messages can be found in the NetDefendOS Log Reference Guide. That guide also describes the design of event messages, the meaning of severity
  • D-Link DFL-260 | Product Manual - Page 56
    log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity levels are found listed in the NetDefendOS Log Reference Guide. 2.2.3. Creating Log Receivers To distribute and log the
  • D-Link DFL-260 | Product Manual - Page 57
    in the log entry. The Prio and Severity fields The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable logging of all events with
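Because the syslog priority numbering runs the opposite way to the D-Link Logger severity field, threshold filters on a collector are a common source of silently dropped alerts. The following is an added example, not code from the manual or from NetDefendOS: it decodes the RFC 3164 `<PRI>` prefix of received lines into facility and severity and filters at a severity threshold. The sample lines are constructed in generic syslog form with a key=value body; the exact NetDefendOS message layout is defined in the Log Reference Guide and is not reproduced here.

```python
"""Decode the syslog PRI of received log lines and filter by severity.

Added example for the Events and Logging section; not NetDefendOS code.
In syslog a LOWER number is MORE severe (0 = Emergency, 7 = Debug); this is
the reversal relative to the D-Link Logger severity field noted in the manual.
"""
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (generic RFC 3164 header + key=value body).
SAMPLE = [
    "<134>Jun 22 10:15:03 gw-world EFW: CONN: prio=6 id=1 event=conn_open action=open srcip=192.168.1.5 destip=192.168.10.16 destport=80",
    "<132>Jun 22 10:15:04 gw-world EFW: RULE: prio=4 id=2 event=ruleset_drop_packet action=drop rule=drop_netbios destport=139",
    "<129>Jun 22 10:15:05 gw-world EFW: SYSTEM: prio=1 id=3 event=admin_login_failure action=reject user=admin srcip=203.0.113.9",
]


def decode_pri(pri):
    """PRI = facility * 8 + severity; the largest legal value is 23*8+7 = 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line):
    """Return facility, severity and the key=value fields of one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    body = m.group(2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"facility": facility, "severity": severity,
            "severity_num": pri & 7, "fields": fields, "body": body}


def at_least(lines, severity):
    """Keep lines at the given severity or worse, i.e. numerically lower or equal."""
    threshold = SEVERITIES.index(severity)
    return [l for l in lines if parse_line(l)["severity_num"] <= threshold]


def count_by_severity(lines):
    return Counter(parse_line(l)["severity"] for l in lines)


if __name__ == "__main__":
    for l in at_least(SAMPLE, "warning"):
        r = parse_line(l)
        print(r["severity"], r["fields"].get("event"), r["fields"].get("action"))
```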
  • D-Link DFL-260 | Product Manual - Page 58
    of the firewall) is provided by D-Link and defines the SNMP objects and data types NetDefendOS subsystem is reporting the problem • ID - Unique identification -referenced to the Log Reference Guide. Note: SNMP Trap standards RFC1901, RFC1905 and RFC1906. Example 2.12. Sending SNMP Traps to an SNMP
  • D-Link DFL-260 | Product Manual - Page 59
    2.2.7. Advanced Log Settings Chapter 2. Management and Maintenance Web Interface 1. Go to Log & Event Receivers > Add > SNMP2cEventReceiver 2. Specify a name for the event receiver, for example my_snmp 3. Enter 195.11.22.55 as the IP Address 4. Enter an SNMP Community String if needed by the trap
  • D-Link DFL-260 | Product Manual - Page 60
    Message Parameters Parameters included in START messages sent by NetDefendOS are: • Type - Marks this AccountingRequest as signalling the beginning of the service (START). • ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP. • User Name - The user
  • D-Link DFL-260 | Product Manual - Page 61
    2.3.2. RADIUS Accounting Messages Chapter 2. Management and Maintenance authentication server. • How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database. • Delay Time
  • D-Link DFL-260 | Product Manual - Page 62
    2.3.3. Interim Accounting Messages Chapter 2. Management and Maintenance Tip: The meaning of the asterisk after a list entry The asterisk "*" symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3. Interim Accounting Messages In
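The START message parameters listed above map directly onto RADIUS accounting attributes (RFC 2866): Type is Acct-Status-Type, ID is Acct-Session-Id, User Name is User-Name, How Authenticated is Acct-Authentic and Delay Time is Acct-Delay-Time. The following is an added example, not NetDefendOS code: it builds an Accounting-Request START packet, computes the Request Authenticator from the shared secret as the RFC specifies, and shows the server-side check that rejects a packet with a wrong secret or a modified attribute. The session values and the shared secret are constructed for the example.

```python
"""Build and verify a RADIUS Accounting-Request START packet (RFC 2866).

Added example for the RADIUS Accounting section; not NetDefendOS code.
Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
                            + Attributes + Shared Secret)
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4

# Attribute types (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_DELAY_TIME = 41
ACCT_SESSION_ID = 44
ACCT_AUTHENTIC = 45

STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
AUTHENTIC_RADIUS, AUTHENTIC_LOCAL = 1, 2   # "How Authenticated"


def attr_str(t, s):
    data = s.encode()
    return struct.pack("!BB", t, 2 + len(data)) + data


def attr_int(t, v):
    return struct.pack("!BBI", t, 6, v)


def attr_ip(t, ip):
    return struct.pack("!BB", t, 6) + bytes(int(o) for o in ip.split("."))


def build_acct_start(identifier, secret, user, session_id, client_ip, nas_ip,
                     authentic=AUTHENTIC_LOCAL, delay=0):
    """Client (NAS) side: assemble the START message and sign it with the secret."""
    attrs = (attr_int(ACCT_STATUS_TYPE, STATUS_START)
             + attr_str(ACCT_SESSION_ID, session_id)
             + attr_str(USER_NAME, user)
             + attr_int(ACCT_AUTHENTIC, authentic)
             + attr_int(ACCT_DELAY_TIME, delay)
             + attr_ip(FRAMED_IP_ADDRESS, client_ip)
             + attr_ip(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet, secret):
    """Server side: recompute the authenticator; reject on mismatch or bad length."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the attribute TLVs after the 20-byte header; {type: raw value}."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError(f"bad attribute length {l} at offset {pos}")
        out[t] = packet[pos + 2:pos + l]
        pos += l
    return out


def acct_status(packet):
    return struct.unpack("!I", parse_attrs(packet)[ACCT_STATUS_TYPE])[0]


if __name__ == "__main__":
    pkt = build_acct_start(7, b"s3cret", "alice", "0001a2b3", "10.0.0.5", "10.0.0.1")
    print(len(pkt), "bytes, valid:", verify_acct_request(pkt, b"s3cret"))
```

The authenticator only covers integrity under the shared secret; the attributes themselves travel in clear text, which is why the accounting server should be reachable only over a management network or an IPsec tunnel.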
  • D-Link DFL-260 | Product Manual - Page 63
    RADIUS servers before commencing with the shutdown. 2.3.9. Limitations with NAT The User Authentication module in NetDefendOS is based on the user's IP address. Problems can therefore occur with users who have the same IP address. This can happen, for example, when several users are behind the same
  • D-Link DFL-260 | Product Manual - Page 64
    2.3.10. RADIUS Advanced Settings Chapter 2. Management and Maintenance continue to be logged in. Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated. Default: Enabled Logout at
  • D-Link DFL-260 | Product Manual - Page 65
    such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660, 2500, 2560 and 2560G. Configuring and performing hardware monitoring can be done either through the
  • D-Link DFL-260 | Product Manual - Page 66
    2.4. Hardware Monitoring Chapter 2. Management and Maintenance The -verbose option displays the current values plus the configured ranges: gw-world:/> hwm -a -v 2 sensors available Poll interval time = 500ms Name [type][number] = low_limit] current_value [high_limit (unit) SYS Temp [TEMP
  • D-Link DFL-260 | Product Manual - Page 67
    by any SNMP compliant clients to devices running NetDefendOS. However, only query operations are permitted, for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by a client: • The GET REQUEST operation • The GET NEXT REQUEST operation • The GET BULK REQUEST
  • D-Link DFL-260 | Product Manual - Page 68
    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port. Remote Access Encryption It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as
  • D-Link DFL-260 | Product Manual - Page 69
    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100
  • D-Link DFL-260 | Product Manual - Page 70
    the defacto libpcap library file format standard for packet capture. The complete syntax of the pcapdump command is described in the CLI Reference Guide. A Simple Example An example of pcapdump usage is the following sequence: gw-world:/> pcapdump -size 1024 -start int gw-world:/> pcapdump -stop int
  • D-Link DFL-260 | Product Manual - Page 71
    2.6. The pcapdump Command Chapter 2. Management and Maintenance It is possible to have multiple pcapdump executions being performed at the same time. The following points describe this feature: 1. All capture from all executions goes to the same memory buffer. The command can be launched multiple
  • D-Link DFL-260 | Product Manual - Page 72
    2.6. The pcapdump Command Chapter 2. Management and Maintenance The name of the file used for pcapdump output must comply with the following rules: • Excluding the filename extension, the name may not exceed 8 characters in length. • The filename extension cannot exceed 3 characters in length. •
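Once a capture has been written in the libpcap file format mentioned above, it can be downloaded and read with any libpcap-compatible tool. The following is an added example, not NetDefendOS code: a dependency-free reader for that file format which validates the magic number, handles both byte orders and both timestamp resolutions, refuses records whose length exceeds the snaplen or the file, and decodes the Ethernet type and IPv4 addresses of each record. The capture bytes are constructed in memory (one IPv4/TCP frame and one ARP frame) so the reader runs offline; a file downloaded from the firewall is read the same way.

```python
"""Read a libpcap capture such as the one pcapdump writes.

Added example for the pcapdump section; not NetDefendOS code.
Global header (24 bytes): magic, major, minor, thiszone, sigfigs, snaplen, linktype.
Record header (16 bytes): ts_sec, ts_frac, incl_len, orig_len, then incl_len bytes.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds
LINKTYPE_ETHERNET = 1


def build_pcap(frames, snaplen=1024, ts0=1277200000):
    """Write a little-endian pcap stream; captured bytes are cut at snaplen."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    out = [hdr]
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out.append(struct.pack("<IIII", ts0 + i, i * 1000, len(cap), len(frame)) + cap)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp_seconds, captured_bytes, wire_length) for every record."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        end, nsec = "<", magic_le == MAGIC_NSEC
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        end, nsec = ">", magic_be == MAGIC_NSEC
    else:
        raise ValueError(f"not a pcap file (magic {data[:4].hex()})")
    _major, _minor, _tz, _sig, snaplen, _linktype = struct.unpack(end + "HHiIII", data[4:24])
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        ts_sec, ts_frac, incl, orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        # A record longer than snaplen or than the remaining file is corrupt or hostile.
        if incl > snaplen or incl > orig or pos + 16 + incl > len(data):
            raise ValueError(f"bad record length at offset {pos}")
        yield ts_sec + ts_frac / (1e9 if nsec else 1e6), data[pos + 16:pos + 16 + incl], orig
        pos += 16 + incl


def summarize(data):
    """(ts, ethertype, ip_proto, src, dst) per record; non-IPv4 frames keep only the type."""
    rows = []
    for ts, frame, _orig in read_pcap(data):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0800 and len(frame) >= 34:
            proto = frame[23]
            src = ".".join(str(b) for b in frame[26:30])
            dst = ".".join(str(b) for b in frame[30:34])
            rows.append((ts, "IPv4", proto, src, dst))
        else:
            rows.append((ts, f"0x{ethertype:04x}", None, None, None))
    return rows


# Constructed frames for the sample capture.
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")


def ipv4_tcp_frame(src, dst, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ETH + b"\x08\x00" + ip + tcp


def arp_frame():
    return ETH + b"\x08\x06" + bytes(28)


SAMPLE_CAPTURE = build_pcap([ipv4_tcp_frame("10.6.60.10", "192.168.10.16", 40000, 80), arp_frame()])

if __name__ == "__main__":
    for row in summarize(SAMPLE_CAPTURE):
        print(row)
```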
  • D-Link DFL-260 | Product Manual - Page 73
    in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low response times, NetDefendOS employs a mechanism for automatically
  • D-Link DFL-260 | Product Manual - Page 74
    up the Entire System In this example we will backup the entire system on 12 December 2008. Web Interface 1. Go to Maintenance > Backup 2. The Backup the original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-
  • D-Link DFL-260 | Product Manual - Page 75
    the unit left the factory will be lost. Reset Procedure for the NetDefend DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button located at the rear of is destroyed and certified as destroyed by a suitable provider of computer disposal services. 75
  • D-Link DFL-260 | Product Manual - Page 76
    2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76
  • D-Link DFL-260 | Product Manual - Page 77
    addition, the chapter explains the different interface types and explains how security policies are constructed the administrator. • The Address Book, page 77 • Services, page 82 • Interfaces, page 90 • ARP, page 108 • IP Rule Sets, page 116 • Schedules, page 126 • Certificates, page 128 • Date and
  • D-Link DFL-260 | Product Manual - Page 78
    3.1.2. IP Addresses Chapter 3. Fundamentals IP Network IP Range An IP Network is represented using Classless Inter-Domain Routing (CIDR) form. CIDR uses a forward slash and a number (0-32) to denote the size of the network as a postfix. This is also known as the netmask. /24 corresponds to a class
  • D-Link DFL-260 | Product Manual - Page 79
    3.1.3. Ethernet Addresses Chapter 3. Fundamentals This example adds a range of IP addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers: Command-Line Interface gw-world:/> add Address IP4Address wwwservers Address=192.168.10.16-192.168.10.21 Web Interface 1. Go to Objects >
  • D-Link DFL-260 | Product Manual - Page 80
    3.1.4. Address Groups Chapter 3. Fundamentals The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2. Command-Line Interface gw-world:/> add Address EthernetAddress wwwsrv1_mac Address=08-a3-67-bc-2e-f2 Web Interface 1. Go to
  • D-Link DFL-260 | Product Manual - Page 81
    3.1.6. Address Book Folders Chapter 3. Fundamentals 3.1.5. Auto-Generated Address Objects To simplify the configuration, a number of address objects in the address book are automatically created by NetDefendOS when the system starts for the first time and these objects are used in various parts
  • D-Link DFL-260 | Product Manual - Page 82
    act as a filter to apply those rules only to a specific type of traffic. For example, an IP rule in a NetDefendOS IP rule set has a service object associated with it as a filtering parameter to decide whether or not to allow a specific type of traffic to traverse the NetDefend Firewall. Inclusion in
  • D-Link DFL-260 | Product Manual - Page 83
    be created. Reading this section will explain not only how new services are created but also provides an understanding of the properties of predefined services. The Type of service created can be one of the following: • TCP/UDP Service - A service based on the UDP or TCP protocol or both. This type
  • D-Link DFL-260 | Product Manual - Page 84
    ports. As an example, the NetBIOS protocol used by Microsoft Windows™ uses destination ports 137 to 139. To define a range of ports in a TCP/UDP service object, the format mmm-nnn is used. A port range is inclusive, meaning that a range specified as 137-139 covers ports 137, 138 and 139. Multiple
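The address forms from Section 3.1.2 (single address, CIDR network, inclusive range such as 192.168.10.16-192.168.10.21) and the port forms from this section (single port, inclusive range mmm-nnn, comma-separated list) are the two filters an IP rule is built from. The following is an added example, not NetDefendOS code: it parses both notations and evaluates a small top-down rule set against a connection 5-tuple, which is a handy way to check what a proposed rule actually covers before activating it. The rule set is constructed for the example; 0.0.0.0/0 stands in for all-nets.

```python
"""Parse NetDefendOS-style address and port specifications and match IP rules.

Added example for the Address Book and Services sections; not NetDefendOS code.
Address forms: a.b.c.d, a.b.c.d/n, a.b.c.d-e.f.g.h (inclusive).
Port forms: n, mmm-nnn (inclusive), and comma-separated lists of either.
"""
import ipaddress
from dataclasses import dataclass


def parse_address(spec):
    """Return (first, last) integer bounds of an address object value."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"reversed range {spec!r}")
        return int(lo), int(hi)
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    a = int(ipaddress.IPv4Address(spec))
    return a, a


def parse_ports(spec):
    """Return inclusive (lo, hi) ranges; '137-139' covers 137, 138 and 139."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass
class Rule:
    name: str
    action: str        # Allow, NAT, Drop, Reject ...
    src_net: str
    dst_net: str
    proto: str         # "TCP", "UDP" or "TCP/UDP"
    dst_ports: str


def in_addr(ip, spec):
    lo, hi = parse_address(spec)
    return lo <= int(ipaddress.IPv4Address(ip)) <= hi


def in_ports(port, spec):
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


def first_match(rules, src, dst, proto, dport):
    """Rules are scanned top-down; the first match decides, so order matters."""
    for r in rules:
        if proto not in r.proto.split("/"):
            continue
        if in_addr(src, r.src_net) and in_addr(dst, r.dst_net) and in_ports(dport, r.dst_ports):
            return r
    return None


# Constructed rule set: drop NetBIOS/SMB everywhere, then allow LAN to the web servers.
RULES = [
    Rule("drop_netbios", "Drop", "0.0.0.0/0", "0.0.0.0/0", "TCP/UDP", "137-139,445"),
    Rule("lan_to_www", "Allow", "192.168.1.0/24", "192.168.10.16-192.168.10.21", "TCP", "80,443"),
]

if __name__ == "__main__":
    for conn in [("192.168.1.5", "192.168.10.20", "TCP", 443), ("192.168.1.5", "192.168.10.20", "TCP", 139)]:
        r = first_match(RULES, *conn)
        print(conn, "->", r.name if r else "no rule (default drop)")
```

Anything that reaches the end of the list without a match falls through to the default behaviour, which is why a narrow service object on each Allow rule matters more than any Drop rule placed above it.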
  • D-Link DFL-260 | Product Manual - Page 85
    traffic flow. On the other hand, dropping ICMP messages increases security by preventing them being used as a means of attack. • ALG A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper inspection of certain protocols. This is the way that an ALG is associated with
  • D-Link DFL-260 | Product Manual - Page 86
    . This could be included in a group with http-all and then associated with the IP rules that allow web surfing. Restrict Services to the Minimum Necessary When choosing a service object to construct a policy such as an IP rule, the protocols included in that object should be as few as necessary to
  • D-Link DFL-260 | Product Manual - Page 87
    • Code 1: Redirect datagrams for the host • Code 2: Redirect datagrams for the Type of Service and the network • Code 3: Redirect datagrams for the Type of Service and the host Parameter Problem Identifies an incorrect parameter on the datagram. Echo Reply The reply from the destination which
  • D-Link DFL-260 | Product Manual - Page 88
    Groups For example, there may be a need for a set of IP rules that are identical to each other except for the service parameter. By defining a service group which contains all the service objects from all the individual rules, we can replace all of them with just one IP rule that uses the group
  • D-Link DFL-260 | Product Manual - Page 89
    configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS but it is more usual to change these values individually in a custom service. The timeout settings that can be
  • D-Link DFL-260 | Product Manual - Page 90
    require a binding to an underlying physical interface in order to transfer data. This group of interfaces is called Physical Sub-Interfaces. NetDefendOS has support for two types of sub-interfaces: • Virtual LAN (VLAN) interfaces as specified by IEEE 802.1Q. When routing IP packets over a Virtual
  • D-Link DFL-260 | Product Manual - Page 91
    of tunnel interface. For example, when routing traffic over an IPsec interface, the payload is usually encrypted to achieve confidentiality. NetDefendOS supports the following tunnel interface types: i. IPsec interfaces are used as end-points for IPsec VPN tunnels. More information about this topic
  • D-Link DFL-260 | Product Manual - Page 92
    physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the be convenient to change the interface name to radio. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name
  • D-Link DFL-260 | Product Manual - Page 93
    , where N represents the number of the interface if your NetDefend Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend Firewall does not have these interfaces, please substitute the
  • D-Link DFL-260 | Product Manual - Page 94
    removed. • Hardware Settings In some circumstances it may be necessary to change hardware settings for an interface. The available options are: i. The speed of the link can be set. Usually this is best left as Auto. ii. The MAC address can be set if it needs to be different to the
  • D-Link DFL-260 | Product Manual - Page 95
    on this interface. By default, the interface uses the maximum size supported. • High Availability There are two options which are specific to high the sending of HA cluster heartbeats from this interface. • Quality Of Service The option exists to copy the IP DSCP precedence to the VLAN priority
  • D-Link DFL-260 | Product Manual - Page 96
    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Property Value Name: wan_ip Address: 0.0.0.0 UserAuthGroups: NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned to the network wan_net: gw-world:/> show Address IP4Address
  • D-Link DFL-260 | Product Manual - Page 97
    through a related set of CLI commands. These are particularly useful if D-Link hardware has been replaced and Ethernet card settings are to be changed, of all CLI options see the CLI Reference Guide. 3.3.3. VLAN Overview Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more
  • D-Link DFL-260 | Product Manual - Page 98
    frame belongs. With this mechanism, Ethernet frames can belong to different Virtual LANs but can still share the same physical Ethernet link. The following principles underlie the NetDefendOS processing of VLAN tagged Ethernet frames at a physical interface: • Ethernet frames received on a physical
  • D-Link DFL-260 | Product Manual - Page 99
    as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or
  • D-Link DFL-260 | Product Manual - Page 100
    3.3.3. VLAN Chapter 3. Fundamentals License Limitations The number of VLAN interfaces that can be defined for a NetDefendOS installation is limited by the parameters of the license used. Different hardware models have different licenses and different limits on VLANs. Summary of VLAN Setup Below
  • D-Link DFL-260 | Product Manual - Page 101
    ISPs) often require customers to connect through PPPoE to their broadband service. Using PPPoE the ISP can: • Implement security and access- link, for example, both IP and IPX traffic can share a PPP link. PPP Authentication PPP authentication is optional with PPP. Authentication protocols supported
  • D-Link DFL-260 | Product Manual - Page 102
    PPPoE client can be configured to use a service name to distinguish between different servers on When NetDefendOS acts as a PPPoE client, support for unnumbered PPPoE is provided by default addresses to users. These IP addresses are then manually entered into client computers. The ISP does not assign
  • D-Link DFL-260 | Product Manual - Page 103
    -nets (as we will route all traffic into the tunnel) • Service Name: Service name provided by the service provider • Username: Username provided by the service provider • Password: Password provided by the service provider • Confirm Password: Retype the password • Under Authentication specify which
  • D-Link DFL-260 | Product Manual - Page 104
    to be multicast and it is necessary to transit through a network device which does not support multicasting. GRE allows tunneling through the network device. GRE Security and Performance A GRE tunnel table is automatically updated. The alternative is to manually create the required route.
  • D-Link DFL-260 | Product Manual - Page 105
    3.3.5. GRE Tunnels Chapter 3. Fundamentals • Address to use as source IP - It is possible to specify a particular IP address as the source interface IP for the GRE tunnel. The tunnel setup will appear to be initiated by this IP address instead of the IP address of the interface that actually sets
  • D-Link DFL-260 | Product Manual - Page 106
    the tunnel: To_B: Action Allow, Src Int lan, Src Net lannet, Dest Int GRE_to_B, Dest Net remote_net_B, Service All. From_B: Action Allow, Src Int GRE_to_B, Src Net remote_net_B, Dest Int lan, Dest Net lannet, Service All. Setup for NetDefend Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting
  • D-Link DFL-260 | Product Manual - Page 107
    as an alternative interface that is much slower, it may not be sensible to allow certain connections over the new interface. Example 3.12. Creating an Interface Group Command-Line Interface gw-world:/> add Interface InterfaceGroup examplegroup Members=exampleif1,exampleif2 Web Interface 1. Go to
  • D-Link DFL-260 | Product Manual - Page 108
    into its corresponding Ethernet address. ARP operates at the OSI layer 2, data link layer, and is encapsulated by Ethernet headers for transmission. Tip: OSI ARP entry binding the IP address 10.5.16.3 to Ethernet address 4a:32:12:6c:89:a4. The Expires Column The third column in the table, Expires
  • D-Link DFL-260 | Product Manual - Page 109
    its destination. After the ARP entry expiration time, NetDefendOS will learn the new MAC address of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve this is by flushing the ARP cache. This deletes all dynamic ARP entries from the cache and
  • D-Link DFL-260 | Product Manual - Page 110
    an incorrect MAC address. Some network devices, such as wireless modems, can have such problems. It may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies to
  • D-Link DFL-260 | Product Manual - Page 111
    • IP Address: 192.168.10.15 • MAC: 4b-86-f6-c5-a2-14 4. Click OK Chapter 3. Fundamentals Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a specific MAC address instead of the interface's MAC address. NetDefendOS will then send out
  • D-Link DFL-260 | Product Manual - Page 112
    3.4.4. Using ARP Advanced Settings Chapter 3. Fundamentals Figure 3.2. An ARP Publish Ethernet Frame The Publish option uses the real MAC address of the sending interface for the address (1) in the Ethernet frame. In rare cases, some network equipment will require that both MAC addresses in the
  • D-Link DFL-260 | Product Manual - Page 113
    an existing entry in the ARP cache. Allowing this to take place may allow hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced since NetDefendOS will not accept the new address until the previous ARP cache entry has timed out
  • D-Link DFL-260 | Product Manual - Page 114
    an existing item in the ARP table. Allowing this to take place may facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP table entry has timed out
  • D-Link DFL-260 | Product Manual - Page 115
    3.4.5. ARP Advanced Settings Summary Chapter 3. Fundamentals Default: 900 seconds (15 minutes) ARP Expire Unknown Specifies in seconds how long NetDefendOS is to remember addresses that cannot be reached. This is done to ensure that NetDefendOS does not continuously request such addresses. Default
  • D-Link DFL-260 | Product Manual - Page 116
    The principal NetDefendOS rule sets that define NetDefendOS security policies, and which use the same filtering parameters described above (networks/interfaces/service), include: • IP Rules These determine which traffic is permitted to pass through the NetDefend Firewall as well as determining if
  • D-Link DFL-260 | Product Manual - Page 117
    interface to what interface traffic flows. • From what network to what network the traffic flows. • What kind of protocol is affected (the service). • What action the rule will take when a match on the filter triggers. Specifying Any Interface or Network When specifying the filtering criteria in
  • D-Link DFL-260 | Product Manual - Page 118
    3.5.2. IP Rule Evaluation Chapter 3. Fundamentals all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the IP rule set. This is often referred to as a drop all rule. Traffic Flow Needs an IP Rule and a Route As stated above, when NetDefendOS is
  • D-Link DFL-260 | Product Manual - Page 119
    through the NetDefend Firewall. If the action is Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rules from top to bottom, looking for the first matching rule. If an
  • D-Link DFL-260 | Product Manual - Page 120
    3.5.4. Editing IP rule set Entries Chapter 3. Fundamentals • Destination Network • Service When an IP rule is triggered by a match then one of the following Actions can occur: Allow The packet is allowed to pass. As the
  • D-Link DFL-260 | Product Manual - Page 121
    be the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http Return to the top level: gw-world:/main> cc Configuration
  • D-Link DFL-260 | Product Manual - Page 122
    way to document the contents of NetDefendOS configurations. This can be very useful for someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains hundreds of rules it can often prove difficult to quickly identify those rules associated with
  • D-Link DFL-260 | Product Manual - Page 123
    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Note The screen images used in this example show just the first few columns of the object properties. We would like to create an object group for the two IP rules for web surfing. This is done with the following steps: • Select the first
  • D-Link DFL-260 | Product Manual - Page 124
    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Any color can be chosen for the group. The color can be selected from the 16 predefined color boxes or entered as a hexadecimal RGB value. In addition, when the hexadecimal value box is selected, a full spectrum color palette appears which
  • D-Link DFL-260 | Product Manual - Page 125
    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Moving Groups Groups can be moved in the same way as individual objects. By right clicking the group title line, the context menu includes options to move the entire group. For example, the Move to Top option moves the entire group to the
  • D-Link DFL-260 | Product Manual - Page 126
    3.6. Schedules Chapter 3. Fundamentals 3.6. Schedules In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. For instance, the IT policy of an enterprise might stipulate that web traffic from a certain department is
  • D-Link DFL-260 | Product Manual - Page 127
    be the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Schedule=OfficeHours name=AllowHTTP Return to the top level: gw-world:/main
  • D-Link DFL-260 | Product Manual - Page 128
    with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate mean an X.509 certificate. A certificate is a digital proof of identity. It links an identity to a public key in order to establish whether a public key truly belongs
  • D-Link DFL-260 | Product Manual - Page 129
    CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, this is somewhere between
  • D-Link DFL-260 | Product Manual - Page 130
    Upload a remote certificate 4. Click OK and follow the instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate cer and .key files required by NetDefendOS. It is possible, however, to manually create the required files for a Windows CA server using the following stages.
  • D-Link DFL-260 | Product Manual - Page 131
    3.7.3. CA Certificate Requests Chapter 3. Fundamentals • Take out the relevant parts of the .pem file to form the required .cer and .key files. The detailed steps for the above stages are as follows: 1. Create the gateway certificate on the Windows CA server and export it to a .pfx file on the
  • D-Link DFL-260 | Product Manual - Page 132
    other equipment in the network. Time Synchronization Protocols NetDefendOS supports the optional use of Time Synchronization Protocols in order Time Current Date and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for
  • D-Link DFL-260 | Product Manual - Page 133
    variations within the same country. For this reason, NetDefendOS does not automatically know when to adjust for DST. Instead, this information has to be manually provided if daylight saving time is to be used. There are two parameters governing daylight saving time: the DST period and the DST offset
  • D-Link DFL-260 | Product Manual - Page 134
    retrieving time information from external Time Servers. NetDefendOS supports the following time synchronization protocols: • SNTP Time Protocol (UDP/TIME) is an older method of providing time synchronization service over the Internet. The protocol provides a site-independent, machine-readable date
  • D-Link DFL-260 | Product Manual - Page 135
    86400 seconds (equivalent to one day) is used. Example 3.24. Manually Triggering a Time Synchronization Time synchronization can be triggered from the CLI. to synchronize system time... Server time: 2008-02-27 12:21:52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158) Local
  • D-Link DFL-260 | Product Manual - Page 136
    than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter. time synchronization process is executed once in a 24 hour period. D-Link Time Servers Using D-Link's own Time Servers is an option in NetDefendOS and this is the
  • D-Link DFL-260 | Product Manual - Page 137
    3.8.4. Settings Summary for Date and Time Time zone offset in minutes. Default: 0 DST Offset Daylight saving time offset in minutes. Default: 0 DST Start Date What month and day DST starts, in the format MM-DD. Default: none DST End Date What month and day DST ends, in
  • D-Link DFL-260 | Product Manual - Page 138
    3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Group interval Interval according to which server responses will be grouped. Default: 10
  • D-Link DFL-260 | Product Manual - Page 139
    3.9. DNS Chapter 3. Fundamentals 3.9. DNS Overview A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows
  • D-Link DFL-260 | Product Manual - Page 140
    .org. The CLI console command httpposter can be used to troubleshoot problems by seeing what NetDefendOS is sending and what the servers are returning. Note: A high rate of server queries can cause problems Dynamic DNS services are often sensitive to repeated logon attempts over short periods of
  • D-Link DFL-260 | Product Manual - Page 141
    3.9. DNS
  • D-Link DFL-260 | Product Manual - Page 142
    setting up routing is crucial for the system to function as expected. NetDefendOS offers support for the following types of routing mechanisms: • Static routing • Dynamic routing NetDefendOS additionally supports route monitoring to achieve route and link redundancy with fail-over capability.
  • D-Link DFL-260 | Product Manual - Page 143
    where the number of connected networks is limited to a few. However, for larger networks, or whenever the network topology is complex, the work of manually maintaining static routing tables can be time-consuming and also problematic. Dynamic routing should therefore be used in such cases. For more
  • D-Link DFL-260 | Product Manual - Page 144
    4.2.1. The Principles of Routing Chapter 4. Routing This parameter usually doesn't need to be specified. If it is specified, NetDefendOS responds to ARP queries sent to this address. A special section below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive
  • D-Link DFL-260 | Product Manual - Page 145
    second network won't then be able to communicate with the NetDefend Firewall because ARP won't function between the clients and the interface. To solve this problem we would add a new route to NetDefendOS which would have the following parameters:
  • D-Link DFL-260 | Product Manual - Page 146
    4.2.1. The Principles of Routing Chapter 4. Routing • Interface: The interface on which the second network is found. • Network: The IP address range of the second network. • Local IP Address: An address within the second network's IP range. When the Default Gateway of the second network's clients
  • D-Link DFL-260 | Product Manual - Page 147
    as Core. 4.2.2. Static Routing This section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table called main is predefined and is always present in NetDefendOS. However, additional and completely
  • D-Link DFL-260 | Product Manual - Page 148
    4.2.2. Static Routing Chapter 4. Routing Active Routes (columns: Network Destination, Netmask, Gateway, Interface, Metric): 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20; 10.0.0.0 255.0.0.0 10.4.2.143 10.4.2.143 1; 10.4.2.143 255.255.255.255 127.0.0.1 127.0.0.1 50; 10.255.255.255 255.255.255.255 10
  • D-Link DFL-260 | Product Manual - Page 149
    4.2.2. Static Routing Chapter 4. Routing when the routing table contents are displayed. These routing table changes can take place for different reasons. For example, if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating
  • D-Link DFL-260 | Product Manual - Page 150
    metric assigned to the default routes automatically created for the physical interfaces is always 100. These automatically added routes cannot be removed manually by deleting them one at a time from a routing table. Instead, the properties of the interface must be selected and the advanced option
  • D-Link DFL-260 | Product Manual - Page 151
    of the CLI routes command. Please see the CLI Reference Guide. 4.2.3. Route Failover Overview NetDefend Firewalls are often deployed in backup Internet connectivity using a secondary ISP. The connections to the two service providers often use different routes to avoid a single point of failure. To
  • D-Link DFL-260 | Product Manual - Page 152
    the following monitoring methods must be chosen: Interface Link Status NetDefendOS will monitor the link status of the interface specified in the route. route. Setting the Route Metric When specifying routes, the administrator should manually set a route's Metric. The metric is a positive integer
  • D-Link DFL-260 | Product Manual - Page 153
    could happen, it is necessary to take some precautionary steps to ensure that policies and existing connections will be maintained. To illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP traffic destined for the Internet through the
  • D-Link DFL-260 | Product Manual - Page 154
    to check accessibility to external hosts. Just monitoring a link to a local switch may not indicate a problem in another part of the internal network. • Host monitoring can be used to help in setting the acceptable Quality of Service level of
  • D-Link DFL-260 | Product Manual - Page 155
    for monitoring. Multiple hosts can provide a higher certainty that any network problem resides in the local network rather than because one remote host itself Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online. This is the minimum
  • D-Link DFL-260 | Product Manual - Page 156
    4.2.5. Advanced Settings for Route Failover Chapter 4. Routing The Reachability Required option An important option that can be enabled for a host is the Reachability Required option. When this is selected, the host must be determined as accessible in order for that route to be considered to be
  • D-Link DFL-260 | Product Manual - Page 157
    4.2.6. Proxy ARP Chapter 4. Routing Ping poll interval The time in milliseconds between sending a Ping to hosts. Default: 1000 Grace time The length of time in seconds between startup or reconfigure and monitoring start. Default: 30 Consecutive fails The number of consecutive failures that occurs
  • D-Link DFL-260 | Product Manual - Page 158
    4.2.6. Proxy ARP Chapter 4. Routing pretending to be the target host. After receiving the reply, Host A then sends data directly to NetDefendOS which forwards the data to host B. In the process NetDefendOS checks the traffic against the configured rule sets. Setting Up Proxy ARP Setting up proxy
  • D-Link DFL-260 | Product Manual - Page 159
    the NetDefendOS configuration and are treated differently. If Proxy ARP is required on an automatically created route, the route should first be deleted and then manually recreated as a new route. Proxy ARP can then be enabled on the new route.
  • D-Link DFL-260 | Product Manual - Page 160
    A different routing table may need to be chosen based on the source of traffic. When more than one ISP is used to provide Internet services, Policy-based Routing can route traffic originating from different sets of users through different routes. For example, traffic from one address range might be
  • D-Link DFL-260 | Product Manual - Page 161
    anything not explicitly matched. 2. A search is now made for a Policy-based Routing Rule that matches the packet's source/destination interface/network as well as service. If a matching rule is found then this determines the routing table to use. If no Routing Rule is found then the main table will
  • D-Link DFL-260 | Product Manual - Page 162
    4.3.5. The Ordering parameter Chapter 4. Routing Important: Ensure all-nets appears in the main table A common mistake with policy-based routing is the absence of the default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact
  • D-Link DFL-260 | Product Manual - Page 163
    : First rule: Source Interface lan1, Source Range 10.10.10.0/24, Destination Interface wan2, Destination Range all-nets, Selected/Service ALL, Forward VR table r2, Return VR table r2. Second rule: Source Interface wan2, Source Range all-nets, Destination Interface lan1, Destination Range 20.20.20.0/24, Selected/Service ALL, Forward VR table r2, Return VR table r2. To configure this example scenario: Web Interface 1. Add the routes found in the
  • D-Link DFL-260 | Product Manual - Page 164
    4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections.
  • D-Link DFL-260 | Product Manual - Page 165
    is to provide the following: • Balancing of traffic between interfaces in a policy driven fashion. • To balance simultaneous utilization of multiple Internet links so networks are not dependent on a single ISP. • To allow balancing of traffic across multiple VPN tunnels which might be setup over
  • D-Link DFL-260 | Product Manual - Page 166
    4.4. Route Load Balancing Chapter 4. Routing done according to which algorithm is selected in the table's RLB Instance object: • Round Robin Successive routes are chosen from the matching routes in a "round robin" fashion provided that the metric of the routes is the same. This results in route
  • D-Link DFL-260 | Product Manual - Page 167
    4.4. Route Load Balancing Chapter 4. Routing Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer
  • D-Link DFL-260 | Product Manual - Page 168
    4.4. Route Load Balancing Chapter 4. Routing When that new route's interface limits are also exceeded then the route with the next highest metric is taken and so on. As soon as any route with a lower metric falls below its interface limit for its Hold Timer number of seconds, then it reverts to
  • D-Link DFL-260 | Product Manual - Page 169
    lan Src Network lannet lannet Dest Interface Dest Network WAN1 all-nets WAN2 all-nets Service All All The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow. Example 4.6. Setting
  • D-Link DFL-260 | Product Manual - Page 170
    to try and use RLB to balance traffic between two IPsec tunnels, the problem that arises is that the Remote Endpoint for any two IPsec tunnels in ISPs gateway. This solution has the advantage of providing redundancy should one ISP link fail. • Use VPN with one tunnel that is IPsec based and another
  • D-Link DFL-260 | Product Manual - Page 171
    has some disadvantages in that it can be more susceptible to certain problems such as routing loops. One of two types of algorithms is used to implement the dynamic routing mechanism: • A Distance Vector (DV) algorithm. • A Link State (LS) algorithm. How a router decides the optimal or "best" route
  • D-Link DFL-260 | Product Manual - Page 172
    all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and be sent to firewall B. Instead of having to manually insert this routing information into the routing tables of A, OSPF
  • D-Link DFL-260 | Product Manual - Page 173
    Figure 4.9. OSPF Providing Route Redundancy In addition, we now have route redundancy between any two of the firewalls. For example, if the direct link between A and C fails then OSPF allows both firewalls to know immediately that there is an alternate route between them via firewall B. For instance
  • D-Link DFL-260 | Product Manual - Page 174
    length Item Bandwidth Load Delay The sum of the costs associated with each link. A commonly used value for this metric is called "hop count" Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210
  • D-Link DFL-260 | Product Manual - Page 175
    . The backbone ensures routing information is distributed between connected areas. When an area is not directly connected to the backbone it needs a virtual link to it. OSPF networks should be designed by beginning with the backbone. Stub Areas Stub areas are areas through which or into which AS
  • D-Link DFL-260 | Product Manual - Page 176
    set this feature up in NetDefendOS, see Section 4.5.3.5, "OSPF Aggregates". Virtual Links Virtual links are used for the following scenarios: A. Linking an area that does not have a direct connection to the backbone area. B. Linking backbone areas when the backbone is partitioned. The two uses are
  • D-Link DFL-260 | Product Manual - Page 177
    to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area. Figure 4.10. Virtual Links Connecting Areas In the above example, a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In this configuration only the Router
  • D-Link DFL-260 | Product Manual - Page 178
    Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1. To set this feature up in NetDefendOS, see Section 4.5.3.6, "OSPF VLinks". OSPF High Availability Support There are some limitations in High Availability support for OSPF that should be noted: Both the active
  • D-Link DFL-260 | Product Manual - Page 179
    the OSPF network and should describe the same network. An illustration of the relationship between NetDefendOS OSPF objects is shown below. Figure 4.12. NetDefendOS OSPF Objects 4.5.3.1. OSPF Router Process This object defines the autonomous system (AS) which is the top level of the OSPF network
  • D-Link DFL-260 | Product Manual - Page 180
    / bandwidth Enable this if the NetDefend Firewall will be used in an environment that consists of routers that only support RFC 1583. Debug Protocol debug provides a troubleshooting tool by logging OSPF protocol specific information to the log. • Off - Nothing is logged. • Low - Logs all actions
  • D-Link DFL-260 | Product Manual - Page 181
    divided into smaller parts called areas; this section explains how to configure areas. An area collects together OSPF interfaces, neighbors, aggregates and virtual links. An OSPF area is a child of the OSPF router process and there can be many area objects defined under a single router process. In
  • D-Link DFL-260 | Product Manual - Page 182
    no configuration of OSPF Neighbor objects is required for the discovery of neighboring routers. • Point-to-Point - Point-to-Point is used for direct links which involve only two routers (in other words, two firewalls). A typical example of this is a VPN tunnel which is used to transfer OSPF traffic
  • D-Link DFL-260 | Product Manual - Page 183
    -Multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more than one router in a link that does not have OSI Layer 2 broadcast/multicast capabilities. Specifies the metric for this OSPF interface. This represents the "cost" of sending packets
  • D-Link DFL-260 | Product Manual - Page 184
    AS must be physically connected to the backbone area (the area with ID 0). In some cases this is not possible and in that case a Virtual Link (VLink) can be used to connect to the backbone through a non-backbone area. NetDefendOS OSPF VLink objects are created within an OSPF Area and each
  • D-Link DFL-260 | Product Manual - Page 185
    Chapter 4. Routing Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most simple OSPF scenarios, OSPF VLink objects will not
  • D-Link DFL-260 | Product Manual - Page 186
    4.5.4. Dynamic Routing Rules Chapter 4. Routing OSPF Requires at Least an Import Rule By default, NetDefendOS will not import or export any routes. For OSPF to function, it is therefore mandatory to define at least one dynamic routing rule which will be an Import rule. This Import rule specifies
  • D-Link DFL-260 | Product Manual - Page 187
    4.5.4. Dynamic Routing Rules Chapter 4. Routing From OSPF AS From Routing Table Destination Interface Specifies from which OSPF AS (in other words, an OSPF Router Process) the route should be imported into either a routing table or another AS. Specifies from which routing table a route
  • D-Link DFL-260 | Product Manual - Page 188
    4.5.5. Setting Up OSPF Chapter 4. Routing A Routing Action is used to manipulate and export routing changes to one or more local routing tables. Destination Offset Metric Offset Metric Type 2 Limit Metric To Static Route Override Default Route Override Specifies into which routing table the
  • D-Link DFL-260 | Product Manual - Page 189
    4.5.5. Setting Up OSPF Chapter 4. Routing • The advanced option No OSPF routers connected to this interface must be enabled if the physical interface doesn't connect directly to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the
  • D-Link DFL-260 | Product Manual - Page 190
    be used to indicate OSPF status. The options for this command are fully described in the CLI Reference Guide. Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are configured with OSPF Router Process objects may be insecure. For example, over
  • D-Link DFL-260 | Product Manual - Page 191
    into the tunnel and all-nets will allow all traffic into the tunnel. ii. In the routing section of the IPsec properties, the Specify address manually option needs to be enabled and the IP address in this example of 192.168.55.1 needs to be entered. This sets the tunnel endpoint
  • D-Link DFL-260 | Product Manual - Page 192
    4.5.6. An OSPF Example Chapter 4. Routing Example 4.7. Creating an OSPF Router Process On the first firewall involved in the OSPF AS, create an OSPF Router Process. Web Interface 1. Go to Routing > OSPF > Add > OSPF Routing Process 2. Specify a suitable name for the process, for example as_0 3.
  • D-Link DFL-260 | Product Manual - Page 193
    4.5.6. An OSPF Example Chapter 4. Routing Web Interface 1. Go to Routing > Dynamic Routing Rules > Add > Dynamic Routing Policy Rule 2. Specify a suitable name for the rule. For example, ImportOSPFRoutes. 3. Select the option From OSPF Process 4. Move as0 from Available to Selected 5. Choose all-
  • D-Link DFL-260 | Product Manual - Page 194
An appropriate solution should also be able to scale to large numbers of receivers. The Multicast Routing Solution Multicast Routing solves the problem by having the network routers themselves replicate and forward packets via the optimum route to all members of a group. The IETF standards that
  • D-Link DFL-260 | Product Manual - Page 195
    routed to the core interface. By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address translation of the destination address. The Interface
  • D-Link DFL-260 | Product Manual - Page 196
    translation (see below) but cannot be a FwdFast or SAT rule. Example 4.12. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we separately. Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now
  • D-Link DFL-260 | Product Manual - Page 197
    would be: gw-world:/main> add IPRule SourceNetwork= SourceInterface= DestinationInterface=core DestinationNetwork=239.192.100.50 Action=MultiplexSAT Service= MultiplexArgument={if2;},{if3;} The destination interface is core since 239.192.100.50 is a multicast group. No address
  • D-Link DFL-260 | Product Manual - Page 198
    SAT Multiplex rule needs to be configured to match the scenario described above: Web Interface A. Create a custom service for multicast called multicast_service: 1. Go to Objects > Services > Add > TCP/UDP 2. Now enter: • Name: multicast_service • Type: UDP • Destination: 1234 B. Create an IP rule
  • D-Link DFL-260 | Product Manual - Page 199
    IGMP Configuration Chapter 4. Routing • Action: Multiplex SAT • Service: multicast_service 3. Under Address Filter enter: • Source Interface: wan Firewall, an IGMP query would also not have to be specified. NetDefendOS supports two IGMP modes of operation: • Snoop Mode • Proxy Mode The operation
  • D-Link DFL-260 | Product Manual - Page 200
    4.6.3. IGMP Configuration Chapter 4. Routing Figure 4.16. Multicast Snoop Mode Figure 4.17. Multicast Proxy Mode In Snoop Mode, the NetDefend Firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports
  • D-Link DFL-260 | Product Manual - Page 201
4.6.3. IGMP Configuration Chapter 4. Routing Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as UpstreamRouterIP. Two rules are needed.
  • D-Link DFL-260 | Product Manual - Page 202
4.6.3. IGMP Configuration Chapter 4. Routing 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrate the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Section 4.6.2.2, "Multicast Forwarding - Address
  • D-Link DFL-260 | Product Manual - Page 203
4.6.3. IGMP Configuration • Destination Network: auto • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Example 4.16. if2 Configuration - Group Translation The following steps need to be executed to create the report and query rule pair for if2
  • D-Link DFL-260 | Product Manual - Page 204
    4.6.4. Advanced IGMP Settings Chapter 4. Routing • Multicast Source: 192.168.10.1 • Multicast Group: 239.192.10.0/24 4. Click OK Advanced IGMP Settings There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for
  • D-Link DFL-260 | Product Manual - Page 205
    4.6.4. Advanced IGMP Settings Chapter 4. Routing group-and-source specific query. Global setting on interfaces without an overriding IGMP Setting. Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests The
  • D-Link DFL-260 | Product Manual - Page 206
4.6.4. Advanced IGMP Settings Chapter 4. Routing The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000
  • D-Link DFL-260 | Product Manual - Page 207
    the computing resources of different departments from one another. The finance department might require access to only a restricted set of services (HTTP for example) on the sales department's servers whilst the sales department might require access to a similarly restricted set of applications
  • D-Link DFL-260 | Product Manual - Page 208
    to another in a "plug-n-play" fashion, without changing their IP address (assuming their IP address is fixed). The user can still obtain the same services as before (for example HTTP, FTP) without any need to change routes. • The same network address range can exist on several interfaces. Note
  • D-Link DFL-260 | Product Manual - Page 209
    but more restrictive IP rules are recommended. Action Allow Src Interface any Src Network all-nets Dest Interface any Dest Network all-nets Service all Restricting the Network Parameter As NetDefendOS listens to ARP traffic, it continuously adds single host routes to the routing table as it
  • D-Link DFL-260 | Product Manual - Page 210
a VLAN vlan5 which is defined on two physical interfaces called if1 and if2. Both physical interfaces have switch routes defined so they operate in transparent
  • D-Link DFL-260 | Product Manual - Page 211
    be able to roam between NetDefendOS interfaces, retaining the same IP address. Secondly, and more importantly, their network routes will need to be manually configured for proxy ARP. Transparent Mode with DHCP In most Transparent Mode scenarios, the IP address of users is predefined and fixed and
  • D-Link DFL-260 | Product Manual - Page 212
4.7.2. Enabling Internet Access Chapter 4. Routing Figure 4.18. Non-transparent Mode Internet Access The non-switch route usually needed to allow Internet access would be: Route type Non-switch Interface if1 Destination all-nets Gateway gw-ip Now let's suppose the NetDefend Firewall is to
  • D-Link DFL-260 | Product Manual - Page 213
    -switch Non-switch Interface if1 if2 if1 if1 Destination all-nets all-nets 85.12.184.39 194.142.215.15 Gateway gw-ip gw-ip The appropriate IP and then use that object in a single defined route. In the above example, 85.12.184.39 and 194.142.215.15 could be grouped into a single object in this
  • D-Link DFL-260 | Product Manual - Page 214
: 10.0.0.2 • Network: 10.0.0.0/24 • Transparent Mode: Enable 6. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTPAllow • Action: Allow • Service: http
  • D-Link DFL-260 | Product Manual - Page 215
    4.7.3. Transparent Mode Scenarios Chapter 4. Routing • Source Interface: lan • Destination Interface: any • Source Network: 10.0.0.0/24 • Destination Network: all-nets (0.0.0.0/0) 3. Click OK Scenario 2 Here the NetDefend Firewall in Transparent Mode separates server resources from an internal
  • D-Link DFL-260 | Product Manual - Page 216
24 • Metric: 0 3. Click OK Configure the rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: HTTP-LAN-to-DMZ • Action: Allow • Service: http • Source Interface: lan • Destination Interface: dmz • Source Network: 10.0.0.0/24 • Destination Network: 10.1.4.10
  • D-Link DFL-260 | Product Manual - Page 217
    4.7.4. Spanning Tree BPDU Support Chapter 4. Routing 3. Click OK 4. Go to Rules > IP Rules > Add > IPRule 5. Now enter: • Name: HTTP-WAN-to-DMZ • Action: SAT • Service: http • Source Interface: wan • Destination Interface: dmz • Source Network: all-nets • Destination Network: wan_ip • Translate:
  • D-Link DFL-260 | Product Manual - Page 218
) • Cisco proprietary PVST+ Protocol (Per VLAN Spanning Tree Plus) NetDefendOS checks the contents of BPDU messages to make sure the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is disabled by default and can be controlled through the
  • D-Link DFL-260 | Product Manual - Page 219
    the TTL should be decremented each time a packet traverses the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is the preferred value to use. Default: Dynamic CAM Size If the Dynamic CAM Size
  • D-Link DFL-260 | Product Manual - Page 220
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in Ethernet header set to null (0000:0000:0000). Options: • Drop - Drop packets • DropLog - Drop and log packets Default: DropLog
  • D-Link DFL-260 | Product Manual - Page 221
4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing • Drop - Drop the packets • DropLog - Drop the packets and log the event Default: Drop Relay MPLS When set to Ignore, all incoming MPLS packets are relayed in transparent mode. Options: • Ignore - Let the packets pass but do not log • Log -
  • D-Link DFL-260 | Product Manual - Page 222
  • D-Link DFL-260 | Product Manual - Page 223
    This chapter describes DHCP services in NetDefendOS. • Overview, page 223 • DHCP Servers, page 224 • DHCP Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol (DHCP) is a protocol
  • D-Link DFL-260 | Product Manual - Page 224
    DHCP servers form a list as they are defined, the last defined being at the top of the list. When NetDefendOS searches for a DHCP server to service a request, it goes through the list from top to bottom and chooses the first server with a matching combination of interface and relayer IP filter value
  • D-Link DFL-260 | Product Manual - Page 225
the lease. Primary/Secondary DNS The IP of the primary and secondary DNS servers. Primary/Secondary NBNS/WINS IP of the Windows Internet Name Service (WINS) servers that are used in Microsoft environments which use the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. Next
  • D-Link DFL-260 | Product Manual - Page 226
    5.2. DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server called DHCPServer1 which assigns and manages IP 00-00-00-00-02-14 10.4.13.254 00-00-00-00-02-54 10.4.13.1 00-12-79-3b-dd-45 10.4.13.2 00-12-79-c4-06-e7 10.4.13.3 *00-a0-f8-23-45-a3 10.4.13.4 *00-0e-
  • D-Link DFL-260 | Product Manual - Page 227
    5.2.1. Static DHCP Hosts Chapter 5. DHCP Services The asterisk "*" before a MAC address means that the DHCP server does not track the client using the MAC address but instead tracks the client through a
  • D-Link DFL-260 | Product Manual - Page 228
    Services can be specified as this parameter. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value. Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to the MAC address 00-90-12 MACAddress=00-90-12-13-14-
  • D-Link DFL-260 | Product Manual - Page 229
    5.2.2. Custom Options Chapter 5. DHCP Services Custom Option Parameters The following parameters can be set for a custom option: Code This is the code that describes the type of information being sent
  • D-Link DFL-260 | Product Manual - Page 230
    5.3. DHCP Relaying Chapter 5. DHCP Services 5.3. DHCP Relaying The DHCP Problem With DHCP, clients send requests relayer takes the place of the DHCP server in the local network and acts as the link between the client and a remote DHCP server. It intercepts requests coming from clients and relays
  • D-Link DFL-260 | Product Manual - Page 231
    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services • Name: ipgrp-dhcp • Interfaces: select vlan1 and vlan2 from the Available list and put them into the Selected list. 3. Click OK Adding a DHCP relayer called
  • D-Link DFL-260 | Product Manual - Page 232
5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default:
  • D-Link DFL-260 | Product Manual - Page 233
    5.4. IP Pools Chapter 5. DHCP Services 5.4. IP Pools Overview An IP pool is used to offer other subsystems access to a cache of DHCP IP addresses. These addresses are gathered into a pool
  • D-Link DFL-260 | Product Manual - Page 234
    5.4. IP Pools Chapter 5. DHCP Services Receive Interface MAC Range Prefetch leases Maximum free Maximum clients Sender IP A "simulated" virtual DHCP server receiving interface. This setting is used to simulate a receiving
  • D-Link DFL-260 | Product Manual - Page 235
    5.4. IP Pools Chapter 5. DHCP Services Other options in the ippool command allow the administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of
  • D-Link DFL-260 | Product Manual - Page 236
  • D-Link DFL-260 | Product Manual - Page 237
    page 309 • Intrusion Detection and Prevention, page 315 • Denial-of-Service Attack Prevention, page 326 • Blacklisting Hosts and Networks, page 331 6.1. troubleshooting dropped connections, the administrator should look out for Default Access Rule messages in the logs. The solution to the problem is
  • D-Link DFL-260 | Product Manual - Page 238
    . Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its
  • D-Link DFL-260 | Product Manual - Page 239
    can appear, such as setting up VPN tunnels, precisely because of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly. Example 6.1. Setting up an Access
  • D-Link DFL-260 | Product Manual - Page 240
• SIP • H.323 • TLS Deploying an ALG Once a new ALG object is defined by the administrator, it is brought into use by first associating it with a Service object and then associating that service with an IP rule in the NetDefendOS IP rule set. Figure 6.1. Deploying an ALG
  • D-Link DFL-260 | Product Manual - Page 241
of ALG. For instance, the default value for the HTTP ALG is 1000. This means that 1000 connections are allowed in total for the HTTP service across all interfaces. The full list of default maximum session values is: • HTTP ALG - 1000 sessions. • FTP ALG - 200 sessions. • TFTP ALG - 200 sessions
  • D-Link DFL-260 | Product Manual - Page 242
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Anti-Virus scanning, if it is enabled, is always applied to the HTTP traffic even if it is whitelisted. These features are described in depth in Section 6.3.3, "Static Content Filtering". • Dynamic Content Filtering - Access to specific URLs can
  • D-Link DFL-260 | Product Manual - Page 243
    6.2.2. The HTTP ALG Chapter 6. Security Mechanisms Note: Similarities with other NetDefendOS features The Verify MIME type and Allow/Block Selected Types options work in the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for
  • D-Link DFL-260 | Product Manual - Page 244
the ALG will be applied to traffic targeted by that IP rule. The https service (which is also included in the http-all service) cannot be used with an HTTP ALG since HTTPS traffic is encrypted. 6.2.3. The Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
  • D-Link DFL-260 | Product Manual - Page 245
    6.2.3. The FTP ALG Chapter 6. Security Mechanisms Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server. When active
  • D-Link DFL-260 | Product Manual - Page 246
6.2.3. The FTP ALG Chapter 6. Security Mechanisms Figure 6.3. FTP ALG Hybrid Mode Note: Hybrid conversion is automatic Hybrid mode does not need to be enabled. The conversion between modes occurs automatically within the FTP ALG. Connection Restriction Options The FTP ALG has two options to restrict
  • D-Link DFL-260 | Product Manual - Page 247
    Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command channel in the control channel. Allowing 8-bit characters enables support for filenames containing international characters. For example, accented
  • D-Link DFL-260 | Product Manual - Page 248
    the client belongs to the local network and will therefore upload blocking instructions to the local switches. The host will be blocked from accessing virus is detected. For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown
  • D-Link DFL-260 | Product Manual - Page 249
client to use active mode 4. Uncheck Allow server to use passive mode 5. Click OK B. Define the Service: 1. Go to Objects > Services > Add > TCP/UDP Service 2. Enter the following: • Name: ftp-inbound-service • Type: select TCP from the list • Destination: 21 (the port the FTP server resides on)
  • D-Link DFL-260 | Product Manual - Page 250
    single public IP address: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: NAT-ftp • Action: NAT • Service: ftp-inbound-service 3. For Address Filter enter: • Source Interface: dmz • Destination Interface: core • Source Network: dmznet • Destination Network: wan_ip 4. For NAT check Use
  • D-Link DFL-260 | Product Manual - Page 251
    the client. • Enable the Allow server to use passive mode FTP ALG option. This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows: Web Interface A. Create the FTP ALG (The ALG ftp-outbound is
  • D-Link DFL-260 | Product Manual - Page 252
    public IPs, make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules. The service used here is the ftp-outbound-service which should be using the predefined ALG definition ftp-outbound which is described earlier. 1. Go to Rules > IP Rules > Add > IPRule
  • D-Link DFL-260 | Product Manual - Page 253
    must return an IP address and port to the client on which it can set up the data transfer connection. This IP address is normally manually specified by the administrator in the FTP server software and the natural choice is to specify the external IP address of the interface on the
  • D-Link DFL-260 | Product Manual - Page 254
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms TFTP Request Options As long as the Remove Request Option described above is set to false (options are not removed) then the following request option settings can be applied: Maximum Blocksize The maximum blocksize allowed can be specified. The
  • D-Link DFL-260 | Product Manual - Page 255
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Email address blacklisting Email address whitelisting Verify MIME type Block/Allow filetype Anti-Virus scanning The administrator should therefore add a reasonable margin above the anticipated email size when setting this limit. A blacklist of
  • D-Link DFL-260 | Product Manual - Page 256
    a session with an SMTP server using ESMTP, the client first sends an EHLO command. If the server supports ESMTP it will respond with a list of the extensions that it supports. These extensions are defined by various separate RFCs. For example, RFC 2920 defines the SMTP Pipelining extension. Another
  • D-Link DFL-260 | Product Manual - Page 257
    excluded from this range. Tip: Exclusion can be manually configured It is possible to manually configure certain hosts and servers to be excluded is detected. For more information about this topic refer to Chapter 12, ZoneDefense. 6.2.5.1. Anti-Spam Filtering Unsolicited email, often referred to
  • D-Link DFL-260 | Product Manual - Page 258
public Internet. These lists are known as DNS Black List (DNSBL) databases and the information is accessible using a standardized query method supported by NetDefendOS. The image below illustrates all the components involved: DNSBL Server Queries When the NetDefendOS Anti-Spam filtering function is
  • D-Link DFL-260 | Product Manual - Page 259
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms servers are queried to assess the likelihood that the email is Spam, based on its origin address. The NetDefendOS administrator assigns a weight greater than zero to each configured server so that a weighted sum can then be calculated based on all
  • D-Link DFL-260 | Product Manual - Page 260
6.2.5. The SMTP ALG Chapter 6. Security Mechanisms And this is what the email's recipient will see in the summary of their inbox contents. The individual user could then decide to set up their own filters in the local client to deal with such tagged emails, possibly sending them to a separate folder
  • D-Link DFL-260 | Product Manual - Page 261
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms Logging There are three types of logging done by the Spam filtering module: • Logging of dropped or Spam tagged emails - These log messages include the source email address and IP as well as its weighted points score and which DNSBLs caused the
  • D-Link DFL-260 | Product Manual - Page 262
    6.2.5. The SMTP ALG Chapter 6. Security Mechanisms For the DNSBL subsystem overall: • Number of emails checked. • Number of emails Spam tagged. • Number of dropped emails. For each DNSBL server accessed: • Number of positive (is Spam) responses from each configured DNSBL server. • Number of
  • D-Link DFL-260 | Product Manual - Page 263
    connections between client and server that send the username/password combination as clear text which can be easily read (some servers may not support other methods than this). Hide User This option prevents the POP3 server from revealing that a username does not exist. This prevents users from
  • D-Link DFL-260 | Product Manual - Page 264
    the same endpoint. Figure 6.6. PPTP ALG Usage The PPTP ALG solves this problem. By using the ALG, the traffic from all the clients can be multiplexed ALG types. The ALG object must be associated with the relevant service and the service is then associated with an IP rule. The full sequence of steps
  • D-Link DFL-260 | Product Manual - Page 265
    the rule that NATs the traffic out to the Internet with a destination network of all-nets. The single IP rule below shows how the custom service object called pptp_service is associated with a typical NAT rule. The clients, which are the local end point of the PPTP tunnels, are located behind the
  • D-Link DFL-260 | Product Manual - Page 266
    SIP ALG Any traffic connections that trigger an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic NetDefend Firewall but can have other locations. All of these scenarios are supported by NetDefendOS. Registrars A server that handles SIP REGISTER requests is
  • D-Link DFL-260 | Product Manual - Page 267
    the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local proxy is set up with the Record-Route option enabled. In this mode, all SIP messages will only come
  • D-Link DFL-260 | Product Manual - Page 268
    are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic. SIP Usage Scenarios NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover nearly all possible types of usage: • Scenario 1 Protecting local clients - Proxy located
  • D-Link DFL-260 | Product Manual - Page 269
    steps for this scenario are as follows: 1. Define a SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port). • Type set to TCP/UDP. 3. Define
  • D-Link DFL-260 | Product Manual - Page 270
    object for IP rules In this section, tables which list IP rules like those above, will omit the Service object associated with the rule. The same, custom Service object is used for all SIP scenarios. Scenario 2 Protecting proxy and local clients - Proxy on the same network as clients In this
  • D-Link DFL-260 | Product Manual - Page 271
    . The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define
  • D-Link DFL-260 | Product Manual - Page 272
    6.2.8. The SIP ALG Chapter 6. Security Mechanisms If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy" as indicated. When an incoming call is received, the SIP ALG will follow the SAT rule and
  • D-Link DFL-260 | Product Manual - Page 273
    proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. • The IP address of the using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The service should have: • Destination Port set to
  • D-Link DFL-260 | Product Manual - Page 274
    Dest Network all-nets ipdmz Solution B - Without NAT The setup steps are as follows: 1. Define a single SIP ALG object using the options described above. 2. Define a Service object which is associated with the SIP ALG object. The
  • D-Link DFL-260 | Product Manual - Page 275
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms • Destination Port set to 5060 (the default SIP signalling port) • Type set to TCP/UDP 3. Define four rules in the IP rule set: • An Allow rule for outbound traffic from the clients on the internal network to the proxy located on the DMZ
  • D-Link DFL-260 | Product Manual - Page 276
on busy, etc. It is needed when there is more than one H.323 terminal behind a NATing device with only one public IP. MCUs provide support for conferences of three or more H.323 terminals. All H.323 terminals participating in the conference call have to establish a connection with the MCU. The
  • D-Link DFL-260 | Product Manual - Page 277
    through. • NAT and SAT rules are supported, allowing clients and gatekeepers to use the gatekeeper and less probability of a problem if the network becomes unavailable and of both the ALG and the rules are presented. The three service definitions used in these scenarios are: • Gatekeeper (UDP ALL >
  • D-Link DFL-260 | Product Manual - Page 278
    calls 3. Click OK Incoming Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowIn • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: lan • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: lannet • Comment: Allow incoming calls
  • D-Link DFL-260 | Product Manual - Page 279
    Allow outgoing calls 3. Click OK Incoming Rules: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: SAT • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall
  • D-Link DFL-260 | Product Manual - Page 280
    rules. Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323AllowOut • Action: Allow • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls
  • D-Link DFL-260 | Product Manual - Page 281
    each firewall. Web Interface Outgoing Rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323Out • Action: NAT • Service: H323 • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing calls
  • D-Link DFL-260 | Product Manual - Page 282
    (IP address of phone) 4. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323 • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the firewall) • Comment
  • D-Link DFL-260 | Product Manual - Page 283
    (IP address of gatekeeper). 4. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: any • Destination Interface: core • Source Network: 0.0.0.0/0 (all-nets) • Destination Network: wan_ip (external IP of the
  • D-Link DFL-260 | Product Manual - Page 284
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms 2. Now enter: • Name: H323In • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper (IP address of the gatekeeper) • Comment: Allow incoming
  • D-Link DFL-260 | Product Manual - Page 285
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms 2. Now enter: • Name: H323Out • Action: NAT • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: any • Source Network: lannet • Destination Network: 0.0.0.0/0 (all-nets) • Comment: Allow outgoing communication with a
  • D-Link DFL-260 | Product Manual - Page 286
    be configured as follows: Web Interface 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: LanToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: lan • Destination Interface: dmz • Source Network: lannet • Destination Network: ip-gatekeeper • Comment: Allow H.323 entities
  • D-Link DFL-260 | Product Manual - Page 287
    323 Gateway on the DMZ 3. Click OK 1. Go to Rules > IP Rules > Add > IPRule 2. Now enter: • Name: GWToLan • Action: Allow • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: lan • Source Network: ip-gateway • Destination Network: lannet • Comment: Allow communication from the
  • D-Link DFL-260 | Product Manual - Page 288
    Gatekeeper connected to the Head Office DMZ 3. Click OK Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper The branch > Add > IPRule 2. Now enter: • Name: GWToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network
  • D-Link DFL-260 | Product Manual - Page 289
    access by clients to servers and avoids many of the complexities of other types of VPN solutions such as using IPsec. Most web browsers support TLS and users can therefore easily have secure server access without requiring additional software. The Relationship with SSL TLS is a successor to the
  • D-Link DFL-260 | Product Manual - Page 290
the transfer of unencrypted data to/from servers. The advantages of this approach are: • TLS support can be centralized in the NetDefend Firewall instead of being set up on individual servers. • both be set to the same certificate. 3. Create a new custom Service object based on the TCP protocol.
  • D-Link DFL-260 | Product Manual - Page 291
    do load balancing (the destination port can also be changed through a custom service object). URLs Delivered by Servers It should be noted that using NetDefendOS for TLS Limitations As discussed above, NetDefendOS TLS provides support for server side termination only. The other limitations that
  • D-Link DFL-260 | Product Manual - Page 292
    Content Filtering provides a means for manually classifying web sites as "good" service. Dynamic content filtering requires a minimum of administration effort and has very high accuracy. Note: Enabling WCF embedded into web pages. NetDefendOS includes support for removing the following types of
  • D-Link DFL-260 | Product Manual - Page 293
    Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In over Dynamic Content Filtering. Wildcarding Both the URL blacklist and URL whitelist support wildcard matching of URLs in order to be more flexible. This
  • D-Link DFL-260 | Product Manual - Page 294
    handling will not be enabled in this example. In this small scenario a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should be allowed to download. Command-Line Interface Start by adding an HTTP ALG in
  • D-Link DFL-260 | Product Manual - Page 295
    Overview As part of the HTTP ALG, NetDefendOS supports Dynamic Web Content Filtering (WCF) of web traffic, which enables an administrator to Dynamic WCF is only available on certain NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF
  • D-Link DFL-260 | Product Manual - Page 296
    content at the URL will automatically be downloaded to D-Link's central data warehouse and automatically analyzed using a combination of blocked by the filtering policy. WCF and Whitelisting If a particular URL is whitelisted then it will bypass the WCF subsystem. No classification will be done
  • D-Link DFL-260 | Product Manual - Page 297
    Content Filtering enabled. This object is then associated with a service object and the service object is then associated with a rule in the IP rule lookup. Fail mode can have one of two settings: • Deny - If WCF is unable to function then URLs are denied if external database access to verify
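The decision order the preceding pages describe (whitelist bypasses classification, blacklist denies, otherwise the category lookup decides, and a fail mode covers the case where the external database cannot be reached) as a worked example. This is added illustration, not code from the manual or from NetDefendOS; it assumes '*' matches any run of characters and '?' a single character, that patterns are matched against host plus path, and it uses a constructed in-memory table in place of D-Link's central database. The hostnames come from the manual's own category examples.

```python
"""Web content filtering decision logic: wildcard whitelist/blacklist,
category lookup, fail mode and audit mode.

Added example, not code from the NetDefendOS manual. Assumptions: '*' is
any run of characters, '?' one character; patterns match host+path; the
classifier is a constructed table standing in for the external database.
"""
import re
from urllib.parse import urlsplit


class ClassifierUnavailable(Exception):
    """Raised when the classification database cannot be reached."""


def wildcard_to_regex(pattern: str):
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def split_url(url: str):
    u = urlsplit(url if "://" in url else "http://" + url)
    return (u.hostname or "").lower(), (u.path or "/")


class WebContentFilter:
    def __init__(self, blocked_categories, whitelist=(), blacklist=(),
                 fail_mode="deny", audit=False, classifier=None):
        if fail_mode not in ("deny", "allow"):
            raise ValueError("fail_mode must be 'deny' or 'allow'")
        self.blocked = set(blocked_categories)
        self.whitelist = [wildcard_to_regex(p) for p in whitelist]
        self.blacklist = [wildcard_to_regex(p) for p in blacklist]
        self.fail_mode = fail_mode
        self.audit = audit            # report what would be blocked, but allow
        self.classifier = classifier

    def decide(self, url: str):
        """Return (action, reason). A whitelist hit skips classification."""
        host, path = split_url(url)
        target = host + path
        if any(rx.match(target) for rx in self.whitelist):
            return "allow", "whitelisted"
        if any(rx.match(target) for rx in self.blacklist):
            return "deny", "blacklisted"
        try:
            categories = set(self.classifier(host))
        except ClassifierUnavailable:
            return self.fail_mode, "classifier unavailable, fail mode applied"
        hit = self.blocked & categories
        if not hit:
            return "allow", "category permitted"
        if self.audit:
            return "allow", "audit: would block " + ",".join(sorted(hit))
        return "deny", "blocked category " + ",".join(sorted(hit))


# Constructed classification table (hostnames are the manual's own examples)
CONSTRUCTED_DB = {
    "www.allthejobs.com": {"Job Search"},
    "www.sportstoday.com": {"Sports"},
    "www.gnu.org": {"Computing/IT"},
}


def table_classifier(host: str):
    if host.endswith(".unreachable.test"):       # simulates a database outage
        raise ClassifierUnavailable(host)
    return CONSTRUCTED_DB.get(host, {"Unclassified"})


def demo(fail_mode="deny", audit=False):
    wcf = WebContentFilter(
        blocked_categories={"Job Search", "Gambling"},
        whitelist=["*.dlink.com/*"],
        blacklist=["*.casino?.example/*"],
        fail_mode=fail_mode, audit=audit, classifier=table_classifier)
    urls = ["http://ftp.dlink.com/files/setup.exe",
            "http://www.casino7.example/play",
            "http://www.allthejobs.com/search",
            "http://www.gnu.org/",
            "http://db.unreachable.test/x"]
    return {u: wcf.decide(u)[0] for u in urls}
```

Note that the whitelist is tested before anything else, so a whitelisted .exe download is allowed even when a general policy would block it, and that with fail mode set to Deny an outage of the classification service blocks every uncategorised URL, which is the trade-off the manual asks you to weigh before enabling WCF.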
  • D-Link DFL-260 | Product Manual - Page 298
    rule handling your HTTP traffic 3. Select the Service tab 4. Select your new service, http_content_filtering, in the predefined Service list 5. Click OK Dynamic content filtering is understand the potential impact of turning on the WCF feature. Introducing Blocking Gradually Blocking websites can be
  • D-Link DFL-260 | Product Manual - Page 299
    The steps to then create a service object using the new HTTP ALG and modifying the NAT rule to use the new service, are described in the previous will not be able to do his job. For this reason, NetDefendOS supports a feature called Allow Override. With this feature enabled, the content filtering
  • D-Link DFL-260 | Product Manual - Page 300
    well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web site being the Allow Reclassification control 7. Click OK Then, continue setting up the service object and modifying the NAT rule as we have done in the
  • D-Link DFL-260 | Product Manual - Page 301
    or submit online employment applications. This also includes resume writing and posting and interviews, as well as staff recruitment and training services. Examples might be: • www.allthejobs.com • www.yourcareer.com Category 4: Gambling A web site may be classified under the Gambling category if
  • D-Link DFL-260 | Product Manual - Page 302
    .au Category 6: Shopping A web site may be classified under the Shopping category if its content includes any form of advertisement of goods or services to be exchanged for money, and may also include the facilities to perform that transaction online. Included in this category are market promotions
  • D-Link DFL-260 | Product Manual - Page 303
    12: E-Banking A web site may be classified under the E-Banking category if its content includes electronic banking information or services. / Cults category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be: • www
  • D-Link DFL-260 | Product Manual - Page 304
    • www.political.com Category 16: Sports A web site may be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: • www.sportstoday.com • www
  • D-Link DFL-260 | Product Manual - Page 305
    site may be classified under the Health Sites category if its content includes health related information or services, including sexuality and sexual health, as well as support groups, hospital and surgical information and medical journals. Examples might be: • www.thehealthzone.com • www.safedrugs
  • D-Link DFL-260 | Product Manual - Page 306
under the Health category. Examples might be: • www.the-cocktail-guide.com • www.stiffdrinks.com Category 29: Computing/IT A web site may be classified under the Computing/IT category if its content includes computing related information or services. Examples might be: • www.purplehat.com • www.gnu.org Category
  • D-Link DFL-260 | Product Manual - Page 307
9. Click OK to exit editing 10. Go to User Authentication > User Authentication Rules 11. Select the relevant HTTP ALG and click the Agent Options tab 12. Set the HTTP Banners option to be new_forbidden 13. Click OK 14. Go to Configuration > Save & Activate to activate the new file 15. Press Save
  • D-Link DFL-260 | Product Manual - Page 308
6.3.4. Dynamic Web Content Filtering Tip: Saving changes In the above example, more than one HTML file can be edited in a session but the Save button should be pressed to save any edits before beginning editing on another file. Uploading with SCP It is possible to
  • D-Link DFL-260 | Product Manual - Page 309
    ALG • The SMTP ALG Note: Anti-Virus is not available on all NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall, NetDefendOS will scan the data
  • D-Link DFL-260 | Product Manual - Page 310
    object must first exist with the Anti-Virus option enabled. As always, an ALG must then be associated with an appropriate service object for the protocol to be scanned. The service object is then associated with a rule in the IP rule set which defines the origin and destination of the traffic to
  • D-Link DFL-260 | Product Manual - Page 311
of the SafeStream database should therefore be updated regularly; this updating service is enabled as part of the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an additional component to the
  • D-Link DFL-260 | Product Manual - Page 312
6.4.6. Anti-Virus Options the excluded list is checked. 3. Compression Ratio Limit When scanning compressed files, NetDefendOS must apply decompression to examine the file's contents. Some types of data can result in very high compression ratios where the compressed
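Streaming scanning (6.4.2) and the compression ratio limit (this page) as one worked example. It is added illustration, not the manual's or NetDefendOS's own scanner: the data is inflated a bounded chunk at a time, each chunk is matched against signatures (keeping a tail so a pattern straddling two chunks is still found), and inflation is abandoned as soon as the inflated/compressed ratio exceeds the limit, so a small archive that expands to a huge size is stopped after one chunk instead of exhausting memory. The signature, the sample payloads and the 1 MB "bomb" are constructed.

```python
"""Streaming scan of a deflate-compressed transfer with a compression
ratio limit. Added example, not code from the NetDefendOS manual.
The signature and all sample data are constructed."""
import random
import zlib

SIGNATURES = [b"SAMPLE-MALWARE-MARKER"]    # constructed, not a real AV signature


class StreamScanner:
    """Pattern matcher that keeps the last len(sig)-1 bytes so a pattern
    split across two chunks is still found."""

    def __init__(self, signatures):
        self.sigs = list(signatures)
        self.keep = max(len(s) for s in self.sigs) - 1
        self.tail = b""
        self.hit = None

    def feed(self, chunk: bytes):
        buf = self.tail + chunk
        for sig in self.sigs:
            if sig in buf:
                self.hit = sig
        self.tail = buf[-self.keep:] if self.keep else b""
        return self.hit


def scan_deflate_stream(compressed: bytes, max_ratio: float, step: int = 4096,
                        signatures=SIGNATURES):
    """Inflate at most `step` bytes per round and scan each chunk.
    Returns (verdict, bytes_inflated); verdict is 'clean', 'infected'
    or 'ratio-exceeded'."""
    inflater = zlib.decompressobj()
    scanner = StreamScanner(signatures)
    data, produced = compressed, 0
    while True:
        chunk = inflater.decompress(data, step)
        produced += len(chunk)
        consumed = len(compressed) - len(inflater.unconsumed_tail)
        # The ratio is checked per chunk, so a bomb is refused after `step`
        # bytes rather than after the whole file has been inflated.
        if produced > max_ratio * max(consumed, 1):
            return "ratio-exceeded", produced
        if scanner.feed(chunk):
            return "infected", produced
        data = inflater.unconsumed_tail
        if inflater.eof or (not data and not chunk):
            break
    return "clean", produced


def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    # Deterministic, effectively incompressible filler (constructed test data)
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: an ordinary file, the same file with the marker placed
# across the 4096-byte chunk boundary, and 1 MB of zeros (inflates ~1000:1).
CLEAN_FILE = _pseudo_random_bytes(6000, 1)
INFECTED_FILE = CLEAN_FILE[:4090] + SIGNATURES[0] + CLEAN_FILE[4090:]
ZIP_BOMB = zlib.compress(b"\x00" * 1_000_000, 9)


def demo(max_ratio: float = 100.0):
    return {
        "clean": scan_deflate_stream(zlib.compress(CLEAN_FILE), max_ratio),
        "infected": scan_deflate_stream(zlib.compress(INFECTED_FILE), max_ratio),
        "bomb": scan_deflate_stream(ZIP_BOMB, max_ratio),
    }
```

The ratio is measured on what has actually been consumed and produced so far, so a legitimately compressible text file with a ratio of a few to one passes every check, while the zero-filled archive trips the limit on its first 4096 bytes of output.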
  • D-Link DFL-260 | Product Manual - Page 313
    Firewall will upload blocking instructions to the local switches and instruct them to block all For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.19. Activating Anti-Virus Scanning anti_virus Antivirus=Protect Next, create a Service object using the new HTTP ALG:
  • D-Link DFL-260 | Product Manual - Page 314
    1. Go to Rules > IP Rules 2. Select the NAT rule handling the traffic between lannet and all-nets 3. Click the Service tab 4. Select your new service, http_anti_virus, in the predefined Service dropdown list 5. Click OK Anti-Virus scanning is now activated for all web traffic from lannet to all-nets
  • D-Link DFL-260 | Product Manual - Page 315
for the triggering IDP Rule is taken. IDP Rules, Pattern Matching and IDP Rule Actions are described in the sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP D-Link offers two types of IDP:
  • D-Link DFL-260 | Product Manual - Page 316
    Link Models Chapter 6. Security Mechanisms • Maintenance IDP Maintenance IDP is the base IDP system included as standard with the NetDefend DFL 210 12 months and provides automatic IDP signature database updates. This IDP option is available for all D-Link the D-Link Advanced IDP Service Advanced
  • D-Link DFL-260 | Product Manual - Page 317
    System (IDP) and Intrusion Detection System (IDS) are used interchangeably in D-Link literature. They all refer to the same feature, which is IDP. 6.5.3. IDP Rules Rule Components An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP
  • D-Link DFL-260 | Product Manual - Page 318
6.5.4. Insertion/Evasion Attack Prevention HTTP Normalization Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in incoming HTTP
  • D-Link DFL-260 | Product Manual - Page 319
6.5.5. IDP Pattern Matching aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in
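The evasion described here, and the insertion case where two overlapping segments disagree, as a worked example. This is added illustration and not NetDefendOS's IDP engine: a per-packet matcher misses a pattern split across two out-of-order segments, a reassembler that orders by sequence number finds it, and overlapping segments carrying different data are reported as inconsistent rather than silently resolved, because the receiving host and the IDP could otherwise pick different copies. The signature and the segments are constructed.

```python
"""TCP stream reassembly for signature matching, covering fragmentation,
reordering and insertion. Added example, not code from the NetDefendOS
manual; the signature and the traffic below are constructed."""

SIGNATURE = b"/cgi-bin/evil.sh"          # constructed pattern


def naive_match(segments, signature=SIGNATURE) -> bool:
    """Per-packet matching: misses a pattern split across two segments."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, policy="first"):
    """Order (seq, payload) segments and merge overlaps.

    Returns (stream, conflicts, complete):
      conflicts - overlapping bytes where two segments disagree
      complete  - False if there is a hole in the sequence space
    'first' keeps the first copy seen of an overlapping byte, 'last' the
    newest; which one the real host keeps depends on its TCP stack.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    bytes_at, conflicts = {}, 0
    for seq, payload in segments:                # arrival order
        for offset, value in enumerate(payload):
            pos = seq + offset
            if pos in bytes_at:
                if bytes_at[pos] != value:
                    conflicts += 1
                    if policy == "last":
                        bytes_at[pos] = value
            else:
                bytes_at[pos] = value
    if not bytes_at:
        return b"", 0, True
    lo, hi = min(bytes_at), max(bytes_at)
    complete = len(bytes_at) == hi - lo + 1
    stream = bytes(bytes_at.get(p, 0) for p in range(lo, hi + 1))
    return stream, conflicts, complete


def inspect(segments, signature=SIGNATURE, policy="first"):
    """IDP-style verdict for one direction of a TCP stream."""
    stream, conflicts, complete = reassemble(segments, policy)
    if conflicts:
        return "inconsistent"      # overlapping data disagrees: evasion attempt
    if signature in stream:
        return "alert"
    return "clean" if complete else "incomplete"


# Constructed traffic; sequence numbers are relative to the request start.
REQUEST = b"GET /cgi-bin/evil.sh?x=1 HTTP/1.0\r\n\r\n"

# 1. Evasion: the pattern is split across two segments that arrive reversed.
SPLIT_OUT_OF_ORDER = [(12, REQUEST[12:]), (0, REQUEST[:12])]

# 2. Insertion: a 'retransmission' of bytes 13..19 with different content.
INSERTION = [(0, b"GET /cgi-bin/nice.sh HTTP/1.0\r\n\r\n"), (13, b"evil.sh")]


def demo():
    first, conflicts, _ = reassemble(INSERTION, "first")
    last, _, _ = reassemble(INSERTION, "last")
    return {
        "naive_sees_split": naive_match(SPLIT_OUT_OF_ORDER),
        "reassembled_split": inspect(SPLIT_OUT_OF_ORDER),
        "insertion_conflicts": conflicts,
        "first_wins_has_sig": SIGNATURE in first,
        "last_wins_has_sig": SIGNATURE in last,
        "insertion_verdict": inspect(INSERTION),
    }
```

The two reassembly policies give opposite answers for the insertion case, which is exactly why an IDP that resolves the overlap quietly can be made to disagree with the host it protects; flagging the inconsistency, as the HTTP normalization options on the previous page do for URIs, avoids that guess.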
  • D-Link DFL-260 | Product Manual - Page 320
    attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable components, , advisories are not included in D-Link documentation but instead, are available on the D-Link website at: http://security.dlink.com.tw Advisories can be found
  • D-Link DFL-260 | Product Manual - Page 321
6.5.6. IDP Signature Groups least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is the signature Type, the second level the Category and the third level
  • D-Link DFL-260 | Product Manual - Page 322
    ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense. 6.5.8. SMTP Log Receiver for IDP Events In order to
  • D-Link DFL-260 | Product Manual - Page 323
6.5.8. SMTP Log Receiver for IDP Events Example 6.20. Configuring an SMTP Log Receiver In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is triggered. At least one new event occurs within the Hold Time of 120
  • D-Link DFL-260 | Product Manual - Page 324
    should therefore be set to the object defining the mail server. 1. Go to IDP > IDP Rules > Add > IDP Rule 2. Now enter: • Name: IDPMailSrvRule • Service: smtp • Also inspect dropped packets: In case all traffic matching this rule should be scanned (this also means traffic that the main rule set
  • D-Link DFL-260 | Product Manual - Page 325
6.5.8. SMTP Log Receiver for IDP Events • Destination Network: ip_mailserver • Click OK Specify the Action: An action is now defined, specifying what signatures the IDP should use when scanning data matching the rule, and what NetDefendOS should do when a possible
  • D-Link DFL-260 | Product Manual - Page 326
    , providing a 24/7 evolution of attack methods. Many newer attack techniques utilize the distributed topology of the Internet to launch Denial of Service (DoS) attacks against organizations resulting in paralysed web servers that can no longer respond to legitimate connection requests. To be on the
  • D-Link DFL-260 | Product Manual - Page 327
    no interest here since it is always the same as the destination IP address. 6.6.6. The WinNuke attack The WinNuke attack works by connecting to a TCP service that does not have handlers for "out-of-band" data (TCP segments with the URG bit set), but still accepts such data. This will usually
  • D-Link DFL-260 | Product Manual - Page 328
    (port 7) to accomplish the task. Fraggle generally gets lower amplification factors since there are fewer hosts on the Internet that have the UDP echo service enabled. Smurf attacks will show up in NetDefendOS logs as masses of dropped ICMP Echo Reply packets. The source IP addresses will be those
  • D-Link DFL-260 | Product Manual - Page 329
    TCP SYN Flood attacks if the Syn Flood Protection option is enabled in a service object associated with the rule in the IP rule set that triggers on the on other operating systems. While other operating systems can exhibit problems with as few as 5 outstanding half-open connections, NetDefendOS
  • D-Link DFL-260 | Product Manual - Page 330
6.6.10. Distributed DoS Attacks attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both private
  • D-Link DFL-260 | Product Manual - Page 331
    time is renewed to its original, full value (in other words, it is not cumulative). Block only this Service By default Blacklisting blocks all services for the triggering host. Exempt already established connections from Blacklisting If there are established connections that have the same
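The four behaviours described on this page and the next (a repeat trigger resets the block time rather than adding to it, "Block only this Service", "Exempt already established connections", and a whitelist that can never be blacklisted) as a worked example. This is added illustration, not the NetDefendOS blacklist implementation; times are seconds on a caller-supplied clock and the addresses are constructed.

```python
"""Dynamic blacklisting semantics. Added example, not code from the
NetDefendOS manual; times are seconds on a caller-supplied clock and the
addresses are constructed."""
from dataclasses import dataclass

ALL_SERVICES = "all"


@dataclass
class BlockEntry:
    expires_at: float
    service: str                 # ALL_SERVICES, or the single triggering service
    exempt_established: bool


class Blacklist:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.entries = {}        # host -> BlockEntry

    def trigger(self, host, now, block_time, service=ALL_SERVICES,
                exempt_established=False):
        """Called when a threshold, IDP or scanner rule fires for `host`.
        Returns False, and does nothing, for whitelisted hosts."""
        if block_time <= 0:
            raise ValueError("block_time must be positive")
        if host in self.whitelist:
            return False
        # A repeat trigger resets the timer to the full block time; it does
        # not add to the time already remaining.
        self.entries[host] = BlockEntry(now + block_time, service, exempt_established)
        return True

    def remaining(self, host, now):
        entry = self.entries.get(host)
        return 0.0 if entry is None else max(0.0, entry.expires_at - now)

    def permits(self, host, service, now, established=False):
        """True if traffic from `host` to `service` passes the blacklist."""
        entry = self.entries.get(host)
        if entry is None:
            return True
        if entry.expires_at <= now:
            del self.entries[host]           # expired entries are purged lazily
            return True
        if entry.service != ALL_SERVICES and entry.service != service:
            return True                      # 'Block only this Service'
        if established and entry.exempt_established:
            return True                      # existing connections keep flowing
        return False


def demo():
    bl = Blacklist(whitelist={"198.51.100.7"})
    bl.trigger("203.0.113.9", now=0, block_time=600)
    bl.trigger("203.0.113.9", now=500, block_time=600)     # renews: expires at 1100
    bl.trigger("203.0.113.20", now=0, block_time=300, service="http",
               exempt_established=True)
    return {
        "renewed_remaining_at_500": bl.remaining("203.0.113.9", 500),
        "blocked_at_1099": not bl.permits("203.0.113.9", "ssh", 1099),
        "expired_at_1100": bl.permits("203.0.113.9", "ssh", 1100),
        "whitelisted_never_blocked": (not bl.trigger("198.51.100.7", 0, 600)
                                      and bl.permits("198.51.100.7", "ssh", 1)),
        "only_http_blocked": (not bl.permits("203.0.113.20", "http", 10),
                              bl.permits("203.0.113.20", "smtp", 10)),
        "established_http_exempt": bl.permits("203.0.113.20", "http", 10,
                                              established=True),
    }
```

The renewal rule matters operationally: a host that keeps triggering stays blocked for one block time after its last trigger, not for the sum of all triggers, so a noisy scanner cannot accumulate an indefinite block and an administrator can predict when an entry expires.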
  • D-Link DFL-260 | Product Manual - Page 332
to the whitelist. This will mean this IP address can never be blacklisted. Command-Line Interface gw-world:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp Web Interface 1. Go to System > Whitelist > Add > Whitelist host 2. Now select the IP address object white_ip so it is added to the
  • D-Link DFL-260 | Product Manual - Page 333
6.7. Blacklisting Hosts and Networks
  • D-Link DFL-260 | Product Manual - Page 334
    hides internal IP addresses which means that an attack coming from the "outside" is much more difficult. Types of Translation NetDefendOS supports two types of translation: • Dynamic Network Address Translation (NAT). • Static Address Translation (SAT). Both types of translation are policy-based in
  • D-Link DFL-260 | Product Manual - Page 335
    7.2. NAT Chapter 7. Address Translation 7.2. NAT Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing packets then appear to come from a different IP address and incoming packets back to that address have their
  • D-Link DFL-260 | Product Manual - Page 336
7.2. NAT address on the firewall then this will constitute two, unique IP pairs. The 64,500 figure is therefore not a limitation for the entire NetDefend Firewall. Tip: Use NAT pools to get around the connection limit The connection maximum per unique IP pair is
  • D-Link DFL-260 | Product Manual - Page 337
    the main IP rule set: gw-world:/> cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Name=NAT_HTTP NATAction=UseInterfaceAddress Return to the top level: gw-world
  • D-Link DFL-260 | Product Manual - Page 338
    suitable name for the rule, for example NAT_HTTP 3. Now enter: • Action: NAT • Service: http • Source Interface: lan • Source Network: lannet • Destination Interface: any • of the method of transportation used, can cause problems during address translation. Anonymizing Internet Traffic with NAT
  • D-Link DFL-260 | Product Manual - Page 339
    for PPTP clients. Clients that wish to be anonymous, communicate with their local ISP using PPTP. The traffic is directed to the anonymizing service provider where a NetDefend Firewall is installed to act as the PPTP server for the client, terminating the PPTP tunnel. This arrangement is illustrated
  • D-Link DFL-260 | Product Manual - Page 340
    will then use the same external IP address. The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address which will be essential with protocols such as HTTP when
  • D-Link DFL-260 | Product Manual - Page 341
    will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can cause problems sometimes by possibly creating routes to interfaces on which packets should not arrive. It is therefore recommended that the interface(s) to be used for the
  • D-Link DFL-260 | Product Manual - Page 342
    • Action: NAT 3. Under Address filter enter: • Source Interface: int • Source Network: int-net • Destination Interface: wan • Destination Network: all-nets • Service: HTTP 4. Select the NAT tab and enter: • Check the Use NAT Pool option • Select stateful_natpool from the drop-down list 5. Click OK
  • D-Link DFL-260 | Product Manual - Page 343
    also sometimes referred to as a Virtual IP or Virtual Server in some other manufacturer's products. The Role of the DMZ At this point in the manual, it's relevant to discuss the concept and role of the network known as the Demilitarized Zone (DMZ). The DMZ's purpose is to have a network where
  • D-Link DFL-260 | Product Manual - Page 344
    the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a specific Ethernet port which is marked as being for the rule: gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork
  • D-Link DFL-260 | Product Manual - Page 345
    Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example SAT_HTTP_To_DMZ 3. Now enter: • Action: SAT • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the SAT tab, make sure that
  • D-Link DFL-260 | Product Manual - Page 346
7.4.1. Translation of a Single IP Address (1:1)
#  Action  Src Iface  Src Net  Dest Iface  Dest Net   Parameters
3  NAT     lan        lannet   any         all-nets   All
Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of
  • D-Link DFL-260 | Product Manual - Page 347
(rule continued) Src Net: lannet, Dest Iface: any, Dest Net: all-nets, Parameters: All. The problem with this rule set is that it will not work at all for change to the rule set in the same way as described above, will solve the problem. In this example, for no particular reason, we choose to use option 2: # Action
  • D-Link DFL-260 | Product Manual - Page 348
    is to allow internal clients to speak directly to 10.0.0.2 and this would completely avoid all the problems associated with address translation. However, this is not always practical. 7.4.2. Translation of Multiple IP Addresses (M:N) A single SAT rule can be used to translate an entire
  • D-Link DFL-260 | Product Manual - Page 349
    world:/> cc IPRuleSet main Next, create a SAT rule for the translation: gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=wan DestinationNetwork=wwwsrv_pub SATTranslateToIP=wwwsrv_priv_base SATTranslate=DestinationIP Finally, create an
  • D-Link DFL-260 | Product Manual - Page 350
Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: wan • Destination Network: wwwsrv_pub 4. Click OK 7.4.3. All-to-One
  • D-Link DFL-260 | Product Manual - Page 351
    is needed for port translation In order to create a SAT rule that allows port translation, a Custom Service object must be used with the rule. 7.4.5. Protocols Handled by SAT Generally, static address translation can handle all protocols that allow address translation to take
  • D-Link DFL-260 | Product Manual - Page 352
7.4.7. SAT and FwdFast Rules The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the
  • D-Link DFL-260 | Product Manual - Page 353
3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work. The problem can be solved using the following rule set:
#  Action   Src Iface
1  SAT      any
2  SAT      lan
3  FwdFast  lan
4  NAT      lan
5  FwdFast  lan
Src
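The rule-lookup behaviour behind 7.4.1 and 7.4.7 as a worked example: a matching SAT rule only records the translation, and the lookup continues on the original addresses until an Allow, NAT or similar rule actually opens the connection. It is added illustration, not NetDefendOS code, and it models the 7.4.1 scenario in which the web server 10.0.0.2 sits on the internal network: with SAT followed by a plain Allow, an internal client's packets reach the server with the client's real source address, so the server replies directly on the LAN and the client, which sent to wan_ip, never sees a usable answer. The fix modelled here, a NAT rule for lan clients placed before the Allow rule, is my rendering of that correction and is not copied from the manual. The address book values and the simplified routing (lannet via lan, everything else via wan) are assumptions; only SAT, Allow and NAT are modelled.

```python
"""First-match IP rule lookup with SAT, Allow and NAT. Added example, not
code from the NetDefendOS manual; address book, rule sets and routing are
constructed from the manual's 1:1 SAT scenario."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ADDRESS_BOOK = {
    "all-nets": "0.0.0.0/0",
    "lannet": "10.0.0.0/24",
    "lan_ip": "10.0.0.1/32",
    "wan_ip": "203.0.113.1/32",
    "wwwsrv": "10.0.0.2/32",          # web server on the internal network
}
INTERFACE_IP = {"lan": "10.0.0.1", "wan": "203.0.113.1"}


@dataclass
class Rule:
    name: str
    action: str                        # "SAT", "Allow" or "NAT"
    src_if: str
    src_net: str
    dst_if: str                        # "core" = addressed to the firewall itself
    dst_net: str
    sat_to: Optional[str] = None       # SAT: address-book name for the new destination


def in_net(addr: str, name: str) -> bool:
    return ip_address(addr) in ip_network(ADDRESS_BOOK[name])


def matches(rule: Rule, src_if, src, dst_if, dst) -> bool:
    return (rule.src_if in ("any", src_if) and in_net(src, rule.src_net)
            and rule.dst_if in ("any", dst_if) and in_net(dst, rule.dst_net))


def egress_interface(dst: str) -> str:
    return "lan" if in_net(dst, "lannet") else "wan"      # simplified routing


def lookup(rules, src_if, src, dst_if, dst):
    """First SAT match records the translation; lookup continues on the
    original addresses until an Allow or NAT rule opens the connection."""
    sat_rule, new_dst = None, dst
    for rule in rules:
        if not matches(rule, src_if, src, dst_if, dst):
            continue
        if rule.action == "SAT":
            if sat_rule is None:
                sat_rule = rule
                new_dst = ADDRESS_BOOK[rule.sat_to].split("/")[0]
            continue
        out_if = egress_interface(new_dst)
        # NATAction=UseInterfaceAddress: source becomes the egress interface IP
        new_src = INTERFACE_IP[out_if] if rule.action == "NAT" else src
        return {"rule": rule.name, "sat": sat_rule.name if sat_rule else None,
                "src": new_src, "dst": new_dst, "out_if": out_if}
    return None


def reply_passes_firewall(result) -> bool:
    """The server answers the source address it sees. If that address is a
    host on the server's own interface, the reply bypasses the firewall."""
    if result is None:
        return False
    seen_src = result["src"]
    if seen_src in INTERFACE_IP.values():
        return True                       # server replies to the firewall
    return egress_interface(seen_src) != result["out_if"]


SAT_RULE = Rule("SAT_HTTP_To_Srv", "SAT", "any", "all-nets", "core", "wan_ip", sat_to="wwwsrv")
BROKEN = [
    SAT_RULE,
    Rule("Allow_HTTP_To_Srv", "Allow", "any", "all-nets", "core", "wan_ip"),
    Rule("NAT_Out", "NAT", "lan", "lannet", "any", "all-nets"),
]
FIXED = [
    SAT_RULE,
    Rule("NAT_Lan_To_Srv", "NAT", "lan", "lannet", "core", "wan_ip"),   # the fix
    Rule("Allow_HTTP_To_Srv", "Allow", "any", "all-nets", "core", "wan_ip"),
    Rule("NAT_Out", "NAT", "lan", "lannet", "any", "all-nets"),
]


def demo():
    clients = {"internal": ("lan", "10.0.0.10"), "external": ("wan", "198.51.100.5")}
    out = {}
    for label, (src_if, src) in clients.items():
        for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
            r = lookup(rules, src_if, src, "core", "203.0.113.1")
            out[(label, name)] = (r["rule"], r["src"], r["dst"], reply_passes_firewall(r))
    return out
```

Two things are visible in the output that the prose alone does not show: the second rule is matched against the untranslated destination wan_ip, not against 10.0.0.2, which is why a NAT rule for lan clients must name core/wan_ip; and external clients are unaffected by the added rule because its source interface is lan.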
  • D-Link DFL-260 | Product Manual - Page 354
7.4.7. SAT and FwdFast Rules
  • D-Link DFL-260 | Product Manual - Page 355
    Method A may require a special piece of equipment such as a biometric reader. Another problem with A is that the special attribute often cannot be replaced if it is lost. user authentication performed with username/password combinations that are manually entered by a user attempting to gain access to
  • D-Link DFL-260 | Product Manual - Page 356
8.1. Overview To remain secure, passwords should also: • Not be recorded anywhere in written form. • Never be revealed to anyone else. • Be changed on a regular basis, such as every three months. Chapter 8. User Authentication
  • D-Link DFL-260 | Product Manual - Page 357
8.2. Authentication Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of a database of users, each with a username/password
  • D-Link DFL-260 | Product Manual - Page 358
8.2.2. The Local Database The purpose of this is to restrict access to certain networks to a particular group by having IP rules which will only apply to members of that group. To gain access to a resource there must be an IP rule that allows it and the client must
  • D-Link DFL-260 | Product Manual - Page 359
    server can validate username/password combinations by responding to requests from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with NetDefendOS NetDefendOS can act as a RADIUS client, sending user credentials and
  • D-Link DFL-260 | Product Manual - Page 360
    is required. There are a number of issues that can cause problems: • LDAP servers differ in their implementation. NetDefendOS provides a a tuple (a pair of data values) consisting of an attribute name (in this manual we will call this the attribute ID to avoid confusion) and an attribute value. An
  • D-Link DFL-260 | Product Manual - Page 361
    groups that a user belongs to should be retrieved from the LDAP server. The group name is often used when granting user access to a service after a successful logon. If the Retrieve Group Membership option is enabled then the Membership Attribute option, described next can also be set. • Membership
  • D-Link DFL-260 | Product Manual - Page 362
8.2.4. External LDAP Servers successful authentication. The domain name is the host name of the LDAP server, for example myldapserver. The choices for this parameter are: i. None - This will not modify the username in any way. For example, testuser. ii. Username
  • D-Link DFL-260 | Product Manual - Page 363
8.2.4. External LDAP Servers • Domain Name The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is myldapserver. The full domain name is a dot separated set of labels, for example,
  • D-Link DFL-260 | Product Manual - Page 364
8.2.4. External LDAP Servers If the domain is mydomain.com then the username for myuser might need to be specified as myuser@mydomain.com. With some LDAP servers this might be myuser@domain, mydomain.com\myuser or even mydomain\myuser. The format depends entirely on
  • D-Link DFL-260 | Product Manual - Page 365
there. LDAP servers store passwords in hashed (digest) form and do not provide automatic mechanisms for doing this. It must therefore be done manually by the administrator as they add new users and change existing users' passwords. This clearly involves some effort from the administrator, as well
  • D-Link DFL-260 | Product Manual - Page 366
    must be protected Since the LDAP server is sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link should be used if the link between the two is not local. Access to the LDAP server itself must also be restricted as
  • D-Link DFL-260 | Product Manual - Page 367
8.2.5. Authentication Rules This is the IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security which means that clients accessing a VPN
  • D-Link DFL-260 | Product Manual - Page 368
    database server or an external LDAP server. 7. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set. That rule's Source Network object has either the No Defined Credentials option
  • D-Link DFL-260 | Product Manual - Page 369
step is to set up the rules in the IP rule set as shown below:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network   Service
1  Allow   lan            trusted_net    int             important_net  All
2  Allow   lan            untrusted_net  dmz             regular_net    All
If we wanted to allow the trusted group users to also be
  • D-Link DFL-260 | Product Manual - Page 370
through the wan interface then the IP rule set would contain the following rules:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
1  Allow   lan            lannet         core            lan_ip        http-all
2  NAT     lan            trusted_users  wan             all-nets      http-all
3  NAT     lan            lannet         wan             all-nets      dns-all
  • D-Link DFL-260 | Product Manual - Page 371
    how to enable HTTP user authentication for the user group users on lannet. Only users that belong to the group users can get Web browsing service after authentication, as it is defined in the IP rule. We assume that lannet, users, lan_ip, local user database folder lannet_auth_users and the
  • D-Link DFL-260 | Product Manual - Page 372
: Enter the IP address of the server, or enter the symbolic name if the server has been defined in the Address Book d. Port: 1812 (RADIUS service uses UDP port 1812 by default) e. Retry Timeout: 2 (NetDefendOS will resend the authentication request to the server if there is no response after the
  • D-Link DFL-260 | Product Manual - Page 373
f. Shared Secret: Enter the text string shared with the RADIUS server; it is used to hide the password attribute and to authenticate RADIUS messages, not to encrypt the whole exchange g. Confirm Secret: Retype the string to confirm the one typed above 3. Click OK 8.3. Customizing HTML Pages User Authentication makes use of a set of
  • D-Link DFL-260 | Product Manual - Page 374
the changes 9. Click OK to exit editing 10. Go to Objects > ALG and select the relevant HTTP ALG 11. Select new_forbidden as the HTML Banner 12. Click OK 13. Go to Configuration > Save & Activate to activate the new file Tip: HTML file changes need to be saved In the above example
  • D-Link DFL-260 | Product Manual - Page 375
8.3. Customizing HTML Pages 2. A new Auth Banner Files object must exist which the edited file(s) is uploaded to. If the object is called ua_html, the CLI command to create this object is: gw-world:/> add HTTPAuthBanners ua_html This creates an object which contains
  • D-Link DFL-260 | Product Manual - Page 376
8.3. Customizing HTML Pages
  • D-Link DFL-260 | Product Manual - Page 377
    PPTP/L2TP, page 425 • CA Server Access, page 434 • VPN Troubleshooting, page 437 9.1. Overview 9.1.1. VPN Usage The Internet is increasingly used as this need, providing a highly cost effective means of establishing secure links between two co-operating computers so that data can be exchanged in
  • D-Link DFL-260 | Product Manual - Page 378
    9.1.2. VPN Encryption Chapter 9. VPN 2. Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them.
  • D-Link DFL-260 | Product Manual - Page 379
    a special DMZ or outside a firewall dedicated to this task. By doing this, the administrator can restrict which services can be accessed via the VPN and ensure that these services are well protected against intruders. In instances where the firewall features an integrated VPN feature, it is usually
  • D-Link DFL-260 | Product Manual - Page 380
9.1.5. The TLS Alternative for VPN (see "The TLS ALG").
  • D-Link DFL-260 | Product Manual - Page 381
    , this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables. If a route is defined manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of NetDefendOS. In other words, the
  • D-Link DFL-260 | Product Manual - Page 382
object as the Source Interface. The Source Network is remote_net. • Action: Allow • Src Interface: lan • Src Network: lannet • Dest Interface: ipsec_tunnel • Dest Network: remote_net • Service: All
  • D-Link DFL-260 | Product Manual - Page 383
• Action: Allow • Src Interface: ipsec_tunnel • Src Network: remote_net • Dest Interface: lan • Dest Network: lannet • Service: All The Service used in these rules is All but it could be a predefined service. 6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface
  • D-Link DFL-260 | Product Manual - Page 384
    The IP addresses may be known beforehand and have been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is
  • D-Link DFL-260 | Product Manual - Page 385
    . 3. The IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service All Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used
  • D-Link DFL-260 | Product Manual - Page 386
    . • Define the IPsec algorithms that will be used and which are supported by NetDefendOS. • Specify if the client will use config mode. There of IPsec client software products available from a number of suppliers and this manual will not focus on any specific one. The network administrator should use
  • D-Link DFL-260 | Product Manual - Page 387
    9.2.5. L2TP Roaming Clients with Pre-Shared Keys Chapter 9. VPN Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.6, "CA Server Access", which describes important
  • D-Link DFL-260 | Product Manual - Page 388
    the IP rule set: Action Allow NAT Src Interface l2tp_tunnel ipsec_tunnel Src Network l2tp_pool l2tp_pool Dest Interface any ext Dest Network int_net all-nets Service All All The second rule would be included to allow clients to surf the Internet via the ext interface on the NetDefend Firewall
  • D-Link DFL-260 | Product Manual - Page 389
    9.2.7. PPTP Roaming Clients Chapter 9. VPN 1. The NetDefendOS date and time must be set correctly since certificates can expire. 2. Load a Gateway Certificate and Root Certificate into NetDefendOS. 3. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication.
  • D-Link DFL-260 | Product Manual - Page 390
    IP rule set: Action Allow NAT Src Interface pptp_tunnel pptp_tunnel Src Network pptp_pool pptp_pool Dest Interface any ext Dest Network int_net all-nets Service All All As described for L2TP, the NAT rule lets the clients access the public Internet via the NetDefend Firewall. 5. Set up the
  • D-Link DFL-260 | Product Manual - Page 391
    9.3. IPsec Components Chapter 9. VPN 9.3. IPsec Components This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs. 9.3.1. Overview Internet Protocol Security (IPsec) is a set of protocols defined
  • D-Link DFL-260 | Product Manual - Page 392
list is a suggestion of how to protect IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithm combinations it supports for protecting the connection and it is then up to the device at the other end of the connection to say which proposal is acceptable
  • D-Link DFL-260 | Product Manual - Page 393
    -Shared Keys, certificates or public key encryption. Pre-Shared Keys is the most common authentication method today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase 2, another negotiation is performed, detailing the parameters for
  • D-Link DFL-260 | Product Manual - Page 394
    9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN Remote Endpoint Main/Aggressive Mode IPsec Protocols remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from
  • D-Link DFL-260 | Product Manual - Page 395
    that is no longer considered to be sufficiently secure. This specifies the authentication algorithms used in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are: • SHA1 • MD5 This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups
  • D-Link DFL-260 | Product Manual - Page 396
    protected traffic. This is not used when ESP is used without authentication, although it is not recommended to use ESP without authentication. The algorithms supported by NetDefend Firewall VPNs are: • SHA1 • MD5 This is the lifetime of the VPN connection. It is specified in both time (seconds) and
  • D-Link DFL-260 | Product Manual - Page 397
    support manual keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual VPN "share" a secret key. This is a service provided by IKE, and thus has all the advantages that come with it, making it
  • D-Link DFL-260 | Product Manual - Page 398
    9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a
  • D-Link DFL-260 | Product Manual - Page 399
    be used to do either encryption only, or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work through NATs and because of this, a technique called "NAT traversal" has
  • D-Link DFL-260 | Product Manual - Page 400
    that it understands NAT traversal, and which specific versions of the draft it supports. Achieving NAT Detection To achieve NAT detection both IPsec peers send hashes UDP packets in an effort to work around the NAT problems with IKE. The problem is that this special handling of IKE packets may in
  • D-Link DFL-260 | Product Manual - Page 401
    point for the negotiation. Each entry in the list defines parameters for a supported algorithm that the VPN tunnel end point device is capable of supporting (the shorter term tunnel endpoint will also be used in this manual). The initial negotiation attempts to agree on a set of algorithms that the
  • D-Link DFL-260 | Product Manual - Page 402
command pskgen (this command is fully documented in the CLI Reference Guide). Beware of Non-ASCII Characters in a PSK on Different Platforms the tunnel there will be a mismatch and this can sometimes cause problems when setting up a Windows L2TP client that connects to NetDefendOS. manually, use:
  • D-Link DFL-260 | Product Manual - Page 403
    , members of the sales force need access to servers running the order system, while technical engineers need access to technical databases. The Problem Since the IP addresses of the travelling employees VPN clients cannot be known beforehand, the incoming VPN connections from the clients cannot be
  • D-Link DFL-260 | Product Manual - Page 404
    -world:/> cc IDList MyIDList gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden [email protected] gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel: gw-world
  • D-Link DFL-260 | Product Manual - Page 405
    9.3.8. Identification Lists Chapter 9. VPN 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls 5. Select MyIDList in the Identification List 6.
  • D-Link DFL-260 | Product Manual - Page 406
    9.4. IPsec Tunnels Chapter 9. VPN 9.4. IPsec Tunnels This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage. 9.4.1. Overview An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by
  • D-Link DFL-260 | Product Manual - Page 407
    flows. It does this by continuously sending ICMP Ping messages through the tunnel. If replies to the ping messages are not received then the tunnel link is assumed to be broken and an attempt is automatically made to re-establish the tunnel. This feature is only useful for LAN to LAN
  • D-Link DFL-260 | Product Manual - Page 408
    LANs at geographically separate sites can communicate with a level of security comparable to that existing if they communicated through a dedicated, private link. Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to
  • D-Link DFL-260 | Product Manual - Page 409
    9.4.3. Roaming Clients Chapter 9. VPN Example 9.4. Setting up a PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients that connect to the office to gain remote access. The head office network uses
  • D-Link DFL-260 | Product Manual - Page 410
    the certificate on the client 8. Create a new ID for every client that you want to grant access rights according to the instructions above D. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter: • Name: RoamingIPsecTunnel • Local Network: 10.0.1.0/24 (This
  • D-Link DFL-260 | Product Manual - Page 411
    CA server (in Windows 2000 Server this is found in Certificate Services). For more information on CA server issued certificates see Section 3.7, ID for every client that you want to grant access rights according to the instructions above C. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec >
  • D-Link DFL-260 | Product Manual - Page 412
    URL resolution (already provided by an IP Pool). NBNS/WINS The IP address for NBNS/WINS resolution (already provided by an IP Pool). DHCP Instructs the host to send any internal DHCP requests to this address. Subnets A list of the subnets that the client can access. Example 9.7. Setting Up
  • D-Link DFL-260 | Product Manual - Page 413
    wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify alternate LDAP servers. Example 9.9. Setting up an LDAP server This example shows how to manually setup and specify an LDAP server. Command-Line Interface gw-world:/> add LDAPServer Host=192
  • D-Link DFL-260 | Product Manual - Page 414
    : 389 3. Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial negotiation . Complete ikesnoop command options can be found in the CLI Reference Guide. The Client and the Server The two parties involved in the tunnel
  • D-Link DFL-260 | Product Manual - Page 415
    9.4.5. Troubleshooting with ikesnoop negotiation and the server refers to the device which is the responder. Chapter 9. VPN Step 1. Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output initially shows the proposed list of algorithms that the client first sends
  • D-Link DFL-260 | Product Manual - Page 416
    9.4.5. Troubleshooting with ikesnoop Chapter ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A
  • D-Link DFL-260 | Product Manual - Page 417
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN SA (Security Association) Payload data length : 52 bytes DOI : 1 ( data length : 16 bytes Vendor ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) Payload data length :
  • D-Link DFL-260 | Product Manual - Page 418
    9.4.5. Troubleshooting with ikesnoop NAT-D (NAT Detection) Payload data length : 16 bytes Chapter 9. VPN Step 4. Server Sends Key Exchange Data The Server now sends key exchange data
  • D-Link DFL-260 | Product Manual - Page 419
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN Step 6. Server ID Response The ) Payload data length : 16 bytes Step 7. Client Sends a List of Supported IPsec Algorithms Now the client sends the list of supported IPsec algorithms to the server. It will also contain the proposed host/networks
  • D-Link DFL-260 | Product Manual - Page 420
    9.4.5. Troubleshooting with 10.4.2.6) ID (Identification) Payload data length : 12 bytes ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16) Explanation otherwise it is SA per host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec proposal from the list
  • D-Link DFL-260 | Product Manual - Page 421
    ipv4(any:0,[0..3]=10.4.2.6) ID (Identification) Payload data length : 12 bytes ID : ipv4_subnet(any:0,[0..7]=10.4.0.0/16) Step 9. Client Confirms is changed. This linkage is broken once IPsec Max Rules is altered manually so that subsequent changes to IPsec Max Tunnels will not cause an
  • D-Link DFL-260 | Product Manual - Page 422
allow the CA administrator to issue new CRLs at any time, so even if the "next update" field says that a new CRL is available in 12 hours, there may already be a new CRL for download. This setting limits the time a CRL is considered valid. A new CRL is downloaded when IKECRLValidityTime expires
  • D-Link DFL-260 | Product Manual - Page 423
    9.4.6. IPsec Advanced Settings Chapter 9. VPN IPsec Cert Cache Max Certs Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm. Default: 1024 IPsec
  • D-Link DFL-260 | Product Manual - Page 424
    9.4.6. IPsec Advanced Settings Chapter 9. VPN In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (not reachable). The SA will then be placed in
  • D-Link DFL-260 | Product Manual - Page 425
    a consortium of companies that includes Microsoft. It is an OSI layer 2 "data-link" protocol (see Appendix D, The OSI Framework) and is an extension of the number of clients with the software already installed. Troubleshooting PPTP A common problem with setting up PPTP is that a router and/or
  • D-Link DFL-260 | Product Manual - Page 426
    , which will not be covered in this example. 9.5.2. L2TP Servers Layer 2 Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP. Its design is a combination of Layer 2 Forwarding (L2F) protocol and PPTP, making use of the best features of both. Since the L2TP
  • D-Link DFL-260 | Product Manual - Page 427
    be able to authenticate the users using the PPTP tunnel you also need to configure authentication rules, which is not covered in this example. Example 9.12. Setting up an L2TP Tunnel Over IPsec This example shows how to setup a fully working L2TP Tunnel based on IPsec encryption and will cover many
  • D-Link DFL-260 | Product Manual - Page 428
    9.5.2. L2TP Servers Chapter 9. VPN 2. Enter a suitable name for the user database, for example UserDB 3. Go to User Authentication > Local User Databases > UserDB > Add > User 4. Now enter: • Username: testuser • Password: mypassword • Confirm Password: mypassword 5. Click OK Now we will setup the
  • D-Link DFL-260 | Product Manual - Page 429
    9.5.2. L2TP Servers Chapter 9. VPN gw-world:/> add Interface L2TPServer l2tp_tunnel IP=lan_ip Interface=l2tp_ipsec ServerIP=wan_ip IPPool=l2tp_pool TunnelProtocol=L2TP AllowedRoutes=all-nets ProxyARPInterfaces=lan Web Interface 1. Go to Interfaces > L2TP Servers > Add > L2TPServer 2. Enter a name
  • D-Link DFL-260 | Product Manual - Page 430
    to be the main IP rule set: gw-world:/> cc IPRuleSet main Now, add the IP rules: gw-world:/main> add IPRule action=Allow Service=all_services SourceInterface=l2tp_tunnel SourceNetwork=l2tp_pool DestinationInterface=any DestinationNetwork=all-nets name=AllowL2TP gw-world:/main> add IPRule action=NAT
  • D-Link DFL-260 | Product Manual - Page 431
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting the rule set. Default: Enabled PPTP Before Rules Pass PPTP traffic sent to the NetDefend Firewall directly to the PPTP Server without consulting the rule set.
  • D-Link DFL-260 | Product Manual - Page 432
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN specified gateway. Authentication • Username - Specifies the username to use for this PPTP/L2TP interface. • Password - Specifies the password for the interface. • Authentication - Specifies which authentication protocol to use. • MPPE - Specifies if
  • D-Link DFL-260 | Product Manual - Page 433
9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage
  • D-Link DFL-260 | Product Manual - Page 434
    9.6. CA Server Access Chapter 9. VPN 9.6. CA Server Access Overview Where certificates are used, the two sides of a VPN tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by accessing a CA server. A certificate
  • D-Link DFL-260 | Product Manual - Page 435
    9.6. CA Server Access Chapter 9. VPN 3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that NetDefendOS will need to have at least one public DNS server address configured to resolve the
  • D-Link DFL-260 | Product Manual - Page 436
    must be configured in NetDefendOS so that these requests can be resolved. Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the requirement to validate certificates. Attempts to access CA servers
  • D-Link DFL-260 | Product Manual - Page 437
    how to troubleshoot the common problems that are found with VPN. 9.7.1. General Troubleshooting In all types of VPNs some basic troubleshooting checks Src Network all-nets Dest Interface core Dest Network all-nets Service ICMP • Ensure that another IPsec Tunnel definition is not preventing
  • D-Link DFL-260 | Product Manual - Page 438
    zone. • Disable CRL (revocation list) checking to see if CA server access could be the problem. CA Server issues are discussed further in Section 9.6, "CA Server Access". 9.7.3. IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec tunnels: The ipsecstat console command
  • D-Link DFL-260 | Product Manual - Page 439
    a more detailed discussion of this topic, see Section 9.4.5, "Troubleshooting with ikesnoop". 9.7.4. Management Interface Failure with VPN If any VPN management interface no longer operates then it is likely to be a problem with the management traffic being routed back through the VPN tunnel instead
  • D-Link DFL-260 | Product Manual - Page 440
    the IKE phase) and PFS (for IPsec phase). 2. Incorrect pre-shared key A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and that is incorrect pre
  • D-Link DFL-260 | Product Manual - Page 441
    does not give that much information about certificates, while normal logs can provide important clues as to what the problem could be. A good suggestion before you start to troubleshoot certificate based tunnels is to first configure it as a PSK tunnel and then verify that it can successfully
  • D-Link DFL-260 | Product Manual - Page 442
    used. 1. The tunnel can only be initiated from one side This is a common problem and is due to a mismatch of the size in local or remote network and/or the lifetime settings on the proposal list(s). To troubleshoot this you need to examine the settings for the local network, remote network, IKE
  • D-Link DFL-260 | Product Manual - Page 443
9.7.6. Specific Symptoms Chapter 9. VPN
  • D-Link DFL-260 | Product Manual - Page 444
    in packet headers to provide network devices with QoS information. NetDefendOS Diffserv Support NetDefendOS supports the Diffserv architecture the following ways: • NetDefendOS forwards the 6 bits which make up the Diffserv Differentiated Services Code Point (DSCP) as well as copying these bits from
  • D-Link DFL-260 | Product Manual - Page 445
    of prioritized traffic. Note: Traffic shaping will not work with the SIP ALG Any traffic connections that trigger an IP rule with a service object that uses the SIP ALG cannot be also subject to traffic shaping. 10.1.2. Traffic Shaping in NetDefendOS NetDefendOS offers extensive traffic shaping
  • D-Link DFL-260 | Product Manual - Page 446
flow through which pipes. Each pipe rule is defined like other NetDefendOS security policies: by specifying the source/destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule set, the pipe rule set is then checked for
  • D-Link DFL-260 | Product Manual - Page 447
    require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin with creating a simple pipe that limits all traffic that gets passed
  • D-Link DFL-260 | Product Manual - Page 448
    Traffic Management > Traffic Shaping > Add > Pipe Rule 2. Specify a suitable name for the pipe, for instance outbound 3. Now enter: • Service: all_services • Source Interface: lan • Source Network: lannet • Destination Interface: wan • Destination Network: all-nets 4. Under the Traffic Shaping tab
  • D-Link DFL-260 | Product Manual - Page 449
    limit is 2 Mbps, the actual flow will be close to 1 Mbps in each direction. Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps of outbound are the intended limits. The result might be 3 Mbps outbound
  • D-Link DFL-260 | Product Manual - Page 450
    10.1.6. Precedences Chapter 10. Traffic Management requests followed by long inbound responses. A surf-in pipe is therefore first created for inbound traffic with a 125 kbps limit. Next, a new Pipe Rule is set up for surfing that uses the surf-in pipe and it is placed before the rule that directs
  • D-Link DFL-260 | Product Manual - Page 451
    the DSCP bits Take the precedence from the DSCP bits in the packet. DSCP is a subset of the Diffserv architecture where the Type of Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum Precedence and
  • D-Link DFL-260 | Product Manual - Page 452
    10.1.6. Precedences Chapter 10. Traffic Management • Default Precedence: 0 • Maximum Precedence: 7 As described above, the Default Precedence is the precedence taken by a packet if it is not explicitly assigned by a pipe rule. The minimum and maximum precedences define the precedence range that
  • D-Link DFL-260 | Product Manual - Page 453
    used for other traffic. The effect of doing this is that the SSH and Telnet rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. The pipe then makes sure that these higher priority packets are sent first
  • D-Link DFL-260 | Product Manual - Page 454
    10. Traffic Management The Need for Guarantees A problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other services such as surfing, DNS or FTP
  • D-Link DFL-260 | Product Manual - Page 455
    10.1.7. Pipe Groups Chapter 10. Traffic Management Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of both the ssh-in and telnet-in pipes is 2. Using this approach rather than hard-coding precedence 2 in the rule set, you can easily change the
  • D-Link DFL-260 | Product Manual - Page 456
    10.1.7. Pipe Groups Chapter 10. Traffic Management Specifying Group Limits Once the way the method of grouping is selected, the next step is to specify the Group Limits. These limits can consist of one or both of the following: • Group Limit Total This value specifies a limit for each user within
  • D-Link DFL-260 | Product Manual - Page 457
    10.1.7. Pipe Groups Chapter 10. Traffic Management Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the total bandwidth limit for a pipe is 400 bps. If the aim is to allocate this bandwidth amongst many destination IP addresses so that no
  • D-Link DFL-260 | Product Manual - Page 458
    SSH traffic. If desired, we could also limit the group total bandwidth for each user to some value, such as 40 kbps. There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16 kbps times 5 is more than 64 kbps. The total limit for the pipe will still
  • D-Link DFL-260 | Product Manual - Page 459
    about, they cannot know when the Internet connection is full. The problems resulting from leaks are exactly the same as in the cases described by parties outside of administrator control but sharing the same connection. Troubleshooting For a better understanding of what is happening in a live setup
  • D-Link DFL-260 | Product Manual - Page 460
    of bandwidth. 10.1.10. More Pipe Examples This section looks at some more scenarios and how traffic shaping can be used to solve particular problems. A Basic Scenario The first scenario will examine the configuration shown in the image below, in which incoming and outgoing traffic is to be limited
  • D-Link DFL-260 | Product Manual - Page 461
is that these are easier to match to the physical link capacity. This is especially true with asymmetric links such as ADSL. First, two pipes called in- Network lannet Destination Destination Interface Network wan all-nets Selected Service all The rule will force all traffic to the default
  • D-Link DFL-260 | Product Manual - Page 462
    lan Source Network lannet Dest Interface wan Dest Network all-nets Selected Service All Prece dence 2 Note that in-other and out-other are all non-VPN traffic using the same physical link. The pipe chaining can be used as a solution to the problem of VPN overhead. A limit which allows for
  • D-Link DFL-260 | Product Manual - Page 463
    lan Destination Network vpn_remote_net vpn_remote_net lannet lannet all-nets lannet Selected Prece Service dence H323 6 All 0 H323 6 All 0 All 0 or it will escape traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the outside so the
  • D-Link DFL-260 | Product Manual - Page 464
10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination.
  • D-Link DFL-260 | Product Manual - Page 465
    Intrusion Detection and Prevention"). Application Related Bandwidth Usage A typical problem that can be solved with IDP Traffic Shaping is dealing by P2P transfers can often have a negative impact on the quality of service for other network users as bandwidth is quickly absorbed by such applications.
  • D-Link DFL-260 | Product Manual - Page 466
    10.2.3. Processing Flow Chapter 10. Traffic Management information followed by a number of data transfer connections to other hosts. It is the initial connection that IDP detects and the Time Window specifies the expected period afterwards when other connections will be opened and subject to
  • D-Link DFL-260 | Product Manual - Page 467
    10.2.5. A P2P Scenario Chapter 10. Traffic Management Excluding Hosts To avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network range but not host X. This tells NetDefendOS that host X is not relevant in making a decision about including new non-
  • D-Link DFL-260 | Product Manual - Page 468
    command: gw-world:/> idppipes -unpipe -host=192.168.1.1 A full description of the idppipes command can be found in the separate CLI Reference Guide. Viewing Pipes IDP Traffic Shaping makes use of normal NetDefendOS pipe objects which are created automatically. These pipes are always allocated the
  • D-Link DFL-260 | Product Manual - Page 469
are no longer piped. There are also some other log messages which indicate less common conditions. All log messages are documented in the Log Reference Guide.
  • D-Link DFL-260 | Product Manual - Page 470
    only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other policy based rules found in NetDefendOS, a combination of source/destination network/interface can be specified for a rule and a type of service
  • D-Link DFL-260 | Product Manual - Page 471
attempts from internal hosts. For more information on this refer to Chapter 12, ZoneDefense. 10.3.8. Threshold Rule Blacklisting If the Protect option is rule. If the Threshold Rule is linked to a service then it is possible to block only that service. When Blacklisting is selected, the
  • D-Link DFL-260 | Product Manual - Page 472
10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks".
  • D-Link DFL-260 | Product Manual - Page 473
    server farm) that can handle many more requests than a single server. Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. The illustration below shows a typical SLB scenario, with Internet
  • D-Link DFL-260 | Product Manual - Page 474
    administrators to perform maintenance tasks on servers or applications without disrupting services. Individual servers can be restarted, upgraded, removed, or load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution: Round-robin Connection
  • D-Link DFL-260 | Product Manual - Page 475
    . In this mode, a series of connections from a specific client will be handled by the same server. This is particularly important for TLS or SSL based services such as HTTPS, which require a repeated connection to the same host. This mode is similar to IP stickiness except that the stickiness can be
  • D-Link DFL-260 | Product Manual - Page 476
    10.4.4. SLB Algorithms and Stickiness Chapter 10. Traffic Management The consequence of a full table can be that stickiness will be lost for any discarded source IP addresses. The administrator should therefore try to ensure that the Max Slots parameter is set to a value that can accommodate the
  • D-Link DFL-260 | Product Manual - Page 477
    in for the distribution. Figure 10.12. Stickiness and Connection-rate Regardless which server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes example, if a server is specified as running web services on port 80, the SLB will send a TCP
  • D-Link DFL-260 | Product Manual - Page 478
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 10.4.6. Setting Up SLB_SAT Rules The key component in setting up SLB are IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are: 1. Define an IP address object for each server for
  • D-Link DFL-260 | Product Manual - Page 479
    NAT IP rule for internal clients: 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_NAT • Action: NAT • Service: HTTP • Source Interface: lan • Source Network: lannet • Destination Interface: core • Destination Network: ip_ext 3. Click OK E. Specify an Allow IP rule for
  • D-Link DFL-260 | Product Manual - Page 480
    Setting Up SLB_SAT Rules 1. Go to Rules > IP Rule Sets > main > Add > IP Rule 2. Enter: • Name: Web_SLB_ALW • Action: Allow • Service: HTTP • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: ip_ext 3. Click OK Chapter 10. Traffic Management 480
  • D-Link DFL-260 | Product Manual - Page 481
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481
  • D-Link DFL-260 | Product Manual - Page 482
    active-passive implementation of fault tolerance. Note: High Availability is only available on some NetDefend models The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, it should be kept in mind
  • D-Link DFL-260 | Product Manual - Page 483
    made to the configurations of both the master and the slave. Load-sharing D-Link HA clusters do not provide load-sharing since only one unit will be active it detects the active unit is not responding. Hardware Duplication D-Link HA will only operate between two NetDefend Firewalls. As the internal
  • D-Link DFL-260 | Product Manual - Page 484
    is still active. Disabling Heartbeat Sending on Interfaces The administrator can manually disable heartbeat sending on any interface if that is desired. This hardware address. In other words, 11-00-00-C1-4A-nn. Link-level multicasts are used over normal unicast packets for security: using unicast
  • D-Link DFL-260 | Product Manual - Page 485
    occur. These updates involve downloads from the external D-Link databases and they require NetDefendOS reconfiguration to occur for the cluster: 1. The active (master) unit downloads the new database files from the D-Link servers. The download is done via the shared IP address of the cluster. 2.
  • D-Link DFL-260 | Product Manual - Page 486
    11.2. HA Mechanisms Chapter 11. High Availability Should such a failure occur then the consequence is that both units will continue to function but they will lose their synchronization with each other. In other words, the inactive unit will no longer have a correct copy of the state of the active
  • D-Link DFL-260 | Product Manual - Page 487
    11.3. Setting Up HA Chapter 11. High Availability 11.3. Setting Up HA This section provides a step-by-step guide for setting up an HA Cluster. 11.3.1. HA Hardware Setup The steps for the setup of hardware in an HA cluster are as follows: 1. Start
  • D-Link DFL-260 | Product Manual - Page 488
    between the sync interfaces of each unit. This connection could, instead, be via a switch or broadcast domain. 11.3.2. NetDefendOS Manual HA Setup To set up an HA cluster manually, the steps are as follows: 1. Connect to the master unit with the WebUI. 2. Go to System > High Availability. 3. Check
  • D-Link DFL-260 | Product Manual - Page 489
    11.3.3. Verifying the Cluster Functions Chapter 11. High Availability 4. Set the Cluster ID. This must be unique for each cluster. 5. Choose the Sync Interface. 6. Select the node type to be Master. 7. Go to Objects > Address Book and create an IP4 HA Address object for each interface pair. Each
  • D-Link DFL-260 | Product Manual - Page 490
    lan1 interface on the master unit will appear to have the same MAC address as the lan1 interface on the slave unit. Problem Diagnosis An HA cluster will function if this setting is disabled but can cause problems with a limited number of switch types where the switch uses a shared ARP table. Such
  • D-Link DFL-260 | Product Manual - Page 491
    for anything but management. Using them for anything else, such as for source IPs in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does. The Shared IP Must Not Be 0.0.0.0 Assigning the
  • D-Link DFL-260 | Product Manual - Page 492
    11.4. HA Issues Chapter 11. High Availability If OSPF is to work then there must be another designated router available in the same OSPF area as the cluster. Ideally, there will also be a second, backup designated router to provide OSPF metrics if the main designated router should fail. PPPoE
  • D-Link DFL-260 | Product Manual - Page 493
    11.5. Upgrading an HA Cluster Chapter 11. High Availability 11.5. Upgrading an HA Cluster The NetDefendOS software versions running on the master and slave in an HA cluster should be the same. When a new NetDefendOS version becomes available and is to be installed on both units, the upgrade is
  • D-Link DFL-260 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE... To check that the failover has completed
  • D-Link DFL-260 | Product Manual - Page 495
    11.6. HA Advanced Settings Chapter 11. High Availability 11.6. HA Advanced Settings The following NetDefendOS advanced settings are available for High Availability: Sync Buffer Size How much sync data, in Kbytes, to buffer while waiting for acknowledgments from the cluster peer. Default: 1024 Sync
  • D-Link DFL-260 | Product Manual - Page 496
    11.6. HA Advanced Settings Chapter 11. High Availability 496
  • D-Link DFL-260 | Product Manual - Page 497
    the D-Link ZoneDefense feature. • Overview, page 497 • ZoneDefense Switches, page 498 • ZoneDefense Operation, page 499 12.1. Overview ZoneDefense behavior. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the Web or Command Line interface. Note:
  • D-Link DFL-260 | Product Manual - Page 498
    to be manually specified in the firewall configuration. The information needed in order to control a switch includes: • The IP address of the management interface of the switch • The switch model type • The SNMP community string (write access) The ZoneDefense feature currently supports the following
  • D-Link DFL-260 | Product Manual - Page 499
    devices The managed devices must be SNMP compliant, as are D-Link switches. They store state data in databases known as the and source network • Destination interface and destination network • Service • Type of threshold: Host and/or network based 12.3.3. Manual Blocking and Exclude Lists 499
  • D-Link DFL-260 | Product Manual - Page 500
    12. ZoneDefense As a complement to threshold rules, it is also possible to manually define hosts and networks that are to be statically blocked or excluded. Manually .168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S is used in this case, with a
  • D-Link DFL-260 | Product Manual - Page 501
    Rule 2. For the Threshold Rule enter: • Name: HTTP-Threshold • Service: http 3. For Address Filter enter: • Source Interface: The firewall's management Scanning" and in the sections covering the individual ALGs. 12.3.5. Limitations There are some differences in ZoneDefense operation depending on
  • D-Link DFL-260 | Product Manual - Page 502
    Chapter 12. ZoneDefense of latency time to implement blocking once the rule is triggered. Some models can activate blocking in less than a second while some models may require a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support
  • D-Link DFL-260 | Product Manual - Page 503
    12.3.5. Limitations Chapter 12. ZoneDefense 503
  • D-Link DFL-260 | Product Manual - Page 504
    Chapter 13. Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. The settings are divided up into the following categories:
  • D-Link DFL-260 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0 Net Block 0.* as source addresses. Default: DropLog Block 127 Net Block 127.* as source addresses. Default: DropLog Block Multicast Src Block multicast both source addresses
  • D-Link DFL-260 | Product Manual - Page 506
    . NetDefendOS never obeys the source routes specified by these options, regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These options do
  • D-Link DFL-260 | Product Manual - Page 507
    13.1. IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Used by OS Fingerprinting. Default: DropLog Strip DontFragment Strip the Don't
  • D-Link DFL-260 | Product Manual - Page 508
    High Determines the action taken on packets whose TCP MSS option exceeds the stipulated TCPMSSMax value. Values that are too high could cause problems in poorly written TCP stacks or give rise to large quantities of fragmented packets, which will adversely affect performance. Default: Adjust TCP MSS
  • D-Link DFL-260 | Product Manual - Page 509
    to prevent the sequence numbers (a 32-bit figure) from "exceeding" their upper limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it takes for a packet to travel to and from its destination. This
  • D-Link DFL-260 | Product Manual - Page 510
    13.2. TCP Level Settings Chapter 13. Advanced Settings initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm,
  • D-Link DFL-260 | Product Manual - Page 511
    standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP Reserved Field Specifies how NetDefendOS will deal with information present in the
  • D-Link DFL-260 | Product Manual - Page 512
    13.2. TCP Level Settings Chapter 13. Advanced Settings TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely
  • D-Link DFL-260 | Product Manual - Page 513
    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this
  • D-Link DFL-260 | Product Manual - Page 514
    13.4. State Settings Chapter 13. Advanced Settings 13.4. State Settings Connection Replace Allows new additions to the NetDefendOS connection list to replace the oldest connections if there is no available space. Default: ReplaceLog Log Open Fails In some instances where the Rules section
  • D-Link DFL-260 | Product Manual - Page 515
    is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP address and interface. This setting should only be enabled for diagnostic and testing purposes since it generates unwieldy
  • D-Link DFL-260 | Product Manual - Page 516
    seconds how long a Ping (ICMP ECHO) connection can remain idle before it is closed. Default: 8 IGMP Idle Lifetime Connection lifetime for IGMP in seconds. Default: 12 516
  • D-Link DFL-260 | Product Manual - Page 517
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130 517
  • D-Link DFL-260 | Product Manual - Page 518
    13.6. Length Limit Settings Chapter 13. Advanced Settings 13.6. Length Limit Settings This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP. The values specified here concern the IP data contained in packets. In the case
  • D-Link DFL-260 | Product Manual - Page 519
    13.6. Length Limit Settings Chapter 13. Advanced Settings Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections,
  • D-Link DFL-260 | Product Manual - Page 520
    13.7. Fragmentation Settings Chapter 13. Advanced Settings 13.7. Fragmentation Settings IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each
  • D-Link DFL-260 | Product Manual - Page 521
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Default: Check8 - compare 8 random locations, a total of 32 bytes Failed Fragment Reassembly Reassemblies may fail due to one of the following causes: • Some of the fragments did not arrive within the time stipulated by the ReassTimeout or
  • D-Link DFL-260 | Product Manual - Page 522
    Although the arrival of too many fragments that are too small may cause problems for IP stacks, it is usually not possible to set this limit too fragments and an equal number of 40 byte fragments. Because of potential problems this can cause, the default settings in NetDefendOS have been designed to
  • D-Link DFL-260 | Product Manual - Page 523
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 523
  • D-Link DFL-260 | Product Manual - Page 524
    13.8. Local Fragment Reassembly Settings Chapter 13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over
  • D-Link DFL-260 | Product Manual - Page 525
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 13.9. Miscellaneous Settings UDP Source Port 0 How to treat UDP packets with source port 0. Default: DropLog Port 0 How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. Default: DropLog Watchdog Time
  • D-Link DFL-260 | Product Manual - Page 526
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526
  • D-Link DFL-260 | Product Manual - Page 527
    public Internet is possible when doing this). Tip: A registration guide can be downloaded A step-by-step "Registration manual" which explains registration and update service procedures in more detail is available for download from the D-Link website. Subscription renewal In the Web-interface go to
  • D-Link DFL-260 | Product Manual - Page 528
    AV updates: gw-world:/> updatecenter -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter -servers Deleting Local Databases Some technical problem in the operation of either IDP or the Anti-Virus modules may be resolved by
  • D-Link DFL-260 | Product Manual - Page 529
    IDP Signature Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information see Section 6.5, "Intrusion
  • D-Link DFL-260 | Product Manual - Page 530
    Group Name FTP_FORMATSTRING FTP_GENERAL FTP_LOGIN FTP_OVERFLOW GAME_BOMBERCLONE GAME_GENERAL GAME_UNREAL HTTP_APACHE HTTP_BADBLUE HTTP_CGI HTTP_CISCO HTTP_GENERAL HTTP_MICROSOFTIIS HTTP_OVERFLOWS HTTP_TOMCAT ICMP_GENERAL IGMP_GENERAL IMAP_GENERAL IM_AOL IM_GENERAL IM_MSN IM_YAHOO IP_GENERAL
  • D-Link DFL-260 | Product Manual - Page 531
    Systems software McAfee Symantec AV solution SMB Error SMB Exploit SMB attacks NetBIOS attacks SMB worms SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP protocol/implementation SOCKS protocol and implementation SSH protocol and
  • D-Link DFL-260 | Product Manual - Page 532
    Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 532
  • D-Link DFL-260 | Product Manual - Page 533
    Appendix C. Verified MIME filetypes Some NetDefendOS Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file matches the type that the filetype in the filename indicates. The filetypes for which MIME verification can be done are listed in this
  • D-Link DFL-260 | Product Manual - Page 534
    filetypes Application Windows Control Panel Extension file Database file Graphics Multipage PCX Bitmap file Debian Linux Package file DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive Allegro datafile eMacs Lisp Byte-compiled Source Code ABT EMD
  • D-Link DFL-260 | Product Manual - Page 535
    Atari MSA archive data Navy Interchange file Format Bitmap Nancy Video CODEC NES Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable CrossePAC archive data Portable Bitmap Format Image Portable
  • D-Link DFL-260 | Product Manual - Page 536
    Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Appendix C. Verified MIME filetypes Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType Font
  • D-Link DFL-260 | Product Manual - Page 537
    many NetDefendOS features such as ARP, Services and ALGs. Layer number Layer 7 Layer - Application Layer Defines the user interface that supports applications directly. Protocols: HTTP, FTP, TFTP ICMP, IGMP and similar. Layer 2 - Data-Link Layer Creates frames of data for transmission over the
  • D-Link DFL-260 | Product Manual - Page 538
    Alphabetical Index A access rules, 237 accounting, 60 interim messages, 62 limitations with NAT, 63 messages, 60 system shutdowns, 63 address book, 77 ethernet addresses in, 79 folders, 81 IP addresses in, 77 address groups, 80 excluding addresses, 80 address translation, 334 admin account, 29
  • D-Link DFL-260 | Product Manual - Page 539
    383, 409 validity, 128 with IPsec, 386 VPN troubleshooting, 437 chains (in traffic shaping), 445 CLI, 292 audit mode, 298 categories, 300 dynamic (WCF), 295 override, 299 phishing, 304 setting up setting, 505 demilitarized zone (see DMZ) denial of service, 326 destination RLB algorithm, 165 DHCP, 223
  • D-Link DFL-260 | Product Manual - Page 540
    vector algorithms, 171 DMZ, 343 DNS, 139 dynamic lookup, 139 DNS black lists for Spam filtering, 258 documentation, 18 DoS attack (see denial of service) downloading files with SCP, 45 DPD Expire Time (IPsec) setting, 423 DPD Keep Time (IPsec) setting, 423 DPD Metric (IPsec) setting, 423 drop all
  • D-Link DFL-260 | Product Manual - Page 541
    overview, 391 quick start guide, 381 roaming clients setup, 384 troubleshooting, 437 tunnel establishment, 406 guide, 382, 383 Large Buffers (reassembly) setting, 524 Layer Size Consistency setting, 505 LDAP authentication, 359 authentication with PPP, 364 MS Active Directory, 360 servers, 413 link
  • D-Link DFL-260 | Product Manual - Page 542
    setting, 64 Max Reassembly Time Limit setting, 522 max sessions services parameter, 85 Max Size (reassembly) setting, 524 Max SKIP 184 router process, 179 setting up, 188 virtual links, 176, 184 Other Idle Lifetimes setting, 516 overriding support, 102 with HA, 102 PPTP, 425 advanced settings,
  • D-Link DFL-260 | Product Manual - Page 543
    -shared keys, 382, 402 non-ascii character problem, 402 Primary Time Server setting, 137 product overview, 16 proposal lists, 401 proxy ARP, 157 setting up, 158 Pseudo Reass Max Concurrent setting, 520 Q QoS (see quality of service) quality of service, 444 R RADIUS accounting, 60 advanced settings
  • D-Link DFL-260 | Product Manual - Page 544
    160 spam filtering, 257 caching, 261 logging, 260 tagging, 259 spam WCF category, 306 spanning tree relaying, 217 spillover RLB algorithm, 165 spoofing, routes, 209 switch routes, 207, 209 with high availability, 211 with VLANs, 210 vs routing mode, 207 TTL Min setting, 505 TTL on Low setting, 505
  • D-Link DFL-260 | Product Manual - Page 545
    with SIP, 265 VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 whitelisting, 296 web interface, 28, 29 default connection interface, 30